Hacking Hardware Picofly - a HWFLY switch modchip

[brecht6]

Wouldn't it be easier to "just" port spacecraft-nx to the rp2040?

 

[TheSynthax]

Wouldn't it be easier to "just" port spacecraft-nx to the rp2040?

no.

 

[Piorjade]

Wouldn't it be easier to "just" port spacecraft-nx to the rp2040?

that's not how mafia works

 

[impeeza]

Wouldn't it be easier to "just" port spacecraft-nx to the rp2040?

nop, because Spacecraft is only the last part of the trick, the SX-ish clones have a FPGA code which does great part of the magic and "That" code is the one has getting our hair pulled.

 

[thesjaakspoiler]

I honestly think it really was CMD63

I saw you redacted your comment but interestingly the ASIC that sits in between the Tegra and the cartridge also uses that CMD63 command.
The ASIC cart reader uses an encrypted firmware that is provided by the Tegra cpu when the cart reader is initialized.
The ASIC, which contains a Cortex M3 cpu, only has a bootrom and then waits for a firmware to be uploaded.
The ASIC is also waiting for the Tegra to issue a CMD63 command in order to upload the firmware.
In the source code it says : wait for CMD60 or CMD63 command.

 

[Piorjade]

nop, because Spacecraft is only the last part of the trick, the SX-ish clones have a FPGA code which does great part of the magic and "That" code is the one has getting our hair pulled.

Tbh the hair pulling is mostly the emmc communication

The glitching is kind-of too, at least we basically now know when it approximately triggers

 

[NoXe]

Glitch is not so complex, its easy to analyze, the most complicated is to communicate with all existing emmc on each switch models (especially samsung emmc is garbage)

 

[ghjfdtg]

speaking of which, this is in the HWFLY-NX source code in glitch.c at line 217:

    const uint16_t erista_offsets[] = {825, 830, 835, 840, 845, 850, 855, 860, 865, 870, 875, 880, 885, 890, 895, 900, 905};
    const uint16_t mariko_offsets[] = {800, 805, 810, 815, 820, 825, 830, 835, 840, 845, 850, 855, 860, 865, 870, 875, 880};

these are the timing offsets for the glitching, that's cool and all but I've got one question:
What time scale is that? Like, is the first mariko offset 800ns or is it 800 * X ns or what?

Considering these are for the FPGA and FPGAs don't really count in time but clock pulses these may be clock pulse counts. Probably offsets from a certain glitch start point.

 

[Adran_Marit]

So we are getting progress slowly?

Is that what I've gotten from this last few pages (its after midnight when I posted this and need sleep)

 

[deeps]

So we are getting progress slowly?

Is that what I've gotten from this last few pages (its after midnight when I posted this and need sleep)

This thread consists of 99% children asking "is it done yet" in various ways, so no, barely

 

[rcpd]

This thread consists of 99% children asking "is it done yet" in various ways, so no, barely

Don’t know about that. There’s a few here that have posted interesting tidbits that make me believe they’ll figure it out eventually, they’re just not updating us as quickly as some of us would like or with as much detail as some of us require. Work like this very rarely happens in the open.

 

[Mansi]

This thread consists of 99% children asking "is it done yet" in various ways, so no, barely

Even if they are children, they will still not be able to put this chip on their console.

 

[eseldiem]

they’re just not updating us as quickly as some of us would like or with as much detail as some of us require.

I’m not sure it was meant that way… but this reads as if you (or someone else here) are owed something.

Which would be rather unfortunate frame of reference.

 

[rcpd]

I’m not sure it was meant that way… but this reads as if you (or someone else here) are owed something.

Which would be rather unfortunate frame of reference.

It wasn’t. Being honest, I have zero skin in this game. I’ve got two unpatched Switches and zero patched Switches. Just interested in these kinds of things and like to see progress.

 

[evil_santa]

This is maybe useful for decompiling whit ghydra.

https://hackaday.com/2023/03/01/making-ghidra-play-nice-with-rp2040/

 

[Piorjade]

Considering these are for the FPGA and FPGAs don't really count in time but clock pulses these may be clock pulse counts. Probably offsets from a certain glitch start point.

right, makes sense
I thought the FPGA has its own clock, guess not.

 

[halfashark]

right, makes sense
I thought the FPGA has its own clock, guess not.

base clock of the target hardware is also often used.
there's typically a base clock, the clock derived from the base and then the top-level clock.

 

[Adran_Marit]

This thread consists of 99% children asking "is it done yet" in various ways, so no, barely

I wish I was still a child.
I don't understand much of the programming speak and after 20 hours awake reading the few pages information wasn't sinking in.

I've also bricked my own personal hardware on purpose to help this scene out soo take that as you will.

 

[Blavla]

I have a fresh Lite with soldered Hwfly. I could test some things if that is important. Bought 2 Pi´s too a while ago. I presume the solder points on the motherboard are the same

 

[binkinator]

I have a fresh Lite with soldered Hwfly. I could test some things if that is important. Bought 2 Pi´s too a while ago. I presume the solder points on the motherboard are the same

Yes, they are the same. The reference is on page 34. The firmware there doesn’t work btw…yet.