Hacking My Joycon reverse engineering resources

dekuNukem

I've been spending the last few days reverse engineering the Joycon, and documented findings at this repo:

https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering

Interesting bits so far:
  1. Nintendo is using keypad scanning for buttons instead of just reading each one.
  2. When attached to the console, the Joycon talks to it through a physical connection instead of Bluetooth.
  3. That connection is simple serial, except at really fast speeds.
  4. The console asks the Joycon for an update every 15 ms.
  5. Handshake and data packets are really small and unencrypted.
  6. An SPI flash capture is included.
  7. I already figured out the button status and joystick value data.
I'll add more to the repo as I keep working on it. In the meantime feel free to ask questions, or take a shot at decoding the data yourself.
 

Nezztor

I've been spending the last few days reverse engineering the Joycon, and documented findings at this repo:

https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering

Interesting bits so far:
  1. Nintendo is using keypad scanning for buttons instead of just reading each one.
  2. When attached to the console, the Joycon talks to it through a physical connection instead of Bluetooth.
  3. That connection is simple serial, except at really fast speeds.
  4. The console asks the Joycon for an update every 15 ms.
  5. Handshake and data packets are really small and unencrypted.
  6. An SPI flash capture is included.
  7. I already figured out the button status and joystick value data.
I'll add more to the repo as I keep working on it. In the meantime feel free to ask questions, or take a shot at decoding the data yourself.

And just wondering, have you tried some exploits on the web browser? And I was reading somewhere that the Joycons had kernel access, is it true?
 

adrifcastr

And just wondering, have you tried some exploits on the web browser? And I was reading somewhere that the Joycons had kernel access, is it true?
That's not how things work. We will have to wait 2-3 years until we get homebrew or even code exec.
 

TiMeBoMb4u2

And just wondering, have you tried some exploits on the web browser? And I was reading somewhere that the Joycons had kernel access, is it true?
That's not how things work. We will have to wait 2-3 years until we get homebrew or even code exec.
It is still very early. You never know when someone may crack it!

FIXED!
 

DeadlyFoez

That's not how things work. We will have to wait 2-3 years until we get homebrew or even code exec.
Where is the dislike button?

It may be that amount of time before anyone publicly announces anything, but I am willing to bet that someone has already gotten custom code execution running on the switch.

We will soon learn how much of a bitch the Switch really is. Nintendo has already made obvious mistakes in their execution of this console, but they will patch their holes in upcoming firmware. So if you want to ever get homebrew, your best bet is to stay on the earliest firmware possible.
 

scottyb323

I've been spending the last few days reverse engineering the Joycon, and documented findings at this repo:

https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering

Interesting bits so far:
  1. Nintendo is using keypad scanning for buttons instead of just reading each one.
  2. When attached to the console, the Joycon talks to it through a physical connection instead of Bluetooth.
  3. That connection is simple serial, except at really fast speeds.
  4. The console asks the Joycon for an update every 15 ms.
  5. Handshake and data packets are really small and unencrypted.
  6. An SPI flash capture is included.
  7. I already figured out the button status and joystick value data.
I'll add more to the repo as I keep working on it. In the meantime feel free to ask questions, or take a shot at decoding the data yourself.

This is awesome! I'm currently trying to utilize these Joycons for a different purpose and struggling to figure out the button mapping. I'm trying to get them to work fully with a MS Hololens. Right now they are connected and all of the buttons are mapped correctly, but the joysticks are being weird.

On the desktop the devices are registered as "Wireless Gamepad", and for mapping them to Unity joystick axis X is 10 and axis Y is 9. But when I connected them to the HL they register as JoyCon (R) and JoyCon (L), which is much more specific, and then the joystick mapping is off. Axis 10 is still working but the results are wonky: dead value is 1 and then on activation either -1 or 0.4445687, and the Y axis is not responding at all. I've run through all of the axis values and am not getting any results. Another interesting issue is that the 0-5 value buttons (middle 4 and SL and SR) all register a 1 for axes 1, 2, 3, 4. But only on the HL.

Not being a hardware hacker and only having a very limited knowledge of reading hardware logic over a bitstream, do you have any idea why a device would read out different values based on the device it's connected to? Both the desktop and HL are running Windows 10, but the HL is using Holographic and an obviously different chipset. Is there any way that you know of to take your research and figure out what the Joycon sticks actually map out as when registered as a non-generic device? If I install Wireshark on a Linux build of my PC would I be able to sniff the Bluetooth traffic and make sense of what it is doing?

I hope this is making sense and I'm really hoping to get these working on the Hololens just because the amount of interactions these would open up in AR would be immense.

Thanks for everything you have looked into so far and thanks for any help you can offer.
 

cosmicdice

Great job dekuNukem!

If I install Wireshark on a Linux build of my PC would I be able to sniff the Bluetooth traffic and make sense of what it is doing?

Yes, you will be able to sniff bluetooth packets.

Using the Bluetooth packet logger that comes with Xcode, for Joycon(R) I got:

For CENTER/Release:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]
For UP:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 02 00 80 00 80 00 80 00 80 ]
For DOWN:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 06 00 80 00 80 00 80 00 80 ]
For LEFT:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 00 00 80 00 80 00 80 00 80 ]
For RIGHT:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 04 00 80 00 80 00 80 00 80 ]
For A Pressed:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 01 00 08 00 80 00 80 00 80 00 80 ]
For A Released:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]
For B Pressed:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 04 00 08 00 80 00 80 00 80 00 80 ]
For B Released:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]

The only thing I could make of it was that only the physical buttons are sending packets when pressed. No accelerometer or gyroscope data.
If it's anything like the Wiimote, you need to send commands to the device to change its mode and use the advanced features.

Additionally, for me (HTML5 gamepad API on a mac), all the Joycon(R) stick directions are reported on the same axis like a D-Pad.

I hope someone will be able to figure out how to make a device driver for these things!
 
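As an added example (not part of cosmicdice's post or dekuNukem's repo), the Python below parses the packet-logger lines above and decodes the 13-byte reports using only what those captures show: reading 0xA1 as the Bluetooth HID DATA/input header and 0x3F as the report ID comes from the Bluetooth HID profile, the hat and button labels come from the captures, and anything not seen there is flagged as unknown rather than guessed.

```python
import re

# Packet-logger line format as shown in the post (Xcode Bluetooth logger).
LINE_RE = re.compile(
    r"\[L2CAP RECEIVE\] Channel ID: (0x[0-9A-Fa-f]+) "
    r"Length: 0x[0-9A-Fa-f]+ \((\d+)\) \[ ([0-9A-Fa-f ]+) \]"
)
# Hat byte labels exactly as the post labelled its Joycon(R) captures;
# diagonals were not captured, so any other value is reported as unknown.
HAT = {0x08: "center", 0x02: "up", 0x06: "down", 0x00: "left", 0x04: "right"}
# Button bits seen in the first button byte: A -> 0x01, B -> 0x04.
BUTTONS = {0x01: "A", 0x04: "B"}

# Sample lines copied from the captures in the post.
RELEASED = "[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]"
A_PRESSED = "[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 01 00 08 00 80 00 80 00 80 00 80 ]"
UP = "[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 02 00 80 00 80 00 80 00 80 ]"

def parse_line(line):
    """Return (channel_id, payload bytes); checks the length field matches."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an L2CAP RECEIVE line")
    channel, length, hexbytes = m.groups()
    data = bytes.fromhex(hexbytes)
    if len(data) != int(length):
        raise ValueError(f"length field says {length}, got {len(data)} bytes")
    return channel, data

def decode_report(data):
    """Decode one 13-byte report: A1 = BT HID DATA/input header (assumed from the
    HID profile), 3F = report ID, then two button bytes, the hat byte and four
    little-endian 16-bit stick words (0x8000 in every capture, i.e. centred)."""
    if len(data) != 13 or data[0] != 0xA1 or data[1] != 0x3F:
        raise ValueError("not a 13-byte 0x3F input report")
    btn1, btn2, hat = data[2], data[3], data[4]
    sticks = [int.from_bytes(data[i:i + 2], "little") for i in range(5, 13, 2)]
    buttons = [name for bit, name in BUTTONS.items() if btn1 & bit]
    if btn1 & ~sum(BUTTONS) or btn2:  # bits the captures never labelled
        buttons.append(f"unknown(0x{btn1:02X},0x{btn2:02X})")
    return {"hat": HAT.get(hat, f"unknown(0x{hat:02X})"),
            "buttons": buttons, "sticks": sticks}

def changed_bits(before, after):
    """(byte index, xor mask) per differing byte; a released/pressed pair locates a button's bit."""
    return [(i, b ^ a) for i, (b, a) in enumerate(zip(before, after)) if b != a]

if __name__ == "__main__":  # stand-alone demo on the captured lines
    print(decode_report(parse_line(A_PRESSED)[1]))
    print(changed_bits(parse_line(RELEASED)[1], parse_line(A_PRESSED)[1]))
```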

adam235

I've converted your SPI log into a binary.

Seems to be valid, but the flash should be 4 MB, so I'm not sure if your log is missing something.

Some strings:

ROM:0001190B aNintendoSwitch DCB "Nintendo Switch",0
ROM:0001191B aNintendorobson DCB "NintendoRobson",0
ROM:0001192B aNintendo DCB "Nintendo",0
ROM:0001317B aNintendoUkyoep DCB "nintendo/ukyoEP2/../ukyo/dimmerleddriver.cpp",0
ROM:00013967 aNintendoUkyo_0 DCB "nintendo/ukyoEP2/../ukyo/mypcm2driver.cpp",0
ROM:00017158 aWirelessGamepa DCB "%",0x1B,"Wireless Gamepad PnP ServerÎ"
 

Attachment: ROM.rar (63.8 KB)

shinyquagsire23

If anyone can get a solid SPI flash dump (it sounds like everything here is intercepted?), I'd be curious to try comparing it to HID shared memory. Don't have the resources to take apart my Joy-Con at the moment, but I'll probably get my own dumps later.
 

scottyb323

Great job dekuNukem!



Yes, you will be able to sniff bluetooth packets.

Using the Bluetooth packet logger that comes with Xcode, for Joycon(R) I got:

For CENTER/Release:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]
For UP:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 02 00 80 00 80 00 80 00 80 ]
For DOWN:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 06 00 80 00 80 00 80 00 80 ]
For LEFT:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 00 00 80 00 80 00 80 00 80 ]
For RIGHT:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 04 00 80 00 80 00 80 00 80 ]
For A Pressed:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 01 00 08 00 80 00 80 00 80 00 80 ]
For A Released:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]
For B Pressed:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 04 00 08 00 80 00 80 00 80 00 80 ]
For B Released:
[L2CAP RECEIVE] Channel ID: 0x0041 Length: 0x000D (13) [ A1 3F 00 00 08 00 80 00 80 00 80 00 80 ]

The only thing I could make of it was that only the physical buttons are sending packets when pressed. No accelerometer or gyroscope data.
If it's anything like the Wiimote, you need to send commands to the device to change its mode and use the advanced features.

Additionally, for me (HTML5 gamepad API on a mac), all the Joycon(R) stick directions are reported on the same axis like a D-Pad.

I hope someone will be able to figure out how to make a device driver for these things!


Great, thanks for the info. The fact that you would have to send a signal to the Joycons to activate motion capture makes sense. I really hope someone gets that working; I doubt I have the knowledge to figure that out, but I was planning on looking at what people have done with the Wiimotes in the past for reference.
I also noticed the weirdness with the axis direction as well. I thought it was just a different axis, but it would make sense if they are somehow all just mapped to the same value, as to why the values are not from -1 to 1. I didn't get to work with the Joycons on Friday but hopefully will have some time Monday to look at them more.
 

forerofore

I've been experimenting with PJ64 and the Joycons. Apparently the NRage plugin detects any button press from any Joycon separately, which means you can keybind two Joycons as a single controller.

The only problem is I couldn't find a way to make it detect the joystick sensitivity as anything different than button presses, and the other plugins behave the same way or don't work at all.
Either this is a plugin problem (maybe not, since the NRage plugin is pretty good) or a calibration feature is needed on a 3rd party driver.
Keep up the reverse engineering, maybe a driver could be written?
 

scottyb323

I've been experimenting with PJ64 and the Joycons. Apparently the NRage plugin detects any button press from any Joycon separately, which means you can keybind two Joycons as a single controller.

The only problem is I couldn't find a way to make it detect the joystick sensitivity as anything different than button presses, and the other plugins behave the same way or don't work at all.
Either this is a plugin problem (maybe not, since the NRage plugin is pretty good) or a calibration feature is needed on a 3rd party driver.
Keep up the reverse engineering, maybe a driver could be written?


I'm only tracking the devices into Unity as HIDs and seeing similar results. The joysticks are treated as axes, but the sensitivity, even if I crank it down super low, is still mostly just 0 or 1. I am unsure if this is a Unity setting or on the Joycons, but they are definitely treating the joystick and button input very similarly as far as I can see in Debug statements.

Not that it's very useful to you all as you seem to have a stronger handle on this than I do.



But this is what I was able to get working so far on the Hololens. As you can sort of see, when I start using the joysticks the X and Y axes are acting very funky.
 

scottyb323

I just want to say this is awesome, dekuNukem! Seeing all of the progress and all the data logging you have made in just a week is fantastic. Keep it up!
 

bennyman123abc

Where is the dislike button?

It may be that amount of time before anyone publicly announces anything, but I am willing to bet that someone has already gotten custom code execution running on the switch.

We will soon learn how much of a bitch the Switch really is. Nintendo has already made obvious mistakes in their execution of this console, but they will patch their holes in upcoming firmware. So if you want to ever get homebrew, your best bet is to stay on the earliest firmware possible.
Pluto seems kind of close. Closer than anyone else tbh
 
