Reverse Engineering the Nintendo Switch Joy-Cons

The Switch is Nintendo’s latest effort in the console world. One of its unique features is the Joy-Cons, a pair of controllers that can either attach directly to the console’s screen or be removed and used individually. But how do they work? [dekuNukem] decided to find out.

The reverse engineering efforts begin with disassembly. Surprisingly, there is no silkscreen present on the board to highlight test points or part numbers. This is likely to conflate intended to stymie community efforts to work with the hardware, as different teams may create their own designations for components. Conversely, the chips inside still have their identifying markings present, which does ease identification somewhat.

There are some interesting choices made – the majority of the buttons are scanned in a matrix configuration by the on-board microcontroller, making it harder to spoof button presses. The controllers communicate over Bluetooth, switching to a physical serial connection when attached directly to the screen. This runs at a blistering 3,125,000 BPS after the initial handshake is completed.

Overall it’s a fairly comprehensive reverse engineering effort, and [dekuNukem] has provided excellent detail in the writeup for anyone else looking to get involved. There’s still some work left to do, like investigating the rumble messages, but it’s an excellent start and very comprehensive.

Perhaps you’re more interested in older Nintendo hardware? Check out this comprehensive effort to figure out NES console-to-cartridge security methods.

24 thoughts on “Reverse Engineering the Nintendo Switch Joy-Cons

  1. >They used the keypad scanner built-in inside the BCM20734 with 128KHz clock for reading the buttons. That means it would be extremely hard to spoof button presses

    extremely hard as in use $0.1 transistor?

      1. I’m a very amateur electronics hobbiest. Could you explain to me how a mosfet would help in this situation? I’d love to do a project to be able to trigger button presses on a joycon, but don’t have the full understanding of this specific part about the keypad scanner thing and whatnot.

      2. If the sense voltage alternates across the contacts, which is common, in my experience, a simple transistor or mosfet won’t do it.

        Last time I had to simulate button presses on a key matrix that did this, I had to use magnetic relays to actually make the contact, because every solid state relay I could find at the time conducted in one direction when “open”. It was a noisy mess.

  2. Oh hey!

    If anyone wants to crack open their own Joy-Con (non-invasively) I built a Unity library for Mac and PC which can read and visualize IMU data and send waveforms to the HD Rumble motors. Makes a great 6axis VR controller / antitheft device / interactive art installation component / baby monitor / couple’s vibrator / you name it.

    https://gbatemp.net/threads/joy-con-unity-library.486629/
    https://hackaday.io/project/27986-joyconlib
    https://github.com/Looking-Glass/JoyconLib

    Pull requests welcome!

    1. It was however a quite dastardly plan back in 1998 before the ubiquity of digital cameras when you couldn’t post a pic with a red circle around the component saying “That one”

      Kinda like that bit in the movie “Timeline” when they tried to imply it was a dastardly trick for the archers NOT to light their arrows on fire at night so they could see incoming.

        1. Sorry but yes, and no. That isn’t silkscreen which would be yet another layer. They just reused the solder mask layer which is a total freebie as all your SMT parts need it anyways.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s