Hacking Hardware Picofly - a HWFLY switch modchip

  • Thread starter: mathew77
The resistor should be OK now. Remove the DAT0 cable from the Pico and let's see what error code you get.
I disconnected the DAT0 cable and I received an "=* D0 is not connected" error on the Picofly.

I'm guessing that I used one of the "bad" DAT0 adapters from AliExpress. I have these spare ones, but I'm not trusting any of them at all. Any recommendation?

[Attachment: Dat0Adapters.jpg]

Thank you in advance.
The first one on the left is very bad, the second one could be used with some modification (see abal100x's post about that), and the small black one is OK; you just need to use some solder mask to secure it in place, but the contact point under the eMMC is fine.
 
Hello, does anyone know the value of that capacitor? The one inside the white circle.

The capacitor inside the white circle, on an OLED Switch, is gone and the console turns off after a few minutes. Does anyone know the value of that component?

[Attachment: condensador.png]
I was wondering, is there any documentation on how the Picofly actually glitches the console and loads Hekate? I've tried searching but can't dig up a single source. As far as I know, the basic glitch is that the Pico interrupts the Tegra's secure boot using MOSFET wizardry and then takes advantage of the CPU's vulnerable state by sending some code to the eMMC, which boots Hekate. I'm more specifically looking for which pins on the Pico are used when, and what they do, so I can help troubleshoot my own issues.

3.3V/GND = power
CMD ~ not sure.
CLK = to enable timing of the glitch/data TX
RST ~ not sure.
DAT0 = dump to eMMC
SDA/SCL = literally no idea

Thanks!
The principle is very simple.
DAT0~3 + CLK + CMD are the eMMC.
Power on, unlock first, obtain BOOT authority.
If it fails, it is redone; that is RST.
The MOSFET is there to pull down the CPU voltage: VCC 1.1V is pulled down to 0.9V.
New CPU: 0.9V is pulled down to 0.8V.
The user's cable is too thin to pull the voltage down effectively and steadily (unstable MOSFET quality/mounting).
You can also read the source code on GitHub.
 
Thanks for the info. I'm having a problem with the === error on my Pico. It stays in the blue flashing state for 45 seconds, flashes white, then goes back to blue flashing for about a minute, ending with ===. CMD/CLK are for sure fine. I just tried resoldering RST and added the SDA/SCL connections, but still the same result. I've checked DAT0 by wiggling it and looking for variations in the diode value (around 700), but it still seems fine. The flex cable on the CPU had an error which I think I solved (14 ohm on one side of the caps, <0.1 ohm on the other).

Kind of at a loss as to what could be causing the issue now...
 
...nope, black screen also... :(
I think you have a corrupted backup also. Try to follow the Sthetix level 1 unbricking guide. It mostly covers the system partition side. If the user partition is also not showing, follow level 2 or 3. But first try level 1; it is easy, just follow the steps.

Edit: This method helped me with my Switch, which had the same issue.
 
14 ohm on one side and ~0.1 on the other side of each cap doesn't sound out of the ordinary to me. Mine always measure around 0 ohms on one side and then around 20 ohms on the other side of each cap. I find that the side showing resistance shows more or less resistance depending on which colour probe you put on ground. I usually put the black probe on ground.
 
I found my RP2040-Zero doesn't like the 1k ohm resistor between gate and source on the TPN8R903NL MOSFET. It will do ==* with the 1k ohm resistor and boot into OFW, just as if the glitching had disappeared. (I had the RP2040-Zero initial setup without any pull-down resistor.)
Then I tried 10k ohm and 33k ohm; both work. I will do a couple of cold-start glitching training runs and see which setup works best.
 
I've got a v2 Switch here that I'm fixing for a customer. After a failed install the Switch no longer boots; it looks like they toasted the D0 line.

I *think* that via is still OK, but if it isn't, is there another point I can run a wire to from that trace?

[Attachment: 1687148310085.png]
 
CMD/CLK/DAT0 are for the eMMC.
You could read the datasheet for the eMMC.

3.3V, GND to power up the Pico.

MOSFET G to control the MOSFET. The MOSFET functions as an on/off switch based on the G signal given by the Pico.

RST to reset the CPU.

SDA/SCL to give instructions (I2C) to the power IC to go into undervoltage.
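The pin roles in this reply and in the earlier "the principle is very simple" reply (RST restarts the boot, CLK gives the timing, the MOSFET gate pulls the core rail down for a moment, DAT0 carries what gets loaded once the boot is diverted) amount to a reset-and-retry loop. Below is a constructed toy model of that loop in Python, added here as an illustration; it is not Picofly's firmware (that is on GitHub, as another reply notes) and every number in it, the vulnerable window, the pulse widths, the attempt cap, is made up. The `rail_drop_ok` flag models the failure mode the replies about thin wire and MOSFET mounting describe: the gate toggles, but the voltage never actually drops, so every attempt just boots the original firmware.

```python
"""Toy model of a power-on voltage-glitch loop.

Constructed illustration for this thread, not Picofly firmware. The target,
its vulnerable window and its responses are invented. What it shows is the
control loop the posts describe: reset the CPU (RST), count clock cycles from
power-on (CLK), pull the core rail down briefly (MOSFET gate), check whether
the boot path was diverted, and otherwise reset and retry with new timing.
"""
from dataclasses import dataclass


@dataclass
class ToyTarget:
    """Stand-in for the CPU boot ROM. All numbers are assumed, not Tegra values."""
    window_start: int = 120        # cycles after reset where a glitch lands (assumed)
    window_len: int = 4            # length of that window in cycles (assumed)
    min_width: int = 2             # shorter pulses are absorbed by the rail (assumed)
    max_width: int = 6             # longer pulses crash the boot (assumed)
    rail_drop_ok: bool = True      # False: gate toggles but the rail never reaches the low voltage
    cycles: int = 0
    outcome: str = "idle"

    def reset(self) -> None:
        """RST: restart the boot from cycle 0."""
        self.cycles = 0
        self.outcome = "idle"

    def run_until(self, cycle: int) -> None:
        """Let the boot ROM run for `cycle` clocks (timing counted from CLK)."""
        self.cycles = cycle

    def pull_down(self, width: int) -> str:
        """Assert the MOSFET gate for `width` cycles and report the boot outcome."""
        if not self.rail_drop_ok:
            self.outcome = "normal"        # pulse sent, rail did not drop: OFW boots as usual
        elif width > self.max_width:
            self.outcome = "crash"         # rail held low too long: boot dies
        elif (self.window_start <= self.cycles < self.window_start + self.window_len
              and width >= self.min_width):
            self.outcome = "success"       # boot diverted: this is where the DAT0 payload would run
        else:
            self.outcome = "normal"        # missed the window: original firmware boots
        return self.outcome


def campaign(target: ToyTarget, offsets, widths, max_attempts: int = 2000) -> dict:
    """Sweep (width, offset) pairs, resetting the target before every attempt.

    Stops at the first success and tallies every outcome, so a run that only
    ever sees 'normal' can be told apart from one that also crashes.
    """
    attempts = 0
    seen = {"normal": 0, "crash": 0, "success": 0}
    for width in widths:
        for offset in offsets:
            if attempts >= max_attempts:
                return {"result": "exhausted", "attempts": attempts, "seen": seen}
            attempts += 1
            target.reset()                 # RST: fresh boot for every try
            target.run_until(offset)       # wait `offset` clocks after power-on
            result = target.pull_down(width)
            seen[result] += 1
            if result == "success":
                return {"result": "success", "offset": offset, "width": width,
                        "attempts": attempts, "seen": seen}
    return {"result": "exhausted", "attempts": attempts, "seen": seen}


def diagnose(report: dict) -> str:
    """Turn a campaign report into the kind of hint a troubleshooter wants."""
    if report["result"] == "success":
        return "glitch landed"
    if report["seen"]["crash"] == 0 and report["seen"]["normal"] > 0:
        return "every attempt booted normally: the rail is probably not being pulled down"
    return "no success but crashes seen: timing/width search, not the pulldown, is the problem"


if __name__ == "__main__":
    print(campaign(ToyTarget(), range(100, 140), range(1, 8)))
    print(diagnose(campaign(ToyTarget(rail_drop_ok=False), range(100, 140), range(1, 8))))
```

The point of `diagnose` is the split the thread keeps coming back to: a sweep that never crashes and never succeeds means the pulldown is not biting (wire, MOSFET, flex cable), whereas crashes mixed with normal boots mean the hardware is pulling the rail and only the timing still needs work.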
Thanks! So given the state of the Pico, like you said, it writes the packet with the white flash and the packet should be executed by the CPU when it is undervolted. But in my Switch the signal to undervolt is being sent to the MOSFETs, yet for some reason the undervolt isn't happening. If I'm not wrong, this points to a fault with the flex cable install.

Faulty MOSFETs? Bad flex cable? Poor-quality wire to the flex cable? Is it worth using larger-gauge wire or attempting to replace the flex cable with my spare? I'm a little worried about removing caps if I attempt it :D