Hacking Hardware Picofly - a HWFLY switch modchip

[CarlosCruz]

@bepaqui Nop. Only from the modchip, just fir try.

 

[bepaqui]

@bepaqui Nop. Only from the modchip, just fir try.

I already did that, black screen.

 

[Frays]

I've been reading through the modchip source code, and I am by no means a veteran embedded engineer, so naturally it is a bit of a puzzle to me. I stumbled upon the `mariko_bct.h` file inside the repository, and I am struggling to figure out what it means. I know bct stands for boot configuration table, and mariko is the codename for the v2 switch. However, what are the buffers defined inside this header file? Did rehius define them themselves, or did they find them elsewhere? I presume this code is injected whenever the glitch succeeds and sets up the boot configuration to load the custom bootloader?

 

[Paulo_Suzuki]

My problem was thin wires on the CLK, after this information I managed to solve it, for the CLK it can't be thin wires!

 

[BlueBeans]

Has anyone bought pico chips and had them not flash a green light when dropping the file onto them? I have three here. I’m not sure if it’s the chip itself or maybe the led. I bought 30 of them.

 

[jkyoho]

Has anyone bought pico chips and had them not flash a green light when dropping the file onto them? I have three here. I’m not sure if it’s the chip itself or maybe the led. I bought 30 of them.

same here, I got tiny from waveshare official site and they came with RGB test code out of box. Nuke them and put v2.75 fw on it but no success flash after that. Howevevr, I do have ** code when replugin to PC without holding boot button after fw flashed. So they are good to bang on.
Just make sure you have ** code and you should be good

 

[BlueBeans]

same here, I got tiny from waveshare official site and they came with RGB test code out of box. Nuke them and put v2.75 fw on it but no success flash after that. Howevevr, I do have ** code when replugin to PC without holding boot button after fw flashed. So they are good to bang on.
Just make sure you have ** code and you should be good

What do you mean by ** code?

 

[jkyoho]

What do you mean by ** code?

2x short pulse yellow led
https://gbatemp.net/posts/10090767/

 

[BlueBeans]

2x short pulse yellow led
https://gbatemp.net/posts/10090767/

Duh I’ll plug them back in and see what happens

 

[abal1000x]

I've been reading through the modchip source code, and I am by no means a veteran embedded engineer, so naturally it is a bit of a puzzle to me. I stumbled upon the `mariko_bct.h` file inside the repository, and I am struggling to figure out what it means. I know bct stands for boot configuration table, and mariko is the codename for the v2 switch. However, what are the buffers defined inside this header file? Did rehius define them themselves, or did they find them elsewhere? I presume this code is injected whenever the glitch succeeds and sets up the boot configuration to load the custom bootloader?

I believe he just copy from spacecraft-nx
https://github.com/Spacecraft-NX/firmware/blob/master/firmware/src/mariko_bct.h

 

[superxoi]

As I said I removed the emmc adapter, I only have pictures of CPU flex, 3.3V, A and D. B is disconnected and C is also disconnected. I have no training video but it totally worked the first time before reassembly. This is bizarre.

Post automatically merged: Dec 1, 2023

I did try with all wires off the modchip, you mean I should disconnect all wires from the board too? Will that make a difference...?

Post automatically merged: Dec 1, 2023

Sorry I meant to also reply here.

your solder points are good. no, your 3.3v would not have touched the shield because i do more than 40 oleds now with bridging 2 caps and the blob is bigger than yours but no problem. rst when connected is 1.3 and 0 when disconnecting are normal. not sure what caused your problem to be like this but i had 2 cases maybe it will be a reference for you. 1 was that i used clone hwfly rp2040 the console worked but when turned off i couldn't launch the console anymore (black screen) but my in my case i could boot into hekate, after 2 days putting it aside it booted nomrally again. the 2nd one was that i used rp2040-zero it gave the code of emmc cmd1 block, i tried everything for an hour but turned out it was the chip being faulty. hope it help you somehow.

 

[BlueBeans]

It fits perfect here (close to the speaker), just make sure everything is insulated because the shield goes very close to the edge of rp2040 on this position.
I took this picture before covering everything in kapton so again, make sure you don't short something

That’s a neat way to do it. Do you still cut the shield?

 

[Arakon]

That’s a neat way to do it. Do you still cut the shield?

I didn't have to cut anything at all. Buttons, regulator and USB port were removed, of course.

 

[QuiTim]

That’s a neat way to do it. Do you still cut the shield?

No, but as I said, you need to be careful as it is really a tight fit and the solder points are right below the rp2040 so make sure you use 38/40awg preferably single core as it makes everything easier. And you need to make sure you route those red wires on the yellow or green path (see pic) because the way they are placed on the picture does not work. This takes quite some time so if you are doing alot of these (which i'm not) maybe trimming the rp2040 (as suggested above) is not a bad idea.

 

[bepaqui]

your solder points are good. no, your 3.3v would not have touched the shield because i do more than 40 oleds now with bridging 2 caps and the blob is bigger than yours but no problem. rst when connected is 1.3 and 0 when disconnecting are normal. not sure what caused your problem to be like this but i had 2 cases maybe it will be a reference for you. 1 was that i used clone hwfly rp2040 the console worked but when turned off i couldn't launch the console anymore (black screen) but my in my case i could boot into hekate, after 2 days putting it aside it booted nomrally again. the 2nd one was that i used rp2040-zero it gave the code of emmc cmd1 block, i tried everything for an hour but turned out it was the chip being faulty. hope it help you somehow.

Thank you, my case is looking awfully similar to your first one with the exception of the Hekate boot, it's also looking awfully similar to a tvpartsworld video I'll link but I don't have a USB power meter and my max chip doesn't get hot when connecting the battery, have not tried usb cable yet in fear of damaging it.



What I hate the most is that it might have been the chip or something, which is a clone... Doubt I actually did something wrong, my soldering looks spot on at least in my eyes and I've seen way more botched installations on this very thread that worked perfectly!

I ordered the MAX77812EWB+T chip off mouser just in case I guess because I can't think of anything else that'd be at fault here. Is it worth getting a proper hwfly or instinct chip to see if it "revives" my switch? I've seen that happen on some skhynix oleds in some forum posts.

 

[Frays]

I believe he just copy from spacecraft-nx

It doesn't look like it to me, although probably providing a similar purpose, the mariko bct used in picofly's repository differs from the spacecraft one. Furthermore, the picofly provides some kind of key which is presumably used by the bootrom to verify the contents of the bct data, effectively spoofing it. That's my interpretation of it anyway

 

[Hassal]

Thank you, my case is looking awfully similar to your first one with the exception of the Hekate boot, it's also looking awfully similar to a tvpartsworld video I'll link but I don't have a USB power meter and my max chip doesn't get hot when connecting the battery, have not tried usb cable yet in fear of damaging it.



What I hate the most is that it might have been the chip or something, which is a clone... Doubt I actually did something wrong, my soldering looks spot on at least in my eyes and I've seen way more botched installations on this very thread that worked perfectly!

I ordered the MAX77812EWB+T chip off mouser just in case I guess because I can't think of anything else that'd be at fault here. Is it worth getting a proper hwfly or instinct chip to see if it "revives" my switch? I've seen that happen on some skhynix oleds in some forum posts.

If your problem is a burned component, installing another modchip will not help you. In terms of debugging, HWFLY has more capability than Picofly.

 

[LuigiGad]

I had a problem I've never seen on this OLED. installation completed successfully, eMMC created, everything ok. the next day I turn it on and I have graphic artifacts and continuous freezes. by moving the wires a little it resumes but I have a Blue screen in the original and a yellow screen already created in the eMMC. I solve it with an unbrick level 1. what could be the cause?
The installation is perfect, I'm experienced enough to say, all the values were in the norm in fact the first day it worked perfectly. I also changed modchips no improvement. Now it works perfectly.

 

[QuiTim]

I had a problem I've never seen on this OLED. installation completed successfully, eMMC created, everything ok. the next day I turn it on and I have graphic artifacts and continuous freezes. by moving the wires a little it resumes but I have a Blue screen in the original and a yellow screen already created in the eMMC. I solve it with an unbrick level 1. what could be the cause?
The installation is perfect, I'm experienced enough to say, all the values were in the norm in fact the first day it worked perfectly. I also changed modchips no improvement. Now it works perfectly.

Had this a while ago (hwfly chip). Still don't know for sure what the cause was but maybe you could try and do as I did and hopefully it works for you too.
https://gbatemp.net/threads/help-weird-oled-issue-after-chip-installation.630850/

 

[abal1000x]

It doesn't look like it to me, although probably providing a similar purpose, the mariko bct used in picofly's repository differs from the spacecraft one. Furthermore, the picofly provides some kind of key which is presumably used by the bootrom to verify the contents of the bct data, effectively spoofing it. That's my interpretation of it anyway

When you backup your emmc, you got file BOOT0 that is the bct partition.

Spcecraft extract the whole bct into the header file.
https://github.com/Spacecraft-NX/firmware/blob/master/firmware/src/mariko_bct.h

Picofly used part of it.
https://github.com/rehius/usk/blob/main/mariko_bct.h
Then generate the whole bct in prepare_mariko_bct() such that it become like in the spacecraft table.
https://github.com/rehius/usk/blob/6530fd9fe58980ea03d47905bad5e871b9439b7a/payload.c#L700C6-L700C26
Maybe this is to reduce the size.

Basically both use the same binary.

This is the reference:
https://switchbrew.org/wiki/BCT

the sign part is the 0x0220-0x320 (RsaPssSig)
and the data is from the encrypted part 0x0480-end (RandomAesBlock-end)

Post automatically merged: Dec 2, 2023

I had a problem I've never seen on this OLED. installation completed successfully, eMMC created, everything ok. the next day I turn it on and I have graphic artifacts and continuous freezes. by moving the wires a little it resumes but I have a Blue screen in the original and a yellow screen already created in the eMMC. I solve it with an unbrick level 1. what could be the cause?
The installation is perfect, I'm experienced enough to say, all the values were in the norm in fact the first day it worked perfectly. I also changed modchips no improvement. Now it works perfectly.

What method you use on the Dat0?