Tutorial (Updated)

How to flash the HWFLY Clone chips

See below for updates.

IF YOU BREAK YOUR BOOT0 PIN, DO NOT DM ME ASKING FOR HELP. THAT'S IT. YOU BREAK THAT PIN AND YOU CAN'T FLASH. YOUR CHIP IS STUCK WITH WHATEVER HWFLY PUT ON IT.


Pre-requisites:

  • Raspberry Pi Zero W
    • You may use another flasher if you desire.
  • Pinout Diagram
  • Modchip Diagram
  • FULL_CHIP_STOCK.bin

  1. Solder a wire to each of the following pinouts on the Raspberry Pi Zero W:
    • 3.3V
    • Ground
    • GPIO 14 (UART TX)
    • GPIO 15 (UART RX)
  2. Do the following to prepare the modchip:
    1. Lift pin 44 (also known as BOOT0).
    2. You will need a way to power the chip, so you need to find two 3.3v points. It can be on a MOSFET, but it will differ based on the revision of the modchip.
    3. Connect Ground on your Raspberry Pi Zero W to the Ground pin on your modchip.
    4. Check the Modchip Diagram, find the PA9(TX) and the PA10(RX) pins on your modchip, and do the following:
      • Connect GPIO14(TX) on your Raspberry Pi Zero W to the PA10(RX) pin on your modchip.
      • Connect GPIO15(RX) on your Raspberry Pi Zero W to the PA9(TX) pin on your modchip.
  3. Boot your Raspberry Pi Zero W and do the following:
    1. In the terminal, type the following command, and press enter:
      Bash:
      sudo nano /boot/config.txt
    2. Add the following line to the end of the file:
      INI:
      dtoverlay=pi3-miniuart-bt
    3. Press CTRL + X to save and exit the editor.
    4. In the terminal, type the following command, and press enter:
      Bash:
      sudo nano /boot/cmdline.txt
    5. Remove the following parameter from the file (cmdline.txt is a single line, so delete only this entry and leave the rest of the line intact):
      INI:
      console=serial0,115200
    6. Press CTRL + X to save and exit the editor.
    7. Restart your Raspberry Pi with this command
      Bash:
      sudo /sbin/reboot
    8. In the terminal, type the following commands, and press enter after each command:

      Bash:
      git clone https://github.com/Pheeeeenom/stm32flash.git
      cd stm32flash
      sudo make install
  4. Now you will flash the modchip.
    Note: This will remove read protection, and the modchip will wipe itself (that is what we want).
    1. In the terminal, type the following command, and press enter:
      Bash:
      stm32flash -k /dev/serial0
    2. Now to flash Spacecraft-NX Version 0.2.0, type the following, and press enter:
      Bash:
      stm32flash -v -w ./FULL_CHIP_STOCK.bin /dev/serial0
  5. Once you're done flashing your modchip, remove the wiring from the modchip, and restore pin 44 (BOOT0), which you lifted and fed 3.3v, to its original position.

Please post pictures of your work here to further the identification of the different board revisions!


UPDATE: So it seems like stitching the Spacecraft bootloader and firmware together from the repo causes unstable glitching behavior. For now, consistent glitching behavior works with this bootloader/firmware combo.
This is the original file on the OLED variant chip which has 0.2.0 spacecraft. As for glitching, I'll figure it out, give me some time...unless someone else wants to hop in and reverse the differences.

For now, this at least solves the 0.1.0 HWFLY gen 3 issue. More to come.

UPDATE 2: This is only going to work on some HWFLY chips. Older ones use higher protection than the new revisions that seem to use the QFN FPGA.

UPDATE 3: This should fully work on OLED modchips with the QFN FPGA. https://github.com/Pheeeeenom/firmware
Last edited by Mena,
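Steps 3.1 to 3.6 of the tutorial are easy to get subtly wrong, and a kernel console still owning serial0 is a common reason a flasher cannot talk to the chip at all. The following pre-flight script is an added example, not part of the original post or of the stm32flash project: it checks (and can fix) the two Pi config files and confirms the serial device exists before any stm32flash command is run. File paths are passed as arguments so it can be tried on copies first; the sample file contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added pre-flight check for the Raspberry Pi UART setup used in the tutorial.
# Not part of the original post; paths are passed in so it can run against copies.

# 0 if config.txt already carries the overlay line the tutorial adds.
uart_overlay_enabled() {
    grep -q '^dtoverlay=pi3-miniuart-bt' "$1"
}

# Append the overlay line only if it is missing (safe to run twice).
ensure_uart_overlay() {
    uart_overlay_enabled "$1" || printf 'dtoverlay=pi3-miniuart-bt\n' >> "$1"
}

# 0 if cmdline.txt no longer hands serial0 to the kernel console.
serial_console_removed() {
    ! grep -q 'console=serial0,115200' "$1"
}

# Delete only the console=serial0,115200 parameter; cmdline.txt is one line,
# so the rest of it must survive. A .bak copy is kept beside the file.
strip_serial_console() {
    cp "$1" "$1.bak"
    sed 's/console=serial0,115200 *//' "$1.bak" > "$1"
}

# Run every check; report each failure and return non-zero if any check fails.
preflight() {
    cfg=$1 cmd=$2 dev=$3 rc=0
    uart_overlay_enabled "$cfg" || { echo "config.txt: dtoverlay=pi3-miniuart-bt missing"; rc=1; }
    serial_console_removed "$cmd" || { echo "cmdline.txt: console=serial0,115200 still present"; rc=1; }
    [ -e "$dev" ] || { echo "$dev: serial device not found"; rc=1; }
    return "$rc"
}

# Typical use on the Pi (needs root for /boot), gating the tutorial's first flash command:
#   preflight /boot/config.txt /boot/cmdline.txt /dev/serial0 && stm32flash -k /dev/serial0
```

Reboot after changing either file, since the overlay and the console setting only take effect at boot.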
This is a godsend for installers, thank you. Not surprised the hwfly were locked, as this is usually the case with clones.
Hi @Mena, thanks for your help. Can I use a CP2102 USB to UART TTL485 232 Module Serial Converter Adapter?
[Attachment: cp2102.jpg]
Hi @Mena , thanks for your help. Can i use a CP2102 USB to UART TTL485 232 Module Serial Converter Adapter?
Thank you!! I've been trying to figure out what this was. I bought it way back in the 360 days for something. I've got this and another; I hope we can use them somehow.
Time for the moment of truth B-)

Didn't work out for me...my Raspberry Pi wouldn't read the chip (thus could not flash it). I was pretty confident with my pins and soldering...but no luck :( This was a fun exercise...but I can't spend more time on this now...may try again next week.

Lifting up this pin was the hardest part of this process! Also soldering the wire to the RX/TX is tricky too...everything is so small.
I'm an amateur at soldering...so I think others with more experience may have more luck.


And yes, you have to lift up the pin #44 and solder 3.3v power to it. Pin #44 is grounded, lifting it up off the pad disconnects the grounding.
Last edited by sean222,
And @Mena thanks for your help and great work. It's not worth my time and stress to figure this out, I make enough money, I bought an OLED specific chip. Since you don't have a HWFLY Lite, I'd like to donate mine to you for research purposes :)
Likely it's not that complex, honestly. It's eMMC <-> FPGA <-> SPI <-> GD32 iirc. Some random bytes, some unique bytes (CID), some other nonsense. Don't wanna go into too much detail.
Nope, the whole thing is just a standard glitch and injection attack; the magic is in the timing of the attack, so the most impressive part of the original chip was, in essence, its ability to learn your unique console and tune itself. Shame they couldn't be bothered to implement that, especially when charging 2-3x as much as the original chip, but then why bother, I suppose, when you are the only ones out there with a working solution.

It is what it is, my chip normally glitches my console within 2-3 seconds anyway so it's hardly a chore! Thank goodness it is not like the 360 days with all that messing around with wires, resistors etc... trying to improve the glitch time.

Will give this a go later today and report back.
we know it doesn't work out the best glitch values for your console.
Actually it does; the code is there and implemented, but they are idiots and made the storage that contains the glitch-value configuration read-only, so it can never store the new values. It is quite obvious that whoever cloned the SX didn't know what he/she was doing.
Hi @Mena - not working :(
Am I doing something wrong?
Last edited by Sandmann,
Ok I fixed it! Not working :(