WiiLi.org

[beeloot]

Hello all,

In reference to the disassembly of the Wiimote made by Sparkfun, I would like to know if somebody already went further and tried to modify the firmware of the 8051 microcontroller. They provide a raw dump of the I2C EEPROM on their website.

My idea is to use the PCB of the Wiimote as the basis for some robotics project.

Any info on 8051 firmware reverse-engineering? Anyone interested?

[beeloot]

I started to reverse engineer the firmware of the 8051 microcontroller.

Here is some random info, just starting:

- EEPROM offset 0x1770 is mapped at address 0x7F35 in 8051 program space (this is not the entry point of the firmware though)

- Bluetooth class number is at 0x7F3F

- Bluetooth HID descriptor table is at 0x80BC

- Found three jump tables:

* Address 0x8714, size 32 entries
* Address 0x8781, size 32 entries
* Address 0x87EE, size 11 entries

The last table is a table of command handlers for Bluetooth output reports (i.e. address 0x87EE has a jump to the command handler of output report 0x10, address 0x87F1 jumps to command handler of output report 0x11, etc).

I am curious to see if there is some sort of CRC built-in. For example, does altering the string at EEPROM offset 0x178C (Nintendo RVL-CNT-01) actually changes the Bluetooth name of the device? Or perhaps changing some unused values just to see if the Wiimote still functions correctly.

Does anyone have the possibility to easily backup / modify the contents of the I2C EEPROM? I don't own a Wiimote so at the moment I am not able to try this myself.