Hacking Hardware Picofly - a HWFLY switch modchip

[giovany86]

Since im just getting a v2 and the timing is convenient, might as well ask here

Is this project headed in the right way? Any ETAs or confirmations that it works/exists?Or can i buy a HWFLY without looking back?

Thanks in advance.

Hello there, As lots of people already said before, it might be today or in a year, we don't know when it will be working as it needs to be reverse-engineered (as i understand) and not only patched.

If you want something to mod your switch "fast", you better buy a HWFly but if you like to tinker around and try to help the community and don't mind briking / damaging your device, you can stay here and give some help.

 

[PicoPro]

Phew... This thread is hot! I wonder how much time it will take to crack the code :^

 

[IgraBIT1]

Уф... Эта тема горячая! Интересно, сколько времени потребуется, чтобы взломать код :^

Post automatically merged: Feb 13, 2023

Posting your messages here will not make it go faster

пока вы тут свои сообщения швыряете, быстрее не станет

 

[vittorio]

Phew... This thread is hot! I wonder how much time it will take to crack the code :^

are you trying to reverse the code?

 

[Piorjade]

Since im just getting a v2 and the timing is convenient, might as well ask here

Is this project headed in the right way? Any ETAs or confirmations that it works/exists?Or can i buy a HWFLY without looking back?

Thanks in advance.

If you don't like waiting for a currently unknown amount of time (as has been already said, could be in a few weeks or could be in a couple of years), I'd recommend to just buy a HWFLY.

The HWFLY also makes soldering (at least for normal v2 Switch, not Lite or OLED) as easy as possible (you just pop the eMMC directly on the chip and solder the CPU flex cable on the two caps), the "Picofly" would need you to solder cables directly to all the points on also an incredibly small MOSFET, this MOSFET then also to one of the caps (Or you can use a HWFLY CPU flex cable for the cap part, it has MOSFETs included).

I have a HWFLY soldered successfully myself on another Switch and even now I still haven't tried soldering my Pico to the stock v2 Switch that I also have. Though if I want to test eMMC communication at some point, I'll have to do that

 

[NoXe]

Is this only boot0 that fail the firmware to boot hos ? Or there is also sdloader ?

 

[Piorjade]

Is this only boot0 that fail the firmware to boot hos ? Or there is also sdloader ?

Basically, the current firmware writes the payload (also known as "sdloader" I think) to boot0. sdloader then loads hekate etc. etc.

The sdloader (and the public key) that the current firmware writes is not the same as HWFLY-NX or Spacecraft-NX, which means whoever coded it made a custom one and I think that this sdloader disables access to the BEK.

Now, the reason why this sdloader blocks access to the BEK is most likely that the developer did not want people to be able to boot atmosphere on purpose. If it wasn't on purpose, I can't explain myself why the developer would even make a custom BCT and custom payload in the first place.

So, there are currently two possible solutions: Somebody finds the BCT and sdloader inside the .uf2 file and replaces it with the HWFLY-NX one, but I couldn't find it myself and I think it's compressed and/or encrypted inside the .uf2 OR Somebody writes the picofly firmware from scratch.

Honestly, I don't know what's harder but at least we got a lot of knowledge of how the firmware should work.

 

[NoXe]

Basically, the current firmware writes the payload (also known as "sdloader" I think) to boot0. sdloader then loads hekate etc. etc.

The sdloader (and the public key) that the current firmware writes is not the same as HWFLY-NX or Spacecraft-NX, which means whoever coded it made a custom one and I think that this sdloader disables access to the BEK.

Now, the reason why this sdloader blocks access to the BEK is most likely that the developer did not want people to be able to boot atmosphere on purpose. If it wasn't on purpose, I can't explain myself why the developer would even make a custom BCT and custom payload in the first place.

So, there are currently two possible solutions: Somebody finds the BCT and sdloader inside the .uf2 file and replaces it with the HWFLY-NX one, but I couldn't find it myself and I think it's compressed and/or encrypted inside the .uf2 OR Somebody writes the picofly firmware from scratch.

Honestly, I don't know what's harder but at least we got a lot of knowledge of how the firmware should work.

sdloader is write into boot0 ? I thought that he was written in a random free space in emmc. Okay intersting.

 

[Piorjade]

sdloader is write into boot0 ? I thought that he was written in a random free space in emmc. Okay intersting.

boot0 is on the eMMC.

The eMMC has two boot partitions, boot0 and boot1. After that there's the user space partition.
https://switchbrew.org/wiki/Flash_Filesystem#Boot_Partitions

Post automatically merged: Feb 13, 2023

I thought that he was written in a random free space in emmc. Okay intersting.

sdloader gets written into random free space inside boot0. To be precise, it gets written into 0x3F0000 I think.

 

[NoXe]

boot0 is on the eMMC.

The eMMC has two boot partitions, boot0 and boot1. After that there's the user space partition.
https://switchbrew.org/wiki/Flash_Filesystem#Boot_Partitions

Yes yes I know. I know how spacecraft nx work, but on the emmc write function, the offset was controlled by the fpga and was not visible. So I wasn't sure where the payload was written.

 

[Piorjade]

Yes yes I know. I know how spacecraft nx work, but on the emmc write function, the offset was controlled by the fpga and was not visible. So I wasn't sure where the payload was written.

Ah, no, Spacecraft-/HWFLY-NX control where the payload gets written.

https://github.com/hwfly-nx/firmware/blob/master/firmware/src/payload.c

Look at line 69, it writes the sdloader into 0x1F80. This is a block offset and the HWFLY talks in 512 byte blocks. So multiply with 512 and you get 0x3F0000, this is where the sdloader lies inside boot0.

The BCTs, however, talk in 16KiB blocks instead of 512bytes. Which is why the BCT points to 0x000000FC. (0x000000FC * 16Kib = 0x3F0000)

Yes, I lost my sanity over the last couple of weeks trying to wrap this whole damn firmware around my head.

 

[NoXe]

Ah, no, Spacecraft-/HWFLY-NX control where the payload gets written.

https://github.com/hwfly-nx/firmware/blob/master/firmware/src/payload.c

Look at line 69, it writes the sdloader into 0x1F80. This is a block offset and the HWFLY talks in 512 byte blocks. So multiply with 512 and you get 0x3F0000, this is where the sdloader lies inside boot0.

The BCTs, however, talk in 16KiB blocks instead of 512bytes. Which is why the BCT points to 0x000000FC. (0x000000FC * 16Kib = 0x3F0000)

Yes, I lost my sanity over the last couple of weeks trying to wrap this whole damn firmware around my head.

ooooh its a block offset ! okay (i'm begginer)

 

[Chonay]

Ah, no, Spacecraft-/HWFLY-NX control where the payload gets written.

https://github.com/hwfly-nx/firmware/blob/master/firmware/src/payload.c

Look at line 69, it writes the sdloader into 0x1F80. This is a block offset and the HWFLY talks in 512 byte blocks. So multiply with 512 and you get 0x3F0000, this is where the sdloader lies inside boot0.

The BCTs, however, talk in 16KiB blocks instead of 512bytes. Which is why the BCT points to 0x000000FC. (0x000000FC * 16Kib = 0x3F0000)

Yes, I lost my sanity over the last couple of weeks trying to wrap this whole damn firmware around my head.

Do you do all this based on the spacecraft code or by logic? If you do it based on spacecraft, then everything may be on the right track because it is more secure, now if you do it based on logic, let's hope it works, I'm still looking for a lite to test picofly, because I only have a V1

 

[Piorjade]

Do you do all this based on the spacecraft code or by logic? If you do it based on spacecraft, then everything may be on the right track because it is more secure, now if you do it based on logic, let's hope it works, I'm still looking for a lite to test picofly, because I only have a V1

You mean how I learned the HWFLY chip? Mostly it‘s all the videos that got posted here, documents on the Tegra X1, the HWLY code and a couple of leaked confidential documents.

 

[FruithatMods]

I am sure there will be exciting discoveries in the coming days. Too bad the original dev didn't release the code because he thinks that some people here are just some vile idiots. Personally I have hope for the people here and don't think they are as bad as they appear.

 

[impeeza]

I am sure there will be exciting discoveries in the coming days. Too bad the original dev didn't release the code because he thinks that some people here are just some vile idiots. Personally I have hope for the people here and don't think they are as bad as they appear.

For the people here, yes there is hope, but for the average Internet user....

Even here we had a few shitposts, you look some people DEMANDING a quick solution and even threatening about a full working solution.

 

[rcpd]

For the people here, yes there is hope, but for the average Internet user....

Even here we had a few shitposts, you look some people DEMANDING a quick solution and even threatening about a full working solution.

Mostly those are kids and idiots. Generally they are the same people that “demand” their iPhones get jailbroken RIGHT NOW!

Anyone who’s ever had a console that can be hacked but had to wait has gone through this and are usually much more patient. It’ll get done eventually. And once it is, some kind soul will also take up the job of designing custom circuit boards so that it’s an easy enough install.

I’m new to GBATemp, but I’ve used this site for years for a plethora of insightful and helpful tutorials. It’ll happen.

 

[l7777]

For the people here, yes there is hope, but for the average Internet user....

Even here we had a few shitposts, you look some people DEMANDING a quick solution and even threatening about a full working solution.

Entitlement culture. We smack them down when they pop up here so they end up on twitbookfacegram and the like.

 

[szubiennica]

i would like to remind you about ps4 9.00 webkit exploit. people was complaining about USB DRIVE was needed to perform the exploit. Such a vile idiots

 

[icantfly]

the vid only shows pico booting hekate, prolly never even booted hos to begin with