Hacking INSTINCT-NX Chip

[SylverReZ]

I wish one day for a chip that doesn't need soldering

We've already got unpatched Switches and RCM jigs.

the gateway girl ?

I don't understand what you mean.

 

[Asia81]

We've already got unpatched Switches and RCM jigs.


I don't understand what you mean.

I found a old "official" video published by the gateway 3ds team.


You'll see what I meant.

Edit: That wasn't the same person actually

 

[SylverReZ]

I found a old "official" video published by the gateway 3ds team.


You'll see what I meant.

Edit: That wasn't the same person actually

I've heard about Gateway many years ago in the 3DS scene when it was relatively popular.

 

[Mena]

Probably just a redesigned PCB.

Question is: can it run community hwfly-nx FW?

I've spent the better part of 10 hours looking at it in IDA and the best way I can describe this firmware is "hwfly-nx on steroids". There's a lot going on in this firmware. I'll keep digging

 

[kairi033]

Wow.

Literally about to press buy in Ali. Will wait for more feedback then.

 

[Nagaa]

My seller told me it only work on samsung emmc at the moment, can anyone confirm this ?

 

[Mena]

There's an additional list on top of the typical glitch config list. It looks like it stores the last configuration that successfully glitched the console and then attempts to use that last successful config first upon the next boot a couple of times. This would benefit long term especially if you've seen consoles that change the values at which they glitch at depending on their environment. (There was an individual on GBATemp that messaged me a while back about this. It was quite bizarre.)

It seemingly has better debug too. There are LED patterns to help you determine what issue you're having.

1 blue blink for an RST issue
3 blue blinks for a CPU flex issue
1 white blink for a CLK issue
3 white blinks for a CMD issue
1 red blink for DAT0 issue
3 red blinks for...unknown? issue

It verifies each block written to the eMMC during the 'p' command. If I had to guess, it's to make absolutely sure there's no corruption going on. (good thing tbh) you throw out all signal integrity out the window the instant you install one of these chips, whether it be a hwfly chip or this chip (some of the installs i've seen look like y'all have soldered with your damn feet).

TL;DR
There's a ton of safety checks in this thing and a lot of user-friendliness for debugging install issues. I haven't looked at the sdloader with the new INSTINCT-NX logo, but it looks like a rehash of the one used in hwfly-nx. If I had to guess based on how it handles the glitch configs, it starts out good with 25 trains, but only improves the more you boot it over time.

Post automatically merged: Mar 19, 2023

Alright, things have gotten spicy. looking into the glitch function... it has settable timeouts based on emmc type.

  emmc_type = *(unsigned __int8 *)(a4 + 189);
  switch ( emmc_type )
  {
    case 0x11:
      emmc_timeout = 105;
      break;
    case 0x90:
      emmc_timeout = 65;
      break;
    case 0x15:
      emmc_timeout = 55;
      break;
    default:
      emmc_timeout = 100;
      break;
  }

This is HUGE. This means this chip supports even the troublesome toshiba. In my fork of hwfly-nx I specifically set my timeout to 100 due to the fact I have a Toshiba eMMC and Toshiba is straight-up dogshit. I have a pull request for this on hwfly-nx but the creator doesn't want to merge it. This is likely due to the fact while it'd benefit Toshiba users (get the damn thing to boot) it'd slow down the speed of glitching for all other eMMC types. I'd bet money this has out of box toshiba support.

EDIT 2: I snagged one. Gotta see this thing in person

 

[doom95]

toshiba vendor is 0x11, hynix = 0x90, samsung = 0x15?
interesting idea, probably improves glitch speeds a lot, at least for the faster emmcs

 

[Mena]

toshiba vendor is 0x11, hynix = 0x90, samsung = 0x15?
interesting idea, probably improves glitch speeds a lot, at least for the faster emmcs

Yup!

I recognised it immediately from hekates src here: https://github.com/CTCaer/hekate/bl...de14f3f/nyx/nyx_gui/frontend/gui_info.c#L1594

strange to see there wasn't a sandisk case, but i guess that's why there's a default case to cover everything else

 

[rcpd]

Alright, things have gotten spicy. looking into the glitch function... it has settable timeouts based on emmc type.

  emmc_type = *(unsigned __int8 *)(a4 + 189);
  switch ( emmc_type )
  {
    case 0x11:
      emmc_timeout = 105;
      break;
    case 0x90:
      emmc_timeout = 65;
      break;
    case 0x15:
      emmc_timeout = 55;
      break;
    default:
      emmc_timeout = 100;
      break;
  }

This is HUGE. This means this chip supports even the troublesome toshiba. In my fork of hwfly-nx I specifically set my timeout to 100 due to the fact I have a Toshiba eMMC and Toshiba is straight-up dogshit. I have a pull request for this on hwfly-nx but the creator doesn't want to merge it. This is likely due to the fact while it'd benefit Toshiba users (get the damn thing to boot) it'd slow down the speed of glitching for all other eMMC types. I'd bet money this has out of box toshiba support.

Some of us are rewriting firmware for the RP2040 to glitch. We came to the same conclusion with similar timings.

Can I ask, where did you obtain the firmware? I would not mind having a look at it in IDA to verify some things for my 2040 firmware.

 

[doom95]

it's attached to the youtube video a few posts back

 

[rcpd]

it's attached to the youtube video a few posts back

Yes, I found it. Thanks!

 

[rehius]

This is HUGE

Huge, huh? Instead of silly workarounds with timeouts they could implement something really new.
picofly algorithms reduced the cycle time down to 20ms in the best case, that is 50 attempts per second.

 

[Mena]

Huge, huh? Instead of silly workarounds with timeouts they could implement something really new.
picofly algorithms reduced the cycle time down to 20ms in the best case, that is 50 attempts per second.

Compared to what we have, it's huge. hwfly chips suck and rp2040 doesn't boot atmo so....better than nothing

 

[ryan1109]

It looks like a HWFLY clone

View attachment 359736

Hi, do you have the firmware package for this chip? Can you post it and take a look?

 

[rcpd]

So I had a look at this in Ghidra at home and yeah. It’s definitely better than HWFly’s firmware. Elegant. Not sure who the developer is, but they know their microcontroller code.

Huge, huh? Instead of silly workarounds with timeouts they could implement something really new.
picofly algorithms reduced the cycle time down to 20ms in the best case, that is 50 attempts per second.

Actually, it is huge compared to the public firmware we have now. Yours could be better, we aren’t sure without having access to your source. I’m not asking for it, merely commenting that yes, this is damn good. This firmware should cut the learning phase down quite a bit as well as “remember” the last working glitch state meaning much much faster booting times since it can just reuse that one instead of multiple attempts.

This is damn damn good work.

 

[binkinator]

Hi, do you have the firmware package for this chip? Can you post it and take a look?

Look at the YouTube

 

[ryan1109]

Look at the YouTube

Is there a firmware file?

 

[Hayato213]

Hi, do you have the firmware package for this chip? Can you post it and take a look?

It is in the youtube video.

 

[rcpd]

Is there a firmware file?

There is. Where do you think I got it to look at it decompiled?