Wiimote/Reverse Engineering

From WiiLi


What we need to know

  • How to enable the Classic Controller and read all events from it (buttons and joysticks)
  • How to get the Power Button to work
  • How to play sound without horrible distortion

What you can do right now

  • Call around and gain access to a Bluetooth Air Sniffer - try your local university!
  • Call around and get a price for renting a Bluetooth Air Sniffer
  • Write tasks to be sniffed and logged

This is why we need a Bluetooth Air Sniffer

We need specialized test equipment that can sniff the communication between the Wii and the Wiimote and record it in a time-stamped log. Supposedly, customized firmware will enable certain $20 Bluetooth USB dongles to work as a sniffer ([Doc]), however finding that firmware has proven problematic. Wireshark (formerly Ethereal) already supports Bluetooth capture files, but how to get capture files out of such a dongle is still unknown. So a $20 dongle won't work for now.

The FTS4BT sniffer would be perfect. Much of what we know today about the Wiimote protocol was discovered by somebody who once had access to an FTS4BT. However, he never came back and never provided us with logs. It is my understanding that the FTS4BT is able to record complete Bluetooth Air Sniffing logs, and that FTS provides a free viewer for these logs.

Now, we don't need to purchase one - and I hear that the FTS4BT costs $4000 (somebody please confirm that). Can the FTS4BT be rented? Where, when and for how much? We only need somebody with access to a BT Air Sniffer to run some tests - it shouldn't take very long if you know how to use an Air Sniffer.

Note: The FTS4BT is available from Rohde & Schwarz at a starting price of €8000 plus VAT (around 10,500.8 U.S. dollars); a premium service package containing all software and firmware updates for a year is included. FTE.com suggests a price of around $9,995 U.S.

There's also the CATC/LeCroy "Merlin II" Bluetooth Protocol Analyzer. It looks like it could meet our requirements as well, but the log viewer software might not be free. The Merlin II is quite expensive as well; on eBay, the Merlin goes for over $5000.

You would have to provide task logs with timestamps. Each of the following tasks should be recorded as a separate log.

Tasks to Record

These tasks should be easy to reproduce by anybody who has a Wii, a Wiimote, a Nunchuk, a Classic Controller, Zelda, Wii Sports, Mario64 and a NES VC game. The goal is to write tasks that can be reproduced with fairly precise timing, and that can then be sniffed and recorded with a BT Air Sniffer. The sniffer logs should then contain everything we need to reverse engineer the missing features listed above in "What we need to know".

During these tasks, the Wiimote should be standing undisturbed on a flat surface, pointed away from any IR source.

  1. Plugging in a Classic Controller in a NES VC Game
  2. Using a Classic Controller to play a N64 VC Game, i.e. to navigate the Mario64 main menu
  3. Using a Classic Controller to navigate the Wii Menu right after a "Go back to Wii Menu" from a VC Game
  4. Plugging in a Nunchuk when asked to by the Wii, i.e. right after starting Zelda with A+B, or in Wii Sports Boxing
  5. Using a Nunchuk in Zelda and/or Wii Sports Boxing

During these, you obviously have to be using the Wiimote.

  1. Playing sounds - what is the best way to generate sounds? Precise time logs will be useful. Perhaps sniff communications while the Wiimote is playing sound both in Zelda and Wii Sports.
  2. Wii is on, in the main menu, paired with a single Wiimote. Point Wiimote away from the sensor bar, start sniffing, and at T+5s, turn off the Wii using the power button of the Wiimote.
  3. Wii and Wiimote have been turned off for at least 30s. Start sniffing. At T+5s, turn on the Wii using the power button of the Wiimote. Wait until the health warning screen appears, then wait 5s, then press "A" on the Wiimote to start the Wii Menu. Once the Wii Menu appears, point at the center of the screen, then go to Calibrate Sensor Bar in the Wii configuration menu, and try all calibration settings.
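Whatever sniffer ends up capturing these tasks, the logs are only useful once turned into a time-stamped list of HID reports with their direction. The following added example (not code from the WiiLi project) parses a btsnoop capture, the file format hcidump writes and Wireshark reads, and prints each HID report with its T+ time; the sample capture, the L2CAP CID and the ACL connection handle in it are constructed values.

```python
import struct

HCI_ACL = 0x02                       # H4 packet-type byte that precedes ACL data
HID_INPUT, HID_OUTPUT = 0xA1, 0xA2   # Bluetooth HID DATA headers: device->host, host->device

def parse_btsnoop(blob):
    """Return [(t_ms, direction, report_id, payload_hex), ...] for every HID report
    in a btsnoop capture. t_ms is milliseconds after the first record, i.e. the
    'T+' clock the task list on this page asks for."""
    if blob[:8] != b"btsnoop\0":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != 1002:             # 1002 = HCI UART (H4): each packet starts with a type byte
        raise ValueError("unsupported datalink type %d" % datalink)
    pos, t0, out = 16, None, []
    while pos + 24 <= len(blob):
        # record header: original length, included length, flags, drops (big-endian u32), then
        # a signed 64-bit timestamp in microseconds; flags bit 0 is the direction (0 = sent)
        _orig, incl, _flags, _drops, ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        t0 = ts if t0 is None else t0
        if not pkt or pkt[0] != HCI_ACL:
            continue                 # HCI commands and events carry no HID traffic
        # ACL header: handle+flags (2 bytes LE), length (2 bytes LE); then L2CAP length and CID
        l2cap_len, _cid = struct.unpack("<HH", pkt[5:9])
        hid = pkt[9:9 + l2cap_len]
        if len(hid) < 2 or hid[0] not in (HID_INPUT, HID_OUTPUT):
            continue                 # assumption: unfragmented PDUs; only HID DATA transactions kept
        direction = "Wii->Wiimote" if hid[0] == HID_OUTPUT else "Wiimote->Wii"
        out.append(((ts - t0) // 1000, direction, hid[1], hid[2:].hex()))
    return out

def build_record(ts_us, hid, sent):
    """Wrap one HID transaction in L2CAP/ACL/H4 framing plus a btsnoop record header (constructed)."""
    l2cap = struct.pack("<HH", len(hid), 0x0041) + hid                   # CID 0x41 is a placeholder
    acl = struct.pack("<HH", 0x0021 | (0x2 << 12), len(l2cap)) + l2cap  # handle 0x21, PB flag = start
    pkt = bytes([HCI_ACL]) + acl
    return struct.pack(">IIIIq", len(pkt), len(pkt), 0 if sent else 1, 0, ts_us) + pkt

# Constructed sample: an LED output report (ID 0x11) at T+0 and a core-buttons
# input report (ID 0x30) 5 s later, mimicking the timing of the task list above.
SAMPLE = (b"btsnoop\0" + struct.pack(">II", 1, 1002)
          + build_record(1_000_000, bytes([HID_OUTPUT, 0x11, 0x10]), sent=True)
          + build_record(6_000_000, bytes([HID_INPUT, 0x30, 0x00, 0x08]), sent=False))

if __name__ == "__main__":
    for t_ms, direction, report_id, payload in parse_btsnoop(SAMPLE):
        print("T+%6d ms  %-13s report 0x%02x  %s" % (t_ms, direction, report_id, payload))
```

Point it at a real hcidump `-w` file by replacing SAMPLE with the file's bytes; traffic on other L2CAP channels that happens to start with 0xA1/0xA2 would need CID tracking, which this parser does not do.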

Please, ask around and try to get access to an Air Sniffer!

There might be some alternatives, and you're probably not the first to think about them

What if we don't have access to a Bluetooth Air Sniffer? What are our other options?

Our second best bet, after a BT Air Sniffer, is to use a USB sniffer to sniff communications between the Wii and the BCM2045 Bluetooth module that is built into the Wii. We have confirmed that the module uses USB. This means that we need to open up a Wii and observe all traffic to and from the BCM2045 module. We know some people who have the technical ability to do this, but they would need access to a USB sniffer for a few days. We don't know if USB 1 is okay, or if USB 2 is necessary. Several companies, including Ellisys and TotalPhase, sell USB sniffers for around $400.

Let's not discount these possibilities either.

  1. We could create a Bluetooth device that emulates a Wiimote, and pairs with a Wii. ch0p says it might be possible. I've heard that conventional Bluetooth chipsets can't do it, but nobody knows for sure.
  2. We could design our own Air Sniffer, possibly using a software radio. This would be, I understand, incredibly hard, as Bluetooth is a complex frequency-hopping protocol. Only a madman would attempt to design his own Bluetooth Air Sniffer! (But see http://www.usenix.org/event/woot07/tech/full_papers/spill/spill_html )
  3. We could hack the firmware of an existing USB Bluetooth adapter and give it the ability to Air-Sniff Bluetooth communications. This would require knowledge of those adapters far beyond that which we have. We'd need documentation that does not appear to be available at any price.
  4. We could do a Man-in-the-Middle attack: connect to the Wiimote with a normal PC Bluetooth adapter, and bridge that adapter to a second one which we would pair to the Wii, hence relaying all data from the Wii to the Wiimote and back. However, we might not be able to do that using conventional PC Bluetooth Chipsets.

What we know already

Well, the information is on the Wiimote page, but to summarize, we know:

  • How to control the LEDs
  • How to control the Rumble
  • How to change the Wiimote mode (Basic, Accelerometer-only, IR+Accelerometer, Half-rate IR, etc...)
  • How to read the button states
  • How to read the IR sensor data
  • How to read the accelerometer data
  • How to read the battery status
  • How to detect when somebody plugs in an expansion controller
  • How to read and write memory
  • How to get distorted sound to play on the speaker
  • The main parts of the storage format for Miis
  • How to enable the Nunchuk and read all events from it (buttons, joystick, accelerometer)

What would be nice to know

  • A full map of all available registers
  • The format of half-rate IR reports

What would be really nice to know but we probably never will

  • How to gain direct and complete control of the expansion port
  • How to run arbitrary code on the 8051 processor