Hacking Hardware Picofly - a HWFLY switch modchip

[renoob]

I'm personally only any good at RE when I have source or at least a legible decompilation.
Having to get into disassembly is outside my wheelhouse.

see unique_id in pico-examples its literally it. You have code and when you compile it you get also .dis file where you can see what its doing (which is literal 1:1 copy of functions in this FW)

 

[Adran_Marit]

Holding both vol buttons triggers it to boot to hos all be it stock?

I wonder......

 

[Tafty]

Holding both vol buttons triggers it to boot to hos all be it stock?

I wonder......

i can confirm this works aswell, i tested it earlier.

 

[hippy dave]

Holding both vol buttons triggers it to boot to hos all be it stock?

I wonder......

Presumably that prevents it from doing the glitching so the Switch uses one of the unmodified copies of the thing (bct?), after verifying the custom copies fails, so you just get a normal clean boot from that point. I don't think there's much to pursue in that direction in terms of fixing the custom boot.

 

[Brunh]

I found long press VOL- & VOL+ boot original HOS
Can play games

I use this diagram

This diagram and to solder chip in v1 and v2?

someone has diagram for V1 and V2? I want to try,
Thanks

 

[thesjaakspoiler]

Well since this is the ID of the chip, maybe it can be spoofed now (really out of my knowledge scope).

If its possible to inject this id into that address (someone with arm asm knowledge would need to do it) maybe it will run.

The Pico has no unique chip id. This is what the documentation says :

RP2040 does not have an on-board unique identifier (all instances of RP2040 silicon are identical and have no persistent state). However, RP2040 boots from serial NOR flash devices which have a 64-bit unique ID as a standard feature, and there is a 1:1 association between RP2040 and flash, so this is suitable for use as a unique identifier for an RP2040-based board.

https://raspberrypi.github.io/pico-sdk-doxygen/group__pico__unique__id.html

 

[binkinator]

This diagram and to solder chip in v1 and v2?

someone has diagram for V1 and V2? I want to try,
Thanks

This post has the chip pin outs: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10066639

This post has points to attach on emmc: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10067546
This post is similar to the above points on emmc: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10067582

 

[renoob]

The Pico has no unique chip id. This is what the documentation says :



https://raspberrypi.github.io/pico-sdk-doxygen/group__pico__unique__id.html

You really needed to write that even we are talking about unique_id for last 30 pages? We are all aware off that

 

[TheSynthax]

Waiting on CPU flex, arrives this week. Excuse the actual swamps of flux, I haven't run it through the board cleaner after reballing the CPU and RAM, and the filthy housing is from some sticky sh!t from the previous owner (who sold it as broken)

BTW, buttons and type-C port are far too thick to fit in the Lite. they'll need to be removed, and we might want to run USB lines to the Switch's type-C port like with SAMD21 chips, and maybe even connect the Switch's vol+ line in place of the BOOT button, just in case we ever need to update the firmware on the RP2040. Given that the Switch isn't terribly far from EoL, and these just load whatever is on the SD, I'm sure that once we have a proper BCT and SD loader there will be no need to update. Even more so due to the fact that the firmware seems to already support dual booting just by holding both vol buttons, but ideally there would be stored boot default like with SAMD21.

 

[Brunh]

This post has the chip pin outs: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10066639

This post has points to attach on emmc: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10067546
This post is similar to the above points on emmc: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10067582

IRFSH8342 do you know what chip this is

I try see on Google and nothing

And thanks

 

[binkinator]

IRFSH8342 do you know what chip this is

I try see on Google and nothing

And thanks

the data sheet for the chip is discussed here: https://gbatemp.net/threads/pikofly-a-probably-fake-hwfly-modchips-or-not.622701/post-10066650

use of the HWFLY flex cable (with mosfet) is discussed in subsequent messages.

 

[lenoa]

the data sheet for the chip is discussed here:

use of the HWFLY flex cable (with mosfet) is discussed in subsequent messages.

isnt mosfet as subtitue if u dont have cpu flex cable?

 

[binkinator]

isnt mosfet as subtitue if u dont have cpu flex cable?

Correct. as per earlier discussion mosfet exists on flex cable already so no need for the additional chip if you already have the flex.

 

[Arakon]

Anyone know of a source of just the flex cables other than aliexpress?

 

[binkinator]

Anyone know of a source of just the flex cables other than aliexpress?

Right next to the modchips that aren’t from Aliexpress…oh wait.

e: might be able to find an installer with a spare set from a failed install or something but it’s going to be one off.

 

[vittorio]

Can anyone convert this to bin me, I don't have a pico currently

 

[nerirififi]

For recapitulate.

We have firmware for erista and Mariko.

All rp040 works it s a unique version.
If I got cpu flex erista and mariko does I need to buy the moffset.
We need 47ohm resistor for 3 points

I will test I got many flex, so what s happen if we update the switch, the rp040 need an update I guess ?

 

[Mansi]

Can anyone convert this to bin me, I don't have a pico currently

You can do it yourself, manually. Just remove the bootloader header.

55 46 32 0A 57 51 5D 9E 00 20 00 00 00 00 00 10 00 01 00 00 00 00 00 00 00 20 00 00 56 FF 8B E4

and

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 6F B1 0A 55 46 32 0A 57 51 5D 9E 00 20 00 00 00 01 00 10 00 01 00 00 01 00 00 00 00 20 00 00 56 FF 8B E4

and next...

 

[vittorio]

Manually it doesn't convert well, ghidra doesn't see me the functions after

 

[saladus]

Can anyone convert this to bin me, I don't have a pico currently

you don't need a pico
https://github.com/microsoft/uf2/tree/master/utils

Post automatically merged: Feb 8, 2023

but yeah I'll do it gimme 2 secs