Editing DS4-BT

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
{{wikify}}
See also {{talk}} page
'''Source:''' http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )
'''Source:''' http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )


Line 12: Line 16:
}}
}}


[[File:Bluetooth.png|15px]] [[Bluetooth]] is a [[Wireless|wireless]] technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.
[[File:Bluetooth.png|15px]] Bluetooth is a [[Wireless|wireless]] technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.
 
An overview of Bluetooth:
 
*http://engineeringagenda.com/agenda/2013/09/bluetooth/ An introduction to Bluetooth <!-- the formatting on that article is so 1990 -->
*http://www.eetimes.com/document.asp?doc_id=1200909 An introduction to debugging Bluetooth in embedded systems


Capable of streaming 32Khz sound to the controllers speakers for up to 2 players, but that reduces to 16Khz when 3 or more players are hooked up.
Capable of streaming 32Khz sound to the controllers speakers for up to 2 players, but that reduces to 16Khz when 3 or more players are hooked up.
Line 45: Line 54:
In comparison, USB has 250x (4ms)
In comparison, USB has 250x (4ms)


=== Overlapping channels BT/Wi-Fi ===
=== Overlapping channels BT/WiFi ===


* [[Wireless#Overlapping_channels_BT.2FWi-Fi|Overlapping channels BT/Wi-Fi]]
*[http://www.psdevwiki.com/ps4/File:BT-Wifi-channels.png archaic BT/Wifi channels]


=== Bluetooth Addressing ===
{| class="wikitable"
|-
! Center Frequency<br />(2.4xx Ghz) !! BT 2.0<br />Channel !! BT 4.0<br />Channel !! colspan="5" | WiFi channel<br />(center freq. in GHz)
|-
| 00 || rowspan="2" | Guard || rowspan="2" | Guard
|-
| 01 || rowspan="23" style="background-color: #afafaf;" | 1<br />(2.412)
|-
| 02 || 0 || rowspan="2" style="background-color: #6666ff;" | 0
|-
| 03 || 1
|-
| 04 || 2 || rowspan="2" style="background-color: #6666ff;" | 1
|-
| 05 || 3
|-
| 06 || 4 || rowspan="2" style="background-color: #6666ff;" | 2 || rowspan="23" style="background-color: #afafaf;" | 2<br />(2.417)
|-
| 07 || 5
|-
| 08 || 6 || rowspan="2" style="background-color: #6666ff;" | 3
|-
| 09 || 7
|-
| 10 || 8 || rowspan="2" style="background-color: #6666ff;" | 4
|-
| 11 || 9 || rowspan="23" style="background-color: #afafaf;" | 3<br />(2.422)
|-
| 12 || 10 || rowspan="2" style="background-color: #6666ff;" | 5
|-
| 13 || 11
|-
| 14 || 12 || rowspan="2" style="background-color: #6666ff;" | 6
|-
| 15 || 13
|-
| 16 || 14 || rowspan="2" style="background-color: #6666ff;" | 7 || rowspan="23" style="background-color: #afafaf;" | 4<br />(2.427)
|-
| 17 || 15
|-
| 18 || 16 || rowspan="2" style="background-color: #6666ff;" | 8
|-
| 19 || 17
|-
| 20 || 18 || rowspan="2" style="background-color: #6666ff;" | 9
|-
| 21 || 19 || rowspan="23" style="background-color: #afafaf;" | 5<br />(2.432)
|-
| 22 || 20 || rowspan="2" style="background-color: #6666ff;" | 10
|-
| 23 || 21
|-
| 24 || 22 || rowspan="2" style="background-color: #6666ff;" | 11
|-
| 25 || 23
|-
| 26 || 24 || rowspan="2" style="background-color: #6666ff;" | 12 || rowspan="23" style="background-color: #afafaf;" | 6<br />(2.437)
|-
| 27 || 25
|-
| 28 || 26 || rowspan="2" style="background-color: #6666ff;" | 13
|-
| 29 || 27
|-
| 30 || 28 || rowspan="2" style="background-color: #6666ff;" | 14
|-
| 31 || 29 || rowspan="23" style="background-color: #afafaf;" | 7<br />(2.442)
|-
| 32 || 30 || rowspan="2" style="background-color: #6666ff;" | 15
|-
| 33 || 31
|-
| 34 || 32 || rowspan="2" style="background-color: #6666ff;" | 16
|-
| 35 || 33
|-
| 36 || 34 || rowspan="2" style="background-color: #6666ff;" | 17 || rowspan="23" style="background-color: #afafaf;" | 8<br />(2.447)
|-
| 37 || 35
|-
| 38 || 36 || rowspan="2" style="background-color: #6666ff;" | 18
|-
| 39 || 37
|-
| 40 || 38 || rowspan="2" style="background-color: #6666ff;" | 19
|-
| 41 || 39 || rowspan="23" style="background-color: #afafaf;" | 9<br />(2.452)
|-
| 42 || 40 || rowspan="2" style="background-color: #6666ff;" | 20
|-
| 43 || 41
|-
| 44 || 42 || rowspan="2" style="background-color: #6666ff;" | 21
|-
| 45 || 43
|-
| 46 || 44 || rowspan="2" style="background-color: #6666ff;" | 22 || rowspan="23" style="background-color: #afafaf;" | 10<br />(2.457)
|-
| 47 || 45
|-
| 48 || 46 || rowspan="2" style="background-color: #6666ff;" | 23
|-
| 49 || 47
|-
| 50 || 48 || rowspan="2" style="background-color: #6666ff;" | 24
|-
| 51 || 49 || rowspan="23" style="background-color: #afafaf;" | 11<br />(2.462)
|-
| 52 || 50 || rowspan="2" style="background-color: #6666ff;" | 25
|-
| 53 || 51
|-
| 54 || 52 || rowspan="2" style="background-color: #6666ff;" | 26
|-
| 55 || 53
|-
| 56 || 54 || rowspan="2" style="background-color: #6666ff;" | 27 || rowspan="23" style="background-color: #afafaf;" | 12<br />(2.467)
|-
| 57 || 55
|-
| 58 || 56 || rowspan="2" style="background-color: #6666ff;" | 28
|-
| 59 || 57
|-
| 60 || 58 || rowspan="2" style="background-color: #6666ff;" | 29
|-
| 61 || 59 || rowspan="23" style="background-color: #afafaf;" | 13<br />(2.472)
|-
| 62 || 60 || rowspan="2" style="background-color: #6666ff;" | 30
|-
| 63 || 61
|-
| 64 || 62 || rowspan="2" style="background-color: #6666ff;" | 31
|-
| 65 || 63
|-
| 66 || 64 || rowspan="2" style="background-color: #6666ff;" | 32
|-
| 67 || 65
|-
| 68 || 66 || rowspan="2" style="background-color: #6666ff;" | 33
|-
| 69 || 67
|-
| 70 || 68 || rowspan="2" style="background-color: #6666ff;" | 34
|-
| 71 || 69
|-
| 72 || 70 || rowspan="2" style="background-color: #6666ff;" | 35
|-
| 73 || 71
|-
| 74 || 72 || rowspan="2" style="background-color: #6666ff;" | 36
|-
| 75 || 73
|-
| 76 || 74 || rowspan="2" style="background-color: #6666ff;" | 37
|-
| 77 || 75
|-
| 78 || 76 || rowspan="2" style="background-color: #6666ff;" | 38
|-
| 79 || 77
|-
| 80 || 78 || rowspan="2" style="background-color: #6666ff;" | 39
|-
| 81 || rowspan="3" | Guard
|-
| 82 || rowspan="2" | Guard
|-
| 83
|-
|}
 
=== Bluetooth Adressing ===


Each Bluetooth unit has a unique 48-bit address (BD_ADDR).
Each Bluetooth unit has a unique 48-bit address (BD_ADDR).
If you spoof a previously paired DS4's BDADDR (is the unique address of a Bluetooth device, similar to the MAC address of a network card) and class, then using "[http://www.linux-commands-examples.com/hcitool sudo hcitool cc <ps4's bdaddr>]" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.
The [[DualShock 4]] has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.


{| class="wikitable" style="text-align: center;border:3px solid #123AAA;"
{| class="wikitable" style="text-align: center;border:3px solid #123AAA;"
Line 62: Line 241:
|colspan="6"|'''Company_id'''
|colspan="6"|'''Company_id'''
|-
|-
|colspan="6"|'''L'''ower '''A'''ddress '''P'''art (24-bit)<br />transmitted with every packet as part of the packet header
|colspan="6"|'''L'''ower '''A'''dress '''P'''art (24-bit)
|colspan="2"|'''U'''pper '''A'''ddress '''P'''art  (8-bit)<br />
|colspan="2"|'''U'''pper '''A'''dress '''P'''art  (8-bit)
|colspan="4"|'''N'''on-Significant '''A'''ddress '''P'''art (16-bit)<br />[http://standards-oui.ieee.org/oui.txt assigned  publicly by the IEEE]
|colspan="4"|'''N'''on-Significant '''A'''dress '''P'''art (16-bit)
|-=
|-
!width="70"|<sub>lsb</sub>xxxx
!width="60"|<sub>lsb</sub>xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx
!width="60"|xxxx
!width="70"|xxxx<sup>msb</sup>
!width="60"|xxxx<sup>msb</sup>
|-
|-
|}
|}


==== Unpairing ====
If you spoof a previously paired DS4's BDADDR (is the unique address of a Bluetooth device, similar to the MAC address of a network card) and class, then using "[http://www.linux-commands-examples.com/hcitool sudo hcitool cc <ps4's bdaddr>]" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.


*http://eleccelerator.com/unpairing-a-dualshock-4-and-setting-a-new-bdaddr/
The [[DualShock 4]] has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.


===Class of Device/Service (CoD)===
===Class of Device/Service (CoD)===
In practice, most Bluetooth clients scan their surroundings in two successive steps: they first look for all bluetooth devices around them and find out their "class". You can do this on Linux with the hcitool scan command. Then, they use SDP in order to check if a device in a given class offers the type of service that they want.


In the PS4 mode, the DualShock 4 appears to be advertised as two devices (neither has a name), one is a game controller and the other is an audio device:
In the PS4 mode, the DualShock 4 appears to be advertised as two devices (neither has a name), one is a game controller and the other is an audio device:
Line 211: Line 391:
**0x0100: L2CAP
**0x0100: L2CAP
*0x0800: Maximum Attribute Byte count (2048)?
*0x0800: Maximum Attribute Byte count (2048)?
*0x3505: Data element (Type descriptor: 6, Size index: 5) 5 bytes
*0x0A: Data element (type:1, Size index: 2 (4 bytes)
**0x0A: Data element (type:1, Size index: 2 (4 bytes))
**0x0000FFFF: Attribute ID list
**0x0000FFFF: Attribute ID list
*0x00: Continuation State
*0x00: Continuation State
Line 599: Line 778:
Protocol code:
Protocol code:
===== 0x01 =====
===== 0x01 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x01.
This report is sent until the GET REPORT FEATURE 0x02 is received.
This report is sent until the GET REPORT FEATURE 0x02 is received.
 
                                     
Supposition: a PC can understand this report?
0xa1, '''0x01''', 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
 
            ^Left Stick X ...      ^D-PAD
Report example:
<pre>0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00,
0x00, 0x00, 0x00</pre>
 
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x01
|-
|
|colspan="8"|The following structure is a supposition.
|-
|[2]
|colspan="8"|Left Stick X (0 = left)
|-
|[3]
|colspan="8"|Left Stick Y (0 = up)
|-
|[4]
|colspan="8"|Right Stick X
|-
|[5]
|colspan="8"|Right Stick Y
|-
|[6]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[7]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[8]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[9]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[10]
|colspan="8"|Right Trigger
|}


===== 0x11 =====
===== 0x11 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x11.
This report is sent once the GET REPORT FEATURE 0x02 is received.
This report is sent once the GET REPORT FEATURE 0x02 is received.
 
See example
Report example:
<pre>0xa1, 0x11, 0xc0, 0x00, 0x7d, 0x7d, 0x81, 0x7e, 0x08, 0x00, 0x28, 0x00, 0x00, 0x8c, 0xf3, 0x01,
0x13, 0x00, 0xf8, 0xff, 0x05, 0x00, 0x31, 0xfe, 0x3f, 0x0f, 0xd1, 0xe3, 0x00, 0x00, 0x00, 0x00,
0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80,
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x22, 0x7b, 0xa0</pre>
 
If you look carefully, it is very similar to the reports sent over USB if you ignore the first 3 bytes.
 
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x11
|-
|[2]
|colspan="8"|0xc0
|-
|[3]
|colspan="8"|Report ID (always 0x00)
|-
|[4]
|colspan="8"|Left Stick X (0 = left)
|-
|[5]
|colspan="8"|Left Stick Y (0 = up)
|-
|[6]
|colspan="8"|Right Stick X
|-
|[7]
|colspan="8"|Right Stick Y
|-
|[8]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[9]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[10]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[11]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[12]
|colspan="8"|Right Trigger
|-
|[13 - 14]
|colspan="8"|Seems to be a timestamp. A common increment value between two reports is 188 (at full rate the report period is 1.25ms). This timestamp is used by the PS4 to process acceleration and gyroscope data.
|-
|[15]
|colspan="8"|battery (0x00 to 0xff)
|-
|[16 - 17]
|colspan="8"|Angular velocity X
|-
|[18 - 19]
|colspan="8"|Angular velocity Y
|-
|[20 - 21]
|colspan="8"|Angular velocity Z
|-
|[22 - 23]
|colspan="8"|Acceleration X
|-
|[24 - 25]
|colspan="8"|Acceleration Y
|-
|[26 - 27]
|colspan="8"|Acceleration Z
|-
|[28 - 32]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[33]
|0x00
|phone
|mic
|usb
|colspan="4"|battery level
|-
|[34 - 35]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[36]
|colspan="8"|number of trackpad packets (0x00 to 0x04)
|-
|[37]
|colspan="8"|packet counter
|-
|[38]
|active low
|colspan="7"|finger 1 id
|-
|[39 - 41]
|colspan="8"|finger 1 coordinates
|-
|[42]
|active low
|colspan="7"|finger 2 id
|-
|[43 - 45]
|colspan="8"|finger 2 coordinates
|-
|[46]
|colspan="8"|packet counter
|-
|[47]
|active low
|colspan="7"|finger 1 id
|-
|[48 - 50]
|colspan="8"|finger 1 coordinates
|-
|[51]
|active low
|colspan="7"|finger 2 id
|-
|[52 - 54]
|colspan="8"|finger 2 coordinates
|-
|[55]
|colspan="8"|packet counter
|-
|[56]
|active low
|colspan="7"|finger 1 id
|-
|[57 - 59]
|colspan="8"|finger 1 coordinates
|-
|[60]
|active low
|colspan="7"|finger 2 id
|-
|[61 - 63]
|colspan="8"|finger 2 coordinates
|-
|[64]
|colspan="8"|packet counter
|-
|[65]
|active low
|colspan="7"|finger 1 id
|-
|[66 - 68]
|colspan="8"|finger 1 coordinates
|-
|[69]
|active low
|colspan="7"|finger 2 id
|-
|[70 - 72]
|colspan="8"|finger 2 coordinates
|-
|[73 - 74]
|colspan="8"|Unknown 0x00 0x00 or 0x00 0x01
|-
|[75 - 78]
|colspan="8"|CRC-32 of the first 75 bytes.
|}
 
Most of the time there is only 1 trackpad packet per report.
 
Below is a sample for bytes 36 to 72 with 4 trackpad packets:
 
<pre>0x04,
0x01,
0x04, 0x69, 0x91, 0x1a,
0x06, 0x15, 0x45, 0x1a,
0x05,
0x04, 0x66, 0x11, 0x1a,
0x06, 0x10, 0x15, 0x1a,
0x0a,
0x04, 0x63, 0x81, 0x19,
0x06, 0x0c, 0xe5, 0x19,
0x0f,
0x04, 0x5f, 0xf1, 0x18,
0x06, 0x08, 0xc5, 0x19</pre>


==== HID OUTPUT reports ====
==== HID OUTPUT reports ====
Line 895: Line 792:
Protocol code:
Protocol code:
===== 0x11 =====
===== 0x11 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x11.
First bit at byte 2 specifies whether to enable control. Byte at index 4 specifies which individual control to enable.
Report example:
0xa2, '''0x11''', 0xc0, 0x20, 0xf0, 0x04, 0x00, 0x00, 0x00, <span style="color:#ff0000">0x00</span>, <span style="color:#008000">0x00</span>, <span style="color:#0000ff">0x00</span>, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:lime">0xd8, 0x8e, 0x94, 0xdd</span>
Speculation:
0x11 may be not a packet ID but encoded packet size.
Lower digit (0x01) satisfies formula: '''((packet_size - 15) >> 6) + 1'''
(packet_size does not include '0xa2'; >> - bit shift right - equivalent to integer division by 64)
This formula seems to work for all packets (0x11..0x18).
Packet 0x19 looks like clamped by max packet size.
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x11'''
|-
|[2]
|colspan="1"|Controls
|colspan="7"|Unknown
|-
|[3]
|colspan="8"|Unknown
|-
|[4]
|colspan="4"|0x0f
|colspan="1"|Unknown
|colspan="1"|Flash
|colspan="1"|Color
|colspan="1"|Rumble
|-
|[5 - 6]
|colspan="8"|Unknown
|-
|[7]
|colspan="8"|Rumble (right / weak)
|-
|[8]
|colspan="8"|Rumble (left / strong)
|-
|[9]
|colspan="8"|RGB color (<span style="color:#ff0000">R</span>ed)
|-
|[10]
|colspan="8"|RGB color (<span style="color:#008000">G</span>reen)
|-
|[11]
|colspan="8"|RGB color (<span style="color:#0000ff">B</span>lue)
|-
|[12]
|colspan="8"|Flash LED bright
|-
|[13]
|colspan="8"|Flash LED dark
|-
|[14 - 21]
|colspan="8"|Unknown
|-
|[22]
|colspan="8"|Volume left
|-
|[23]
|colspan="8"|Volume right
|-
|[24]
|colspan="8"|Volume mic - speculation
|-
|[25]
|colspan="8"|Volume speaker
|-
|[26-74]
|colspan="8"|Unknown
|-
|<span style="background:lime">[75 - 78]</span>
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x14 =====
===== 0x14 =====
Contains sound.
Speculation: contains sound.


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   
     0000  <span style="background:#ff6666;">0f 01 42 00</span> a2 '''14''' 40 a0 f4 69 02 <span style="background:#ffff00;">9c 75 19 24</span> 00  [email protected].$.
     0000  <span style="background:#ff6666;">0f 01 42 00</span> a2 '''14''' 40 a0 f4 69 02 9c 75 19 24 00  [email protected].$.
     0010  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0010  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0020  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
     0020  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
Line 1,008: Line 805:
     0050  b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
     0050  b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
     0060  b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0060  b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00  ....m.m.....u.$.
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 9c 75 19 24 00  ....m.m.....u.$.
     0080  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0080  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0090  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
     0090  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
Line 1,019: Line 816:
     0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime;">9f</span>  ................
     0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime;">9f</span>  ................
     0110  <span style="background:lime;">42 86 54</span>                                        B.T
     0110  <span style="background:lime;">42 86 54</span>                                        B.T
    <span style="background:#ffff00;">Bluetooth SBC header</span>  http://tools.ietf.org/html/draft-hoene-avt-rtp-sbc-05#section-6.2
   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | SYNCWORD      |SF.|BL.|CM.|A|S|BITPOOL        |CRC_CHECK      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Legend: SF.=SAMPLING FREQUENCY, BL.=BLOCKS, CM.=CHANNEL_MODE, A.=ALLOCATION_METHOD, S.=SUBBANDS
    0x9c = 156 syncword (always set to 156)
    1 byte - sf bl cm a s (msb..lsb)
      * frequency:
          00-16000
          01-32000
          10-44100
          11-48000
      * blocks:
          00-4
          01-8
          10-12
          11-16
      * channels:
          00-MONO
          01-DUAL_CHANNEL
          10-STEREO
          11-JOINT_STEREO
      * allocation method:
          0-loudnes
          1-SNR
      * subbands:
          0-4
          1-8
    1 byte - bitpool
            This unsigned integer indicates the size of the bit
            allocation pool that has been used for encoding the current
            block.The value of the bit - pool field MUST NOT exceed 16
            times the number of subbands for the MONO and DUAL_CHANNEL
            channel modes and 32 times the number of subbands for the
            STEREO and JOINT_STEREO channel modes.The bitpool value
            MAY change from SBC frame to the next.In addition, the
            bitpool value MUST be restricted such that it does not
            result in excess of maximum bit rate, which is 320kb / s for
            mono and 512kb / s for two - channel modes.


===== 0x15 =====
===== 0x15 =====
Line 1,073: Line 827:
     0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0050  00 00 00 <span style="background:pink;">f6 69</span> 02 <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  ....i..u.$......
     0050  00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00  ....i..u.$......
     0060  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0060  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
Line 1,080: Line 834:
     00a0  b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
     00a0  b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
     00b0  bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
     00b0  bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
     00c0  db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  .m.....u.$......
     00c0  db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00  .m.....u.$......
     00d0  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     00d0  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     00e0  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
     00e0  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
Line 1,105: Line 859:


===== 0x17 =====
===== 0x17 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x17.
Report example:
0xa2, 0x17, 0x40, 0xa0, <span style="background:pink;">0xb4, 0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x6b, 0xa2, 0x38, 0xe6
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|[1]
|colspan="8"|0x17
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[6 - 458]
|colspan="8"|Bluetooth SBC Data
|-
|[459 - 462]
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x18 =====
===== 0x18 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x18.
Report example:
0xa2, '''0x18''', 0x48, 0xa1, <span style="background:pink;">0xb4, 0x06</span>, 0x22, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6,
0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33,
0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6,
0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
<span style="background:#ffff00;">0x9c, 0x7d, 0x33</span>, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6,
0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6,
0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6,
0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x3b, 0x16, 0xec
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x18'''
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[7 - 471]
|colspan="8"|Bluetooth SBC Data
|-
|[472 - 526]
|colspan="8"|Paddind - speculation
|-
|[527 - 530]
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x19 =====
===== 0x19 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x19.
Report example:
0xa2, '''0x19''', 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:pink;">0xc2,
0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x46, 0x86, 0x51, 0x90
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x19'''
|-
|[2 - 78]
|colspan="8"|Same as [[DS4-BT#0x11_2|output report 0x11]].
|-
|[79]
|colspan="8"|Unknown
|-
|<span style="background:pink;">[80-81]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[82]
|colspan="8"| Audio header
|-
|[83-533]
|colspan="8"| Bluetooth SBC Data
|-
|[533 - 547]
|colspan="8"| Paddind - speculation
|-
|[548 - 551]
|colspan="8"|CRC-32 of the previous bytes.
|}


==== HID features reports ====
==== HID features reports ====
There is a periodic report sequence that consists in 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE REPORTS. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4.
There is another periodic report sequence that consists in one 0x03 SET FEATURE report and 1 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report.
These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters.
A user-mode application can obtain (get) and set feature information by using this report designation.
A user-mode application can obtain (get) and set feature information by using this report designation.
===== GET FEATURE=====
===== GET FEATURE=====
Each GET FEATURE report sent by the PS4 is answered by the DS4 with a DATA FEATURE report.
====0x02====
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x04 GET REPORT
|colspan="1"|0x01
|colspan="1"|0x00
|colspan="4"|0x03 FEATURE
|-
|[1]
|colspan="8"|Report id
|-
|[2 - 3]
|colspan="8"|Buffer size.
|}
====== 0x02 ======
====== 0x02 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x02.
The bytes in this report do not seem to fluctuate.
Report example:
<pre>0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd,
0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0,
0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x02
|-
|[2 - 37]
|colspan="8"|TODO, work in progress.
|}


====== 0x04 ======
====== 0x04 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x04.
Most bytes from index 4 change between two reports.
Report example:
<pre>0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda,
0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48,
0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x04
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 43]
|colspan="8"|TODO, work in progress.
|-
|[44 - 47]
|colspan="8"|CRC-32 of the previous bytes.
|}


====== 0x06 ======
====== 0x06 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x06.
The bytes in this report do not seem to fluctuate. They are the same in two different controllers.
Report example:
<pre>0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x06
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|-
|[50 - 53]
|colspan="8"|CRC-32 of the previous bytes.
|}


====== 0xA3 ======
====== 0xA3 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xa3.
It is identical to 0x06 except that there's no CRC-32 at the end of the packet.
Report example:
<pre>0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xa3
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|}


====== 0xF1 ======
====== 0xF1 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf1.


This report is part of the authentication sequence: it contains challenge response data.
02 15 20 08 00 04 00 41 00 4b f1 40 00
 
Report example:
<pre>0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e,
0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d,
0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03,
0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e,
0xb3</pre>
 
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf1
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x12)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge response data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}
 
The sequence is 1040 bytes long with the following structure:
 
<pre>
struct ds4_response {
unsigned char signature[0x100];
unsigned char serial_num[0x10];
unsigned char n[0x100];
unsigned char e[0x100];
unsigned char casig[0x100];
};
</pre>
 
<u>signature</u> - is a PSS signature of the nonce, signed with DS4's private key<br>
<u>serial_num</u> - is the controller/cert serial number<br>
<u>n</u> - DS4's Public Key prime<br>
<u>e</u> - DS4's Public Key exponent<br>
<u>casig</u> - is a PSS signature (signed by Sony's CA private key) of the <u>serial_num</u>, <u>n</u> and <u>e</u><br>
 
The last (19th) packet is padded with 24 bytes.


====== 0xF2 ======
====== 0xF2 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf2.
This report is part of the authentication sequence: it indicates if the challenge response is ready.
Report example:
<pre>0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c,
0xef</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf2
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="3"|0x00
|colspan="1"|0x01 = not ready
0x00 = ready
|colspan="7"|0x00
|-
|[4 - 12]
|colspan="8"|padded with 0x00.
|-
|[13 - 16]
|colspan="8"|CRC-32 of the previous bytes.
|}


===== SET FEATURE=====
===== SET FEATURE=====
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte.


====== 0x03 ======
====== 0x03 ======
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0x03.
Most bytes from index 4 change between two reports.
Report example:
<pre>0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad,
0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf,
0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x03
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 35]
|colspan="8"|TODO, work in progress.
|-
|[36 - 39]
|colspan="8"|CRC-32 of the previous bytes.
|}


====== 0xF0 ======
====== 0xF0 ======
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0xf0.
This report is part of the authentication sequence: it contains challenge data.
Report example:
<pre>0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9,
0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae,
0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a,
0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac,
0x82</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf0
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x04)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}
The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes.




{{Reverse Engineering}}
{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps4/DS4-BT"