Hacking Joy-Con HID Reverse Engineering

  • Thread starter: shinyquagsire23
  • Views: 19,045
  • Replies: 25
  • Likes: 19
I commented out
Code:
    printf("Switching baudrate...\n");

    // 80 03: baudrate switch
    memset(buf_r, 0x00, 0x40);
    buf_r[0] = 0x80;
    buf_r[1] = 0x03;
    hid_exchange(handle_r, buf_r, 0x2);

    // 80 02: handshake
    memset(buf_r, 0x00, 0x40);
    buf_r[0] = 0x80;
    buf_r[1] = 0x02;
    hid_exchange(handle_r, buf_r, 0x2);
but it does the same thing, I ran the program a few times and noticed the output is different each time, but it still prints mostly the same random line over and over with a different random line about every second.
Code:
08ms delay,  left 80 92 00 01 01 00 00 00 1f 08 00 00 01 00 00 00 a8 21 60 5b 68 7f 00 00 b0 f6 5f 5b 68 7f 00 00 a0 7d 3c 70 fe 7f 00 00 00 25 60 5b 68 7f 00 00 c8 7d 3c 70 fe 7f 00 00 a8 21 60 5b 68
            right 81 01 00 03 56 2c fa 8a bb 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08ms delay,  left 80 92 00 01 01 00 00 00 1f 08 00 00 01 00 00 00 a8 21 60 5b 68 7f 00 00 b0 f6 5f 5b 68 7f 00 00 a0 7d 3c 70 fe 7f 00 00 00 25 60 5b 68 7f 00 00 c8 7d 3c 70 fe 7f 00 00 a8 21 60 5b 68
            right 81 01 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08ms delay,  left 80 92 00 01 01 00 00 00 1f 08 00 00 01 00 00 00 a8 21 60 5b 68 7f 00 00 b0 f6 5f 5b 68 7f 00 00 a0 7d 3c 70 fe 7f 00 00 00 25 60 5b 68 7f 00 00 c8 7d 3c 70 fe 7f 00 00 a8 21 60 5b 68
            right 80 92 00 01 01 00 00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Run it again and it prints
Code:
08ms delay,  left 80 92 00 01 01 00 00 00 1f 08 00 00 01 00 00 00 a8 a1 b6 b1 06 7f 00 00 b0 d6 b6 b1 06 7f 00 00 30 85 6b 27 ff 7f 00 00 00 a5 b6 b1 06 7f 00 00 58 85 6b 27 ff 7f 00 00 a8 a1 b6 b1 06
            right 80 92 00 01 01 00 00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08ms delay,  left 80 92 00 01 01 00 00 00 1f 08 00 00 01 00 00 00 a8 a1 b6 b1 06 7f 00 00 b0 d6 b6 b1 06 7f 00 00 30 85 6b 27 ff 7f 00 00 00 a5 b6 b1 06 7f 00 00 58 85 6b 27 ff 7f 00 00 a8 a1 b6 b1 06
            right 81 01 00 03 56 2c fa 8a bb 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
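
An added example, not part of the original posts or the tool's code: a quick check for whether bytes in a dump like the one above are device data or residue from the host program's own memory. It assumes the dump came from an x86-64 Linux host, where stack and shared-library addresses typically have the form 0x00007f...; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First "left" and "right" lines of the first dump above (61 bytes each). */
static const uint8_t left_line[61] = {
    0x80,0x92,0x00,0x01,0x01,0x00,0x00,0x00, 0x1f,0x08,0x00,0x00,0x01,0x00,0x00,0x00,
    0xa8,0x21,0x60,0x5b,0x68,0x7f,0x00,0x00, 0xb0,0xf6,0x5f,0x5b,0x68,0x7f,0x00,0x00,
    0xa0,0x7d,0x3c,0x70,0xfe,0x7f,0x00,0x00, 0x00,0x25,0x60,0x5b,0x68,0x7f,0x00,0x00,
    0xc8,0x7d,0x3c,0x70,0xfe,0x7f,0x00,0x00, 0xa8,0x21,0x60,0x5b,0x68 };
static const uint8_t right_line[61] = {   /* remaining bytes are 0x00 */
    0x81,0x01,0x00,0x03,0x56,0x2c,0xfa,0x8a, 0xbb,0x7c };

/* Assumption: x86-64 Linux host, where stack and shared-library addresses
 * stored little-endian end in "7f 00 00" (bytes 5..7 of an 8-byte word). */
static int looks_like_host_pointer(const uint8_t *w)
{
    return w[5] == 0x7f && w[6] == 0x00 && w[7] == 0x00;
}

/* Count aligned 8-byte words that look like host pointers. *first_off gets the
 * offset of the first one, i.e. where device data plausibly stops. */
size_t count_host_pointers(const uint8_t *buf, size_t len, size_t *first_off)
{
    size_t hits = 0;
    for (size_t off = 0; off + 8 <= len; off += 8) {
        if (!looks_like_host_pointer(buf + off))
            continue;
        if (hits++ == 0 && first_off != NULL)
            *first_off = off;
    }
    return hits;
}

int main(void)
{
    size_t off = 0;
    size_t n = count_host_pointers(left_line, sizeof left_line, &off);
    printf("left:  %zu pointer-like words, first at offset %zu\n", n, off);
    n = count_host_pointers(right_line, sizeof right_line, NULL);
    printf("right: %zu pointer-like words\n", n);
    return 0;
}
```

Pointer-like words that change between runs, as the tail of the left lines does here, are consistent with address randomization on the host rather than controller data. Printing only the number of bytes the read call returned keeps them out of a dump that gets pasted publicly.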

OK I found a solution for Pro Controllers, add this after the last 80 02 handshake:
Code:
    // Only talk HID from now on
    memset(buf_l, 0x00, 0x40);
    buf_l[0] = 0x80;
    buf_l[1] = 0x04;
    hid_exchange(handle_l, buf_l, 0x2);

I found this while messing with vibrations (by stealing the vibrate enable flag from the Bluetooth session). While I was messing with vibration, my controller would time out the right Joy-Con if I talked exclusively with the left Joy-Con for too long, 80 04 stopped that, and 80 05 can allow the controller to connect back to Bluetooth again.

Weird vibration stuff if anyone is curious:


With that fix found though I'll try and see if I can make some nicer code which works better for Pro Controllers, should be able to sign in each Joy-Con one at a time now.
 
The interface_number for the pro controller is -1

Edit: Yay, got it working now with the pro controller! It sometimes takes a few tries, but then it's working.
That vibration test is really spooky. WTF :D
 
Last edited by Maschell,
If it sometimes takes a few tries I'd place bets on the baudrate switching, have a feeling the Pro Controller defaults to a higher baudrate so maybe that doesn't need to be done. Or maybe I just need to place the 80 04 call after the first handshake but before the baudrate switch. Or you just had the vibration test on, that does some dumb stuff to keep the Bluetooth states.
 

This works now, there's a lot of randomly changing numbers in the output now and pressing buttons and moving the analogs causes constant changes. So it does actually read inputs through USB, interesting, can't wait for drivers. SPI dump doesn't work anymore though.

What are those random numbers, just noise? Would it be possible to read accelerometers too?
 
Last edited by normal19,
No, they aren't motion data, motion data is at the very end of the packet from what I've gathered. Managed to see some motion data doing the same trick I did to get vibration to work.
 
Would it also be possible later to send commands to the Switch?

So a PC with a BT adapter could send commands to the Switch?

Thx for the work
 
