Skip to content

Document valve protocol, and other related stuff. #25

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
roblabla wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Document valve protocol, and other related stuff. #25

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ce01bd6
Add valve protocol information
roblabla Apr 3, 2020
d5ce08f
Add dongle information
roblabla Apr 3, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 21 additions & 21 deletions ReverseEngineering/Luna_maiboard_V000456-00_rev3.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@ Note that this [Teardown of Steam Controller](https://www.ifixit.com/Teardown/St

# LPC11U37F/501

This is an ARM Cortex-M0, and seems to be the main/master processor of the Steam Controller.
This is an ARM Cortex-M0, and seems to be the main/master processor of the Steam Controller.

## Resources
## Resources

This sections tracks useful documentation related to the processor.

Expand Down Expand Up @@ -43,7 +43,7 @@ This sections details how the pins of the process are configured and (potentiall
| 13 | PIO0_2 | PIO0_2 | In | Interrupt (PINT1) setup to monitor if this changes (trace leads to C56, continues to...). Seems to have something to do with Brown Out Detection. |
| 14 | PIO1_26 | PIO1_26 | In | S2 - Left trackpad click |
| 15 | PIO1_27 | PIO1_27 | In | S3 - LT (Left trigger digital) |
| 16 | PIO1_4 | PIO1_4 | In | S8 - LB (Left bumper) |
| 16 | PIO1_4 | PIO1_4 | In | S8 - LB (Left bumper) |
| 17 | PIO1_1 | PIO1_1 | Out | Active low enable for analog triggers (Left = AD0, Right = AD2) |
| 18 | PIO1_20 | PIO1_20 | In | S17 - FRONT_L (Front left arrow button) |
| 19 | PIO0_3 | USB_VBUS | In | Monitors the presence of USB bus power. Interrupt (PINT0) set to monitor if this changes. |
Expand All @@ -55,13 +55,13 @@ This sections details how the pins of the process are configured and (potentiall
| 25 | USB_DM | | | |
| 26 | USB_DP | | | |
| 27 | PIO1_24 | PIO1_24 | In? | Related to PIO1_8. Related to USART maybe? TODO |
| 28 | PIO1_18 | TXD (USART) | Out | Connected to Nordic Semiconductor nRF51822 Bluetooth Smart and 2.4GHz proprietary SoC Pin 20 |
| 28 | PIO1_18 | TXD (USART) | Out | Connected to Nordic Semiconductor nRF51822 Bluetooth Smart and 2.4GHz proprietary SoC Pin 20 |
| 29 | PIO0_6 | not(USB_CONNECT) | Out | Signal used to switch an external 1.5 k resistor under software control. Used with the SoftConnect USB feature. |
| 30 | PIO0_7 | PIO0_7 | Out | Set as output GPIO and driven low during init (trace leads to R9 (no-pop)). Related/similar to GPIO1_28? Any other purpose? More details? TODO|
| 31 | PIO1_28 | PIO1_28 | Out | Set as output GPIO and driven low during init (trace leads to R8 (no-pop)). Related/similar to GPIO0_7? Any other purpose? More details? TODO |
| 32 | PIO1_5 | PIO1_5 | In | USART/Radio Chip Related. PINT2 setup to monitor change. Trace leads to TODO|
| 33 | V<sub>DD</sub> | V<sub>DD</sub> | In | V<sub>DD</sub> |
| 34 | PIO1_2 | PIO1_2 | In | S19 - FRONT_R (Front right arrow button) |
| 34 | PIO1_2 | PIO1_2 | In | S19 - FRONT_R (Front right arrow button) |
| 35 | PIO1_21 | PIO1_21 | In | S5 - Right trackpad click |
| 36 | PIO0_8 | MISO0 | In | Master In Slave Out for SSP0. Connected to MISO on Right Trackpad/Haptic and Left Trackpad/Haptic. |
| 37 | PIO0_9 | MOSI0 | Out | Master Out Slave In for SSP0. Connected to MOSI on Right Trackpad/Haptic and Left Trackpad/Haptic. |
Expand All @@ -77,18 +77,18 @@ This sections details how the pins of the process are configured and (potentiall
| 47 | PIO1_13 | PIO1_13 | In | S6 - RT (Right trigger digital) |
| 48 | V<sub>DD</sub> | V<sub>DD</sub> | In | V<sub>DD</sub> |
| 49 | PIO1_14 | PIO1_14 | In | S10 - RB (Right bumper) |
| 50 | PIO1_3 | PIO1_3 | In | S16 - Right inner grip button |
| 50 | PIO1_3 | PIO1_3 | In | S16 - Right inner grip button |
| 51 | PIO1_22 | PIO1_22 | In | S4 - B Button |
| 52 | SWDIO/PIO0_15 | SWDIO? | | Connected to DEBUG interface for LPC11U37F |
| 53 | PIO0_16 | | | |
| 53 | PIO0_16 | | | |
| 54 | V<sub>SS</sub> | V<sub>SS</sub> | In | V<sub>SS</sub> |
| 55 | PIO1_9 | PIO1_9 | In | S7 - X Button |
| 56 | PIO0_23 | PIO0_23 | In | Input with pull-down resistor enabled. Connected to Data Ready on Right Trackpad/Haptic. |
| 57 | PIO1_15 | PIO1_15 | Out | Chip Select/SS for Right Trackpad/Haptic (active low) |
| 58 | V<sub>DD</sub> | V<sub>DD</sub> | In | V<sub>DD</sub> |
| 59 | PIO1_12 | PIO1_12 | Out | Right Haptic Activate. Toggle to generate vibrations (TODO: need better details on this). Initially input. Read during init to check if it is logic low or not. (trace leads to VDD on Trackpad/Haptics). If low PIO0_18 is checked. Later set to output and driven low (before PIO0_18 is set to output and driven low). |
| 60 | PIO0_17 | PIO0_17 | In | S1 - A Button |
| 61 | PIO0_18 | PIO0_18 | Out | Left Haptic Activate. Toggle to generate vibrations (TODO: need better details on this). Initially input (If PIO1_12 is low this is read during init to check if it is logic low or not. (trace leads to R43 on front of PCB))? Later output related to haptics? |
| 61 | PIO0_18 | PIO0_18 | Out | Left Haptic Activate. Toggle to generate vibrations (TODO: need better details on this). Initially input (If PIO1_12 is low this is read during init to check if it is logic low or not. (trace leads to R43 on front of PCB))? Later output related to haptics? |
| 62 | PIO0_19 | PIO0_19 | Out | Active high enable for powering Joystick to produce X and Y position ADC values. |
| 63 | PIO1_16 | PIO1_16 | In | Input with pull-down resistor enabled. Connected to Data Ready on Left Trackpad/Haptic. |
| 64 | PIO1_6 | PIO1_6 | Out | Chip Select/SS for Left Trackpad/Haptic (active low) |
Expand All @@ -98,7 +98,7 @@ This sections details how the pins of the process are configured and (potentiall
This section details what peripherals are used for on this processor.

* I2C Bus
* Interface to MPU-6650?
* Interface to MPU-6500?
* TODO: Not confirmed yet.
* WWDT
* TODO: unknown.
Expand Down Expand Up @@ -179,7 +179,7 @@ This section details what peripherals are used for on this processor.

This is a 6-axis motion tracking device (i.e. accelerometer, gyroscope).

## Resources
## Resources

* TODO: datasheet, etc.

Expand Down Expand Up @@ -213,13 +213,13 @@ This is a 6-axis motion tracking device (i.e. accelerometer, gyroscope).
| 24 | SDA/SDI | I2C SDA | Connected to Pin 21 on LPC11U37F |


# nRF51822
# nRF51822

This is the powerful, highly flexible multiprotocol SoC ideally suited for
This is the powerful, highly flexible multiprotocol SoC ideally suited for
Bluetooth® low energy and 2.4GHz ultra low-power wireless applications. The
silkscreen labels this as RADIO.

## Resources
## Resources

* TODO: datasheet, etc.

Expand Down Expand Up @@ -277,16 +277,16 @@ This is the powerful, highly flexible multiprotocol SoC ideally suited for
| 48 | | | |


# Cirque 1CA027
# Cirque 1CA027

This is the processor on the haptics board, which seems to be a custom design
This is the processor on the haptics board, which seems to be a custom design
similar to the [GlidePoint TM040040](http://www.cirque.com/glidepoint-circle-trackpads).

## Resources
## Resources

* TODO: datasheet, etc.

## Pinout
## Pinout

| Pin Number | Datasheet Name | Pin Function | Notes |
|--------------:|-----------------------|---------------|---------------|
Expand All @@ -309,11 +309,11 @@ This is the processor on the haptics board, which seems to be a custom design
| 17 | | | |
| 18 | | | |
| 19 | | | |
| 20 | | | |
| 21 | | | |
| 20 | | | |
| 21 | | | |
| 22 | | | |
| 23 | | | |
| 24 | | | |
| 23 | | | |
| 24 | | | |
| 25 | | | |
| 26 | | | |
| 26 | | | |
Expand Down
25 changes: 13 additions & 12 deletions ReverseEngineering/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
# Reverse Engineering

Welcome to Reverse Engineering Subproject portion the Open Steam Controller effort.
Welcome to Reverse Engineering Subproject portion the Open Steam Controller effort.

The work in this directory is the result of trying to understand the hardware
and its capabilities based on the available resources. In this case the resources
available were the circuit board itself and the raw binary firmware for the
controller's main processor (the LPC11U37F).
controller's main processor (the LPC11U37F).

There is a lot of really neat and useful information captured here (i.e. the
fact that there is a section of EEPROM where Jingle Data can be stored to
change the official firmware's default behavior, how the interface to the
Trackpads works) and the result of these efforts are the basis of many of the
Trackpads works) and the result of these efforts are the basis of many of the
Subprojects in the Open Steam Controller effort. If anything is unclear, or
you think I am not drawing proper attention to feature I have unearthed,
please be sure to let me know.
Expand All @@ -19,7 +19,7 @@ See the sections below for further details on the data that has been captured
in regards to the hardware and software, but please note that this is my first attempt
at reverse engineering. I may have not gone about this in the most efficient
or understandable manner, but I have done my best to make sure the results
are captured concisely so that others may benefit from it.
are captured concisely so that others may benefit from it.


# Understanding the Hardware
Expand All @@ -28,26 +28,27 @@ This section captures details on the controller hardware (i.e. what pins are
connected to what peripherals or pins on other chips). This data was sometimes
obtained simply by using digital multimeter to ohm out connections. Other times
reverse engineering the firmware, or running tests with custom firmware were
required to fully understand how the hardware was designed.
required to fully understand how the hardware was designed.

See [Luna_maiboard_V000456-00_rev3.md](./Luna_maiboard_V000456-00_rev3.md)
for information regarding the Steam Controller hardware pertaining to
See [Luna_maiboard_V000456-00_rev3.md](./Luna_maiboard_V000456-00_rev3.md)
for information regarding the Steam Controller hardware pertaining to
Luna_mainboard V000456-00 rev3.

See [d0ggle.md](./d0ggle.md) for information regarding the Steam Controller
Dongle hardware.

# Understanding the Software

This section captures details on the software running on the controller
This section captures details on the software running on the controller
processors. This data was primarily obtained by using a modified version
of [pinkySim](https://github.com/greggersaurus/pinkySim), which allowed for
simulating the main processor (LPC11U37F) and logging relevant actions.
simulating the main processor (LPC11U37F) and logging relevant actions.
Verification of different behaviors often required running custom firmware
to ensure the proper paths were being simulated.
to ensure the proper paths were being simulated.

See [LPC11U37F_Software.md](./LPC11U37F_Software.md) for information regarding
the software running on the LPC11U37 main/master processor.


# TODO

See [TODO](./TODO.md) for details.
77 changes: 77 additions & 0 deletions ReverseEngineering/d0ggle.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# D0ggle Hardware

The d0ggle is the dongle that comes with the steam controller. It is a very
simple, off-the-shelf nRF24LU1+ USB device capable of sending radio packets. It
comes preloaded with Valve's `d0ggle.bin` firmware, that can be found in the
Steam client files inside a folder named `controller_base`.

# nRF24LU1+

The nRF24LU1+ is an Intel 8051 microcontroller coupled with an nRF24L01 2.4GHz
Transceiver. This chip is used in a lot of similar hardware, such as the
Logitech Unifying dongles, or many other proprietary wireless keyboard/mouse
dongles.

## Resources

- [Product Specification v1.0](https://web.archive.org/web/20191011024449/https://www.sparkfun.com/datasheets/Wireless/Nordic/nRF24LU1P_1_0.pdf)

## Pinout

| Pin Number | Datasheet Name | Pin Function | Pin Direction | Notes |
|--------------:|-----------------------|------------------|---------------|---------------|
| 1 | VDD | | | |
| 2 | VBUS | | | |
| 3 | VDD | | | |
| 4 | D+ | | | |
| 5 | D- | | | |
| 6 | VSS | | | |
| 7 | PROG | | | |
| 8 | RESET | | | |
| 9 | VDD | | | |
| 10 | P0.0 | | | |
| 11 | P0.1 | | | |
| 12 | VSS | | | |
| 13 | P0.2 | | | |
| 14 | P0.3 | | | |
| 15 | P0.4 | | | |
| 16 | P0.5 | | | |
| 17 | VSS | | | |
| 18 | VSS | | | |
| 19 | VDD | | | |
| 20 | VDD_PA | | | |
| 21 | ANT1 | | | |
| 22 | ANT2 | | | |
| 23 | VSS | | | |
| 24 | VDD | | | |
| 25 | IREF | | | |
| 26 | VSS | | | |
| 27 | VDD | | | |
| 28 | DEC1 | | | |
| 29 | DEC2 | | | |
| 30 | VSS | | | |
| 31 | XC2 | | | |
| 32 | XC1 | | | |

## Software

The software running on the dongle can be found in a file called d0ggle.bin in
Steam's client files. TODO: Find where it can be downloaded.

The dongle exposes a USB device with VID 0x28de and PID 0x1104. It exposes four
HID interfaces, each corresponding to a single controller connection. They can
be manipulated mostly independently (e.g. when pairing, it's recommended to send
the "pairing packet" to all four interfaces).

Each HID interface follows the Valve Controller Abstraction Protocol. The Packet
IDs accepted by the dongle are documented in the [valve protocol documentation].

The dongle also features a USB Bootloader mode that can be used to flash
alternative firmwares. To enter this bootloader mode, one must send the
[RebootToISP] packet. This bootloader is a derivative of the [Nordic nRF24
Bootloader], modified to use USB HID instead of raw USB. It has the VID 0x28de
and PID 0x1004.

[valve protocol documentation]: valve_protocol.md
[Nordic nRF24 Bootloader]: https://www.sparkfun.com/datasheets/Wireless/Nordic/nRF24LU1P_1_0.pdf#G1308975
[RebootToISP]: valve_protocol.md#RebootToISP
Binary file added ReverseEngineering/media/doggle_face_a.jpeg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ReverseEngineering/media/doggle_face_b.jpeg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
16 changes: 9 additions & 7 deletions ReverseEngineering/usbInterface.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
# USB Interface

The purpose of this document is to track details on the USB interface for the
Steam Controller. This is done so that EP actions on the firmware side,
Steam Controller. This is done so that EP actions on the firmware side,
observed in simulation, can match up to real-world behavior. This will be
used to categorize more actions, memory usage, etc.

The steam controller exposes an USB device with VID=0x28de and PID=0x1102. It
has three different interfaces:

## EP1 (Keyboard)

This interface mimics a USB keyboard.
This interface mimics a USB keyboard.

Below are the messages received via usbmod related to different controller actions:

Expand Down Expand Up @@ -38,7 +41,7 @@ Below are the messages received via usbmod related to different controller actio

## EP2 (Mouse)

This interface mimics a USB mouse.
This interface mimics a USB mouse.

Below are the messages received via usbmod related to different controller actions:

Expand All @@ -58,15 +61,14 @@ Below are the messages received via usbmod related to different controller actio

## EP3 (Controller)

This does not produce output by default (since custom HID only steam knows how
to interact??).

TODO: Map out messages with Steam running and controller in EP3 mode, or look online for people who mapped this all out already

See the [valve_protocol.md](./valve_protocol.md) file for more information on

# Booting

This section details booting the controller via USB connection, with the focus
being on what may be causing the jingle to play.
being on what may be causing the jingle to play.

* Connecting to wall adaptor (i.e. no OS interaction)
* LED illuminates, but no jingle and Right Trackpad is not in mouse mode (not haptic feedback)
Expand Down
Loading