According to the wiibrew wiki the following is true.

decrypted_byte = (encrypted_byte XOR table1[address%8]) + table2[address%8]

if the host key is 16 zero bytes, table1[x] and table2[x] are all 0x97.

So i set the key to zero and simplified my decryption function and started pulling some more data. When I approached the board with the pen I saw byte 5 go from 0x80 to 0x00 and when i applied pressure it counted up from 0 to 7.

I think this is the first useful bit of structure i've gotten so far. I can detect a pen and sense pressure with 3 bits of sensitivity. There is totally more pressure data in byte 5 but it looks like there might be something else. it's not counting from 00 to FF correctly.