/dev/usb/btrm
/dev/usb/btrm is the IOSU device node for the internal Bluetooth module. It provides an interface to communicate with the Wii Remote, Wii Balance Board, and Wii U Pro controller, which is exposed to Cafe OS by padscore.rpl. Inside IOSU, it uses /dev/uhs/1 to talk to the Bluetooth module, which is connected via internal USB.
ioctl() interface
0x01 - Init smd
Initializes the Simply Message Dequeue(?) used to send HID packages between the IOSU and PPC.
0x02 - Create disconnect timer
0x03
Sends an event to the resource queue
0x04 - Isolate channels
Sets the afh channels
0x05 - Sys update
Flashes a bluetooth firmware image
0x06 - Init OHCI
0x07 - Report process data
0x08 - Set devInfo
0x09 - BT Disconnect
0x0a - Set btConfig
Sends the following 0x10 byte structure:
typedef struct {
uint32_t wbc_enabled; // enable / disable Wii Balance Board communication
uint32_t urrc_enabled; // enable / disable Wii U Pro Controller communication
uint32_t wii_remote_enabled; // enable / disable Wii Remote communication
uint8_t max_controllers; // the maximum amount of controllers that can be connected
uint8_t padding[3];
} btConfig_t;ioctlv() interface
0x00 - Execute function
This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a function request as input and a function result as output.
Structures
Function request
This structure identifies which function call to make. It is 0x1008 bytes long, with a request buffer passed to each function. The main identifiers for a function call are two bytes, a library and a function.
/* Function request */
typedef struct
{
uint8_t request_data[0x1000];
uint8_t lib, func;
char unknown1002[0x1004-0x1002];
uint32_t unknown1004;
} btrm_request_t;Function result
This structure contains the output of a function executed by the Bluetooth resource manager.
/* Function result */
typedef struct
{
uint8_t result_data[0x1000];
uint8_t some_id;
char unknown1001[0x1004-0x1001];
uint32_t unknown1004;
uint32_t unknown1008;
} btrm_result_t;Libraries and Functions
These are the different lib and func parameters which are set in the request struct.
Libraries
| Library | Name | Notes |
|---|---|---|
| 0x01 | Initializes some internal flags | |
| 0x02 | Sets the Bluetooth visibility to connectable | |
| 0x03 | CMD_WUD | |
| 0x04 | CMD_BTE | |
| 0x05 | Sends a message to the resource queue and waits for a reply |
Functions
The function names are only guessed based on their behavior.
CMD_WUD (3)
| Function | Name | Notes |
|---|---|---|
| 0x04 | start_sync_device | |
| 0x05 | Also device sync related | |
| 0x06 | purge_device_info | Removes the UC entries for devInfo and devInfoExt |
| 0x07 | set_loop_count | Sets the loop count used when pairing new controllers |
| 0x08 | cancel_sync_device | |
| 0x09 | set_disable_channel_imm | Sets the afh channels |
| 0x0a | start_cleardevice | Clears all devInfo and devInfoExt entries in UC to 0 |
| 0x0b | set_visibility | |
| 0x0c | set_sniff_mode | |
| 0x0d | register_new_device | Adds a new device pairing using it's BDA, name and link key |
| 0x0e | enable_cleardevice_callback | If enabled, send a callback to the resource queue when cleardevice is done |
| 0x0f | enable_sync_callback | If enabled, send a callback to the resource queue when a device is synced |
| 0x10 | enable_wbc | Enables WBC (Wii Balance Board connections) |
| 0x11 | Serial flash related | |
| 0x12 | serial_flash_mode | |
| 0x13 | serial_flash_write | |
| 0x14 | serial_flash_read | |
| 0x16 | ||
| 0x17 | start_sync_device | |
| 0x19 | store_entry | Stores an entry in the devInfo array |
| 0x1a | delete_controller_order | Deletes the controller order |
| 0x1b | disable_sync_callback | See enable_sync_callback |
| 0x1c | ||
| 0x1e | disable_wbc | See enable_wbc |
| 0x1d | Returns 0 |
CMD_BTE (4)
| Function | Name | Notes |
|---|---|---|
| 0x00 | remove_acl | Disconnects an acl connection |
| 0x01 | Returns 0 | |
| 0x02 | hh_close | Closes an HID host connection |
| 0x03 | retrieve_oob | Retrieves OOB data from the host controller |