Hacking Hardware Picofly - a HWFLY switch modchip

[rehius]

Do you have a donation link?

no

 

[chronoss]

no

or something to offer you a beer, cofee or chicha...

 

[minik1971]

good comrades, oled console, the rp2040-zero chip was installed and everything worked fine, it turned on well, the iso emunad was installed, the games were installed but I turned it off and now it does not turn on and it gives this error code, does anyone have knowledge?

 

[cgtchy0412]

good comrades, oled console, the rp2040-zero chip was installed and everything worked fine, it turned on well, the iso emunad was installed, the games were installed but I turned it off and now it does not turn on and it gives this error code, does anyone have knowledge?

Possibly cold joints. First try to reheat/resolder all the pico io wires. Also clean all the point in mainboard from any sort or flux.

 

[Takezo-San]

Anyone know what an infinite glitch means. Using 2.67fw and abels mosfet mod setup. Writing white then infinite blue. Till it goes red and boots to ofw. Is the mosfets? Or chip?

 

[LuigiGad]

Anyone know what an infinite glitch means. Using 2.67fw and abels mosfet mod setup. Writing white then infinite blue. Till it goes red and boots to ofw. Is the mosfets? Or chip?

OLED and dat0 adapter?

 

[abal1000x]

Anyone know what an infinite glitch means. Using 2.67fw and abels mosfet mod setup. Writing white then infinite blue. Till it goes red and boots to ofw. Is the mosfets? Or chip?

i've met it and fixed by shift the dat0 adapter little bit.

i cant explain the reasoning, but its my experience. i am not confident if something fixed without a good reasoning though. Might be something else fixed it.

 

[Takezo-San]

Oled no adaptor. Reball job.

 

[abal1000x]

Oled no adaptor. Reball job.

The flow something like this:

The glitch is some time reference lets say from A to B.
Then the glitch will pick randomly from those range.

If after glitch lets say X read from the CMD line then the glitch succeed.

If after glitch lets say Y read from the CMD line then the glitch failed. Reset and pick randomly another time reference from A to B. Repeat this until the glitch founded or until all time reference from A to B tried.

The error throws after all the point in A to B has been tried.



That is why i said the Dat0 is irrelevant actually, but in my experience i did that and it solved, don't know why and how.

The more probable explanation is the CMD line solder is not good, or the pullup resistor in the board, or the resistor in picofly, such that the reading of X/Y is wrongly read. Or it could be the mosfet is unstable, or it could be the power that supplied is unstable the MAX ic.

 

[Takezo-San]

The flow something like this:

The glitch is some time reference lets say from A to B.
Then the glitch will pick randomly from those range.

If after glitch lets say X read from the CMD line then the glitch succeed.

If after glitch lets say Y read from the CMD line then the glitch failed. Reset and pick randomly another time reference from A to B. Repeat this until the glitch founded or until all time reference from A to B tried.

The error throws after all the point in A to B has been tried.



That is why i said the Dat0 is irrelevant actually, but in my experience i did that and it solved, don't know why and how.

The more probable explanation is the CMD line solder is not good, or the pullup resistor in the board, or the resistor in picofly, such that the reading of X/Y is wrongly read. Or it could be the mosfet is unstable, or it could be the power that supplied is unstable the MAX ic.

Weird thing is, dmm readings were all good. Too many possibilities. Could be dat0 line shifted. That's the only thing I can think of that makes sense. Cap readings from mosfets on dmm were simple enough although I did add a pull down resistor from gate to ground of 1k. Reckon that has something to do with it? Would that 1k be blocking everything from going ahead....though if it was wouldn't the chip show a cyan light or does it have to first get into the emmc, sign the code and then use the power mosfet? which part of the signing code comes first? finding the exploit or cpu power steal? ofcourse 3.3v powers the chip initally but...i clearly lack here in knowledge but patience is king and will aim to take this slow.

Anyone have this infinite blue glitch issue and fixed it other than EMMC line/adaptor?

 

[deeps]

Weird thing is, dmm readings were all good. Too many possibilities. Could be dat0 line shifted. That's the only thing I can think of that makes sense. Cap readings from mosfets on dmm were simple enough although I did add a pull down resistor from gate to ground of 1k. Reckon that has something to do with it? Would that 1k be blocking everything from going ahead....though if it was wouldn't the chip show a cyan light or does it have to first get into the emmc, sign the code and then use the power mosfet? which part of the signing code comes first? finding the exploit or cpu power steal? ofcourse 3.3v powers the chip initally but...i clearly lack here in knowledge but patience is king and will aim to take this slow.

Anyone have this infinite blue glitch issue and fixed it other than EMMC line/adaptor?

might just be reflections but that capacitor looks messed up to me. missing metal edges

 

[abal1000x]

Weird thing is, dmm readings were all good. Too many possibilities. Could be dat0 line shifted. That's the only thing I can think of that makes sense. Cap readings from mosfets on dmm were simple enough although I did add a pull down resistor from gate to ground of 1k. Reckon that has something to do with it? Would that 1k be blocking everything from going ahead....though if it was wouldn't the chip show a cyan light or does it have to first get into the emmc, sign the code and then use the power mosfet? which part of the signing code comes first? finding the exploit or cpu power steal? ofcourse 3.3v powers the chip initally but...i clearly lack here in knowledge but patience is king and will aim to take this slow.

Anyone have this infinite blue glitch issue and fixed it other than EMMC line/adaptor?

The solder from the picture is already an okay. The pulldown resistor won't affect the glitch.

I am not quite understand the question.
The glitch is the power stealing. After the power stolen for a bit, then check the status by reading stream of bytes on the CMD line.

 

[Takezo-San]

The solder from the picture is already an okay. The pulldown resistor won't affect the glitch.

I am not quite understand the question.
The glitch is the power stealing. After the power stolen for a bit, then check the status by reading stream of bytes on the CMD line.

oh ok so mosfet must be fine then. if it was the cmd line, wouldn't it throw the relevant led colour for cmd line error?

Post automatically merged: Jul 16, 2023

might just be reflections but that capacitor looks messed up to me. missing metal edges

just the solder caked on the cap, cap is fine and gave normal readings before and after.

Post automatically merged: Jul 16, 2023

oh ok so mosfet must be fine then. if it was the cmd line, wouldn't it throw the relevant led colour for cmd line error?

Post automatically merged: Jul 16, 2023

just the solder caked on the cap, cap is fine and gave normal readings before and after.

though, on the cmd line, the solder looked like it had bridged between the cmd point and the wire. meaning the wire wasn't directly touching the point. would that affect the glitch? wouldn't an error be thrown if it did?

 

[abal1000x]

oh ok so mosfet must be fine then. if it was the cmd line, wouldn't it throw the relevant led colour for cmd line error?

Post automatically merged: Jul 16, 2023

just the solder caked on the cap, cap is fine and gave normal readings before and after.

The check of CMD line only on voltage. CMD line is a pull up line. Means when there are no data, it will be 1.8V (the 0 bit).
Picofly only check whether the CMD line is 1.8V or not. If it is not then the CMD line is disconnected.

When there are data (1bit) it will be around 0V. When i said, the line is unstable means the stream of the bit of data (1010110...) is unstable. For example if supposed success data is 80 and because the line is unstable it will corrupted into 81. This will lead, the picofly concluded the glitch failed, so reset and try again.

Usually in low level protocol, there are some checksum, but i don't know the detail whether there are checksum or not. I assume it doesn't have any checksum mechanism to check the integrity of the data.

 

[Takezo-San]

The check of CMD line only on voltage. CMD line is a pull up line. Means when there are no data, it will be 1.8V (the 0 bit).
Picofly only check whether the CMD line is 1.8V or not. If it is not then the CMD line is disconnected.

When there are data (1bit) it will be around 0V. When i said, the line is unstable means the stream of the bit of data (1010110...) is unstable. For example if supposed success data is 80 and because the line is unstable it will corrupted into 81. This will lead, the picofly concluded the glitch failed, so reset and try again.

Usually in low level protocol, there are some checksum, but i don't know the detail whether there are checksum or not. I assume it doesn't have any checksum mechanism to check the integrity of the data.

so check cmd line in voltage mode of my dmm and check for 1.8v. if there isn't 1.8v that means its faulty line. yes?

 

[abal1000x]

so check cmd line in voltage mode of my dmm and check for 1.8v. if there isn't 1.8v that means its faulty line. yes?

That is what the picofly do, to check the CMD line, by checking the voltage.

 

[Takezo-San]

That is what the picofly do, to check the CMD line, by checking the voltage.

ok brb

Post automatically merged: Jul 16, 2023

V mode got me nothing. Put it in diode mode and got ~670. weird.

 

[LuigiGad]

Oled no adaptor. Reball job.

according to my experience during the installation of the PicoFly in the various models, making mistakes is practically very difficult, all the points to be soldered are clear, apart from the dat0 if the adapter is used. so if you are precise and clean when soldering, the problems can come either from PicoFly not working (I have happened to have pieces not assembled correctly) or from the adapter not being correctly positioned. I had used one incorrectly positioned and as a result the picofly flashed blue endlessly, unplugging the PicoFly the console no longer starts, black screen practically dead, removed and repositioned the adapter all ok.

 

[Takezo-San]

according to my experience during the installation of the PicoFly in the various models, making mistakes is practically very difficult, all the points to be soldered are clear, apart from the dat0 if the adapter is used. so if you are precise and clean when soldering, the problems can come either from PicoFly not working (I have happened to have pieces not assembled correctly) or from the adapter not being correctly positioned. I had used one incorrectly positioned and as a result the picofly flashed blue endlessly, unplugging the PicoFly the console no longer starts, black screen practically dead, removed and repositioned the adapter all ok.

100% but my one starts!? OFW works no problem. Disconnected pico and boots into ofw. so must be a line that haven't soldered well. ill have to go back and see but im sure its the cmd line. might be bad solder joint even though it gives a good reading. very tricky. or emmc line wire not being hit to the correct dat0 point. maybe could have shifted to the dat1 point. Doubt it but don't want to go straight to that if i can help it. Do the small checks first and if all fails, back to reball again

Or try another pico board with 2.73fw. Who knows. Will try to be as methodical as possible so others will know whY to do better if they get stuck in my position.

 

[CarlosCruz]

Second time more precise