When the WiiU was released, a few console hackers and I were talking about potential uses for the WiiU gamepad. However, before being able to use a WiiU gamepad as a remote controller for a robot or a quadricopter, the first step was to understand how it worked and how to communicate with it. This started our long journey of soldering wires onto flash chips, reading the H.264 specification and complaining about the lack of features in most Wi-Fi drivers and devices (on all platforms, Linux and ath9k devices being the least horrible).
While some “journalists” reported that the WiiU gamepad uses the Miracast™ technology, a Wi-Fi standard, it turned out that this was never the case. Instead, Nintendo decided to reinvent four different protocols (video streaming, audio streaming, input streaming, and a lightweight request-reply RPC protocol) and embed them in a slightly obfuscated version of WPA2, sent over the air using 802.11n Wi-Fi in the 5 GHz band. A small ARM CPU is embedded in the WiiU gamepad (codenamed DRC) and runs a real-time operating system to handle network communication. On the WiiU side, another ARM CPU (codenamed DRH) does the same thing.
In this presentation, we will go into the details of how we went from a 32 MB binary blob to a proof of concept of WiiU gamepad “emulation” on a PC, including full documentation of the wireless communication obfuscation layer and partial documentation of the four data exchange protocols used on the gamepad.