Hacking Hardware Picofly - a HWFLY switch modchip

[abal1000x]

Thanks! So given the state of the pico, like you said it writes the packet with the white flash and the packet should be executed by the CPU when it is undervolted

Actually no. The terms undervoltage means before glitching decrease the voltage the power ic supplied. This is done by sending some instruction via i2c to the power ic (cmiiw).

But in my switch, the signal to undervolt is being sent to the mosfets, but for some reason the undervolt isn't happening.

I am confused with your sentences.
You might search 'Fault Injection' to understand the idea of voltage glitching.
In simplicity, you 'stole' the power that goes to the cpu.

And its done by splitting the current to our beloved mosfet.
The mosfet itself used as a switch (connect/disconnect). When the D and S connected, then the major current will goes to our beloved mosfet straight to GND, and small current goes to the cpu. When its disconnected, the cpu got the power intact.

If you measure the cap resistance is around 10-30 Ohms. That is why the Rds(on) logically speaking must <10ohms, so we could 'steal' the current to our beloved mosfet.

Faulty mosfets? Bad flex cable? Wire to the flex cable poor quality? Is it worth using larger gauge wire or attempting to replace the flex cable with my spare? I'm a little worried about removing caps if I attempt it

I am not sure what is your issue actually. The timeout glitch?
To understand fully you could read the source code (Thx for rehius to share the code). Its better reading his code than spacecraft-nx, which is more cryptic.

If you have flex cable, its more than enough. I use it twice (given by someone) and its working, the quality is best. I recommend it for someone whose less experience with microsoldering.

Reading your history message, i recommend you use flex, and avoiding using the mosfet directly. It will become very2 dificult to solder it.

 

[parjolik]

How about with this chip how to install it
I want to but I can't find a tutorial

 

[ppeach]

How about with this chip how to install it
I want to but I can't find a tutorial

hwfly with rp2040 is not supported by this thread.

 

[cgtchy0412]

I've got a v2 switch here that I'm fixing for a customer, after a failed install the switch no longer boots, it looks like they toasted the D0 line.

I *think* that via is still ok, but if it isn't is there another point I run a wire from that trace to?

View attachment 378768

Hi jump here to here.. it should boot if thats the only issue.

 

[Dandan0404]

Tried 2.74 but it goes directly to OFW(like turning on button and Nintendo logo immediately) and split second later the success or yellow blink. Cant go to hekate anymore. Need help, i want to roll back.

 

[Uberfish]

Actually no. The terms undervoltage means before glitching decrease the voltage the power ic supplied. This is done by sending some instruction via i2c to the power ic (cmiiw).

I am confused with your sentences.
You might search 'Fault Injection' to understand the idea of voltage glitching.
In simplicity, you 'stole' the power that goes to the cpu.

And its done by splitting the current to our beloved mosfet.
The mosfet itself used as a switch (connect/disconnect). When the D and S connected, then the major current will goes to our beloved mosfet straight to GND, and small current goes to the cpu. When its disconnected, the cpu got the power intact.

If you measure the cap resistance is around 10-30 Ohms. That is why the Rds(on) logically speaking must <10ohms, so we could 'steal' the current to our beloved mosfet.

I am not sure what is your issue actually. The timeout glitch?
To understand fully you could read the source code (Thx for rehius to share the code). Its better reading his code than spacecraft-nx, which is more cryptic.

If you have flex cable, its more than enough. I use it twice (given by someone) and its working, the quality is best. I recommend it for someone whose less experience with microsoldering.

Reading your history message, i recommend you use flex, and avoiding using the mosfet directly. It will become very2 dificult to solder it.

I'm using a flex and the error I'm getting is === according to the error codes it's 'cannot glitch.'

Unfortunately I don't know which file to begin looking into for the source. I gave up coding years ago I'm guessing it's this code:

while(!time_reached(tio_full)) {
		if (time_reached(tio_cmd1))
		{
		if (reset_attempts > 4)
		{
		halt_with_error(0, 3);
		}
		reset_attempts++;
		reset_cpu();
		tio_cmd1 = tio_full;
		}

 

[cgtchy0412]

Tried 2.74 but it goes directly to OFW(like turning on button and Nintendo logo immediately) and split second later the success or yellow blink. Cant go to hekate anymore. Need help, i want to rollback

Solder back the usb port, flash old firmware.

 

[cicci084]

yes, just put the update.bin from 2.67 in in the root of your sd card, start picofly toolbox and press update. works fine.

hi guys, i can't find 2.67 update.bin.

 

[abal1000x]

hi guys, i can't find 2.67 update.bin.

I have it, but never use it. Can't confirm its working.
Just backup whenever rehius release some version.

 

[cicci084]

I have it, but never use it. Can't confirm its working.
Just backup whenever rehius release some version.

Yes me too. I think I read that the 274 requires emno energy, and that the 2.67 is more "reliable", did I get it wrong?

 

[abal1000x]

Yes me too. I think I read that the 274 requires emno energy, and that the 2.67 is more "reliable", did I get it wrong?

2.74 more reliable.

Post automatically merged: Jun 19, 2023

I'm using a flex and the error I'm getting is === according to the error codes it's 'cannot glitch.'

Unfortunately I don't know which file to begin looking into for the source. I gave up coding years ago I'm guessing it's this code:

while(!time_reached(tio_full)) {
		if (time_reached(tio_cmd1))
		{
		if (reset_attempts > 4)
		{
		halt_with_error(0, 3);
		}
		reset_attempts++;
		reset_cpu();
		tio_cmd1 = tio_full;
		}

I have once get that error code === solve it by shift the dat0 adapter little bit to right (away from dat1). I can't recommend this to someone who doesn't know the thing about it, since it really2 dangerous and risky. But thats how it is.

In my measurement Dat0 adapter will glitch perfectly when the diode value around 600. (I don't know why different, people says 700, but it is what it is). When the error === shows, i checked the diode value is less than 600 around 590. I shift it again, so its back 600. And 600-620 is the highest value i could get, whenever i shift it left and right. The black probe to gnd and the red probe to the dat0 check point.

 

[frozenboy]

2.74 more reliable.

Post automatically merged: Jun 19, 2023

I have once get that error code === solve it by shift the dat0 adapter little bit to right (away from dat1). I can't recommend this to someone who doesn't know the thing about it, since it really2 dangerous and risky. But thats how it is.

In my measurement Dat0 adapter will glitch perfectly when the diode value around 600. (I don't know why different, people says 700, but it is what it is). When the error === shows, i checked the diode value is less than 600 around 590. I shift it again, so its back 600. And 600-620 is the highest value i could get, whenever i shift it left and right. The black probe to gnd and the red probe to the dat0 check point.

i got 2 oled, one with dat0 resistor around 600 and it boot within a sec, another one with black adapter and much higher 800 ohm i guess. This second one struggle with data0 error, after some reflow, the resistor drop a bit but still way slower than the first one

 

[Dee87]

i got 2 oled, one with dat0 resistor around 600 and it boot within a sec, another one with black adapter and much higher 800 ohm i guess. This second one struggle with data0 error, after some reflow, the resistor drop a bit but still way slower than the first one

the resistance is different on different emmc just so u know
what did u reflow? emmc?
ifso why would u reflow it if u didnt take it of?
doesnt make sense

if u have dat0 error then it is because ur dat0 adapter isnt set properly what adaptors are u using?
maybe ur shorting with another pin, and if u reflowed the emmc the adapter is most likley solder to eather on or to balls if it was shorting.

if u havent set a permanent dat0 adaptor or did not take of the emmc there is no reason for reflowing the emmc

 

[Danook28]

I've got a v2 switch here that I'm fixing for a customer, after a failed install the switch no longer boots, it looks like they toasted the D0 line.

I *think* that via is still ok, but if it isn't is there another point I run a wire from that trace to?

View attachment 378768

Safe way about rip pad you must use solder paste little bit and heat from 200 to 250 c 300 350 c. Soldring mask. Microscope. Very thin iron tip. Dont press to much on pad teak your time. The wiers must be same size to pads no more short or long time heat. Very good flux and use magnate copper wier 0.2 mm cmd clk rst dat0 /and 30 gw wires 3v3 GND. You can see in pic the size for good soldring tip.

 

[Switxh]

Safe way about rip pad you must use solder paste little bit and heat from 200 to 250 c 300 350 c. Soldring mask. Microscope. Very thin iron tip. Dont press to much on pad teak your time. The wiers must be same size to pads no more short or long time heat. Very good flux and use magnate copper wier 0.2 mm cmd clk rst dat0 /and 30 gw wires 3v3 GND. You can see in pic the size for good soldring tip.

I saw a guy on reddit once who did the whole install of every wire with solder paste and a heat gun but with NO iron lol. Pretty sure it was an OLED and his first every soldering related attempt. Obviously all his joints looked cold because he had no iron to touch them up but I just thought it was kind of funny and I was surprised that it fired up without any issues.

 

[Uberfish]

i got 2 oled, one with dat0 resistor around 600 and it boot within a sec, another one with black adapter and much higher 800 ohm i guess. This second one struggle with data0 error, after some reflow, the resistor drop a bit but still way slower than the first one

What emmc do you have on your switches? I have a samsung on mine, so if yours is also samsung with 600 it would I do indeed have an issue with the dat0. I honestly wouldn't be surprised since I had to use a OATO dat0 adaptor. Ordered 2 from two different suppliers who said it was the good quality one and they send me crap. Many people here have made the OATO work, though. I guess I should order again and try get the quality DAT0 adaptor to test the theroy. I've actually trimmed back the 'claw' that contacts the dat0 pin to try prevent shorting too since the shape is more like Ω than U (closed at the end).

 

[abal1000x]

What emmc do you have on your switches? I have a samsung on mine, so if yours is also samsung with 600 it would I do indeed have an issue with the dat0. I honestly wouldn't be surprised since I had to use a OATO dat0 adaptor. Ordered 2 from two different suppliers who said it was the good quality one and they send me crap. Many people here have made the OATO work, though. I guess I should order again and try get the quality DAT0 adaptor to test the theroy. I've actually trimmed back the 'claw' that contacts the dat0 pin to try prevent shorting too since the shape is more like Ω than U (closed at the end).

You might do this on your own risk:

Thats already correct to modify the circle point. With that original shape, highly probable it will short circuit the D1.

When you insert it exactly like the guide line, you will get the value, means its connected maybe to d0 only or short d0 and d1. Now shift it little bit right, and check again the diode mode, repeat until you find it zero. That is the edge.

Now you approach it from the edge to the left, slowly until it shows a value. That will be the most probable d0 point without shorting to d1. Do this while you take the power off (battery connector plug off).

And if you're confident, you might try to power it on, to test wether the glitch work or not. And turn it off immediately after it failed (by pressing the power button 20sec or shorting the power pin to gnd for 20sec). Dont forgot to plug off the battery connector, after it.

And if your hunch feels is incorrect, then trust your hunch. Usually experience made our body have a reflex, about something is not right, even thouh our brain cannot find the logical explanation. That what usually happened to me.

Again i warn, this is dangerous only do it on your own risk. I recommend you read the datasheet to understand a gist about it.

 

[Dandan0404]

2.74 more reliable.

Post automatically merged: Jun 19, 2023

I have once get that error code === solve it by shift the dat0 adapter little bit to right (away from dat1). I can't recommend this to someone who doesn't know the thing about it, since it really2 dangerous and risky. But thats how it is.

In my measurement Dat0 adapter will glitch perfectly when the diode value around 600. (I don't know why different, people says 700, but it is what it is). When the error === shows, i checked the diode value is less than 600 around 590. I shift it again, so its back 600. And 600-620 is the highest value i could get, whenever i shift it left and right. The black probe to gnd and the red probe to the dat0 check point.

2.67 more reliable been using for months and i have issues on day 2 on 2.74

 

[abal1000x]

2.67 more reliable been using for months and i have issues on day 2 on 2.74

What is your reason of updating to 2.74?
And what issues ?

 

[Dandan0404]

What is your reason of updating to 2.74?
And what issues ?

Of course its normal to think that far far latest update would be better. So thats my reason.

Problem is, it would immediately boot to OFW. Rather than glitch glitch sucees then START. When you press on, the switch turns on and shows nintendo logo(OFW) while simultaneously glitching(of course glitch is already late)