= Bluetooth Communication =
The wiimote communicates with the host over standard Bluetooth. It can be placed into discoverable mode for 20 seconds by pressing the '''''sync''''' button on its back under the battery cover or by pressing the 1 and 2 buttons at the same time; if no host connects within those 20 seconds the wiimote turns itself off. Holding down the 1 and 2 buttons continuously forces the wiimote to stay in discoverable mode without turning off. This does not work with the ''sync'' button, though. While in discoverable mode, a number of the player LEDs blink according to the battery level: with a full battery all four LEDs blink, and the lower the battery the fewer LEDs blink. During device inquiry the host will find all discoverable nearby wiimotes. The host can then establish a Bluetooth baseband connection to the wiimote; '''no Bluetooth pairing is needed'''. If pairing is performed, however, the wiimote is able to reconnect to the host on its own after a disconnect.

After a Bluetooth baseband connection is established (with or without pairing) the [[#HID Interface | HID channels can be opened]] and used for reading and writing reports from/to the wiimote.
== Bluetooth Pairing ==
The wiimote supports only the legacy Bluetooth pairing method, which involves sending a PIN to the wiimote. Pairing is not required to use a wiimote: you can proceed by establishing a HID connection without pairing at all. If the wiimote is paired, however, it will actively seek out its last connected host after a disconnect and re-establish the connection. The following section explains Bluetooth device pairing; if no pairing is required, [[#HID Interface | skip this section]].

Pairing must be initiated by the host by sending an "Authentication Requested" HCI command to its Bluetooth device. The Bluetooth device will ask the host for a link key, which must be rejected (Link Key Request Negative Reply) so that it asks for a PIN code instead. The PIN code is the binary Bluetooth address backwards (last printed byte first): the '''wiimote's''' address when discoverable mode was entered with the 1 and 2 buttons, and the '''host adapter's''' address when it was entered with the ''sync'' button. Either way the PIN is 6 raw bytes, not an ASCII string. It will usually contain a 0x00 byte, so it must be submitted in the PIN Code Request Reply with an explicit length of 6; pairing APIs that treat the PIN as a NUL-terminated text string truncate it and fail. The following short piece of C code calculates the PIN for the 1+2 case:
<pre>
/* Assume the wiimote has the Bluetooth address "00:1E:35:3B:7E:6D".
 * The legacy PIN is the six raw address bytes in reverse order. It is a
 * byte array, not a C string: the last byte here is 0x00, so always pass
 * the length (6) explicitly and never use strlen() on it. */
unsigned char pin[6];

pin[0] = 0x6D;
pin[1] = 0x7E;
pin[2] = 0x3B;
pin[3] = 0x35;
pin[4] = 0x1E;
pin[5] = 0x00;

/* "pin" now holds the 6-byte PIN to submit in the PIN Code Request Reply. */
</pre>
After the PIN has been submitted to the Bluetooth device via the PIN Code Request Reply HCI command, the link-key exchange completes and the local device reports successful authentication (an HCI Authentication Complete event with status 0); the pairing is established and both devices are '''bonded''' now. After pairing you continue with [[#HID Interface | establishing the HID connection]] the ''same way as without pairing''.
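The PIN derivation described above, generalized to both button cases and to any address, as an added example (this is not code from the original page or from any wiimote library; the enum, function names and the host address "00:11:22:33:44:55" are assumptions made for illustration):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "AA:BB:CC:DD:EE:FF" into six bytes in printed order.
 * Returns 0 on success, -1 if the text is not exactly that shape. */
static int bdaddr_parse(const char *text, uint8_t out[6])
{
    unsigned int b[6];
    int consumed = 0;
    if (sscanf(text, "%2x:%2x:%2x:%2x:%2x:%2x%n",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &consumed) != 6 ||
        text[consumed] != '\0')
        return -1;
    for (int i = 0; i < 6; i++)
        out[i] = (uint8_t)b[i];
    return 0;
}

/* Which button put the wiimote into discoverable mode decides whose
 * address forms the PIN: 1+2 uses the wiimote's own address, the red
 * sync button uses the host adapter's address. (Assumed names.) */
enum wiimote_sync_mode { WIIMOTE_SYNC_BUTTONS_1_2, WIIMOTE_SYNC_RED_BUTTON };

/* Build the 6-byte legacy PIN: the chosen address with its bytes reversed
 * (last printed byte first). The PIN is raw binary, never a C string.
 * Returns 0 on success, -1 if the address text is malformed. */
static int wiimote_pin(enum wiimote_sync_mode mode, const char *wiimote_addr,
                       const char *host_addr, uint8_t pin[6])
{
    uint8_t raw[6];
    const char *src = (mode == WIIMOTE_SYNC_RED_BUTTON) ? host_addr : wiimote_addr;
    if (bdaddr_parse(src, raw) != 0)
        return -1;
    for (int i = 0; i < 6; i++)
        pin[i] = raw[5 - i];
    return 0;
}

/* Number of bytes a NUL-terminated string API would actually submit.
 * Anything below 6 means the stack would send a truncated PIN. */
static size_t pin_bytes_if_treated_as_string(const uint8_t pin[6])
{
    size_t n = 0;
    while (n < 6 && pin[n] != 0)
        n++;
    return n;
}

static void print_pin(const char *label, const uint8_t pin[6])
{
    printf("%s:", label);
    for (int i = 0; i < 6; i++)
        printf(" %02X", pin[i]);
    printf("  (a string API would send %zu of 6 bytes)\n",
           pin_bytes_if_treated_as_string(pin));
}

int main(void)
{
    uint8_t pin[6];
    /* Wiimote address taken from the page; the host address is a
     * constructed example value. */
    const char *wiimote = "00:1E:35:3B:7E:6D";
    const char *host = "00:11:22:33:44:55";

    if (wiimote_pin(WIIMOTE_SYNC_BUTTONS_1_2, wiimote, host, pin) == 0)
        print_pin("1+2 pairing PIN (wiimote address reversed)", pin);
    if (wiimote_pin(WIIMOTE_SYNC_RED_BUTTON, wiimote, host, pin) == 0)
        print_pin("sync-button PIN (host address reversed)", pin);
    return 0;
}
```

Because every address starting with a 00 octet produces a PIN ending in 0x00, `pin_bytes_if_treated_as_string` reports 5 for both cases above; that is exactly the truncation that breaks pairing when the PIN is passed through a text-string API instead of an HCI PIN Code Request Reply with length 6.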
If the host has successfully bonded with the wiimote '''and established a HID connection''', the wiimote saves the Bluetooth address of the host and enables ''single press reconnection''. That means that if the wiimote is now disconnected from the host, it will actively seek out the host when '''any''' button is pressed and establish a baseband and HID connection. The wiimote never actively sends pairing requests, since this is not needed. Remember that this works with '''any''' button, not only the power button. However, after establishing the connection the wiimote sends a [[#Data Reporting | button-input-report]], which lets the host see which button was pressed, so the host may reject the new connection if any button except the power button was pressed.
The newer pairing method SSP (Secure Simple Pairing) is not supported. It has also not yet been investigated whether a link key has to be created (by sending a PIN) on every connection or whether the link key can be saved and reused on new connections. Creating a new link key on every connection works fine, though.
The wiimote has space for several host addresses (at least 3 are known to work), so it can be paired with more than one host (such as a PC and a Wii). It tries to reconnect to the hosts in reverse order: the last paired host is tried first, and so on. If buttons 1 and 2 or the ''sync'' button on its back are pressed, the wiimote does not actively seek out its host but instead places itself in discoverable mode and waits for incoming connections, so pairing does not conflict with normal host-initiated connections.
It is not known how to remove the stored host addresses from the wiimote. With some investigation it should be possible to locate them in the EEPROM and manipulate them. Note the consequence: a paired wiimote will, on any button press, actively initiate a connection to every host it remembers, and there is no documented way to revoke that. If this is considered a security issue, do not pair your devices and instead connect without pairing as described above.
== SDP information ==
When queried with the Bluetooth Service Discovery Protocol ([http://www.palowireless.com/infotooth/tutorial/sdp.asp SDP]), the Wii Remote reports back a great deal of information. In particular, it reports:
{| style="border: 1px solid #ccc; background-color: #eef; border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em;"
| style="border: 1px solid #ccc; padding: 0.2em;" | 0x002504
|}
== HID Interface ==
The HID connection consists of two Bluetooth L2CAP channels, as defined by the Bluetooth HID profile: the control channel on PSM 0x11 and the interrupt channel on PSM 0x13. The host opens the control channel first, then the interrupt channel. On this page PSM 0x11 is used for writing reports to the wiimote and PSM 0x13 for reading reports from it.

The HID standard allows devices to be self-describing by means of a HID descriptor block. This block includes an enumeration of the reports that the device understands. A report can be thought of as similar to a network port assigned to a particular service. Reports are unidirectional, however, and the HID descriptor lists for each report its direction (Input or Output) and its payload size. Like all Bluetooth HID devices, the Wii Remote returns its HID descriptor block when queried via SDP. No information regarding the actual data units within each report is returned, only the length in bytes, so the meaning of each byte has to be found by reverse engineering.
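To make concrete what the descriptor does and does not tell you, here is an added example (not code from the original page or from any wiimote project) that walks a HID report descriptor and lists, per report ID and direction, the payload size in bytes. The descriptor bytes in `sample_descriptor` are constructed for this example: a two-report gamepad with one 1-byte Output report (ID 0x11) and one 2-byte Input report (ID 0x30); it is not the Wii Remote's real descriptor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct hid_report {
    uint8_t id;      /* Report ID (0 if the descriptor never sets one) */
    char dir;        /* 'I' for Input, 'O' for Output */
    unsigned bits;   /* accumulated payload bits for this id+direction */
    unsigned bytes;  /* payload size in bytes, rounded up */
};

/* Walk the short items of a HID report descriptor (USB HID 1.11, 6.2.2).
 * Global items Report ID / Report Size / Report Count set the state; each
 * Input or Output main item contributes size*count bits to the report it
 * belongs to. Long items are skipped. Returns the number of reports found. */
static size_t hid_list_reports(const uint8_t *d, size_t len,
                               struct hid_report *out, size_t max)
{
    uint32_t report_size = 0, report_count = 0;
    uint8_t report_id = 0;
    size_t n = 0, i = 0;

    while (i < len) {
        uint8_t prefix = d[i++];
        if (prefix == 0xFE) {                 /* long item: size, tag, data */
            if (i + 1 >= len) break;
            i += 2 + d[i];
            continue;
        }
        size_t sz = prefix & 0x3;             /* bSize: 0,1,2 or 4 bytes */
        if (sz == 3) sz = 4;
        uint8_t type = (prefix >> 2) & 0x3;   /* 0 main, 1 global, 2 local */
        uint8_t tag = prefix >> 4;
        if (i + sz > len) break;              /* truncated descriptor */
        uint32_t val = 0;
        for (size_t k = 0; k < sz; k++)
            val |= (uint32_t)d[i + k] << (8 * k);
        i += sz;

        if (type == 1) {                      /* global items */
            if (tag == 0x7) report_size = val;
            else if (tag == 0x8) report_id = (uint8_t)val;
            else if (tag == 0x9) report_count = val;
        } else if (type == 0 && (tag == 0x8 || tag == 0x9)) {
            char dir = (tag == 0x8) ? 'I' : 'O';   /* Input / Output */
            size_t j;
            for (j = 0; j < n; j++)
                if (out[j].id == report_id && out[j].dir == dir) break;
            if (j == n) {
                if (n == max) break;
                out[n].id = report_id; out[n].dir = dir; out[n].bits = 0;
                n++;
            }
            out[j].bits += report_size * report_count;
        }
    }
    for (size_t j = 0; j < n; j++)
        out[j].bytes = (out[j].bits + 7) / 8;
    return n;
}

/* Constructed sample descriptor (not the Wii Remote's real one). */
static const uint8_t sample_descriptor[] = {
    0x05, 0x01,  /* Usage Page (Generic Desktop) */
    0x09, 0x05,  /* Usage (Game Pad) */
    0xA1, 0x01,  /* Collection (Application) */
    0x85, 0x11,  /*   Report ID (0x11) */
    0x75, 0x08,  /*   Report Size (8 bits) */
    0x95, 0x01,  /*   Report Count (1) */
    0x91, 0x00,  /*   Output: 1 byte */
    0x85, 0x30,  /*   Report ID (0x30) */
    0x95, 0x02,  /*   Report Count (2) */
    0x81, 0x00,  /*   Input: 2 bytes */
    0xC0         /* End Collection */
};

int main(void)
{
    struct hid_report r[16];
    size_t n = hid_list_reports(sample_descriptor, sizeof sample_descriptor, r, 16);
    for (size_t i = 0; i < n; i++)
        printf("report 0x%02X %s: %u byte(s)\n", r[i].id,
               r[i].dir == 'I' ? "Input " : "Output", r[i].bytes);
    return 0;
}
```

The output shows exactly the two facts the paragraph says SDP gives you, ID/direction and length, and nothing about what the bytes mean: the descriptor never names a Usage for the individual bytes, which is why the payload layout of each Wii Remote report had to be reverse engineered.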