Encryption Encryption Encryption

A project log for WiiChuck

A Wii controller library for talking to every Extension Controller made for the Wii, including Nunchuck and Classic Controller, over i2c.

Alex Camilo (alex-camilo), 02/17/2017 at 20:09

Looking at the registers I noticed something. The first 24 bytes look like they have data and the last 6 bytes look like they have data. This looks like what a Wii peripheral in encrypted mode would look like. The fixed 8 byte pattern repeating every bit is due to the "scrambling protocol" only using the lower 3 bits of the address. A repeating 8 byte pattern is what you would get if you encrypted a constant (like 0 or FF).

0x00A40000: 32 68 0F 15 47 2C 34 3E  89 6D D7 1A 46 65 34 3E 
0x00A40010: 89 6D D7 1A 46 64 3B 3F  88 6E C8 1B 47 64 3B 3F 
0x00A400F0: 88 6E C8 1B 47 64 3B 3F  88 6E C8 19 E2 45 34 CB

I'm assuming that the Wii brought up the tablet in encrypted mode. In that case, there is no point in trying to figure out data structure beyond what bits might hold what.
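An added example, not part of the original log or the WiiChuck library: a short Python check of the repeating-pattern observation on the dump above. It takes the most frequent aligned 8-byte block as the scrambled constant and lists the addresses whose byte differs from it; the function names are this example's own, and a byte that matches the fill value may still be data that happens to scramble to the same value.

```python
from collections import Counter

# Register dump copied from the log entry above.
DUMP = """\
0x00A40000: 32 68 0F 15 47 2C 34 3E  89 6D D7 1A 46 65 34 3E
0x00A40010: 89 6D D7 1A 46 64 3B 3F  88 6E C8 1B 47 64 3B 3F
0x00A400F0: 88 6E C8 1B 47 64 3B 3F  88 6E C8 19 E2 45 34 CB
"""

def parse_dump(text):
    """Return {address: byte} from 'ADDR: b0 b1 ...' lines."""
    regs = {}
    for line in text.splitlines():
        addr, sep, data = line.partition(":")
        if sep:
            base = int(addr, 16)
            for i, tok in enumerate(data.split()):
                regs[base + i] = int(tok, 16)
    return regs

def fill_pattern(regs):
    """Most frequent complete, 8-byte-aligned block: the scrambled constant."""
    blocks = Counter()
    for base in sorted({a & ~7 for a in regs}):
        if all(base + i in regs for i in range(8)):
            blocks[bytes(regs[base + i] for i in range(8))] += 1
    return blocks.most_common(1)[0][0]

def deviations(regs, fill):
    """Addresses whose byte differs from fill[address & 7]."""
    return [a for a in sorted(regs) if regs[a] != fill[a & 7]]

def runs(addrs):
    """Collapse sorted addresses into (first, last) ranges."""
    out = []
    for a in addrs:
        if out and a == out[-1][1] + 1:
            out[-1] = (out[-1][0], a)
        else:
            out.append((a, a))
    return out

if __name__ == "__main__":
    regs = parse_dump(DUMP)
    fill = fill_pattern(regs)
    print("fill pattern:", fill.hex(" ").upper())
    for first, last in runs(deviations(regs, fill)):
        print(f"differs from fill: 0x{first:08X}-0x{last:08X}")
```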

I did some experiments. Maybe the tablet needs to be brought up in encrypted mode.

I tried the old init method of writing 0x00 to address 0x40. This didn't work. Got FFs.

I then found this blog post https://billgrundmann.wordpress.com/tag/i2c-sniffer/ in which Bill writes an i2c sniffer and uses it to spy on a nunchuck. He posts a log of what his Wii did.

Init in unencrypted mode. Write 55 to F0 and 00 to FB.
(3):A4+ F0+ 55+
(3):A4+ FB+ 00+

Read ID bits. Write address FA. Read 6 bytes from FA-FF.
(2):A4+ FA+
(7):A5+ 00+ 00+ A4+ 20+ 00+ 00-

Write AA to F0. (Enable encryption?)
(3):A4+ F0+ AA+

Write 16 bytes of encryption tables.
(8):A4+ 40+ AC+ B9+ 8B+ 35+ 1F+ C8+
(8):A4+ 46+ 28+ BE+ B2+ 89+ 07+ 18+
(6):A4+ 4C+ 19+ FF+ 01+ C6+

... normal reads and writes after this point.

I modified my code to bring up the tablet the same way only with an encryption table of 0.

I'm probably not decrypting it right because the data was almost identical to what I was getting using the F0 55 FB 00 procedure. Everything was in the same place but the byte was different.

I'm concluding that something needs to be done to kick the tablet into a mode where it reports its position. I'll give Bill's i2c decode code a shot after I port it to a Teensy 3.2.