Reverse Engineering the Switch Pro Controller Wired mode

Discussion in 'Switch - Hacking & Homebrew' started by Toad King, Jun 23, 2017.

  1. Toad King
    OP

    Toad King GBAtemp Fan

    Member
    369
    301
    Aug 19, 2009
    United States
    With the new wired mode on the Switch for Pro controllers, I finally dug up my old BeagleBone Black and managed to coax it into getting a USB traffic dump of the Pro controller wired to the Switch.

    Dump: https://toadking.com/switch-pro-wired.pcap

    Interesting notes:
    • All communication is USB interrupt based, no control transfers outside of descriptor stuff.
    • Poll rate is 125Hz, just like your normal USB controller. EDIT: It appears to fluctuate in report speed, and hovers around 75Hz. You get one 8ms between packets then 2-3 of 16ms between packets. Kinda weird.
    • The magic key to start it is "80 02", although I also see a "80 04" very soon after that. Replicating it on a PC didn't require both though. Maybe for selecting which player # it is?
    • There are periodic packets from the host, which appear to be sent every 100ms or so. Some appear larger than others and probably include haptic data.
    • WARNING: The HID descriptor does not match the data in the controller payload at all. My guess is it's just the Bluetooth HID descriptor c/p over. Because of that, if you enable the controller on Windows by poking that enable interrupt packet with your favorite USB tool, Windows will go crazy trying to interpret the packets it gets. I now have this on-screen controller keyboard I don't know how to get rid of.
     

    Last edited by Toad King, Jun 23, 2017
    Zacchi4k, zeldaism, DarthDub and 11 others like this.
  2. Toad King
    OP

    After some more tinkering it appears the startup sequence is a bit more complicated than just those two bytes. Here's a sequence that appears to start it from a cold plugin (all numbers hex):
    1. Make sure USB pipe is empty, read until it is
    2. Write 80 02
    3. Read 40 bytes
    4. Write 80 04
    5. Remaining data is controller data in 40 byte chunks
    Trace of this: https://toadking.com/switch-pro-controller-windows-3.txt

    Packets with controller data start with 30 while there are also packets that start with 81. Not sure what they do yet.
     
    Last edited by Toad King, Jun 23, 2017
    DarthDub likes this.
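
The start-up sequence from the post above, written out as an added example (not Toad King's gist or project code). It runs against a constructed stand-in for the controller's interrupt endpoints so it works offline; `FakeController`, `start_wired_mode`, the content of the reply to 80 02, and a transport whose `read()` returns `None` on timeout are assumptions, and the sample 30-led report is the one quoted later in this thread.

```python
from collections import deque

REPORT_LEN = 0x40                    # the post's "40 bytes" is hex: 64-byte reports
CMD_HANDSHAKE = bytes([0x80, 0x02])  # step 2
CMD_START = bytes([0x80, 0x04])      # step 4
# 30-led report quoted later in this thread, zero-padded as in that dump.
SAMPLE_30 = bytes.fromhex("30 17 91 00 80 00 3c 28 7f 49 68 82 09").ljust(REPORT_LEN, b"\0")

class FakeController:
    """Constructed stand-in for the interrupt IN/OUT endpoints (not real hardware)."""
    def __init__(self):
        self.rx = deque([bytes(REPORT_LEN)])  # one stale report left in the pipe
        self.writes = []

    def write(self, data):
        self.writes.append(bytes(data))
        if data == CMD_HANDSHAKE:
            # Reply content is an assumption; the post only says to read 0x40 bytes.
            self.rx.append(b"\x81".ljust(REPORT_LEN, b"\0"))
        elif data == CMD_START:
            # Constructed stream: two 30-led reports around one 81-led packet.
            filler = b"\x81".ljust(REPORT_LEN, b"\0")
            self.rx.extend([SAMPLE_30, filler, SAMPLE_30])

    def read(self):
        """Return one report, or None when the pipe is empty (a read timeout)."""
        return self.rx.popleft() if self.rx else None

def start_wired_mode(dev, max_reports=3):
    """Run steps 1-5 from the post; return (drained, input_reports, other_packets)."""
    drained = 0
    while dev.read() is not None:         # 1. read until the pipe is empty
        drained += 1
    dev.write(CMD_HANDSHAKE)              # 2. write 80 02
    reply = dev.read()                    # 3. read 0x40 bytes
    if reply is None or len(reply) != REPORT_LEN:
        raise IOError("no 0x40-byte reply to 80 02; not sending 80 04")
    dev.write(CMD_START)                  # 4. write 80 04
    inputs, other = [], []
    for _ in range(max_reports):          # 5. the rest arrives in 0x40-byte chunks
        pkt = dev.read()
        if pkt is None:
            break
        if len(pkt) != REPORT_LEN:
            raise IOError("short report: %d bytes" % len(pkt))
        (inputs if pkt[0] == 0x30 else other).append(pkt)
    return drained, inputs, other

if __name__ == "__main__":
    drained, inputs, other = start_wired_mode(FakeController())
    print(drained, len(inputs), len(other), inputs[0][:13].hex(" "))
```
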
  3. Fluto

    Fluto A potato in disguise

    Member
    1,282
    287
    Apr 17, 2009
    The Moon
    Awesome work, I'm glad someone's poking around with the controller.
    BTW: The on-screen keyboard is from Steam Big Picture.
    It's coming up because it's detected that you pressed a button on the controller that's hotkeyed to opening it up.
    You can disable it in your Steam settings, or you can disable using generic input controllers within Big Picture itself.
     
  4. Toad King
    OP

    Yeah I figured that out eventually. I have Big Picture mode controller support enabled since for some reason my SFC30 works better with it enabled.

    Update: Got a quick'n'dirty python script for reading data. Implementing support for all buttons should be doable with this, but there appears to be no motion data in these packets. Probably have to enable motion separately.

    https://gist.github.com/ToadKing/30d65150410df13763f26f45abbd3700

    Works on Windows with pyusb installed and the pro controller driver replaced with zadig. (It must be the libusb-win32 driver, not WinUSB driver, to work with pyusb.) It should work with Linux in theory as well.
     
    I pwned U! and Tybus like this.
  5. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,966
    3,249
    Nov 18, 2012
    United States
    Las Vegas
    Oh cool, so they definitely do use that alternate method of talking HID. Was curious what they did after 80 04, before 3.0 it got to 80 04 and just terminated the connection. I actually reversed the firmware and used some weird raw UART command setup with https://github.com/shinyquagsire23/HID-Joy-Con-Whispering/tree/master/hidtest, though it seems it can take the same commands that Bluetooth does normally (with limitations I guess). Accidentally noticed that worked while I was figuring out Bluetooth.

    EDIT: Doing more comparisons, this is weird... they don't seem to shift the baudrate higher? And the controller is sending IMU data much earlier than it should be, it doesn't even enable the IMU nor vibration until much later for some reason, and on top of that they keep enabling vibration for some reason. Sounds like there was a disconnect somewhere and they ran into bugs with USB.
     
    Last edited by shinyquagsire23, Jun 23, 2017
    DarthDub, I pwned U! and peteruk like this.
  6. Tybus

    Tybus Advanced Member

    Newcomer
    57
    7
    Nov 24, 2013
    Hey, can we get a photo/description of your setup?... I wanted to do RE of the dock (by sniffing the USB data between the Switch and the dock itself)... But I have a low budget, didn't know you could get the data using a BeagleBone....
     
  7. Zhongtiao1

    Zhongtiao1 GBAtemp Fan

    Member
    483
    132
    Feb 24, 2015
    United States
    Does the Pokken controller have the same attributes when plugged in?

     
    Saiyan Lusitano likes this.
  8. Toad King
    OP

    Nice, looks like there was some work done before me!

    The constant rumble re-enable might just be redundant calls since it was easier to just always turn it on rather than track whether it was on or not. I can try potentially getting more traces this weekend if you want.

    It's just a BBB with an OS built for USBProxy installed: https://github.com/dominicgs/USBProxy/releases/tag/2014-03-R1

    The host USB port connects to the Switch dock, the device port connects to the pro controller, and an ethernet connection for SSH/running USBProxy.

    The Pokken controller just appears as a standard HID controller with no special capabilities. It doesn't even have an OUT endpoint for accepting commands from the host.
     
  9. Toad King
    OP

    Started work on XInput userland drivers for the pro controller. You can find it here: https://github.com/ToadKing/switch-pro-x

    It uses ViGEm (https://github.com/nefarius/ViGEm) to implement a virtual Xbox 360 controller, which should work with all games that support XInput. For the time being you'll have to install the ViGEm bus driver manually. So far all the buttons work (except XInput doesn't have an equivalent for the share button so it currently does nothing) and while it doesn't support hotplugging at the moment, it should in theory when libusb implements it for Windows. Speaking of which, because the HID descriptor for the controller is busted we can't write to it through the Windows HID driver, so you'll have to use Zadig or a similar tool to install a libusb/WinUSB driver over the pro controller.
     
    DarthDub, knubie and I pwned U! like this.
  10. knubie

    knubie Newbie

    Newcomer
    6
    1
    Jan 24, 2015
    United States
  11. Toad King
    OP

    Yeah the HID descriptor for wired mode is complete garbage and doesn't match the actual payloads at all. Right now I'm completely bypassing the OS HID driver and doing it myself.
     
  12. Nemix77

    Nemix77 GBAtemp Advanced Fan

    Member
    666
    137
    May 30, 2009
    Canada
    Just a question:

    Is the input lag any better in wired mode vs wireless for the Switch's Pro Controller?
     
  13. Toad King
    OP

    Haven't tried it wireless connected to my PC but the input latency is low enough that I can't notice it. The actual refresh rate is weird: It fluctuates between 62.5Hz and 125Hz and averages out around ~75Hz.
     
  14. Nemix77

    Let us know if you're able to test out both wired and wireless mode and how it impacts the input lag, my assumption is wired mode has a slight bit less input lag but it's probably not that significant with the Bluetooth wireless technology offered today for connecting wireless controllers to consoles such as the Switch and PS4.
     
  15. Toad King
    OP

    To properly test lag I would need to wire up an LED to the PCB and do recording tests. However I can say I don't notice any lag personally between wired and wireless mode so any actual latency is probably very minimal.
     
    Nemix77 likes this.
  16. SeveralArmchair

    SeveralArmchair Newbie

    Newcomer
    1
    1
    Jul 13, 2017
    United States
    How difficult would it be to make a cheap USB device, like a Raspberry Pi, mimic a Pro Controller and send button presses to the Switch?
     
    Hybrixe likes this.
  17. ty41212

    ty41212 Newbie

    Newcomer
    1
    0
    Jul 28, 2017
    Taiwan
    I'm just wondering what this byte is used for?

    86.1 IN 30 17 91 00 80 00 3c 28 7f 49 68 82 09 00 00 00 0.....<(.Ih..... 16ms 34.1.0 23:27:44.644
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.16
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.32
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.48
     
    Last edited by ty41212, Jul 31, 2017
  18. Quixomatic

    Quixomatic Newbie

    Newcomer
    1
    0
    Aug 9, 2017
    United States
    Any luck getting the motion data?
     
  19. MatMaf

    MatMaf Advanced Member

    Newcomer
    61
    74
    Jun 5, 2016
    United States
    Any luck using the Pro Controller on PC via USB? I would love to use mine.