Hacking Reverse Engineering the Switch Pro Controller Wired mode

Toad King

With the new wired mode on the Switch for Pro controllers, I finally dug up my old BeagleBone Black and managed to coax it into getting a USB traffic dump of the Pro controller wired to the Switch.

Dump: https://toadking.com/switch-pro-wired.pcap

Interesting notes:
  • All communication is USB interrupt based, no control transfers outside of descriptor stuff.
  • Poll rate is 125Hz, just like your normal USB controller. EDIT: It appears to fluctuate in report speed, and hovers around 75Hz. You get one 8ms between packets then 2-3 of 16ms between packets. Kinda weird.
  • The magic key to start it is "80 02", although I also see a "80 04" very soon after that. Replicating it on a PC didn't require both though. Maybe for selecting which player # it is?
  • There are periodic packets from the host, which appear to be sent every 100ms or so. Some appear larger than others and probably include haptic data.
  • WARNING: The HID descriptor does not match the data in the controller payload at all. My guess is it's just the Bluetooth HID descriptor c/p over. Because of that, if you enable the controller on Windows by poking that enable interrupt packet with your favorite USB tool, Windows will go crazy trying to interpret the packets it gets. I now have this on-screen controller keyboard I don't know how to get rid of.
 


Toad King

After some more tinkering it appears the startup sequence is a bit more complicated than just those two bytes. Here's a sequence that appears to start it from a cold plugin (all numbers hex):
  1. Make sure USB pipe is empty, read until it is
  2. Write 80 02
  3. Read 40 bytes
  4. Write 80 04
  5. Remaining data is controller data in 40 byte chunks
Trace of this: https://toadking.com/switch-pro-controller-windows-3.txt

Packets with controller data start with 30 while there are also packets that start with 81. Not sure what they do yet.
 
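
The cold-plug sequence from the post above, as an added example that is not part of the original thread or of the linked gist. It runs against a constructed stand-in device (`FakeController`, hypothetical) whose `read()` returns `None` on timeout; the bytes of the reply to `80 02` are made up, and the sample controller-data packet reuses the first bytes of the IN packet quoted later in the thread.

```python
from collections import deque

REPORT_LEN = 0x40                      # the post's "40 bytes" is hex: 64 bytes
CMD_HANDSHAKE = bytes([0x80, 0x02])    # step 2 in the post
CMD_START = bytes([0x80, 0x04])        # step 4 in the post
# First bytes of the IN packet quoted later in the thread, zero-padded to 0x40.
SAMPLE_INPUT = bytes.fromhex("301791008000" "3c287f4968820900").ljust(REPORT_LEN, b"\0")
SAMPLE_81 = bytes([0x81]).ljust(REPORT_LEN, b"\0")   # constructed; only first byte matters

class FakeController:
    """Constructed stand-in for the interrupt IN/OUT endpoints (assumption)."""
    def __init__(self, stale):
        self.rx = deque(stale)         # packets already queued on the IN endpoint
        self.written = []
    def write(self, data):
        self.written.append(bytes(data))
        if data == CMD_HANDSHAKE:      # reply content is made up; only its length is checked
            self.rx.append(SAMPLE_81)
        elif data == CMD_START:        # after 80 04 the device streams 0x40-byte chunks
            self.rx.extend([SAMPLE_INPUT, SAMPLE_81, SAMPLE_INPUT])
    def read(self, length):
        return self.rx.popleft()[:length] if self.rx else None   # None = timeout

def start_wired_mode(dev):
    """Run steps 1-4 of the post; return how many stale packets were drained."""
    drained = 0
    while dev.read(REPORT_LEN) is not None:   # step 1: read until the pipe is empty
        drained += 1
    dev.write(CMD_HANDSHAKE)
    reply = dev.read(REPORT_LEN)              # step 3: read 0x40 bytes
    if reply is None or len(reply) != REPORT_LEN:
        raise IOError("no 0x40-byte reply to 80 02")
    dev.write(CMD_START)
    return drained

def classify(packet):
    """Label a chunk by its first byte, as far as the thread identifies them."""
    if packet is None or len(packet) != REPORT_LEN:
        return "malformed"
    return {0x30: "controller-data", 0x81: "0x81-unknown"}.get(packet[0], "unrecognised")

def demo():
    dev = FakeController(stale=[SAMPLE_INPUT, SAMPLE_INPUT])
    drained = start_wired_mode(dev)
    kinds = []
    while (pkt := dev.read(REPORT_LEN)) is not None:
        kinds.append(classify(pkt))
    return drained, dev.written, kinds

if __name__ == "__main__":
    print(demo())
```

Draining first matters because a stale packet left in the pipe would otherwise be mistaken for the reply to `80 02`.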

Fluto

Awesome work, I'm glad someone's poking around with the controller.
BTW: The on-screen keyboard is from Steam Big Picture.
It's coming up because it's detected that you pressed a button on the controller that's hotkeyed to opening it up.
You can disable it in your Steam settings, or you can disable using generic input controllers within Big Picture itself.
 

Toad King

Fluto said:
> Awesome work, I'm glad someone's poking around with the controller.
> BTW: The on-screen keyboard is from Steam Big Picture.
> It's coming up because it's detected that you pressed a button on the controller that's hotkeyed to opening it up.
> You can disable it in your Steam settings, or you can disable using generic input controllers within Big Picture itself.

Yeah I figured that out eventually. I have Big Picture mode controller support enabled since for some reason my SFC30 works better with it enabled.

Update: Got a quick'n'dirty python script for reading data. Implementing support for all buttons should be doable with this, but there appears to be no motion data in these packets. Probably have to enable motion separately.

https://gist.github.com/ToadKing/30d65150410df13763f26f45abbd3700

Works on Windows with pyusb installed and the pro controller driver replaced with zadig. (It must be the libusb-win32 driver, not WinUSB driver, to work with pyusb.) It should work with Linux in theory as well.
 

shinyquagsire23

Oh cool, so they definitely do use that alternate method of talking HID. Was curious what they did after 80 04, before 3.0 it got to 80 04 and just terminated the connection. I actually reversed the firmware and used some weird raw UART command setup with https://github.com/shinyquagsire23/HID-Joy-Con-Whispering/tree/master/hidtest, though it seems it can take the same commands that Bluetooth does normally (with limitations I guess). Accidentally noticed that worked while I was figuring out Bluetooth.

EDIT: Doing more comparisons, this is weird... they don't seem to shift the baudrate higher? And the controller is sending IMU data much earlier than it should be, it doesn't even enable the IMU nor vibration until much later for some reason, and on top of that they keep enabling vibration for some reason. Sounds like there was a disconnect somewhere and they ran into bugs with USB.
 

Tybus

Hey, can we get a photo/description of your setup?... I wanted to do RE of the dock (by sniffing the USB data between the Switch and the dock itself)... But I have a low budget, and didn't know you could get the data using a BeagleBone....
 

Zhongtiao1

shinyquagsire23 said:
> Oh cool, so they definitely do use that alternate method of talking HID. Was curious what they did after 80 04, before 3.0 it got to 80 04 and just terminated the connection. I actually reversed the firmware and used some weird raw UART command setup with https://github.com/shinyquagsire23/HID-Joy-Con-Whispering/tree/master/hidtest, though it seems it can take the same commands that Bluetooth does normally (with limitations I guess). Accidentally noticed that worked while I was figuring out Bluetooth.
>
> EDIT: Doing more comparisons, this is weird... they don't seem to shift the baudrate higher? And the controller is sending IMU data much earlier than it should be, it doesn't even enable the IMU nor vibration until much later for some reason, and on top of that they keep enabling vibration for some reason. Sounds like there was a disconnect somewhere and they ran into bugs with USB.

Does the Pokken controller have the same attributes when plugged in?


Toad King

shinyquagsire23 said:
> Oh cool, so they definitely do use that alternate method of talking HID. Was curious what they did after 80 04, before 3.0 it got to 80 04 and just terminated the connection. I actually reversed the firmware and used some weird raw UART command setup with https://github.com/shinyquagsire23/HID-Joy-Con-Whispering/tree/master/hidtest, though it seems it can take the same commands that Bluetooth does normally (with limitations I guess). Accidentally noticed that worked while I was figuring out Bluetooth.
>
> EDIT: Doing more comparisons, this is weird... they don't seem to shift the baudrate higher? And the controller is sending IMU data much earlier than it should be, it doesn't even enable the IMU nor vibration until much later for some reason, and on top of that they keep enabling vibration for some reason. Sounds like there was a disconnect somewhere and they ran into bugs with USB.

Nice, looks like there was some work done before me!

The constant rumble re-enable might just be redundant calls since it was easier to just always turn it on rather than track whether it was on or not. I can try potentially getting more traces this weekend if you want.

Tybus said:
> Hey, can we get a photo/description of your setup?... I wanted to do RE of the dock (by sniffing the USB data between the Switch and the dock itself)... But I have a low budget, and didn't know you could get the data using a BeagleBone....

It's just a BBB with an OS built for USBProxy installed: https://github.com/dominicgs/USBProxy/releases/tag/2014-03-R1

The host USB port connects to the Switch dock, the device port connects to the pro controller, and an ethernet connection for SSH/running USBProxy.

Zhongtiao1 said:
> Does the Pokken controller have the same attributes when plugged in?

The Pokken controller just appears as a standard HID controller with no special capabilities. It doesn't even have an OUT endpoint for accepting commands from the host.
 

Toad King

Started work on XInput userland drivers for the pro controller. You can find it here: https://github.com/ToadKing/switch-pro-x

It uses ViGEm (https://github.com/nefarius/ViGEm) to implement a virtual Xbox 360 controller, so it should work with all games that support XInput. For the time being you'll have to install the ViGEm bus driver manually. So far all the buttons work (except XInput doesn't have an equivalent for the share button so it currently does nothing) and while it doesn't support hotplugging at the moment, it should in theory when libusb implements it for Windows. Speaking of which, because the HID descriptor for the controller is busted we can't write to it through the Windows HID driver so you'll have to use Zadig or a similar tool to install a libusb/WinUSB driver over the pro controller.
 

Nemix77

Just a question:

Is the input lag any better in wired mode vs wireless for the Switch's Pro Controller?
 

Toad King

Nemix77 said:
> Just a question:
>
> Is the input lag any better in wired mode vs wireless for the Switch's Pro Controller?

Haven't tried it wireless connected to my PC but the input latency is low enough that I can't notice it. The actual refresh rate is weird: It fluctuates between 62.5Hz and 125Hz and averages out around ~75Hz.
 

Nemix77

Let us know if you're able to test out both wired and wireless mode and how it impacts the input lag, my assumption is wired mode has a slight bit less input lag but it's probably not that significant with the Bluetooth wireless technology offered today for connecting wireless controllers to consoles such as the Switch and PS4.
 

Toad King

Nemix77 said:
> Let us know if you're able to test out both wired and wireless mode and how it impacts the input lag, my assumption is wired mode has a slight bit less input lag but it's probably not that significant with the Bluetooth wireless technology offered today for connecting wireless controllers to consoles such as the Switch and PS4.

To properly test lag I would need to wire up an LED to the PCB and do recording tests. However I can say I don't notice any lag personally between wired and wireless mode so any actual latency is probably very minimal.
 

ty41212

I'm just wondering what this byte is used for?

86.1 IN 30 17 91 00 80 00 3c 28 7f 49 68 82 09 00 00 00 0.....<(.Ih..... 16ms 34.1.0 23:27:44.644
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.16
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 34.1.48
 