Hacking Hardware Picofly - a HWFLY switch modchip

binkinator (Garfield’s Fitness Coach, GBAtemp Patron, joined Mar 29, 2021, United States):

> Hopefully, will work.
>
> By the way, does somebody know a way to connect the MMC of a switch directly to a PC using a "SD Card" adapter, and use something like https://github.com/eliboa/NxNandManager to edit the Boot 0 and recover from a V2 or Lite with AutoRCM enabled?

I did this for my eMMC upgrade. Based on @evil_santa ’s recommendation I used one of these:

https://www.aliexpress.us/item/3256803361643934.html


It worked great for a direct copy from my original eMMC to my big one.

Have also heard good things about this one but haven’t used one myself:

https://www.tindie.com/products/ignas/emmc-reader-for-hac-emmc/

This software works for both:

https://github.com/ignasurba/mmcblkNX
 

Piorjade (Well-Known Member, joined Nov 8, 2015, The Gambia):

> Now when I flashed the hwfly boot0 and rebooted before attempting to launch in HOS I was greeted with the white LED again as if this was its first boot; this makes me believe it's coded to rewrite boot0 if the data/checksum/whatever doesn't match its own code.
I've said this before, but this is exactly what HWFLY-NX does too.

At boot it verifies that the BCTs are the same as the HWFLY ones; if not, it re-flashes them. Afterwards it does the same for the actual payload (SD loader).

This whole BEK thing is probably happening in the payload/SD loader, which is why it's useless to try to fix boot0 from Hekate, as the boot0 gets rewritten by the firmware before Hekate boots.
 

FruithatMods (Well-Known Member, joined Dec 16, 2018, Germany):

> I've said this before, but this is exactly what HWFLY-NX does too.
>
> At boot it verifies that the BCTs are the same as the HWFLY ones; if not, it re-flashes them. Afterwards it does the same for the actual payload (SD loader).
>
> This whole BEK thing is probably happening in the payload/SD loader, which is why it's useless to try to fix boot0 from Hekate, as the boot0 gets rewritten by the firmware before Hekate boots.
This is actually a good thing.

During a HOS firmware update boot0 gets overwritten. If the rp2040 chip doesn't check boot0 and overwrite it when it is different, we will not be able to boot into hekate after a fw update.
 

rulles (Member, Newcomer, joined Feb 7, 2023, Portugal):

> I did this for my eMMC upgrade. Based on @evil_santa ’s recommendation I used one of these:
>
> https://www.aliexpress.us/item/3256803361643934.html
>
> It worked great for a direct copy from my original eMMC to my big one.
>
> Have also heard good things about this one but haven’t used one myself:
>
> https://www.tindie.com/products/ignas/emmc-reader-for-hac-emmc/
>
> This software works for both:
>
> https://github.com/ignasurba/mmcblkNX

From my understanding, you use these things to "clone" your eMMC and replace it with a bigger one.
Is that right?!
 

Piorjade (Well-Known Member, joined Nov 8, 2015, The Gambia):

> This is actually a good thing.
>
> During a HOS firmware update boot0 gets overwritten. If the rp2040 chip doesn't check boot0 and overwrite it when it is different, we will not be able to boot into hekate after a fw update.
Yeah, exactly. But this is the reason we won't be able to make the current half-working firmware work via Hekate shenanigans. Either somebody somehow finds the payload in the binary .uf2 file and overwrites it, or we write this thing from scratch, which will take some time.
 

sith (Well-Known Member, joined Apr 10, 2007, United States):

> From my understanding, you use these things to "clone" your eMMC and replace it with a bigger one.
> Is that right?!

Seems that is what is being said, though that is completely unnecessary as you can just do everything through hekate: clone your nand bkp onto the larger emmc and then expand the partition. I put a 256gb in mine without anything other than the emmc board and a big microsd.

edit: bink points out below, only true for v1 consoles.
 

FruithatMods (Well-Known Member, joined Dec 16, 2018, Germany):

> Yeah, exactly. But this is the reason we won't be able to make the current half-working firmware work via Hekate shenanigans. Either somebody somehow finds the payload in the binary .uf2 file and overwrites it, or we write this thing from scratch, which will take some time.

I think we could do both.
If we know what exact payload it is writing to the emmc we can start looking for it in the uf2 or bin file.

It is better to have an rp2040 which can be updated from the beginning though, in case there is some logic in this closed firmware which was badly coded.
 

binkinator (Garfield’s Fitness Coach, GBAtemp Patron, joined Mar 29, 2021, United States):

> Seems that is what is being said, though that is completely unnecessary as you can just do everything through hekate: clone your nand bkp onto the larger emmc and then expand the partition. I put a 256gb in mine without anything other than the emmc board and a big microsd.
As long as you’re on a V1, this is correct.
 

Piorjade (Well-Known Member, joined Nov 8, 2015, The Gambia):

> I think we could do both.
> If we know what exact payload it is writing to the emmc we can start looking for it in the uf2 or bin file.
>
> It is better to have an rp2040 which can be updated from the beginning though, in case there is some logic in this closed firmware which was badly coded.
We can find the payload that was written in the boot0 if somebody provides a boot0 dump after using the current firmware. We can look at the BCTs in the boot0 dump and find out where the payload was written. Then we'll need to look for the same payload in the .uf2 firmware.
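The two steps the posters describe (the chip comparing boot0 regions against what it expects and re-flashing whatever differs, and then searching the .uf2 for the payload bytes taken from a boot0 dump) can be prototyped offline. The following is an added example, not code from the Picofly or HWFLY-NX projects or from anyone in this thread. The UF2 block layout, the RP2040 flash base (0x10000000) and its family ID are the public format constants; the region table `FAKE_REGIONS`, the payload bytes and the sample boot0/UF2 contents are constructed stand-ins and say nothing about where the real firmware puts anything.

```python
import hashlib
import struct

# UF2 container layout (public format used by RP2040 bootloaders):
# 32-byte header, 476 data bytes, 4-byte trailing magic = 512-byte block.
UF2_MAGIC_START0 = 0x0A324655
UF2_MAGIC_START1 = 0x9E5D5157
UF2_MAGIC_END = 0x0AB16F30
UF2_FLAG_FAMILY_ID = 0x00002000
RP2040_FAMILY_ID = 0xE48BFF56
RP2040_FLASH_BASE = 0x10000000
UF2_BLOCK = struct.Struct("<8I476sI")  # 8 u32 fields, 476 data bytes, end magic


def parse_uf2(blob: bytes) -> dict:
    """Return {target_address: data} for each block; reject malformed blocks."""
    if len(blob) % UF2_BLOCK.size:
        raise ValueError("UF2 size is not a multiple of 512 bytes")
    chunks = {}
    for off in range(0, len(blob), UF2_BLOCK.size):
        (m0, m1, _flags, addr, size, _blk, _nblk, _fam,
         data, mend) = UF2_BLOCK.unpack_from(blob, off)
        if (m0, m1, mend) != (UF2_MAGIC_START0, UF2_MAGIC_START1, UF2_MAGIC_END):
            raise ValueError(f"bad UF2 magic in block at file offset {off:#x}")
        if size > 476:
            raise ValueError(f"payload size {size} exceeds 476 at offset {off:#x}")
        chunks[addr] = data[:size]
    return chunks


def flatten(chunks: dict, fill: bytes = b"\xff") -> tuple:
    """Lay the blocks out as one contiguous flash image; return (base_addr, image)."""
    base = min(chunks)
    end = max(a + len(d) for a, d in chunks.items())
    image = bytearray(fill * (end - base))
    for addr, data in chunks.items():
        image[addr - base:addr - base + len(data)] = data
    return base, bytes(image)


def changed_regions(dump: bytes, reference: bytes, regions: dict) -> list:
    """Names of regions whose SHA-256 differs between a boot0 dump and a reference.
    Mirrors the check described in the thread: compare, then re-flash what differs."""
    return [
        name for name, (off, length) in regions.items()
        if hashlib.sha256(dump[off:off + length]).digest()
        != hashlib.sha256(reference[off:off + length]).digest()
    ]


def locate_in_uf2(uf2_blob: bytes, needle: bytes) -> list:
    """Flash addresses at which `needle` appears in the firmware carried by the UF2."""
    base, image = flatten(parse_uf2(uf2_blob))
    hits, i = [], image.find(needle)
    while i != -1:
        hits.append(base + i)
        i = image.find(needle, i + 1)
    return hits


# ---- constructed sample data (not real Picofly/HWFLY contents) ----
FAKE_PAYLOAD = bytes(range(0x60, 0x80)) * 4                          # 128 recognisable bytes
FAKE_REGIONS = {"bct": (0x0000, 0x1000), "payload": (0x1000, 128)}  # hypothetical layout


def build_sample_uf2() -> bytes:
    """Three 256-byte blocks at the RP2040 flash base; the payload sits in block 1."""
    out = bytearray()
    for i in range(3):
        data = bytearray(256)
        if i == 1:
            data[64:64 + len(FAKE_PAYLOAD)] = FAKE_PAYLOAD
        data += bytes(476 - 256)
        out += UF2_BLOCK.pack(UF2_MAGIC_START0, UF2_MAGIC_START1, UF2_FLAG_FAMILY_ID,
                              RP2040_FLASH_BASE + i * 256, 256, i, 3,
                              RP2040_FAMILY_ID, bytes(data), UF2_MAGIC_END)
    return bytes(out)


def build_sample_boot0() -> bytes:
    """A 16 KiB stand-in for a boot0 dump with the payload written at 0x1000."""
    boot0 = bytearray(b"\xff" * 0x4000)
    boot0[0x1000:0x1000 + len(FAKE_PAYLOAD)] = FAKE_PAYLOAD
    return bytes(boot0)


if __name__ == "__main__":
    reference = build_sample_boot0()
    tampered = bytearray(reference)
    tampered[0x1010] ^= 0xFF                      # simulate a HOS update touching boot0
    print("regions to re-flash:", changed_regions(bytes(tampered), reference, FAKE_REGIONS))
    off, length = FAKE_REGIONS["payload"]
    print("payload found in UF2 at:",
          [hex(a) for a in locate_in_uf2(build_sample_uf2(), reference[off:off + length])])
```

With a real boot0 dump taken before and after the chip's first boot, `changed_regions` over the BCT slots shows exactly which ranges the firmware rewrote, and the bytes of the rewritten range become the `needle` for `locate_in_uf2`. Flattening the UF2 first matters because a payload can straddle two 476-byte blocks and would be missed by searching block by block.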
 

FruithatMods (Well-Known Member, joined Dec 16, 2018, Germany):

> We can find the payload that was written in the boot0 if somebody provides a boot0 dump after using the current firmware. We can look at the BCTs in the boot0 dump and find out where the payload was written. Then we'll need to look for the same payload in the .uf2 firmware.
Good! Then we are all on the same page.

If someone here has a switch with a removable emmc who wants to dump the firmware after attaching the waveshare board let us all know!
 

Piorjade (Well-Known Member, joined Nov 8, 2015, The Gambia):

> Good! Then we are all on the same page.
>
> If someone here has a switch with a removable emmc who wants to dump the firmware after attaching the waveshare board let us all know!
I don't know personally, but can't Hekate dump boot0 itself? That way no eMMC removing will be needed.
 

Tafty (Well-Known Member, joined Sep 23, 2016):

> Good! Then we are all on the same page.
>
> If someone here has a switch with a removable emmc who wants to dump the firmware after attaching the waveshare board let us all know!

You can dump the boot0 with hekate... I can provide anyone with the boot0 based on the current Linux firmware we have, but I can't post it here obviously, so it makes more sense for anyone that wants it to PM me and I will send it across.
 

binkinator (Garfield’s Fitness Coach, GBAtemp Patron, joined Mar 29, 2021, United States):

> So, this only works in switch V1? In V2 that is not possible?!
V1 can boot up and act as an SD Card reader with a blank eMMC in place because you can inject a payload. Can’t do this with a Mariko. With Mariko you need a working eMMC so catch-22. This is where the cheap SDCard to eMMC reader comes in.
 
