Well, since some guys are still reversing the firmware, and PIO has been completely spoiled by flynn, here is the (v2.6) PIO code with my comments. actually, that is the heart of the firmware, like the FPGA part of hwfly.
This reveals like half of inventions totally made.
This reveals like half of inventions totally made.
Code:
.program sd_clk
.side_set 1
.wrap_target
; open-drain RST switcher to keep the CPU in reset state
set pindirs, 0 side 1 ; side-set push-pull eMMC clocker (2mA limit is set to prevent damage)
irq clear 0 side 0 ; rising edge sync made with IRQs
set pindirs, 1 side 1
irq clear 0 side 0
.wrap
.program out_cmd_or_dat
.wrap_target
out x, 16 ; first word is the write size
irq wait 0 [1] ; the next cmd will go on falling edge
send_loop:
out pindirs, 1 ; use open-drain just in case, to prevent 3.3v damage
jmp x-- send_loop
irq clear 1 ; unblock the reader
out NULL, 32 ; clear the osr
.wrap
.program in_cmd_or_dat
.wrap_target
out x, 32 ;get read size
irq wait 1 ;wait for cmd send to finish
irq wait 0 ;sync with clock, next cmd will go at rising edge
data_wait:
jmp pin, data_wait [1] ; sync pin wait with rising edge
read_loop:
in pins, 1 ; here we always at the rising edge
jmp x-- read_loop
push
.wrap
.program glitch_sniff_cmd
.wrap_target
next_loop:
mov x, osr ; mmc command pre-loaded bits count (48 - 1 - 1)
wait_for_start_bit:
wait 0 pin, 31
wait 1 pin, 31
jmp pin wait_for_start_bit ; wait for cmd start bit on the rising edge
wait 0 pin, 31
; waits separated by only 1 instruction, should be able to catch 50 MHz
in NULL, 1
read_loop:
wait 1 pin, 31
in pins, 1 ; command sniffer
wait 0 pin, 31
jmp x-- read_loop
irq clear 2 ; 'some cmd has passed' trigger
mov x, isr ; save the last 16 bit of command
push ; send the rest 16 bits of data
jmp x != y, next_loop ; compare the glitch pattern (0x1351, read block + crc)
irq clear 0 ; 'glitch pattern' trigger
.wrap
.program glitch_dat_waiter
.wrap_target
mov x, y ; data length pre-loaded counter (512 + 16 - 1)
wait_for_start_bit:
wait 0 pin, 30
wait 1 pin, 30
jmp pin wait_for_start_bit ; wait for dat start bit of the rising edge
wait 0 pin, 30
skip_loop_dat:
wait 1 pin, 30
;in pins, 1 ; data sniffer (not needed anymore, removed to fit 50mhz code)
wait 0 pin, 30
jmp x-- skip_loop_dat ; skip the required data ticks
irq clear 1 ; 'data transfer done' trigger
.wrap
.program glitch_trigger
.side_set 1
.wrap_target
out x, 32 side 0 ; receive wait timing
out y, 32 side 0 ; receive pulse timing
irq wait 0 side 0 ; wait for read 13
irq wait 1 side 0 ; wait for data transfer
irq wait 2 side 0 ; wait for status request (should be NOPped for Mariko)
irq wait 2 side 0 ; wait for status reply (should be NOPped for Mariko)
wait_for_timing:
jmp x--, wait_for_timing side 0
glitch_en:
jmp y--, glitch_en side 1
.wrap
- Joined
- Sep 2, 2020
- Messages
- 1,274
- Trophies
- 0
- Age
- 39
- Location
- TORONTO
- Website
- form.jotform.com
- XP
- 2,204
- Country
Lot of respects for you guys. Huge work here, congrats.
Can someone please give me the values of those resistor, red, blue, green, and those two mosfets in yellow ?
Also do you know with which software can we open leaked HWFly leaks schematics/ board files ? I tried Eagle/Kicad they are not working. Altium works but layout of pcb seems broken (see where the mosfet emplacement should be in white):
Thanks
Can someone please give me the values of those resistor, red, blue, green, and those two mosfets in yellow ?
Also do you know with which software can we open leaked HWFly leaks schematics/ board files ? I tried Eagle/Kicad they are not working. Altium works but layout of pcb seems broken (see where the mosfet emplacement should be in white):
Thanks
the PIO has been updated since v2.5, so yes, this one should be in the next fw
mainly, software update support
no idea, there are three more things to make & test for it
Hi, sorry for the inconvenience, but is there a diagram to install the chip with the hwfly Flex cables in the V2 and Oled? I saw that there is a diagram for the Lite that uses the third pin of the Flex cable to take it to the "cpu" pinout on the rp2040, I don't know if this also applies to the V2 and the Oled
Attachments
Similar threads
- No one is chatting at the moment.
-
-
-
@
Xdqwerty:
Is it safe to update a modded ps3?
Can I play online in pirated games? (with ps3hen either enabled or not) -
-
-
-
-
-
@
Xdqwerty:
@salazarcosplay, I used apollo save tool to activate my ps3 offline so i could play a game that wasnt working
-
S @ salazarcosplay:from what I understood. you load up the piratged game. you the clear the syscalls, then you play
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
