[CNLohr] Reverses Vive, Valve Engineers Play Along

[CNLohr] needs no introduction around these parts. He’s pulled off a few really epic hacks. Recently, he’s set his sights on writing a simple, easy to extend library to work with the HTC Vive VR controller equipment, and in particular the Watchman controller.

There’s been a lot of previous work on the device, so [Charles] wasn’t starting from scratch, and he live-streamed his work, allowing others to play along. In the process, two engineers who actually worked on the hardware in question, [Alan Yates] and [Ben Jackson], stopped by and gave some oblique hints and “warmer-cooler” guidance. A much-condensed version is up on YouTube (and embedded below). In the links, you’ll find code and the live streams in their original glory, if you want to see what went down blow by blow. Code and more docs are in this Gist.

reverse-engineering-the-htc-vive-ohjkpnakswmmkv-shot0001In the end, it all ended up being a lot of hard work because the Watchman controller needs to send its orientation and accelerometer data wirelessly, and this means compressing a lot of data down into a tiny trickle. All possible tricks were used, including variable-length fields where one bit indicates whether the next byte still belongs to this sample or the next, and packing the data into a frame from both ends. We see why figuring out the protocol drove [Charles] nuts! His dissection begins ten minutes into the summary video.

Besides the hints, the community involvement, and sheer persistence, [Charles] was also helped by being able to generate his own data. Instead of relying on the placement of the device in space, an AVR blinked IR LEDs into the controller to generate known timing deltas. Remember this general technique if you’re reverse engineering anything.

We think the Vive is very cool, and we’ve covered hacks into it before. From [Trammell Hudson]’s early hacks to this recent jaw-dropping drone orientation demo, hackers have been figuring out how to use the Lighthouses on their own. Now [CNLohr] (and the community) have decoded one of the last remaining parts of the OEM hardware. Woot!

9 thoughts on “[CNLohr] Reverses Vive, Valve Engineers Play Along

  1. Blizzard file format for replays actually stores integers in a similar or I think identical way. It’s a great way of compression considering so many different integers fields or unknown size are stored in a replay. The file formats in there actually use bitpacked streams, for even more craziness.

    Search github for heroprotocol from the Blizzard guys, and look in decoders.py for function _vint:

    Or the URL if allowed here: https://github.com/Blizzard/heroprotocol/blob/master/decoders.py#L195

    1. Variable-length integer coding pops up all sorts of places. Some other places are string encoding (UTF-8) and many of the fields in an EBML (Matroska/WebM) file. In the latter case tag IDs, field lengths and the contents themselves (for integer payloads) are all packed in this way.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s