Hacking Hardware Picofly - a HWFLY switch modchip

Thread starter: mathew77
OK, I’m all in.

Picked up a junker Switch Lite w/ a bad screen on flea bay. The screen is cracked and the joysticks are shot.


Going to put this one piece screen on it and a pair of those garbage Gulikit Hall Effect sticks on it and call it good.
https://www.aliexpress.us/item/3256804496995627.html

Grabbing a HWFLY lite kit…just in case this all turns out to be much ado about nothing.


At worst I can resell it on flea bay as a fully modded switch lite for $200 and get my money back.

Let’s go!
Gulikit sticks are anything but garbage, but they also don't make hall effect sticks for Joy-Cons or Switch Lite.
 
Huh, guess they finally do. That's great to know! Dunno why anyone would call sticks from gulikit garbage though, the ones in my Steam Deck are fantastic and I wish there were a mod for the Elite Series 2 to switch to Hall effect sticks. Anyway, don't want to get too off-topic :)
I took one for the team and bought four of them and put two in my Erista. Keep reading the other thread…they are hot garbage, so I have a set left over that I refuse to put in my Mariko. They'll be perfect for use in this little Franken-project. :-)
 
I took one for the team and bought four of them and put two in my Erista. Keep reading the other thread…they are hot garbage, so I have a set left over that I refuse to put in my Mariko. They'll be perfect for use in this little Franken-project. :-)
You're certain those aren't fake Gulikits? I'd have returned them if they weren't better than pot sticks.
 
You're certain those aren't fake Gulikits? I'd have returned them if they weren't better than pot sticks.
100% certain. These guys sell Gulikit on Aliexpress and are refunding everyone’s money. Was in the process of returning them but this project came up. They will work great and offset some costs. I’m still down $9.00 for the cost of 2 RP2040-zeros. Lol
 
The original id is just a 64-bit number and it is retrieved from the flash chip.
The RP2040 does not have an internal id in the CPU itself (according to the documentation):
https://raspberrypi.github.io/pico-sdk-doxygen/group__pico__unique__id.html
I don't know if the dump is just a raw dump of the flash chip?
If so, then it should be there.

If not, someone will be able to hack it.
Just speculating here but the firmware is probably the same as for the hwfly.
So we know the decoding algorithm. Then it is just a matter of trying all keys and comparing the output.
With a 64-bit key, that will be peanuts for a normal CPU.
I'm sure there are smart kids here who can break this encryption on a Sunday afternoon.
Well hey, the Switch firmware signature key is only 128 bits. That's only like double the effort. Why not brute force that instead and then we can all enjoy cold boot CFW courtesy of you? :lol:
 
Well hey, the Switch firmware signature key is only 128 bits. That's only like double the effort. Why not brute force that instead and then we can all enjoy cold boot CFW courtesy of you? :lol:
Doubling the number of bits squares the time needed, which IS A LOT of time. By the way, that's what the chip mod tries to do: some "magic" algorithm to try to get the key. That's why the chip at first starts "training" the console.
 
Double the effort for a quantum computer perhaps :)
Yes. It is infeasible.
 
Doubling the number of bits squares the time needed, which IS A LOT of time. By the way, that's what the chip mod tries to do: some "magic" algorithm to try to get the key. That's why the chip at first starts "training" the console.
There is no math black magic involved. The CPU is simply glitched to make a check that would fail, pass. The bootrom then loads the modified code despite the checks not passing in reality. But neither code nor CPU know the check didn't pass because the voltage was too low at the time it checked.
 
There is no math black magic involved. The CPU is simply glitched to make a check that would fail, pass. The bootrom then loads the modified code despite the checks not passing in reality. But neither code nor CPU know the check didn't pass because the voltage was too low at the time it checked.
AFAIK this
The way I understand HWFLY / SX Core is that the FPGA is merely responsible for finding the correct timing for the glitch. I think it determines that by analysing the data going to/from the NAND chip to/from the CPU.
The code for the microcontroller is open source already anyway and the quick glance I gave it basically confirmed my understanding. So the "hard part" that nobody open-sources to this day is the FPGA logic.

Though I may be wrong..

If I'm (kinda) right though, I wonder if a microcontroller like the Pico really can reliably time this voltage drop. Sure MCs are pretty fast, but FPGAs are just faster and more precise.

Personally, I'd love to get into this kind of stuff, I just don't have the money for the hardware and Switches to throw away. Tegra Dev Kits are available to the public but they're expensive as hell lmao.
 
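The posts above describe the glitch from the attacker's side: one failed check is made to pass. Seen from the defender's side, as an added example that is not code from the thread, from HWFLY or from any modchip firmware, this constructed C model compares a single-branch check with a redundant check under a simplified fault model in which a glitch flips the outcome of exactly one comparison; the hash values and the PASS_MAGIC constant are invented for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed fault model: a voltage glitch is modelled as forcing exactly
 * one comparison (chosen by index) to evaluate to the wrong result.
 * glitch_target = -1 means no glitch. */
static int glitch_target = -1;
static int cmp_counter = 0;

/* Returns a == b, unless this comparison is the glitch target. */
static bool cmp_maybe_glitched(uint32_t a, uint32_t b) {
    bool real = (a == b);
    return (cmp_counter++ == glitch_target) ? !real : real;
}

/* Naive check: one branch decides, so one fault flips the verdict. */
bool naive_check(uint32_t computed_hash, uint32_t expected_hash) {
    cmp_counter = 0;
    return cmp_maybe_glitched(computed_hash, expected_hash);
}

/* Hardened check: the "pass" verdict is a non-trivial constant, not 1/0,
 * and two independent comparisons must agree before it survives. */
#define PASS_MAGIC 0xA5C35A3Cu
bool hardened_check(uint32_t computed_hash, uint32_t expected_hash) {
    cmp_counter = 0;
    uint32_t verdict = 0;
    if (cmp_maybe_glitched(computed_hash, expected_hash)) verdict = PASS_MAGIC;
    /* second comparison: any disagreement clears the verdict */
    if (!cmp_maybe_glitched(computed_hash, expected_hash)) verdict = 0;
    return verdict == PASS_MAGIC;
}

/* Inject a fault at every comparison index in turn (n_cmps of them) and
 * report whether any single fault lets mismatching hashes pass. */
bool single_fault_bypasses(bool (*check)(uint32_t, uint32_t), int n_cmps) {
    for (int i = 0; i < n_cmps; i++) {
        glitch_target = i;
        bool passed = check(0xDEADBEEFu, 0xCAFEBABEu); /* constructed mismatch */
        glitch_target = -1;
        if (passed) return true;
    }
    return false;
}
```

Under this model the naive check is bypassed by a fault on its only comparison, while the hardened check needs two coordinated faults; real bootroms also face instruction skips and multi-glitch attacks, so redundancy is one layer, not a complete fix.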
takes a while to bruteforce a 128 bit key 😅
It also depends on what encryption algorithm was used.

Basically with 128-bit there are 2^128 possible combinations, so the longest time needed would be 2^18 * (time one test needs, depends on the algorithm and other security measures)
 
If I'm (kinda) right though, I wonder if a microcontroller like the Pico really can reliably time this voltage drop. Sure MCs are pretty fast, but FPGAs are just faster and more precise.
you're right that fpgas are faster and more precise but afaik the pico's programmable io should be fast enough, at least that's what was being said in the thread
 
The RP2040 works well, in some cases better than HWFLY, and it also seems more reliable.
I mean that HWFLY is crap)
The RP2040 is a good replacement.
English only or the mods will remove your comments
 