Wii-mote guts


I promise. No more 'Wii' jokes. My brother sent me the link to www.WiiHaveAProblem.com featuring all the damage caused by thrown remotes, which sparked my interest in how the Wii remote worked. I had to tear one open! This new gaming system from Nintendo is the first maker to really flood the market with a triple-axis accelerometer with Bluetooth? connectivity. Simple right? We've had this for a couple years now. Checkout the our WiTilt product. It featured the MMA7260Q, the first commercially available tri-ax chip from Freescale connected with a Bluetooth? module for wireless accelerometer sensing. Nintendo made it so much more fun...

My apologies for the large pictures causing the page layout to crunch. It's more important to be able to read the IC markings!


 

Good bye friend.

Care of Ebay. I think we paid ~$55. Not bad for the Christmas crazy time of year. This unit had a Target sticker on the back of the packaging.

This is the piece of string that started all the craze. My unit is the original, thin line, not safe for humans, version. If you don't already know, Nintendo has had problems with players using the Wii far more energetically than expected. The players are 'bowling' or boxing or swinging the Wii remote so hard during a game, that the remote is coming out of their hands. Well, that's what the strap was made for! Unfortunately the itty bitty piece of string connecting the wrist strap to the remote snaps and the Wii remote goes rocketing across the room killing TVs, breaking glasses, light fixtures, and in some cases causing mild black eyes. I must play these games!

Japanese engineering at its best. Poo.

Hurdle number 1 was getting the plastic retail packaging open without loosing a finger. Hurdle numero dos is getting these fun 'y' shaped screws out. Luckily, while these screws are not standard, they are not exotic either. Any security bit set should have this type of bit. I also liked the FCC ID : POO-WC45.

Slight modification

I had the bit, but the lower two holes where too small. So a little drilling and I was able to remove the four screws. There were two plastic latches at the top of the remote as well. Nothing a flat head screw driver couldn't take care of.

Finally inside, we start to see some of the features Nintendo is purporting. The speaker is the black disc with two tabs. The accelerometer (ok, I'll spoil it) ADXL330 from analog devices is picture at the head of the screw driver.

On the flip side we see the various other components. Further down we have the small vibrator motor for that 'rumble' feeling. And finally the IR sensor at the end of the board.

I couldn't identify the Nintendo connector off the bat. I hate proprietary connectors. When will they learn to follow the iRobot/Roomba way? Next we have a 4V 3300uF cap. What would this big cap be used for? Must be for cleaning up a DC to DC switcher circuit. But with two AAs, you get ~3V. One should be able to run the Bluetooth? IC and ADXL330 off of 2.8 or even 1.8V. Normally, engs de-rate capacitors by 50%. So if the circuit runs at 5V, you need at least a 10V cap. Following that logic, this cap must sit on a 1.8V bus, but 3300uF? That's a lot of smoothing.

12-20-06: One reviewer suggested the cap acted as a small power supply when the play action got heated. If a user is playing actively enough, the AA batteries may compress the springs enough to temporarily disconnect the batteries from the system - at least for a split second. The large cap supplies the power for the system momentarily - a mini UPS if you will. Interesting theory. In reality, I'm not sure if the batteries ever compress the springs entirely (causing disconnect) but the movement may be enough to increase the point resistance where the batts touch the power connectors - decreasing the battery voltage momentarily. Your guess is as good as mine.

Next we have the scan push button and fancy AA battery clips (very nicely designed).

Broadcom Bluetooth?

U7849 6Q63 could be anything. All those flat round things (330, 100, 4R7) are inductors 33uH, 10uH, and 4.7uH. These are predominantly used for DC to DC step-up or step-down (also called boost and buck respectively). They can also be used for filtering - probably both on this board. Filtering is crucial for a clean RF signal out of the Broadcom Bluetooth? IC (center).

BCM2042 is a low-cost Bluetooth? wireless keyboard/mouse IC. It features an 8051 core and RAM/ROM memory featuring the HID Bluetooth? profile and stack. Any chance they used a flash part that we can hack instead of the masked ROM (un-changeable) version? Highly unlikely. But lemme know if someone figures out how to get into the core. The small crystal is 24MHz. They make it look so easy don't they?

IR sensor, vibe motor, and lots of Test Points.

Top side - connector end.

Here you get a feel for the pinout of the connector. The small LEDs are shown. I can't identify M 626 3322 IC but it has the Mitsumi logo - seems to be connected to something on the power system.

Hitting Digikey, the H7824HE comes up as an MSOP-8pin Mobile Phone Audio device from Rohm - that seems very plausible as it is located near the speaker connection.

Accelerometer and EEPROM

Finally, the ADXL330 with date code 0614 (my chip was manufactured the 1st week of April of 2006!) with the 'to be expected' three axis filtering caps and power decoupling cap. The ST 4128 BWP part seems to be a 128kbit I2C serial EEPROM - datasheet is here. This agrees with the pinout of the ST datasheet. Pins 1 through 4 are grounded (address lines E0,1,2 are 0), VCC is pin 8. Pin 7 is WC (write control) and is tied to resistor R38. Pins 6/5 are the Serial Data (SDA) and Serial Clock (SCL) lines. Anyone feel like clocking out the internals of the I2C EEPROM? My guess is that it contains mundane info like a Bluetooth? identifier, perhaps a serial number, and some trimming values for the accelerometer and IR sensor. A task for another tutorial some day...

Okay so we couldn't wait that long.

The M24128 128kbit EEPROM from the Wii Remote

We hot-aired off the EEPROM and soldered it down to our SSOP breakout board. We then hooked up the unit to an AVR micro that could handle the I2C communication and clocked out all the I2C data from the M24128 into the AVR and down the serial pipe to the computer and captured it. You will find the binary file here. My bet was that the EEPROM contained all constants like Bluetooth? ID, firmware revision, etc. And that all the fun Wii Remote functionality was burned into the Broadcom part. David's bet was that the Broadcom part was just the Bluetooth?   HID stack and protocol and that it pinged the EEPROM during boot up for actual Wii Controller firmware. We were both right!

Looking at the binary file, the fun thing to note is the word 'Nintendo' a couple thousand bytes into the file. Boy would that be fun to alter. The real kicker was that we found unencrypted 8051 code in the file. We don't know if it is checksumed or anything, but you should be able to hack away. This seems to indicate that the entire Wii Remote functionality is contained on this M24128 EEPROM. Nifty.

12-20-06: Savvy Nintendo reviewers claim the EEPROM also probably contains 'Miis' - I've never played Wii before so I had to ask about this 'Mii'. To my understanding, it's a type of Avatar or user settings that are stored on the Wii Remote iteself. Perhaps we could use this Mii storage to get the Wii to change the EEPROM contents, thus giving us two binary files to compare and to backout checksum info.

And just so you know, there are two test points on the board that allow access to SDA and SCL. We didn't reprogram the EEPROM in circuit, but one could do so relatively easily. We haven't located the WC test point. We're pretty sure the resistor near the EEPROM is pulling WC high to write protect it. Hot-airing off this resistor and tying that pin to ground would permanently put the EEPROM in writeable mode - or you could find the WP pin test point and control it off board.

While the firmware seems to be pulled open, we haven't found the checksum. We would need to crack open another Wii with a different firmware version - compare the two, and back-out the checksum. Once this is done, it's happy coding time. We don't have plans for doing this, but then again, if someone else pulls their firmware off, please let us know what you find! 


So there are the internals of the infamous Wii Remote. Happy holidays and watch out for wii-motes flying at your head! -NES

December 19th 2006

Comments 7 comments

  • this is a very old post but i still hoping to get answer(s) i want to use multiple wiimotes at the same time but i have a big problem with their “Nintendo "RVL-CNT-01” names that computer can detect only one of them and i don’t know how to rename them i found out that EEPROM contains the name from your binary file and now i want to rename it with changing EEPROM content but I’m not much familiar with programming stuff i should read EEPROM to bin and then open it with notepad++ and change the name (RVL-CNT-01) and save it and then write it back to EEPROM? or i should edit it’s hex format? should i choose the same length as “RVL-CNT-01” has? hex length or decimal type?

    sorry if it is so noob question and thank you in advance

  • Hi nate. It is an interesting article. I really like it. I have some problems with my WiiMote and i need some help to fix it. It is dead. No power. Nothing. Its not battery problem or another “simple” problem. could you please give me your email or something to contact you? I would really appreciate it.
    I hope you help me…

  • (oops, double post) if the whole data.bin file is 8051 code, I disassembled the bin file, so here is the assembly.

  • if the whole data.bin

  • Do you think one could order one of the IR sensors as a “replacement” as I want to try one out without destroying my wiimote (not from you). Else could you list the part Name.

  • The U7849 6Q63 chip is ROHM’s ADPCM decoder LSI (BU7849?) and 6Q63 is Lot No., I guess. See here. –Demo-n 00:52, 5 January 2007 (EST)
    (http://www.wiili.org)

  • It’s a very interesting article about wiimote. It has more details than howstuffworks! congratulations!