Hacking the WiiU gamepad

Thread starter: Arisotura
Nice work! Definitely a really cool project.
I actually started working on something similar a while back, but instead of replacing the flash I just used the existing flash and used my Pi to write to the flash.
I started patching some stuff in the existing firmware, but decided to start working on a firmware replacement instead.
Looks like you're already a lot further than I ever got with display initialization working.
 
@GaryOderNichts

Oh hey, a fellow hacker! Super interesting!

Interesting that you were able to program the FLASH in-situ, because I was never able to get that working reliably.

Is your picture a hack based on the stock firmware, or something entirely custom? I'm guessing the former given what you've said, but I wanna be sure :) I am also curious as to how it works and what it does.
 
Last edited by Arisotura.
Interesting that you were able to program the FLASH in-situ, because I was never able to get that working reliably.
There's an issue with flashrom I had to fix, which prevents writing to the flash reliably: https://github.com/GaryOderNichts/flashrom/commit/10b5ed793ab2185d044988f31b022e8768752be4

Is your picture a hack based on the stock firmware, or something entirely custom? I'm guessing the former given what you've said, but I wanna be sure :) I am also curious as to how it works and what it does.
There's a hidden menu in the firmware which can be opened if a flag is set in the UIC EEPROM. You can probably find it by searching for the "DK Menu" string in the firmware.
I just wrote some firmware patches which add additional entries to this menu, to test out some code.

Also can anyone edit pages on the wiki? I can document some of the things I have RE'd.
Is there a way to get in contact with you? Discord?
 
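The "search for the string" step above is the usual first move when locating a hidden menu in a flat firmware dump; the second move is finding the code that references it. The script below is an added example written for this thread, not code posted by either participant. It assumes a little-endian 32-bit image mapped at a hypothetical LOAD_BASE (a guess, to be replaced with the real load address) and looks for aligned words equal to the string's absolute address, which on ARM-style firmware are typically literal-pool entries sitting next to the function that uses the string. The firmware image it runs on is a constructed sample, not a real dump.

```python
"""Find a string in a raw firmware image and the words that point at it."""
import struct

# Assumption for this example, not a value from the thread: the image is a
# flat little-endian 32-bit firmware mapped at LOAD_BASE. Adjust as needed.
LOAD_BASE = 0x00000000


def find_strings(blob: bytes, needle: str):
    """Return (offset, encoding) for every ASCII or UTF-16LE occurrence of needle."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        pos = blob.find(pat)
        while pos != -1:
            hits.append((pos, enc))
            pos = blob.find(pat, pos + 1)
    return sorted(hits)


def find_pointers(blob: bytes, target_off: int, base: int = LOAD_BASE, align: int = 4):
    """Offsets of aligned 32-bit LE words equal to base + target_off.

    Each hit is a candidate absolute reference to the string (e.g. an ARM
    literal-pool entry), so the surrounding code is where to start reversing.
    """
    want = struct.pack("<I", base + target_off)
    return [off for off in range(0, len(blob) - 3, align) if blob[off:off + 4] == want]


def xrefs(blob: bytes, needle: str, base: int = LOAD_BASE):
    """Map every occurrence of needle to the offsets of words referencing it."""
    return {(off, enc): find_pointers(blob, off, base) for off, enc in find_strings(blob, needle)}


def build_sample() -> bytes:
    """Constructed sample image (not a real dump): an ASCII 'DK Menu' at 0x40,
    a UTF-16LE copy at 0x60, and a pointer word at 0x10 referencing the ASCII one."""
    img = bytearray(0x80)
    ascii_str = b"DK Menu\x00"
    img[0x40:0x40 + len(ascii_str)] = ascii_str
    img[0x10:0x14] = struct.pack("<I", LOAD_BASE + 0x40)
    wide_str = "DK Menu".encode("utf-16-le")
    img[0x60:0x60 + len(wide_str)] = wide_str
    return bytes(img)


SAMPLE = build_sample()

if __name__ == "__main__":
    for (off, enc), refs in xrefs(SAMPLE, "DK Menu").items():
        print(f"{enc:10s} string at 0x{off:08x}; referenced from "
              + (", ".join(f"0x{r:08x}" for r in refs) or "nothing found"))
```

On a real dump, run `xrefs(open("firmware.bin", "rb").read(), "DK Menu", base=...)` with the correct load address; an occurrence with no references usually means the base is wrong or the string is reached via a relative offset rather than an absolute pointer.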
Oh, I see. I had custom code to read and write the FLASH on the raspi. Later I tried with an ICSP header and a MiniPro. But I had issues where whatever I was writing wasn't being written reliably...

Oh well, I got no such problems with the FPGA.

re: hidden menu

So you've been hacking the diagnostics firmware, interesting. I had a feeling since I recognized the font.

I thought it required a specific debugger device to be present on the expansion port, no idea it was possible to trigger it with an EEPROM flag, so that's good to know!

I'm currently messing with a quick and dirty gamepad emulator, I want to see if I can emulate the diagnostics firmware and see what it can do.

re: wiki

I haven't opened it to the public to keep things safer for now. That being said, I'd happily give you access!

You can contact me on Discord -- Arisotura.
 
Nice work! Definitely a really cool project.
I actually started working on something similar a while back, but instead of replacing the flash I just used the existing flash and used my Pi to write to the flash.
I started patching some stuff in the existing firmware, but decided to start working on a firmware replacement instead.
Looks like you're already a lot further than I ever got with display initialization working.
will this be a way to easily access the Test Mode?
 
Little update. Not much to say, other than I figured out why I was getting error 165-8418 on my hacked gamepad. The language bank setting didn't match what was in my firmware dump, causing the firmware to fail to load localized assets.

I still don't know why or how that gamepad motherboard bricked itself, though. Either I made a mistake while adding write support to my FLASH emulator, or it was whatever fault that motherboard had. I remember having had other odd problems with it.

Oh well.

I ordered another motherboard from eBay, but it was damaged and nonfunctional. And it turns out that my soldering skills are no match for anything that is 0.5mm in pitch, so... yeah.

I have other plans instead. This kinda implies more delay tho...

I made a quick attempt at a gamepad emulator mostly for scientific purposes. I want to get it to run the diagnostics firmware (the DK Menu).
 
In the meantime, I did manage to temporarily resurrect the FPGApad with a UIC transplant that, for once, mostly worked. I backed up that UIC's EEPROM and reflashed it with the previous UIC's data, so it has the correct calibration data.

I've been at work with the wifi card. I'm able to scan for APs and get some data out of it, so there's that. Still haven't figured out how to get it to actually connect to an AP, but we'll get there. I also need to rework and clean up my code, it's a huge mess atm as I'm testing stuff.

Either way, this is looking good, as getting wifi working is the biggest goal to reach before I can release something people can play with.

However, I'm in a bit of a conundrum. The BCM4319 firmware Nintendo shipped with the gamepad firmware seems to only support the 5GHz band. I found some other BCM4319 firmwares that work, but they have the opposite issue -- they only support the 2.4GHz band.

It kinda sucks. I guess it would make sense to have a 5GHz compatible AP/thing if you're going to mess with the gamepad, but I'd kinda like to also have 2.4GHz compatibility, especially as the BCM4319 supports that (and also because I have nothing that can provide a 5GHz network, here).

So I'd need to either find a firmware that supports both bands, or go with 5GHz.

In other news, I will be getting surgery soon, and likely won't have access to my FPGApad for a while. I have another idea -- I think I'll try emulating the UIC in my little emulator thing. Emulating a STM8 seems cute and sounds like the perfect distraction while recovering from surgery :P

Another reason is that the ideas I have for the gamepad will require messing with the UIC, and having an emulator for that will definitely be useful, especially given how easy it is to brick a UIC.
 
Long time no see! I've been taken by the surgery and recovery, but thankfully all is going well. I'm working on the STM8 emulator in the meantime.

I'm trying to get the gamepad's UIC firmware to boot. I'm reaching the point where it tries to communicate with the PMIC over I2C. I have to improve my I2C emulation to get that working.

I want to get this to the point I can insert it into pomelopad (my gamepad emulator) and feed it real world data. Then we'll see how it fares, I guess.

I thought I had uncovered a bug with the UIC timer code, but I had just assumed the wrong thing :P

Regardless, if I can figure out why the gamepad takes so long to boot, maybe making it quicker would be worthwhile.
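The post above stops at the point where the emulated UIC firmware starts talking to the PMIC over I2C. The model below is an added example of what transaction-level I2C emulation looks like, written for this thread; it is not code from pomelopad or the STM8 emulator, and the slave address and register map are assumptions, not values from the gamepad. It models the bus at the level an emulated MCU peripheral needs: START with address and R/W bit, data bytes with ACK/NACK, repeated START, STOP. The point it makes is that NACKs have to be reported faithfully, because firmware that polls an ACK bit will hang or take an error path depending on what the model returns.

```python
"""Transaction-level I2C bus model for a firmware emulator (added example)."""


class RegisterFileSlave:
    """7-bit-addressed slave with an auto-incrementing register pointer.

    Stands in for a PMIC-like device; the register map is an assumption.
    """

    def __init__(self, address: int, registers: dict):
        self.address = address
        self.regs = dict(registers)
        self.pointer = 0
        self._expect_pointer = True

    def start(self, read: bool) -> None:
        # After a write-START the first data byte selects the register.
        self._expect_pointer = not read

    def write(self, byte: int) -> bool:
        """Master -> slave byte. Returns True for ACK, False for NACK."""
        if self._expect_pointer:
            self.pointer = byte & 0xFF
            self._expect_pointer = False
            return True
        if self.pointer not in self.regs:
            return False  # NACK: unmapped register, firmware must see this
        self.regs[self.pointer] = byte & 0xFF
        self.pointer += 1
        return True

    def read(self) -> int:
        """Slave -> master byte. Unmapped registers read as 0xFF (idle-high SDA)."""
        value = self.regs.get(self.pointer, 0xFF)
        self.pointer += 1
        return value


class I2CBus:
    """Master-side API an emulated I2C controller would drive."""

    def __init__(self):
        self.slaves = {}
        self.active = None

    def attach(self, slave: RegisterFileSlave) -> None:
        self.slaves[slave.address] = slave

    def start(self, address: int, read: bool) -> bool:
        """(Repeated) START plus address byte. Returns the address ACK."""
        self.active = self.slaves.get(address)
        if self.active is None:
            return False  # nobody answers: address NACK
        self.active.start(read)
        return True

    def write(self, byte: int) -> bool:
        if self.active is None:
            raise RuntimeError("write without an addressed slave")
        return self.active.write(byte)

    def read(self) -> int:
        if self.active is None:
            raise RuntimeError("read without an addressed slave")
        return self.active.read()

    def stop(self) -> None:
        self.active = None


def read_register(bus: I2CBus, address: int, reg: int, count: int = 1):
    """Write pointer, repeated START, read count bytes. None on any NACK."""
    if not (bus.start(address, read=False) and bus.write(reg)):
        bus.stop()
        return None
    if not bus.start(address, read=True):
        bus.stop()
        return None
    data = bytes(bus.read() for _ in range(count))
    bus.stop()
    return data


def write_register(bus: I2CBus, address: int, reg: int, value: int) -> bool:
    """Pointer byte followed by one data byte. False if anything was NACKed."""
    ok = bus.start(address, read=False) and bus.write(reg) and bus.write(value)
    bus.stop()
    return ok


PMIC_ADDR = 0x48  # assumed address for the example, not the real PMIC's


def make_bus() -> I2CBus:
    """Bus with one constructed register-file slave (three mapped registers)."""
    bus = I2CBus()
    bus.attach(RegisterFileSlave(PMIC_ADDR, {0x00: 0x12, 0x01: 0x34, 0x02: 0x00}))
    return bus
```

Plugging this under an emulated I2C peripheral means mapping the controller's registers onto `start`, `write`, `read` and `stop` and latching each returned ACK into the status bit the firmware polls; a model that always ACKs will make the PMIC init appear to succeed while silently discarding writes.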
 
I've never so much as touched a Wii U (I got a 2DS instead lol, but now I suddenly want one) but this is so interesting!!! I would love to see how this turns out! Good job so far, and best of luck to you!
 
I was thinking maybe Nintendo will at some point think about updating the gamepad firmware, so we can probably update the firmware with a homebrew app.

I really want to hack my gamepad, it would be great to have some emulators or be able to stream to a PC more easily, or even better, have micropython run on it

Yeah, umm, I just found this.
 
Last edited by mikodraws.
Very true. I didn't have that in mind at first, but there are probably ways to, like, reduce the gamepad's idle power usage, or other quality of life improvements.

Emulators could be another fun idea, although the gamepad isn't exactly a powerhouse.
 
Very true. I didn't have that in mind at first, but there are probably ways to, like, reduce the gamepad's idle power usage, or other quality of life improvements.

Emulators could be another fun idea, although the gamepad isn't exactly a powerhouse.

If you can reverse the firmware maybe just reduce the "checking communication" frequency with the console when the pad is powered off? Like, if by default the pad wakes up every 15 min to check if there are updates/news/friend messages from the console, and you change this interval to 48 hours?
 
That's probably not very hard to do. Just a matter of figuring out how this all works.

Speaking of, I thought I'd work on audio stuff as a change of pace. So far I figured out a few things about the audio hardware, but I have yet to get the gamepad to output any sound.

I also received 4 gamepads I had ordered a while ago, for eventual testing purposes. Did a quick test and 2 of them work (or at least boot), one boots but turns off, and one doesn't work at all.

The gamepad that turns off might just have a bad connection, or it might be a bad LCD.

For the one that doesn't work at all, the failure seems related to the power system. I'm realizing that the insight gained into the WiiU gamepad's hardware may help fix dead gamepads, too. I looked at it quickly, and there's no sign of life at all.

I have observed that even a bare gamepad motherboard will at least show activity on the SPI bus when powered. This one does not. So it might be a dead PMIC or something related, we'll see if I can figure it out.

The gamepad that turns off might just have a bad connection, or it might be a bad LCD.
As I was trying to rebuild a FPGApad that is less buggy, I ran into a similar fault with the spare motherboard I was envisioning.

Turns out this fault is caused by a bad Flash chip. Kinda interesting (and worrying) that it seems to be a common failure mode in WiiU gamepads.

Not a concern for me because the FPGA completely replaces the bad Flash chip, but for a proper gamepad repair one would have to get a new Flash chip and flash the bootloader and firmware onto it. I don't even know if you can find these on the internets at all...
 
Last edited by Arisotura.
Hi. I think this question may be off-topic, but I was wondering if you know how to enable the Factory test menu on the gamepad? There is a flag in the gamepad OS to enable this menu, but it's unknown which one, so I wanted to ask you.
 
Status update, been looking into wifi again.

Good news is, I might finally have gotten it to attempt to connect to an AP.

Bad news is, the cheapo dongle thing I'm using to make an AP seems to do something wrong, and nothing can actually connect to it, all I get is "AP not found" errors. The gamepad is able to find the AP's MAC address and attempt to connect, but it seems to either disconnect for some reason, or get nowhere...

So I need to either fix this issue or get a proper 5GHz AP.

Still haven't figured out how to support 2.4GHz... Also unknown if Nintendo's modifications would prevent normal WPA auth from working.

But once I'm able to get a connection going, I can refine this API a bit and port a TCP/IP stack and have network functionality. That would be a milestone.
 