WiiLi.org

mmmlinux · Joined: 09 Nov 2006 Posts: 5 Location: Maryland

i will mess with my wiimote on my mac later... i will let you know how its goes.

Maxious · Joined: 17 Nov 2006 Posts: 26 Location: Australia

apullin · Joined: 22 Nov 2006 Posts: 1

Hey guys. So I've been playing around with the bluetooth capabilities and here's what I've found; I'll apologize for not having much code or output to paste, as I am in Windows right now. I'll repeat some of this in linux tomorrow and put up some more details:

I don't know much about how Bluetooth is implemented; it is clearly very complex. However:

If I hold down the SYNC button on the remote and do "hcitool scan" , I can indeed detect the remote (and read its bdaddr). I think it was something like 00:17:ae:##:##:##.
I can connect to it with hcitool cc <bdaddr> , although the connection dies a few seconds after releasing the SYNC button.

I then tried holding the SYNC button, and doing "hidd --search" ; this finds the remote, and automatically initiates a connection to it. This connection lasts, and the 4 blue LED's continue to flash.
Here's the EXITING part:
If I do "hcidump" which I connect, I can see the torrent of bluetooth packets come across, which is all about the connection negotiation and service discovery.
HOWEVER if I do hcidump -R (for raw dump), after all of the negotiation, when I pretty buttons on the Wiimote, I can see output!

That is, there is a long string (15 bytes? maybe more), and the last few chane based on which button I press. So there's a proof of concept already. Motion control doesnt seem to be on, as moving it doesn't change these values.

Plugging in the nunchuck gives some similar code across the BT, but after that I see no more button presses.

I'm no superhacker, but I did find PyBluez, which is python binding for the bluetooth stack. They have some example code that does service dicovery and enumeration, and it lists all sorts of stuff (will post tomorrow). This should give me a good basis, once I get my crap together, to start reading / sending data to the remote.

So, I also tried bluetooth in Windows. Windows claims that is has a "Human Interface Device" service. In fact, when I connect to it (have to hold down sync button), windows detects it as a Bluetooth Joystick, and installs some driver for it (don't know from where). If I go to the Game Controller properties for it, no widgets of any sort are present in the configutation window. Oh well. I know some insiders at Microsoft that have access to the Windows source, but I doubt they are going to help me write a driver for this Smile

I was unable to detect the Wii console's bluetooth activity at all. I tried to emulate the remote with my BT adapter, by using some sneaky code I found online (bdaddr.c) to change my bluetooth MAC, and then changed the config in gentoo to match the class / services of the remote, and then seeing if the console tried to initiate a connection to me. Like I said, I saw nothing, but I perhaps forgot a minor detail in the setup.
I'm also going to go and grab an Action Replay tomorrow and see what kind of damage I can do to this system with SDLoad.

Speculation:
-- There is a software handshaking between the remote and the console that determines which controller # that wiimote is. I have no idea how to figure out what it wants other than sniffing bluetooth packets from the air? Considering its an MS-backed standard, I think bluetooth sniffers are going to be "underdeveloped"
-- There is something about an hidd connection as opposed to an hci connection that I don't understand, and I suppose there is some sort of keepalive sent? But I don't see it on hcidump, so perhaps the connection is initiated with different codes that keeps it on
-- The handshaking may be what turns the motion control on in the remote?
-- Or perhaps the remote stores its orientation internally, and only reports it upon request
-It seems kinds funny, that the remote has the letters "RVL" it it's device name, almost as if it were a controller for a Nintendo Revolution....

So, if you are a savvy bluetooth hacker, or can get a BT packet sniffer working, this is probably going to be really easy to sort out......

(edit) Oh, I just thought of something... if PPC linux (perhaps even the GC linux project) can get running on the Wii, that would likely let us find the console's bdaddr, and possibly get a terminate-and-stay-resident program in there that would record a negotiation between the console and the remote?
I don't really want to take my wiimote apart until there are more in stock at stores in case I buggar this one up.

andy753421 · Site Admin Joined: 22 Nov 2006 Posts: 21

apullin: Thanks for the info about using -R

When you attempt to initiate a connection to the Wii itself I believe you'll need to press the buttons on the wiimote and then press the sync button on the Wii (or use the temporary sync option from the menu). See the manual section on synchronization for more info. http://www.gamepro.com/news.cfm?article_id=86491

If you could post any information you obtain on the wiki (I made a couple sections, "Wiimote drivers" and "Wii bluetooth specs") I would be grateful since I only have a wiimote and no Wii.

Another thing to look into is why the data from -R is not put though regularly and why nothing shows up in /dev/input/eventX.

As for the handshake part, if you use hcidump without -R you'll see a line towards the end that says "HIDP: Handshake: Unsupported request". I'm not sure what it does, but it looks important and the communication stops right afterwards.

If you happen to have two wiimotes could you also run 'sdptool records --tree bdaddr' on both of them? Specifically in "Attribute Identifier : 0x204 - VirtualCable"

[edit]
I did some looking around with hcidump and you can get values with 'hcidump -[xX]' as well. The numbers being put out seem to be integers, I'm not sure what the first two bytes do but the last 2 are mask values for the buttons. I put up a list of them on the wiki under the 'wii bluetooth spec' section.

What is actually happening is that whenever you press/release a button the controller sends it's state across bluetooth. Someone with a Wii, are any of the buttons on the controller pressure sensitive? The values I'm getting seem to be entirely digital. I was also surprised that the power button does not send events..

andy753421 · Site Admin Joined: 22 Nov 2006 Posts: 21

I was reading though the BT HID spec and found some interesting things:

The "HIDP: Handshake: Unsupported request" is the remote telling the PC that it doesnt support the HID Boot protocol, I'm not yet sure if that matters. I tried changing the hidp kernel module so that it attempted to set the protocol to "Report Protocol", and then left out the setting all together. Report protocol generated the same errors, while nothing simply left out all the hcidump messages following the set protocol request.

My guess is that you have to request the positional data from time to time, since it's always being updated it would make more sense than constantly sending it.

I haven't looked into BT libraries much, does the python code you were talking about replace hidd or work after the connection is set up by hidd?

lucas · Joined: 25 Nov 2006 Posts: 4

Hey guys. I did some logging between my Mac and a Wiimote last night, and I found some interesting stuff. From what I can tell, the reason the Wiimote flashes is because it is connected but not actually paired or "deep paired", as it were. In order to pair properly, I think a pin needs to be used. It's possible that this pin could be up to 128-bits, so it's very important for someone to get a log of the Bluetooth pairing setup between a Wiimote and a Wii using a Bluetooth sniffer.

Here is a translated log of the Bluetooth communication between my Mac and a Wiimote. I expanded the authentication failure command for emphasis: