Hacking Hardware Picofly - a HWFLY switch modchip

[rehius]

I have, but I didn't know it would matter if I didn't keep part of pin 26 ( I removed It completely). Got a spare one and will try again.

oh, that is not the pad that matters, I meant you were too close to the oscillator, there are important traces and vias close to the pad 20 that you could cut or short

 

[FreeLander]

oh, that is not the pad that matters, I meant you were too close to the oscillator, there are important traces and vias close to the pad 20 that you could cut or short

Got you. Will try again. Thanks <3

 

[Dee87]

Nice. What AWG/MM Did you use?

Post automatically merged: Apr 25, 2023

Hi Dee. Been a minute

I have, but I didn't know it would matter if I didn't keep part of pin 26 ( I removed It completely). Got a spare one and will try again.

Thanks, my man.

well how far it matters but there are some close traces are still needed so just get as close as its on the diagramm

 

[SorataVP69]

Latest firmware here

ChangeLog:

v2.0 + Active MMC communication
v2.1 + Toshiba support
v2.2 + Fix Toshiba boot fail
v2.3 + SanDisk support
v2.4 + Faster Toshiba boot
v2.5 + fix OFW boot
v2.6 + software update, xiao & itsy support
v2.61 + Instinct-NX sdloader, bug fixes
v2.62 + Make 16.0.1 happy (fix OFW boot)
v2.63 + roll back some 2.62 boot speed tricks
v2.64 + enable back the board detection
v2.65 + RP Pico support, double reset removed
v2.66 + Bypass to OFW after update for proper fuse burning

Spoiler: LED indication

must be RED after USB write. if you see green, set "RGB mode" jumper

WHITE = eMMC write
BLUE = glitch
PURPLE = eMMC boot failure, check CMD / CLK
PINK = NS eMMC init fails, inoperative eMMC ?
YELLOW = eMMC write failure, check D0 / unsupported eMMC
CYAN = no reaction to glitch, check mosfet wire
GREEN = success

Spoiler: Diagrams by Dee87

View attachment 357132
View attachment 363821
View attachment 364242
View attachment 364990
View attachment 357133
View attachment 357135
View attachment 357134
View attachment 357136

Spoiler: Solder example

View attachment 357137
View attachment 357138
View attachment 360187
View attachment 363817
View attachment 357139
View attachment 357140
View attachment 360186
View attachment 364818

Spoiler: Issues, questions

Q: What is supported?
A: Erista (v1), Mariko (v2, Lite, OLED)

Q: eMMC types support?
A: Tested on Hynix, Samsung, Toshiba, SanDisk

Q: rp2040 boards support
A: WaveShare 2040-zero/one, xiao-rp2040, adafruit itsybitsy (Pi Pico is not supported for now)

Q: GREEN, but instant reset
A: Clean flux near the RST point

Q: Do I really need 47 Ohm resistors?
A: You can skip them, however in this case you will have to use emuMMC due to the line interference, sysNAND would not boot (sysNAND data can be damaged).

Q: Does the firmware has learning? How to reset statistics
A: Short pin 0 to either 1 or GND during start for chip reset. The statistics is collected each boot. The more you start it - the better it boots.

Q: open source?
A: no

Q: why you made it?
A: to prove it possible!

Q: run Atmosphere?
A: no piracy

Spoiler: Reboot to OFW / Vol+ & Vol- doesn't work, blue/black screen

v2.5 firmware had a bug with BOOT0 corruption. To recover it:
- boot "Full Stock" using hekate
- update to the latest official firmware over Wi-Fi

Spoiler: Sleep mode does not work

- boot "Full Stock" using hekate
- perform a full system reset

Spoiler: Toolbox 0.2 features

- show firmware information
- update firmware from SD card (place update.bin into the root folder)
- rollback to the backup firmware slot
- reset learning statistics
- dump / write sdloader

Spoiler: RGB LED explanation by lightninjay

if you have an rp2040-zero from waveshare/ali then it has a neopixel. It is used for diagnosing proper firmware flashes as well as console glitching. If you plug it in, and flash the uf2 firmware to it and immediately see a red light after flashing (this is not the same as flashing, then unplugging and replugging), then no rgb jumper needs to be made. If on the other hand, you get one quick green flashing light, then you need to bridge the jumper pads indicated to swap the LED colors for proper diagnoses capability.

Hello, is it possible to use the Flex cable from V2 (mariko) in v1 (erista)?

 

[FreeLander]

Hello. I've tried 3 different MOSFET types, and two different wires (0.1mm and 0.3mm). I just won't get a CPU value on diode mode.

I've tried the close GND ground and tried two MOSFETs at once. Same thing.


Any advice? Thank you.

 

[FueledSamantha]

Hello, is it possible to use the Flex cable from V2 (mariko) in v1 (erista)?

I had seen someone do it, its pretty sketchy and even they recommended against it.
Trying to remember who did it and where I saw it.

 

[Adran_Marit]

Hello, is it possible to use the Flex cable from V2 (mariko) in v1 (erista)?

I had seen someone do it, its pretty sketchy and even they recommended against it.
Trying to remember who did it and where I saw it.

while it is possible I would just get a v1 flex

 

[SorataVP69]

while it is possible I would just get a v1 flex

I had seen someone do it, its pretty sketchy and even they recommended against it.
Trying to remember who did it and where I saw it.thanks, if you remember where you saw it please let me know, I'm interested to know

Post automatically merged: Apr 25, 2023

I had seen someone do it, its pretty sketchy and even they recommended against it.
Trying to remember who did it and where I saw it.

thanks, if you remember where you saw it please let me know, I'm interested to know

 

[jv_233]

Is it me or does it seem that sk hynix switches glitching is not as consistent as the other ones with the pico?

 

[haipro287]

then there was defenitly something wrong with ur soldering job
but good to hear

I don't think my soldering job had something wrong. I think the problem is the mosfet, yesterday It couldn't glitch anymore, so I replaced it.

 

[calishooter]

Can someone please tell me what voltage the RST point needs to be when checking it to ground? I'm getting around 3.5v...is that normal on a switch lite? Thanks!

 

[malgamer]

Can someone please tell me what voltage the RST point needs to be when checking it to ground? I'm getting around 3.5v...is that normal on a switch lite? Thanks!

rst line 1.8v

Post automatically merged: Apr 25, 2023

Can someone please tell me what voltage the RST point needs to be when checking it to ground? I'm getting around 3.5v...is that normal on a switch lite? Thanks!

rst line 1.8v

 

[calishooter]

rst line 1.8v

Post automatically merged: Apr 25, 2023

rst line 1.8v

I'm checking it from the switch motherboard.

Post automatically merged: Apr 25, 2023

I'm checking it from the switch motherboard.

Should I check it from the rp2040 or does it make a difference?

 

[POPOLO]

Hello. I've tried 3 different MOSFET types, and two different wires (0.1mm and 0.3mm). I just won't get a CPU value on diode mode.

I've tried the close GND ground and tried two MOSFETs at once. Same thing.


Any advice? Thank you.
View attachment 366932

"Both capacitors should be connected at the point."。

 

[leerz]

Hello @FreeLander, looks like you found the dangerous incorrect diagram by sthetix where the 3.3v point is actually direct 4.2v right from the battery. Be careful, such overvoltage may fry your RP Pico and the console. Please use the proper 3.3v point here:
View attachment 366724

i'm curious where that 4.2v is? XD i've always used the 3.3v

 

[FreeLander]

"Both capacitors should be connected at the point."。

Hello, POPO. Thank you.
I did this and I'm still getting zero on diode mode. I can't tell what is it I'm doing wrong.
I even removed the caps entirely and soldered to the pads directly, but still no luck, and even worse, the console wouldn't boot.
Thankfully, @rehius anticipated noobs like me would do this, so I did his trick by salvaging the caps off an rp2040 and re-soldering them to the console. Now it boots fine, but I'm still determined to figure out how to get a successful glitch with MOSFETs.

I followed every step. 0.2mm enameled, two MOSFETs, short wires, close grounds.

 

[Dee87]

Hello, POPO. Thank you.
I did this and I'm still getting zero on diode mode. I can't tell what is it I'm doing wrong.
I even removed the caps entirely and soldered to the pads directly, but still no luck, and even worse, the console wouldn't boot.
Thankfully, @rehius anticipated noobs like me would do this, so I did his trick by salvaging the caps off an rp2040 and re-soldering them to the console. Now it boots fine, but I'm still determined to figure out how to get a successful glitch with MOSFETs.

I followed every step. 0.2mm enameled, two MOSFETs, short wires, close grounds.

View attachment 366978

since its runing fine now with the 2 caps stollen from the rp go ahead and reinstall the pico with the caps on it should work

 

[ecko4711]

Your first and third link would be acceptable, but your second one is for a 470 ohm resistor again

Alright, so I ordered from the third one and this is what I got. 47R0, hope that's the right ones now

 

[Adran_Marit]

Hello, POPO. Thank you.
I did this and I'm still getting zero on diode mode. I can't tell what is it I'm doing wrong.
I even removed the caps entirely and soldered to the pads directly, but still no luck, and even worse, the console wouldn't boot.
Thankfully, @rehius anticipated noobs like me would do this, so I did his trick by salvaging the caps off an rp2040 and re-soldering them to the console. Now it boots fine, but I'm still determined to figure out how to get a successful glitch with MOSFETs.

I followed every step. 0.2mm enameled, two MOSFETs, short wires, close grounds.

View attachment 366978

Do you have a clearer photo of your firsts? Also have you tried the flex?

 

[FreeLander]

since its runing fine now with the 2 caps stollen from the rp go ahead and reinstall the pico with the caps on it should work

Hello, Dee.
Okay, but shouldn't I be getting a 0.6- 0.9.0v diode reading on the G point?

Post automatically merged: Apr 25, 2023

Do you have a clearer photo of your firsts? Also have you tried the flex?

Wil try to do a better pic. I have not tried the flex on it since it's a v1 experimental console, I'm kind of hesitant about wasting a cable on it. I'm interested in doing MOSFETs moving forward, that's why I'm experimenting with this v1. I guess my question is, shouldn't I be getting a diode reading on G point?