Hacking the WiiU gamepad

GaryOderNichts

Well-Known Member
Member
Joined
Aug 9, 2018
Messages
812
Trophies
1
XP
5,809
Country
Germany
Nice work! Definitely a really cool project.
I actually started working on something similar a while back, but instead of replacing the flash I just used the existing flash and used my Pi to write to the flash.
I started patching some stuff in the existing firmware, but decided to start working on a firmware replacement instead.
Looks like you're already a lot further than I ever got with display initialization working.
1730483831393.png
 

Arisotura

rise of melonism
OP
Member
Joined
Dec 5, 2009
Messages
848
Trophies
2
Age
30
Location
center of the Sun
Website
kuribo64.net
XP
2,610
Country
France
@GaryOderNichts

Oh hey, a fellow hacker! Super interesting!

Interesting that you were able to program the FLASH in-situ, because I was never able to get that working reliably.

Is your picture a hack based on the stock firmware, or something entirely custom? I'm guessing the former given what you've said, but I wanna be sure :) am also curious as to how it works and what it does.
 

GaryOderNichts

> Interesting that you were able to program the FLASH in-situ, because I was never able to get that working reliably.
There's an issue with flashrom I had to fix, which prevents writing to the flash reliably: https://github.com/GaryOderNichts/flashrom/commit/10b5ed793ab2185d044988f31b022e8768752be4

> Is your picture a hack based on the stock firmware, or something entirely custom? I'm guessing the former given what you've said, but I wanna be sure :) am also curious as to how it works and what it does.
There's a hidden menu in the firmware which can be opened if a flag is set in the UIC EEPROM. You can probably find it by searching for the "DK Menu" string in the firmware.
I just wrote some firmware patches which add additional entries to this menu, to test out some code.

Also, can anyone edit pages on the wiki? I can document some of the things I have RE'd.
Is there a way to get in contact with you? Discord?
 

Arisotura

Oh, I see. I had custom code to read and write the FLASH on the raspi. Later I tried with an ICSP header and a MiniPro. But I had issues where whatever I was writing wasn't being written reliably...

Oh well, I got no such problems with the FPGA.

re: hidden menu

So you've been hacking the diagnostics firmware, interesting. I had a feeling since I recognized the font.

I thought it required a specific debugger device to be present on the expansion port, no idea it was possible to trigger it with an EEPROM flag, so that's good to know!

I'm currently messing with a quick and dirty gamepad emulator, I want to see if I can emulate the diagnostics firmware and see what it can do.

re: wiki

I haven't opened it to the public to keep things safer for now. That being said, I'd happily give you access!

You can contact me on Discord -- Arisotura.
 

LatteWiiU

New Member
Newbie
Joined
May 16, 2024
Messages
1
Trophies
0
XP
42
Country
United Kingdom
> Nice work! Definitely a really cool project.
> I actually started working on something similar a while back, but instead of replacing the flash I just used the existing flash and used my Pi to write to the flash.
> I started patching some stuff in the existing firmware, but decided to start working on a firmware replacement instead.
> Looks like you're already a lot further than I ever got with display initialization working.
> View attachment 468687
Will this be a way to easily access the Test Mode?
 

Arisotura

Little update. Not much to say, other than I figured out why I was getting error 165-8418 on my hacked gamepad. The language bank setting didn't match what was in my firmware dump, causing the firmware to fail to load localized assets.

I still don't know why or how that gamepad motherboard bricked itself, though. Either I made a mistake while adding write support to my FLASH emulator, or it was whatever fault that motherboard had. I remember having had other odd problems with it.

Oh well.

I ordered another motherboard from eBay, but it was damaged and nonfunctional. And it turns out that my soldering skills are no match for anything that is 0.5mm in pitch, so... yeah.

I have other plans instead. This kinda implies more delay tho...

I made a quick attempt at a gamepad emulator mostly for scientific purposes. I want to get it to run the diagnostics firmware (the DK Menu).
 

Arisotura

In the meantime, I did manage to temporarily resurrect the FPGApad with a UIC transplant that, for once, mostly worked. I backed up that UIC's EEPROM and reflashed it with the previous UIC's data, so it has the correct calibration data.

I've been at work with the wifi card. I'm able to scan for APs and get some data out of it, so there's that. Still haven't figured out how to get it to actually connect to an AP, but we'll get there. I also need to rework and clean up my code, it's a huge mess atm as I'm testing stuff.

Either way, this is looking good, as getting wifi working is the biggest goal to reach before I can release something people can play with.

However, I'm in a bit of a conundrum. The BCM4319 firmware Nintendo shipped with the gamepad firmware seems to only support the 5GHz band. I found some other BCM4319 firmwares that work, but they have the opposite issue -- they only support the 2.4GHz band.

It kinda sucks. I guess it would make sense to have a 5GHz compatible AP/thing if you're going to mess with the gamepad, but I'd kinda like to also have 2.4GHz compatibility, especially as the BCM4319 supports that (and also because I have nothing that can provide a 5GHz network, here).

So I'd need to either find a firmware that supports both bands, or go with 5GHz.

In other news, I will be getting surgery soon, and likely won't have access to my FPGApad for a while. I have another idea -- I think I'll try emulating the UIC in my little emulator thing. Emulating an STM8 seems cute and sounds like the perfect distraction while recovering from surgery :P

Another reason is that the ideas I have for the gamepad will require messing with the UIC, and having an emulator for that will definitely be useful, especially given how easy it is to brick a UIC.
 