Build your own dongle (Research and development thread)

Discussion in 'Switch - Backup Loaders & Modchips' started by Wierd_w, May 19, 2018.

  1. Wierd_w
    OP

    Wierd_w GBAtemp Regular

    Member
    3
    May 12, 2018
    United States
    This is the R&D thread. This is for people who want to know the nitty gritty of making their own dongle from sources, and has my thoughts through each stage of my process.
    The user-friendly "Do this, this, this and this" tutorial will come after.

    Disclaimer out of the way-- Here we go.

    First an old post from another discussion topic so it does not get lost--

    I was really hoping to not have to do surgery on the dongle, but looking closely at the pictures of the PCB from the hacking documents/research, I am going to have to.

    There will need to be some slight soldering modifications to the device so that host mode data pins are exposed through the port. This sadly means sacrificing either the ability for the device to read the sdcard slot, or for the device to function as an sdcard reader for the host. I am going to elect sacrificing the ability for the device to read the sdcard slot. (Picking option 1 below.)

    The reasoning is simple:

    The designers included a 2 output select highspeed switch (that is fully bidirectional), that (as currently wired), switches the SDCard reader's data pins between either the SoC's USB root hub, or the USB-A connector. (this means that as wired, the USB-A plug cannot talk to the host's root hub.)

    We have two options:

    1) (Make the USB-A interface become the item that gets switched)
    De-solder the contact going into the highspeed switch where the SDCard interface board talks, and remove the 2 pin header from the daughter board
    Solder 2 patch wires into the header holes on the daughter board
    Solder 2 patch wires onto the USB-A connector's D+ and D- contact pads
    VERY CAREFULLY cut the traces on the motherboard that connect the SW1 D+ and D- pads of the highspeed switch to the USB-A interface
    Run the USB-A patch wires into the switch's input header holes
    Run the SDCard reader's patch wires into the teeeeeny tiny contact points of the surface mount switch's SW1 points. (Or look for testpoints on the PCB, and connect there.)

    2) (Make the SoC host interface become the item that gets switched)
    Hunt down contact points for the SoC's D+ and D- lines, and attach jumper wires
    VERY CAREFULLY cut the traces after the SoC contact points we are using that lead to the switch
    Desolder and remove the 2 pin header from the SDCard daughter board
    Solder jumper wires to the header pin holes on the daughter board
    Solder the SoC jumper wires to the switch input header pin holes
    Solder the CardReader jumper wires to SW2 data pins (look for testpoints)

    I think option 1 is less likely to have issues. (I don't have to hunt for as many test pads, and it should be easier to cut the traces) It will also allow the console to read the SDCard slot after the appropriate GPIO is asserted. Access to the RCM mode console is enabled because the highspeed switch is bidirectional, when the GPIO is low. The downside is that the SoC cannot see or use the card reader.

    Option 2 allows the SoC to see the card reader, but denies the console access to the slot. It is also harder to pull off I think.


    Given the issues I have faced trying to get a suitable bare image for the zsun built (due to small SPI flash, only 16mb), I think "candidate 2" I linked previously is a no-go, (Only 4mb SPI flash) even though it would be solderless. (has fully exposed host interface) I will look into other options that could be done that are fully solderless, but they are more expensive, and I am not made of money. (For the cost of 2 hardware test articles, I could buy a switch game and have much more fun.)


    Addendum:

    There's also the "Super easy" choice where we sacrifice both, by unsoldering the two pins to the SDcard reader, jumpering straight to the data pins on the port, and hooking nothing else up. That would make the GPIO toggle basically be "Host connected to port." and "Nothing connected." (actually, port connected to itself, so nothing.)

    For simplicity, I will take this last option until I more completely explore this device.

    ----

    And now for the fun part.

    The dongle has arrived.

    It's much smaller than I expected.


    Initial research:

    Device comes stock with an ancient linux kernel, and hyper-minimal embedded linux userspace. (2.6.31 !! BLECH!!)
    Device's USB driver is NOT baked into the kernel; It is loaded as a module.
    Device's root file system is writable!? (No, it's NOT tmpfs! It's totally jffs2!)
    Device has root access via hidden telnet on port 11880. Username: root Password: zsun1188

    This means the option to just recompile ehci-hcd.ko with FoF's patch, and sideload python (without flashing openwrt) is possible, but I won't be doing that. (Already built openwrt, which while an old version, is much newer than this kernel. 3.xxx kernel.)

    I have already dumped the partitions and backed them up. Going to attempt firmware update. (If I fail, I will solder serial console header on, and recover)
    Wish me luck.
     
    Last edited by Wierd_w, May 19, 2018
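
Added example, not part of the original thread: a check for the two findings reported in the post above (a telnet listener on a non-default port and a root account with a usable password), run over an unpacked firmware root filesystem. It assumes BusyBox-style `telnetd -p PORT` startup lines under `etc/`; the function names are hypothetical and the sample tree and hash are constructed, not taken from the device.

```python
import re
import tempfile
from pathlib import Path

PORT_RE = re.compile(r"-p\s*(\d+)")  # BusyBox telnetd takes its port as -p PORT

def telnet_listeners(rootfs):
    """Return (script, port) for each telnetd launch found under etc/."""
    hits = []
    for path in sorted(p for p in Path(rootfs, "etc").rglob("*") if p.is_file()):
        for line in path.read_text(errors="replace").splitlines():
            code = line.split("#", 1)[0]              # ignore comments
            if re.search(r"\btelnetd\b", code):
                m = PORT_RE.search(code)
                port = int(m.group(1)) if m else 23   # 23 is the telnet default
                hits.append((path.relative_to(rootfs).as_posix(), port))
    return hits

def login_accounts(rootfs):
    """Map account name -> 'hash' or 'empty' for accounts that can log in."""
    def field2(name):
        p = Path(rootfs, "etc", name)
        lines = p.read_text().splitlines() if p.is_file() else []
        return {l.split(":")[0]: l.split(":")[1] for l in lines if ":" in l}
    passwd, shadow = field2("passwd"), field2("shadow")
    out = {}
    for user, pw in passwd.items():
        if pw == "x":                    # real hash lives in etc/shadow
            pw = shadow.get(user, "*")
        if pw == "":
            out[user] = "empty"          # no password at all
        elif pw[0] not in "*!":          # '*' and '!' mark locked accounts
            out[user] = "hash"
    return out

def build_sample(root):
    """Constructed rootfs fragment; not taken from the device's firmware."""
    etc = Path(root, "etc")
    (etc / "init.d").mkdir(parents=True)
    (etc / "init.d" / "rcS").write_text(
        "#!/bin/sh\n# telnetd disabled on 23\ntelnetd -p 11880 -l /bin/login &\n")
    (etc / "passwd").write_text(
        "root:$1$salt$CONSTRUCTEDHASH:0:0:root:/root:/bin/sh\n"
        "nobody:*:65534:65534:nobody:/var:/bin/false\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(telnet_listeners(d), login_accounts(d))
```
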
  2. Wierd_w
    Now then-- Compiling sources.

    I am lazy, and grabbed this Emeryth guy's repo with git.

    Once we start the building process (and get past the initial toolchain build, which takes FOR-EV-ER), we have to add FoF's patch to ehci-hcd.c in the linux kernel source

    You can find the patch here:
    http://github.com/fail0verflow/shofel2/blob/master/linux-ehci-enable-large-ctl-xfers.patch

    You can do this manually (Like I did, since it is just a simple deletion) but you have to be fast before the compiler gets there.

    You will also need to patch bzip2's make file, so that it can be built properly, otherwise the python package will break. You can find the needed patch here:
    http://git.archive.openwrt.org/?p=...ff;h=6a69e3064bdfa320f85d730c8d017f69c0215f6b
     
  3. Wierd_w
    Flashing images:

    Emeryth's research is damn useful. He has found that there is a hidden upgrade utility in the stock firmware that is pretty hard to screw up. You can pull his flash update builder script here:
    http://code.hackerspace.pl/informatic/zsun-fw-tools

    I had some issues though. The firmware inside my zsun apparently does not expose the SMB share the auto-flasher uses. Instead, it has an HTTP PUT method based uploader through the web portal. I used that to upload the update file, then used the hidden telnet to move it to the correct location. Then I triggered the update by loading the magic URL.

    Chaos Calmer now running on the zsun.


    Next up, getting nano and python installed using ipkg. The built-in ssh daemon (dropbear) apparently does not like allowing connections over sftp. I DO however, have wget.
     
  4. hippy dave

    hippy dave BBMB

    Member
    11
    Apr 30, 2012
    United Kingdom
    Nice, keep it up.

    I don't know if your USB C adapter arrived yet, but if so have you tested if the dongle can draw power from the Switch without alteration?
     
  5. Wierd_w
    Arrived at the same time, but have not tested that yet.
     
  6. Xandroz

    Xandroz GBAtemp Advanced Fan

    Member
    4
    Mar 19, 2018
    Egypt
    good luck
     
  7. OllieD

    OllieD Member

    Newcomer
    3
    Dec 31, 2008
  8. Wierd_w

    Nice to know, but using the built-in flasher worked a treat. Already on Chaos Calmer.

    @hippy dave The converter is now proven to supply power to the dongle. It boots fine. I have gotten nano and python (2.7 but hey... embedded device yo. I can also put python 3 if I need it.)

    Next is hardware modification.
     
  9. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    17
    Mar 17, 2010
    Norway
    Alola
    If this works, you're going to make a lot of people happy.
    Good luck with it.
    I was thinking we would have to make something using a Teensy or something similar, which would be bigger and also would not come in a nice case, this would be a much better solution.

    Also, how much does that dongle cost?
     
  10. Wierd_w
    Dongle + 2pack USB-C adapter block == 20$ from amazon with prime.

    This thing can potentially do much more than a teensy. It is a 200mhz-ish SoC (MIPS), with 64mb of RAM and 16mb of SPI flash, with TWO hardware wifi controllers. This thing can run straight up Linux. (That's what OpenWRT is, essentially.)

    This thing can download stuff from bittorrent, host a VPN tunnel, do all sorts of bells and whistles. Right now, I just want it to do the autoinjection payload thing.
     
  11. The Real Jdbye

    Sure, but for this purpose, none of that is needed or even useful. You could do all that on Switch Linux.
    Price is decent though. A Teensy isn't going to be any cheaper either.
    It'll be a good alternative to SX, once Atmosphere releases and there's a warez loader at least.
    And the extra MicroSD could prove useful.
    Got a link to where to buy this? I'm not going to buy one (at least not now) but I'm curious about this device and what exactly it is.
     
    Last edited by The Real Jdbye, May 19, 2018
  12. Wierd_w
    Indeed. Speaking of the shell-- it opens VERY easily. Insert a razor blade into the small crease near the bottom, and gently lever it. It is basically a sleeve over the plastic bottom plug, and all the parts slide apart fairly easily with the right motivation.

    JESUS is this thing tiny inside. I hope I can solder this small.
     
  13. The Real Jdbye

    Bonus points if you can integrate the OTG adapter into the device :)
     
  14. TheSynthax

    TheSynthax Advanced Member

    Newcomer
    1
    Apr 29, 2018
    United States
    Have you considered deconstructing this adapter, removing the SD port, USB plug, etc. and placing it in your Switch? Could untether the exploit by flipping a bit somewhere in the bootloader to corrupt it, forces RCM every boot and a custom payload could switch between stock, CFW, Linux boot based on holding vol- or vol+ or something similar.
     
  15. Wierd_w

    To be perfectly honest, my hands shake terribly from years of abuse doing computer work. (Carpal tunnel for the lose.) Soldering is not my finest skill. I will leave it at that.

    I am much more proficient with the embedded linux software side of things. As such, the less I have to solder things tinier than .5mm (which is how tiny the contacts on this thing are! ERGH!! I feel like I am about to try soldering a surface mount finger-landing type IC by hand! I don't have a clamp rig either!) the better!

    I am quite happy to have the adapter piggy backed on the dongle. As is, I am going to remove the SD-Card daughter board as carefully and slowly as I can, remove the 2 pin header (which is tiny as shit!), and do a direct wire to the USB data pins. Then I will carefully put the daughter board back on. (It has the 3v regulator and some other goodies on it, so I kinda need it.)

    If some other people in our merry band of cut-throats and villains have extra special soldering skills, and want to use my software to make and sell these things, I am totally down with that. First is the proof of concept though.
     
  16. TheSynthax

    Just bought one to experiment with internalization, will report back later on. I'll check back here on your progress!

    Edit: I wonder if that would interfere with docked mode in any way, or drain the Switch measurably faster. Probably not, but worth considering.
     
    Last edited by TheSynthax, May 19, 2018
  17. Retr0id

    Retr0id Member

    Newcomer
    1
    Apr 12, 2018
    United Kingdom
    I just ordered one of these things: http://www.ebay.co.uk/itm/381347616902 (£10 shipped)
    It has an on-board battery, and usb host mode out-of-the box.

    It is also well documented on the openwrt wiki: http://wiki.openwrt.org/toh/unbranded/a5-v11 (See the bottom of the page)

    So in theory, this thing just needs a minor firmware/software change and then it's ready to go!

    This undercuts TX in price, is equally user-friendly, and has way more potential features! (Wi-Fi payload updates anyone?)

    Edit: just found another listing for only £8: http://www.ebay.co.uk/itm/282771298892
     
    Last edited by Retr0id, May 19, 2018
  18. Wierd_w

    The problem with that one is the flash is too small.

    AND-- I just totally hoosiered the zsun trying to solder something so damn tiny, with shaky assed hands, a shitty soldering iron that had the tip melting off in just a few minutes from rosin core solder, and my abysmally bad luck. (There is a reason I try not to solder anything, and it is because I am all fucking thumbs at it.)

    I will look for a solder-free alternative platform that has immediate host mode access, and has a decent amount of flash.
     
  19. Retr0id

    4MB is too small? How come?
     
  20. Wierd_w
    Linux kernel = 1.2mb
    EHCI driver = ~200kb
    Python = ~3mb

    See where this is going?
     