Toggle sidebar

Hacking Hardware Picofly - a HWFLY switch modchip

  • Thread starter Thread starter mathew77
  • Start date Start date
  • Views Views 3,669,957
  • Replies Replies 17,052
  • Likes Likes 15
Mansi said:
This dumped firmware for rp2040 glitch from china.
Used "picotool save all" command from linux.
Post automatically merged:

Tested on Switch Lite
Click to expand...
This sounds very interesting. Hopefully someone out there could decrypt the dump if possible.
 
  • Like
Reactions: binkinator
Mansi said:
This dumped firmware for rp2040 glitch from china.
Used "picotool save all" command from linux.
Post automatically merged:

Tested on Switch Lite
Click to expand...
Chucked this thing on an rp2040-zero I had (not soldered into any switch sadly, I am NOT even remotely that good at soldering) and it definitely looks to be doing something. Plugging it into a USB-C port makes the LED go blue, then rapidly switch to green then turn off, I don't have a clue what it's actually doing, but if it's doing what it's thought to be then I'm gonna seriously consider looking around for people in my local area with actual soldering skill to see if I can get it in a console. Consider my interest piqued.
 
  • Like
Reactions: Compi, binkinator, peteruk and 1 other person
What about SWD disabling in firmware. How to enable debugging?
Post automatically merged:

I found xref to encrypted data and, maybe, decryptor code. But i cant connect to target via swd port )
 
ByteFun said:
What about SWD disabling in firmware. How to enable debugging?
Post automatically merged:

I found xref to encrypted data and, maybe, decryptor code. But i cant connect to target via swd port )
Click to expand...
Pi pico have a swd port)

DreedPL said:
is this the correct pinout?
Click to expand...
yep
 
  • Like
Reactions: binkinator
I have some info about PicoFly so i'll share it with you.
1) Yes, it's really exist.
2) Yes, it can glitch (at least it definetely works with Switch Lite and Switch Oled).
3) Yes, you still need a cpu ribbon cable (V2 or higher).
4) The firmware is unique for each chip. Each chip has its own ID, and the firmware uses it for verification.
Example ID - Flash ID: D6 28 60 B8 1C 55 6A 25
5) You need three resistors (probably for protection?), ~45 ohm each.
Switch lite Solder scheme is attached (yes, it's low quality, but who cares?)
 

Attachments

  • RP-2040-Zero(lite).png
    RP-2040-Zero(lite).png
    3.4 MB · Views: 273
  • Like
  • Wow
  • Love
Reactions: Xavier91ns, lordelan, JonJaded and 12 others
PicoPro said:
I have some info about PicoFly so i'll share it with you.
1) Yes, it's really exist.
2) Yes, it can glitch (at least it definetely works with Switch Lite and Switch Oled).
3) Yes, you still need a cpu ribbon cable (V2 or higher).
4) The firmware is unique for each chip. Each chip has its own ID, and the firmware uses it for verification.
Example ID - Flash ID: D6 28 60 B8 1C 55 6A 25
5) You need three resistors (probably for protection?), ~45 ohm each.
Switch lite Solder scheme is attached (yes, it's low quality, but who cares?)
Click to expand...
Also, using the attached file you can get your RP-2040-Zero unique Flash ID.
Connect rp-2040-zero to the PC. Look at the COM port of the chip in the device manager.
Just drug-and-drop .uf2 to your chip and then connect to the COM port using PuTTY or KiTTY (or whatever you use). Strings with a Flash ID of your chip will appear in the console (Flash ID: XX XX XX XX XX XX XX XX).
 

Attachments

Last edited by PicoPro,
  • Like
  • Love
Reactions: ron2797k, whisky9, SylverReZ and 6 others
PicoPro said:
Also, using the attached file you can get your RP-2040-Zero unique Flash ID.
Connect rp-2040-zero to the PC. Look at the COM port of the chip in the device manager.
Just drug-and-drop .uf2 to your chip and then connect to the COM port using PuTTY or KiTTY (or whatever you use). Strings with a Flash ID of your chip will appear in the console (Flash ID: XX XX XX XX XX XX XX XX).
Click to expand...
Given the talk of encryption in the firmware, I'm assuming you can't just hex edit the flash dump to put your own flash ID in and make it work.
 
No
hippy dave said:
Given the talk of encryption in the firmware, I'm assuming you can't just hex edit the flash dump to put your own flash ID in and make it work.
Click to expand...
No! You need encrypt 2nd stage firmware with new key (generated with unique Flash ID)
Post automatically merged:

I'm still trying to enable debugging. I'm sure it's possible to patch the firmware and allow the debugger to connect, but I don't know how. This is my first arm debugging experience, never had any problems on x86/64)
 
Last edited by ByteFun,
  • Like
Reactions: Adran_Marit, darrin41, binkinator and 1 other person
PicoPro said:
Also, using the attached file you can get your RP-2040-Zero unique Flash ID.
Connect rp-2040-zero to the PC. Look at the COM port of the chip in the device manager.
Just drug-and-drop .uf2 to your chip and then connect to the COM port using PuTTY or KiTTY (or whatever you use). Strings with a Flash ID of your chip will appear in the console (Flash ID: XX XX XX XX XX XX XX XX).
Click to expand...
do you have the source code of this, I really start to learning hoy to code this bugger, and is fun.
 
PicoPro said:
I have some info about PicoFly so i'll share it with you.
1) Yes, it's really exist.
2) Yes, it can glitch (at least it definetely works with Switch Lite and Switch Oled).
3) Yes, you still need a cpu ribbon cable (V2 or higher).
4) The firmware is unique for each chip. Each chip has its own ID, and the firmware uses it for verification.
Example ID - Flash ID: D6 28 60 B8 1C 55 6A 25
5) You need three resistors (probably for protection?), ~45 ohm each.
Switch lite Solder scheme is attached (yes, it's low quality, but who cares?)
Click to expand...
Sir, I got my ID and still have hope for the release of this to become true.
 
PicoPro said:
Also, using the attached file you can get your RP-2040-Zero unique Flash ID.
Connect rp-2040-zero to the PC. Look at the COM port of the chip in the device manager.
Just drug-and-drop .uf2 to your chip and then connect to the COM port using PuTTY or KiTTY (or whatever you use). Strings with a Flash ID of your chip will appear in the console (Flash ID: XX XX XX XX XX XX XX XX).
Click to expand...

[/QUOTE]
PicoPro said:
I have some info about PicoFly so i'll share it with you.
1) Yes, it's really exist.
2) Yes, it can glitch (at least it definetely works with Switch Lite and Switch Oled).
3) Yes, you still need a cpu ribbon cable (V2 or higher).
4) The firmware is unique for each chip. Each chip has its own ID, and the firmware uses it for verification.
Example ID - Flash ID: D6 28 60 B8 1C 55 6A 25
5) You need three resistors (probably for protection?), ~45 ohm each.
Switch lite Solder scheme is attached (yes, it's low quality, but who cares?)
Click to expand...

Interesting 🤔
 
evil_santa said:
I think this is the right one

https://github.com/raspberrypi/pico-examples/blob/master/system/unique_board_id/unique_board_id.c
Click to expand...
the code is on C, I am not getting there yet.

If somebody likes, this is my code on Arduino:

C-like: 
#include "pico/unique_id.h"
String cadena;
String cadenaHex;

void setup() {
  Serial.begin(115200);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }
  // send an intro:
  Serial.println("\n\nPico Unique Board ID example:");
  Serial.println();
  pixels.begin();
}
 
void loop() { 
  pico_unique_board_id_t board_id;
  pico_get_unique_board_id(&board_id);
  cadena = "";
  cadenaHex = "";
  for (int i = 0; i < PICO_UNIQUE_BOARD_ID_SIZE_BYTES; ++i) {
    //Serial.write(board_id.id[i]);
    //Serial.write(13);
    //Serial.write(10);
    cadena += " ";
    cadena += board_id.id[i];
    cadenaHex += " ";
    cadenaHex += String(board_id.id[i], HEX);
    
  }
  Serial.println("Flash ID (int): " + cadena);
  Serial.println("Flash ID (hex): " + cadenaHex);
  delay(250);
}

I am using Raspberry Pi Pico/RP2040 https://github.com/earlephilhower/arduino-pico board library on the Arduino IDE, that have the unique_id.h file.
 
Last edited by impeeza,
  • Like
Reactions: peteruk, binkinator and ron2797k

Site & Scene News

Go to forum More news

Popular threads in this forum

Dusk for switch (TLoZ Twilight Princess port)

Homebrew  New Homebrew "Foil Server"?

Homebrew  Full List of N64 Recompilation Switch ports

Hacking  WiFi chip failing and can't boot. is it possible to enable Airplane Mode by editing system save files directly?

Homebrew Tutorial Translation Project  CS2SX — Write Nintendo Switch Homebrew in C#

Homebrew  Sonic Unleashed Recompiled (Homebrew Port)

Is it fixable

Hacking Emulation  Switch Prod Keys downloading from sites okay?