Hacking Hardware Picofly - a HWFLY switch modchip

[saladus]

I don't know if the dump is just a raw dump of the flash chip?
If so, then it should be there.

according to the docs, picotool save all dumps the entire flash so unless someone removed it after the fact it's gotta be there

 

[TheSynthax]

OK, I’m all in.

Picked up a junker Switch Lite w/ a bad screen on flea bay. The screen is cracked and the joysticks are shot.

View attachment 349609

Going to put this one piece screen on it and a pair of those garbage Gulikit Hall Effect sticks on it and call it good.
https://www.aliexpress.us/item/3256804496995627.html

Grabbing a HWFLY lite kit…just in case this all turns out to be much ado about nothing.

View attachment 349618

At worst I can resell it on flea bay as a fully modded switch lite for $200 and get my money back.

Let’s go!

Gulikit sticks are anything but garbage, but they also don't make hall effect sticks for Joy-Cons or Switch Lite.

 

[saladus]

getting a second pico in the mail today, gonna use picoprobe and try to see where it breaks. i'll update you guys probably in like 12 hours

 

[binkinator]

Gulikit sticks are anything but garbage, but they also don't make hall effect sticks for Joy-Cons or Switch Lite.

https://gbatemp.net/threads/hall-effect-sensor-joycon-sticks-on-amazon.624698/

 

[TheSynthax]

https://gbatemp.net/threads/hall-effect-sensor-joycon-sticks-on-amazon.624698/

Huh, guess they finally do. That's great to know! Dunno why anyone would call sticks from gulikit garbage though, the ones in my Steam Deck are fantastic and I wish there were a mod for the Elite Series 2 to switch to Hall effect sticks. Anyway, don't want to get too off-topic

 

[binkinator]

Huh, guess they finally do. That's great to know! Dunno why anyone would call sticks from gulikit garbage though, the ones in my Steam Deck are fantastic and I wish there were a mod for the Elite Series 2 to switch to Hall effect sticks. Anyway, don't want to get too off-topic

I took one for the team and bought four of them and put two in my Erista. Keep reading the other thread…they are hot garbage so I have a set left over that I refuse to put in my Mariko. They be perfect for use in this little Franken-project. :-)

 

[TheSynthax]

I took one for the team and bought four of them and put two in my Erista. Keep reading the other thread…they are hot garbage so I have a set left over that I refuse to put in my Mariko. They be perfect for use in this little Franken-project. :-)

You're certain those aren't fake Gulikits? I'd have returned them if they weren't better than pot sticks.

 

[binkinator]

You're certain those aren't fake Gulikits? I'd have returned them if they weren't better than pot sticks.

100% certain. These guys sell Gulikit on Aliexpress and are refunding everyone’s money. Was in the process of returning them but this project came up. They will work great and offset some costs. I’m still down $9.00 for the cost of 2 RP2040-zeros. Lol

 

[CompSciOrBust]

The original id is just a 64bit number and it is retrieved from the flash chip.
The RP2040 does not have an internal id in the cpu itself (according to the documentation) :
https://raspberrypi.github.io/pico-sdk-doxygen/group__pico__unique__id.html
I don't know if the dump is just a raw dump of the flash chip?
If so, then it should be there.

If not, someone will be able to hack it.
Just speculating here but the firmware is probably the same as for the hwfly.
So we know the decoding algorithm. Then it is just a matter of trying all keys and comparing the output.
With a 64bit key, that will be peanuts for a normal cpu.
I'm sure there are smart kids here who can break this encryption on a Sunday afternoon.

Well hey, the Switch firmware signature key is only 128 bits. That's only like double the effort. Why not brute force that instead and then we can all enjoy cold boot CFW curtesy of you?

 

[TheSynthax]

Well hey, the Switch firmware signature key is only 128 bits. That's only like double the effort. Why not brute force that instead and then we can all enjoy cold boot CFW curtesy of you?

Double the effort for a quantum computer perhaps

 

[impeeza]

Well hey, the Switch firmware signature key is only 128 bits. That's only like double the effort. Why not brute force that instead and then we can all enjoy cold boot CFW curtesy of you?

doubling the quantity of bits elevate to square the time needed, IS A LOT of time, by the way that's what the chip mod try to do, some "magic" altorithm to try to get the key that's why the chip at first start "training" the console.

 

[CompSciOrBust]

Double the effort for a quantum computer perhaps

Yes. It is infeasible.

 

[ghjfdtg]

doubling the quantity of bits elevate to square the time needed, IS A LOT of time, by the way that's what the chip mod try to do, some "magic" altorithm to try to get the key that's why the chip at first start "training" the console.

There is no math black magic involved. The CPU is simply glitched to make a check that would fail, pass. The bootrom then loads the modified code despite the checks not passing in reality. But neither code nor CPU know the check didn't pass because the voltage was too low at the time it checked.

 

[Piorjade]

There is no math black magic involved. The CPU is simply glitched to make a check that would fail, pass. The bootrom then loads the modified code despite the checks not passing in reality. But neither code nor CPU know the check didn't pass because the voltage was too low at the time it checked.

AFAIK this
The way I understand HWFLY / SX Core is that the FPGA is merely responsible for finding the correct timing for the glitch. I think it determines that by analysing the data going to/from the NAND chip to/from the CPU.
The code for the microcontroller is open source already anyway and the quick glance I gave it basically confirmed my understanding. So the "hard part" that nobody open-sources to this day is the FPGA logic.

Though I may be wrong..

If I'm (kinda) right though, I wonder if a microcontroller like the Pico really can reliably time this voltage drop. Sure MCs are pretty fast, but FPGAs are just faster and more precise.

Personally, I'd love to get into this kind of stuff, I just don't have the money for the hardware and Switches to throw away. Tegra Dev Kits are available to the public but they're expensive as hell lmao.

 

[evil_santa]

takes a while to bruteforce a 128 bit key

https://crypto.stackexchange.com/qu...g-would-it-take-to-brute-force-an-aes-128-key

 

[Piorjade]

takes a while to bruteforce a 128 bit key

It also depends on what encryption algorithm was used.

Basically with 128bit there are 2^128 possible combinations, so the longest time needed would be 2^18 * (time one test needs, depends on the algorithm and other security measures)

 

[saladus]

If I'm (kinda) right though, I wonder if a microcontroller like the Pico really can reliably time this voltage drop. Sure MCs are pretty fast, but FPGAs are just faster and more precise.

you're right that fpgas are faster and more precise but afaik the pico's programmable io should be fast enough, at least that's what was being said in the thread

 

[Adran_Marit]

Rp2040 работает хорошо, в некоторых случаях лучше hwfly, да и кажется он надежнее

Я про то что hwfly хреновый)
Rp2040 хорошая замена.

English only or the mods will remove your comments

 

[impeeza]

Rp2040 работает хорошо, в некоторых случаях лучше hwfly, да и кажется он надежнее

english only forum please: https://gbatemp.net/help/terms/

 

[IgraBIT1]

difficult to read?) delete it is not a pity.
and you are bald, I will not give the firmware)))