USB Initialization

These commands are send to the bulk endpoint (Unless specified HID) in order. Acks are laid out for your viewing pleasure.

Initialization Command 0x03

After this is sent, the controller will begin outputting over its HID endpoint at 4ms intervals with no motion inputs. This also tells the controller the MAC address of the game console.

Byte	Value	Notes
0	0x03	Command
1	0x91
2	0x00
3	0x0D
4	0x00
5	0x08
6-7	0x00
8	0x01
9	0x00
10-15	0x00-0xFF	Console MAC Address (Little Endian)

ACK

Byte	Value	Notes
0	0x03	Command
1	0x01
2	0x00
3	0x0D
4	0x00
5	0xF8	0xF0 \|= Byte 4?
6-7	0x00
8	0x01
9-11	0x00

Unknown Command 0x07

Byte	Value	Notes
0	0x07	Command
1	0x91
2	0x00
3	0x01
4-7	0x00

ACK

Byte	Value	Notes
0	0x07	Command
1	0x01
2	0x00
3	0x01
4	0x00
5	0xF8	ACK
6-7	0x00

Unknown Command 0x16

Byte	Value	Notes
0	0x16	Command
1	0x91
2	0x00
3	0x01
4-7	0x00

ACK

Byte	Value	Notes
0	0x16	Command
1	0x01
2	0x00
3	0x01
4	0x00
5	0xF8	ACK
6-31	0x00

Request Controller MAC Command 0x15 Arg 0x01

This seems to respond with the console’s MAC, with a bit masked off.

Controller is still reporting at 4ms interval via HID during all of this. (No motion data)

Byte	Value	Notes
0	0x15	Command
1	0x91
2	0x00
3	0x01	Argument
4	0x00
5	0x0E
6-8	0x00
9	0x02
10-15	0x00-0xFF	Console MAC Address(Little Endian)
16	Byte 14, with bit 0 masked off?	If byte was 0x31, it’s 0x30 here
17-21	0x00-0xFF	Remainder of Console MAC Address (Little Endian)

ACK

Byte	Value	Notes
0	0x15	Command
1	0x01
2	0x00
3	0x01
4	0x00
5	0xF8	ACK
6-7	0x00
8	0x01
9	0x04
10	0x01
11-16	0x00-0xFF	Gamepad MAC Address (Little Endian)

LTK Request Command 0x15 Arg 0x02 (Unconfirmed)

This may be the reply with the long-term key for Bluetooth pairing

Byte	Value	Notes
0	0x15	Command
1	0x91
2	0x00
3	0x02	Argument
4	0x00
5	0x11
6-8	0x00
9-24	0x00-0xFF	LTK (?) Some 16 byte key

ACK

Byte	Value	Notes
0	0x15	Command
1	0x01
2	0x00
3	0x02	Argument
4	0x00
5	0xF8	ACK
6-7	0x00
8	0x01
9-24	0x00-0xFF	LTK (?) Some 16 byte key

Unknown Command 0x15 Arg 0x03

Byte	Value	Notes
0	0x15	Command
1	0x91
2	0x00
3	0x03	Argument
4	0x00
5	0x01
6-8	0x00

ACK

Byte	Value	Notes
0	0x15	Command
1	0x01
2	0x00
3	0x03	Argument
4	0x00
5	0xF8	ACK
6-7	0x00
8	0x01	Success flag?

Unknown Command 0x09

Byte	Value	Notes
0	0x09	Command
1	0x91
2	0x00
3	0x07
4	0x00
5	0x08
6-15	0x00

ACK

Byte	Value	Notes
0	0x09	Command
1	0x01
2	0x00
3	0x07
4	0x00
5	0xF8	ACK
6-7	0x00

IMU Command 0x0C Arg 0x02

Byte	Value	Notes
0	0x0C	Command
1	0x91
2	0x00
3	0x02
4	0x00
5	0x04	Ack not needed?
6-7	0x00
8	0x27
9-11	0x00

ACK

No ACK sent back.

SPI/FLASH/DATA Read Command 0x02 (ADDR 0x00013080)

Used for reading some kind of configuration data.

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read
10-11	0x00
12	0x80	Address field 3
13	0x30	Address field 2
14	0x01	Address field 1
15	0x00	Address field 0 (Little endian)

Here, we finally get some input that is interesting and has a new report ID. I will have to compare this between different gamepads. This is likely the configuration information, or details on controller colors, model, etc. Unconfirmed.

Part 1 and 2 are likely the factory config, then the user config.

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 40 00 00 00 80 30 01 00
0010   01 ad d9 9a 55 56 65 a0 00 0a a0 00 0a e2 20 0e
0020   e2 20 0e 9a ad d9 9a ad d9 0a a5 50 0a a5 50 2f
0030   f6 62 2f f6 62 0a ff ff a3 a7 87 35 06 5f 1c c6
0040   5c ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

GC NSO Example 1

0000   02 01 00 04 00 f8 00 00 40 00 00 00 80 30 01 00
0010   ff 47 79 94 b8 86 6b a0 00 0a a0 00 0a ff ff ff
0020   ff ff ff ff ff ff ff ff ff be e3 3b be e3 3b 06
0030   65 50 06 65 50 0a ff ff ef 37 7f fa f4 4c b2 54
0040   4c ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

SPI Read 2 (ADDR 0x000130C0)

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read?
10-11	0x00
12	0xC0	Addr
13	0x30	Addr
14	0x01	Addr
15	0x00	Addr

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 40 00 00 00 c0 30 01 00
0010   01 ad d9 9a 55 56 65 a0 00 0a a0 00 0a e2 20 0e
0020   e2 20 0e 9a ad d9 9a ad d9 0a a5 50 0a a5 50 2f
0030   f6 62 2f f6 62 0a ff ff b1 a8 83 b6 35 5e 27 26
0040   64 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

GC NSO Example 1

0000   02 01 00 04 00 f8 00 00 40 00 00 00 c0 30 01 00
0010   ff 47 79 94 b8 86 6b a0 00 0a a0 00 0a ff ff ff
0020   ff ff ff ff ff ff ff ff ff 18 83 31 18 83 31 5f
0030   f4 45 5f f4 45 0a ff ff 17 08 80 4b f4 43 ab b4
0040   48 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

SPI Read 3 (ADDR 0x001FC040)

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read?
10-11	0x00
12	0x40	Addr
13	0xC0	Addr
14	0x1F	Addr
15	0x00	Addr

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 40 00 00 00 40 c0 1f 00
0010   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0020   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0030   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0040   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

GC NSO Example 1

0000   02 01 00 04 00 f8 00 00 40 00 00 00 40 c0 1f 00
0010   b2 a1 f1 97 7f f8 44 4c ae f4 4d ff ff ff ff ff
0020   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0030   b2 a1 13 48 80 52 04 45 a5 c4 48 ff ff ff ff ff
0040   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

SPI Read 4 (ADDR 0x00013040)

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read?
10-11	0x00
12	0x40	Addr
13	0x30	Addr
14	0x01	Addr
15	0x00	Addr

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 10 00 00 00 40 30 01 00
0010   16 f4 d3 41 48 ce 85 ba f1 05 71 ba 1f 27 cb 3b

GC NSO Example 1

0000   02 01 00 04 00 f8 00 00 10 00 00 00 40 30 01 00
0010   4c fe c3 41 7c 11 df 3a 4b ce 41 bc 93 35 4e bc

SPI Read 5 (ADDR 0x00013100)

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read?
10-11	0x00
12	0x00	Addr
13	0x31	Addr
14	0x01	Addr
15	0x00	Addr

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 18 00 00 00 00 31 01 00
0010   00 00 00 00 00 00 00 00 00 00 00 00 2d 10 a7 3d
0020   e7 49 35 3c a4 2d 20 41

GC NSO Example 1

0000   02 01 00 04 00 f8 00 00 18 00 00 00 00 31 01 00
0010   00 00 00 00 00 00 00 00 00 00 00 00 e3 75 ae bc
0020   5b b6 da be 1f 9f 1e 41

OUT Unknown Command 0x11

Byte	Value	Notes
0	0x11	Command
1	0x91
2	0x00	Unknown
3	0x03	Command?
4-7	0x00

Pro Con 2 Example 1 (Consistent between plugs)

0000   11 01 00 03 00 f8 00 00 01 20 03 00 00 0a e8 1c
0010   3b 79 7d 8b 3a 0a e8 9c 42 58 a0 0b 42 0a e8 9c
0020   41 58 a0 0b 41

SPI Read 6 (ADDR 0x00013060)

Byte	Value	Notes
0	0x02	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x08
6-7	0x00
8	0x40	Length (64 bytes)
9	0x7e	Read?
10-11	0x00
12	0x60	Addr
13	0x30	Addr
14	0x01	Addr
15	0x00	Addr

Pro Con 2 Example 1 (Consistent between plugs)

0000   02 01 00 04 00 f8 00 00 20 00 00 00 60 30 01 00
0010   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0020   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Unknown Command 0x0A

Byte	Value	Notes
0	0x0A	Command
1	0x91
2	0x00
3	0x08
4	0x00
5	0x14
6-7	0x00
8	0x01
9-16	0xFF
17	0x35
18	0x00
19	0x46
20-27	0x00

ACK

Byte	Value	Notes
0	0x0A	Command
1	0x01
2	0x00
3	0x08	Command (Matches)
4	0x00	Maybe unused
5	0xF8	ACK
6-7	0x00

IMU Command 0x0C Arg 0x04

Byte	Value	Notes
0	0x0C	Command
1	0x91
2	0x00
3	0x04
4	0x00
5	0x04
6-7	0x00
8	0x27
9-11	0x00

ACK

Byte	Value	Notes
0	0x0C	Command
1	0x01
2	0x00
3	0x04
4	0x00
5	0xF8	ACK
6-11	0x00

From here on, the motion control data is enabled and being sent.

Enable Haptics (Probably) 0x03

Byte	Value	Notes
0	0x03	Command
1	0x91
2	0x00
3	0x0A
4	0x00
5	0x04	Value
6-7	0x00
8	0x09
9-11	0x00

ACK

Byte	Value	Notes
0	0x03	Command
1	0x01
2	0x00
3	0x0A
4	0x00
5	0xF8	ACK
6-7	0x00

Haptic OUTPUT Report (HID) 0x02

Byte	Value	Notes
0	0x02	Report ID
1-5	??	Haptic Data L/R
6-16	0x00	Unused
17-22	??	Haptic Data L/R
23-63	0x00

OUT Unknown Command 0x10

Byte	Value	Notes
0	0x10	Command
1	0x91
2	0x00
3	0x01
4-7	0x00

No ACK

OUT Unknown Command 0x01

Byte	Value	Notes
0	0x01	Command
1	0x91
2	0x00	Unknown
3	0x0C	Command?
4-7	0x00

ACK

Byte	Value	Notes
0	0x01	Command
1	0x01
2	0x00
3	0x0C	Command (Matches)
4	0x00	Maybe unused
5	0xF8	ACK
6-7	0x00
8	0x61
9	0x12
10	0x50
11	0x10

OUT Unknown Command 0x03

Byte	Value	Notes
0	0x03	Command
0	0x91
1	0x00	Unknown
2	0x01	Command?
3-6	0x00

ACK

Byte	Value	Notes
0	0x03	Command
1	0x01
2	0x00
3	0x01	Command (Matches)
4	0x00	Maybe unused
5	0xF8	ACK
6-9	0x00
10	0x40
11	0xF0
12-13	0x00
14	0x60
15	0x00

OUT Unknown Command 0x0A

Byte	Value	Notes
0	0x0A	Command
0	0x91
1	0x00	Unknown
2	0x02
3	0x00
4	0x04
5-6	0x00
7	0x03
8-10	0x00

ACK

Byte	Value	Notes
0	0x0A	Command
0	0x01
1	0x00
2	0x02
3	0x00
4	0xF8	ACK
5-6	0x00

Set Player LED 0x09

Byte	Value	Notes
0	0x09	Command
1	0x91
2	0x00	Unknown
3	0x07
4	0x00
5	0x08
6-7	0x00
8	Varies	LED To Light Up (Bitfield) 0x0, 0x1, 0x3, 0x7 etc.
9-15	0x00

ACK

Byte	Value	Notes
0	0x09	Command
0	0x01
1	0x00
2	0x07
3	0x00
4	0xF8	ACK
5-7	0x00