Hacking Hardware Picofly - a HWFLY switch modchip

[Piorjade]

Exactly, it's all part of the cycle. Now in 2-3 weeks someone will leak on obfuscated and encrypted firmware that only works on one Pico and everyone will spend 50 pages discussing the reverse engineering and reimplementation of it, and so it continues.

And in reality it has been you all the time, creating new accounts and leaking obfuscated .uf2 files that don't do anything

Post automatically merged: Feb 27, 2023

Btw has anyone already used a logic analyzer with a HWFLY setup? If yes, I'd be interested in ideally a sigrok file or something that I can load into Pulseview. Logic analyzer files used with the unlocked ubuntu fw would be even more ideal.

 

[Adran_Marit]

@Tafty I saw after running the nuke flasher fw you couldn't boot anymore using the ubuntu firm yea?

Did you try reflashing the original firm, booting with that then booting the unbuntu firm again?

 

[DarkKnight_TJ]

sorry for beign dumb but where are the points on motherboard to solder on a lite?
Nvm I found it on page 10

 

[d.b]

i tried pico to 3 different consoles 1 lite 2 oled...exact same behavior blue-white-green light and black screen...both oled have previously hwfly installed and worked fine , i put back hwfly after that and work absolute fine...i have intalled close to triple digit hwfly so no bad installation...
@Tafty , to the video you posted the console boot up without pressing anything while you show that is turned off , how is that possible? maybe i didn't see something right...

 

[Nagaa]

i tried pico to 3 different consoles 1 lite 2 oled...exact same behavior blue-white-green light and black screen...both oled have previously hwfly installed and worked fine , i put back hwfly after that and work absolute fine...i have intalled close to triple digit hwfly so no bad installation...
@Tafty , to the video you posted the console boot up without pressing anything while you show that is turned off , how is that possible? maybe i didn't see something right...

Your eMMC is probably not compatible with the firmware on page 34

 

[Piorjade]

i tried pico to 3 different consoles 1 lite 2 oled...exact same behavior blue-white-green light and black screen...both oled have previously hwfly installed and worked fine , i put back hwfly after that and work absolute fine...i have intalled close to triple digit hwfly so no bad installation...
@Tafty , to the video you posted the console boot up without pressing anything while you show that is turned off , how is that possible? maybe i didn't see something right...

Do your consoles perhaps have a Samsung or Toshiba / Kioxia eMMC?

 

[Tafty]

@Tafty I saw after running the nuke flasher fw you couldn't boot anymore using the ubuntu firm yea?

Did you try reflashing the original firm, booting with that then booting the unbuntu firm again?

No this isn't correct,

I updated the firmware on my lite, after doing this I could still get into hekate but couldn't get into OFW by holding volume down and up on boot, how i fixed this using the flash nuke, then letting the console boot into OFW. After that I reflashed the Ubuntu firmware and everything went back to working as before(minus the hos with cfw loading)

Post automatically merged: Feb 27, 2023

i tried pico to 3 different consoles 1 lite 2 oled...exact same behavior blue-white-green light and black screen...both oled have previously hwfly installed and worked fine , i put back hwfly after that and work absolute fine...i have intalled close to triple digit hwfly so no bad installation...
@Tafty , to the video you posted the console boot up without pressing anything while you show that is turned off , how is that possible? maybe i didn't see something right...

It was because I knocked the charging cable...which caused it to boot the chip up, try it on yours with your console turned off, plug the charger in and the console will turn on

 

[d.b]

No this isn't correct,

I updated the firmware on my lite, after doing this I could still get into hekate but couldn't get into OFW by holding volume down and up on boot, how i fixed this using the flash nuke, then letting the console boot into OFW. After that I reflashed the Ubuntu firmware and everything went back to working as before(minus the hos with cfw loading)

Post automatically merged: Feb 27, 2023

It was because I knocked the charging cable...which caused it to boot the chip up, try it on yours with your console turned off, plug the charger in and the console will turn on

i know that if you plug the charger the console will turn on but you didnt plug it , it was already plugged thats why i asked...

Post automatically merged: Feb 27, 2023

Do your consoles perhaps have a Samsung or Toshiba / Kioxia eMMC?

they have samsung all of them..

 

[TheSynthax]

i know that if you plug the charger the console will turn on but you didnt plug it , it was already plugged thats why i asked...

Post automatically merged: Feb 27, 2023

they have samsung all of them..

Well, you'll have to wait then, Samsung support will be released eventually, same with Horizon support. No eta. Certain Samsung chips may work, I don't recall.

 

[d.b]

Well, you'll have to wait then, Samsung support will be released eventually, same with Horizon support. No eta. Certain Samsung chips may work, I don't recall.

thx bro..

 

[renoob]

Someone should try unlocked fw on normal pico / pico w. It should behave the same except no led (zero uses rgb on pin 16 while normal uses standard led on pin 25). But wiring ws2812 led on pin 16 should do the trick.
Anyway normal pico has SWD output which is not present on Zero, pins are removed but can be soldered back on chip pins . I did it but you need special equpment for that and works fine. What would that allow is to halt the chip when its almost done and then dump the memory which should be decrypted then. Also another normal pico is needed to debug he first one or Rpi3/Rpi4.

I would do it but I dont have flex cable (ordered one)

 

[MusicCanKill]

From the new NYX update:

• Added support for bpmpclock=3 which further reduces clock speed for the worst binned SoCs
  Additionally, the first boot clock test now lasts fro 10s on first boot, instead of 5s.
  To change bpmpclock, you need to manually edit nyx.ini, since it’s not in the GUI options.

Doesn't that mean that it could be a clocking issue and not an emmc issue?

 

[TheSynthax]

From the new NYX update:

• Added support for bpmpclock=3 which further reduces clock speed for the worst binned SoCs
  Additionally, the first boot clock test now lasts fro 10s on first boot, instead of 5s.
  To change bpmpclock, you need to manually edit nyx.ini, since it’s not in the GUI options.

Doesn't that mean that it could be a clocking issue and not an emmc issue?

No. We aren't even getting anywhere near launching the SD loader, let alone NYX and Hekate. SoC isn't even running, it's held in reset.

 

[MusicCanKill]

No. We aren't even getting anywhere near launching the SD loader, let alone NYX and Hekate. SoC isn't even running, it's held in reset.

How are you expecting anything on screen if you are holding the SoC in reset?
What you said doesn't make sense to me.

 

[Adran_Marit]

No this isn't correct,

I updated the firmware on my lite, after doing this I could still get into hekate but couldn't get into OFW by holding volume down and up on boot, how i fixed this using the flash nuke, then letting the console boot into OFW. After that I reflashed the Ubuntu firmware and everything went back to working as before(minus the hos with cfw loading)

Post automatically merged: Feb 27, 2023

It was because I knocked the charging cable...which caused it to boot the chip up, try it on yours with your console turned off, plug the charger in and the console will turn on

Ahh cool, I was only skimming and didnt see that

 

[TheSynthax]

How are you expecting anything on screen if you are holding the SoC in reset?
What you said doesn't make sense to me.

The SoC is held in reset during the early boot sequence while the chip checks the eMMC contents for the custom BCT and boot0 "sd loader" which is where the firmware fails on some consoles. On others, it is able to communicate with the eMMC just fine, it writes the bootloader and control table in place, and only then is the SoC allowed to start.

 

[MusicCanKill]

The SoC is held in reset during the early boot sequence while the chip checks the eMMC contents for the custom BCT and boot0 "sd loader" which is where the firmware fails on some consoles. On others, it is able to communicate with the eMMC just fine, it writes the bootloader and control table in place, and only then is the SoC allowed to start.

Has anybody done any logic analyzer measurements to confirm that?
All i see is led sequence ending in green light (which in reality could be RED if the led is the opposite of what the original dev worked with (GRB vs RGB) on their board) and black screen.
That doesn't conclude that the SoC is in reset .It could be , bad timing, incorrect glitching , no glitching at all, SoC halted cause of error , etc...
The SoC is held in reset only to check if the emmc actually contains the correct data so i believe that it is not in reset when the led of the pico pcb turns off and so it should have booted , right?
If no boot (either hekate/nosd or ofw) then it seems that a glitching attempt had taken place and it failed for some reason while the fw of the chip maybe thought that it was successful (maybe not as we can't be sure cause of the LED).
Just writing down what i m thinking inside my head. I may be totally wrong.

 

[TheSynthax]

Has anybody done any logic analyzer measurements to confirm that?

Yes, across both booting and non-booting consoles

The SoC is held in reset only to check if the emmc actually contains the correct data so i believe that it is not in reset when the led of the pico pcb turns off and so it should have booted , right?
If no boot (either hekate/nosd or ofw) then it seems that a glitching attempt had taken place and it failed for some reason while the fw of the chip maybe thought that it was successful (maybe not as we can't be sure cause of the LED).
Just writing down what i m thinking inside my head. I may be totally wrong.

It's not booting after the RST line is released because the default state of RP2040 GPIO pins is low, and the console can't boot with eMMC lines held low. Not sure why it ends up in that state once the eMMC init fails, you'd have to ask the original dev XD

It doesn't attempt to boot because it enters APX boot mode when no eMMC is detected or Tegra fails to init eMMC.

 

[MusicCanKill]

Yes, across both booting and non-booting consoles

It's not booting after the RST line is released because the default state of RP2040 GPIO pins is low, and the console can't boot with eMMC lines held low. Not sure why it ends up in that state once the eMMC init fails, you'd have to ask the original dev XD

It doesn't attempt to boot because it enters APX boot mode when no eMMC is detected or Tegra fails to init eMMC.

Now that makes sense...
If the fw doesn't release (hi-z) the pins and keep them low, it makes perfect sense!
Thank you very much for explaining.
So it could still be a timing issue and the led actually getting RED and not GREEN cause of the different led model..
Only a person who has a pico board with the fw working on one console and not on another one will be able to confirm/reject this i think (except if somebody does probe the led communication to figure out if it should be red or green if possible).

 

[TheSynthax]

Now that makes sense...
If the fw doesn't release (hi-z) the pins and keep them low, it makes perfect sense!
Thank you very much for explaining.
So it could still be a timing issue and the led actually getting RED and not GREEN cause of the different led model..
Only a person who has a pico board with the fw working on one console and not on another one will be able to confirm/reject this i think (except if somebody does probe the led communication to figure out if it should be red or green if possible).

So here's another confusing layer to all this- some Pico have a different LED, which has the pin for red and green opposite of the others. Some consoles fail green, some fail red. If someone has one that fails but is green, or succeeds but is red, then they need to solder the "RGB/GRB" jumper on the backside of their RP2040.