Logitech USB steering wheel

Overview

The Logitech Speed Force Wireless Wheel system uses a USB dongle to connect to the wheel using a propriatory 2.4GHz wireless link. The wheel is intended to sit on one's lap and is powered by a 'wall wart'. The wheel has D pad, 7 buttons and 2 analogue paddles on the rear of the wheel.

The dongle contains a micro controller and nRF24L01 transceiver, the circuit is similar to this. The switch is used to trigger a re-bonding, although the link is not active to start with. The LED flashes initially to indicate 'not bonded' and then goes out when the link is established, it flashes briefly as data is received from the wheel.

The wheel hardware contains the nRF24L01, a ATMEGA micro, and a PWM/Full-bridge driver (for controlling the motor). The micro scans the buttons mounted on the wheel, digitised the wheel/acc/brake positions and sends them to the PC/Dongle.

Supported games are (reputed to be):

F1 2009
Speed Zone
Dirt 2
Ferrari Challenge
Need for Speed Undercover

This wheel is currently (Sept 2010) on clearance for less than $10, an obvious attraction to the hard-core hacker. This page described the protocol in an attempt to make this wheel work with other systems.

Protocol

The dongle is a standard USB HID device. The feature port is used to configure the dongle/wireless link, the in-port reads data from the wheel and the out-port is used to send Force Feedback commands.

HID Joystick

The dongle has the USB ID 0x046D:0xC29C, the HID descriptor is (unfortunately) corrupt. Under Windows XP the device is seen as a HID device with a combined X/Y axis, Z axis and 11 buttons. Under Linux the device is seen as HID device with X, Y and Z axis, but no buttons.

05 01 09 04 A1 01 A1 02 95 01 75 0A 15 00 26 FF
03 35 00 46 FF 03 09 30 81 02 06 00 FF 95 02 75
01 25 01 45 01 09 01 81 02 95 0B 19 01 29 0B 05
09 81 02 06 00 FF 95 01 75 01 09 02 81 02 05 01
75 08 26 FF 00 46 FF 00 09 31 09 32 95 02 81 02
C0 A1 02 06 00 FF 95 07 09 03 91 02 C0 0A FF FF
95 08 B1 02 C0

The solution (on Linux) is to re-write the descriptor on the fly, after that the axis/buttons are recognized correctly (even though the wireless link is not active yet).

       if ((quirks & LG_WIIWHEEL) && rsize >= 101 && 
                       rdesc[41] == 0x95 && rdesc[42] == 0x0B &&
                       rdesc[47] == 0x05 && rdesc[48] == 0x09) {
               dev_info(&hdev->dev, "fixing up Logitech WiiWheel button "
                               "descriptor\n");
               rdesc[41] = 0x05;
               rdesc[42] = 0x09;
               rdesc[47] = 0x95;
               rdesc[48] = 0x0B;
       }

Configuration

The Wheel/Dongle are configured by writing to the feature port of the USB dongle. This allows the control of the 'on-air' features, such as initiating the wireless link, controlling the RF channel/hooping sequence and RF addressing (sub-channel coding).

When first plugged in the wireless link between the dongle and the wheel is not active, the link can be 'brought up' with writing the '0xAF Command' followed by the '0xB2 Command'.

Configure RX/TX Address?: Byte 1 - 0xA9; Byte 2 - 2nd and 4th Address/Sub-Channel Bytes; Byte 3 = 3rd and 5th Address/Sub-Channel Bytes; Note 1st Sub-Channel byte is always 0xAE

RF Test Mode: Byte 1 = 0xAC; Byte 2 = Test Mode; 0 - Normal Mode (LED flashes on/off as normal); 1 - Constant TX (LED on), RF channel in 'P3' (can kill WiFi ;-); 2 - Pulsed TX (LED flashes long-on/short-off); 3 - Receive Only? (LED off), RF channel in 'P3'. Continually polls nRF24L01 status and clears; Byte 3 - RF Channel/Frequency

Initialise communications: Byte 1 - 0xAF; Byte 2 - Hopping Sequence (0x00..0x0F)

Change RX/TX Address: Byte 1 - 0xB2; Byte 2 - 2nd and 4th Address/Sub-Channel Bytes; Byte 3 = 3rd and 5th Address/Sub-Channel Bytes; Note 1st Sub-Channel byte is always 0xAE

The following do not cause SPI activity to the nRF24L01

Check Status?: Byte 1 - 0xA8; Returns RX/TX Address bytes in Byte 5 and Byte 6; Returns 'button' pressed in Byte 7 bit 5; Returns something in Byte 7 bits 4..0 related to 'LED mode' (not a direct map); Returns something in Byte 8 which depends on Byte 2 sent

LED Mode: Byte 1 - 0xAA; Byte 2 - changes the way the LED flashes, unknown what is actually happening

Unknown: Byte 1 - 0xAE; Doesn't clear Byte 1 bit 7, like the other commands. Perhaps it is waiting for something...; Returns 0x14 in Byte 5 and 0x00 in Byte 6

Active Address?: Byte 1 - 0xB3; Only clears Byte 1 bit 7 if Command '0xAF' is issued first; Returns values in Byte 5 and Byte 6 which are the values from Command '0xB2' Bytes 2 & 3

Force Feedback

There are a number of force feed back codes which can be written to the USB out-port, some of these are know/understood but assistance is required to further reverse engineer the rest.

The Force Feedback configuration is sent continuously over the wireless link, which takes the form of a 31 byte payload. The wheel is capable of supporting 4 simultaneous effects, plus an additional auto-center effect. The various effects are upload into 'slots', the format is as follows:

Bytes 1..4 - Unknown

Bytes 5..10 - Effect Slot 1

Bytes 11..16 - Effect Slot 2

Bytes 17..22 - Effect Slot 3

Bytes 23..28 - Effect Slot 4

Bytes 29..30 - Auto Center

Bytes 31.. - Unknown

The selected slot for an effect is encoded into the 1st byte of the OUT-Endpoint write. Multiple effects can be active at any time, but it is unknown how multiple forces are rationalized by the wheel.

0x11 : Slot 1

0x21 : Slot 2

0x31 : Slots 1 + 2

0x41 : Slot 3

0x51 : Slots 3 + 1

0x61 : Slots 3 + 2

0x71 : Slots 3 + 2 + 1

0x81 : Slot 4

0x91 : Slots 4 + 1

0xA1 : Slots 4 + 2

0xB1 : Slots 4 + 2 + 1

0xC1 : Slots 4 + 3

0xD1 : Slots 4 + 3 + 1

0xE1 : Slots 4 + 3 + 2

0xF1 : Slots 4 + 3 + 2 + 1

0x_E : Auto Center

The type of effect is encoded in the second byte of the out-port write, with specific settings for the effect in the further bytes.

AutoCenter: Byte 2 - 0x0D; Byte 3 - Proportion of force anti-clockwise (0x00..0x07); Byte 4 - Proportion of force clockwise (0x00..0x07); Byte 5 - Force (0x00..0xFF); Byte 6 & 7 - 0x00

Constant Force: Byte 2 - 0x10; Byte 3 - Force Clockwise and Anticlock (0x00..0xFF - 00x00 is to right, 0x80 is zero force, 0xFF is to left); Byte 4..7 - set 0x00

Auto/Anti Center (Complex): This is similar to a spring force; Byte 2 - 0x11; Byte 3 - Clockwise angle, nominally on left (0x00..0xFF - 0x00 if fully left); Byte 4 - Anti-Clockwise angle, nominally on right(0x00..0xFF); Byte 5 - Proportional force, upper nymble Clockwise + lower nymble Anticlockwise (each 0x0..0xF); Byte 6 - Reverse Direction; upper nymble Clockwise + lower nymble Anticlockwise (each 0x0..0x1); Byte 7 - Force (0x00..0xFF)

Friction Force: Byte 2 - 0x12; Byte 3 - Clockwise force (0x00..0x0F); Byte 4 - Clockwise Resist = 0x00, Assist = 0x01..0x0F; Byte 5 - Anticlockwise force (0x00..0x0F); Byte 6 - Anticlockwise Resist = 0x00, Assist = 0x01..0x0F; Byte 7 - Unknown mystery command, pulls to center/left/right dependent on value.

Auto/Anti Center (Complex): Is this any different to '0x11'?; Byte 2 - 0x13; Byte 3 - Clockwise angle, nominally on left (0x00..0xFF); Byte 4 - Anti-Clockwise angle, nominally on right(0x00..0xFF); Byte 5 - Proportional force, upper nymble Clockwise + lower nymble Anticlockwise (each 0x0..0xF); Byte 6 - Reverse Direction; upper nymble Clockwise + lower nymble Anticlockwise (each 0x0..0x1); Byte 7 - Force (0x00..0xFF)

De-associate: this is probably unintentional, the result of not correctly understanding the proper operation of the wheel.; Byte 2 - 0x_F; Byte 3, 4, 5, 6 & 7 - anything (set 0x00)

Testing/Hacking

A simple Linux/Python script for testing these codes can be found here. --Mungewell 17:14, 8 September 2010 (CEST)

Apparently there is a port of LibUSB to Windows, it may be possible to produce a small application which would enable the wireless interface without the need to write a full Windows driver.

Interestingly the dongle/wheel remain bonded through a reboot of a PC, so the link can be enable in Linux and then the wheel will work under XP (with the corrupted axis mapping).