If you had told me a year ago that I would be inside my Switch Lite with a screwdriver, a spudger, tweezers, and the kind of concentration usually reserved for bomb disposal scenes in movies, I would have laughed. Yet here we are.

Yes, I know the Switch 2 is out, but after owning an OG switch and trading it for a Steam Deck, the Switch Lite cannot be beaten for portability and still have access to Nintendo's huge library.

I recently installed a pair of GuliKit TMR sensing joysticks in the Lite and surprisingly it all worked out. The whole job, including swapping out the white buttons in favour of an all-black setup, took about ninety minutes. I mixed up a few screws, had to reseat ZR because it only registered when held at a weird downward angle, and spent more time than I would like to admit reconnecting tiny ribbon cables.

But the result was absolutely worth it. The TMR sticks feel incredible. The centre position is firm and confident, nothing like the loose, tired feel of stock potentiometer sticks.

This post is not a guide. If you want step by step instructions there are many others online. What I want to do here is talk about two things that stood out during the process.

1. What makes TMR sensing different from standard Hall Effect.
2. How the Picofly inside my Switch actually works on a technical level. Not how to install it, but what it is doing.

What TMR sensing actually is

Most people know Hall Effect sticks because they are marketed as drift resistant. Hall sensors read magnetic field strength without any mechanical contact. No friction means no wear.

TMR stands for Tunnel Magnetoresistance. It uses the same general magnetic principle but in a more sensitive and stable way. The sensor inside the joystick measures resistance changes in a microscopic magnetic tunnel junction. These resistance shifts are significantly more precise than the voltage changes inside traditional potentiometer sticks.

In practice this means:

• A stronger signal.
• Tighter dead zones.
• Better long term stability.
• A more solid recentering feel thanks to GuliKit’s mechanical design.

It is not hype. You feel the difference immediately.

Why the thumb grips are not universal

One thing I discovered is that the interchangeable caps in the kit are not fully interchangeable. The red and blue caps clip in securely. The black ones refused to stay on. The stem geometry is slightly different from standard Joy-Con caps which means generic third party sets may work but GuliKit’s own replacement packs will not help if you want all black. So I opted for a set of Skull & Co covers (in black of course). The CQC Elite is the best fit for me. Slightly concave, slightly more raised, and super grippy around the edges.

Now for the fun part: what the Picofly is actually doing

My Switch Lite has a Picofly installed. It is a tiny RP2040 based board that quietly manipulates the boot process. The way these chips work is often described in simplified terms, such as “it glitches the CPU” or “it bypasses signature checks”. The real mechanism is much more interesting and worth understanding because it reveals how the Tegra X1 boots.

Again this is not an installation guide. This is a technical explanation of the vulnerability and how glitchers use it.

The Switch starts with a boot ROM that cannot be changed

When you turn on the Switch the Tegra X1 does not jump straight into Horizon OS. The process is:

1. The power management system wakes the CPU.
2. The immutable boot ROM executes.
3. The ROM samples hardware straps to choose a boot path.
4. It reads a Boot Configuration Table from storage.
5. It verifies the BCT signature.
6. If verification fails it falls back to a mode called RCM.

The key point is that the boot ROM is baked into silicon at the factory. It cannot be updated with software. Once the chips left Nvidia’s production line the ROM became permanent.

RCM is a factory recovery loader that can run external code

RCM stands for Recovery Mode. It is a small USB controlled loader originally intended for factory testing and provisioning. Nvidia designed it long before Nintendo shipped the Switch. RCM allows a USB host to upload a small block of code into SRAM and execute it.

Under normal conditions the Switch only enters RCM when it fails to verify a signed BCT.

This opens a door. If you can reach RCM before signature enforcement, you can upload a payload into memory.

The vulnerability sits in a timing flaw during BCT verification

The flaw exploited by Picofly style modchips is not simply “RCM exists”. It is that the CPU’s signature verification routine can be destabilised by an electrical fault at a very specific moment.

The boot ROM checks the BCT signature and branches based on the result. If the signature is bad it should reliably fall back to RCM. But there is a race condition between the verification branch and the fallback. If the Tegra experiences a tiny timing fault during this step the signature check may be skipped without cleanly entering the error path.

This creates a weird state where:

• The boot ROM believes it has a valid BCT.
• The data that the CPU now interprets as the bootloader is actually attacker supplied.
• Execution proceeds into memory regions uploaded through RCM.

Nothing is decrypted. No encryption is broken. The CPU is essentially nudged into taking a wrong turn during a critical verification step.

This pattern is common in glitching attacks against smartcards and older game consoles. You make the processor misbehave at the right moment so that otherwise secure checks are bypassed.

What the Picofly actually injects

A glitch chip does not inject code. It injects faults.

The Picofly is wired to specific test pads that expose signals the chip can monitor. When you press power the Picofly:

1. Wakes at the same time as the CPU.
2. Listens for the Tegra reaching the BCT verification stage.
3. Fires a carefully timed voltage disturbance pulse that lasts for a fraction of a microsecond.
4. Checks for signs that the glitch succeeded.
5. If it worked, it hands execution to a payload already placed in memory.

This payload then launches the usual custom bootloader chain like Hekate or Atmosphere.

Why wiring reliability matters so much

These pulses only succeed if they arrive inside a very narrow timing window. If the pulse comes too early the vulnerable function has not begun. If it arrives too late the signature check has already finished. Wire length affects electrical characteristics. Electrical characteristics affect rise time. Rise time affects pulse timing.

This is why Picofly installs are sensitive to solder quality, temperature, board revision, and the exact length of enamel wire. Even a small amount of added resistance can shift the window by hundreds of nanoseconds.

When the glitch does land correctly it feels like magic because the Switch behaves as if it always supported a custom bootloader.

Why Nintendo cannot patch this in software

Nintendo fixed the vulnerability only by producing revised hardware with corrected boot ROM logic. All unpatched Switch units have the flawed ROM permanently baked in. No system update can alter it because no software executes before the ROM.

That is why the RP2040 based Picofly can do its job reliably on older models. The weakness lives at the earliest possible stage of the boot path.

Putting it all together

After surviving a Picofly installation months earlier, installing GuliKit TMR sticks feels almost relaxing. The end result is a Switch Lite that feels completely transformed. The new sticks are precise and durable. The buttons match the dbrand skin. The entire handheld feels like a final form version of the Switch Lite.

The dbrand Area 51 skin is just so gorgeous on this. The white printing is textured and feels amazing in hand. This looks and feels like some kind of factory dev kit.

It is probably as close as you can get to an endgame controller setup without buying a new console. The machine feels better than new and I am happy to not see another ribbon cable again for a while.