Hacking Hardware Picofly - a HWFLY switch modchip

Sort by date Sort by reaction score
T

TheSynthax

Well-Known Member
Member
Level 4
Joined
Apr 29, 2018
Messages
221
Trophies
0
XP
511
Country
United States
FruithatMods said:
On second thought it might not be very convenient to use the rp2040 as a usb emmc reader either. Wouldn't we be limited to the usb 1 speeds of the rp2040? 26kBs isn't a lot of fun when interfacing a lot of data.
Click to expand...
Not a big deal for just accessing boot0, but for dumping the entire eMMC it would take a while. Not necessary for just dumping the keys in case you need to reconstruct an image after a brick.
 
  • Like
Reactions: FruithatMods
A

achm3t

Member
Newcomer
Level 3
Joined
Apr 10, 2022
Messages
15
Trophies
0
Age
38
Location
Nursultan
XP
350
Country
Kazakhstan
FruithatMods said:
SD card readers which show up as mass storage devices can't be used to access boot0/boot1 AFAIK.

Unfortunately I don't actually have any adapter or card reader that can access boot0 over 1bit mode. If such a thing exists do say so.

FT232H with postal looks promising but it only works in Windows. It would be nice if we had a Linux equivalent which could access the partitions natively without having to clone them.

The adapter which uses a realtek chip is great but it can't be used in 1 bit mode. This one: https://www.tindie.com/products/ignas/emmc-reader-for-hac-emmc/

Using an rp2040 for this is actually a brilliant idea!
Post automatically merged:

On second thought it might not be very convenient to use the rp2040 as a usb emmc reader either. Wouldn't we be limited to the usb 1 speeds of the rp2040? 26kBs isn't a lot of fun when interfacing a lot of data.
Post automatically merged:

It looks like FT232H could be used in Linux with mmc-utils: https://github.com/mhei/mmc-utils
Click to expand...
Well, there is an Xbox 360 emmc reader project called PicoFlasher. https://github.com/X360Tools/PicoFlasher. It can read 16mb Xbox nand in spi mode and 4gb emmc in 1bit mode (according to only 4 pins required). Don’t know is it capable of reading boot 0/1. In windows definitely no, but Linux may be an option. I do have this picoflasher and a ft2232h reader (also used for Xbox 360 mods). If it can be helpful for the scene I can try, just give instructions what to do :).
 
  • Like
Reactions: ron2797k and peteruk
HenryMin

HenryMin

Well-Known Member
Member
Level 7
Joined
Jun 19, 2020
Messages
141
Trophies
0
XP
1,139
Country
Korea, South
I did research with my mariko console, and I realized that we need proper mariko_kek, mariko_bek, and sbk in keyslot to boot hos on mariko.
keyslots are 'write only', and we can easily write keys to keyslots using hekate bdk, so I just made keyslot validator/writer payload. (Based on Lockpick_RCM)

https://github.com/henryjmin/keyslot_writer/releases

Usage
1. Fill `keyslot.keys` and put it in the sd card path `sd:/switch/keyslot.keys`
2. Boot to hekate and chainload keyslot_writer.bin
3. Select `Validate keyslots` to validate keyslot 0-13
4. Select `Write to keyslots` to write mariko_kek, mariko_bek from file to keyslot 12, 13
5. Select `Reboot to hekate` (Do not select `Power off`)
6. Try to boot Atmosphere

Anyone who has installed rp2040 to mariko can try this method :P
 
  • Like
  • Wow
Reactions: TheSynthax, peteruk, Mansi and 11 others
OMAR1982

OMAR1982

Member
Newcomer
Level 2
Joined
Feb 17, 2023
Messages
18
Trophies
0
Age
41
XP
120
Country
Jordan
HenryMin said:
I did research with my mariko console, and I realized that we need proper mariko_kek, mariko_bek, and sbk in keyslot to boot hos on mariko.
keyslots are 'write only', and we can easily write keys to keyslots using hekate bdk, so I just made keyslot validator/writer payload. (Based on Lockpick_RCM)



Usage
1. Fill `keyslot.keys` and put it in the sd card path `sd:/switch/keyslot.keys`
2. Boot to hekate and chainload keyslot_writer.bin
3. Select `Validate keyslots` to validate keyslot 0-13
4. Select `Write to keyslots` to write mariko_kek, mariko_bek from file to keyslot 12, 13
5. Select `Reboot to hekate` (Do not select `Power off`)
6. Try to boot Atmosphere

Anyone who has installed rp2040 to mariko can try this method :P
Click to expand...
Did anybody try this method ? what is the result?
 
IgraBIT1

IgraBIT1

Member
Newcomer
Level 2
Joined
Jan 27, 2023
Messages
15
Trophies
0
Age
24
XP
122
Country
Russia
HenryMin said:
I did research with my mariko console, and I realized that we need proper mariko_kek, mariko_bek, and sbk in keyslot to boot hos on mariko.
keyslots are 'write only', and we can easily write keys to keyslots using hekate bdk, so I just made keyslot validator/writer payload. (Based on Lockpick_RCM)

https://github.com/henryjmin/keyslot_writer/releases

Usage
1. Fill `keyslot.keys` and put it in the sd card path `sd:/switch/keyslot.keys`
2. Boot to hekate and chainload keyslot_writer.bin
3. Select `Validate keyslots` to validate keyslot 0-13
4. Select `Write to keyslots` to write mariko_kek, mariko_bek from file to keyslot 12, 13
5. Select `Reboot to hekate` (Do not select `Power off`)
6. Try to boot Atmosphere

Anyone who has installed rp2040 to mariko can try this method :P
Click to expand...
does not work. all the same BEK is missing
 
Last edited by IgraBIT1,
IgraBIT1

IgraBIT1

Member
Newcomer
Level 2
Joined
Jan 27, 2023
Messages
15
Trophies
0
Age
24
XP
122
Country
Russia
HenryMin said:
I did research with my mariko console, and I realized that we need proper mariko_kek, mariko_bek, and sbk in keyslot to boot hos on mariko.
keyslots are 'write only', and we can easily write keys to keyslots using hekate bdk, so I just made keyslot validator/writer payload. (Based on Lockpick_RCM)

https://github.com/henryjmin/keyslot_writer/releases

Usage
1. Fill `keyslot.keys` and put it in the sd card path `sd:/switch/keyslot.keys`
2. Boot to hekate and chainload keyslot_writer.bin
3. Select `Validate keyslots` to validate keyslot 0-13
4. Select `Write to keyslots` to write mariko_kek, mariko_bek from file to keyslot 12, 13
5. Select `Reboot to hekate` (Do not select `Power off`)
6. Try to boot Atmosphere

Anyone who has installed rp2040 to mariko can try this method :P
Click to expand...
 

Attachments

  • BmOnjcEvK3MeIiXUfZYqNGIYplR6mvV4gjJKAMElUxi2kfyKrlVU8uDNWSGpZg4quxa81UE57j0SNmL3djxW5G75.jpg
    BmOnjcEvK3MeIiXUfZYqNGIYplR6mvV4gjJKAMElUxi2kfyKrlVU8uDNWSGpZg4quxa81UE57j0SNmL3djxW5G75.jpg
    1.7 MB · Views: 71
  • RUYvZxA_cIVaP2yVQkHSzm-1t9Chs6SI0xuWNUtzoOO3HR9x8jv0e5pqUwExh-VSffxTlr1gd6xiOledu-8tPHkO.jpg
    RUYvZxA_cIVaP2yVQkHSzm-1t9Chs6SI0xuWNUtzoOO3HR9x8jv0e5pqUwExh-VSffxTlr1gd6xiOledu-8tPHkO.jpg
    1.3 MB · Views: 79
  • dpZtGi72bHmOD7akQxIripKxkSzp2HqkHdBjyhk-vizxkvkYhLoN1zfhu5B7NsbDUWTpizYxxcnkSDEJNuL3oHXU.jpg
    dpZtGi72bHmOD7akQxIripKxkSzp2HqkHdBjyhk-vizxkvkYhLoN1zfhu5B7NsbDUWTpizYxxcnkSDEJNuL3oHXU.jpg
    1.4 MB · Views: 96
  • Like
Reactions: whisky9
peteruk

peteruk

Well-Known Member
Member
Level 18
Joined
Jun 26, 2015
Messages
3,005
Trophies
2
XP
7,374
Country
United Kingdom
Animage55 said:
So is this legit or not? Or do I have to go through 72 pages to figure it out?
Click to expand...

At a very high level here, yes the chip/pico is able to perform the glitch. However the very clever people here and elsewhere are working on the software (FW) to get it working.

They've been discussing the possibility of writing their own

The people working on this deserve a lot of credit, they're working hard for everyone's benefit.... be patient, could be next week, next month or never... Sit tight and enjoy the ride
 
  • Like
Reactions: SUPERBANEN, V800, Animage55 and 9 others
lenoa

lenoa

Active Member
Newcomer
Level 2
Joined
Feb 8, 2023
Messages
40
Trophies
0
Age
32
XP
195
Country
Iceland
does bek and kek always same id eventough we dump from our own switch?
Code: 
41XXXXXXXXXXXXXXXXXXXXXXXXXXXX7C
6AXXXXXXXXXXXXXXXXXXXXXXXXXXXX22
 
IgraBIT1

IgraBIT1

Member
Newcomer
Level 2
Joined
Jan 27, 2023
Messages
15
Trophies
0
Age
24
XP
122
Country
Russia
HenryMin said:
I did research with my mariko console, and I realized that we need proper mariko_kek, mariko_bek, and sbk in keyslot to boot hos on mariko.
keyslots are 'write only', and we can easily write keys to keyslots using hekate bdk, so I just made keyslot validator/writer payload. (Based on Lockpick_RCM)

https://github.com/henryjmin/keyslot_writer/releases

Usage
1. Fill `keyslot.keys` and put it in the sd card path `sd:/switch/keyslot.keys`
2. Boot to hekate and chainload keyslot_writer.bin
3. Select `Validate keyslots` to validate keyslot 0-13
4. Select `Write to keyslots` to write mariko_kek, mariko_bek from file to keyslot 12, 13
5. Select `Reboot to hekate` (Do not select `Power off`)
6. Try to boot Atmosphere

Anyone who has installed rp2040 to mariko can try this method :P
Click to expand...
they are not unique. it's always on mariko
 
  • Like
Reactions: lenoa
R

rehius

Well-Known Member
Member
Level 9
Joined
Feb 6, 2023
Messages
377
Trophies
1
Age
34
XP
1,790
Country
Canada
binkinator said:
Did you use two of them or just the one? I like how you did this one without the need for insulation. do you have a pic of the other one?
Click to expand...
Single
 

Attachments

  • mariko_s.jpeg
    mariko_s.jpeg
    116.3 KB · Views: 72
  • erista_s.jpeg
    erista_s.jpeg
    336.4 KB · Views: 96
  • erista_v.jpeg
    erista_v.jpeg
    327 KB · Views: 80
  • lite_v.jpeg
    lite_v.jpeg
    451.4 KB · Views: 75
  • Like
  • Love
Reactions: FruithatMods and binkinator

Site & Scene News

Go to forum More news

Popular threads in this forum

Paper Mario TTYD 60fps patch?

Paper Mario Thousand Year Door got leaked

Hacking Misc Tutorial  Eiyuden Chronicle Hundred Heroes save editing

TTYD patch for AMD black screen sewer issue?

Help a noob with if I need to update CFW to 18.0 or not

Is there any point upgrading to 18.0?

Paper Mario TTYD Resolution Patch?

Hacking Feedback Gaming Hardware Tutorial  Xenoblade Chronicles 3 Mod

General chit-chat
Help Users
    K3Nv2 @ K3Nv2: https://youtu.be/q1474nWP0bI?si=5v445vycfskxD3V8