Hacking INSTINCT-NX Chip

  • Thread starter HWE
  • Start date
  • Views 143,564
  • Replies 449
  • Likes 1

SylverReZ (Member, joined Sep 13, 2022, United Kingdom; website: m4x1mumrez87.neocities.org)

I found an old "official" video published by the Gateway 3DS team.


You'll see what I meant.

Edit: That wasn't the same person actually

I've heard about Gateway many years ago in the 3DS scene when it was relatively popular.
 
Last edited by SylverReZ,

Mena (Well-Known Member, joined Oct 5, 2020, United States)

There's an additional list on top of the typical glitch config list. It looks like it stores the last configuration that successfully glitched the console and then attempts to use that last successful config first upon the next boot a couple of times. This would benefit long term, especially if you've seen consoles that change the values at which they glitch depending on their environment. (There was an individual on GBATemp who messaged me a while back about this. It was quite bizarre.)

It seemingly has better debug too. There are LED patterns to help you determine what issue you're having.

1 blue blink for an RST issue
3 blue blinks for a CPU flex issue
1 white blink for a CLK issue
3 white blinks for a CMD issue
1 red blink for DAT0 issue
3 red blinks for...unknown? issue

It verifies each block written to the eMMC during the 'p' command. If I had to guess, it's to make absolutely sure there's no corruption going on (good thing tbh). You throw all signal integrity out the window the instant you install one of these chips, whether it be a hwfly chip or this chip (some of the installs I've seen look like y'all have soldered with your damn feet).

TL;DR
There's a ton of safety checks in this thing and a lot of user-friendliness for debugging install issues. I haven't looked at the sdloader with the new INSTINCT-NX logo, but it looks like a rehash of the one used in hwfly-nx. If I had to guess based on how it handles the glitch configs, it starts out good with 25 trains, but only improves the more you boot it over time.
Post automatically merged:

Alright, things have gotten spicy. Looking into the glitch function... it has settable timeouts based on eMMC type.

C++:
  // Decompiler output: a4 points at the chip's config/ident structure and
  // byte 189 holds the eMMC type (the JEDEC manufacturer ID, per doom95's reply).
  emmc_type = *(unsigned __int8 *)(a4 + 189);
  switch ( emmc_type )
  {
    case 0x11:              // Toshiba
      emmc_timeout = 105;
      break;
    case 0x90:              // SK Hynix
      emmc_timeout = 65;
      break;
    case 0x15:              // Samsung
      emmc_timeout = 55;
      break;
    default:                // unknown vendor: conservative value
      emmc_timeout = 100;
      break;
  }

This is HUGE. This means this chip supports even the troublesome Toshiba. In my fork of hwfly-nx I specifically set my timeout to 100 due to the fact I have a Toshiba eMMC and Toshiba is straight-up dogshit. I have a pull request for this on hwfly-nx but the creator doesn't want to merge it. This is likely due to the fact that while it'd benefit Toshiba users (get the damn thing to boot), it'd slow down the speed of glitching for all other eMMC types. I'd bet money this has out-of-the-box Toshiba support.

EDIT 2: I snagged one. Gotta see this thing in person
 
Last edited by Mena,
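Putting the two behaviours Mena describes together (retry the last-known-good config first, then sweep the list; pick the glitch timeout from the eMMC vendor), here is an added C example. It is not INSTINCT-NX or hwfly-nx code. The manufacturer IDs are the standard JEDEC MID values doom95 names below (0x11 Toshiba, 0x15 Samsung, 0x90 SK Hynix); the config fields, the three-attempt retry budget, the config table and the simulated console are assumptions made for illustration.

```c
/* Added example, not INSTINCT-NX or hwfly-nx code: a glitch-config scheduler
 * that retries the last configuration that worked before sweeping the full
 * list, plus a per-vendor timeout lookup mirroring the decompiled switch.
 * Field names, the config table, the retry budget and the simulated console
 * are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* JEDEC eMMC manufacturer IDs (MID byte of the CID register). */
#define EMMC_MID_TOSHIBA 0x11
#define EMMC_MID_SAMSUNG 0x15
#define EMMC_MID_HYNIX   0x90

/* Values from the decompiled switch; the unit is whatever the firmware's
 * glitch timer counts, which the thread does not state. */
unsigned emmc_timeout_for(uint8_t mid)
{
    switch (mid) {
    case EMMC_MID_TOSHIBA: return 105;
    case EMMC_MID_HYNIX:   return 65;
    case EMMC_MID_SAMSUNG: return 55;
    default:               return 100;   /* unknown vendor: conservative */
    }
}

/* One glitch configuration (assumed fields): pulse offset and width. */
struct glitch_cfg { unsigned offset; unsigned width; };

#define LAST_GOOD_RETRIES 3    /* assumption: last-good attempts before the sweep */
#define LAST_GOOD_NONE    (-1)

struct glitch_sched {
    const struct glitch_cfg *list;
    size_t n;
    int last_good;          /* index that booted last time; persisted across boots */
    unsigned retries_left;  /* last-good attempts remaining this boot */
    size_t cursor;          /* next index in the full sweep */
};

void sched_init(struct glitch_sched *s, const struct glitch_cfg *list,
                size_t n, int last_good)
{
    s->list = list;
    s->n = n;
    s->last_good = last_good;
    s->retries_left = (last_good == LAST_GOOD_NONE) ? 0 : LAST_GOOD_RETRIES;
    s->cursor = 0;
}

/* Index of the config to try next: the remembered one first, then the list. */
size_t sched_next(struct glitch_sched *s)
{
    if (s->retries_left > 0) {
        s->retries_left--;
        return (size_t)s->last_good;
    }
    size_t i = s->cursor;
    s->cursor = (s->cursor + 1) % s->n;
    return i;
}

/* Record the outcome; a success becomes the remembered config for next boot. */
void sched_report(struct glitch_sched *s, size_t idx, bool success)
{
    if (success)
        s->last_good = (int)idx;
}

/* Simulated console: only one (offset, width) pair glitches it. */
struct sim_console { unsigned good_offset; unsigned good_width; };

bool sim_try(const struct sim_console *c, const struct glitch_cfg *cfg)
{
    return cfg->offset == c->good_offset && cfg->width == c->good_width;
}

/* One boot: attempts until success, or 0 if max_attempts is exhausted. */
unsigned boot_once(struct glitch_sched *s, const struct sim_console *c,
                   unsigned max_attempts)
{
    for (unsigned attempt = 1; attempt <= max_attempts; attempt++) {
        size_t idx = sched_next(s);
        bool ok = sim_try(c, &s->list[idx]);
        sched_report(s, idx, ok);
        if (ok)
            return attempt;
    }
    return 0;
}

/* Constructed config table: eight pulse offsets, one width. */
static const struct glitch_cfg demo_table[8] = {
    {10, 1}, {20, 1}, {30, 1}, {40, 1}, {50, 1}, {60, 1}, {70, 1}, {80, 1}
};

/* Worked scenario: boot 0 is cold (nothing remembered), boot 1 reuses the
 * remembered index, boot 2 is a console whose glitch point has drifted. */
unsigned scenario_attempts(int which)
{
    struct glitch_sched s;
    struct sim_console c = { 60, 1 };            /* demo_table[5] works */
    int remembered = (which == 0) ? LAST_GOOD_NONE : 5;
    if (which == 2)
        c.good_offset = 30;                      /* drifted to demo_table[2] */
    sched_init(&s, demo_table, 8, remembered);
    return boot_once(&s, &c, 64);
}
```

The cold boot walks the table until index 5 hits (6 attempts); the warm boot reuses the remembered index and glitches on the first try; when the console's window drifts to index 2, the three remembered attempts fail and the sweep picks it up on attempt 6, after which index 2 becomes the new remembered config. A real firmware would store `last_good` in flash and bound the retries the same way, so a console that drifts costs a few attempts rather than a full re-learn.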

doom95 (Well-Known Member, joined Aug 12, 2019, Netherlands)

Toshiba vendor is 0x11, Hynix = 0x90, Samsung = 0x15?
Interesting idea, probably improves glitch speeds a lot, at least for the faster eMMCs.
 

Mena (Well-Known Member, joined Oct 5, 2020, United States)

  • Like
Reactions: jkyoho

rcpd (Well-Known Member, joined Jan 31, 2023, United States)

Alright, things have gotten spicy. Looking into the glitch function... it has settable timeouts based on eMMC type.

C++:
  // Decompiler output: a4 points at the chip's config/ident structure and
  // byte 189 holds the eMMC type (the JEDEC manufacturer ID, per doom95's reply).
  emmc_type = *(unsigned __int8 *)(a4 + 189);
  switch ( emmc_type )
  {
    case 0x11:              // Toshiba
      emmc_timeout = 105;
      break;
    case 0x90:              // SK Hynix
      emmc_timeout = 65;
      break;
    case 0x15:              // Samsung
      emmc_timeout = 55;
      break;
    default:                // unknown vendor: conservative value
      emmc_timeout = 100;
      break;
  }

This is HUGE. This means this chip supports even the troublesome Toshiba. In my fork of hwfly-nx I specifically set my timeout to 100 due to the fact I have a Toshiba eMMC and Toshiba is straight-up dogshit. I have a pull request for this on hwfly-nx but the creator doesn't want to merge it. This is likely due to the fact that while it'd benefit Toshiba users (get the damn thing to boot), it'd slow down the speed of glitching for all other eMMC types. I'd bet money this has out-of-the-box Toshiba support.
Some of us are rewriting firmware for the RP2040 to glitch. We came to the same conclusion with similar timings.

Can I ask, where did you obtain the firmware? I would not mind having a look at it in IDA to verify some things for my 2040 firmware.
 

Mena (Well-Known Member, joined Oct 5, 2020, United States)

Huge, huh? Instead of silly workarounds with timeouts they could implement something really new.
picofly algorithms reduced the cycle time down to 20ms in the best case, that is 50 attempts per second.
Compared to what we have, it's huge. hwfly chips suck and the RP2040 doesn't boot atm, so... better than nothing.
 
  • Like
Reactions: binkinator

rcpd (Well-Known Member, joined Jan 31, 2023, United States)

So I had a look at this in Ghidra at home and yeah. It’s definitely better than HWFly’s firmware. Elegant. Not sure who the developer is, but they know their microcontroller code.

Huge, huh? Instead of silly workarounds with timeouts they could implement something really new.
picofly algorithms reduced the cycle time down to 20ms in the best case, that is 50 attempts per second.
Actually, it is huge compared to the public firmware we have now. Yours could be better, we aren’t sure without having access to your source. I’m not asking for it, merely commenting that yes, this is damn good. This firmware should cut the learning phase down quite a bit as well as “remember” the last working glitch state meaning much much faster booting times since it can just reuse that one instead of multiple attempts.

This is damn damn good work.
 
  • Like
Reactions: Henx
