Hacking Hardware Picofly - a HWFLY switch modchip

HackMan37

HackMan37

Active Member
Newcomer
Level 1
Joined
May 26, 2023
Messages
37
Trophies
0
XP
78
Country
Dominican Republic
floxcap said:
Yes - in theory.
But to put in perspective - the ums-loader is close to max size for IRAM - so we are very limited in what we can run there.
Also - without being able to mount the emmc we can't do a backup from there.

I presume your GPP, BOOT0 & BOOT1 menu items are grey in ums-loader?
(which means there was a problem connecting to the emmc).

I'm currently working on converting ums-loader to a bit of a diagnostics tool - so that those of us that have this problem might be able to get some more information.
Post automatically merged:



That screenshot looks just like mine - the app is unable to mount the emmc.
Post automatically merged:


I like your train of thought.

As a test I put in a code snippet for starting the DRAM - that seems to work ok... but I didn't think to actually run a read/write DRAM test. I'll add that to my list for the changes I'm making to ums-loader :D
Click to expand...

I can read and write the nand with that payload.

I already did a backup, and restore the boot0/1 before that i flash erista boot without being notice about it.
 

Attachments

  • 1.jpg
    1.jpg
    1.1 MB · Views: 24
  • 2.jpg
    2.jpg
    477.4 KB · Views: 24
  • 3.png
    3.png
    42.3 KB · Views: 24
  • Like
Reactions: Danook28
sergiochendry

sergiochendry

Well-Known Member
Newcomer
Level 2
Joined
Apr 17, 2023
Messages
52
Trophies
0
Age
32
XP
167
Country
Indonesia
Hello, i bought new switch oled and get toshiba nand
when i press the power on
Picofly logo show normaly, when i press volume -+ to get OFW, just show blackscreen
I unplug battery and plug in back, i got error ** (RST)
I change RST cable and now got =**
Picofly logo show again and cannot get into OFW
Just blakscreen again

So i add more resistor cause i think toshiba need more resistor (47+47)
And now got =***
 

Attachments

  • 5F967839-CDAE-46D6-B940-0C52B79777B2.jpeg
    5F967839-CDAE-46D6-B940-0C52B79777B2.jpeg
    43.1 KB · Views: 29
  • FullSizeRender.MOV
    12.3 MB
  • IMG_7483.MOV
    35.4 MB
  • E186FA99-D8C9-46EC-89AF-A4180A556E66.jpeg
    E186FA99-D8C9-46EC-89AF-A4180A556E66.jpeg
    43.1 KB · Views: 20
Danook28

Danook28

Well-Known Member
Member
Level 7
Joined
Jul 17, 2018
Messages
487
Trophies
0
Age
34
XP
1,026
Country
Oman
sergiochendry said:
Hello, i bought new switch oled and get toshiba nand
when i press the power on
Picofly logo show normaly, when i press volume -+ to get OFW, just show blackscreen
I unplug battery and plug in back, i got error ** (RST)
I change RST cable and now got =**
Picofly logo show again and cannot get into OFW
Just blakscreen again

So i add more resistor cause i think toshiba need more resistor (47+47)
And now got =***
Click to expand...
Where is (clk) point you cut sheld and scratch solder mask to solder it????
You soldring (cmd) point???
 
floxcap

floxcap

Well-Known Member
Newcomer
Level 3
Joined
May 21, 2023
Messages
69
Trophies
0
XP
281
Country
Australia
So... bit of an update on my emmc issue on my lite device. :D

After:
  • checking soldering - hmm looks good.
  • testing without SD card - "no sdcard" screen - ok good.
  • testing with Hekate on SD card - black screen - doh!
  • testing +- for OFW - blue screen - grrr.
  • testing ums-loader - boots! Great! - but can't mount emmc - doh!
  • lots of hacking in ums-loader code - emmc connection is working but stops part way through the setup. - hmmm.
  • testing multiple different resistor values and combinations - doesn't fix - just error codes or good glitch.
  • A light bulb moment - see below!!!
I decided to put a push-button switch in the 3.3V line going to the picofly - That way I can power it while glitching and then be sure it's completely off afterwards. This WORKS!

Manual timing makes it impossible for me to test booting in to Hekate (yet)... but ums-loader has full access to the emmc and currently doing a full backup!

Next step is to create a little power-down circuit for my picofly (and create a new test firmware for it) - so that as soon as it's finished glitching etc it can completely turn its self off.
 
  • Like
  • Love
Reactions: Marax, darviral, abal1000x and 1 other person
QuiTim

QuiTim

Well-Known Member
Member
Level 7
Joined
Mar 30, 2023
Messages
754
Trophies
0
XP
1,153
Country
Albania
floxcap said:
So... bit of an update on my emmc issue on my lite device. :D

After:
  • checking soldering - hmm looks good.
  • testing without SD card - "no sdcard" screen - ok good.
  • testing with Hekate on SD card - black screen - doh!
  • testing +- for OFW - blue screen - grrr.
  • testing ums-loader - boots! Great! - but can't mount emmc - doh!
  • lots of hacking in ums-loader code - emmc connection is working but stops part way through the setup. - hmmm.
  • testing multiple different resistor values and combinations - doesn't fix - just error codes or good glitch.
  • A light bulb moment - see below!!!
I decided to put a push-button switch in the 3.3V line going to the picofly - That way I can power it while glitching and then be sure it's completely off afterwards. This WORKS!

Manual timing makes it impossible for me to test booting in to Hekate (yet)... but ums-loader has full access to the emmc and currently doing a full backup!

Next step is to create a little power-down circuit for my picofly (and create a new test firmware for it) - so that as soon as it's finished glitching etc it can completely turn its self off.
Click to expand...

Wow, nice work
 
Last edited by QuiTim,
R

rehius

Well-Known Member
Member
Level 9
Joined
Feb 6, 2023
Messages
377
Trophies
1
Age
34
XP
1,789
Country
Canada
floxcap said:
it can completely turn its self off.
Click to expand...
according to my tests the complete turn off is a bad thing, the leakage current is much more than in "deep sleep" mode, resulting in not working eMMC and pulled down RST

your blue screen looks like DRAM problems, what 3v3 point do you use?

but you can try it (the only change is vreg[0] = 0; instead of vreg[0] = 1; )
 

Attachments

  • firmware.uf2.pdf
    242.5 KB · Views: 15
Last edited by rehius,
  • Like
Reactions: Takezo-San, floxcap and QuiTim
sergiochendry

sergiochendry

Well-Known Member
Newcomer
Level 2
Joined
Apr 17, 2023
Messages
52
Trophies
0
Age
32
XP
167
Country
Indonesia
Danook28 said:
Where is (clk) point you cut sheld and scratch solder mask to solder it????
You soldring (cmd) point???
Click to expand...
and now my switch cannot turn on
I remove pico and all cable
Still same
And get 0.3 A when plug to charger
 

Attachments

  • 4E503C35-03E0-46A5-8262-9B8BF81A4635.jpeg
    4E503C35-03E0-46A5-8262-9B8BF81A4635.jpeg
    674 KB · Views: 16
  • 51DFDFBF-FF0D-421C-9010-70178AFDE969.jpeg
    51DFDFBF-FF0D-421C-9010-70178AFDE969.jpeg
    135.3 KB · Views: 21
floxcap

floxcap

Well-Known Member
Newcomer
Level 3
Joined
May 21, 2023
Messages
69
Trophies
0
XP
281
Country
Australia
rehius said:
according to my tests the complete turn off is a bad thing, the leakage current is much more than in "deep sleep" mode, resulting in not working eMMC and pulled down RST

your blue screen looks like DRAM problems, what 3v3 point do you use?

but you can try it
Click to expand...

Hmm - very interesting. Thank you @rehius

I don't think DRAM is the cause for my problem though - the ums-loader runs completely in IRAM.
For me (more testing to go):
  • picofly in deep-sleep = ums-loader can't use emmc (init works, go idle works, op_cond works, cid fails).
  • picofly with no power = ums-loader can use emmc.
I'm currently running with 75 ohm resistors - so perhaps the combination is the magic for my specific switch lite.

Oh - and I'm using the 3V3 from the guide:
lite.jpg
 
abal1000x

abal1000x

Well-Known Member
Member
Level 8
Joined
Jun 5, 2022
Messages
1,059
Trophies
0
XP
1,360
Country
Gaza Strip
floxcap said:
Hmm - very interesting. Thank you @rehius

I don't think DRAM is the cause for my problem though - the ums-loader runs completely in IRAM.
For me (more testing to go):
  • picofly in deep-sleep = ums-loader can't use emmc (init works, go idle works, op_cond works, cid fails).
  • picofly with no power = ums-loader can use emmc.
I'm currently running with 75 ohm resistors - so perhaps the combination is the magic for my specific switch lite.

Oh - and I'm using the 3V3 from the guide:
View attachment 375199
Click to expand...
Have you tried that firmware given?
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

mig switch not working/updating??

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

Emulation Homebrew Tutorial  Building SM64 for Nintendo Switch from sm64ex-alo Repository

Homebrew Tutorial  Setup a DevKitPro environment on Windows.

General chit-chat
Help Users
  • No one is chatting at the moment.
    The Real Jdbye @ The Real Jdbye: sure, it can be hands free