Scene developer Zecoxao might be known for their contributions to the PlayStation hacking world, but this time around, they've got something major for the Nintendo scene. The longtime scener teased the existence of what they claim to be a $3 modchip for the Nintendo Switch, and which is said to work with Mariko and OLED systems, though not patched Erista consoles. A teaser video was also uploaded, where the modchip itself was revealed to be a Raspberry Pi--specifically, a RP2040 Zero unit, soldered into the Switch board, demonstrating Hekate launching on an OLED unit.

Given the tease of "coming soon", we can expect to see more details about the exploit eventually.

Failed to fetch tweet https://twitter.com/notzecoxao/status/1602079473628856320

Failed to fetch tweet https://twitter.com/notzecoxao/status/1602199810358083587

 

[VDDZ]

Ummm... I bought 2... And they came in today! But I don't know what to do with them ... Any info?

 

[Adran_Marit]

Ummm... I bought 2... And they came in today! But I don't know what to do with them ... Any info?

Nothing yet. No software has been released yet and I don't think full wiring diagrams have been posted either

 

[thesjaakspoiler]

What about memory training and such?

As far as I have seen the HWFly code, the memory training is done with the MPU, not the FPGA.
The FPGA is there to inject some patched code.
The MPU used by the HWFly is a very simple MPU like an ATmega328 on a Arduino Nano.
It has a clock speed of something like 8~16Mhz.
The Raspberry is running at 133Mhz and has much more features to natively interface with other hardware.

 

[Chonay]

If only the developer will release the code to us at least in alpha phase and we refine it

 

[whisky9]

As far as I have seen the HWFly code, the memory training is done with the MPU, not the FPGA.
The FPGA is there to inject some patched code.

The FPGA does some of the heavy lifting for the MCU. A MCU is most likely too slow for dealing with the high speed signals that are involved to get access to the Switch. The MCU just uses SPI to communicate with the FPGA. That is just a standard way of communication between a microcontroller and an FPGA.

 

[Sw1chGuy]

RP2040 users reports 32MHz Gpio speed and total maximum theoretical speed of 64MHz. That is pretty fast. As someone mentioned with smart dma tweaking accessing multiple pins at the same time 8bit parralel lines can be driven theoretically. 15-30ns timing can be reach so seems like a good base for injecting something. Fpga sometimes runs from 16MHz or 32MHz crystals and their power is the parralel signal processing and small clock jitter capability for precise timings. I do not know what is the exact time frame for injecting the data but hope the best. Anyway I bought a x5 pack of boards, until it is available for cheap

 

[DoctorBagPhD]

Fantastic news!

 

[szubiennica]

hwfly clones uses GD32f350 arm processor (costs around 5$). Does anybody have a flash image for them?

 

[algolsaturn]

hwfly clones uses GD32f350 arm processor (costs around 5$). Does anybody have a flash image for them?

Yes, you can get the firmware used on that chip here: https://github.com/hwfly-nx/firmware

However, that is only one part of the puzzle. Without the FPGA which actually glitches the chip which we are unable to read the contents of. We cannot make our own modchips, this is the reason why the hwfly clones are so expensive. No one besides those people are able to make them.

 

[Sw1chGuy]

Yes, you can get the firmware used on that chip here:

However, that is only one part of the puzzle. Without the FPGA which actually glitches the chip which we are unable to read the contents of. We cannot make our own modchips, this is the reason why the hwfly clones are so expensive. No one besides those people are able to make them.

Has anyone tried to hook up a logic analyzer and check what is going on? If a timing diagram would be available from the bits on the lanes then it can be easily reproduced, isn't it? So a logic analyzer and an oscilloscope should do the job. But probably Nintendo nijas will hunt down these information.

 

[thesjaakspoiler]

Has anyone tried to hook up a logic analyzer and check what is going on? If a timing diagram would be available from the bits on the lanes then it can be easily reproduced, isn't it? So a logic analyzer and an oscilloscope should do the job. But probably Nintendo nijas will hunt down these information.

Spacecraft-NX is the firmware that runs on the MPU of the HWFly.
This part is open source already.
It takes care of the learning process and it hands over the payload that needs to be injected by the FPGA.
The source code for the FPGA was available for a while on Chinese sites but I don't know if someone published it somewhere.
But with Spacecraft-NX, you know everything there is to know about how the glitching works.

Post automatically merged: Dec 25, 2022

Yes, you can get the firmware used on that chip here: https://github.com/hwfly-nx/firmware

However, that is only one part of the puzzle. Without the FPGA which actually glitches the chip which we are unable to read the contents of. We cannot make our own modchips, this is the reason why the hwfly clones are so expensive. No one besides those people are able to make them.

There is enough information on how this glitching works and as the MPU (not the FGPA) is used for the learning process, everything is already open source with Spacecraft-NX.
The PSP was also glitched and there is very details information on blogs on how that works.

 

[zakwarrior]

Has anyone tried to hook up a logic analyzer and check what is going on? If a timing diagram would be available from the bits on the lanes then it can be easily reproduced, isn't it? So a logic analyzer and an oscilloscope should do the job. But probably Nintendo nijas will hunt down these information.

If this can help you to understand better here is what you get with an analyzer

As for the other replies, you guys know there are many ways to hack the ICE40 chips, didn't take long to find the solution
Now the problem is the way you can hack it (the FPGA) is only to make a copy to another ICE40 same model (ICE40LP1K)

There are ways to make your own chips, if i had the same contact like back when i made the chips for xbox360 i would of probably got into it but i was really hoping for others to get into it since my work now takes a lot more of time and really it's not that hard to understand and get this made since it's really similar to what we used on xbox360...

Now i'm glad i didn't get into it now that the RP2040 solution is out someplace

 

[Sw1chGuy]

If this can help you to understand better here is what you get with an analyzer

View attachment 344453

As for the other replies, you guys know there are many ways to hack the ICE40 chips, did take long to find the solution
Now the problem is the way you can hack it (the FPGA) is only to make a copy to another ICE40 same model (ICE40LP1K)

There are ways to make your own chips, if i had the same contact like back when i made the chips for xbox360 i would of probably got into it but i was really hoping for others to get into it since my work now takes a lot more of time and really it's not that hard to understand and get this made since it's really similar to what we used on xbox360...

Now i'm glad i didn't get into it now that the RP2040 solution is out someplace

Cool, do you have by any chance the dsl file of this measurement?

 

[Jefix]

If this can help you to understand better here is what you get with an analyzer

View attachment 344453

As for the other replies, you guys know there are many ways to hack the ICE40 chips, did take long to find the solution
Now the problem is the way you can hack it (the FPGA) is only to make a copy to another ICE40 same model (ICE40LP1K)

There are ways to make your own chips, if i had the same contact like back when i made the chips for xbox360 i would of probably got into it but i was really hoping for others to get into it since my work now takes a lot more of time and really it's not that hard to understand and get this made since it's really similar to what we used on xbox360...

Now i'm glad i didn't get into it now that the RP2040 solution is out someplace

Are such measurements made with multichannel oscilloscopes? What is your model and how much does it cost?

 

[JaapDaniels]

Are such measurements made with multichannel oscilloscopes? What is your model and how much does it cost?

Looks like it's a DreamSourceLab DSLogic U3Pro16 costing about $299.00
Seeing 12 signals read, and numbers go up to 15 it's the DSLogic U3Pro16.
Seeing the picture fits thier UI.

 

[RealYoti]

The MPU used by the HWFly is a very simple MPU like an ATmega328 on a Arduino Nano.
It has a clock speed of something like 8~16Mhz.

Lol, no.

 

[Sw1chGuy]

Looks like it's a DreamSourceLab DSLogic U3Pro16 costing about $299.00
Seeing 12 signals read, and numbers go up to 15 it's the DSLogic U3Pro16.
Seeing the picture fits thier UI.

You can buy a Chinese dslogic analyzer for $80-120 and it works the same. I think it was an open source project and Chinese people just copied it.

 

[JaapDaniels]

You can buy a Chinese dslogic analyzer for $80-120 and it works the same. I think it was an open source project and Chinese people just copied it.

aha, fits the profile of the webpage, to be a kickstarter open-source... so, yeah maybe

 

[szubiennica]

Ummm... I bought 2... And they came in today! But I don't know what to do with them ... Any info?

can't do shit at this time, but:
PSX ODE
PSX memcard
GC modchip
GB videograbber
etc

 

[Adran_Marit]

n64 flashcard, xbox360 nandflasher