This is an issue to gather information about the HID Controller Interface protocol, as described here.
Look at #25 for my current progress.
Old information
The HID Controller Interface is interfaced either via Firmware USB EP3 , Bootloader USB EP1, or via some currently unknown wireless mechanism. It works by transferring buffers of 0x40 bytes. The first byte is a packet id, while the second byte is the length of the additional data. Here is a packetid table containing both bootloader and firmware packets as of 57bf5c10.
Host->Controller:
| Packet ID |
Name |
Controller Bootloader |
Controller Firmware |
Dongle |
Description |
| 0x80 |
|
⛔️ |
✅ |
|
|
| 0x81 |
ExitLizardMode |
⛔️ |
✅ |
❓ |
Exits the "lizard mode" - Tells the steam controller to acting like a dumb keyboard/mouse combo. Might need to be sent periodically? |
| 0x82 |
|
⛔️ |
✅ |
|
|
| 0x83 |
ControllerInfoRequest |
✅ |
✅ |
|
Asks the controller to send its ControllerInfo. |
| 0x85 |
|
⛔️ |
✅ |
|
|
| 0x87 |
SetSettings |
⛔️ |
✅ |
❓ |
Sets the controller settings |
| 0x89 |
|
⛔️ |
✅ |
|
|
| 0x8d |
|
⛔️ |
✅ |
|
|
| 0x8e |
|
⛔️ |
✅ |
|
|
| 0x8f |
TriggerHapticPulse |
⛔️ |
✅ |
|
|
| 0x90 |
ReinvokeISP |
✅ |
✅ |
❓ |
Reinvokes the LPC ISP Firmware (ISP being what happens when you boot while holding the right trigger). Seems to also work on the dongle? |
| 0x91 |
EraseLPCFirmware |
✅ |
⛔️ |
|
Erases the LPC firmware. |
| 0x92 |
FlashLPCFirmware |
✅ |
⛔️ |
|
Flashes a chunk of LPC firmware. |
| 0x93 |
VerifyLPCFirmware |
✅ |
⛔️ |
|
Finishes flashing the LPC firmware, and validates it against a checksum. |
| 0x95 |
ResetSOC |
✅ |
✅ |
|
Restarts both LPC and NRF CPUs. |
| 0x96 |
SetPrngEntropy |
⛔️ |
⛔️ |
✅ |
Sends a block of 0x10 random bytes to the device. |
| 0x97 |
EraseNRFFirmware |
✅ |
✅ |
|
(Supposedly, no RE) Erases the NRF Firmware |
| 0x98 |
FlashNRFFirmware |
✅ |
✅ |
|
(Supposedly, no RE) Flashes a chunk of NRF Firmware |
| 0x99 |
VerifyNRFFirmware |
✅ |
✅ |
|
(Supposedly, no RE) Finishes flashing the NRF firmware, and validates it against a checksum. |
| 0x9a |
|
⛔️ |
✅ |
|
Sends data to the nRF chip, wrapped in a packet ']'. |
| 0x9f |
TurnOffController |
⛔️ |
✅ |
✅ |
|
| 0xa7 |
CalibrateTrackpads |
⛔️ |
✅ |
|
|
| 0xa9 |
|
⛔️ |
✅ |
|
|
| 0xa0 |
SetHardwareVersion |
✅ |
⛔️ |
|
THIS COMMAND IS EXTREMELY DANGEROUS |
| 0xaa |
|
⛔️ |
✅ |
|
|
| 0xab |
|
⛔️ |
✅ |
|
|
| 0xac |
|
⛔️ |
✅ |
|
|
| 0xad |
SetDonglePairingMode |
⛔️ |
⛔️ |
✅ |
2 byte args |
| 0xae |
ControllerInfoRequest |
⛔️ |
✅ |
|
|
| 0xb1 |
SetControllerKeyboardMouseInputState |
⛔️ |
⛔️ |
✅ |
|
| 0xb2 |
PairingFailed |
⛔️ |
⛔️ |
✅ |
|
| 0xb3 |
PairingSuccess |
⛔️ |
⛔️ |
✅ |
|
| 0xb4 |
GetControllerInfo |
⛔️ |
⛔️ |
✅ |
|
| 0xb5 |
CalibrateIMU |
⛔️ |
✅ |
|
|
| 0xb6 |
PlayAudio |
⛔️ |
✅ |
|
Plays the selected jingle |
| 0xb7 |
StartFlashJingle |
⛔️ |
✅ |
|
Does something weird with the jingle_data_ptr 👀 |
| 0xb8 |
FlashJingle |
⛔️ |
✅ |
|
Writes data to the jingle flash buffer |
| 0xb9 |
EndFlashJingle |
⛔️ |
✅ |
|
Finishes flashing a jingle, writing it to eeprom after making sure it looks somewhat valid. |
| 0xba |
GetChipID |
⛔️ |
✅ |
|
|
| 0xbb |
ReadUID |
⛔️ |
✅ |
|
Returns the result of ISP ReadUID. |
| 0xbf |
CalibrateJoystick |
⛔️ |
✅ |
|
Sets eeprom field 0x34 with some computed data |
| 0xc1 |
SetAudioMapping |
⛔️ |
✅ |
|
Sets the jingle to play for various events |
| 0xc5 |
SetUserLedColor |
⛔️ |
⛔️ |
|
|
| 0xc6 |
SendIRCode |
⛔️ |
⛔️ |
|
|
| 0xc7 |
StopIR |
⛔️ |
⛔️ |
|
|
ControllerInfoRequest/ControllerInfoResponse
When sent from Host to Controller, takes no data and asks the controller to send its ControllerInfo.
When sent from Controller to Host: The additional data is an array of HardwareInfo, where HardwareInfo is a structure of one byte (Type) and 4 byte (Data). Here are the different types byte observed:
| Type ID |
Name |
Bootloader |
Description |
| 1 |
USB PID |
✅ |
The same as the USB PID. Likely more useful for wireless transmission. |
| 2 |
Unknown |
⛔️ |
Firmware always returns 3 |
| 4 |
Firmware Version |
✅ |
Version/timestamp of the firmware running on the LPC side (e.g. 57bf5c10). |
| 5 |
NRF Firmware Version |
⛔️ |
Version/timestamp of the firmware running on the NRF side |
| 9 |
Hardware Version |
✅ |
Version of the controller hardware (as stored in EEPROM) |
| 10 |
Unknown |
⛔️ |
Firmware returns the data stored at DAT_10000078 |
SetSettings
When sent from Host to Controller: Sets the controller settings. The additional data is an array of ControllerSetting, where ControllerSetting is a structure of one byte (type) and 2 bytes (value). Here are some observed type bytes:
| Type ID |
Name |
Description |
| 0x3 |
? |
|
| 0x8 |
? |
Lizard mode related? Data is 7 when sent to dongle. |
| 0x2d |
? |
Sent periodically |
SetDonglePairingMode
Arguments:
- Don't pair: 0x00 0x00
- Start pairing: 0x2 0x3c
This is an issue to gather information about the HID Controller Interface protocol, as described here.
Look at #25 for my current progress.
Old information
The HID Controller Interface is interfaced either via Firmware USB EP3 , Bootloader USB EP1, or via some currently unknown wireless mechanism. It works by transferring buffers of 0x40 bytes. The first byte is a packet id, while the second byte is the length of the additional data. Here is a packetid table containing both bootloader and firmware packets as of 57bf5c10.Host->Controller:
ControllerInfoRequest/ControllerInfoResponse
When sent from Host to Controller, takes no data and asks the controller to send its ControllerInfo.
When sent from Controller to Host: The additional data is an array of HardwareInfo, where HardwareInfo is a structure of one byte (Type) and 4 byte (Data). Here are the different types byte observed:
SetSettings
When sent from Host to Controller: Sets the controller settings. The additional data is an array of ControllerSetting, where ControllerSetting is a structure of one byte (type) and 2 bytes (value). Here are some observed type bytes:
SetDonglePairingMode
Arguments: