Hacking Hardware Picofly - a HWFLY switch modchip

CompSciOrBust · Feb 2, 2023

FruithatMods said:
Did Sony ban the US airforce from using their PlayStation 3 consoles for Linux or did the US Air force just refuse to update their firmware in the end?

They ended up keeping them on a low firmware. They ended up in the hands of collectors eventually. Mr Mario made a video about one.

impeeza · Feb 2, 2023

no body says studying = intelligence nor studying = education.

xianxuhappy · Feb 2, 2023

I read the source code of hwfly and it looks like the custom bct directly overwrites the bct in emmc. so I think the startup process should look like this.
At the first boot, hwfly detects that the bct in emmc is not custom bct, and then directly replaces it with the custom bct.
When the SOC does a bct read, the read is already a custom bct. The fpga detects that the bct read is complete (20 Sectors)and performs a Glitch to skip the bct checksum.
But the problem this poses is that if I want to cancel the hack, the original bct has been overwritten and I have not found a backup.

impeeza · Feb 2, 2023

Probably no the same but this video show how a Voltage glitch is perform:

mrdude · Feb 2, 2023

FruithatMods said:
These are the world's most highly rated universities and schools which only admit the best of the best. I think it is safe to say that he is smarter than all of us here.

Actually it's where the people with enough wealth send their kids - you can buy your way into those universities, or you can get a diversity place. Some of the people that come out of those places are as thick as mince. Look at MP Diane Abbott as a prime example, she went to Cambridge and would get lost in a small square room with only one door in it.

FruithatMods · Feb 2, 2023

mrdude said:
Actually it's where the people with enough wealth send their kids

That's also true. Most people who get admitted into these institutions come from privileged backgrounds.

It doesn't mean they're not smart though. They are.

This doesn't mean there aren't any geniuses or smart kids from underprivileged backgrounds though!

Scientific studies have found that wealth is a bad indicator for intelligence. Just think about how many smart kids or geniuses there may be in the whole world who were never discovered!

Mansi · Feb 2, 2023

Listen, everything is done within the law.
Let's just say we're a group of engineers and we're trying to find vulnerabilities so we can document everything and provide it to Nintendo with a reward.
A week later...
The code is published in github and there is a mass installation of cheap chips)

vittorio · Feb 2, 2023

i was seeing that here are the updated bcts https://github.com/hwfly-nx/firmware

doom95 · Feb 2, 2023

xianxuhappy said:
I read the source code of hwfly and it looks like the custom bct directly overwrites the bct in emmc. so I think the startup process should look like this.
At the first boot, hwfly detects that the bct in emmc is not custom bct, and then directly replaces it with the custom bct.
When the SOC does a bct read, the read is already a custom bct. The fpga detects that the bct read is complete (20 Sectors)and performs a Glitch to skip the bct checksum.
But the problem this poses is that if I want to cancel the hack, the original bct has been overwritten and I have not found a backup.

there's 4 bct slots, acting as backups.
bootrom tries bct 1 first, but if it's not valid then it tries bct 2/3/4.
hwfly-nx overwrites bct1/2 and attempts to glitch the validity check.
if you replace the emmc with an empty one, nothing happens after bct2 fails unless bct3/4 were actually valid, so that's why hwfly-nx writes these with official ones. helps the fpga to detect if the glitch worked.

vittorio · Feb 2, 2023

theoretically we should be able to port everything to Raspberry

CompSciOrBust · Feb 2, 2023

Mansi said:
Listen, everything is done within the law.
Let's just say we're a group of engineers and we're trying to find vulnerabilities so we can document everything and provide it to Nintendo with a reward.
A week later...
The code is published in github and there is a mass installation of cheap chips)

That ain't gonna work buddy. Nintendo don't do bug bounties for hardware vulnerabilities (trust me I'm as disappointed as you are lol). Even if they did you've already admitted that what you're trying to do is replicate a vulnerability that is already public knowledge, and even if this were a novel method of hacking the console you've just publicly admitted that your intention is to make it open source by putting it on GitHub. Nice move 5head.

Deleted member 194275 · Feb 2, 2023

@CompSciOrBust In the end, bending the law is the skill that a Lawyer must have. It's about communication and persuasion and do require lots of skills, proper brain skills that differ a lot from the ones engineers have. Engineers or Math professionals can't bend the laws (because the laws they work under are not man made, are just the nature), so they need to get most understatement to do things "inside" the rules.

As I said, different abilities. The guy maybe can't use a fridge but can protect you from an abusive cop, revert a wrong taxation or whatever.

Piorjade · Feb 2, 2023

xianxuhappy said:
I read the source code of hwfly and it looks like the custom bct directly overwrites the bct in emmc. so I think the startup process should look like this.
At the first boot, hwfly detects that the bct in emmc is not custom bct, and then directly replaces it with the custom bct.
When the SOC does a bct read, the read is already a custom bct. The fpga detects that the bct read is complete (20 Sectors)and performs a Glitch to skip the bct checksum.

That might actually be a way the FPGA might look for a trigger. Count how many bytes have been read from the emmc after booting up -> is it the size of the BCT? -> perform glitch using the given parameters

Related to this: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10062170

xianxuhappy said:
But the problem this poses is that if I want to cancel the hack, the original bct has been overwritten and I have not found a backup.

As @doom95 has already said, there are 4 BCT slots. HWFLY-NX overrides the first two, the last two get the original BCTs

The Tegra tries to read the first, if it fails then the second, etc. until it can boot. If all 4 fail it goes into RCM AFAIK.

On a side note, I read a bit of the MMC standard documentation and it looks relatively easy to understand. As I can't find MMC cards on Amazon (only SD cards) and SD cards are basically successors to MMC cards, does anybody know if I can read SD cards in some sort of "MMC mode"?

E.g. can I just connect only DAT0 (MMC cards only have one DAT line), Vss2, CLK, Vcc, Vss1, CMD and CAT3 and talk to the SDC with MMC commands?

vittorio · Feb 2, 2023

Piorjade said:
That might actually be a way the FPGA might look for a trigger. Count how many bytes have been read from the emmc after booting up -> is it the size of the BCT? -> perform glitch using the given parameters

Related to this: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10062170

As @doom95 has already said, there are 4 BCT slots. HWFLY-NX overrides the first two, the last two get the original BCTs

The Tegra tries to read the first, if it fails then the second, etc. until it can boot. If all 4 fail it goes into RCM AFAIK.

On a side note, I read a bit of the MMC standard documentation and it looks relatively easy to understand. As I can't find MMC cards on Amazon (only SD cards) and SD cards are basically successors to MMC cards, does anybody know if I can read SD cards in some sort of "MMC mode"?

View attachment 350682
E.g. can I just connect only DAT0 (MMC cards only have one DAT line), Vss2, CLK, Vcc, Vss1, CMD and CAT3 and talk to the SDC with MMC commands?

interesting, we also have btc

CompSciOrBust · Feb 2, 2023

Piorjade said:
That might actually be a way the FPGA might look for a trigger. Count how many bytes have been read from the emmc after booting up -> is it the size of the BCT? -> perform glitch using the given parameters

Related to this: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10062170

As @doom95 has already said, there are 4 BCT slots. HWFLY-NX overrides the first two, the last two get the original BCTs

The Tegra tries to read the first, if it fails then the second, etc. until it can boot. If all 4 fail it goes into RCM AFAIK.

On a side note, I read a bit of the MMC standard documentation and it looks relatively easy to understand. As I can't find MMC cards on Amazon (only SD cards) and SD cards are basically successors to MMC cards, does anybody know if I can read SD cards in some sort of "MMC mode"?

View attachment 350682
E.g. can I just connect only DAT0 (MMC cards only have one DAT line), Vss2, CLK, Vcc, Vss1, CMD and CAT3 and talk to the SDC with MMC commands?

I can't find any guide now, I guess none of them were archived, but you can definitely read the eMMC by soldering between test points and an SD Reader.
Pinout on SwitchBrew: https://switchbrew.org/w/index.php?title=EMMC_pinout&mobileaction=toggle_view_desktop
I don't know what device he's using since it doesn't seem to be an SD Reader but this guy has a tweet about it:

You can also buy hac-emmc readers. I have this one: https://www.tindie.com/products/ignas/emmc-reader-for-hac-emmc/

I guess you don't want to have to keep unplugging the NAND from the board over and over though because it will wear down the connector.
Iirc 3DS hard modding used to be done by connecting an SD reader to the eMMC test pads before we had Magnet Hax

Piorjade · Feb 2, 2023

CompSciOrBust said:
I can't find any guide now, I guess none of them were archived, but you can definitely read the eMMC by soldering between test points and an SD Reader.
Pinout on SwitchBrew: https://switchbrew.org/w/index.php?title=EMMC_pinout&mobileaction=toggle_view_desktop
I don't know what device he's using since it doesn't seem to be an SD Reader but this guy has a tweet about it:

I actually wanted to test MMC communication with regular SD/MMC cards so that I don't accidentally bust my Switch eMMC lmao

Also, do you know why HWFLY only uses DAT0 while the eMMC has more data lines available? I thought that the SoC communicates with all lines?

doom95 · Feb 2, 2023

Piorjade said:
That might actually be a way the FPGA might look for a trigger. Count how many bytes have been read from the emmc after booting up -> is it the size of the BCT? -> perform glitch using the given parameters

The 3c talk from many years ago already perfectly explains the glitch trigger.

Mansi · Feb 2, 2023

Are you joking? What are the 4 check slots?!
In emmts, only boot1 and boot2 are used, that's it!

Here is the emmc dump log from my old erista.

Code:

eMMC details:
OCR 0xC0FF8080 (3V3/1V8)
CID 150100424A5444345205AC40C1006525 (Samsung BJTD4R, SN 0xAC40C100 (2889924864), Jun 2018)
CSD D02701320F5903FFF6DBFFEF8E40400D
Device revision [192] 0x08 (MMC v5.1)
Device type [196] 0x57 (SDR HS52, HS200, HS400)
Command classes 0xF5 (Class 0, 2, 4, 5, 6, 7)
Baud rate 0x32 (26MHz)
End of Life Information 0x01 (Normal)
Type A memory lifetime 0x01 (0-10% used)
Type B memory lifetime 0x01 (0-10% used)
Function Reset [162] 0x00 (Temporarily disabled (default))
Boot Configuration [179] 0x00 (No boot, access to USER)
Boot Bus [177] 0x00 (1-Bit SDR, Reset to 1-Bit)
Partition support [160] 0x07 (Yes, ENH, EXT)
Partitions completed [155] 0x00 (NO)
FFU Mode [443] 0x03 (Supported, VSM)
USER partition, size 0x0747C00000 (29.12 GiB)
BOOT1 partition, size 0x0000400000 (4 MiB)
BOOT2 partition, size 0x0000400000 (4 MiB)
RPMB partition, size 0x0000400000 (4 MiB) Authentication key not written
UFPI socket type MMC, max. bus 4-bit
eMMC ID 150100424A5444345205AC40C1006525, DAT0-DAT3
eMMC Info Samsung 'BJTD4R', size 29.12 GiB, SN AC40C100, Jun 2018
eMMC mode 4-Bit, Transfer mode, TI 1, Drv. 0, frequency 52MHz
eMMC Dump, 512 bytes (USER)
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001C0 02 00 EE FF FF FF 01 00 00 00 FF FF FF FF 00 00 | ..oÿÿÿÿ....ÿÿÿÿ..
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA | ..............Uª
eMMC full backup...29.13 GiB
Current folder 'D:\Temp\UFPI'
Saving data to File 'emmc_backup.txt'...Normal
Saving data to File 'cid_backup.bin'...Normal
Saving data to File 'csd_backup.bin'...Normal
Saving data to File 'ext_csd_backup.bin'...Normal
Saving data to File 'BOOT1_0x0000000000_0x0000400000_backup.bin'...Normal
Reading eMMC BOOT1 from address 0x00000000, size 0x00400000...Normal
Completed in 0.19 seconds(s). Code download speed 21.28 MiB/sec.
Saving data to File 'BOOT2_0x0000000000_0x0000400000_backup.bin'...Normal
Reading eMMC BOOT2 from address 0x00000000, size 0x00400000...Normal
Completed in 0.20 seconds(s). Code download speed 20.51 MiB/sec.
Saving data to File 'RPMB_0x0000000000_0x0000400000_backup.bin'...Normal
Read eMMC RPMB from address 0x00000000, size 0x00400000...Normal
Completed in 0.74 seconds. Code download speed 5.38 MiB/sec.
Saving data to File 'USER_0x0000000000_0x0747C00000_backup.bin'...Normal
Reading eMMC USER from address 0x00000000, size 0x747C00000...Normal
Completed in 23 min. 35 sec. Code download speed 21.06 MiB/sec.
Data Source File 'D:\Temp\UFPI\USER_0x0000000000_0x0747C00000_backup.bin'...Normal
Custom task flags Asynchronous
eMMC Reading Mode 'Auto Select'
eMMC USER verification from address 0x00000000, size 0x747C00000...Normal
Completed in 23 min. 22 sec. Code download speed 21.25 MiB/sec.

Next, open the user section and run the script for the presence of sections in it and get this code.

Code:

[DESC]
Name = Partitions
FlashType1 = eMMC
FlashBase1 = 0

[PARTITIONS]
PartitionsMode = true
0x0000000000,0x00000200,MBR,USER,
0x0000000200,0x00000200,GPT_header,USER,
0x0000000400,0x00000600,GPT_table,USER,
0x0000000A00,0x00003A00,gap_01,USER,
0x0000004400,0x003FBC00,PRODINFO,USER,
0x0000400000,0x00400000,PRODINFOF,USER,
0x0000800000,0x00800000,BCPKG2-1-Normal-Main,USER,
0x0001000000,0x00800000,BCPKG2-2-Normal-Sub,USER,
0x0001800000,0x00800000,BCPKG2-3-SafeMode-Main,USER,
0x0002000000,0x00800000,BCPKG2-4-SafeMode-Sub,USER,
0x0002800000,0x00800000,BCPKG2-5-Repair-Main,USER,
0x0003000000,0x00800000,BCPKG2-6-Repair-Sub,USER,
0x0003800000,0x04000000,SAFE,USER,
0x0007800000,0xA0000000,SYSTEM,USER,
0x00A7800000,0x680000000,USER,USER,
0x0727800000,0x203FBE00,gap_02,USER,
0x0747BFBE00,0x00000600,GPT_table,USER,
0x0747BFC400,0x00003A00,gap_03,USER,
0x0747BFFE00,0x00000200,GPT_header,USER,

You can get and do this yourself if you make a full emmts dump through a hecate.
I did a dump analysis before installing the glitch and after installing it. The difference is only in boot1. boot2 is not used or it serves as a recovery mode.

I draw attention to the line Boot Configuration [179] 0x00 (No boot, access to USER)
This means that when the console is turned on, the first access goes to the user section and only then does the verification of the keys in boot1.

So it goes)

doom95 · Feb 2, 2023

ok bro
bcts are contained within boot0

ghjfdtg · Feb 2, 2023

There is no "MMC mode" on SD cards. But the init is similar. If you really want to mess with real MMCs you can look for these eMMC modules for single board computers. They often offer adapters so you can plug it into standard SD or microSD slots (not every reader supports MMC).

Hacking Hardware Picofly - a HWFLY switch modchip

🤔

¡Kabito!

New Member

¡Kabito!

Developer

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

🤔

Edson Arantes do Nascimento

Well-Known Member

Well-Known Member

🤔

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Similar threads

Popular threads in this forum