Talk:DualShock 4: Difference between revisions

From PS4 Developer wiki



Revision as of 17:20, 8 February 2014

Talk

Info merged from:

Frank's Eleccelerator

Hi, this is Frank, Eleccelerator is my website. I noticed the little message you've sent me (please use email next time, I don't check my own wiki edits, but I can't find your email either lol so I'm a hypocrite right now). Feel free to copy whatever information you want, I want the information to be public. Including a link to my website would be nice though.

Source: http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )

Johndrinkwater's git

I’ve been decoding the USB reports independently and appear to have got further along, when I’m happy that most of the packet is described, I’ll integrate my findings, still a few nibbles unaccounted for though… https://gist.github.com/johndrinkwater/7708901 -- Johndrinkwater (talk) 05:22, 3 December 2013 (EST)

Review:

It feels really good to hold.

Hardware

Teardown photo album: http://imgur.com/a/ytRW5

The USB port and LED are on one separate board, connected by a flat flexible cable (FFC). This cable plugs into a vertical FFC connector that does not have a locking mechanism.

The touchpad sensor is also detachable, connected by a flat flexible cable. This cable plugs into the main PCB through a connector that has a flip-up locking mechanism.

The speaker is not removable and it connects to the main PCB using some raised contacts.

The battery is 3.65 V, 1000 mAh Li-ion.

The main microcontroller is a Spansion MB9BF002, an ARM Cortex-M3 core in a BGA package. The reset and SWD signals might be exposed to test points, I am not sure.

The Bluetooth module shows "8LA18366" and "GS-WCM-01" (or maybe it's "GS-WCN-01") and "VR2.0". There is also a QR code that I can't decipher yet. There are a lot of test points near it. Underneath, it is confirmed to be a Qualcomm Atheros AR3002.

There's a chip marked with "BD9200" (in QFN 32 pin footprint) that might be a PMIC because it has some thick traces around it, plus a big inductor. One of the pins near it read 6V, might be for the motor.

There's a shiny small square chip left of the left analog stick, marked with "7710" "325A1". I have no idea what this is, but there are some differential signals coming out of it; it might be USB, as the activity stops when I disconnect the USB cable. I think this is connected to the USB port. I suspect this is an OTG chip.

There's a rectangular (maybe LGA) chip on the bottom side on the left, marked with "134" "A1322" "333", possibly a sensor. It's got some sort of latch signal around it, or maybe it's a weird clock. It's slow and doesn't seem like a bus. Or it could be a shift register and it's reading blank because I'm not pressing buttons.

There's a QFN 32 pin chip marked with "WM18016" (the M could be a N, the 6 could be a G) "36A0LM6" dead center on the bottom side of the PCB. It has a sine wave logo on it (possibly Wolfson Microelectronics). It is near the audio stuff but it is also near where all the buttons connect. There are 5 test points near it. It appears to be communicating with SPI with constant activity. There's also two resistors that look like I2C pull-up resistors, and there appears to be constant I2C traffic.

Some buttons are active low, some are active high (maybe only the thumbstick push buttons). The buttons on the flexible circuit sheet are active low.

I'll keep adding to this section

Flexible Film Pin Mapping

The buttons are all on a single sheet of flexible film. The contacts for the flexible film are numbered from 1 to 18, and the numbers are written on the PCB.

The triggers have a resistor printed directly on the film; this appears to form a voltage divider, so that the trigger can have an analog value. The ground side of the voltage divider appears to be oscillating; the frequency and duty cycle are not fixed or predictable.

See main page (skewed button connector) for pins purpose.

USB

Audio definitely does not carry through USB.

The reports arrive once every 4ms.

Device Descriptor

Offset Field Size Value Description
0 bLength 1 0x12 Size of this descriptor in bytes (18)
1 bDescriptorType 1 0x01 DEVICE descriptor type (Constant = 1)
2 bcdUSB 2 0x0200 USB Spec release number (2.00) with which the device and its descriptors are compliant (e.g. 0x0200 (USB 2.0), 0x0300 (USB 3.0))

4 bDeviceClass 1 0x00 Class code assigned by USB-IF:

(used by the operating system to find a class driver for your device)

  • 00h means each interface defines its own class (identify itself at the interface level: bInterfaceClass)
  • FFh means vendor-defined class
  • Any other value must be a class code

5 bDeviceSubClass 1 0x00 SubClass Code assigned by USB-IF

(used by the operating system to find a class driver for your device)

6 bDeviceProtocol 1 0x00 Protocol Code assigned by USB-IF

(used by the operating system to find a class driver for your device)

7 bMaxPacketSize0 1 0x40 Max packet size for endpoint 0. (64)

8 idVendor 2 0x054C Vendor ID (VID) (Sony Corp.)

must be obtained from USB-IF

(used by the operating system to find a driver for your device)

10 idProduct 2 0x05C4 Product ID (PID) - (Sony Computer Entertainment Wireless Controller)

assigned by the manufacturer

(used by the operating system to find a driver for your device)

12 bcdDevice 2 0x0100 Device release number (Version: 1.00)

in binary coded decimal

14 iManufacturer 1 0x01 Index of string descriptor describing manufacturer

set to 0 if no string

15 iProduct 1 0x02 Index of string descriptor describing product

set to 0 if no string

16 iSerialNumber 1 0x00 Index of string descriptor describing device serial number
set to 0 if no string
17 bNumConfigurations 1 0x01 Number of possible configurations

Configuration Descriptor

Offset Field Size Value Description
0 bLength 1 0x09 Size
1 bDescriptorType 1 0x02 (= 2)
2 wTotalLength 2 0x0029 Total number of bytes (41) in this descriptor and all the following descriptors (9+9+9+7+7)
4 bNumInterfaces 1 0x01 Number of interfaces supported by this configuration
5 bConfigurationValue 1 0x01 Value used by Set Configuration to select this configuration
6 iConfiguration 1 0x00 Index of string descriptor describing configuration - set to 0 if no string
7 bmAttributes 1 0xC0 Self Powered & powered by the bus (11000000) (PS3 controller: 0x80)

Specifies power parameters for the configuration as an 8-bit binary value (msb to lsb):

7|6|5|4|3|2|1|0

  • D0 - D4: Reserved.
  • D5: The configuration supports remote wakeup.
  • D6: The configuration is self-powered and does not use power from the bus.
  • D7: The configuration is powered by the bus.

8 bMaxPower 1 0xFA Maximum current: 500mA drawn by device in this configuration.
In units of 2mA. So 0x32 (50) means 100 mA
Interface Descriptor
0 bLength 1 0x09 Size
1 bDescriptorType 1 0x04 (= 4)
2 bInterfaceNumber 1 0x00 Number identifying this interface.

Zero-based value

3 bAlternateSetting 1 0x00 The first (and default) value used to select alternative setting is always 0

(An interface can have more than one variant, and these variants can be switched between, while other interfaces are still in operation)

4 bNumEndpoints 1 0x02 Number of Endpoints used for this interface
5 bInterfaceClass 1 0x03 Class code assigned by USB-IF

  • 00h is a reserved value
  • FFh means vendor-defined class
  • Any other value must be a class code

6 bInterfaceSubClass 1 0x00 SubClass Code assigned by USB-IF
7 bInterfaceProtocol 1 0x00 Protocol Code assigned by USB-IF
8 iInterface 1 0x00 Index of string descriptor describing interface - set to 0 if no string
Human Interface Device (HID) Descriptor
0 bLength 1 0x09 Size
1 bDescriptorType 1 0x21 Constant name specifying type of HID descriptor
2 bcdHID 1.17 2 0x0111 HID class spec version (1.11)
4 bCountryCode 1 0x00 Not supported (Device Class Definition for HID 1.11 6.2.1 p33)
5 bNumDescriptors 1 0x01 Number of Descriptors
6 bDescriptorType 1 0x22 DescriptorType (34): REPORT
7 DescriptorLength 2 0x01D3 total size of the Report descriptor (467)
Endpoint (IN) Descriptor
0 bLength 1 0x07 Size
1 bDescriptorType 1 0x05 (= 5)
2 bEndpointAddress 1 0x84 IN<--(10 00 0100)-->4 (PS3 Controller: 0x81)

The address of this endpoint within the device:

  • D3-D0: Endpoint number
  • D6-D4: Reserved. set to Zero
  • D7: Direction: 0 = OUT, 1 = IN (Ignored for Control Endpoints)

3 bmAttributes 1 0x03 Interrupt (00000011)

(D1:0) Transfer Type:

  • 00 = Control
  • 01 = Isochronous
  • 10 = Bulk
  • 11 = Interrupt

The following only apply to isochronous endpoints. Else set to 0.

(D3:2) Synchronisation Type (ISO mode):

  • 00 = No Synchronisation
  • 01 = Asynchronous
  • 10 = Adaptive
  • 11 = Synchronous

(D5:4) Usage Type (ISO mode):

  • 00 = Data endpoint
  • 01 = Feedback endpoint
  • 10 = Implicit feedback Data endpoint
  • 11 = Reserved

(D7:6) Reserved Set to 0

4 wMaxPacketSize 2 0x0040 (64)
6 bInterval 1 0x05 5 (unit depends on device speed) (PS3 Controller: 1)

Interval for polling endpoint for data transfers. Expressed in frames (ms) for low/full speed or microframes (125µs) for high speed
(ignored for Bulk & Control Endpoints. Isochronous must equal 1 and field may range from 1 to 255 for interrupt endpoints)

Endpoint (OUT) Descriptor
0 bLength 1 0x07 Size
1 bDescriptorType 1 0x05 (= 5)
2 bEndpointAddress 1 0x03 OUT<--(00 00 0011)-->3 (PS3 Controller: 0x02)
3 bmAttributes 1 0x03 Interrupt
4 wMaxPacketSize 2 0x0040 (64)
6 bInterval 1 0x05 5

HID Report Descriptor

HID Usage Tables 1.12 (p.26)

Value Items Remarks
0x05 0x01 - Usage Page (Generic Desktop Controls)
0x09 0x05 - Usage (Game Pad) CA – A manual control or cursor device. A game pad minimally consists of a thumb-activated rocker switch that controls two axes (X and Y) and has four buttons. The rocker switch consists of four contact closures for up, down, right, and left.
0xA1 0x01 - Collection (Application) Start
0x85 0x01 - Report ID (1) Used by the FW to determine what data has been sent or needs to be transmitted
0x09 0x30 - Usage (X) DV – A linear translation in the X direction. Report values should increase as the control’s position is moved from left to right. (for sticks)
0x09 0x31 - Usage (Y) DV – (Y direction- values should increase from far to near)
0x09 0x32 - Usage (Z) DV – (Z direction- values should increase from high to low)
0x09 0x35 - Usage (Rz) DV – A rotation about the Z axis. Angular position report values follow the righthand rule.
0x15 0x00 - Logical Minimum (0) Value for sticks
0x26 0xFF 0x00 Logical Maximum (255) Value
0x75 0x08 - Report Size (8) 8 bits per variable
0x95 0x04 - Report Count (4) 4 variables
0x81 0x02 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) send variables (bytes 01 to 04)
0x09 0x39 - Usage (Hat switch) DV – A specialized mechanical configuration of switches generating a variable value with a null state. The switches are arranged around a springloaded knob. When the knob is tilted in the direction of a switch, its contacts are closed. A typical example is four switches that are capable of generating information about four possible directions in which the knob can be tilted. Intermediate positions can also be decoded if the hardware allows two switches to be reported simultaneously. (for D-pad)
0x15 0x00 - Logical Minimum (0) Value (0=N)
0x25 0x07 - Logical Maximum (7) Value (7=NW)
0x35 0x00 - Physical Minimum (0)
0x46 0x3B 0x01 Physical Maximum (315)
0x65 0x14 - Unit (System: English Rotation, Length: Centimeter)
0x75 0x04 - Report Size (4) (4 bits)
0x95 0x01 - Report Count (1) 1 variable (D-pad)
0x81 0x42 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,Null State) send (byte 05 low nibble -lsb)
0x65 0x00 - Unit (None)
0x05 0x09 - Usage Page (Button) face buttons
0x19 0x01 - Usage Minimum (0x01) first button
0x29 0x0E - Usage Maximum (0x0E) last button (14)
0x15 0x00 - Logical Minimum (0) Value for each button (status: 0 or 1)
0x25 0x01 - Logical Maximum (1)
0x75 0x01 - Report Size (1) 1 bit per button
0x95 0x0E - Report Count (14) 14 bits
0x81 0x02 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) send (byte 05 high nibble msb, 8 bits of byte 06 and binary bit 0 & 1 of byte 07)
0x06 0x00 0xFF Usage Page (Vendor Defined 0xFF00)
0x09 0x20 - Usage (0x20) Counter
0x75 0x06 - Report Size (6) 6 bits
0x95 0x01 - Report Count (1)
0x15 0x00 - Logical Minimum (0)
0x25 0x7F - Logical Maximum (127)
0x81 0x02 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) send (byte 07: msb 6 bits)
0x05 0x01 - Usage Page (Generic Desktop Controls) Shoulderpads Trigger
0x09 0x33 - Usage (Rx) DV – A rotation about the X axis. Angular position report values follow the right hand rule (L2 trigger)
0x09 0x34 - Usage (Ry) DV – A rotation about the Z axis. Angular position report values follow the right hand rule (R2 trigger)
0x15 0x00 - Logical Minimum (0)
0x26 0xFF 0x00 Logical Maximum (255)
0x75 0x08 - Report Size (8) 8 bits
0x95 0x02 - Report Count (2) 2 bytes
0x81 0x02 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) send bytes 08 & 09
0x06 0x00 0xFF Usage Page (Vendor Defined 0xFF00)
0x09 0x21 - Usage (0x21)
0x95 0x36 - Report Count (54)
0x81 0x02 - Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x85 0x05 - Report ID (5)
0x09 0x22 - Usage (0x22)
0x95 0x1F - Report Count (31)
0x91 0x02 - Output (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x04 - Report ID (4)
0x09 0x23 - Usage (0x23)
0x95 0x24 - Report Count (36)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) DV – declared in an Input report and is used as a notification to the host that the contents of a specific Feature report has changed
0x85 0x02 - Report ID (2)
0x09 0x24 - Usage (0x24)
0x95 0x24 - Report Count (36)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x08 - Report ID (8)
0x09 0x25 - Usage (0x25)
0x95 0x03 - Report Count (3)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x10 - Report ID (16)
0x09 0x26 - Usage (0x26)
0x95 0x04 - Report Count (4)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x11 - Report ID (17)
0x09 0x27 - Usage (0x27)
0x95 0x02 - Report Count (2)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x12 - Report ID (18)
0x06 0x02 0xFF Usage Page (Vendor Defined 0xFF02)
0x09 0x21 - Usage (0x21)
0x95 0x0F - Report Count (15)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x13 - Report ID (19)
0x09 0x22 - Usage (0x22)
0x95 0x16 - Report Count (22)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x14 - Report ID (20)
0x06 0x05 0xFF Usage Page (Vendor Defined 0xFF05)
0x09 0x20 - Usage (0x20)
0x95 0x10 - Report Count (16)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x15 - Report ID (21)
0x09 0x21 - Usage (0x21)
0x95 0x2C - Report Count (44)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x06 0x80 0xFF Usage Page (Vendor Defined 0xFF80)
0x85 0x80 - Report ID (128)
0x09 0x20 - Usage (0x20)
0x95 0x06 - Report Count (6)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x81 - Report ID (129)
0x09 0x21 - Usage (0x21)
0x95 0x06 - Report Count (6)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x82 - Report ID (130)
0x09 0x22 - Usage (0x22)
0x95 0x05 - Report Count (5)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x83 - Report ID (131)
0x09 0x23 - Usage (0x23)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x84 - Report ID (132)
0x09 0x24 - Usage (0x24)
0x95 0x04 - Report Count (4)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x85 - Report ID (133)
0x09 0x25 - Usage (0x25)
0x95 0x06 - Report Count (6)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x86 - Report ID (134)
0x09 0x26 - Usage (0x26)
0x95 0x06 - Report Count (6)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x87 - Report ID (135)
0x09 0x27 - Usage (0x27)
0x95 0x23 - Report Count (35)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x88 - Report ID (136)
0x09 0x28 - Usage (0x28)
0x95 0x22 - Report Count (34)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x89 - Report ID (137)
0x09 0x29 - Usage (0x29)
0x95 0x02 - Report Count (2)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x90 - Report ID (144)
0x09 0x30 - Usage (X) DV – A linear translation in the X direction. Report values should increase as the control’s position is moved from left to right.
0x95 0x05 - Report Count (5)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x91 - Report ID (145)
0x09 0x31 - Usage (Y) DV – A linear translation in the Y direction. Report values should increase as the control’s position is moved from far to near.
0x95 0x03 - Report Count (3)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x92 - Report ID (146)
0x09 0x32 - Usage (Z) DV – A linear translation in the Z direction. Report values should increase as the control’s position is moved from high to low (Z).
0x95 0x03 - Report Count (3)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0x93 - Report ID (147)
0x09 0x33 - Usage (Rx) DV – A rotation about the X axis. Angular position report values follow the righthand rule.
0x95 0x0C - Report Count (12)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA0 - Report ID (160)
0x09 0x40 - Usage (Vx) DV – A vector in the X direction. Report values should increase as the vector increases in the positive X direction (from left to right). Negative values represent vectors in the negative X direction.
0x95 0x06 - Report Count (6)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA1 - Report ID (161)
0x09 0x41 - Usage (Vy) DV – A vector in the Y direction. Report values should increase as the vector increases in the positive Y direction (from far to near). Negative values represent vectors in the negative Y direction.
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA2 - Report ID (162)
0x09 0x42 - Usage (Vz) DV – (Z direction -from high to low)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA3 - Report ID (163)
0x09 0x43 - Usage (Vbrx) DV – A vector in the X direction relative to the body of an object. Report values should increase as the vector increases in the positive X direction (forward). Negative values represent vectors in the negative X direction. X is the “forward” axis for an object
0x95 0x30 - Report Count (48)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA4 - Report ID (164)
0x09 0x44 - Usage (Vbry) DV – (Y direction -to the right from an observer facing forward on the object)
0x95 0x0D - Report Count (13)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA5 - Report ID (165)
0x09 0x45 - Usage (Vbrz) DV – A vector in the Z direction relative to the body of an object. Report values should increase as the vector increases in the positive Z direction (down from an observer facing forward on the object). Negative values represent vectors in the negative Z direction.
0x95 0x15 - Report Count (21)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA6 - Report ID (166)
0x09 0x46 - Usage (Vno) DV– A non oriented vector or value. The units define a physical measurement not related to a specific axis or orientation. An example would be pressure or temperature.
0x95 0x15 - Report Count (21)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xF0 - Report ID (240)
0x09 0x47 - Usage (Feature Notification)
0x95 0x3F - Report Count (63)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xF1 - Report ID (241)
0x09 0x48 - Usage (Resolution Multiplier) DV– Defines a (if a device has the capability to vary the resolution of one or more of its controls) Resolution Multiplier for a (all) Control:
0x95 0x3F - Report Count (63)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xF2 - Report ID (242)
0x09 0x49 - Usage (0x49)
0x95 0x0F - Report Count (15)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA7 - Report ID (167)
0x09 0x4A - Usage (0x4A)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA8 - Report ID (168)
0x09 0x4B - Usage (0x4B)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xA9 - Report ID (169)
0x09 0x4C - Usage (0x4C)
0x95 0x08 - Report Count (8)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAA - Report ID (170)
0x09 0x4E - Usage (0x4E)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAB - Report ID (171)
0x09 0x4F - Usage (0x4F)
0x95 0x39 - Report Count (57)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAC - Report ID (172)
0x09 0x50 - Usage (0x50)
0x95 0x39 - Report Count (57)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAD - Report ID (173)
0x09 0x51 - Usage (0x51)
0x95 0x0B - Report Count (11)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAE - Report ID (174)
0x09 0x52 - Usage (0x52)
0x95 0x01 - Report Count (1)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xAF - Report ID (175)
0x09 0x53 - Usage (0x53)
0x95 0x02 - Report Count (2)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85 0xB0 - Report ID (176)
0x09 0x54 - Usage (0x54)
0x95 0x3F - Report Count (63)
0xB1 0x02 - Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0xC0 - - End Collection End


Total size of the Report descriptor is 0x01D3 (467)

Report Structure

Sample Report

64 bytes
Offset(d) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

00000000  01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA
00000016  FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00
00000032  00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00
00000048  80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00

Data Format

byte index bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0
[0] Report ID (USB)
[1] Left stick X axis (0 = left)
[2] Left stick Y axis (0 = up)
[3] Right stick X axis
[4] Right stick Y axis
[5] bit 7: Triangle button; bit 6: Circle button; bit 5: Cross button; bit 4: Square button; bits 3-0: D-PAD, hat format (0x08 is released)
    1000 = released
    0111 = NW, 0110 = W, 0101 = SW, 0100 = S, 0011 = SE, 0010 = E, 0001 = NE, 0000 = N
[6] bit 7: R3 button; bit 6: L3 button; bit 5: Options button; bit 4: Share button; bit 3: R2 button (8); bit 2: L2 button (4); bit 1: R1 button (2); bit 0: L1 button (1)
[7] bits 7-2: Counter (counts up by 1 per report); bit 1: T-PAD click (2); bit 0: PS button (1)
[8] L2 trigger (0 = released/unpressed, 0xFF = fully pressed)
[9] R2 trigger
[10] Unknown, seems to count downwards, non-random pattern
[11] Unknown, seems to count upwards by 3, but by 2 when [10] underflows
[12] Battery Level
[13 - 14] Possibly Gyro X (seems to be signed): orientation measures
[15 - 16] Possibly Gyro Y
[17 - 18] Possibly Gyro Z
[19 - 20] Possibly Accel X: acceleration measures
[21 - 22] Possibly Accel Y
[23 - 24] Possibly Accel Z
[25 - 29] Unknown
[30] EXT/HeadSet/Earset: bitmask
  • 01111011 is headset with mic (0x7B)
  • 00111011 is headphones (0x3B)
  • 00011011 is nothing attached (0x1B)
  • 00001000 is bluetooth? (0x08)
  • 00000101 is ? (0x05)
[31 - 32] Unknown: speculation: these 5 next (reserved) nibbles for future additional products
[33] Unknown: speculation: could be bitmaps for control commands like volume, etc. T-PAD event active:

(seen only)

  • 0x00: No data for T-PAD[1]
  • 0x01: Set data for 2 current touches
  • 0x02: set data for previous touches at [44-51]

[34] T-PAD: auto incrementing number to track last update?
[35] T-PAD: tracking numbers, unique to each finger (№1) down, so for each lift and repress, it gets a newly incremented figure.
[36 - 38] T-PAD: each finger (№1) location/positional data: static upon finger lifting, to maintain state.

To decode: each coordinate (x and y) uses 12 bits, so you need to mask/split and swap the middle byte, e.g. 0x8a 4|0 28 → 0x08a 284 → x = 138, y = 644 [2]

[39] T-PAD: tracking numbers, unique to each finger (№2) down.
[40 - 42] T-PAD: each finger (№2) location.
[44 - 47] T-PAD: the previous touches (№1) track and location
[48 - 51] T-PAD: the previous touches (№2) track and location
[52 - 63] TODO[3]
Notes
  1. if NULL:
  2. T-PAD resolution (retail): 1920x943 → x=0-1919 and y=0-942 (12 bits give 2¹² = 4096 values, when 11 bits, 2¹¹ = 2048, would have been enough to fit into the resolution)
  3. if NULL:

see Button mapping
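The Data Format table above, applied to the sample report, as an added example (not code from the wiki or from Frank's notes). The function names are hypothetical, and reading the gyro/accel fields as little-endian signed 16-bit values is an assumption; the page only says they seem to be signed.

```python
import struct

# 64-byte USB input report copied from the sample dump on this page.
SAMPLE_REPORT = bytes.fromhex(
    "01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA"
    "FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00"
    "00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00"
    "80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00"
)

# Hat values 0..7 are directions, 8 means released (Data Format, byte 5).
HAT = ("N", "NE", "E", "SE", "S", "SW", "W", "NW", "released")

# (byte index, bit mask, name), taken from the Data Format table.
BUTTONS = (
    (5, 0x80, "triangle"), (5, 0x40, "circle"),
    (5, 0x20, "cross"), (5, 0x10, "square"),
    (6, 0x80, "R3"), (6, 0x40, "L3"),
    (6, 0x20, "options"), (6, 0x10, "share"),
    (6, 0x08, "R2"), (6, 0x04, "L2"),
    (6, 0x02, "R1"), (6, 0x01, "L1"),
    (7, 0x02, "tpad_click"), (7, 0x01, "PS"),
)


def decode_touch(b0, b1, b2):
    """Unpack two 12-bit coordinates from three bytes; the middle byte
    carries the high nibble of x and the low nibble of y."""
    x = b0 | ((b1 & 0x0F) << 8)
    y = (b1 >> 4) | (b2 << 4)
    return x, y


def parse_report(data):
    """Decode the documented fields of a 64-byte USB report with ID 0x01."""
    if len(data) != 64:
        raise ValueError(f"expected 64 bytes, got {len(data)}")
    if data[0] != 0x01:
        raise ValueError(f"unexpected report ID 0x{data[0]:02X}")
    hat = data[5] & 0x0F
    return {
        "left_stick": (data[1], data[2]),
        "right_stick": (data[3], data[4]),
        "dpad": HAT[hat] if hat < len(HAT) else "invalid",
        "buttons": [name for idx, mask, name in BUTTONS if data[idx] & mask],
        "counter": data[7] >> 2,          # upper 6 bits of byte 7
        "l2": data[8],
        "r2": data[9],
        "battery": data[12],
        # Assumption: little-endian signed 16-bit values.
        "gyro": struct.unpack_from("<3h", data, 13),
        "accel": struct.unpack_from("<3h", data, 19),
        "ext": data[30],
        "touch": [
            {"track": data[35], "pos": decode_touch(*data[36:39])},
            {"track": data[39], "pos": decode_touch(*data[40:43])},
        ],
    }


if __name__ == "__main__":
    for key, value in parse_report(SAMPLE_REPORT).items():
        print(f"{key:12} {value}")
```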

Speculation: sound, rumble (active: 1-255 / Left-Right small or large?) and LED (color changing, 8 bits for each of the R, G, and B primaries: 13-255?) are only carried through (always enabled) Bluetooth.

Class Requests

This is what happened with a controller that was not previously synced to the PS4

Set Address
Get Device Descriptor:    (Short Device Descriptor)
Get Device Descriptor:    (Full Device Descriptor)
Get String Descriptor[idx=0, langID=0]:      04 03
Get String Descriptor[idx=0, langID=0]:      04 03 09 04
Get String Descriptor[idx=1, langID=0x0409]: 38 03
Get String Descriptor[idx=1, langID=0x0409]: "Sony Computer Entertainment"
Get String Descriptor[idx=2, langID=0x0409]: 
Get String Descriptor[idx=3, langID=0x0409]: "Wireless Controller"
Get Configuration Descriptor: (Short Configuration Descriptor)
Get Configuration Descriptor: (Full Configuration Descriptor)
Get Device Status: 00 00
Set Configuration to 0x01
Get Descriptor:  (HID Report Descriptor)
Set Idle to 0
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 00 00 00 00 00 00
Set Report 0x14: 13 AC 9E 17 94 05 B0 56 E8 81 38 08 06 51 41 C0 7F 12 AA D9 66 3C CE
Set Report 0x12: 14 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The same controller is then disconnected, and this is what happened when it reconnected

... enumeration steps same as before
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 AC 9E 17 94 05 B0

Report ID 0xA3 seems to be some sort of time-of-manufacture identifier; it contains a date and time as a string at the beginning: ".Aug 3 2013.....07:01:12...........1....I....."

AC 9E 17 94 05 B0 is PS4 (Host) Bluetooth MAC Address (in proper MAC format, it is B0:05:94:17:9E:AC), AC 9E 17 is the LAP and 0x94 is the UAP, 05 B0 is the NAP, this was verified using a Bluetooth sniffer.

The 16 bytes that follow immediately after the BD_ADDR are the link key that is used to authenticate the DualShock 4. When a Bluetooth connection is established, this link key is used for authentication.

I am guessing that 8B 09 07 6D 66 1C means something; it's different on a different controller, and it seems to be the Bluetooth MAC address of the DualShock 4. In proper MAC format it is 1C:66:6D:07:09:8B in this example.

Bluetooth

The DS4 has two modes: one where you can pair it with a computer (hold PS and Share at the same time until the light blinks twice in quick succession), and another mode when it is used with a PS4.

In the PS4 mode, it appears to advertise as two devices, one is a game controller and the other is an audio device. The game controller has a class 0x002508, and the audio device is class 0x200404. Neither has a name.

Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof a previously paired DS4's BDADDR and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.

Capable of streaming 32 kHz sound to the controller's speakers for up to 2 players, but that reduces to 16 kHz when 3 or more players are hooked up.

UART HCI

On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points.

You can clearly see the UART HCI data when you analyze the traffic on the RX and TX pins (See testpoints).

The data seems to be at a baud rate of exactly 3 Mbit/s, sticking with HCI standards, meaning it's 8N1 (8 data bits, no parity, 1 stop bit). The report rate seems to be once every 1.3 milliseconds, but there are some occasional gaps in between that can reach 15 milliseconds.

This file is a capture of the traffic over the UART HCI, Wireshark is required to view this PCAP file.

Similar to the file before but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.

HID Report header & footer

Examples

Here's a sample HCI transaction that represents a report from the DS4 to the PS4:


Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E
00000010  7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21
00000020  03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80
00000030  00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00
00000040  00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00
00000050  00 00 00 00 7D 0A 5D 0B

(For Packet type 2)

Offset Size Value Description
Header 0x00 0x01 0x02 (2) Packet Type:

  • 0x00: Acknowledgement Packets ?
  • 0x01: HCI Command Packet (send commands to the Host Controller)
  • 0x02: HCI ACL Data Packet (exchange Asynchronous Connection-Less data between the Host and Host Controller)
  • 0x03: HCI SCO Data Packet (exchange Synchronous Connection-Oriented data)
  • 0x04: HCI Event Packet (notify the Host when events occur)

0x01 0x02 0x1520 (0x2015) Control information (msb 00 10 000000010101 lsb), for packet type 2:

  • Broadcast (BC) flag (most significant 2 bits):
      00 = point-to-point packet (no broadcast) (only two Bluetooth units involved)
      01 = Active Slave Broadcast (Up to 7 slaves can be active in the Piconet)
      10 = Parked Slave Broadcast (Up to 255 further slave devices can be inactive)
  • Packet boundary (PB) flag (2 bits):
      01 = continuing packet of a higher level message
      10 = first packet of a higher level message
  • Connection handle (least significant 12 bits): 0x15

0x03 0x02 0x5300 (83) Length of Packet (for packet type 2)
0x05 0x02 0x4F00 (79) Length (Payload+Check)
0x07 0x02 0x4200 (0x0042) Channel ID (CID)
HID portion 0x09 0x03 0xA111C0 Packet Payload header: INPUT DATA protocol code 0x11 (see Structure HID transaction)
0x0C 0x48 0x0083 … 0x00 Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL.
Check 0x54 0x04 0x7D0A5D0B (0x0B5D0A7D) Data Integrity Check (CRC-32)

To ensure that the packet is valid, this field is appended onto the end of the packet. The Packet Payload is used to compute the Data Integrity Check (the CRC-32 polynomial is 0x4C11DB7).

Packet type 4 example:

04 13 05 01 15 00 01 00
Offset Size Value Description
0x00 0x01 0x04 (4) Packet Type:

  • HCI Event Packet

0x01 0x01 0x13 Event code
0x02 0x01 0x05 Parameter total length
0x03 0x01 0x01 Number of Connection handles
0x04 0x02 0x1500 (0x15) Connection handle
0x06 0x02 0x0100 (1) Number of completed packets

CRC32

You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself: enter the packet payload into the text box as hex.
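The framing and check described in the tables above can also be verified offline. The following Python is an added example, not code from the original page: it decodes the sample ACL packet from the Examples section and recomputes the check, assuming the field is the common zlib-style CRC-32 (reflected 0x04C11DB7, initial value and final XOR 0xFFFFFFFF) taken over the bytes from the HID header up to the check. `parse_acl` and `build_acl` are hypothetical helper names.

```python
import struct
import zlib

# HCI ACL packet copied from the "Examples" hex dump on this page (88 bytes).
SAMPLE = bytes.fromhex(
    "02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E"
    "7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21"
    "03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80"
    "00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00"
    "00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00"
    "00 00 00 00 7D 0A 5D 0B"
)

def parse_acl(pkt):
    """Decode one unfragmented UART HCI ACL packet carrying a DS4 HID report."""
    if len(pkt) < 15 or pkt[0] != 0x02:
        raise ValueError("not an HCI ACL data packet")
    # All multi-byte fields are little-endian: control, HCI length, L2CAP length, CID.
    ctrl, hci_len, l2cap_len, cid = struct.unpack_from("<HHHH", pkt, 1)
    pb = (ctrl >> 12) & 0x3
    if pb != 0b10:
        # Continuation fragments carry no L2CAP header; reassemble them first.
        raise ValueError("not the first packet of an L2CAP message")
    if hci_len != len(pkt) - 5 or l2cap_len != hci_len - 4:
        raise ValueError("length fields disagree with packet size")
    body = pkt[9:-4]
    check = struct.unpack_from("<I", pkt, len(pkt) - 4)[0]
    # Assumption: zlib's CRC-32 variant, computed from the HID header byte on.
    computed = zlib.crc32(body) & 0xFFFFFFFF
    return {
        "handle": ctrl & 0x0FFF, "pb": pb, "bc": ctrl >> 14, "cid": cid,
        "transaction": body[0] >> 4, "report_type": body[0] & 0x3,
        "protocol_code": body[1], "crc_field": check,
        "crc_computed": computed, "crc_ok": computed == check,
    }

def build_acl(handle, cid, body):
    """Frame a constructed HID payload the same way (first packet, no broadcast)."""
    payload = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    l2cap = struct.pack("<HH", len(payload), cid) + payload
    return b"\x02" + struct.pack("<HH", (0b10 << 12) | handle, len(l2cap)) + l2cap

if __name__ == "__main__":
    for name, value in parse_acl(SAMPLE).items():
        print(f"{name:14} 0x{value:X}")
```

If `crc_ok` is false for a captured packet, compare `crc_field` with `crc_computed` before concluding the data is corrupt, since a mismatch can also mean the assumed CRC variant or byte range is wrong.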

Structure HID transaction (portion)

Input and output reports specify control data and feature reports specify configuration data.

Data Format
byte index / bits (bit 7 … bit 0)
[0] bits 7-4: transaction type:

  • 0x04: GET REPORT
  • 0x05: SET REPORT
  • 0x0A: DATA

[0] bits 3-2: parameters:

  • 0x00:
  • 0x01:

[0] bits 1-0: report type:

  • 0x01: INPUT
  • 0x02: OUTPUT
  • 0x03: FEATURE

[1] protocol code
[2] -
[3-end] report content (e.g. buttons for report type input, see data structure)

HID INPUT reports

Input controls are sources of data relevant to an application, for example, X and Y data (e.g.: axes stick) or buttons obtained from a pointing device.

Protocol code:

0x01

This report is sent until the GET REPORT FEATURE 0x02 is received.

0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
            ^Left Stick X ...       ^D-PAD

0x11

This report is sent once the GET REPORT FEATURE 0x02 is received. See example

HID output reports

Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.

Protocol code:

0x11

0x14

Speculation: contains sound.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0000   0f 01 42 00 a2 14 40 a0 f4 69 02 9c 75 19 24 00  ..B...@..i..u.$.
   0010   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
   0020   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
   0030   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
   0040   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
   0050   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
   0060   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
   0070   b6 db b6 db 6d db 6d b6 ed b6 db 9c 75 19 24 00  ....m.m.....u.$.
   0080   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
   0090   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
   00a0   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
   00b0   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
   00c0   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
   00d0   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
   00e0   b6 db b6 db 6d db 6d b6 ed b6 db 00 00 00 00 00  ....m.m.........
   00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f  ................
   0110   42 86 54                                         B.T


0x15

Speculation: contains rumbles, LED color and sound.

0000   4f 01 42 00 a2 15 c0 a0 f3 04 00 00 00 00 00 ff  O.B.............
0010   00 00 00 00 00 00 00 00 00 00 49 49 00 4f 85 00  ..........II.O..
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00  ....i..u.$......
0060   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
0070   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
0080   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
0090   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
00a0   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
00b0   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
00c0   db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00  .m.....u.$......
00d0   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
00e0   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
00f0   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
0100   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
0110   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
0120   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
0130   db 6d b6 ed b6 db 00 00 00 00 00 00 00 00 00 00  .m..............
0140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b5  ................
0150   98 a9 0f                                         ...
  • 0x4F01: length (335)
  • 0x4200: CID (42)
  • 0xA2: DATA OUTPUT
  • 0x15: Protocol Code
  • 0xC0A0F30400: Unknown
  • 0x00: Rumble right
  • 0x00: Rumble left
  • 0x00: LED (Red)
  • 0x00: LED (Green)
  • 0xFF: LED (Blue)

... 0xB598A90F: Check (CRC-32 (from 0xA2))

0x17

0x18

0x19

HID feature reports

A user-mode application can obtain (get) and set feature information by using this report designation.