Picofly - a HWFLY switch modchip

mian_85_

The resistor should be OK now. Remove the DAT0 cable from the Pico and let's see what error code you get.
I disconnected the DAT0 cable and I received a "=* D0 is not connected" error in the Picofly.

I'm guessing that I used one of the "bad" DAT0 adapters from AliExpress. I have these spare ones but I'm not trusting any of them at all. Any recommendation?

Dat0Adapters.jpg

Thank you in advance.

QuiTim

I disconnected the DAT0 cable and I received a "=* D0 is not connected" error in the Picofly.

I'm guessing that I used one of the "bad" DAT0 adapters from AliExpress. I have these spare ones but I'm not trusting any of them at all. Any recommendation?

Dat0Adapters.jpg

Thank you in advance.
The first one on the left is very bad. The second one could be used with some modification (see abal1000x's post about that). The small black one is OK; you just need to use some solder mask to secure it in place, but the contact point under the eMMC is OK.
detilmalala

Hello, does anyone know the value of that capacitor? The one inside the white circle.

The capacitor inside the white circle, on an OLED Switch, is gone and the console turns off after a few minutes. Does anyone know the value of that component?

Attachments

  • condensador.png

Uberfish

I was wondering, is there any documentation on how the Picofly actually glitches the console and loads Hekate? I've tried searching but can't dig up a single source. As far as I know, the basic glitch is that the Pico interrupts the Tegra's secure boot using MOSFET wizardry and then takes advantage of the CPU's vulnerable state by sending some code to the eMMC, which boots Hekate. I'm more specifically looking for which pins on the Pico are used, when, and what they do, so I can help troubleshoot my own issues.

3.3V/GND = power
CMD ~ not sure.
CLK = to enable timing of the glitch / data TX
RST ~ not sure.
DAT0 = dump to eMMC
SDA/SCL = literally no idea

Thanks!

POPOLO

I was wondering, is there any documentation on how the Picofly actually glitches the console and loads Hekate? I've tried searching but can't dig up a single source. As far as I know, the basic glitch is that the Pico interrupts the Tegra's secure boot using MOSFET wizardry and then takes advantage of the CPU's vulnerable state by sending some code to the eMMC, which boots Hekate. I'm more specifically looking for which pins on the Pico are used, when, and what they do, so I can help troubleshoot my own issues.

3.3V/GND = power
CMD ~ not sure.
CLK = to enable timing of the glitch / data TX
RST ~ not sure.
DAT0 = dump to eMMC
SDA/SCL = literally no idea

Thanks!
The principle is very simple.
DAT0-3 + CLK + CMD is the eMMC.
At power-on it takes priority, unlocks and obtains boot authority.
If it fails, it is redone and RST is issued.
The MOSFET is there to pull down the CPU voltage VCC from 1.1V to 0.9V.
New CPU: 0.9V pulled down to 0.8V.
The user's cable is too thin to pull the voltage down stably (unstable MOSFET mounting quality).

Attachments

  • 0619.mp4
    2.5 MB
  • 06192.mp4
    1.5 MB
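The eMMC lines POPOLO lists (CMD, CLK, DAT0-3) carry a documented command protocol, and any chip that uses bus activity as its timing reference has to recognise the command it is waiting for before it can act on it. The following C program is an added example, not Picofly's code and not taken from this thread: it decodes and verifies the 48-bit eMMC/SD command token (start bit, transmission bit, 6-bit index, 32-bit argument, CRC7 with polynomial x^7 + x^3 + 1, end bit) and scans a constructed byte capture for the first READ_SINGLE_BLOCK (CMD17). The sample capture, the idle bytes in it and the choice of CMD17 as the trigger are assumptions made for the demonstration; which command, if any, the real firmware keys on is something to check in its source on GitHub, not here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 48-bit SD/eMMC command token on the CMD line, MSB first:
 * start bit 0 | transmission bit 1 (host->card) | 6-bit index | 32-bit argument
 * | CRC7 over those 40 bits (poly x^7 + x^3 + 1) | end bit 1            */
typedef struct {
    int      ok;        /* framing bits and CRC7 all check out */
    uint8_t  index;     /* command index, e.g. 17 = READ_SINGLE_BLOCK */
    uint32_t arg;       /* 32-bit argument (block address for CMD17/CMD18) */
    uint8_t  crc_seen;  /* CRC7 carried in the token */
    uint8_t  crc_calc;  /* CRC7 recomputed from the token */
} emmc_cmd_t;

/* CRC7, no initial value, no final XOR; 0x09 is the polynomial without its x^7 term. */
uint8_t emmc_crc7(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc <<= 1;
            if ((b ^ crc) & 0x80) crc ^= 0x09;
            b <<= 1;
            crc &= 0x7F;
        }
    }
    return crc;
}

/* Pack index + argument into a 6-byte token with a valid CRC7 and end bit. */
void emmc_build_cmd(uint8_t index, uint32_t arg, uint8_t out[6]) {
    out[0] = 0x40 | (index & 0x3F);                  /* start 0, transmission 1 */
    out[1] = (uint8_t)(arg >> 24); out[2] = (uint8_t)(arg >> 16);
    out[3] = (uint8_t)(arg >> 8);  out[4] = (uint8_t)arg;
    out[5] = (uint8_t)((emmc_crc7(out, 5) << 1) | 1); /* CRC7 then end bit */
}

/* Decode and verify one 6-byte token. */
emmc_cmd_t emmc_parse_cmd(const uint8_t tok[6]) {
    emmc_cmd_t c = {0};
    c.index    = tok[0] & 0x3F;
    c.arg      = ((uint32_t)tok[1] << 24) | ((uint32_t)tok[2] << 16) |
                 ((uint32_t)tok[3] << 8)  |  (uint32_t)tok[4];
    c.crc_seen = tok[5] >> 1;
    c.crc_calc = emmc_crc7(tok, 5);
    int framing_ok = ((tok[0] & 0xC0) == 0x40) && (tok[5] & 1);
    c.ok = framing_ok && (c.crc_seen == c.crc_calc);
    return c;
}

/* Slide over a CMD-line capture; return the byte offset of the first well-formed
 * token with the wanted index, or -1. Verifying the CRC is what keeps a stray
 * byte pattern from being taken as the trigger. */
long emmc_find_cmd(const uint8_t *stream, size_t len, uint8_t want, uint32_t *arg_out) {
    for (size_t off = 0; off + 6 <= len; off++) {
        emmc_cmd_t c = emmc_parse_cmd(stream + off);
        if (c.ok && c.index == want) {
            if (arg_out) *arg_out = c.arg;
            return (long)off;
        }
    }
    return -1;
}

/* CRC7 of a command as sent, for comparison with datasheet test vectors. */
uint8_t emmc_cmd_crc7(uint8_t index, uint32_t arg) {
    uint8_t t[6];
    emmc_build_cmd(index, arg, t);
    return t[5] >> 1;
}

/* Build, optionally flip one argument bit, parse: 1 only if the token verifies
 * and decodes to what was built. Any single-bit error must fail the CRC. */
int emmc_roundtrip_ok(uint8_t index, uint32_t arg, int corrupt) {
    uint8_t t[6];
    emmc_build_cmd(index, arg, t);
    if (corrupt) t[3] ^= 0x10;
    emmc_cmd_t c = emmc_parse_cmd(t);
    return c.ok && c.index == (index & 0x3F) && c.arg == arg;
}

/* Constructed sample capture (not a real bus trace): a power-on sequence, then
 * the first block read, with 0xFF idle bytes so tokens are not 6-byte aligned. */
size_t build_sample_capture(uint8_t *buf) {
    size_t n = 0;
    emmc_build_cmd(0,  0x00000000, buf + n); n += 6;   /* GO_IDLE_STATE */
    buf[n++] = 0xFF;
    emmc_build_cmd(1,  0x40FF8000, buf + n); n += 6;   /* SEND_OP_COND */
    emmc_build_cmd(8,  0x000001AA, buf + n); n += 6;   /* CMD8, SD spec test vector arg */
    buf[n++] = 0xFF; buf[n++] = 0xFF;
    emmc_build_cmd(17, 0x00000000, buf + n); n += 6;   /* READ_SINGLE_BLOCK, block 0 */
    return n;
}

/* Offset of the first CMD17 in the sample capture (the trigger, in this example). */
long sample_first_read_offset(void) {
    uint8_t cap[64];
    return emmc_find_cmd(cap, build_sample_capture(cap), 17, NULL);
}
```

The CRC routine can be checked against the vectors every SD/MMC datasheet prints: CMD0 with argument 0 ends in byte 0x95 (CRC7 0x4A) and CMD8 with argument 0x1AA ends in 0x87 (CRC7 0x43). On a real CMD line the bytes are not pre-framed, so a sniffer samples bits on CLK and looks for the start bit; the byte-offset scan above is the same idea one level up.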

Adran_Marit

I was wondering, is there any documentation on how the Picofly actually glitches the console and loads Hekate? I've tried searching but can't dig up a single source. As far as I know, the basic glitch is that the Pico interrupts the Tegra's secure boot using MOSFET wizardry and then takes advantage of the CPU's vulnerable state by sending some code to the eMMC, which boots Hekate. I'm more specifically looking for which pins on the Pico are used, when, and what they do, so I can help troubleshoot my own issues.

3.3V/GND = power
CMD ~ not sure.
CLK = to enable timing of the glitch / data TX
RST ~ not sure.
DAT0 = dump to eMMC
SDA/SCL = literally no idea

Thanks!
You can also read the source code on GitHub.

Uberfish

The principle is very simple.
DAT0-3 + CLK + CMD is the eMMC.
At power-on it takes priority, unlocks and obtains boot authority.
If it fails, it is redone and RST is issued.
The MOSFET is there to pull down the CPU voltage VCC from 1.1V to 0.9V.
New CPU: 0.9V pulled down to 0.8V.
The user's cable is too thin to pull the voltage down stably (unstable MOSFET mounting quality).
Thanks for the info. I'm having a problem with the === error on my Pico. It stays in the blue flash state for 45 seconds, flashes white, then goes back to blue flash for about a minute, ending with ===. CMD/CLK are for sure fine. I just tried resoldering RST and added the SDA/SCL connections, but still the same result. I've checked DAT0 by wiggling it and looking for variations in the diode value (around 700), but it still seems fine. The flex cable on the CPU had an error which I think I solved (14 ohm on one side of the caps, <0.1 ohm on the other).

Kind of at a loss what could be causing the issue now...

bilalhassan341

...nope, black screen also... :(
I think you have a corrupted backup too. Try to follow the Sthetix level 1 unbricking guide. It mostly covers the system partition side. If the USER partition is also not showing, follow level 2 or 3. But try level 1 first; it is easy, just follow the steps.

Edit: This method helped me with my Switch, which had the same issue.

Switxh

Thanks for the info. I'm having a problem with the === error on my Pico. It stays in the blue flash state for 45 seconds, flashes white, then goes back to blue flash for about a minute, ending with ===. CMD/CLK are for sure fine. I just tried resoldering RST and added the SDA/SCL connections, but still the same result. I've checked DAT0 by wiggling it and looking for variations in the diode value (around 700), but it still seems fine. The flex cable on the CPU had an error which I think I solved (14 ohm on one side of the caps, <0.1 ohm on the other).

Kind of at a loss what could be causing the issue now...
14 ohm on one side and ~0.1 on the other side of each cap doesn't sound out of the ordinary to me. Mine always measure around 0 ohms on one side and then around 20 ohms on the other side of each cap. I find that the side showing resistance shows more resistance depending on which colour probe you put on ground. I usually put the black probe on ground.

jkyoho

I found my RP2040-Zero doesn't like the 1k ohm resistor between Gate and Source on the TPN8R903NL MOSFET. It will do ==* with the 1k ohm resistor and boots into OFW just as if the glitching had disappeared. (I had the RP2040-Zero initial setup without any pull-down resistor.)
Then I tried 10k ohm and 33k ohm; both work. I will do a couple of cold-start glitching training runs and see which setup works best.

abal1000x

I was wondering, is there any documentation on how the Picofly actually glitches the console and loads Hekate? I've tried searching but can't dig up a single source. As far as I know, the basic glitch is that the Pico interrupts the Tegra's secure boot using MOSFET wizardry and then takes advantage of the CPU's vulnerable state by sending some code to the eMMC, which boots Hekate. I'm more specifically looking for which pins on the Pico are used, when, and what they do, so I can help troubleshoot my own issues.

3.3V/GND = power
CMD ~ not sure.
CLK = to enable timing of the glitch / data TX
RST ~ not sure.
DAT0 = dump to eMMC
SDA/SCL = literally no idea

Thanks!
CMD/CLK/DAT0 are for the eMMC.
You could read the datasheet of the eMMC.

3.3V, GND to power up the Pico.

MOSFET G to control the MOSFET. The MOSFET functions as a switch, on/off based on the G signal given by the Pico.

RST to reset the CPU.

SDA/SCL to give instructions (I2C) to the power IC to go into undervoltage.
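abal1000x's pin summary above, together with POPOLO's earlier one, describes the loop in words: drive the MOSFET gate to drop the CPU rail at a chosen moment, see whether the payload on DAT0 gets executed, and if not pull RST and try again, keeping a timing that worked for later boots (the "training" jkyoho refers to). The following C program is an added simulation of that search loop against a mock target; it is not Picofly's firmware, and the success window, crash threshold, parameter ranges and attempt budget are invented values for the demonstration. What it shows is the control flow a glitcher needs: reset after every miss, stop widening the pulse once it only crashes the target, give up after a budget of attempts, and try a saved pulse before sweeping again.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One voltage-glitch pulse: how long after the trigger the MOSFET gate is
 * driven, and for how long. Units are arbitrary simulation ticks. */
typedef struct { uint32_t delay; uint32_t width; } glitch_t;

typedef enum { BOOT_NORMAL = 0, BOOT_CRASHED = 1, PAYLOAD_RAN = 2 } outcome_t;

/* A target is modelled as a function from pulse to boot outcome. */
typedef outcome_t (*target_fn)(glitch_t g);

/* Constructed mock target. The success window and crash threshold are
 * invented for this simulation; they are not measured Tegra values. */
outcome_t mock_target(glitch_t g) {
    if (g.width >= 60) return BOOT_CRASHED;                  /* rail held low too long */
    if (g.delay >= 180 && g.delay <= 195 && g.width >= 30 && g.width < 45)
        return PAYLOAD_RAN;                                   /* check skipped, payload boots */
    return BOOT_NORMAL;                                       /* missed: stock firmware boots */
}

/* A target that can never be glitched, to exercise the give-up path. */
outcome_t never_target(glitch_t g) { (void)g; return BOOT_NORMAL; }

typedef struct {
    int found;                 /* 1 once a pulse made the payload run */
    glitch_t best;             /* the working pulse (valid when found == 1) */
    uint32_t attempts, resets, crashes, normal_boots;
} campaign_t;

/* One attempt: fire the pulse, observe the boot, pull RST unless the payload ran. */
static outcome_t attempt(target_fn target, glitch_t g, campaign_t *c) {
    outcome_t r = target(g);
    c->attempts++;
    if (r == PAYLOAD_RAN) { c->found = 1; c->best = g; return r; }
    if (r == BOOT_CRASHED) c->crashes++; else c->normal_boots++;
    c->resets++;                                              /* RST, then try again */
    return r;
}

/* Sweep width (outer) and delay (inner). A pulse that previously worked is
 * tried first, which is what lets a trained chip boot without re-searching.
 * Heuristic: once a width crashes the target, wider pulses are not tried. */
campaign_t run_campaign(target_fn target, const glitch_t *saved,
                        uint32_t d_lo, uint32_t d_hi, uint32_t d_step,
                        uint32_t w_lo, uint32_t w_hi, uint32_t w_step,
                        uint32_t max_attempts) {
    campaign_t c = {0};
    if (saved && attempt(target, *saved, &c) == PAYLOAD_RAN) return c;
    uint32_t w_cap = w_hi;
    for (uint32_t w = w_lo; w <= w_cap; w += w_step) {
        for (uint32_t d = d_lo; d <= d_hi; d += d_step) {
            if (c.attempts >= max_attempts) return c;        /* budget exhausted: give up */
            glitch_t g = { d, w };
            outcome_t r = attempt(target, g, &c);
            if (r == PAYLOAD_RAN) return c;
            if (r == BOOT_CRASHED) { w_cap = w; break; }     /* stop going wider */
        }
    }
    return c;
}

int main(void) {
    campaign_t cold = run_campaign(mock_target, NULL, 100, 300, 5, 10, 80, 10, 100000);
    printf("cold start: found=%d delay=%u width=%u after %u attempts (%u resets)\n",
           cold.found, cold.best.delay, cold.best.width, cold.attempts, cold.resets);
    campaign_t warm = run_campaign(mock_target, &cold.best, 100, 300, 5, 10, 80, 10, 100000);
    printf("warm start with the saved pulse: %u attempt(s)\n", warm.attempts);
    return 0;
}
```

Against the mock, the cold sweep needs 99 attempts and 98 resets before delay 180 / width 30 lands, and the warm start succeeds on the first attempt. On hardware the interesting failure modes are the ones the model only gestures at: a pulse that never reaches the rail (a thin wire or a gate that is not being driven hard enough, as jkyoho and Uberfish describe) looks exactly like BOOT_NORMAL on every attempt, and the loop can only report that it ran out of budget.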

abal1000x

To each their own, I guess, as I usually install the MOSFET first since it's the easiest for me. :grog:
Yeah, it's a subjective preference thing. For me the MOSFET is the most dangerous part, so it's last.

1. First check: firmware flashed. Then power off, power on. Should be blue and yellow **.
2. Connect 3.3V and GND, turn on the Switch; should be blue and yellow **.
3. Connect CMD/CLK/DAT0 + RST; should be blue and long white (then yellow, some error).
4. Connect the MOSFET; should be blue and short yellow. Done.

kronicd

I've got a V2 Switch here that I'm fixing for a customer. After a failed install the Switch no longer boots; it looks like they toasted the D0 line.

I *think* that via is still OK, but if it isn't, is there another point I can run a wire from that trace to?

1687148310085.png

Uberfish

CMD/CLK/DAT0 are for the eMMC.
You could read the datasheet of the eMMC.

3.3V, GND to power up the Pico.

MOSFET G to control the MOSFET. The MOSFET functions as a switch, on/off based on the G signal given by the Pico.

RST to reset the CPU.

SDA/SCL to give instructions (I2C) to the power IC to go into undervoltage.
Thanks! So given the state of the Pico, like you said, it writes the packet with the white flash and the packet should be executed by the CPU when it is undervolted. But in my Switch the signal to undervolt is being sent to the MOSFETs, yet for some reason the undervolt isn't happening. If I'm not wrong, this points to a fault with the flex cable install.

Faulty MOSFETs? Bad flex cable? Poor-quality wire to the flex cable? Is it worth using larger-gauge wire or attempting to replace the flex cable with my spare? I'm a little worried about removing caps if I attempt it :D
