WiiU gamepad haxing (Computers and technology, page 2)

StapleButter
Posted on 10-13-16 03:52 PM Link | #78694
I would, but I don't have the original firmware handy and don't know the full hardware specs of the thing.

____________________
NSMBHD - Kafuka - Jul

communism

Sparsite
Posted on 10-21-16 09:21 PM Link | #79024
Posted by StapleButter
The idea is to program a WiiU gamepad, but as a standalone device.


And then they announced the nintendo switch, which is essentially the Wii U, but portable.

____________________
ASMR:
*quietly whispers*
move r0 r7
push r4 to r14
load register r4 into r0
POP

StapleButter
Posted on 11-05-16 06:04 PM Link | #79512
it's been nearly a month, but anyway...

shit's getting somewhere

Sparsite
Posted on 11-05-16 08:24 PM Link | #79513
Posted by StapleButter
it's been nearly a month, but anyway...

shit's getting somewhere


What exactly is that? The Wii U firmware?

StapleButter
Posted on 11-05-16 08:27 PM Link | #79514
oh right. I owe some gory technical details.

I desoldered the gamepad's Flash chip (in a completely unconventional way, but who cares, it came out okay). Soldered wires to it, hooked it to a raspi.

holy fucking miracle, it worked. so I dumped the contents of that Flash chip.

the contents are what is shown in the hex editor. it's the WiiU gamepad firmware.

(noting that the firmware of the WiiU itself would be encrypted, and more difficult to get in plaintext :P )

Sparsite
Posted on 11-05-16 08:31 PM Link | #79515
Posted by StapleButter
oh right. I owe some gory technical details.

I desoldered the gamepad's Flash chip (in a completely unconventional way, but who cares, it came out okay). Soldered wires to it, hooked it to a raspi.

holy fucking miracle, it worked. so I dumped the contents of that Flash chip.

the contents are what is shown in the hex editor. it's the WiiU gamepad firmware.

(noting that the firmware of the WiiU itself would be encrypted, and more difficult to get in plaintext :P )


So how exactly are you going to reverse engineer it? Are you going to have to keep soldering and unsoldering the wires to test it?

StapleButter
Posted on 11-05-16 08:34 PM (rev. 2 of 11-05-16 08:34 PM) Link | #79516
I have yet to think of a convenient way to flash it with my own code and test it, yeah. maybe some connector thing for the Flash chip? uploading code via some expansion port?

but eh, before that, there's some RE to do. like, figuring out what the fuck the code does, what the hardware registers are, etc...

Sparsite
Posted on 11-05-16 08:56 PM Link | #79517
Posted by StapleButter
I have yet to think of a convenient way to flash it with my own code and test it, yeah. maybe some connector thing for the Flash chip? uploading code via some expansion port?

but eh, before that, there's some RE to do. like, figuring out what the fuck the code does, what the hardware registers are, etc...


Wait, so are you gonna be reverse engineering that stuff in pure hex?

StapleButter
Posted on 11-05-16 08:57 PM Link | #79518
nah. I extracted the code and threw it in IDA :P

Sparsite
Posted on 11-05-16 09:01 PM Link | #79519
Posted by StapleButter
nah. I extracted the code and threw it in IDA :P


Where are you going to start? I can only reverse engineer stuff with real time debugging tools like no$gba, so I'm pretty clueless outside of that. (I feel like placing 20 random NOPs and seeing what happens is the wrong approach)

StapleButter
Posted on 11-05-16 09:04 PM Link | #79520
I built up a basic emulator to run the code and see what it does.

(also, trying to adapt and use code from desmume is a horrible endeavor)

at this point, I'm pretty stuck though -- the code waits for an IRQ. and we know zero about IRQs, so...

StapleButter
Posted on 11-06-16 07:45 PM (rev. 2 of 11-06-16 07:45 PM) Link | #79544
at this point, RE is getting complex as-is because the code is agsfagdfagsas

so I want to run shit directly on teh gamepad.

multiple possibilities:


flashing a code stub that receives shit via a GPIO (for example, setting up more code)

+ doable right now
- blind, chance that shit wouldn't work for some dumb reason (like missing hardware setup)
- I only have one GPIO handy. I need at least 2 to build a somewhat decent transfer protocol.
- requires desoldering/resoldering the Flash chip at every attempt if the code stub has to be changed


emulating the Flash with a raspi

+ easy code upload, no soldering each time, no bricking risk
- raspi can be used as a SPI slave but it sucks


emulating the Flash with an arduino

+ same as for the raspi
- arduino uses 5V and I need 3.3V. need resistors which I don't have.
? can the arduino sync to an external clock, and can it cope with a 32MHz clock? (dunno what the Flash clock is tho, but the chip used is said to support up to 108MHz)

NintendoFan
Posted on 11-07-16 02:53 AM Link | #79555
Somehow, the second option sounds safest to me. :P

____________________
A nobody.

StapleButter
Posted on 11-08-16 12:17 PM Link | #79564
I found slave SPI code for the raspi, but it's bare-metal (ie: how to send the data to something else??), and seems limited in clock frequency.

Arduino's limited to 4MHz.

I don't know what the clock used by the gamepad is, but it's probably 32MHz, so beh.


Anyway, I made sorta-connectors, so the Flash chip can be easily connected to the gamepad or to the raspi.

Checked with the raspi, it works well. Now trying to see if the gamepad still works. It needs charging. Maybe the battery is crapoed too -- but it did turn on when I got it. It just didn't last long at all.

Knowing Nintendo's hardware design, the fucker likely won't turn on without a good battery, so if the battery is crapoed, well, peh.

StapleButter
Posted on 11-09-16 12:39 PM Link | #79598
Noting that the length of the wires may very well be fucking me over.

On the raspi, the max SPI clock I can set is 15MHz. If I set 31MHz, it shits itself -- the Flash chip receives the commands fine, but the responses are corrupted.

The chip is said to support up to 54MHz.

Wire length induces a propagation delay, that may start causing issues past a certain clock speed. ie: the response bits are sent after the time the raspi attempts to sample them, and not before.


I suspect the gamepad is using a 32MHz clock, so of course it would cause the same issues there.


So, what are the possible solutions?

1. slow the clock
2. shorten the wires

Or... a more exotic solution, lengthen the clock wire, causing the Flash chip to receive a more offset clock that is closer to the original one, making things "right again"?

Let's see. At 32MHz, the clock stays in one state for 15.625 nanoseconds. Which is the maximum delay we can accept before things fuck up.

Wires have an approximate propagation delay of 1 ns for every 6 inches (15 cm) of length.


That's 234cm of wire.

Well, according to this shit, I would need over one meter of wire to get effects at 32MHz. That doesn't make sense. My wires aren't nearly that long.

dunno

StapleButter
Posted on 11-13-16 08:33 PM Link | #79693
Status update!

As the doc was getting big, it's been moved to its own page. Linked on the first post.

I worked out how to do I2C, how to initialize the LCD and setup the framebuffer. So theoretically I would be able to display shit.

Theoretically. There could always be some little dumb thing fucking me over.

I'll be able to find out whenever I get a new mobo. Soon, I hope.

In the meantime, I guess I can work out more things.

Sparsite
Posted on 11-13-16 09:49 PM Link | #79695
So are you wanting to release a gamepad emu as well as a firmware patch so that people can use to play on their gamepad separate from the Wii U console?

StapleButter
Posted on 11-14-16 06:13 PM Link | #79707
An emulator isn't in the current plans, it would have little point besides helping homebrew dev if that ever caught on.

As for distributing homebrew to the masses, well, the stock firmware can be updated over wifi. The challenge would be replicating the update feature in homebrew, in a safe way so that you can't brick your gamepad.

StapleButter
Posted on 12-29-16 08:24 AM Link | #80604
Since I won't be able to get back to the hardware before the 7th, I'm digging more into the firmware.

Check out the doc and see by yourself. I'm adding some notes on the audio system. I can't go very far by only looking at the code, but it seems to be a simple streamer with a circular buffer. No idea how stereo would work -- probably by interleaving data for the left and right channels.

Input would also be interesting to work out. It relies on the UIC, I have yet to work out the protocol.

StapleButter
Posted on 01-08-17 09:35 PM (rev. 3 of 01-08-17 11:03 PM) Link | #80856
hey hey hey hey


I just ran my first code on the gamepad


well, it's very simple. all it does is turn on the rumble motor, since that's the easiest thing to do to verify that the code is running at all (using the screen requires using I2C and setting up framebuffer shit, and I don't know how to control LEDs or shit).


+ code is running!
+ the Flash chip isn't tied to the motherboard.

- requires moving the Flash chip around. hoping the connections don't break.
- can't write much shit in the Flash chip. I attempted using 4-byte address mode but it fucks up, no idea what's going on. (gamepad does use 4-byte address mode, look into that you lazy fuck)
- I fucking burned my thumb.


TODO LIST

* hopefully, get the screen working
* hijack rumble GPIO as a debug/comm line? or look into hijacking UART?
* dump the boot ROM, work out system details like CPU ID etc
* work out shit like input, audio, SPI, etc...


side note: the Flash bootloader is weird

first word is the size of the bootloader
next 0x40 bytes are the exception vectors, loaded at 0x00000000
the rest (size-0x40) is loaded at 0x003F0000

compiling something right takes some trickery, but eh

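The bootloader layout described in the side note above, as an added example that is not the project's code: a parser that splits a Flash bootloader image into its two load regions, and the inverse builder for producing an image with the right size word. Assumptions not stated in the thread: the size word is little-endian and counts the bytes after itself (vectors plus the rest), and the sample image is constructed, not a real dump.

```python
# Added example: parse/build the Flash bootloader image format from the thread.
import struct

VECTORS_SIZE = 0x40            # exception vector table length
VECTORS_LOAD_ADDR = 0x00000000 # vectors are loaded at address 0
BODY_LOAD_ADDR = 0x003F0000    # the remaining (size - 0x40) bytes land here


def parse_bootloader(image: bytes, endian: str = "<"):
    """Split an image into [(load_address, data), ...] in load order.

    Layout per the thread: first 32-bit word = bootloader size, next 0x40
    bytes = exception vectors, the rest of the size goes to 0x003F0000.
    Endianness and "size counts bytes after the size word" are assumptions.
    """
    if len(image) < 4:
        raise ValueError("image too short for the size word")
    (size,) = struct.unpack_from(endian + "I", image, 0)
    if size < VECTORS_SIZE:
        raise ValueError(f"size {size:#x} is smaller than the vector table")
    if len(image) < 4 + size:
        raise ValueError(f"image truncated: need {4 + size} bytes, have {len(image)}")
    vectors = image[4:4 + VECTORS_SIZE]
    body = image[4 + VECTORS_SIZE:4 + size]
    return [(VECTORS_LOAD_ADDR, vectors), (BODY_LOAD_ADDR, body)]


def build_bootloader(vectors: bytes, body: bytes, endian: str = "<") -> bytes:
    """Inverse of parse_bootloader: emit size word + vectors + body.
    The format has no separate vector length field, so the table must
    be exactly 0x40 bytes; this is the 'trickery' a build step needs."""
    if len(vectors) != VECTORS_SIZE:
        raise ValueError("vector table must be exactly 0x40 bytes")
    return struct.pack(endian + "I", VECTORS_SIZE + len(body)) + vectors + body


# Constructed sample (not a real dump): 0x40 bytes of filler vectors and a
# 12-byte body, so the size word should come out as 0x4c.
SAMPLE_VECTORS = bytes([0xEE]) * VECTORS_SIZE
SAMPLE_BODY = bytes(range(12))
SAMPLE_IMAGE = build_bootloader(SAMPLE_VECTORS, SAMPLE_BODY)

if __name__ == "__main__":
    for addr, data in parse_bootloader(SAMPLE_IMAGE):
        print(f"load {len(data):#06x} bytes at {addr:#010x}")
```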