Here’s the guts of wii dissected by Sparkfun team showing all the parts including some type of I2C
interface and Broadcom wireless solution as you can see in the above pics.
U7849 6Q63 could be anything. All those flat round things (330, 100, 4R7) are inductors 33uH, 10uH, and 4.7uH. These are predominantly used for DC to DC step-up or step-down (also called boost and buck respectively). They can also be used for filtering – probably both on this board. Filtering is crucial for a clean RF signal out of the Broadcom Bluetooth IC (center).
BCM2042 is a low-cost Bluetooth wireless keyboard/mouse IC. It features an 8051 core and RAM/ROM memory featuring the HID bluetooth profile and stack. Any chance they used a flash part that we can hack instead of the masked ROM (un-changeable) version? Highly unlikely. But lemme know if someone figures out how to get into the core. The small crystal is 24MHz. They make it look so easy don’t they?
Here you get a feel for the pinout of the connector. The small LEDs are shown. I can’t identify M 626 3322 IC but it has the Mitsumi logo – seems to be connected to something on the power system.
Hitting Digikey, the H7824HE comes up as an MSOP-8pin Mobile Phone Audio device from Rohm – that seems very plausible as it is located near the speaker connection.
Accelerometer and EEPROM
Finally, the ADXL330 with date code 0614 (my chip was manufactured the 1st week of April of 2006!) with the ‘to be expected’ three axis filtering caps and power decoupling cap. The ST 4128 BWP part seems to be a 128kbit I2C serial EEPROM – datasheet is here. This agrees with the pinout of the ST datasheet. Pins 1 through 4 are grounded (address lines E0,1,2 are 0), VCC is pin 8. Pin 7 is WC (write control) and is tied to resistor R38. Pins 6/5 are the Serial Data (SDA) and Serial Clock (SCL) lines. Anyone feel like clocking out the internals of the I2C EEPROM? My guess is that it contains mundane info like a Bluetooth identifier, perhaps a serial number, and some trimming values for the accelerometer and IR sensor. A task for another tutorial some day…
Okay so we couldn’t wait that long.
We hot-aired off the EEPROM and soldered it down to our SSOP breakout board. We then hooked up the unit to an AVR micro that could handle the I2C communication and clocked out all the I2C data from the M24128 into the AVR and down the serial pipe to the computer and captured it. You will find the binary file here. My bet was that the EEPROM contained all constants like Bluetooth ID, firmware revision, etc. And that all the fun Wii Remote functionality was burned into the Broadcom part. David’s bet was that the Broadcom part was just the Bluetooth HID stack and protocol and that it pinged the EEPROM during boot up for actual Wii Controller firmware. We were both right!
Looking at the binary file, the fun thing to note is the word ‘Nintendo’ a couple thousand bytes into the file. Boy would that be fun to alter. The real kicker was that we found unencrypted 8051 code in the file. We don’t know if it is checksumed or anything, but you should be able to hack away. This seems to indicate that the entire Wii Remote functionality is contained on this M24128 EEPROM. Nifty.