Hacking Hardware Picofly - a HWFLY switch modchip

CompSciOrBust

CompSciOrBust

🤔
Member
Level 11
Joined
Sep 9, 2019
Messages
904
Trophies
1
Location
Switch scene
Website
github.com
XP
2,663
Country
Korea, North
FruithatMods said:
The width of the glitch line on the previously posted image is how tight the timing is. I think that is a good starting point as it is a known working variable.
Click to expand...
The HWFly-NX firmware GitHub repo has known good start points for both glitch width and glitch offset for Erista and Mariko. If you guys are going to build your own glitch chip why reinvent the wheel? Just use HWFly-NX but replace the FPGA communication code with PIO stuff.
 
  • Like
Reactions: binkinator
Piorjade

Piorjade

Well-Known Member
Member
Level 4
Joined
Nov 8, 2015
Messages
142
Trophies
0
XP
407
Country
Gambia, The
To anybody who's bored and knows a bit about the HWFLY-NX firmware, what the hell is this code at line 69 (nice) in firmware/src/payload.c?
(Link: https://github.com/hwfly-nx/firmware/blob/master/firmware/src/payload.c)

1675126022495.png


The BCT offsets above that (0, 0x20, 0x40, 0x60) all make sense if you multiple them by 512 (I've guessed that that's the block size), you get the exact offsets the wiki says:

1675126196298.png


Only this "payload", which I assume is the actual HWFLY / Spacecraft firmware, seemingly makes no sense why the offset is 0x1F80 * 512 = 0xE9E000

package1 (NX Bootloader and stuff like that) starts at 0x100000, this payload is way beyond that and I haven't found anything for this address space..


I'm just curious and learning the code though, please don't get any wrong ideas.
 
  • Like
Reactions: peteruk, binkinator and impeeza
binkinator

binkinator

Garfield’s Fitness Coach
Member
GBAtemp Patron
Level 16
Joined
Mar 29, 2021
Messages
6,511
Trophies
2
XP
6,155
Country
United States
Mansi said:
~52mHz. Need use CMD, CLK, D0 pins.
Click to expand...
It HAS to be 52mHz? That’s fast. My little guy only does 24MHz but has met all my needs (up until today.) I will look into a faster one but it’s probably going to be too pricey.
 
  • Like
Reactions: impeeza
FruithatMods

FruithatMods

Well-Known Member
Member
Level 4
Joined
Dec 16, 2018
Messages
128
Trophies
0
Age
34
XP
450
Country
Germany
Because it is a lot simpler writing c than reading c.

For instance if I were to code the emmc read/write portion of the modchip I would simply hold the reset line to make sure the cpu is off while boot0 is being read and written to.

Is there something wrong with this logic?

If we get a full logic analyser dump we can see if that is how it is already being done. ;) isn't that part done in the fpga?
 
Last edited by FruithatMods,
  • Like
Reactions: binkinator and impeeza
T

TheSynthax

Well-Known Member
Member
Level 4
Joined
Apr 29, 2018
Messages
220
Trophies
0
XP
509
Country
United States
brecht6 said:
Are you guys now in the first phase of figuring it out or already implementig it?
Click to expand...
Just documenting the functionality with a logic analyzer right now, need someone with a fast enough analyzer or scope with enough channels and a working HWFLY or SX-Core/Lite to hook into each of the points and test it during a normal boot, while training, and during a glitch boot.
 
  • Like
Reactions: FruithatMods
saladus

saladus

Well-Known Member
Newcomer
Level 2
Joined
Dec 26, 2022
Messages
95
Trophies
0
Location
your router's unprotected root shell
XP
170
Country
Romania
CompSciOrBust said:
The HWFly-NX firmware GitHub repo has known good start points for both glitch width and glitch offset for Erista and Mariko. If you guys are going to build your own glitch chip why reinvent the wheel? Just use HWFly-NX but replace the FPGA communication code with PIO stuff.
Click to expand...
i think this would be better than making it from scratch honestly :lol:. why try and figure out what the hwfly does when you have what it does nicely packed in a github repo
 
  • Like
Reactions: CompSciOrBust
B

ByteFun

Member
Newcomer
Level 1
Joined
May 6, 2021
Messages
17
Trophies
0
Age
34
XP
85
Country
Russia
Piorjade said:
To anybody who's bored and knows a bit about the HWFLY-NX firmware, what the hell is this code at line 69 (nice) in firmware/src/payload.c?
(Link: https://github.com/hwfly-nx/firmware/blob/master/firmware/src/payload.c)

View attachment 350292

The BCT offsets above that (0, 0x20, 0x40, 0x60) all make sense if you multiple them by 512 (I've guessed that that's the block size), you get the exact offsets the wiki says:

View attachment 350293

Only this "payload", which I assume is the actual HWFLY / Spacecraft firmware, seemingly makes no sense why the offset is 0x1F80 * 512 = 0xE9E000

package1 (NX Bootloader and stuff like that) starts at 0x100000, this payload is way beyond that and I haven't found anything for this address space..


I'm just curious and learning the code though, please don't get any wrong ideas.
Click to expand...
0x1F80 * 0x200 = 0x3F0000
Maybe it's not a block number, but an address? (1F80)
 
Piorjade

Piorjade

Well-Known Member
Member
Level 4
Joined
Nov 8, 2015
Messages
142
Trophies
0
XP
407
Country
Gambia, The
ByteFun said:
0x1F80 * 0x200 = 0x3F0000
Maybe it's not a block number, but an address? (1F80)
Click to expand...
Lmao how did I get this multiplication wrong? Maybe I was too sleep deprived.
Anyway, the function "mmc_check_and_if_different_write" internally calls "mmc_read" with the same parameter. mmc_read only reads a single full block, which is 512 bytes.

So this has to be a block number (0x1F80) and its actual address is 0x3F0000.
Problem is, 0x3F0000 still doesn't make sense to me.

(sigh) This code has as little documentation as I write at work :(
 
  • Like
Reactions: impeeza and FruithatMods
Piorjade

Piorjade

Well-Known Member
Member
Level 4
Joined
Nov 8, 2015
Messages
142
Trophies
0
XP
407
Country
Gambia, The
Mansi said:
Im dumped my old switch emmc witch progger(UFPI).
On the example of these files, you can understand at what addresses the code is being changed. With such success, you can write such a glitch from scratch. The source code of hwfly is there and everything is described there.

The problem is that I'm not strong in the C language (
Click to expand...
Thank you! It seems like 0x3F0000 isn't a special memory address used by Nintendo, if your dump is complete and legit.
I think this is just empty space which HWFLY / Spacecraft-NX uses to store the custom payload. Man I'm dumb..

This means the BCT must redirect the bootloader to run the code at this address next instead of package1ldr

(Left is the "no glitch" file and right is the glitched file)

1675160774480.png
 
  • Like
Reactions: Mansi, binkinator, ByteFun and 3 others
L

lemongrab

New Member
Newbie
Level 1
Joined
Jan 31, 2023
Messages
3
Trophies
0
Age
36
XP
59
Country
Germany
linuxares said:
But you couldn't encrypt the rp2040!!!
Click to expand...
IIRC someone said if you change portions of the code it won't work so my guess is they hardcode the flash ID then checksum the code with the ID in it and if the code is modified it quits. The checksum code is obfuscated to make it harder to circumvent. That would be a basic measure to ensure you can't just copy the flash and change the ID.
 
  • Like
Reactions: impeeza
B

ByteFun

Member
Newcomer
Level 1
Joined
May 6, 2021
Messages
17
Trophies
0
Age
34
XP
85
Country
Russia
lemongrab said:
IIRC someone said if you change portions of the code it won't work so my guess is they hardcode the flash ID then checksum the code with the ID in it and if the code is modified it quits. The checksum code is obfuscated to make it harder to circumvent. That would be a basic measure to ensure you can't just copy the flash and change the ID.
Click to expand...
Have you seen the code? There is a large data segment with high entropy. Specifying an identifier and simply comparing it is too stupid a defense.
 
  • Like
Reactions: impeeza
Mansi

Mansi

Well-Known Member
Newcomer
Level 3
Joined
Jan 14, 2023
Messages
70
Trophies
0
Age
30
XP
331
Country
Belarus
Piorjade said:
Thank you! It seems like 0x3F0000 isn't a special memory address used by Nintendo, if your dump is complete and legit.
I think this is just empty space which HWFLY / Spacecraft-NX uses to store the custom payload. Man I'm dumb..

This means the BCT must redirect the bootloader to run the code at this address next instead of package1ldr

(Left is the "no glitch" file and right is the glitched file)

View attachment 350367
Click to expand...
yep. Im used https://github.com/hwfly-nx/firmware 0.72 version.
check firmware 0.72 in archive. find on HEX this bytes)
Post automatically merged:

my dumps fully work)
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

mig switch not working/updating??

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

Homebrew Tutorial  Setup a DevKitPro environment on Windows.

Homebrew  I accidentally updated to fw 18.0 on my switch in cfw and now I am getting an error that says unknown pkg1 version. please help me find a solution

General chit-chat
Help Users
    K3Nv2 @ K3Nv2: 16 is becoming bare minimum for today's gaymes +1