/dev/usb/btrm: Difference between revisions

From WiiUBrew
Jump to navigation Jump to search
← Older editNewer edit →
Neobrain (talk | contribs)
47 edits
No edit summary
Add more info about lib and function requests
Line 5: Line 5:
==ioctlv() interface==
==ioctlv() interface==
===0x00 - Execute function===
===0x00 - Execute function===
This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a [[#Function identifier buffer|function identifier buffer]] as input and a [[#Function result buffer|function result buffer]] as output.
This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a [[#Function request|function request]] as input and a [[#Function result|function result]] as output.


==Structures==
==Structures==
===Function identifier buffer===
===Function request===
This structure identifies which function call to make. It is 0x1008 bytes long, with many unknown (unused?) fields set to 0. The main identifiers for a function call are two bytes, a library and a function.
This structure identifies which function call to make. It is 0x1008 bytes long, with a request buffer passed to each function. The main identifiers for a function call are two bytes, a library and a function.
<syntaxhighlight lang="C">
<syntaxhighlight lang="C">
/* Function identifier */
/* Function identifier */
typedef struct
typedef struct
{
{
     char unknown0[0x1000-0x0];
     uint8_t request_data[0x1000];
     uint8_t lib, func;
     uint8_t lib, func;
     char unknown1002[0x1004-0x1002];
     char unknown1002[0x1004-0x1002];
     uint32_t unknown1004;
     uint32_t unknown1004;
} bt_funcid_t;
} btrm_request_t;
</syntaxhighlight>
</syntaxhighlight>


===Function result buffer===
===Function result===
This structure contains the output of a function executed by the Bluetooth resource manager.
This structure contains the output of a function executed by the Bluetooth resource manager.


Line 28: Line 28:
typedef struct
typedef struct
{
{
     char unknown0[0x1000-0x0];
     uint8_t result_data[0x1000];
     uint8_t some_id;
     uint8_t some_id;
     char unknown1001[0x1004-0x1001];
     char unknown1001[0x1004-0x1001];
     uint32_t unknown1004;
     uint32_t unknown1004;
     uint32_t unknown1008;
     uint32_t unknown1008;
} bt_funcres_t;
} btrm_result_t;
</syntaxhighlight>
</syntaxhighlight>
==Libraries and Functions==
These are the different lib and func parameters which are set in the request struct.
=== Libraries ===
{| class="wikitable sortable"
! Library
! Name
! Notes
|-
| 0x01
|
| Initializes some internal flags
|-
| 0x02
|
| Sets the Bluetooth visibility to connectable
|-
| 0x03
| CMD_WUD
|
|-
| 0x04
| CMD_BTE
|
|-
| 0x05
|
| Waits for an event from the resource queue
|}
=== Functions ===
The function names are only guessed based on their behavior.
==== CMD_WUD (3) ====
{| class="wikitable sortable"
! Function
! Name
! Notes
|-
| 0x04
| start_sync_device
|
|-
| 0x05
|
| Also device sync related
|-
| 0x06
| purge_device_info
| Removes the UC entries for devInfo and devInfoExt
|-
| 0x07
| set_loop_count
| Sets the loop count used when pairing new controllers
|-
| 0x08
| cancel_sync_device
|
|-
| 0x09
| set_disable_channel_imm
| Sets the afh channels
|-
| 0x0a
| start_cleardevice
| Clears all devInfo and devInfoExt entries in UC to 0
|-
| 0x0b
| set_visibility
|
|-
| 0x0c
| set_sniff_mode
|
|-
| 0x0d
| register_new_device
| Adds a new device pairing using it's BDA, name and link key
|-
| 0x0e
| enable_cleardevice_callback
| If enabled, send a callback to the resource queue when cleardevice is done
|-
| 0x0f
| enable_sync_callback
| If enabled, send a callback to the resource queue when a device is synced
|-
| 0x10
| enable_wbc
| Enables WBC (Wii Balance Board connections)
|-
| 0x11
|
| Serial flash related
|-
| 0x12
| serial_flash_mode
|
|-
| 0x13
| serial_flash_write
|
|-
| 0x14
| serial_flash_read
|
|-
| 0x16
|
|
|-
| 0x17
| start_sync_device
|
|-
| 0x19
| store_entry
| Stores an entry in the devInfo array
|-
| 0x1a
| delete_controller_order
| Deletes the controller order
|-
| 0x1b
| disable_sync_callback
| See enable_sync_callback
|-
| 0x1c
|
|
|-
| 0x1e
| disable_wbc
| See enable_wbc
|-
| 0x1d
|
| Returns 0
|}
==== CMD_BTE (4) ====
{| class="wikitable sortable"
! Function
! Name
! Notes
|-
| 0x00
| remove_acl
| Disconnects an acl connection
|-
| 0x01
|
| Returns 0
|-
| 0x02
| hh_close
| Closes an HID host connection
|-
| 0x03
| retrieve_oob
| Retrieves OOB data from the host controller
|}

Revision as of 21:49, 9 October 2021

/dev/usb/btrm is the IOSU device node for the internal Bluetooth module. It provides an interface to communicate with the Wii Remote, Wii Balance Board, and Wii U Pro controller, which is exposed to Cafe OS by padscore.rpl. Inside IOSU, it uses /dev/uhs/1 to talk to the Bluetooth module, which is connected via internal USB.

ioctlv() interface

0x00 - Execute function

This function is used to execute some sort of function call. It takes two buffers through the ioctlv interface: a function request as input and a function result as output.

Structures

Function request

This structure identifies which function call to make. It is 0x1008 bytes long, with a request buffer passed to each function. The main identifiers for a function call are two bytes, a library and a function. 

/* Function identifier */
typedef struct
{
    uint8_t request_data[0x1000];
    uint8_t lib, func;
    char unknown1002[0x1004-0x1002];
    uint32_t unknown1004;
} btrm_request_t;

Function result

This structure contains the output of a function executed by the Bluetooth resource manager. 

/* Function result */
typedef struct
{
    uint8_t result_data[0x1000];
    uint8_t some_id;
    char unknown1001[0x1004-0x1001];
    uint32_t unknown1004;
    uint32_t unknown1008;
} btrm_result_t;

Libraries and Functions

These are the different lib and func parameters which are set in the request struct.

Libraries

Library Name Notes
0x01 Initializes some internal flags
0x02 Sets the Bluetooth visibility to connectable
0x03 CMD_WUD
0x04 CMD_BTE
0x05 Waits for an event from the resource queue

Functions

The function names are only guessed based on their behavior.

CMD_WUD (3)

Function Name Notes
0x04 start_sync_device
0x05 Also device sync related
0x06 purge_device_info Removes the UC entries for devInfo and devInfoExt
0x07 set_loop_count Sets the loop count used when pairing new controllers
0x08 cancel_sync_device
0x09 set_disable_channel_imm Sets the afh channels
0x0a start_cleardevice Clears all devInfo and devInfoExt entries in UC to 0
0x0b set_visibility
0x0c set_sniff_mode
0x0d register_new_device Adds a new device pairing using it's BDA, name and link key
0x0e enable_cleardevice_callback If enabled, send a callback to the resource queue when cleardevice is done
0x0f enable_sync_callback If enabled, send a callback to the resource queue when a device is synced
0x10 enable_wbc Enables WBC (Wii Balance Board connections)
0x11 Serial flash related
0x12 serial_flash_mode
0x13 serial_flash_write
0x14 serial_flash_read
0x16
0x17 start_sync_device
0x19 store_entry Stores an entry in the devInfo array
0x1a delete_controller_order Deletes the controller order
0x1b disable_sync_callback See enable_sync_callback
0x1c
0x1e disable_wbc See enable_wbc
0x1d Returns 0

CMD_BTE (4)

Function Name Notes
0x00 remove_acl Disconnects an acl connection
0x01 Returns 0
0x02 hh_close Closes an HID host connection
0x03 retrieve_oob Retrieves OOB data from the host controller
Retrieved from "https://wiiubrew.org/w/index.php?title=/dev/usb/btrm&oldid=3286"