Hacking Hardware Picofly - a HWFLY switch modchip

[cgtchy0412]

I also consider to make the picofly repeatedly reboot until it got maxiumum success programatically.

Thats unnecessary, as we better have 3s-5s manual boot than to force the soc to auto glitch 2k times just to enjoy 1s-2s boot time.
It can be years of manual boot for that number to burnout.

The algorithm is already good. The improvement might be the OFFSET_DIV change to 1, but it will be slower than using 10.

I also see in the code for every glitch, the offset will be shifted a little bit by a random number. I might remove this code. I once made a government simulation about oil spill. And this random stuff usually forbidden to be used. Since it make the simulation not repeatable. Its less scientific.

That should be the way. Optimize the randomizer/divider, also remove any adjustment even a little after succesfull offset found.
But may there is some offset variations, so the recorded offset is not for exact but to narrow down some address range, and with that range we can try to glitch faster.

Any rough calculation ? about what if we search/try every addresses in 32GB emmc , it will take how much time for a 300mhz cpu?

 

[abal1000x]

Thats unnecessary, as we better have 3s-5s manual boot than to force the soc to auto glitch 2k times just to enjoy 1s-2s boot time.
It can be years of manual boot for that number to burnout.

Its not for production thing. Its for RnD, to prove that the best statistics might reduce the possibility of the strange >6s glitch time.

My hunch says it doesn't correlate with the statistics.

That should be the way. Optimize the randomizer/divider, also remove any adjustment even a little after succesfull offset found.

What i mean is the random AFTER the offset founded. Its illogical to shift the value little bit, when its founded on that offset in the first place.

The first initialization random thing is already correct. I also use this kind of algorithm for faster searching on some project.

What i mean is this.

Kind of disagree, shifting the offset little bit in there.

But for this random initialization is an okay.

Since the offset is unknown. So the fast way is just pick it up randomly, rather than try it in orderly sequence.

But may there is some offset variations, so the recorded offset is not for exact but to narrow down some address range, and with that range we can try to glitch faster.

I am not quite agree on that. The introduction of random in there just make the glitch to have undefined behaviour. Prefer exact then shift than make it random nature on it.

Any rough calculation ? about what if we search/try every addresses in 32GB emmc , it will take how much time for a 300mhz cpu?

I think you misunderstand the intent of the code
That offset is not emmc offset. Its a 'time offset' of when the glitch will be executed. I assume the Origin is selected from when the emmc initialized after reset (CMIIW). Thats why when you change the clock, you need to change the OFFSET_MIN and OFFSET_MAX accordingly.

I think the best way to get the parameter is by using logic analyzer. But i am not so sure, since i don't have it. I am gonna buy it though. Have bookmarked the logic analyzer Rehius used. Doesn't have spare time on it. But strongly intent to buy and learn to use it.

You could deduce the parameter by comparing when the offset when its 200Mhz and when its 300Mhz. Then by assuming its linier, you could regressed it to find the parameter for 250Mhz for example.

 

[cgtchy0412]

You could deduce the parameter by comparing when the offset when its 200Mhz and when its 300Mhz. Then by assuming its linier, you could regressed it to find the parameter for 250Mhz for example.

Yup, already did that.

Post automatically merged: Jun 26, 2023

I think you misunderstand the intent of the code

Yes .. you are correct.

 

[abal1000x]

Yup, already did that.

Post automatically merged: Jun 26, 2023

Yes .. you are correct.

Something like this
200Mhz
6200 - 6900

250Mhz
7700-8600

300Mhz
9200 - 10300

 

[cgtchy0412]

That offset is not emmc offset. Its a 'time offset' of when the glitch will be executed. I assume the Origin is selected from when the emmc initialized after reset (CMIIW). Thats why when you change the clock, you need to change the OFFSET_MIN and OFFSET_MAX accordingly.

I think the best way to get the parameter is by using logic analyzer. But i am not so sure, since i don't have it. I am gonna buy it though. Have bookmarked the logic analyzer Rehius used. Doesn't have spare time on it. But strongly intent to buy and learn to use it.

If thats the case then even slight variation in wires length will effect the glitch time.
This is why in code there is some randomizer even with last succesfull offset.

Post automatically merged: Jun 26, 2023

If we can find time offsets that will make us able to externalize the Mosfet from soc header. Any experiment on that yet?

 

[bilalhassan341]

I kind of lazy to open the shield. Might update it, when have a chance.
My body sick lately, will play on software right now, than hardware.

Post automatically merged: Jun 26, 2023

0.9v is too low, theres might be some short circuit somewhere.
If 1.8 is considered high bit than half of it 0.9 is considered low bit.

Are you sure with that RST voltage (0.9v) everything works normally? Such that OFW working normally, reboot normally, etc.

The RST pad is ripped off. Will it be the issue?

 

[abal1000x]

Yup, already did that.

Post automatically merged: Jun 26, 2023

Yes .. you are correct.

I still need to confirm what time reference the firmware used.
It seems the time reference is when the picofly run.

If thats the case then even slight variation in wires length will effect the glitch time.
This is why in code there is some randomizer even with last succesfull offset.

Theres youtube someone experiment about the effect of length wire on the signal, and its on the range of 10-50meter. And theres no significant change like in microseconds range. Also changing the diameter also doesn't delay the signal. The only one who could significatnly delay the signal is the material surround the cable. Thats why rehius says, clean the flux. Maybe some flux is a dipole material, which might disturbed the electromagnetic working on the wire. The youtube video he submerge the wire on water, and its reduce significantly.

So in conclusion, no. Scientifically the wires length (in cm range) wont significanlty change the time in microseconds range.

You might more worried on the thermal paste on disturbing the glitch time offset then the length.

 

[cgtchy0412]

The RST pad is ripped off. Will it be the issue?

which pad exactly? any pic?
rst on lite can be ripped without problem as theres no connection.

Post automatically merged: Jun 26, 2023

You might more worried on the thermal paste on disturbing the glitch time offset then the length.

This only affects when its sorrounded/submerged in the medium right?, but it wont have effect if its only on the vicinity.
So to much thermal cannot be good at least in this case.

 

[bilalhassan341]

Great. So this is a hardware issue, the code is solid. What do you think is the most stable programmer device?

Post automatically merged: Jun 25, 2023

Rehius only mention the RP2040 that it is not stable. So, other boards might be.

finally did one of these RP2040 installs; good learning experience after several years since my last SAMD21 install. went with a seeed xiao RP2040, dual mosfet. relocated the status LED to the front of the board where the (nearly) unused home button LED was, so it can act as an external status indicator. boot times seem good. quite pleased

View attachment 379924 View attachment 379925

View attachment 379927

It is Feautibul

Post automatically merged: Jun 26, 2023

which pad exactly? any pic?
rst on lite can be ripped without problem as theres no connection.

Post automatically merged: Jun 26, 2023

It looks like its been ripped off.

 

[abal1000x]

If we can find time offsets that will make us able to externalize the Mosfet from soc header. Any experiment on that yet?

The problem is not the offset. But delivering the current. To use more length, means higher diameter. But higher diameter wire make it difficult to solder, and easier to ripped the cap.

The best solution is using flat wire like flex cable. The probable way to put the mosfet outside from the apu is by using flex cable, and use a huge area on D and GND part, but still the huge area (flat wire) should be continued until connected to the mosfet. Means the shield of the apu that will be cut also huge. And again its bad to cut shield too much, since the temp paste rely on it.

So basically we can't get the mosfet out from the apu because of the current purposes. Maybe you have other idea, how to deliver the high current to the mosfet?

 

[bilalhassan341]

Can we see a pic of your single mosfets? I can’t get a single to work to save my life lol

me too. Thats why I uses the stronger single mosfet like AON7506. My single mosfet(IRF8342) also always work with SDA and SCL wires.

 

[cgtchy0412]

The problem is not the offset. But delivering the current. To use more length, means higher diameter. But higher diameter wire make it difficult to solder, and easier to ripped the cap.

The best solution is using flat wire like flex cable. The probable way to put the mosfet outside from the apu is by using flex cable, and use a huge area on D and GND part, but still the huge area (flat wire) should be continued until connected to the mosfet. Means the shield of the apu that will be cut also huge. And again its bad to cut shield too much, since the temp paste rely on it.

So basically we can't get the mosfet out from the apu because of the current purposes. Maybe you have other idea, how to deliver the high current to the mosfet?

We cannot go higher as the margin with the soc metal cover already thin, only option is to go wide(like flex cable).
Lets see what i can come up to test this, but most definetly it will need the soc metal cover to be scrapped away and nt installed at all, or better we make a hole just for the big cable to go through it.

Some idea is the wire itself we can make it 0.3 at <=1cm soldered on caps then joined with 10 cm bigger wire to the outside mosfet.

 

[abal1000x]

If thats the case then even slight variation in wires length will effect the glitch time.
This is why in code there is some randomizer even with last succesfull offset.

Post automatically merged: Jun 26, 2023

If we can find time offsets that will make us able to externalize the Mosfet from soc header. Any experiment on that yet?

Another idea is to find, whether those D in the cap is connected to somewhere for example on the PMIC. I have trace in front pcb and there is none. But i have not yet examine the back pcb. If the D line is in there, we might use it rather than open the apu shield.

 

[deeps]

Can we see a pic of your single mosfets? I can’t get a single to work to save my life lol

see this post https://gbatemp.net/threads/picofly-a-hwfly-switch-modchip.622701/page-532#post-10189919

 

[bilalhassan341]

I had a new successful installs since I last posted but now I'm running into an issue again

I am getting the ** (RST not connected error) on a switch lite.

Maybe coincidentally, this is the first time I'm trying an installation without MOSFETs. I am using a cheap flex cable from AliExpress.

I understand the ** error appears when the voltage from RST is not 1.6v. The issue is I have a good connection to RST but the voltage is too low. I measure 0.9v from RST when I turn the system on.

Any advice?

Check your RST pad the other rst is ripped off. So, I think there is no connection between them.

Post automatically merged: Jun 26, 2023

see this post https://gbatemp.net/threads/picofly-a-hwfly-switch-modchip.622701/page-532#post-10189919

Cap solder is very good. That's the reason why single mosfet not work. Because it didn't looked that good.

 

[cgtchy0412]

Another idea is to find, whether those D in the cap is connected to somewhere for example on the PMIC. I have trace in front pcb and there is none. But i have not yet examine the back pcb. If the D line is in there, we might use it rather than open the apu shield.

That idea was like 2 months ago right, but at that time Rehius didnt release the code yet.
But even if you find it it will be like the trace is for low current only .. so you can burnout that trace if its used for high current.

 

[abal1000x]

Some idea is the wire itself we can make it 0.3 at <=1cm soldered on caps then joined with 10 cm bigger wire to the outside mosfet.

Need to find a shorter mosfet then IR8342 so the shield could close perfectly.

Post automatically merged: Jun 26, 2023

That idea was like 2 months ago right, but at that time Rehius didnt release the code yet.
But even if you find it it will be like the trace is for low current only .. so you can burnout that trace if its used for high current.

Its okay, if you could point me where is the trace is.
The high current is not continuous.

 

[cgtchy0412]

Need to find a shorter mosfet then IR8342 so the shield could close perfectly.

Post automatically merged: Jun 26, 2023

Its okay, if you could point me where is the trace is.
The high current is not continuous.

If you say okay then it acctually conflict with the other statement that you need bigger wire for longer distance.
I cannot imagine that the via/trace in switch mobo can have higher current capability than lets say 0.3mm wire which even cannot exceed 5cm apart from the caps solder for it to work.

 

[abal1000x]

If you say okay then it acctually conflict with the other statement that you need bigger wire for longer distance.
I cannot imagine that the via/trace in switch mobo can have higher current capability than lets say 0.3mm wire which even cannot exceed 5cm apart from the caps solder for it to work.

The TDP of the cpu is around 10Watt. So for 1.8V it will be use something like 5Amps maxed.

So the design of the pcb must make sure the power line could handle 10 watt of electricity goes to the cpu. The area and the thickness play a role part in the design.

The trace of power line usually different. Its bigger than the data line. If you know the trace, please direct me the position.

The Principle of 'stealing' the power is by paralleling it, and direct the most current to our mosfet, dump the electricity to GND. In parallel you need to make the resistance on one cable way lower than the others to take the current. Longer wire, higher resistance. To counter it you need bigger diameter to lower the resistance. Or use silver, which is little bit better than copper on conductivity.

 

[cgtchy0412]

The TDP of the cpu is around 10Watt. So for 1.8V it will be use something like 5Amps maxed.

So the design of the pcb must make sure the power line could handle 10 watt of electricity goes to the cpu. The area and the thickness play a role part in the design.

The trace of power line usually different. Its bigger than the data line. If you know the trace, please direct me the position.

The Principle of 'stealing' the power is by paralleling it, and direct the most current to our mosfet, dump the electricity to GND. In parallel you need to make the resistance on one cable way lower than the others to take the current. Longer wire, higher resistance. To counter it you need bigger diameter to lower the resistance. Or use silver, which is little bit better than copper on conductivity.

I believe somebody who reball the SOC itself can test in which soc pin that this caps is connected, and unfortunaltely i dont have access to that.
If i have to take a guess then it should be one of those.
It seems that number 2 is ground.
Anyone have a link for Tegra X1 pinout?