Hacking Hardware Picofly - a HWFLY switch modchip

[thesjaakspoiler]

Has anyone asked CTCaer or SciresM for their expertise? Perhaps they would know of a workaround.

These guys steer clear from anything that might give Nintendo any reasons to sue them.

 

[renoob]

... removed

 

[Brunh]

does anyone know if i can use one mosfet trash board nintendo switch
Or need by IRFHS8342?

 

[Piorjade]

So, I hooked up RST to my Pico to see how RST works and when I set the output to HIGH the switch restarts, however, it only restarts if it changes from HIGH to LOW or from LOW to HIGH. How would I prevent the CPU from continuing? Do I really have to keep RST switching between HIGH and LOW?

 

[juanvlc]

Maybe we can just use 1206 47R to reduce the whole size

Does someone is trying onto oled?
I don't have lite but oled yes

 

[ghjfdtg]

So, I hooked up RST to my Pico to see how RST works and when I set the output to HIGH the switch restarts, however, it only restarts if it changes from HIGH to LOW or from LOW to HIGH. How would I prevent the CPU from continuing? Do I really have to keep RST switching between HIGH and LOW?

Reset signals are usually active low. Meaning the SoC is under reset when low. You have to hold reset low for a minimum amount of time and then high so the CPU can start booting. I don't know the minimum reset time for the Tegra X1 but it's possibly in the datasheet.

 

[TheStonedModder]

Maybe we can just use 1206 47R to reduce the whole size

Does someone is trying onto oled?
I don't have lite but oled yes

Of course they are also trying for OLED

The same modchip should work for both once it’s figured out

 

[Piorjade]

Reset signals are usually active low. Meaning the SoC is under reset when low. You have to hold reset low for a minimum amount of time and then high so the CPU can start booting. I don't know the minimum reset time for the Tegra X1 but it's possibly in the datasheet.

So basically the Switch won't boot as long as I keep RST low?

 

[ghjfdtg]

@Piorjade
Yes. Unless NVIDIA implemented this differently. But it almost always works this way.

 

[OMAR1982]

can anyone try to test and analyse this uf2 file and see whether it works

 

[Doodka]

can anyone try to test and analyse this uf2 file and see whether it works

I don't think it has anything to do with picofly, the file has a completely different size and is very different from the dumps that we have + picotool gave this:

File RP2040ZERO-pico-v1.19.1-878.uf2:



Program Information

 name:            MicroPython

 version:         v1.19.1-878-g4598b89ce

 features:        thread support

                  USB REPL

 frozen modules:  neopixel, dht, ds18x20, onewire, uasyncio/stream, uasyncio/lock, uasyncio/funcs, uasyncio/event, uasyncio/core, uasyncio, _boot_fat, _boot, rp2

 binary start:    0x10000000

 binary end:      0x1004dc70

 embedded drive:  0x100a0000-0x10200000 (1408K): MicroPython



Fixed Pin Information

 none



Build Information

 sdk version:       1.5.0

 pico_board:        pico

 boot2_name:        boot2_w25q080

 build date:        Feb 17 2023

 build attributes:  MinSizeRel

My pico comes with ali, so I can't check if the code works, but it seems to me that this is a REPL example of Pico,
its builded yesterday, so it's looks like stuffing
Where did you find it?

 

[Kingdedede]

can anyone try to test and analyse this uf2 file and see whether it works

Can i test when return ti home

 

[szubiennica]

i just discovered that on one v2 switch it boots straight into hos, this is weird

 

[renoob]

i just discovered that on one v2 switch it boots straight into hos, this is weird

This above is not firmware (for the switch) if you are referring to that. Its a micropython. Not sure why he even posted that

 

[TheStonedModder]

This above is not firmware (for the switch) if you are referring to that. Its a micropython. Not sure why he even posted that

Plus it uses “neopixel” which is for WLEDs

I feel like that user was just trolling and trying to waste time cause what else would make them think it’s for a switch ha

 

[KAAAsS]

Try to run the firmware by emulating RP2040 but so far had no luck. The program just keeps decrypting and never triggers 0x20020440. The problem might occur in emulating peripherals, since the decryption code uses them everywhere (like disabling the irq, and using PPB_VTOR to pass data, if I read it correctly), and it's hard to reimplement all of them. Plan to buy one RP2040 Zero and check them in the real world.

btw, @renoob could you pls try running your patched firmware in a real RP2040, breakpoint at 0x2002096C, and check the R3 and R6? In my case, R3 is 0x20000000 and R6 is 0x2B. It should be same if the unique id got injected currectly.

 

[Kingdedede]

can anyone try to test and analyse this uf2 file and see whether it works

Don t work all led Is off

 

[renoob]

Isn't that memory (SDRAM) address? I dont see any references in ghidra regarding that address anywhere.
@KAAAsS
Anyway you wont get much with the chip on its own. It seems that rest of the functions are called when it receives some signal.
For example it does not call get_unique_id function at all while its not soldered to unit, chip just dies fast after boot

 

[KAAAsS]

Isn't that memory (SDRAM) address? I dont see any references in ghidra regarding that address anywhere.

Yes. It's a mapped address. 0x200200C0 ~ 0x200212F0 is loaded from .bin offset 0x1591C.

It seems that rest of the functions are called when it receives some signal.
For example it does not call get_unique_id function at all while its not soldered to unit, chip just dies fast after boot

Yes but not that mysterious, most of them are just the normal boot process. Like 0x10002608 is _retrieve_unique_id_on_boot, and triggered during the boot. The chip could hang in a loop check about hardware (e.g. XOSC) when not soldered to a unit, or say when peripherals are not correctly configured.

 

[renoob]

@KAAAsS Cant trigger that breakpoint at that address