Hacking Hardware Picofly - a HWFLY switch modchip

[BlueBeans]

me neither,im also new to it and will order soon. i dont think you need to do any settings? pretty sure everything is in gerber files and it loads automatically. Right @abal1000x ?

It auto populated 2 layers so I’m assuming that fine. Can’t beat $2 for 5 boards.

Post automatically merged: Nov 4, 2023

Have two switches here that have been modded (not by me). Apparently he brought them to my partner and tried to get him to fix them. He tried for about an hour and determined the emmc had somehow been wiped. He then brought it to me not knowing we work together. It boots into hekate but won’t boot into ofw. How is this even possible? I haven’t done anything with them. Are they bricks?

 

[thesjaakspoiler]

Have two switches here that have been modded (not by me). Apparently he brought them to my partner and tried to get him to fix them. He tried for about an hour and determined the emmc had somehow been wiped. He then brought it to me not knowing we work together. It boots into hekate but won’t boot into ofw. How is this even possible? I haven’t done anything with them. Are they bricks?

Wild guess but maybe the eFuses? (The user burnt the fuses with a newer firmware than the OFW/)

 

[Crung]

It auto populated 2 layers so I’m assuming that fine. Can’t beat $2 for 5 boards.

Post automatically merged: Nov 4, 2023

Have two switches here that have been modded (not by me). Apparently he brought them to my partner and tried to get him to fix them. He tried for about an hour and determined the emmc had somehow been wiped. He then brought it to me not knowing we work together. It boots into hekate but won’t boot into ofw. How is this even possible? I haven’t done anything with them. Are they bricks?

on the oled , you dont have the proper files set up on the sd card. on the other one it looks like you dont have emummc created. im just stating the obvious. if you have determined that in heckate->emmc info you have partitions missing (there should be 10 in total), you can try to restore nand data. If you are able to get prodinfo this would be great. If not, from what i can remember you can get a donor prodinfo but these consoles will be banned (i think).
for a complete tutorial to restore nand memory, you can youtube sthentix guide. I would start straight away with the lvl 2 one if you get prodinfo, if not go to lvl 3.
Again this is only in case the nand memory is bricked,and if your problem doenst lie somewhere else.

Post automatically merged: Nov 4, 2023

Wild guess but maybe the eFuses? (The user burnt the fuses with a newer firmware than the OFW/)

that does not make sense. if you install a fw on OFw and burn fuses, it wont matter unless you change the fw on OFW AGAIN to an older version

 

[deeps]

Great. Thank you! Do you know how many layers the board is? I’m assuming at least 2 right?

Post automatically merged: Nov 3, 2023

I’ve never done this before. Does anything need to change?

it's two layers (just top and bottom, nothing inside), and you will want pcb thickness 0.6mm for it to fit under the emmc cover

 

[thesjaakspoiler]

that does not make sense. if you install a fw on OFw and burn fuses, it wont matter unless you change the fw on OFW AGAIN to an older version

You never know what the previous owner did with it.
Afaik if you don't have a modchip installed and the fuse count is too high, the Switch just won't boot with a lower firmware and therefore you just can't upgrade to a higher firmware as well.

Another thing I just realize, you mentioned that the entire emmc is somehow wiped.
That would also include your BOOT0 partition. Hekate doesn't need it, OFW does require it.
In Hekate you can select to dump the Boot0/1 partition.
If the emmc is completely wiped, then Hekate will show an error.
There were some reports of people messing up their emmc in this thread if I recall correctly.
Not sure how they fixed that but there is a manual for rebuilding the NAND with a donor switch :
https://gbatemp.net/threads/switch-unbricking-guide-for-dead-or-replaced-emmc-consoles.609891/

Someone mentioned that he could not boot into OFW when his battery was dead.
For Hekate 0% battery was no problem but the OFW/CFW does not boot with 0% left.
Hekate shows the battery level so that would be an easy check.

 

[BlueBeans]

it's two layers (just top and bottom, nothing inside), and you will want pcb thickness 0.6mm for it to fit under the emmc cover

Ok that’s what I figured. Someone is sending me one. If it works out I’ll order some more to have on hand. Have you ordered some before?

Post automatically merged: Nov 5, 2023

on the oled , you dont have the proper files set up on the sd card. on the other one it looks like you dont have emummc created. im just stating the obvious. if you have determined that in heckate->emmc info you have partitions missing (there should be 10 in total), you can try to restore nand data. If you are able to get prodinfo this would be great. If not, from what i can remember you can get a donor prodinfo but these consoles will be banned (i think).
for a complete tutorial to restore nand memory, you can youtube sthentix guide. I would start straight away with the lvl 2 one if you get prodinfo, if not go to lvl 3.
Again this is only in case the nand memory is bricked,and if your problem doenst lie somewhere else.

Post automatically merged: Nov 4, 2023

that does not make sense. if you install a fw on OFw and burn fuses, it wont matter unless you change the fw on OFW AGAIN to an older version

So the lite actually ended up being a kiosk model so I have to install a special atmosphere to get it to boot and even then it wouldn’t go to cfw. Only the sysnand. So it’ll just get banned. But at least it’s usable. The oled on the other hand is toast. Has a bad emmc. I spent the better part of the last 24 hours trying to fix someone else’s mistake so im done.

 

[ErickRayan]

Hello, does anyone have a link for a good quality dat0 adapter? I want the flex ones, not the reballing ones. The store i used to buy from on aliexpress doesn't have any products for sale anymore for some reason.

 

[Myst0gan]

Hello, does anyone have a link for a good quality dat0 adapter? I want the flex ones, not the reballing ones. The store i used to buy from on aliexpress doesn't have any products for sale anymore for some reason.

You mean this one??https://a.aliexpress.com/_EIVbGAF

From what I know, there isn't one where you'll have to reflow/reball everything.
There is only the one from my link, you just put it under the chip, solder the grounds and you're good to go

Post automatically merged: Nov 5, 2023

Latest firmware here

ChangeLog:

v2.0 + Active MMC communication
v2.1 + Toshiba support
v2.2 + Fix Toshiba boot fail
v2.3 + SanDisk support
v2.4 + Faster Toshiba boot
v2.5 + fix OFW boot
v2.6 + software update, xiao & itsy support
v2.61 + Instinct-NX sdloader, bug fixes
v2.62 + Make 16.0.1 happy (fix OFW boot)
v2.63 + roll back some 2.62 boot speed tricks
v2.64 + enable back the board detection
v2.65 + RP Pico support, double reset removed
v2.66 + Bypass to OFW after update for proper fuse burning
v2.67 + Don't bypass to OFW on first install
v2.70 + new LED indication, i2c undervoltage hack
v2.71 + support for SQc open-source board
v2.72 + disable CLK check, it's unstable
v2.73 + add LED signal on success
v2.74 + 300 mhz precision rp2040 may be not stable at 300mhz
v2.75 + back to 200mhz, remove SRAM powerdown

Spoiler: LED indication

= is long pulse, * is short pulse:

= USB flashing done

** RST is not connected
*= CMD is not connected
=* D0 is not connected
== CLK is not connected

*** No eMMC CMD1 responce (bad eMMC?)
**= No eMMC block 1 read (should not happen)
*=* No eMMC block 0 read (eMMC init failure?)
*== No eMMC CMD1 request (poor wiring, or dead CPU)

=** eMMC init failure during glitch process
=*= CPU never reach BCT check, should not happen
==* CPU always reach BCT check (no glitch reaction, check mosfet)
=== Glitch attempt limit reached, cannot glitch

=*** eMMC init failure
=**= eMMC write failure - comparison failed
=*=* eMMC write failure - write failed
=*== eMMC test failure - read failed
==** eMMC read failed during firmware update
==*= BCT copy failed - write failure
===* BCT copy failed - comparison failure
==== BCT copy failed - read failure

Spoiler: i2c undervoltage hack

If your glitch is unstable (==* error), and the proper boot happens only when you press Reset after joycon logo, you can add two more wires to make glitch much better.

board pins:
Waveshare rp2040: SDA=12, SCL=13
Pi Pico: SDA = 19, SCL = 20
XIAO 2040: SDA=3, SCL=4
ItsyBitsy 2040: SDA = 18, SCL = 19

NS points (v2, Lite, OLED):
View attachment 372191
View attachment 372192
View attachment 372193

Spoiler: Diagrams + by Dee87

View attachment 357132
View attachment 363821
View attachment 364242
View attachment 364990
View attachment 357133
View attachment 357135
View attachment 357134
View attachment 357136

Spoiler: Solder example

View attachment 357137
View attachment 357138
View attachment 360187
View attachment 363817
View attachment 357139
View attachment 357140
View attachment 360186
View attachment 364818

Spoiler: Issues, questions

Q: What is supported?
A: Erista (v1), Mariko (v2, Lite, OLED)

Q: eMMC types support?
A: Tested on Hynix, Samsung, Toshiba, SanDisk

Q: rp2040 boards support
A: WaveShare 2040-zero/one, xiao-rp2040, adafruit itsybitsy (Pi Pico is not supported for now)

Q: GREEN, but instant reset
A: Clean flux near the RST point

Q: Do I really need 47 Ohm resistors?
A: You can skip them, however in this case you will have to use emuMMC due to the line interference, sysNAND would not boot (sysNAND data can be damaged).

Q: Does the firmware has learning? How to reset statistics
A: Short pin 0 to either 1 or GND during start for chip reset. The statistics is collected each boot. The more you start it - the better it boots.

Q: open source?
A: https://github.com/rehius

Q: why you made it?
A: to prove it possible!

Q: run Atmosphere?
A: no piracy

Spoiler: Reboot to OFW / Vol+ & Vol- doesn't work, blue/black screen

v2.5 firmware had a bug with BOOT0 corruption. To recover it:
- boot "Full Stock" using hekate
- update to the latest official firmware over Wi-Fi

Spoiler: Sleep mode does not work

- boot "Full Stock" using hekate
- perform a full system reset

Spoiler: Toolbox 0.2 features

- show firmware information
- update firmware from SD card (place update.bin into the root folder)
- rollback to the backup firmware slot
- reset learning statistics
- dump / write sdloader

Spoiler: RGB LED explanation by lightninjay

if you have an rp2040-zero from waveshare/ali then it has a neopixel. It is used for diagnosing proper firmware flashes as well as console glitching. If you plug it in, and flash the uf2 firmware to it and immediately see a red light after flashing (this is not the same as flashing, then unplugging and replugging), then no rgb jumper needs to be made. If on the other hand, you get one quick green flashing light, then you need to bridge the jumper pads indicated to swap the LED colors for proper diagnoses capability.

Do I need to put also update.bin in the rp2040 or only uf2 file??
Is there a way to know if the flashing was good (other than the folder on windows closing itself automatically)??

 

[Crung]

You mean this one??https://a.aliexpress.com/_EIVbGAF

From what I know, there isn't one where you'll have to reflow/reball everything.
There is only the one from my link, you just put it under the chip, solder the grounds and you're good to go

Post automatically merged: Nov 5, 2023

Do I need to put also update.bin in the rp2040 or only uf2 file??
Is there a way to know if the flashing was good (other than the folder on windows closing itself automatically)??

the uf2 file is for FLASHING FROM PC.
the update.bin is for FLASHING FROM CONSOLE MICROSD
you can verify if it was a succes from payloads->toolbox->info and you will have your version displayed

 

[Myst0gan]

the uf2 file is for FLASHING FROM PC.
the update.bin is for FLASHING FROM CONSOLE MICROSD
you can verify if it was a succes from payloads->toolbox->info and you will have your version displayed

Where?? From hekate??

 

[Vigintiduo]

Guys I did my first Switch Lite install with the trusty mosfet on the back.
However the glitch is quite slow, rarely taking less than 10 seconds.
Should I go for a double mosfet on the front or just accept that some Lites can be like this? (I hope for the second, lol)

 

[RoyalYeo]

Guys i have an OLED that been working fine for about 2-3 months now, but i had to restart it. and now my modchip just lights purple and it boots straight to ofw even with no sd card inside, does this mean my connection is loose or is there any other troubleshooting i could do before i open it up and dig inside?

Any help is appreciated

 

[Vigintiduo]

Guys i have an OLED that been working fine for about 2-3 months now, but i had to restart it. and now my modchip just lights purple and it boots straight to ofw even with no sd card inside, does this mean my connection is loose or is there any other troubleshooting i could do before i open it up and dig inside?

Any help is appreciated

Multi-colour blinking was used in the early version of the firmware, you probably haven't upgraded in quite a long time.
If I recall correctly, purple led means that there are problems on the Dat0 line.
If you're using a dat0 adapter on OLED, it makes sense

 

[RoyalYeo]

Multi-colour blinking was used in the early version of the firmware, you probably haven't upgraded in quite a long time.
If I recall correctly, purple led means that there are problems on the Dat0 line.
If you're using a dat0 adapter on OLED, it makes sense

Yeah tbh i have only been upgrading my hekate and atmosphere, no idea how to mess with the modchip didn't want to do anything to dmg it. but i guess i gotta open it up and wiggle some wires, thank you!

 

[CarlosCruz]

Done. Thx @abal1000x

 

[TheBad]

Done. Thx @abal1000x

You can do it without cutting the shield if you want to, nice work btw

 

[Vigintiduo]

Done. Thx @abal1000x

Would you say this is now your preferred install method or do you still like drilling?

 

[CarlosCruz]

Would you say this is now your preferred install method or do you still like drilling?

Yes. I prefer do that with adaptor, dat0, clk, cmd. And by the way, I specialize in reballing.

 

[Twiggs4625]

You mean this one??https://a.aliexpress.com/_EIVbGAF

From what I know, there isn't one where you'll have to reflow/reball everything.
There is only the one from my link, you just put it under the chip, solder the grounds and you're good to go

Post automatically merged: Nov 5, 2023

Do I need to put also update.bin in the rp2040 or only uf2 file??
Is there a way to know if the flashing was good (other than the folder on windows closing itself automatically)??

I have a version 2.76 that I downloaded from somwhere on here... is 2.75 or 2.76 the latest firmware? I'm thinking I should stick with 2.75 yes?

 

[Hassal]

A friend sent these to me. I only tested the adapter on an old HWFLY modchip and its giving me conflicting results. I'm still waiting for my batch of rp2040 tiny to arrive tomorrow or after tomorrow to fully test on a fresh console.