From WiiBrew
Jump to navigation Jump to search

The entire (8051-based) firmware of the Wiimote was dumped by User:Beeloot in January, 2009. It is available in binary form here: File:B37F523.zip

The README from that archive is:

beeloot - 07/01/2009

This is a complete dump of the firmware of my Wiimote.
This archive includes a dump of the I2C EEPROM.
By modifying the code in the EEPROM I have been able to dump the full
address range of code memory, as well as the various code banks.

Code memory uses banking mechanism to extend 8051 addressing space
beyond 64K.
Common area is at 0x0000-0x7FFF, banked area is at 0x8000-0xFFFF.
Current code bank is selected via bits 3-2 of port 1.

P1[3:2] = 00 => code bank 0
P1[3:2] = 01 => code bank 1
P1[3:2] = 10 => code bank 2
P1[3:2] = 11 => code bank 3

It seems like KEIL C51 compiler has been used to compile the firmware.
For example inter-banks function calls use patterns identical to those
generated by the C51 compiler.

I hope that this material will be useful and will help the community
to further understand the inner workings of the Wiimote. Perhaps
also some fun things will come out of this (there is for example a
serial interrupt handler).

Have fun!


       Dump of the code memory 0x8000-0xFFFF bank 0
       Dump of the code memory 0x8000-0xFFFF bank 1
       Dump of the code memory 0x8000-0xFFFF bank 2
       Dump of the code memory 0x8000-0xFFFF bank 3
       Dump of the common code memory 0x0000-0x7FFF
       Dump of the I2C EEPROM contents
       Dump of the external data memory