Hacking Hardware Picofly - a HWFLY switch modchip

[abal1000x]

I have prod.keys and title.keys only. Lockpick doesn't generates a partialaes.key or any else.

title.keys is the key of the game you purchased in ofw.

i forgot the detail, but theres an option on lockpick, to get the partial aes keys.
as far as i remembered, when you choose it, theres some notification says you need to reboot to hekate or something similar.

Try to screenshot the lockpick menu, i usually instantly remembered the option.

 

[death7lord]

Yes. I got partialaes.keys and decrypt it.

Now I need device_key. prod.keys contains device_key_4x only.
Description of hactoolnet : "Save data options: --sign Sign the save file. (Requires device_key in key file)".
hactoolnet shows error: "Unable to sign save file. Do you have all the required keys?"

Post automatically merged: Dec 28, 2023

.

 

[MegaDeKay]

My hacked Lite is on 2.73 on a Waveshare RP2040-Zero. I have seen people reporting problems when upgrading to 2.75, but it sounded like the real problem was with clone boards and not the upgrade process itself. Is upgrading to 2.75 considered safe for genuine Waveshare boards? It sounds like 2.75 offers lower current consumption in standby so I'd like to upgrade if the risk is low. Everything else works great - my glitch is very fast and always works. Thanks @rehius !!!

https://www.aliexpress.com/item/1005003748305001.html

 

[deesil]

Should I completely remove the motherboard in order to do the soldering work? It's it necessary? I'm doing a V2 and a Lite

 

[Hassal]

Yes. I got partialaes.keys and decrypt it.

Now I need device_key. prod.keys contains device_key_4x only.
Description of hactoolnet : "Save data options: --sign Sign the save file. (Requires device_key in key file)".
hactoolnet shows error: "Unable to sign save file. Do you have all the required keys?"

Post automatically merged: Dec 28, 2023

Use https://vps.suchmeme.nl/git/mudkip/Lockpick_RCM to extract keys

For what exactly are you using hactoolnet for?

 

[deeps]

Should I completely remove the motherboard in order to do the soldering work? It's it necessary? I'm doing a V2 and a Lite

No, you can leave the board in, just need to remove the cpu heatsink and disconnect the battery. only the OLED requires full mainboard removal

 

[death7lord]

For what exactly are you using hactoolnet for?

I wanna replace/transfer file rawnand.bin/SYSTEM/save/80000000000000f0/PlayEvent.dat from 1st rev Unpatched to OLED model.
I want transfer a log of played time and launched titles log.

1. I use this comand
hactoolnet.exe -t save 80000000000000f0 --outdir 8aF0
2. And later
hactoolnet.exe -k prod.keys -t save 80000000000000f0 --replacefile PlayEvent.dat PlayEvent.dat
3. And Switch crashed after boot-logo Atmosphere and Nintendo (before lock screen).

 

[redmagejosh]

Hi guys, first time doing a picofly install.
I got a waveshare rp2040 running 2.73 firmware from here (https://github.com/Ansem-SoD/Picofly/tree/main/Firmwares). I'm installing on a patched V1 and during the process, unfortunately, I lost some pads but luckily there are alternative points for these. So I'm at the point in which I've connected the whole thing but when I turn it on I get blue led then it goes long yellow, then short yellow. Per the documentation here (https://gbatemp.net/download/a-definitive-picofly-install-guide.37968/) this means Dat0 is not connected but it is. I check continuity in other Dat0 points to see if it was connected, and I have continuity all the way to the board. Here are some screenshots of what I've work.

Alternate Dat0 and CLK. Also RST can be seen.

Here is a better view of RST.

Although it looks bridged there is only one pad there so it should be ok, this is CMD

Here is ground

Here is 3.3v althougt not very well focused. That one should be fine since it is turning on the chip.

Any suggestions? I did not include pics of the CPU flex since the error points to DAT0. I believe them not to be relevant but if needed, let me know.

 

[Hassal]

I wanna replace/transfer file rawnand.bin/SYSTEM/save/80000000000000f0/PlayEvent.dat from 1st rev Unpatched to OLED model.
I want transfer a log of played time and launched titles log.

1. I use this comand
hactoolnet.exe -t save 80000000000000f0 --outdir 8aF0
2. And later
hactoolnet.exe -k prod.keys -t save 80000000000000f0 --replacefile PlayEvent.dat PlayEvent.dat
3. And Switch crashed after boot-logo Atmosphere and Nintendo (before lock screen).

Same firmware or you using a different one on both?

If you just want to transfer your save data to your new switch just copy the content of your profile from your old switch and paste it into the new one, DBI should take care of the rest.

 

[death7lord]

.

Yes, the same firmware on both. I did backup of saves. Now I want transfer my playing statistics.

 

[deeps]

Hi guys, first time doing a picofly install.
I got a waveshare rp2040 running 2.73 firmware from here (https://github.com/Ansem-SoD/Picofly/tree/main/Firmwares). I'm installing on a patched V1 and during the process, unfortunately, I lost some pads but luckily there are alternative points for these. So I'm at the point in which I've connected the whole thing but when I turn it on I get blue led then it goes long yellow, then short yellow. Per the documentation here (https://gbatemp.net/download/a-definitive-picofly-install-guide.37968/) this means Dat0 is not connected but it is. I check continuity in other Dat0 points to see if it was connected, and I have continuity all the way to the board. Here are some screenshots of what I've work.

Alternate Dat0 and CLK. Also RST can be seen.
View attachment 410651

Here is a better view of RST.
View attachment 410652
Although it looks bridged there is only one pad there so it should be ok, this is CMD
View attachment 410653

Here is groundView attachment 410654

Here is 3.3v althougt not very well focused. That one should be fine since it is turning on the chip.
View attachment 410655

Any suggestions? I did not include pics of the CPU flex since the error points to DAT0. I believe them not to be relevant but if needed, let me know.

The dat0 connection between emmc and cpu travels through the pads you've ripped off. You need to restore the connection somehow.

 

[redmagejosh]

The dat0 connection between emmc and cpu travels through the pads you've ripped off. You need to restore the connection somehow.

Gotcha. That points me in the right direction. I'll get it fixed.

 

[deeps]

Gotcha. That points me in the right direction. I'll get it fixed.

While on the subject, you'll want 100 ohm resistors for dat0/cmd, especially on a v1, otherwise the likelihood of having ofw problems is very high

 

[insanecrazydude]

Alright so I bought one of these cheap modchips and watched the videos on youtube and I am ready to begin. Do I need to do anything beforehand or is the modchip ready to go? Do I just solder all the pins on and try and boot it up or is the modchip formatted and I need to flash some firmware to it. It came with obviously no instructions.

 

[MoeXzl]

It came with obviously no instructions.

Of course there are no instructions. First solder everything and see if the chip glitches. After that you can still update a firmware.

 

[Nephiel]

Alright so I bought one of these cheap modchips and watched the videos on youtube and I am ready to begin. Do I need to do anything beforehand or is the modchip ready to go? Do I just solder all the pins on and try and boot it up or is the modchip formatted and I need to flash some firmware to it. It came with obviously no instructions.

If you bought a Waveshare RP2040 Tiny or Zero board, it will be blank. You need to flash the firmware and confirm it works before you do any soldering.

After that you can still update a firmware.

But it needs to be flashed with a somewhat recent version first, so it can boot and run the Picofly toolbox. A blank RP2040 won't do.

 

[Myst0gan]

If you bought a Waveshare RP2040 Tiny or Zero board, it will be blank. You need to flash the firmware and confirm it works before you do any soldering.


But it needs to be flashed with a somewhat recent version first, so it can boot and run the Picofly toolbox. A blank RP2040 won't do.

How do you confirm that picofly itself works with the firmware without installing it on a switch??

 

[MoeXzl]

In the original you can see this by looking at the LED when flashing.

Originals have always worked for me.

 

[Nephiel]

How do you confirm that picofly itself works with the firmware without installing it on a switch??

Flash it to the board, then unplug and replug USB, if the LED blinks twice (any of the "not connected" patterns) then you know the firmware is running on the board. IIRC, v2.75 makes three attempts to glitch after booting (so 6 blinks total) and then halts and stays off.

 

[Myst0gan]

In the original you can see this by looking at the LED when flashing.

Originals have always worked for me.

You get the "flashed successfully" LED also with clones. All the rp2040 that I've ordered from Ali has always blinked green, after flashing. I don't think that I'm the luckiest person in the world that always gets original products from china, I'm pretty sure some of the rp2040 that I got, were clones, still worked without any problem.

Post automatically merged: Dec 29, 2023

Flash it to the board, then unplug and replug USB, if the LED blinks twice (any of the "not connected" patterns) then you know the firmware is running on the board. IIRC, v2.75 makes three attempts to glitch after booting (so 6 blinks total) and then halts and stays off.

You mean something like this?? Including the blue flashing, I get in total 7 blinks

Post automatically merged: Dec 29, 2023

Does anyone know the size of those resistors (both, 4,7k and 47K) from cmd line on OLED boards??
I've ordered a bunch of 1206 from eBay, but they're too big