Toggle sidebar

Hacking Hardware Picofly - a HWFLY switch modchip

  • Thread starter Thread starter mathew77
  • Start date Start date
  • Views Views 3,671,291
  • Replies Replies 17,052
  • Likes Likes 15
So, I hooked up RST to my Pico to see how RST works and when I set the output to HIGH the switch restarts, however, it only restarts if it changes from HIGH to LOW or from LOW to HIGH. How would I prevent the CPU from continuing? Do I really have to keep RST switching between HIGH and LOW?
 
Maybe we can just use 1206 47R to reduce the whole size
6kZf3sN.jpg

Does someone is trying onto oled?
I don't have lite but oled yes
 
  • Like
  • Love
Reactions: ifgfgfgfgfgfg, swutch, binkinator and 3 others
Piorjade said:
So, I hooked up RST to my Pico to see how RST works and when I set the output to HIGH the switch restarts, however, it only restarts if it changes from HIGH to LOW or from LOW to HIGH. How would I prevent the CPU from continuing? Do I really have to keep RST switching between HIGH and LOW?
Click to expand...
Reset signals are usually active low. Meaning the SoC is under reset when low. You have to hold reset low for a minimum amount of time and then high so the CPU can start booting. I don't know the minimum reset time for the Tegra X1 but it's possibly in the datasheet.
 
Last edited by ghjfdtg,
  • Like
Reactions: Donnie-Burger
ghjfdtg said:
Reset signals are usually active low. Meaning the SoC is under reset when low. You have to hold reset low for a minimum amount of time and then high so the CPU can start booting. I don't know the minimum reset time for the Tegra X1 but it's possibly in the datasheet.
Click to expand...
So basically the Switch won't boot as long as I keep RST low?
 
OMAR1982 said:
can anyone try to test and analyse this uf2 file and see whether it works
Click to expand...
I don't think it has anything to do with picofly, the file has a completely different size and is very different from the dumps that we have + picotool gave this:
Code: 
File RP2040ZERO-pico-v1.19.1-878.uf2:



Program Information

 name:            MicroPython

 version:         v1.19.1-878-g4598b89ce

 features:        thread support

                  USB REPL

 frozen modules:  neopixel, dht, ds18x20, onewire, uasyncio/stream, uasyncio/lock, uasyncio/funcs, uasyncio/event, uasyncio/core, uasyncio, _boot_fat, _boot, rp2

 binary start:    0x10000000

 binary end:      0x1004dc70

 embedded drive:  0x100a0000-0x10200000 (1408K): MicroPython



Fixed Pin Information

 none



Build Information

 sdk version:       1.5.0

 pico_board:        pico

 boot2_name:        boot2_w25q080

 build date:        Feb 17 2023

 build attributes:  MinSizeRel
My pico comes with ali, so I can't check if the code works, but it seems to me that this is a REPL example of Pico,
its builded yesterday, so it's looks like stuffing
Where did you find it?
 
Last edited by Doodka,
renoob said:
This above is not firmware (for the switch) if you are referring to that. Its a micropython. Not sure why he even posted that
Click to expand...
Plus it uses “neopixel” which is for WLEDs

I feel like that user was just trolling and trying to waste time cause what else would make them think it’s for a switch ha
 
  • Like
Reactions: Mansi and DreedPL
Try to run the firmware by emulating RP2040 but so far had no luck. The program just keeps decrypting and never triggers 0x20020440. The problem might occur in emulating peripherals, since the decryption code uses them everywhere (like disabling the irq, and using PPB_VTOR to pass data, if I read it correctly), and it's hard to reimplement all of them. Plan to buy one RP2040 Zero and check them in the real world.

btw, @renoob could you pls try running your patched firmware in a real RP2040, breakpoint at 0x2002096C, and check the R3 and R6? In my case, R3 is 0x20000000 and R6 is 0x2B. It should be same if the unique id got injected currectly.
 
Isn't that memory (SDRAM) address? I dont see any references in ghidra regarding that address anywhere.
@KAAAsS
Anyway you wont get much with the chip on its own. It seems that rest of the functions are called when it receives some signal.
For example it does not call get_unique_id function at all while its not soldered to unit, chip just dies fast after boot
 
Last edited by renoob,
renoob said:
Isn't that memory (SDRAM) address? I dont see any references in ghidra regarding that address anywhere.
Click to expand...
Yes. It's a mapped address. 0x200200C0 ~ 0x200212F0 is loaded from .bin offset 0x1591C.
renoob said:
It seems that rest of the functions are called when it receives some signal.
For example it does not call get_unique_id function at all while its not soldered to unit, chip just dies fast after boot
Click to expand...
Yes but not that mysterious, most of them are just the normal boot process. Like 0x10002608 is _retrieve_unique_id_on_boot, and triggered during the boot. The chip could hang in a loop check about hardware (e.g. XOSC) when not soldered to a unit, or say when peripherals are not correctly configured.
 
  • Like
Reactions: impeeza

Site & Scene News

Go to forum More news

Popular threads in this forum

Dusk for switch (TLoZ Twilight Princess port)

Homebrew  Full List of N64 Recompilation Switch ports

Homebrew  New Homebrew "Foil Server"?

Hacking  WiFi chip failing and can't boot. is it possible to enable Airplane Mode by editing system save files directly?

Homebrew Tutorial Translation Project  CS2SX — Write Nintendo Switch Homebrew in C#

Homebrew  Sonic Unleashed Recompiled (Homebrew Port)

Homebrew Homebrew game Project  So... Dan didn't want to reveal his Vulkan, so I made mine.

Is it fixable