Hardware Hacking Fake RCMloader dongles in the wild

[Hayato213]

none of mine was overpriced, one cost 5 USD (fake "V5") and a original what I buy on 7 USD.

For me, my wife and my niece is a lot convenient have a little gadget what fits on the switch case and don't get lost and no need to carry extra cables. and my niece isn't allowed to have a phone with her, so.

I just installed a internal gema chip to replace the dongle and never again use a external injection method.

All is about preferences.

Last Week see a Fake V5 on a local game shop and was hilarious don't even have a reset switch on the bottom, we opened and instead a 90° switch have a normal one so if you need to reset it you have to open the case

Good choice of a internal modchip, much more convenient than having a dongle, I had NS Atmosphere and RCM Loader One dongle before I sold them, never used them, crazy thing that my dragon injector is collecting dust.

 

[impeeza]

Good choice of a internal modchip, much more convenient than having a dongle, I had NS Atmosphere and RCM Loader One dongle before I sold them, never used them, crazy thing that my dragon injector is collecting dust.

Dragon Injector? a very great Idea crushed by big N

 

[linuxares]

Dragon Injector? a very great Idea crushed by big N

Yeah... I hate it since it was such a great device

 

[Maxeatedcheese]

Good choice of a internal modchip, much more convenient than having a dongle, I had NS Atmosphere and RCM Loader One dongle before I sold them, never used them, crazy thing that my dragon injector is collecting dust.

just sayin if you want to sell that to me I will pay whatever (reasonable price) for it DI's are so rare now

 

[SylverReZ]

I still have my RCM Loader from Feb '21, just before the big N prohibited the official distributors from selling them.

 

[Hayato213]

Dragon Injector? a very great Idea crushed by big N

https://gbatemp.net/review/dragoninjector.1181/

The project got shutdown by Nintendo

Post automatically merged: Nov 4, 2022

just sayin if you want to sell that to me I will pay whatever (reasonable price) for it DI's are so rare now

Have no idea how much to charge anyway.

 

[Maxeatedcheese]

https://gbatemp.net/review/dragoninjector.1181/

The project got shutdown by Nintendo

Post automatically merged: Nov 4, 2022

Have no idea how much to charge anyway.

Well originally they went for $30 USD but I would be willing to pay 40 if you'll ship it!

 

[Hayato213]

Well originally they went for $30 USD but I would be willing to pay 40 if you'll ship it!

Thanks, I will just keep mine as a collector item.

 

[SylverReZ]

Well originally they went for $30 USD but I would be willing to pay 40 if you'll ship it!

Sounds more like a rip off.

 

[Maxeatedcheese]

Sounds more like a rip off.

Thanks, I will just keep mine as a collector item.

yeah I don't get paid much, I don't really want to spend almost all of my money on one anyways just thought it was worth a shot lol!

im actually a little upset they don't have the files for them online anymore because my boyfriend's dad has a 3d printer and I was thinking of making one myself

 

[SylverReZ]

Here are some links that I have found that will be useful:
https://web.archive.org/web/2020080...ect/DragonInjector-ArduinoCoreSAMD/zip/master
https://github.com/jeromedontdev/DragonInjector-FW
https://github.com/Adran-Marit/DragonInjector-Bootloader

 

[Maxeatedcheese]

Here are some links that I have found that will be useful:
https://web.archive.org/web/2020080...ect/DragonInjector-ArduinoCoreSAMD/zip/master
https://github.com/jeromedontdev/DragonInjector-FW
https://github.com/Adran-Marit/DragonInjector-Bootloader

Thank you so much!! I will update anyone interested if I get around to doing that and I'll probably make like a guide if I do it correctly lol.

 

[SylverReZ]

Here are some teardown photos of my RCM Loader One B for reference if anybody is interested. My RCM Loader is using a 'GDF350G8' GD32-series ARM Cortex-M4 microcontroller running at 108MHz, followed by a 16MBit SPI flash chip labelled '25VQ16ATIG'. After I dumped the flash chip, and opened up the dump with a hex editor, my speculation is that it stores some sort of configuration for the device.

Datasheets:
GDF350G8: Manual: https://gd32mcu.com/data/documents/userManual/GD32F3x0_User_Manual_Rev2.6.pdf / Datasheet: https://www.gd32mcu.com/data/documents/datasheet/GD32F350xx_Datasheet_Rev2.1.pdf
25VQ16ATIG (not the same but similar): https://pdf1.alldatasheet.com/datasheet-pdf/download/1151995/GIGADEVICE/GD25VQ16C.html

 

[Maxeatedcheese]

Here are some teardown photos of my RCM Loader One B for reference if anybody is interested. My RCM Loader is using a 'GDF350G8' GD32-series ARM Cortex-M4 microcontroller running at 108MHz, followed by a 16MBit SPI flash chip labelled '25VQ16ATIG'. After I dumped the flash chip, and opened up the dump with a hex editor, my speculation is that it stores some sort of configuration for the device.

View attachment 335644View attachment 335645

okay so! I saw your teardown and got curious, luckily I had the tools to open my clone chip up (it wasn't difficult it was just 4 plastic clips) and I have spotted a lot of differences.

1: the main chip has a sandpaper like tape on it that keeps you from seeing its label
2: there are 4 other chips, "1AM; 3AUC; HTU6*; 3AUA*"
2* these have a little swoosh symbol I can't figure out what it is, i have a picture i took of these chips using the flash
3: a small piece of metal that reads "32000 MHZ" i assume its probably not a chip but idk im not very literate about these things
4: Battery is larger
5: Text that reads "RCMloader V2.2DDDZ
6: Small metal leads that don't seem to be connected to anything? The one to the right of the USB-C port has letters A, B, D-, D+ if anyone knows what that could mean im curious because as i said im illiterate about hardware

If anyone could help me with info on how to dump any of the chips i am very interested in doing so!

 

[MushGuy]

Hekate will automatically load an updated version of itself from the SD card if found - off the top of my head, I think it's at bootloader/update.bin - just download the latest Hekate and rename it to update.bin in the bootloader folder. Then when you push whatever version is on this dongle, it will load and start the new version.

I didn't even know this was possible. All this time I was updating my Hekate payload in my NS Atmosphere when I could have simply used update.bin in the bootloader folder. I feel like a dummy now!

 

[Maxeatedcheese]

Update: I talked to the seller about this and they said it was an issue with the supplier! They are offering to give me a full refund but I think I got lucky tbh.

okay so! I saw your teardown and got curious, luckily I had the tools to open my clone chip up (it wasn't difficult it was just 4 plastic clips) and I have spotted a lot of differences.
....

 

[SylverReZ]

Ok, I've updated my post with links to the datasheets.

 

[randy_w]

okay so! I saw your teardown and got curious, luckily I had the tools to open my clone chip up (it wasn't difficult it was just 4 plastic clips) and I have spotted a lot of differences.

1: the main chip has a sandpaper like tape on it that keeps you from seeing its label
2: there are 4 other chips, "1AM; 3AUC; HTU6*; 3AUA*"
2* these have a little swoosh symbol I can't figure out what it is, i have a picture i took of these chips using the flash
3: a small piece of metal that reads "32000 MHZ" i assume its probably not a chip but idk im not very literate about these things
4: Battery is larger
5: Text that reads "RCMloader V2.2DDDZ
6: Small metal leads that don't seem to be connected to anything? The one to the right of the USB-C port has letters A, B, D-, D+ if anyone knows what that could mean im curious because as i said im illiterate about hardware

If anyone could help me with info on how to dump any of the chips i am very interested in doing so!

Seems like the main mcu is the same, they just sanded off the label. Too bad it's not an samd21 chip otherwise you can flash matty's fusee suite. You can port it to gd32/stm32 if you have time.
You can probably dump its flash with openocd or st link, then update the binary payload file inside and flash it back. But as others have said, no need to do that as hekate will load the more recent version on sd card.
I think the A/B/D+/D- pads could be used for internal installation (A and B to pull vol+ and joycon pin 10 to ground, d+ and d- to inject payload through usb port). The 4 pads on the side could be the debug/swd port.

 

[Maxeatedcheese]

Seems like the main mcu is the same, they just sanded off the label. Too bad it's not an samd21 chip otherwise you can flash matty's fusee suite. You can port it to gd32/stm32 if you have time.
You can probably dump its flash with openocd or st link, then update the binary payload file inside and flash it back. But as others have said, no need to do that as hekate will load the more recent version on sd card.
I think the A/B/D+/D- pads could be used for internal installation (A and B to pull vol+ and joycon pin 10 to ground, d+ and d- to inject payload through usb port). The 4 pads on the side could be the debug/swd port.

Thank you for the info! I might try to dump said flash just so you all can see what is different from official ones (bc i don't have an official 1B) also the idea of someone installing one of these cheap knockoffs as a modchip is comical but I do agree thats probably what the pads are for

 

[SylverReZ]

Thank you for the info! I might try to dump said flash just so you all can see what is different from official ones (bc i don't have an official 1B) also the idea of someone installing one of these cheap knockoffs as a modchip is comical but I do agree thats probably what the pads are for

I was definitely thinking the same thing.