Wii-Mote Firmware Dumped
SparkFun has ripped apart their wiimote and was able to dump the data on the EEPROM. Here is what they had to say:
For more close up pics of the wii mote and an in depth description of all of it's chips and traces visit SparkFunWe hot-aired off the EEPROM and soldered it down to our SSOP breakout board. We then hooked up the unit to an AVR micro that could handle the I2C communication and clocked out all the I2C data from the M24128 into the AVR and down the serial pipe to the computer and captured it. My bet was that the EEPROM contained all constants like Bluetooth ID, firmware revision, etc. And that all the fun Wii Remote functionality was burned into the Broadcom part. David's bet was that the Broadcom part was just the Bluetooth HID stack and protocol and that it pinged the EEPROM during boot up for actual Wii Controller firmware. We were both right!
Looking at the binary file, the fun thing to note is the word 'Nintendo' a couple thousand bytes into the file. Boy would that be fun to alter. The real kicker was that we found unencrypted 8051 code in the file. We don't know if it is checksumed or anything, but you should be able to hack away. This seems to indicate that the entire Wii Remote functionality is contained on this M24128 EEPROM. Nifty.
1 Comment:
From an old blog news thingy, it said that homebrew was possible on the wii through an exploit, I was just wondering if it meant backups of GC games were playable...
Click Here to Post a Comment