In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Difference between revisions of "/dev/usb/btrm"

From WiiUBrew
Jump to navigation Jump to search
m (Minor wording change)
(Add structure for →‎0x0a - Set btConfig)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{DEFAULTSORT:dev/usb/btrm}}
 +
[[Category:Wii U Filesystem]]
 
/dev/usb/btrm is the IOSU device node for the internal Bluetooth module. It provides an interface to communicate with the Wii Remote, Wii Balance Board, and Wii U Pro controller, which is exposed to Cafe OS by [[padscore.rpl]]. Inside IOSU, it uses [[:/dev/uhs|/dev/uhs/1]] to talk to the Bluetooth module, which is connected via internal USB.
 
/dev/usb/btrm is the IOSU device node for the internal Bluetooth module. It provides an interface to communicate with the Wii Remote, Wii Balance Board, and Wii U Pro controller, which is exposed to Cafe OS by [[padscore.rpl]]. Inside IOSU, it uses [[:/dev/uhs|/dev/uhs/1]] to talk to the Bluetooth module, which is connected via internal USB.
 +
 +
==ioctl() interface==
 +
===0x01 - Init smd===
 +
Initializes the Simply Message Dequeue(?) used to send HID packages between the IOSU and PPC.
 +
===0x02 - Create disconnect timer===
 +
===0x03===
 +
Sends an event to the resource queue
 +
===0x04 - Isolate channels===
 +
Sets the afh channels
 +
===0x05 - Sys update===
 +
Flashes a bluetooth firmware image
 +
===0x06 - Init OHCI===
 +
===0x07 - Report process data===
 +
===0x08 - Set devInfo===
 +
===0x09 - BT Disconnect===
 +
===0x0a - Set btConfig===
 +
Sends the following 0x10 byte structure:
 +
<syntaxhighlight lang="C">
 +
typedef struct {
 +
    uint32_t wbc_enabled; // enable / disable Wii Balance Board communication
 +
    uint32_t urrc_enabled; // enable / disable Wii U Pro Controller communication
 +
    uint32_t wii_remote_enabled; // enable / disable Wii Remote communication
 +
    uint8_t max_controllers; // the maximum amount of controllers that can be connected
 +
    uint8_t padding[3];
 +
} btConfig_t;
 +
</syntaxhighlight>
 +
 +
==ioctlv() interface==
 +
===0x00 - Execute function===
 +
This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a [[#Function request|function request]] as input and a [[#Function result|function result]] as output.
 +
 +
==Structures==
 +
===Function request===
 +
This structure identifies which function call to make. It is 0x1008 bytes long, with a request buffer passed to each function. The main identifiers for a function call are two bytes, a library and a function.
 +
<syntaxhighlight lang="C">
 +
/* Function request */
 +
typedef struct
 +
{
 +
    uint8_t request_data[0x1000];
 +
    uint8_t lib, func;
 +
    char unknown1002[0x1004-0x1002];
 +
    uint32_t unknown1004;
 +
} btrm_request_t;
 +
</syntaxhighlight>
 +
 +
===Function result===
 +
This structure contains the output of a function executed by the Bluetooth resource manager.
 +
 +
<syntaxhighlight lang="C">
 +
/* Function result */
 +
typedef struct
 +
{
 +
    uint8_t result_data[0x1000];
 +
    uint8_t some_id;
 +
    char unknown1001[0x1004-0x1001];
 +
    uint32_t unknown1004;
 +
    uint32_t unknown1008;
 +
} btrm_result_t;
 +
</syntaxhighlight>
 +
 +
==Libraries and Functions==
 +
These are the different lib and func parameters which are set in the request struct.
 +
 +
=== Libraries ===
 +
{| class="wikitable sortable"
 +
! Library
 +
! Name
 +
! Notes
 +
|-
 +
| 0x01
 +
|
 +
| Initializes some internal flags
 +
|-
 +
| 0x02
 +
|
 +
| Sets the Bluetooth visibility to connectable
 +
|-
 +
| 0x03
 +
| CMD_WUD
 +
|
 +
|-
 +
| 0x04
 +
| CMD_BTE
 +
|
 +
|-
 +
| 0x05
 +
|
 +
| Sends a message to the resource queue and waits for a reply
 +
|}
 +
 +
=== Functions ===
 +
The function names are only guessed based on their behavior.
 +
 +
==== CMD_WUD (3) ====
 +
{| class="wikitable sortable"
 +
! Function
 +
! Name
 +
! Notes
 +
|-
 +
| 0x04
 +
| start_sync_device
 +
|
 +
|-
 +
| 0x05
 +
|
 +
| Also device sync related
 +
|-
 +
| 0x06
 +
| purge_device_info
 +
| Removes the UC entries for devInfo and devInfoExt
 +
|-
 +
| 0x07
 +
| set_loop_count
 +
| Sets the loop count used when pairing new controllers
 +
|-
 +
| 0x08
 +
| cancel_sync_device
 +
|
 +
|-
 +
| 0x09
 +
| set_disable_channel_imm
 +
| Sets the afh channels
 +
|-
 +
| 0x0a
 +
| start_cleardevice
 +
| Clears all devInfo and devInfoExt entries in UC to 0
 +
|-
 +
| 0x0b
 +
| set_visibility
 +
|
 +
|-
 +
| 0x0c
 +
| set_sniff_mode
 +
|
 +
|-
 +
| 0x0d
 +
| register_new_device
 +
| Adds a new device pairing using it's BDA, name and link key
 +
|-
 +
| 0x0e
 +
| enable_cleardevice_callback
 +
| If enabled, send a callback to the resource queue when cleardevice is done
 +
|-
 +
| 0x0f
 +
| enable_sync_callback
 +
| If enabled, send a callback to the resource queue when a device is synced
 +
|-
 +
| 0x10
 +
| enable_wbc
 +
| Enables WBC (Wii Balance Board connections)
 +
|-
 +
| 0x11
 +
|
 +
| Serial flash related
 +
|-
 +
| 0x12
 +
| serial_flash_mode
 +
|
 +
|-
 +
| 0x13
 +
| serial_flash_write
 +
|
 +
|-
 +
| 0x14
 +
| serial_flash_read
 +
|
 +
|-
 +
| 0x16
 +
|
 +
|
 +
|-
 +
| 0x17
 +
| start_sync_device
 +
|
 +
|-
 +
| 0x19
 +
| store_entry
 +
| Stores an entry in the devInfo array
 +
|-
 +
| 0x1a
 +
| delete_controller_order
 +
| Deletes the controller order
 +
|-
 +
| 0x1b
 +
| disable_sync_callback
 +
| See enable_sync_callback
 +
|-
 +
| 0x1c
 +
|
 +
|
 +
|-
 +
| 0x1e
 +
| disable_wbc
 +
| See enable_wbc
 +
|-
 +
| 0x1d
 +
|
 +
| Returns 0
 +
|}
 +
 +
==== CMD_BTE (4) ====
 +
{| class="wikitable sortable"
 +
! Function
 +
! Name
 +
! Notes
 +
|-
 +
| 0x00
 +
| remove_acl
 +
| Disconnects an acl connection
 +
|-
 +
| 0x01
 +
|
 +
| Returns 0
 +
|-
 +
| 0x02
 +
| hh_close
 +
| Closes an HID host connection
 +
|-
 +
| 0x03
 +
| retrieve_oob
 +
| Retrieves OOB data from the host controller
 +
|}

Latest revision as of 15:38, 11 October 2021

/dev/usb/btrm is the IOSU device node for the internal Bluetooth module. It provides an interface to communicate with the Wii Remote, Wii Balance Board, and Wii U Pro controller, which is exposed to Cafe OS by padscore.rpl. Inside IOSU, it uses /dev/uhs/1 to talk to the Bluetooth module, which is connected via internal USB.

ioctl() interface

0x01 - Init smd

Initializes the Simply Message Dequeue(?) used to send HID packages between the IOSU and PPC.

0x02 - Create disconnect timer

0x03

Sends an event to the resource queue

0x04 - Isolate channels

Sets the afh channels

0x05 - Sys update

Flashes a bluetooth firmware image

0x06 - Init OHCI

0x07 - Report process data

0x08 - Set devInfo

0x09 - BT Disconnect

0x0a - Set btConfig

Sends the following 0x10 byte structure: 

typedef struct {
    uint32_t wbc_enabled; // enable / disable Wii Balance Board communication
    uint32_t urrc_enabled; // enable / disable Wii U Pro Controller communication
    uint32_t wii_remote_enabled; // enable / disable Wii Remote communication
    uint8_t max_controllers; // the maximum amount of controllers that can be connected
    uint8_t padding[3];
} btConfig_t;

ioctlv() interface

0x00 - Execute function

This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a function request as input and a function result as output.

Structures

Function request

This structure identifies which function call to make. It is 0x1008 bytes long, with a request buffer passed to each function. The main identifiers for a function call are two bytes, a library and a function. 

/* Function request */
typedef struct
{
    uint8_t request_data[0x1000];
    uint8_t lib, func;
    char unknown1002[0x1004-0x1002];
    uint32_t unknown1004;
} btrm_request_t;

Function result

This structure contains the output of a function executed by the Bluetooth resource manager. 

/* Function result */
typedef struct
{
    uint8_t result_data[0x1000];
    uint8_t some_id;
    char unknown1001[0x1004-0x1001];
    uint32_t unknown1004;
    uint32_t unknown1008;
} btrm_result_t;

Libraries and Functions

These are the different lib and func parameters which are set in the request struct.

Libraries

Library Name Notes
0x01 Initializes some internal flags
0x02 Sets the Bluetooth visibility to connectable
0x03 CMD_WUD
0x04 CMD_BTE
0x05 Sends a message to the resource queue and waits for a reply

Functions

The function names are only guessed based on their behavior.

CMD_WUD (3)

Function Name Notes
0x04 start_sync_device
0x05 Also device sync related
0x06 purge_device_info Removes the UC entries for devInfo and devInfoExt
0x07 set_loop_count Sets the loop count used when pairing new controllers
0x08 cancel_sync_device
0x09 set_disable_channel_imm Sets the afh channels
0x0a start_cleardevice Clears all devInfo and devInfoExt entries in UC to 0
0x0b set_visibility
0x0c set_sniff_mode
0x0d register_new_device Adds a new device pairing using it's BDA, name and link key
0x0e enable_cleardevice_callback If enabled, send a callback to the resource queue when cleardevice is done
0x0f enable_sync_callback If enabled, send a callback to the resource queue when a device is synced
0x10 enable_wbc Enables WBC (Wii Balance Board connections)
0x11 Serial flash related
0x12 serial_flash_mode
0x13 serial_flash_write
0x14 serial_flash_read
0x16
0x17 start_sync_device
0x19 store_entry Stores an entry in the devInfo array
0x1a delete_controller_order Deletes the controller order
0x1b disable_sync_callback See enable_sync_callback
0x1c
0x1e disable_wbc See enable_wbc
0x1d Returns 0

CMD_BTE (4)

Function Name Notes
0x00 remove_acl Disconnects an acl connection
0x01 Returns 0
0x02 hh_close Closes an HID host connection
0x03 retrieve_oob Retrieves OOB data from the host controller
Retrieved from "https://wiiubrew.org/w/index.php?title=/dev/usb/btrm&oldid=3294"