howto.txt
https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering/issues/7#issuecomment-328680285
Please read the documentation here.
The x02 at the end is the subcmd that requests device info.
You need to reply to this with a 0x21 input report.
To register your controller you need to forge the following subcmd replies when asked:
Send 82 02 reply that contains a forged device info
Send 90 10 00 60 00 00 10 spi reply that contains a forged serial number or just zeroes
Send 80 08 reply (ack for receiving the set shipment command)
Send 80 03 reply (ack that you changed input report format)
Now you need to start sending forged 0x30 input reports every 15ms. I don't know what switch will do if you don't, so try both.
Send 83 04 reply that contains the elapsed time after pressing a trigger. Better not be zero.
Send 90 10 80 60 00 00 18 spi reply that contains forged Factory Sensor and Stick device parameters
Send 90 10 98 60 00 00 12 spi reply that contains forged Factory Stick device parameters 2
Send 90 10 10 80 00 00 18 spi reply that contains forged User Analog sticks calibration. Send zeroes.
Send 90 10 3d 60 00 00 19 spi reply that contains forged Factory configuration & calibration 2.
Send 90 10 20 60 00 00 18 spi reply that contains forged Factory configuration & calibration 1.
Send 80 48 reply (ack that you enabled vibration)
Send 80 40 reply (ack that you enabled 6-Axis sensor)
Send 80 30 reply (ack that you set Player lights)
Send 80 48 reply (ack that you enabled vibration again)
Congrats, you just paired your device with Switch.
Keep in mind that if the Switch loses a packet, it will send the same command again. So you should send them according to the output report you received from the Switch, not sequentially.
===
Docs ::
https://github.com/timmeh87/switchnotes/blob/master/console_pairing_session
communication of successful pairing with nintendo switch console.
(from the perspective of the controller)
only the significant bytes of packets are shown. they are all padded out to 49 bytes with zeros
the packets are broken onto two lines for ease of reading. the first line is the payload,
and the second line is the subcommand section
Once the controller is paired, its color appears black on the switch menu screen.
Obviously this is because the SPI reads are returning zero for personal data such as color.
It would be best to emulate these areas with EEPROM. looking at this session,
the bare minimum eeprom emulator should work for these addresses
6000
6020
603d (twice)
6080
6098 (twice)
8010
the range (0x6000 - 0x8fff) could be easily emulated to cover this small region.
it's not clear what will happen later on if the wii tries to use the other 512k of
the joycon eeprom memory range
-------------------------------------
Successful pairing session follows
-------------------------------------
rcvd: 0x01 0x0E 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 02 : Request device info
Sent: 0x21 0x05 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x82 0x02 0x03 0x48 0x01 0x02 0xA2 0x55 0x79 0xAB 0x78 0xCC 0x01 0x01
rcvd: 0x01 0x0F 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 08 : set shipment
Sent: 0x21 0x06 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x00 0x60 0x00 0x00 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x07 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x00 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x3D 0x60 0x00 0x00 0x19 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x08 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x3D 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x02 0x00 0x01 0x40 0x40 0x00 0x01 0x40 0x40
0x03 0x30 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 03 : Set input report mode
Sent: 0x21 0x09 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 04 : Trigger buttons elapsed time
Sent: 0x21 0x0A 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x83 0x04 0x00 0xCC 0x00 0xEE 0x00 0xFF 0x00 0x00 0x00
rcvd: 0x01 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x80 0x60 0x00 0x00 0x18 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x0B 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x80 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x05 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x98 0x60 0x00 0x00 0x12 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x0C 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x98 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x10 0x80 0x00 0x00 0x18 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x0D 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x10 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x07 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x3D 0x60 0x00 0x00 0x19 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x0E 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x3D 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x20 0x60 0x00 0x00 0x18 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 10 : SPI flash read
Sent: 0x21 0x00 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x90 0x10 0x20 0x60 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x09 0x00 0x01 0x40 0x40 0x00 0x01 0x40 0x40
0x48 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 48 : Enable vibration
Sent: 0x21 0x02 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x48 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x0A 0x00 0x01 0x40 0x40 0x00 0x01 0x40 0x40
0x40 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 40 : Enable 6-Axis sensor
Sent: 0x21 0x03 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x0B 0xC2 0x00 0x0F 0x40 0xC2 0x00 0x0F 0x40
0x48 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 48 : Enable vibration
Sent: 0x21 0x04 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x48 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x0C 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x30 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 30 : Set player lights
Sent: 0x21 0x05 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x30 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
<console goes to sleep after a time...>
rcvd: 0x01 0x0D 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Received subcommand 06 : Reset connection (Disconnect)
Sent: 0x21 0x07 0x8E 0x84 0x00 0x12 0x01 0x18 0x80 0x01 0x18 0x80 0x80
0x80 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
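
Added example (not part of the original notes or of either linked project): a small Python decoder for the "rcvd" packets in the session above. It assumes the SPI read arguments are a 4-byte little-endian address followed by a 1-byte length, which is what the address list above implies; the function names are hypothetical.

```python
import re
from collections import Counter

# Subcommand names exactly as labelled in the session log above.
SUBCMD_NAMES = {
    0x02: "Request device info", 0x03: "Set input report mode",
    0x04: "Trigger buttons elapsed time", 0x06: "Reset connection (Disconnect)",
    0x08: "set shipment", 0x10: "SPI flash read", 0x30: "Set player lights",
    0x40: "Enable 6-Axis sensor", 0x48: "Enable vibration",
}
EMU_START, EMU_END = 0x6000, 0x8FFF  # range the notes propose to emulate

# Excerpt of "rcvd" packets from the session above (payload line, then
# subcommand line); trailing zero padding is shortened here.
SAMPLE = """\
rcvd: 0x01 0x0E 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x02 0x00 0x00 0x00 0x00 0x00
rcvd: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x00 0x60 0x00 0x00 0x10
rcvd: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x3D 0x60 0x00 0x00 0x19
rcvd: 0x01 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x10 0x80 0x00 0x00 0x18
rcvd: 0x01 0x07 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x10 0x3D 0x60 0x00 0x00 0x19
"""

def hex_bytes(line):
    """Collect every 0xNN token on a log line into a bytes object."""
    return bytes(int(t, 16) for t in re.findall(r"0x([0-9A-Fa-f]{2})", line))

def decode(payload, sub):
    """Decode one output report: 10-byte payload plus subcommand section."""
    if len(payload) < 10 or payload[0] != 0x01 or not sub:
        raise ValueError("not a 0x01 output report with a subcommand")
    info = {"counter": payload[1], "subcmd": sub[0],
            "name": SUBCMD_NAMES.get(sub[0], "unknown")}
    if sub[0] == 0x10:
        if len(sub) < 6:
            raise ValueError("truncated SPI read request")
        addr, length = int.from_bytes(sub[1:5], "little"), sub[5]
        info.update(addr=addr, length=length,
                    in_range=EMU_START <= addr and addr + length - 1 <= EMU_END)
    return info

def decode_session(text):
    lines = [l for l in text.splitlines() if l.strip()]
    return [decode(hex_bytes(l), hex_bytes(lines[i + 1]))
            for i, l in enumerate(lines[:-1]) if l.startswith("rcvd:")]

def spi_read_counts(packets):
    """How often each SPI address is requested; repeats show up as counts > 1."""
    return Counter(p["addr"] for p in packets if p["subcmd"] == 0x10)
```

Because the same address can be requested more than once, the counts make it clear why replies have to be keyed on the received subcommand and address rather than on position in the sequence.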
// Docs
https://gist.github.com/shuffle2/5c986313c9c45e952f80af79dde7f435
https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering/blob/master/packet_parse/bt_over_usb_wireshark_dissector.lua