Trying into the Stadia Controller Bluetooth Mode Web site
This appears fairly cool, however there are two factors listed underneath “Essential issues to know” which I did not like:
- Switching is everlasting
As soon as you turn your controller to Bluetooth mode, you’ll be able to’t change it
again to make use of Wi-Fi on Stadia. You’ll be able to nonetheless play wired with USB in
Bluetooth mode. - Obtainable till December 31, 2023
You’ll be able to swap to Bluetooth mode, examine the controller mode, and examine for Bluetooth updates till Dec 31, 2023.
Whereas everlasting switching shouldn’t be an enormous challenge, since Stadia is not out there anymore, and the Bluetooth mode is far more helpful, I nonetheless wished to
have the choice to modify again.
For the reason that Stadia Controller’s WiFi
method is fairly distinctive, I did not need to simply disable it and no
longer have the choice to look into it.
However just one 12 months to replace the firmware and then you definitely’re caught in “Wi-Fi mode”
perpetually? I suppose Google actually desires to neglect about Stadia perpetually, and eliminate the positioning after a 12 months.
So I began wanting into the switching course of on the positioning, to attempt to keep away from these limitations. I additionally reverse engineered some components of the binaries hosted on the positioning, extra about that later.
Analyzing the Bluetooth mode web site
Be aware that a lot of the flashing course of appears to be normal NXP stuff, and solely comprises some minor changes by Google.
The location makes use of WebUSB and WebHID to speak with the controller. It filters for a number of completely different Vendor and Product ID combos, to find out the state/mode the controller is presently in.
The switcher hundreds a number of information from the information endpoint, which we’ll check out in additional element later. From taking a tough take a look at the information and the logs within the JS, the “Bluetooth mode switcher” truly flashes a firmware replace to the controller. So to any extent further I will be referring to this as “flashing the Bluetooth firmware” and the positioning as “flashing software/website”.
The location begins by checking the firmware revision and battery share whereas the controller is within the regular, powered on mode, that is known as “OEM Mode”.
OEM Mode
Whereas in OEM mode, after plugging within the controller to the PC with out holding down any buttons, the positioning communicates with the controller utilizing WebUSB.
It begins by checking the primary two bytes of the serial quantity from the USB string descriptor. There are some prefixes which aren’t allowed to be flashed. The serial prefix can also be used to find out if this controller is a growth controller (dvt) or a manufacturing controller (pvt).
It then retrieves the present firmware revisions utilizing USB management request 0x81.
Firmware revisions lower than 0x4E3E0 are known as gotham, whereas all later revisions are known as bruce. gotham being the outdated Wi-Fi firmware, whereas bruce is the brand new Bluetooth firmware.
After that the battery share is requested utilizing management request 0x83 and retrieved with request 0x84. This worth is used to examine if the controller has sufficient cost (greater than 10%) to carry out the flashing course of.
In spite of everything that data has been retrieved, the positioning asks us to unplug the controller and switch it off.
Bootloader
The location now desires the consumer to carry down the Choices button, whereas plugging the controller again in. This can enter the Bootloader.
Not a lot to say about this mode. The location asks us to press Choices + Assistant + A + Y whereas within the Bootloader, which is able to enter the SDP Mode.
SDP Mode
SDP (Serial Obtain Protocol) Mode permits sending a number of low-level instructions to the controller.
The flasher makes use of WebHID to ship and obtain instructions.
It begins by importing a signed Flashloader binary (restricted_ivt_flashloader.bin) into the controller’s reminiscence (@0x20000000), through the use of the SDP WRITE_FILE command.
It then jumps to the uploaded Flashloader binary (@0x20000400) utilizing a JUMP_ADDRESS command.
The controller is now operating the Flashloader.
Flashloader
The Flashloader is a little more superior than the earlier modes. It could possibly additionally obtain and ship a number of instructions through USB, and the flasher website as soon as once more makes use of WebHID to ship and obtain these instructions.
Google appears to have chosen a restricted model of this Flashloader although, since only some instructions truly utilized by the flasher can be found.
Additionally only some, small reminiscence areas are allowed to be learn and written utilizing the WriteMemory and ReadMemory instructions.
The Flashloader is used to truly write the brand new firmware into the controllers flash storage.
Detecting the MCU Kind
The location begins by detecting the MCU sort, by studying from 0x400D8260. There are two supported sorts (106XA0 and 106XA1), if the detected sort does not match certainly one of them it’ll throw an error.
Detecting the Flash Kind
Since completely different Stadia Controller fashions appear to have completely different flash storage sorts, the precise chip is now detected. Detecting the flash sort is a little bit of an attention-grabbing method.
To speak with the flash storage a FlexSPI configuration block must be loaded and utilized. To find out the flash sort, the positioning retrieves the system ID from the flash. It begins by importing a particular configuration block for figuring out this ID (flashloader_fcb_get_vendor_id.bin) into reminiscence (@0x00002000), and applies this configuration utilizing the ConfigureMemory command.
This configuration block comprises some sane values for the completely different flash chips, and likewise comprises a lookup desk (LUT) with completely different FlexSPI sequences which can be despatched to the flash chip.
For the get_vendor_id configuration the primary sequence within the LUT, often used for studying from flash, has been changed with a Learn Manufacture ID/ Machine ID command.
Now comes the attention-grabbing half: The location now straight configures the FlexSPI registers utilizing ReadMemory/WriteMemory Flashloader instructions through USB.
It configures the FlexSPI FIFO and sends the Learn Machine ID command from the LUT sequence.
It then retrieves the end result from the primary RX FIFO Knowledge Register.
It looks like writing to and studying from these few FlexSPI registers is explicitly allowed within the flashloader.
Organising the Flash Storage
Now that the flash sort is understood the positioning can load the correct configuration block for that chip.
There are two supported flash sorts (Giga-16m and Winbond-16m).
To setup the Winbond chip a complete flash configuration block (flashloader_fcb_w25q128jw.bin) is loaded and utilized.
For the Giga the flash is mechanically configured by the Flashloader based mostly on a easy configuration worth (0xC0000206).
Flashing the Firmware
Now that every part is prepared the precise firmware flashing can start.
After clearing GPR Flags 4-6, the positioning hundreds the signed goal firmware picture (<bruce/gotham>_<dvt/pvt>_a_<dev/stage/prod>_signed.bin) and parses some construct data values from it.
It additionally determines the place within the flash the firmware must be flashed to. To flash information the positioning sends a FlashEraseRegion command to erase and unlock the flash, adopted by a WriteMemory command to jot down to the flash mapped in reminiscence @0x60040000.
The IVT (Picture Vector Desk) is now flashed to @0x60001000 (provided that the picture comprises one), and the precise firmware software will get flashed to the correct slot location (Software A / Software B).
Cleansing up
Now that the firmware is flashed, GPR6 is ready to the correct software slot and a Reset command is issued to restart the controller.
And that is principally it, the controller is now operating the newly flashed firmware.
Dumping the outdated Firmware
As talked about to start with, it isn’t doable to revert to the outdated Wi-Fi firmware utilizing the Stadia mode switching website, as soon as the brand new Bluetooth firmware has been flashed.
Whereas the positioning does appear to technically help flashing the outdated Wi-Fi firmware, and likewise has references to the firmware information required for it, all these information result in a 404 and cannot be downloaded.
So to protect the outdated Firmware I needed to dump it from the controller itself.
I attempted to learn from the flash reminiscence area whereas within the Flashloader, which solely leads to errors. It looks like studying from flash shouldn’t be allowed by the restricted Flashloader.
However I had one other concept…
Keep in mind that now we have direct entry to among the FlexSPI registers, that are used to find out the flash sort?
As an alternative of making use of the get_vendor_id configuration block and sending the Learn Machine ID command, I attempted making use of the correct flash configuration and sending a Learn Knowledge command over the registers.
That surprisingly did work with none points. I might now challenge FlexSPI learn instructions through USB and dump the flash.
Since solely studying the primary register of the RX FIFO Knowledge Registers is allowed by the restricted Flashloader, I needed to dump the flash 4-bytes at a time, which did take a number of hours.
On the finish I had a full dump of the Stadia controller flash although!
Ending up
In the course of the testing I began reimplementing components of the positioning in Python which I known as stadiatool, which additionally allowed me to fiddle with the Flashloader instructions.
After dumping the flash, I prolonged the software to permit flashing the firmware as properly.
Be aware that this was a fairly fast venture which is why the code may appear rushed.
That is it for now, I would check out analyzing the firmwares themselves subsequent.
Particular because of cmplx for some assist whereas analyzing this and for listening to my random concepts!