Hacking the Wii U Gamepad

[Arisotura]

Could be nifty for small homebrew, or even just improving the original functionality. I don't know, but this project scratches a very specific itch for me, and who knows what people will come up with?

Regarding wifi, it's a bit of a weird thing. Either way, you'd need a Wii U or a special wifi network to be able to flash anything onto the gamepad in the first place. But maybe supporting regular wifi networks could make things more convenient later on. I don't know, I just don't like not having the option.

[lidnariq]

Do we know how fast the main CPU in the gamepad is? In other words, how much could rely on it instead of the h.264 decoder in it?

[Arisotura]

It's an ARM9, and runs at 108MHz. Could probably be overclocked but not sure how high it can go.

The limiting factor would mostly be RAM, there's only 4MB and the framebuffer has to be in there...

[lidnariq]

With only 100MHz it's going to be hard to do much of general interest. Maybe some of the less accurate emulators?

[nocash]

100MHz is a lot, and the display is probably a lot better than Sony's 32x32 pixel Pocketstation.
Being compatible with normal access points would be certainly nice!

The initial installation with needing a Wii U or special network might be an extra obstacle.
At least when not having such things, but I guess most people who have a Wii U gamepad do also have a Wii U console, so that's propably no big issue.

And I assume that there are some options, like installing via serial cable, or perhaps installing from a NDS/DSi/3DS console, or anything that is capable of sending more or less custom wifi packets(?)

[stan423321]

Last time I checked, it was easier to get a working Wii U console without a GamePad than a working GamePad without a Wii U console. While this could be an advantage for installation purposes, it feels very much like a disadvantage for the sourcability purposes - one would imagine the GamePad owners want to keep their Wii U set fully operational, I know I do. (There is a lot of software, including the firmware, that could gracefully handle the lack of GamePad, but just doesn't.) A game tech-adjacent YouTuber MattKC has announced looking into making an open PC/Android app or add-on that would work as a practical replacement of official GamePad uses, but disregarding the chances of outright failure I think it's going to take a while, and even then the remaining GamePads would probably be important for figuring out emulation inaccuracies. In the meantime, there are a lot of new devices with significantly more power, better user programmability, and prices that many find reasonable. Sure, 100 MHz ARM9 beats PocketStation, but that's not really what people will compare it to.

This is not intended as a discouragement of looking into the low-level workings of the device, just as a note that hacking it is unlikely to ever be practical for a typical amateur hackery enthusiast, unless it interacts with the rest of Wii U.

[Arisotura]

The gamepad has an IR transceiver that can function as a serial interface, so that could be a way to load stuff to it.

Of course, you'd still need a Wii U or special network to load custom code in the first place, because the only purely software way is via the firmware update functionality. Unless there's an exploit in the firmware that could be exploited over IR or whatever.

[calima]

It's mostly pre-2000 laptops and phones that even had IR, so may be even less convenient that way.

[Pokun]

IR LEDs and receivers can easily be bought and used with an Arduino or something.

[calima]

Yes, which was my point - buying a wireless stick is easier than buying an IR setup nowadays.

[Pokun]

Wireless stick? My point was that IR hardware is easy to buy and use. There seems to be USB adapters for use with a modern computer as well but I have no idea how well they work or if they are expensive or hard to get hold of.

[Arisotura]

a bit of a late status update: I did manage to get the gamepad to connect to a regular 5GHz wifi network, with a patched wifi firmware.

I was informed that the gamepad's wifi card uses a 5GHz-only amplifier, which would explain why I had so much trouble receiving 2.4GHz frames. that means 2.4GHz is off the table unless the hardware is modified.

haven't been doing a lot of work on this due to bad mental health. been trying to think of the best way to make a boot menu work...

[Arisotura]

Status update: applied a bunch of fixes to the FPGA Flash emulator.

There were specific situations where SPI read commands returned incorrect data, I managed to figure out why and how to fix it. Long story short, according to my theory there was just enough time to receive the data from SDRAM before having to answer a SPI read command even in the worst case, but in practice it wasn't always the case. However, clever interleaving let me get around the issue. Basically, since we know we're always sending bit 7 first, I grouped together the bits so that within a given 8-byte chunk, all bit 7's come first, then all bit 6's, all bit 5's, and so on.

I also implemented erase and page program commands in a way that actually works. My previous attempt was unreliable because I wasn't buffering the SPI chipselect line, which caused metastability problems and sometimes broke the logic. The new attempt also uses simpler logic, too.

It's on Github if that's of any interest. https://github.com/Arisotura/spi_flash

I also did some reverse-engineering work on the gamepad itself. Figured out a whole bunch of registers: video timings, clock circuitry, etc.

[Arisotura]

Been working on putting together a screen for scanning for wifi access points...



Reminder that if it's easy to quickly hack things together and test stuff, putting it all together in a coherent form is harder.

I started porting lwIP. 'Fun', in a way. This aspect isn't very well documented, a lot of the documentation and example code you can find online seems outdated or plain wrong, so I kind of had to guess how to put things together...

Regardless, I got it to the point that it can connect to an AP and obtain an IP address, so that's nice.

Basic feature set for this menu would be:

* install software over wifi (via TFTP)
* boot installed software (or stock firmware)
* boot software from wifi directly (without installing to FLASH, for testing)
* screen w/ hardware info
* network configuration (enter manual wifi config or scan for networks, IP address etc)
* uninstall menu (revert to stock config)

Possible future extra features:

* install/boot from IR
* boot settings (whether to show the boot menu at all times or require a specific key combo)