WiiU gamepad haxing
Arisotura |
Sparsite |
And then they announced the Nintendo Switch, which is essentially the Wii U, but portable.
Arisotura |
it's been nearly a month, but anyway...
shit's getting somewhere
Sparsite |
What exactly is that? The Wii U firmware?
Arisotura |
oh right. I owe some gory technical details.
I desoldered the gamepad's Flash chip (in a completely unconventional way, but who cares, it came out okay). Soldered wires to it, hooked it to a raspi. Holy fucking miracle, it worked. So I dumped the contents of that Flash chip. The contents are what is shown in the hex editor: it's the WiiU gamepad firmware. (Noting that the firmware of the WiiU itself would be encrypted, and more difficult to get in plaintext.)
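As an added example (not code from the thread or from Arisotura): the SPI NOR command sequence a Raspberry Pi would use to identify and dump a chip like this, run here against a simulated chip so it works offline. It also covers the 4-byte address mode that comes up later in the thread: once a chip has been switched into 4-byte mode, a plain 0x03 READ with a 3-byte address is decoded against the wrong address and returns the wrong data. Opcodes are the common JEDEC ones (0x9F RDID, 0x03 READ, 0x13 READ4B, 0xB7 EN4B, 0xE9 EX4B); the JEDEC ID, the flash contents and the spidev wiring are assumptions, not from the post, and the chip's own datasheet is what decides which opcodes it honours.

```python
# Added example: SPI NOR identify/dump sequence, exercised against a simulated
# chip so it runs offline. Opcodes are the common JEDEC ones; the JEDEC ID and
# flash contents below are constructed, not from a real gamepad.
from typing import Protocol

RDID, READ, READ4B, EN4B, EX4B = 0x9F, 0x03, 0x13, 0xB7, 0xE9
PAGE = 256  # bytes per transfer; spidev caps a single xfer at a few KiB


class SpiDevice(Protocol):
    def xfer(self, tx: bytes) -> bytes: ...   # full-duplex, one CS assertion


class SimFlash:
    """Byte-level model of a SPI NOR slave: enough to show the address-mode trap."""

    def __init__(self, contents: bytes, jedec_id: bytes = bytes([0xEF, 0x40, 0x18])):
        self.mem = bytearray(contents)
        self.jedec_id = jedec_id           # constructed ID, not a real part's
        self.addr4 = False                 # power-on state on most parts: 3-byte addressing

    def xfer(self, tx: bytes) -> bytes:
        op = tx[0]
        if op == EN4B:
            self.addr4 = True
            return bytes(len(tx))
        if op == EX4B:
            self.addr4 = False
            return bytes(len(tx))
        if op == RDID:
            body = self.jedec_id[: len(tx) - 1]
            return bytes(1) + body + bytes(len(tx) - 1 - len(body))
        if op in (READ, READ4B):
            # READ4B always takes 4 address bytes; plain READ takes 4 only in 4-byte mode.
            alen = 4 if (op == READ4B or self.addr4) else 3
            addr = int.from_bytes(tx[1:1 + alen], "big")
            n = len(tx) - 1 - alen
            data = bytes(self.mem[addr:addr + n])
            return bytes(1 + alen) + data + bytes(n - len(data))
        raise ValueError(f"unsupported opcode {op:#04x}")


class SpidevFlash:
    """Same interface on a Raspberry Pi via py-spidev (assumed wiring: bus 0, CE0)."""

    def __init__(self, bus: int = 0, cs: int = 0, hz: int = 8_000_000):
        import spidev  # only needed on the Pi
        self.spi = spidev.SpiDev()
        self.spi.open(bus, cs)
        self.spi.mode = 0
        self.spi.max_speed_hz = hz

    def xfer(self, tx: bytes) -> bytes:
        return bytes(self.spi.xfer2(list(tx)))


def read_id(dev: SpiDevice) -> bytes:
    return dev.xfer(bytes([RDID, 0, 0, 0]))[1:]


def read_chunk(dev: SpiDevice, addr: int, n: int, four_byte: bool) -> bytes:
    if four_byte:
        cmd = bytes([READ4B]) + addr.to_bytes(4, "big")
    else:
        if addr + n > 1 << 24:
            raise ValueError("beyond 16 MiB: use 4-byte addressing")
        cmd = bytes([READ]) + addr.to_bytes(3, "big")
    return dev.xfer(cmd + bytes(n))[len(cmd):]


def dump(dev: SpiDevice, size: int, four_byte: bool = False) -> bytes:
    out = bytearray()
    for addr in range(0, size, PAGE):
        out += read_chunk(dev, addr, min(PAGE, size - addr), four_byte)
    return bytes(out)


def dump_verified(dev: SpiDevice, size: int, four_byte: bool = False) -> bytes:
    """Read twice and compare: catches the bit corruption a too-fast clock or
    too-long wires produce on MISO before you trust the image."""
    first, second = dump(dev, size, four_byte), dump(dev, size, four_byte)
    if first != second:
        raise IOError("two reads differ: lower the SPI clock or shorten the wires")
    return first


if __name__ == "__main__":
    chip = SimFlash(bytes(range(256)) * 4)      # constructed 1 KiB image
    print("JEDEC ID:", read_id(chip).hex())
    print(dump_verified(chip, 1024)[:16].hex())
```

On real hardware, swap `SimFlash` for `SpidevFlash` and start with a conservative clock; `dump_verified` is the cheap check that the wiring is good before spending time on the image. The address-mode trap is symmetric: a chip left in 4-byte mode by a previous session misreads 3-byte commands, and a chip in 3-byte mode fed 4-byte addresses does the same, so send EX4B or EN4B explicitly rather than relying on the power-on state.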
Sparsite |
So how exactly are you going to reverse engineer it? Are you going to have to keep soldering and unsoldering the wires to test it?
Arisotura |
I have yet to think of a convenient way to flash it with my own code and test it, yeah. maybe some connector thing for the Flash chip? uploading code via some expansion port?
but eh, before that, there's some RE to do. like, figuring out what the fuck the code does, what the hardware registers are, etc...
Sparsite |
Wait, so are you gonna be reverse engineering that stuff in pure hex?
Arisotura |
Sparsite |
Where are you going to start? I can only reverse engineer stuff with real-time debugging tools like no$gba, so I'm pretty clueless outside of that. (I feel like placing 20 random NOPs and seeing what happens is the wrong approach.)
Arisotura |
I built up a basic emulator to run the code and see what it does.
(also, trying to adapt and use code from DeSmuME is a horrible endeavor)

at this point, I'm pretty stuck though -- the code waits for an IRQ, and we know zero about IRQs, so...
Arisotura |
at this point, RE is getting complex as-is because the code is agsfagdfagsas
so I want to run shit directly on the gamepad. multiple possibilities:

flashing a code stub that receives shit via a GPIO (for example, setting up more code)
+ doable right now
- blind, chance that shit wouldn't work for some dumb reason (like missing hardware setup)
- I only have one GPIO handy. I need at least 2 to build a somewhat decent transfer protocol.
- requires desoldering/resoldering the Flash chip at every attempt if the code stub has to be changed

emulating the Flash with a raspi
+ easy code upload, no soldering each time, no bricking risk
- raspi can be used as a SPI slave but it sucks

emulating the Flash with an arduino
+ same as for the raspi
- arduino uses 5V and I need 3.3V. need resistors which I don't have.
? can the arduino sync to an external clock, and can it cope with a 32MHz clock? (dunno what the Flash clock is tho, but the chip used is said to support up to 108MHz)
NintendoFan |
| ||
Normal user Level: 42 Posts: 350/403 EXP: 483156 Next: 38206 Since: 07-15-14 Last post: 2300 days ago Last view: 2294 days ago |
Somehow, the second option sounds safest to me.
Arisotura |
I found slave SPI code for the raspi, but it's bare-metal (ie: how to send the data to something else??), and seems limited in clock frequency.
Arduino's limited to 4MHz. I don't know what the clock used by the gamepad is, but it's probably 32MHz, so beh.

Anyway, I made sorta-connectors, so the Flash chip can be easily connected to the gamepad or to the raspi. Checked with the raspi, it works well. Now trying to see if the gamepad still works. It needs charging. Maybe the battery is crapoed too -- but it did turn on when I got it. It just didn't last long at all. Knowing Nintendo's hardware design, the fucker likely won't turn on without a good battery, so if the battery is crapoed, well, peh.
Arisotura |
Noting that the length of the wires may very well be fucking me over.
On the raspi, the max SPI clock I can set is 15MHz. If I set 31MHz, it shits itself -- the Flash chip receives the commands fine, but the responses are corrupted. The chip is said to support up to 54MHz.

Wire length induces a propagation delay, that may start causing issues past a certain clock speed. ie: the response bits are sent after the time the raspi attempts to sample them, and not before. I suspect the gamepad is using a 32MHz clock, so of course it would cause the same issues there.

So, what are the possible solutions?
1. slow the clock
2. shorten the wires
Or... a more exotic solution, lengthen the clock wire, causing the Flash chip to receive a more offset clock that is closer to the original one, making things "right again"?

Let's see. At 32MHz, the clock stays in one state for 15.625 nanoseconds. Which is the maximum delay we can accept before things fuck up.
That's 234cm of wire. Well, according to this shit, I would need over one meter of wire to get effects at 32MHz. That doesn't make sense. My wires aren't nearly that long. dunno
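An added worked example (not from the post): the same half-period budget, but carried through with everything that has to fit inside it on a SPI read: the clock edge travelling out to the chip, the chip's clock-to-output delay before MISO is valid, the data travelling back, and the master's input setup time. Wire velocity (0.6c for loose hookup wire), the flash tV (8 ns) and the master tSU (2 ns) are placeholder assumptions; the chip's datasheet gives the real tV.

```python
# Added example: SPI read-path timing budget for mode 0 (flash launches MISO on
# the falling edge, master samples on the rising edge, so one half-period is
# available). Placeholder assumptions, not from the post: velocity factor 0.6
# for loose hookup wire, flash clock-to-output tV = 8 ns, master setup tSU = 2 ns.
C_M_PER_NS = 0.299792458  # speed of light in vacuum, metres per nanosecond

T_V_NS = 8.0    # placeholder: flash clock-to-output delay (datasheet tV)
T_SU_NS = 2.0   # placeholder: master input setup time
VF = 0.6        # placeholder: signal velocity as a fraction of c


def half_period_ns(clock_hz: float) -> float:
    return 1e9 / clock_hz / 2


def wire_delay_ns(length_m: float, vf: float = VF) -> float:
    """One-way propagation delay along a wire of the given length."""
    return length_m / (C_M_PER_NS * vf)


def read_path_cost_ns(wire_m: float, t_v: float = T_V_NS,
                      t_su: float = T_SU_NS, vf: float = VF) -> float:
    """Clock edge out to the chip, chip output delay, data back, master setup."""
    return 2 * wire_delay_ns(wire_m, vf) + t_v + t_su


def miso_slack_ns(clock_hz: float, wire_m: float, t_v: float = T_V_NS,
                  t_su: float = T_SU_NS, vf: float = VF) -> float:
    """Positive: MISO settles before the sampling edge. Negative: corrupted reads."""
    return half_period_ns(clock_hz) - read_path_cost_ns(wire_m, t_v, t_su, vf)


def max_clock_hz(wire_m: float, t_v: float = T_V_NS,
                 t_su: float = T_SU_NS, vf: float = VF) -> float:
    """Highest clock at which the read path still has non-negative slack."""
    return 1e9 / (2 * read_path_cost_ns(wire_m, t_v, t_su, vf))


def max_wire_m(clock_hz: float, t_v: float = T_V_NS,
               t_su: float = T_SU_NS, vf: float = VF) -> float:
    """Longest wire whose round trip the half-period can absorb after tV and tSU."""
    left = half_period_ns(clock_hz) - t_v - t_su
    return max(0.0, left / 2 * C_M_PER_NS * vf)


if __name__ == "__main__":
    for mhz in (15, 31, 32):
        print(f"{mhz} MHz: half period {half_period_ns(mhz * 1e6):.3f} ns, "
              f"max wire {max_wire_m(mhz * 1e6) * 100:.0f} cm (placeholder tV/tSU)")
    print(f"0.5 m of wire: max clock {max_clock_hz(0.5) / 1e6:.1f} MHz")
```

With the placeholder numbers, 32 MHz leaves room for roughly half a metre of wire and 15 MHz for about two metres, because the round trip counts the wire twice and tV plus tSU already use up 10 of the 15.625 ns. The propagation-only figure is far more generous because it counts one trip and no chip delay; the chip's own tV from the datasheet is the number that decides the case.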
Arisotura |
Status update!
As the doc was getting big, it's been moved to its own page. Linked on the first post.

I worked out how to do I2C, how to initialize the LCD and set up the framebuffer. So theoretically I would be able to display shit. Theoretically. There could always be some little dumb thing fucking me over. I'll be able to find out whenever I get a new mobo. Soon, I hope. In the meantime, I guess I can work out more things.
Sparsite |
So are you wanting to release a gamepad emu as well as a firmware patch that people can use to play on their gamepad separately from the Wii U console?
Arisotura |
An emulator isn't in the current plans, it would have little point besides helping homebrew dev if that ever caught on.
As for distributing homebrew to the masses, well, the stock firmware can be updated over wifi. The challenge would be replicating the update feature in homebrew, in a safe way so that you can't brick your gamepad.
Arisotura |
Since I won't be able to get back to the hardware before the 7th, I'm digging more into the firmware.
Check out the doc and see for yourself. I'm adding some notes on the audio system. I can't go very far by only looking at the code, but it seems to be a simple streamer with a circular buffer. No idea how stereo would work -- probably by interleaving data for the left and right channels.

Input would also be interesting to work out. It relies on the UIC, I have yet to work out the protocol.
Arisotura |
hey hey hey hey
I just ran my first code on the gamepad

well, it's very simple. all it does is turn on the rumble motor, since that's the easiest thing to do to verify that the code is running at all (using the screen requires using I2C and setting up framebuffer shit, and I don't know how to control LEDs or shit).

code is running!

the Flash chip isn't tied to the motherboard. requires moving the Flash chip around. hoping the connections don't break.
can't write much shit in the Flash chip. I attempted using 4-byte address mode but it fucks up, no idea what's going on. (gamepad does use 4-byte address mode, look into that you lazy fuck)
I fucking burned my thumb.

TODO LIST
* hopefully, get the screen working
* hijack rumble GPIO as a debug/comm line? or look into hijacking UART?
* dump the boot ROM, work out system details like CPU ID etc
* work out shit like input, audio, SPI, etc...

side note: the Flash bootloader is weird
first word is the size of the bootloader
next 0x40 bytes are the exception vectors, loaded at 0x00000000
the rest (size-0x40) is loaded at 0x003F0000

compiling something right takes some trickery, but eh
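As an added example (not from the thread): a parser for the bootloader layout described in the post, plus a check that the 0x40-byte block resolves like an ARM exception vector table so a build that got the load addresses wrong is caught before it goes onto the chip. Assumptions not in the post: little-endian words, a size word that does not count itself, and vectors encoded either as B (0xEA......) or as LDR pc,[pc,#imm] (0xE59FF...) with the literal pool inside the same 0x40 bytes. The sample image is constructed here, not dumped from a gamepad.

```python
# Added example: parse the Flash bootloader layout described in the post
# (size word, 0x40 bytes of exception vectors for 0x00000000, remainder for
# 0x003F0000) and resolve where each vector jumps. Assumptions, not from the
# post: little-endian words, size excludes the size word itself, ARM vectors
# encoded as B or LDR pc,[pc,#imm]. The sample image is constructed here.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

VECTOR_BYTES = 0x40
VECTORS_LOAD = 0x00000000
BODY_LOAD = 0x003F0000
VECTOR_NAMES = ["reset", "undef", "swi", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]


@dataclass
class Bootloader:
    size: int
    vectors: bytes
    body: bytes

    def load_map(self) -> Dict[int, bytes]:
        return {VECTORS_LOAD: self.vectors, BODY_LOAD: self.body}


def parse_bootloader(flash: bytes) -> Bootloader:
    if len(flash) < 4 + VECTOR_BYTES:
        raise ValueError("image too short for size word plus vectors")
    (size,) = struct.unpack_from("<I", flash, 0)
    if size < VECTOR_BYTES or 4 + size > len(flash):
        raise ValueError(f"size word {size:#x} inconsistent with image length")
    vectors = flash[4:4 + VECTOR_BYTES]
    body = flash[4 + VECTOR_BYTES:4 + size]
    return Bootloader(size, vectors, body)


def vector_targets(vectors: bytes) -> List[Optional[int]]:
    """Handler address for each of the 8 ARM exception slots, or None when the
    slot is neither a B nor an LDR pc,[pc,#imm] whose literal lies in the table."""
    words = struct.unpack("<16I", vectors)
    out: List[Optional[int]] = []
    for i in range(8):
        w, pc = words[i], i * 4
        if (w >> 24) == 0xEA:                  # B: target = PC+8 + signext(imm24)<<2
            imm = w & 0x00FFFFFF
            if imm & 0x00800000:
                imm -= 1 << 24
            out.append(pc + 8 + (imm << 2))
        elif (w & 0xFFFFF000) == 0xE59FF000:   # LDR pc,[pc,#imm12]: literal at PC+8+imm
            lit = pc + 8 + (w & 0xFFF)
            out.append(words[lit // 4] if lit + 4 <= VECTOR_BYTES else None)
        else:
            out.append(None)
    return out


def vectors_in_body(bl: Bootloader) -> Dict[str, bool]:
    """True when a vector lands inside the region that gets loaded at 0x003F0000."""
    lo, hi = BODY_LOAD, BODY_LOAD + len(bl.body)
    return {name: t is not None and lo <= t < hi
            for name, t in zip(VECTOR_NAMES, vector_targets(bl.vectors))}


def build_sample_image() -> bytes:
    """Constructed image: 8 x LDR pc,[pc,#0x18] followed by 8 literals, then a
    0x100-byte body of 'b .' filler. Not a real dump."""
    ldr = [0xE59FF018] * 8                       # slot i loads the literal at 0x20 + 4*i
    literals = [BODY_LOAD + 0x10 * i for i in range(8)]
    vectors = struct.pack("<16I", *ldr, *literals)
    body = bytes([0xFE, 0xFF, 0xFF, 0xEA]) * 64  # 0xEAFFFFFE = b . (spin), 0x100 bytes
    return struct.pack("<I", VECTOR_BYTES + len(body)) + vectors + body


if __name__ == "__main__":
    bl = parse_bootloader(build_sample_image())
    for addr, blob in bl.load_map().items():
        print(f"load {len(blob):#x} bytes at {addr:#010x}")
    for name, target in zip(VECTOR_NAMES, vector_targets(bl.vectors)):
        print(f"{name:>15}: {target:#010x}" if target is not None else f"{name:>15}: ?")
```

The useful property of the check is that it runs on the file you are about to flash: if the linker put the body anywhere other than 0x003F0000, or the vector table is not the first 0x40 bytes after the size word, `vectors_in_body` reports False for every slot and you find out before desoldering anything.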