Hacking Hardware Picofly - a HWFLY switch modchip

Viktorsilva

where can we get

Does someone know if this is compatible with OLED?


Yes it is. That model in particular uses a pinout especially dedicated to V1 and V2 consoles, but the outputs are there for any model. If you use a multimeter you can find the right pinout for the OLED. Keep in mind that OLEDs are very special because you will need to access very delicate points such as the CLK or DAT0. Do your homework before putting your hands on it.
Post automatically merged:

You can get almost all of the pinout from this image:
 

Attachment: IMG_7480.jpeg

linkref

Yes it is. That model in particular uses a pinout especially dedicated to V1 and V2 consoles, but the outputs are there for any model. If you use a multimeter you can find the right pinout for the OLED. Keep in mind that OLEDs are very special because you will need to access very delicate points such as the CLK or DAT0. Do your homework before putting your hands on it.
Post automatically merged:

You can get almost all of the pinout from this image:
How can I use the multimeter to find the points? The diagram you provided is not exactly the same unfortunately...

Last question: do you know if I can use the V2 CPU flex cable and then wire the NAND points on OLED?

Otherwise, yes, I know which points I need to expose on OLED, I do it regularly, but I am waiting for chips to be shipped and I have only core chips left...
 

Viktorsilva

How can I use the multimeter to find the points? The diagram you provided is not exactly the same unfortunately...

Last question: do you know if I can use the V2 CPU flex cable and then wire the NAND points on OLED?

Otherwise, yes, I know which points I need to expose on OLED, I do it regularly, but I am waiting for chips to be shipped and I have only core chips left...



Those chips are all clones of each other. I’m pretty sure the pins are the same.
Post automatically merged:

How can I use the multimeter to find the points? The diagram you provided is not exactly the same unfortunately...

Last question: do you know if I can use the V2 CPU flex cable and then wire the NAND points on OLED?

Otherwise, yes, I know which points I need to expose on OLED, I do it regularly, but I am waiting for chips to be shipped and I have only core chips left...


Yes, you can use the CPU flex from the V2 on OLED without any problem. I personally prefer to use a single MOSFET directly on the Tegra, but you can use the flex too.
 

Attachment: E7AF8262-2967-4417-A4B5-EE181DCD9853.jpeg

linuxares

Isn't it supposed to run for just a few seconds on boot, and enter deep sleep after that?
I doubt it will make a noticeable difference in battery life for this use.
Yes, if you check the video. The Pico doesn't have as good a sleep mode as the Pico 2 will have.
 

abal1000x

Isn't it supposed to run for just a few seconds on boot, and enter deep sleep after that?
I doubt it will make a noticeable difference in battery life for this use.
No, the Pico cannot be shut down totally, only a partial shutdown. That's why it drains the battery.
The ideal solution would be, for example, using some mechanical switch put into the Game Card slot to switch it on/off.
 

Nephiel

Yes, if you check the video. The Pico doesn't have as good a sleep mode as the Pico 2 will have.
I admit I hadn't watched it that far. That's interesting.

However, at 1mA, a 3570mAh battery from a Lite could last 4-5 months. I'd say that an unmodded system, even in sleep mode, draws several times that? So it would be difficult to notice.
 

linuxares

I admit I hadn't watched it that far. That's interesting.

However, at 1mA, a 3570mAh battery from a Lite could last 4-5 months. I'd say that an unmodded system, even in sleep mode, draws several times that? So it would be difficult to notice.
True, it's not much! I just suspect some chips are not totally correctly programmed and keep being on, since I read some Switches seem to drain faster (might be early days tho).
 

Nephiel

Just for kicks, I measured a Waveshare RP2040 Tiny that I have right here on my bench, flashed with 2.75, and not installed yet.
It draws 0.05A (50mA) for the few seconds it takes to attempt glitching 3 times.
After that, it drops to 0.00A, and I'm using a cheap USB meter, so that can be anything up to 5mA... but that includes the red LED on the USB adapter board that stays lit.
 

linuxares

Just for kicks, I measured a Waveshare RP2040 Tiny that I have right here on my bench, flashed with 2.75, and not installed yet.
It draws 0.05A (50mA) for the few seconds it takes to attempt glitching 3 times.
After that, it drops to 0.00A, and I'm using a cheap USB meter, so that can be anything up to 5mA... but that includes the red LED on the USB adapter board that stays lit.
Hehe, that red LED is probably driven by a capacitor for like 24 hrs or more.
 

jkyoho

Just for kicks, I measured a Waveshare RP2040 Tiny that I have right here on my bench, flashed with 2.75, and not installed yet.
It draws 0.05A (50mA) for the few seconds it takes to attempt glitching 3 times.
After that, it drops to 0.00A, and I'm using a cheap USB meter, so that can be anything up to 5mA... but that includes the red LED on the USB adapter board that stays lit.
You mean that USB PCB red LED? 6mA on my side.
When glitching, 48mA, then 18mA during the short error code, and 1mA when stopped.
 

Attachment: PXL_20240808_144448884.jpg

Nephiel

You mean that usb PCB red LED? 6mA on my side
That meter is way nicer than what I was using. Could you check power draw of RP2040 Tiny, after it attempts glitch 3 times and goes to sleep?
Post automatically merged:

Failed glitch timeout reduced from 20 to 17 ms
eMMC read timeout reduced from 2500 ms to 500
Pi voltage reduced to 1.10 V, 1.3 is not needed for 280 MHz.

Now the efuses are saved in the Pico flash, not in the CPU, we will keep the Pico after many updates xD

I'm checking this out, and I know next to nothing of the timing required for the glitch, but these changes... kind of make sense? Maybe they're worth a try.
Looking at the code, I can see where to make the first three, but I do not have enough experience to attempt the last one.
Fortunately, it's infrequent to update firmware on a working Picofly, but still, burning fuses on every update doesn't sound good for the hardware.

@josete2k Any chance you could ask MLT to share that code somewhere, so we can try it out and open a PR?
 

linkref

Those chips are all clones of each other. I’m pretty sure the pins are the same.
Post automatically merged:

Yes, you can use the CPU flex from the V2 on OLED without any problem. I personally prefer to use a single MOSFET directly on the Tegra, but you can use the flex too.
Yeah, they are clones, but some pins you sent me are basically not present on the clone ^^
 

Ganesha0112

I have this problem with my personal Nintendo Switch: I replaced the eMMC with another that I bought from AliExpress; the model is: KLMCG4JETD-KLMCG4JETD-B041.

The console just boots into Hekate and the eMMC info looks good. I tried to put the backup from Hekate on the brand new NAND, but the Nintendo doesn’t boot OFW; it stays on the Nintendo logo and then nothing. When I put the prod.keys in NXNand manager and open the NAND backup, the program says “BAD CRYPTO”, like the prod.keys don’t match.

And when I try to create an emuNAND, Hekate shows this error


So any idea what’s happening here?
 

Attachments: IMG_5021.jpeg, IMG_5022.jpeg, IMG_5023.jpeg, IMG_5025.jpeg

Viktorsilva

Yeah, they are clones, but some pins you sent me are basically not present on the clone ^^

Yes, they are. Only GRD and VCC are masked. Just strip it a little bit and you get the pad to solder it. If you use a multimeter in diode mode you would find it by yourself easily.
 
