I’ve been playing with the Wii U GamePad lately and am trying to figure out how it connects to the Wii U console. Once we get that working, we can start reverse-engineering the protocol and write a Linux driver for it. It would make a great remote display for every Linux box. So how does it work?
The communication between Wii U and GamePad is done via 5 GHz Wi-Fi. It uses the range 5150-5250 MHz (Sony UWA-BR100 is a nice dual-band ath9k_htc USB dongle with perfect Linux support). The console opens a soft AP without any encryption. The SSID is set similar to “WiiU34af2c5fa6134af2c5fa61c_STA1”. The GamePad connects to this AP and then creates some private link. I haven’t figured out how this works yet.
The IE fields do not advertise any Wi-Fi Direct (P2P), Wi-Fi Display (WFD) or Direct-Link (TDLS) features. The only features found are WMM QoS fields.
How to proceed? I need to figure out how to create a soft-AP with the advertised features so I can make the GamePad connect to me. Two Nintendo extensions are advertised (“OUI a4:c0:e1”), which probably identify the AP. The other vendor IEs are Broadcom/EPIGRAM IDs which can also be found on other networks. After that, I need to test P2P discovery, TDLS discovery or 802.11e DLS setup to find out what kind of direct-link Nintendo uses. According to Broadcom’s Dino Bekis, a form of Miracast is used, which would mandate P2P or TDLS.
If anyone has more information on that, I’d be very thankful!
Btw, DHCP is provided on the unprotected soft-AP and I can ping the console, but my port scans didn’t return any useful information. I will try connecting to WFD/RTSP default port 7236 next…
Soft-AP during Synchronization:

    BSS 34:af:2c:5f:a6:1c (on wlan1)
        TSF: 3126337 usec (0d, 00:00:03)
        freq: 5180
        beacon interval: 100
        capability: ESS (0x0001)
        signal: -55.00 dBm
        last seen: 3208 ms ago
        Information elements from Probe Response frame:
        SSID: WiiU34af2c5fa6134af2c5fa61c_STA1
        Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
        HT capabilities:
            Capabilities: 0x1c
                HT20
                SM Power Save disabled
                RX Greenfield
                No RX STBC
                Max AMSDU length: 3839 bytes
                No DSSS/CCK HT40
            Maximum RX AMPDU length 16383 bytes (exponent: 0x001)
            Minimum RX AMPDU time spacing: 8 usec (0x06)
            HT RX MCS rate indexes supported: 0-15
            HT TX MCS rate indexes are undefined
        HT operation:
             * primary channel: 36
             * secondary channel offset: no secondary
             * STA channel width: 20 MHz
             * RIFS: 1
             * HT protection: no
             * non-GF present: 0
             * OBSS non-GF present: 0
             * dual beacon: 0
             * dual CTS protection: 0
             * STBC beacon: 0
             * L-SIG TXOP Prot: 0
             * PCO active: 0
             * PCO phase: 0
        Vendor specific: OUI a4:c0:e1, data: f5 00
        Vendor specific: OUI a4:c0:e1, data: f4 10 4a 00 01 10 10 44 00 01 02 10 41 00 01 01 10 12 00 02 00 00 10 53 00 02 00 84 10 3b 00 01 03 10 47 00 10 22 21 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 21 00 08 42 72 6f 61 64 63 6f 6d 10 23 00 06 53 6f 66 74 41 50 10 24 00 01 30 10 42 00 01 30 10 54 00 08 00 06 a4 c0 e1 f4 00 01 10 11 00 10 57 69 69 55 33 34 61 66 32 63 35 66 61 36 31 63 10 08 00 02 00 84
        Vendor specific: OUI 00:10:18, data: 02 00 00 04 00 00
        WMM:
             * Parameter version 1
             * u-APSD
             * BE: CW 15-31, AIFSN 2, TXOP 1504 usec
             * BK: CW 15-1023, AIFSN 7
             * VI: CW 15-31, AIFSN 3, TXOP 3008 usec
             * VO: CW 15-31, AIFSN 3, TXOP 1504 usec

Soft-AP during normal operation with GamePad:

    BSS 34:af:2c:5f:a6:1c (on wlan1)
        TSF: 413388858 usec (0d, 00:06:53)
        freq: 5180
        beacon interval: 100
        capability: ESS Privacy (0x0011)
        signal: -48.00 dBm
        last seen: 3201 ms ago
        Information elements from Probe Response frame:
        SSID: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
        Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
        TIM: DTIM Count 1 DTIM Period 3 Bitmap Control 0x0 Bitmap[0] 0x0
        RSN:
             * Version: 1
             * Group cipher: a4-c0-e1:4
             * Pairwise ciphers: a4-c0-e1:4
             * Authentication suites: a4-c0-e1:2
             * Capabilities: 4-PTKSA-RC (0x0008)
        HT capabilities:
            Capabilities: 0x1c
                HT20
                SM Power Save disabled
                RX Greenfield
                No RX STBC
                Max AMSDU length: 3839 bytes
                No DSSS/CCK HT40
            Maximum RX AMPDU length 16383 bytes (exponent: 0x001)
            Minimum RX AMPDU time spacing: 8 usec (0x06)
            HT RX MCS rate indexes supported: 0-15
            HT TX MCS rate indexes are undefined
        HT operation:
             * primary channel: 36
             * secondary channel offset: no secondary
             * STA channel width: 20 MHz
             * RIFS: 1
             * HT protection: no
             * non-GF present: 1
             * OBSS non-GF present: 0
             * dual beacon: 0
             * dual CTS protection: 0
             * STBC beacon: 0
             * L-SIG TXOP Prot: 0
             * PCO active: 0
             * PCO phase: 0
        Vendor specific: OUI 00:90:4c, data: 07 00 45 55 17
        Vendor specific: OUI 00:10:18, data: 02 01 00 04 00 00
        WMM:
             * Parameter version 1
             * u-APSD
             * BE: CW 15-31, AIFSN 2, TXOP 1504 usec
             * BK: CW 15-1023, AIFSN 7
             * VI: CW 15-31, AIFSN 3, TXOP 3008 usec
             * VO: CW 15-31, AIFSN 3, TXOP 1504 usec
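
The data of the second “OUI a4:c0:e1” vendor IE in the synchronization scan above splits cleanly into 2-byte type / 2-byte length / value records whose type codes match Wi-Fi Simple Configuration (WPS) attribute IDs. The following Python parser is an added example, not code from the original post; treating the leading f4 byte as a subtype and the IDs as carrying their standard WSC meaning is an assumption.

```python
import struct

# Data bytes of the second "OUI a4:c0:e1" vendor IE in the synchronization
# scan, copied from the page (the OUI itself is not part of the data).
NINTENDO_IE = bytes.fromhex(
    "f4 10 4a 00 01 10 10 44 00 01 02 10 41 00 01 01 10 12 00 02 00 00 "
    "10 53 00 02 00 84 10 3b 00 01 03 10 47 00 10 22 21 02 03 04 05 06 "
    "07 08 09 0a 0b 0c 0d 0e 0f 10 21 00 08 42 72 6f 61 64 63 6f 6d "
    "10 23 00 06 53 6f 66 74 41 50 10 24 00 01 30 10 42 00 01 30 "
    "10 54 00 08 00 06 a4 c0 e1 f4 00 01 10 11 00 10 57 69 69 55 33 34 "
    "61 66 32 63 35 66 61 36 31 63 10 08 00 02 00 84"
)
# Attribute IDs as defined by Wi-Fi Simple Configuration (WPS). Assumption:
# Nintendo reuses these IDs with their standard meaning.
WSC_NAMES = {
    0x104A: "Version", 0x1044: "WPS State", 0x1041: "Selected Registrar",
    0x1012: "Device Password ID", 0x1053: "Selected Registrar Config Methods",
    0x103B: "Response Type", 0x1047: "UUID-E", 0x1021: "Manufacturer",
    0x1023: "Model Name", 0x1024: "Model Number", 0x1042: "Serial Number",
    0x1054: "Primary Device Type", 0x1011: "Device Name",
    0x1008: "Config Methods",
}
TEXT_ATTRS = {0x1021, 0x1023, 0x1024, 0x1042, 0x1011}  # printable strings

def parse_tlvs(buf):
    """Return [(type, value)] for big-endian 16-bit type/length records."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated TLV header at offset {off}")
        attr, length = struct.unpack_from(">HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"attribute 0x{attr:04x} overruns the IE")
        out.append((attr, buf[off:off + length]))
        off += length
    return out

def decode_ie(data):
    """Split off the leading subtype byte, then name and render each TLV."""
    fields = {}
    for attr, value in parse_tlvs(data[1:]):
        name = WSC_NAMES.get(attr, f"0x{attr:04x}")
        text = attr in TEXT_ATTRS
        fields[name] = value.decode("ascii", "replace") if text else value.hex()
    return data[0], fields

if __name__ == "__main__":
    subtype, fields = decode_ie(NINTENDO_IE)
    print(f"subtype 0x{subtype:02x}", *(f"  {k}: {v}" for k, v in fields.items()), sep="\n")
```

The Primary Device Type value carries a4 c0 e1 f4 in the position where standard WPS puts the Wi-Fi Alliance OUI and type 00 50 f2 04.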