DS4-BT: Difference between revisions
Jump to navigation
Jump to search
Bluetooth module Qualcomm: Qualcomm Atheros AR3002-BL3D
(→0xF2) |
(Gyro and acceleration fix) |
||
| (14 intermediate revisions by 8 users not shown) | |||
| Line 48: | Line 48: | ||
* [[Bluetooth#Overlapping_channels_BT.2FWiFi|Overlapping channels BT/WiFi]] | * [[Bluetooth#Overlapping_channels_BT.2FWiFi|Overlapping channels BT/WiFi]] | ||
=== Bluetooth | === Bluetooth Addressing === | ||
Each Bluetooth unit has a unique 48-bit address (BD_ADDR). | Each Bluetooth unit has a unique 48-bit address (BD_ADDR). | ||
| Line 210: | Line 210: | ||
**0x0100: L2CAP | **0x0100: L2CAP | ||
*0x0800: Maximum Attribute Byte count (2048)? | *0x0800: Maximum Attribute Byte count (2048)? | ||
*0x0A: Data element (type:1, Size index: 2 (4 bytes) | *0x3505: Data element (Type descriptor: 6, Size index: 5) 5 bytes | ||
**0x0A: Data element (type:1, Size index: 2 (4 bytes)) | |||
**0x0000FFFF: Attribute ID list | **0x0000FFFF: Attribute ID list | ||
*0x00: Continuation State | *0x00: Continuation State | ||
| Line 598: | Line 599: | ||
===== 0x01 ===== | ===== 0x01 ===== | ||
The transaction type is DATA (0x0a), and the report type is INPUT (0x01). | The transaction type is DATA (0x0a), and the report type is INPUT (0x01). | ||
The protocol code is | The protocol code is 0x01. | ||
This report is sent until the GET REPORT FEATURE 0x02 is received. | This report is sent until the GET REPORT FEATURE 0x02 is received. | ||
| Line 762: | Line 763: | ||
|- | |- | ||
|[16 - 17] | |[16 - 17] | ||
|colspan="8"| | |colspan="8"|Angular velocity X | ||
|- | |- | ||
|[18 - 19] | |[18 - 19] | ||
|colspan="8"| | |colspan="8"|Angular velocity Y | ||
|- | |- | ||
|[20 - 21] | |[20 - 21] | ||
|colspan="8"| | |colspan="8"|Angular velocity Z | ||
|- | |- | ||
|[22 - 23] | |[22 - 23] | ||
|colspan="8"| | |colspan="8"|Acceleration X | ||
|- | |- | ||
|[24 - 25] | |[24 - 25] | ||
|colspan="8"| | |colspan="8"|Acceleration Y | ||
|- | |- | ||
|[26 - 27] | |[26 - 27] | ||
|colspan="8"| | |colspan="8"|Acceleration Z | ||
|- | |- | ||
|[28 - 32] | |[28 - 32] | ||
| Line 897: | Line 898: | ||
The protocol code is 0x11. | The protocol code is 0x11. | ||
Byte at index 4 | First bit at byte 2 specifies whether to enable control. Byte at index 4 specifies which individual control to enable. | ||
Report example: | Report example: | ||
| Line 905: | Line 906: | ||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:lime">0xd8, 0x8e, 0x94, 0xdd</span> | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:lime">0xd8, 0x8e, 0x94, 0xdd</span> | ||
Speculation: | |||
0x11 may be not a packet ID but encoded packet size. | |||
Lower digit (0x01) satisfies formula: '''((packet_size - 15) >> 6) + 1''' | |||
(packet_size does not include '0xa2'; >> - bit shift right - equivalent to integer division by 64) | |||
This formula seems to work for all packets (0x11..0x18). | |||
Packet 0x19 looks like clamped by max packet size. | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 927: | Line 935: | ||
|colspan="8"|'''0x11''' | |colspan="8"|'''0x11''' | ||
|- | |- | ||
|[2 - 3] | |[2] | ||
|colspan="1"|Controls | |||
|colspan="7"|Unknown | |||
|- | |||
|[3] | |||
|colspan="8"|Unknown | |colspan="8"|Unknown | ||
|- | |- | ||
|[4] | |[4] | ||
|colspan=" | |colspan="4"|0x0f | ||
|colspan="1"|Unknown | |||
|colspan="1"|Flash | |||
|colspan="1"|Color | |||
|colspan="1"|Rumble | |||
|- | |- | ||
|[5 - 6] | |[5 - 6] | ||
| Line 1,056: | Line 1,072: | ||
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | ||
0050 00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00 ....i..u.$...... | 0050 00 00 00 <span style="background:pink;">f6 69</span> 02 <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00 ....i..u.$...... | ||
0060 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m | 0060 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m | ||
0070 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m | 0070 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m | ||
| Line 1,063: | Line 1,079: | ||
00a0 b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d .m....m.m....v.m | 00a0 b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d .m....m.m....v.m | ||
00b0 bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d .m....n.m.m....m | 00b0 bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d .m....n.m.m....m | ||
00c0 db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00 .m.....u.$...... | 00c0 db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00 .m.....u.$...... | ||
00d0 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m | 00d0 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m | ||
00e0 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m | 00e0 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m | ||
| Line 1,326: | Line 1,342: | ||
==== HID features reports ==== | ==== HID features reports ==== | ||
There is a periodic report sequence that consists in 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE REPORTS. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4. | |||
There is another periodic report sequence that consists in one 0x03 SET FEATURE report and 1 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report. | |||
These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters. | |||
A user-mode application can obtain (get) and set feature information by using this report designation. | |||
===== GET FEATURE===== | |||
Each GET FEATURE report sent by the PS4 is answered by the DS4 with a DATA FEATURE report. | |||
====0x02==== | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 1,359: | Line 1,370: | ||
|- | |- | ||
|[0] | |[0] | ||
|colspan="4"| | |colspan="4"|0x04 GET REPORT | ||
|colspan=" | |colspan="1"|0x01 | ||
|colspan="4"|0x03 | |colspan="1"|0x00 | ||
|colspan="4"|0x03 FEATURE | |||
|- | |- | ||
|[1] | |[1] | ||
|colspan="8"| | |colspan="8"|Report id | ||
|- | |- | ||
|[2 - | |[2 - 3] | ||
|colspan="8"|Buffer size. | |||
|colspan="8"| | |||
|} | |} | ||
====== | ====== 0x02 ====== | ||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | ||
The protocol code is | The protocol code is 0x02. | ||
The bytes in this report do not seem to fluctuate. | |||
Report example: | Report example: | ||
<pre>0xa3, | <pre>0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd, | ||
0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0, | |||
0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00</pre> | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 1,405: | Line 1,413: | ||
|- | |- | ||
|[1] | |[1] | ||
|colspan="8"| | |colspan="8"|0x02 | ||
|- | |- | ||
|[2 - | |[2 - 37] | ||
|colspan="8"| | |colspan="8"|TODO, work in progress. | ||
|} | |} | ||
====== | ====== 0x04 ====== | ||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | ||
The protocol code is | The protocol code is 0x04. | ||
Most bytes from index 4 change between two reports. | |||
Report example: | Report example: | ||
<pre>0xa3, | <pre>0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda, | ||
0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48, | |||
0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84</pre> | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 1,443: | Line 1,450: | ||
|- | |- | ||
|[1] | |[1] | ||
|colspan="8"| | |colspan="8"|0x04 | ||
|- | |- | ||
|[2] | |[2] | ||
|colspan="8"|sequence counter (init = | |colspan="8"|sequence counter (init = 0x02, step = 1) | ||
|- | |- | ||
|[3] | |[3] | ||
|colspan="8"|0x00 | |colspan="8"|0x00 | ||
|- | |- | ||
|[ | |[4 - 43] | ||
|colspan="8"| | |colspan="8"|TODO, work in progress. | ||
|- | |- | ||
|[ | |[44 - 47] | ||
|colspan="8"|CRC-32 of the previous bytes. | |colspan="8"|CRC-32 of the previous bytes. | ||
|} | |} | ||
====== 0x06 ====== | |||
====== | |||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | ||
The protocol code is | The protocol code is 0x06. | ||
The bytes in this report do not seem to fluctuate. They are the same in two different controllers. | |||
Report example: | Report example: | ||
<pre>0xa3, | <pre>0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, | ||
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, | |||
0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7</pre> | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 1,498: | Line 1,497: | ||
|- | |- | ||
|[1] | |[1] | ||
|colspan="8"| | |colspan="8"|0x06 | ||
|- | |- | ||
|[2] | |[2 - 49] | ||
|colspan="8"| | |colspan="8"|A date: Aug 3 2013 07:01:12 | ||
|- | |- | ||
|[ | |[50 - 53] | ||
|colspan="8"|CRC-32 of the previous bytes. | |colspan="8"|CRC-32 of the previous bytes. | ||
|} | |} | ||
===== | ====== 0xA3 ====== | ||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | |||
The protocol code is 0xa3. | |||
====== 0x03 ====== | It is identical to 0x06 except that there's no CRC-32 at the end of the packet. | ||
Report example: | |||
<pre>0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, | |||
0x03, 0x00</pre> | |||
{| class="wikitable" | |||
|+Data Format | |||
|- | |||
|width="100"|byte index | |||
|width="60"|bit 7 | |||
|width="60"|bit 6 | |||
|width="60"|bit 5 | |||
|width="60"|bit 4 | |||
|width="60"|bit 3 | |||
|width="60"|bit 2 | |||
|width="60"|bit 1 | |||
|width="60"|bit 0 | |||
|- | |||
|[0] | |||
|colspan="4"|0x0a | |||
|colspan="2"|0x00 | |||
|colspan="4"|0x03 | |||
|- | |||
|[1] | |||
|colspan="8"|0xa3 | |||
|- | |||
|[2 - 49] | |||
|colspan="8"|A date: Aug 3 2013 07:01:12 | |||
|} | |||
====== 0xF1 ====== | |||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | |||
The protocol code is 0xf1. | |||
This report is part of the authentication sequence: it contains challenge response data. | |||
Report example: | |||
<pre>0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e, | |||
0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d, | |||
0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03, | |||
0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e, | |||
0xb3</pre> | |||
{| class="wikitable" | |||
|+Data Format | |||
|- | |||
|width="100"|byte index | |||
|width="60"|bit 7 | |||
|width="60"|bit 6 | |||
|width="60"|bit 5 | |||
|width="60"|bit 4 | |||
|width="60"|bit 3 | |||
|width="60"|bit 2 | |||
|width="60"|bit 1 | |||
|width="60"|bit 0 | |||
|- | |||
|[0] | |||
|colspan="4"|0x0a | |||
|colspan="2"|0x00 | |||
|colspan="4"|0x03 | |||
|- | |||
|[1] | |||
|colspan="8"|0xf1 | |||
|- | |||
|[2] | |||
|colspan="8"|sequence counter (init = 0x01, step = 1) | |||
|- | |||
|[3] | |||
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x12) | |||
|- | |||
|[4] | |||
|colspan="8"|0x00 | |||
|- | |||
|[5 - 60] | |||
|colspan="8"|Challenge response data. | |||
|- | |||
|[61 - 64] | |||
|colspan="8"|CRC-32 of the previous bytes. | |||
|} | |||
The sequence is 1040 bytes long with the following structure: | |||
<pre> | |||
struct ds4_response { | |||
unsigned char signature[0x100]; | |||
unsigned char serial_num[0x10]; | |||
unsigned char n[0x100]; | |||
unsigned char e[0x100]; | |||
unsigned char casig[0x100]; | |||
}; | |||
</pre> | |||
<u>signature</u> - is a PSS signature of the nonce, signed with DS4's private key<br> | |||
<u>serial_num</u> - is the controller/cert serial number<br> | |||
<u>n</u> - DS4's Public Key prime<br> | |||
<u>e</u> - DS4's Public Key exponent<br> | |||
<u>casig</u> - is a PSS signature (signed by Sony's CA private key) of the <u>serial_num</u>, <u>n</u> and <u>e</u><br> | |||
The last (19th) packet is padded with 24 bytes. | |||
====== 0xF2 ====== | |||
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). | |||
The protocol code is 0xf2. | |||
This report is part of the authentication sequence: it indicates if the challenge response is ready. | |||
Report example: | |||
<pre>0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c, | |||
0xef</pre> | |||
{| class="wikitable" | |||
|+Data Format | |||
|- | |||
|width="100"|byte index | |||
|width="60"|bit 7 | |||
|width="60"|bit 6 | |||
|width="60"|bit 5 | |||
|width="60"|bit 4 | |||
|width="60"|bit 3 | |||
|width="60"|bit 2 | |||
|width="60"|bit 1 | |||
|width="60"|bit 0 | |||
|- | |||
|[0] | |||
|colspan="4"|0x0a | |||
|colspan="2"|0x00 | |||
|colspan="4"|0x03 | |||
|- | |||
|[1] | |||
|colspan="8"|0xf2 | |||
|- | |||
|[2] | |||
|colspan="8"|sequence counter (init = 0x01, step = 1) | |||
|- | |||
|[3] | |||
|colspan="3"|0x00 | |||
|colspan="1"|0x01 = not ready | |||
0x00 = ready | |||
|colspan="7"|0x00 | |||
|- | |||
|[4 - 12] | |||
|colspan="8"|padded with 0x00. | |||
|- | |||
|[13 - 16] | |||
|colspan="8"|CRC-32 of the previous bytes. | |||
|} | |||
===== SET FEATURE===== | |||
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte. | |||
====== 0x03 ====== | |||
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). | |||
The protocol code is 0x03. | |||
Most bytes from index 4 change between two reports. | |||
Report example: | |||
<pre>0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad, | |||
0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf, | |||
0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33</pre> | |||
{| class="wikitable" | |||
|+Data Format | |||
|- | |||
|width="100"|byte index | |||
|width="60"|bit 7 | |||
|width="60"|bit 6 | |||
|width="60"|bit 5 | |||
|width="60"|bit 4 | |||
|width="60"|bit 3 | |||
|width="60"|bit 2 | |||
|width="60"|bit 1 | |||
|width="60"|bit 0 | |||
|- | |||
|[0] | |||
|colspan="4"|0x05 | |||
|colspan="2"|0x00 | |||
|colspan="4"|0x03 | |||
|- | |||
|[1] | |||
|colspan="8"|0x03 | |||
|- | |||
|[2] | |||
|colspan="8"|sequence counter (init = 0x02, step = 1) | |||
|- | |||
|[3] | |||
|colspan="8"|0x00 | |||
|- | |||
|[4 - 35] | |||
|colspan="8"|TODO, work in progress. | |||
|- | |||
|[36 - 39] | |||
|colspan="8"|CRC-32 of the previous bytes. | |||
|} | |||
====== 0xF0 ====== | ====== 0xF0 ====== | ||
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). | |||
The protocol code is 0xf0. | |||
This report is part of the authentication sequence: it contains challenge data. | |||
Report example: | |||
<pre>0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9, | |||
0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae, | |||
0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a, | |||
0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac, | |||
0x82</pre> | |||
{| class="wikitable" | |||
|+Data Format | |||
|- | |||
|width="100"|byte index | |||
|width="60"|bit 7 | |||
|width="60"|bit 6 | |||
|width="60"|bit 5 | |||
|width="60"|bit 4 | |||
|width="60"|bit 3 | |||
|width="60"|bit 2 | |||
|width="60"|bit 1 | |||
|width="60"|bit 0 | |||
|- | |||
|[0] | |||
|colspan="4"|0x05 | |||
|colspan="2"|0x00 | |||
|colspan="4"|0x03 | |||
|- | |||
|[1] | |||
|colspan="8"|0xf0 | |||
|- | |||
|[2] | |||
|colspan="8"|sequence counter (init = 0x01, step = 1) | |||
|- | |||
|[3] | |||
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x04) | |||
|- | |||
|[4] | |||
|colspan="8"|0x00 | |||
|- | |||
|[5 - 60] | |||
|colspan="8"|Challenge data. | |||
|- | |||
|[61 - 64] | |||
|colspan="8"|CRC-32 of the previous bytes. | |||
|} | |||
The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes. | |||
{{Reverse Engineering}} | {{Reverse Engineering}} | ||
<noinclude>[[Category:Main]]</noinclude> | <noinclude>[[Category:Main]]</noinclude> | ||
Revision as of 09:48, 1 September 2019
Source: http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )
Bluetooth
Bluetooth is a wireless technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.
Capable of streaming 32Khz sound to the controllers speakers for up to 2 players, but that reduces to 16Khz when 3 or more players are hooked up.
UART HCI
On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points.
You can clearly see the UART HCI receiving/transmitting data when you analyze the traffic on the RX and TX pins (See testpoints).
The data seems to be at a baud rate of exactly 3Mbit/s , sticking with HCI standards, meaning it's 8N1 (8 data bits, No parity, 1 stop bit). The report rate seems to be once every 1.3 millisecond, but there are some occasional gaps in between that can reach 15 milliseconds.
This file is a capture of the traffic over the UART HCI, Wireshark can be used for parsing this PCAP file.
Similar to the file before but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
Maximum theoretical update frequency per second (Minimum theoretical latency)
| Controllers | Input+Output disabled | Output enabled | Input enabled |
|---|---|---|---|
| 1 | 800x (1.25ms) | 400 (2.50ms) | 125 (8ms) |
| 2 | 400x (2.50ms) | 200 (5ms) | 62.50 (16ms) |
| 3 | 266x (3,75ms) | 133 (7.5ms) | 41.66 (24ms) |
| 4 | 200x (5ms) | 100 (10ms) | 31.25 (32ms) |
In comparison, USB has 250x (4ms)
Overlapping channels BT/WiFi
Bluetooth Addressing
Each Bluetooth unit has a unique 48-bit address (BD_ADDR).
If you spoof a previously paired DS4's BDADDR (is the unique address of a Bluetooth device, similar to the MAC address of a network card) and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.
The DualShock 4 has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.
| Company_assigned | Company_id | ||||||||||
| Lower Address Part (24-bit) transmitted with every packet as part of the packet header |
Upper Address Part (8-bit) |
Non-Significant Address Part (16-bit) assigned publicly by the IEEE | |||||||||
| lsbxxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxxmsb |
|---|---|---|---|---|---|---|---|---|---|---|---|
Unpairing
Class of Device/Service (CoD)
In the PS4 mode, the DualShock 4 appears to be advertised as two devices (neither has a name), one is a game controller and the other is an audio device:
The game controller has a class of Device/Service (CoD) 0x002508:
- Major Service Class: Limited Discoverable Mode (0x2000)
- Major Device Class : Peripheral (mouse, joystick, keyboards etc) (0x500)
- Minor Device Class : Gamepad (0x08)
The audio device is class 0x200404:
- Major Service Class: Audio (Speaker, Microphone, Headset service, ...)
- Major Device Class : Audio/Video (headset, speaker, stereo, video display, VCR, ...)
- Minor Device Class : Wearable Headset Device
(Online Generator http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html)
Service Discovery Protocol (SDP)
SDP used by the PS4 the first time a device tries to connect, whereas the DS4 does it each time it connects to the PS4 (you can use Wireshark for parsing SDP files, but double check manually due to wrong interpretation or not standard protocol).
PDU
- SDP uses a request/response model where each transaction consists of one request PDU (protocol data unit) and one response PDU.
| PDU value | Description |
|---|---|
| 0x00 | Reserved |
| 0x01 | Error Response |
| 0x02 | Search Request |
| 0x03 | Search Response |
| 0x04 | Attribute Request |
| 0x05 | Attribute Response |
| 0x06 | Search Attribute Request |
| 0x07 | Search Attribute Response |
| 0x08-0xFF | Reserved |
Data Element
- an attribute id or an attribute value is often represented as a data element.
- The format of a data element follows the TLV (type-length-value) convention.
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
|---|---|---|---|---|---|---|---|---|
| [0] | Type | Length | ||||||
| [1-4] | additional field | |||||||
| [x] | Value | |||||||
Type descriptor
| Type Descriptor value | Valid Size descriptor values | type description |
|---|---|---|
| 0 | 0 | Nil |
| 1 | 0, 1, 2, 3, 4 | Unsigned Integer |
| 2 | 0, 1, 2, 3, 4 | Signed twos-complements integer |
| 3 | 1, 2, 4 | Universally Unique Identifier (UUID) |
| 4 | 5, 6, 7 | text string |
| 5 | 0 | booleans |
| 6 | 5, 6, 7 | Data element sequence, a data element whose data field is a sequence of data elements |
| 7 | 5, 6, 7 | Data element alternative, data element whose data filed is a sequence of data elements from which one data elements is to be selected |
| 8 | 5, 6, 7 | Uniform Resource Locator (URL) |
| 9-31 | Reserved |
Length descriptor
| Size Index | Additional bits | Data size |
|---|---|---|
| 0 | 0 | 1 byte |
| 1 | 0 | 2 bytes |
| 2 | 0 | 4 bytes |
| 3 | 0 | 8 bytes |
| 4 | 0 | 16 bytes |
| 5 | 8 | The data size is contained in the additional 8 bits, which are interpreted as an unsigned integer |
| 6 | 16 | The data size is contained in the additional 16 bits, which are interpreted as an unsigned integer |
| 7 | 32 | The data size is contained in the additional 32 bits, which are interpreted as an unsigned integer |
e.g.: 0x35 = 00110101 (binary) = 00110 | 101 = Type 6 | Length size index 5
PS4
Request
(without 0x02 0x1520 0x1800 0x1400 0x4000 see header section)
06 00 01 00 0f 35 03 19 01 00 08 00 35 05 0a 00 00 ff ff 00
- 0x06 PDU Service Search Attribute Request
- 0x0001 Transaction ID
- 0x000F Length
- 0x3503: Data element (Type descriptor: 6, Size index: 5) 3 bytes
- 0x19: Data element (type: 3 (UUID), size index: 1 (2 bytes))
- 0x0100: L2CAP
- 0x0800: Maximum Attribute Byte count (2048)?
- 0x3505: Data element (Type descriptor: 6, Size index: 5) 5 bytes
- 0x0A: Data element (type:1, Size index: 2 (4 bytes))
- 0x0000FFFF: Attribute ID list
- 0x00: Continuation State
Response
(without 0x02 0x1520 0x5C01 0x5801 0x4000), see header section)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 07 00 01 01 53 01 50 36 01 4D 36 00 32 09 00 00 ....S.P6.M6.2... 00000010 0A 00 01 00 05 09 00 01 35 03 19 11 0A 09 00 04 ........5....... 00000020 35 10 35 06 19 01 00 09 00 19 35 06 19 00 19 09 5.5.......5..... 00000030 01 02 09 00 09 35 08 35 06 19 11 0D 09 01 02 36 .....5.5.......6 00000040 00 32 09 00 00 0A 00 01 00 06 09 00 01 35 03 19 .2...........5.. 00000050 11 0B 09 00 04 35 10 35 06 19 01 00 09 00 19 35 .....5.5.......5 00000060 06 19 00 19 09 01 02 09 00 09 35 08 35 06 19 11 ..........5.5... 00000070 0D 09 01 02 36 00 3B 09 00 00 0A 00 01 00 07 09 ....6.;......... 00000080 00 01 35 06 19 11 0E 19 11 0F 09 00 04 35 10 35 ..5..........5.5 00000090 06 19 01 00 09 00 17 35 06 19 00 17 09 01 03 09 .......5........ 000000A0 00 09 35 08 35 06 19 11 0E 09 01 04 09 03 11 09 ..5.5........... 000000B0 00 02 36 00 4D 09 00 00 0A 00 01 00 08 09 00 01 ..6.M........... 000000C0 35 03 19 11 0C 09 00 04 35 10 35 06 19 01 00 09 5.......5.5..... 000000D0 00 17 35 06 19 00 17 09 01 03 09 00 09 35 08 35 ..5..........5.5 000000E0 06 19 11 0E 09 01 04 09 00 0D 35 10 35 06 19 01 ..........5.5... 000000F0 00 09 00 1B 35 06 19 00 17 09 01 03 09 03 11 09 ....5........... 00000100 00 01 36 00 52 09 00 00 0A 00 01 00 0A 09 00 01 ..6.R........... 00000110 35 03 19 12 00 09 00 04 35 0D 35 06 19 01 00 09 5.......5.5..... 00000120 00 01 35 03 19 00 01 09 00 09 35 08 35 06 19 12 ..5.......5.5... 00000130 00 09 01 03 09 02 00 09 01 03 09 02 01 09 05 4C ...............L 00000140 09 02 02 09 08 1F 09 02 03 09 01 00 09 02 04 28 ...............( 00000150 01 09 02 05 09 00 02 00 ........
Universal Attributes
Universally Unique Identifier (UUID)
UUID Protocol Identifiers(shall be used only in the Profile Descriptor List attribute).
- 07 PDU Service Search Attribute Response
- 00 01 Transaction ID
- 01 53 Length
- 01 50 Length
- 36| 01 4D type:6, size index:6 + Length
See assigned IDs:
36 00 32 Length
- 0x0000 Service Record Handle-->value:
{0x010005 (65541)}
- 0x0001 Service Class ID List-->value:
{0x110A Audio Source} //Advanced Audio Distribution Profile (A2DP)
- 0x0004 Protocol Descriptor List-->value:
{0x0100 L2CAP , 0x0019 } ,{ 0x0019 Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)}
- 0x0009 Bluetooth Profile Descriptor List-->value:
{0x110D Advanced Audio Distribution , 0x0102 (258)}
36 00 32 Length
- 0x0000 Service Record Handle-->value:
{ 0x010006 (65542) }
- 0x0001 Service Class ID List-->value:
{ 0x110B Audio Sink } //A2DP
- 0x0004 Protocol Descriptor List-->value:
{ 0x0100 L2CAP , 0x0019 (25) } , { 0x0019 Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258) }
- 0x0009 Bluetooth Profile Descriptor List-->value:
{0x110D Advanced Audio Distribution , 0x0102 (258)}
36 00 3B Length
- 0x0000 Service Record Handle-->value:
{ 0x010007 (65543) }
- 0x0001 Service ClassID List-->value:
{ 0x110E Audio/Video Remote Control , 0x110F Video Conferencing / A/V Remote Control Controller } [1]
- 0x0004 Protocol Descriptor List-->value:
{ 0x0100 L2CAP , 0x0017 (23) } , { 0x0017 Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
- 0x0009 Bluetooth Profile Descriptor List-->value:
{ 0x110E Audio/Video Remote Control , 0x0104 (260) }
- 0x0311 Supported Features-->value:
{ 0x02 }
36 00 4D Length
- 0x0000 Service Record Handle-->value:
{ 0x010008 (65544) }
- 0x0001 Service Class ID List-->value:
{ 0x110C Audio/Video Remote Control Target }
- 0x0004 Protocol Descriptor List-->value:
{ 0x0100 L2CAP , 0x0017 (23) } , { 0x0017 Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
- 0x0009 Bluetooth Profile Descriptor List-->value:
{ 0x110E Audio/Video Remote Control , 0x0104 (260) }
- 0x000D Additional Protocol Descriptor Lists-->value:
{ 0x0100 L2CAP , 0x001B (27) } { 0x0017 Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
- 0x0311 Supported Features-->value:
{ 0x01 } }}
36 00 52 Length
- 0x0000 Service Record Handle-->value:
{0x01000A (65546)}
- 0x0001 Service Class ID List-->value:
{ 0x1200 PnP Information }
- 0x0004 Protocol Descriptor List-->value:
{ 0x0100 L2CAP , 0x0001) } , { 0x0001 SDP }
- 0x0009 Bluetooth Profile Descriptor List-->value:
{ 0x1200 PnP Information , 0x0103 (259) }
- 0x0200 Specification ID-->value:
{ 0x0103 (259) }
- 0x0201 Vendor ID[2]-->value:
{ 0x054C } (Sony Corp.)
- 0x0202 Product ID-->value:
{ 0x081F }
- 0x0203 Version-->value:
{ 0x0100 }
- 0x0204 Primary Record-->value:
{ 0x01 }
- 0x0205 Vendor ID Source-->value:
{ 0x0002 }
DS4
Response
This response is 708-byte long: the DS4 does not respect the 672-byte outgoing L2CAP MTU.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 07 00 01 02 BF 02 BC 36 02 B9 36 02 61 09 00 00 ....¿.¼6.¹6.a... 00000010 0A 00 01 00 01 09 00 01 35 03 19 11 24 09 00 04 ........5...$... 00000020 35 0D 35 06 19 01 00 09 00 11 35 03 19 00 11 09 5.5.......5..... 00000030 00 06 35 09 09 65 6E 09 00 6A 09 01 00 09 00 09 ..5..en..j...... 00000040 35 08 35 06 19 11 24 09 01 00 09 00 0D 35 0F 35 5.5...$......5.5 00000050 0D 35 06 19 01 00 09 00 13 35 03 19 00 11 09 01 .5.......5...... 00000060 00 25 13 57 69 72 65 6C 65 73 73 20 43 6F 6E 74 .%.Wireless Cont 00000070 72 6F 6C 6C 65 72 09 01 01 25 0F 47 61 6D 65 20 roller...%.Game 00000080 43 6F 6E 74 72 6F 6C 6C 65 72 09 01 02 25 1B 53 Controller...%.S 00000090 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E 74 ony Computer Ent 000000A0 65 72 74 61 69 6E 6D 65 6E 74 09 02 00 09 01 00 ertainment...... 000000B0 09 02 01 09 01 11 09 02 02 08 08 09 02 03 08 00 ................ 000000C0 09 02 04 28 00 09 02 05 28 01 09 02 06 36 01 6C ...(....(....6.l 000000D0 36 01 69 08 22 26 01 64 05 01 09 05 A1 01 85 01 6.i."&.d....¡.…. 000000E0 09 30 09 31 09 32 09 35 15 00 26 FF 00 75 08 95 .0.1.2.5..&ÿ.u.• 000000F0 04 81 02 09 39 15 00 25 07 75 04 95 01 81 42 05 ....9..%.u.•..B. 00000100 09 19 01 29 0E 15 00 25 01 75 01 95 0E 81 02 75 ...)...%.u.•...u 00000110 06 95 01 81 01 05 01 09 33 09 34 15 00 26 FF 00 .•......3.4..&ÿ. 00000120 75 08 95 02 81 02 06 04 FF 85 02 09 24 95 24 B1 u.•.....ÿ…..$•$± 00000130 02 85 A3 09 25 95 30 B1 02 85 05 09 26 95 28 B1 .…£.%•0±.…..&•(± 00000140 02 85 06 09 27 95 34 B1 02 85 07 09 28 95 30 B1 .…..'•4±.…..(•0± 00000150 02 85 08 09 29 95 2F B1 02 06 03 FF 85 03 09 21 .…..)•/±...ÿ…..! 00000160 95 26 B1 02 85 04 09 22 95 2E B1 02 85 F0 09 47 •&±.….."•.±.…ð.G 00000170 95 3F B1 02 85 F1 09 48 95 3F B1 02 85 F2 09 49 •?±.…ñ.H•?±.…ò.I 00000180 95 0F B1 02 06 00 FF 85 11 09 20 15 00 26 FF 00 •.±...ÿ….. ..&ÿ. 00000190 75 08 95 4D 81 02 09 21 91 02 85 12 09 22 95 8D u.•M...!‘.….."•. 000001A0 81 02 09 23 91 02 85 13 09 24 95 CD 81 02 09 25 ...#‘.…..$•Í...% 000001B0 91 02 85 14 09 26 96 0D 01 81 02 09 27 91 02 85 ‘.…..&–.....'‘.… 000001C0 15 09 28 96 4D 01 81 02 09 29 91 02 85 16 09 2A ..(–M....)‘.…..* 000001D0 96 8D 01 81 02 09 2B 91 02 85 17 09 2C 96 CD 01 –.....+‘.…..,–Í. 000001E0 81 02 09 2D 91 02 85 18 09 2E 96 0D 02 81 02 09 ...-‘.…...–..... 000001F0 2F 91 02 85 19 09 30 96 22 02 81 02 09 31 91 02 /‘.…..0–"....1‘. 00000200 06 80 FF 85 82 09 22 95 3F B1 02 85 83 09 23 B1 .€ÿ…‚."•?±.…ƒ.#± 00000210 02 85 84 09 24 B1 02 85 90 09 30 B1 02 85 91 09 .…„.$±.…..0±.…‘. 00000220 31 B1 02 85 92 09 32 B1 02 85 93 09 33 B1 02 85 1±.…’.2±.…“.3±.… 00000230 A0 09 40 B1 02 85 A4 09 44 B1 02 C0 09 02 07 35 .@±.…¤.D±.À...5 00000240 08 35 06 09 04 09 09 01 00 09 02 08 28 00 09 02 .5..........(... 00000250 09 28 01 09 02 0A 28 01 09 02 0B 09 01 00 09 02 .(....(......... 00000260 0C 09 1F 40 09 02 0D 28 00 09 02 0E 28 00 36 00 ...@...(....(.6. 00000270 52 09 00 00 0A 00 01 00 02 09 00 01 35 03 19 12 R...........5... 00000280 00 09 00 04 35 0D 35 06 19 01 00 09 00 01 35 03 ....5.5.......5. 00000290 19 00 01 09 00 09 35 08 35 06 19 12 00 09 01 03 ......5.5....... 000002A0 09 02 00 09 01 03 09 02 01 09 05 4C 09 02 02 09 ...........L.... 000002B0 05 C4 09 02 03 09 01 00 09 02 04 28 01 09 02 05 .Ä.........(.... 000002C0 09 00 02 00 ....
0x07 PDU
0x0001 Transaction ID
0x02BF Length
0x02BC Length
0x36|02B9 type:6, size index:6 + Length
0x36|0261 type:6, size index:6 + Length first chunk
0x0000 Service Record Handle-->value {0x010001}
- 0x0001 Service Class ID List-->value {0x1124 Human Interface Device (HID)}
- 0x0004 Protocol Descriptor List-->value {0x0100 L2CAP , 0x0011 } ,{ 0x0011 Human Interface Device Profile (HIDP) , 0x0102 (258)}
- 0x0006 Language Base Attribute ID List[3]-->: value = { 0x656E ("en"), 0x6A (106), 0x100(256) }
- 0x0009 Bluetooth Profile Descriptor List--> value = { 0x1124 Human Interface Device Service , 0x100(256)}
- 0x000D Additional Protocol Descriptor Lists--> value = { { 0x0100 L2CAP , 0x0013(19) } , { 0x00 11HIDP } }
- 0X0100 Service Name--> value = "Wireless Controller"
- 0x0101 Service Description--> value = "Game Controller"
- 0x0102 Provider Name--> value = "Sony Computer Entertainment"
- 0x0200 GOEP L2CAP PSM/Group Id/IP Subnet (0x200)--> value = 0x100 (256)
- 0x0201 Service Database State--> value = 273
...
0x36|0052 type:6, size index:6 + Length second chunk
0x0000 Service Record Handle-->value {0x010002}
- 0x0001 Service Class ID List-->value {0x1200 Device Identification (DID)}
- 0x0004 Protocol Descriptor List-->
- 0x0200 Specification ID-->value: 0x0103
- 0x0201 Vendor ID-->value: 0x054C (Sony Corp.)
- 0x0202 Product ID-->value: 0x05C4 (Sony Computer Entertainment Wireless Controller)
- 0x0203 Version-->value: 0x0100
- 0x0204 Primary Record-->value: 0x01
- 0x0205 Vendor ID Source-->value: 0x0002
Notes:
- ↑ The Audio/Video Remote Control Profile (AVRCP) specification v1.3 and later require that 0x110E also be included in the ServiceClassIDList before 0x110F for backwards compatibility
- ↑ See Device Descriptor
- ↑ A list of language bases that contains a language identifier according to ISO 639:1 , a character encoding identifier and a base attribute ID (0x0100) for the languages used in the service record.
Examples
HCI Command Packet example
0000 01 13 0c f8 57 69 72 65 6c 65 73 73 20 43 6f 6e ....Wireless Con 0010 74 72 6f 6c 6c 65 72 00 00 00 00 00 00 00 00 00 troller......... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00f0 00 00 00 00 00 00 00 00 00 00 00 00 ............
- 0x01: HCI Command Packet
- 0x130C (0x0C13) Op-code (16 bits): identifies the command:
OGF (Op-code Group Field, most significant 6 bits):
OCF (Op-code Command Field, least significant 10 bits):
- 0xF8 (248) Length of Packet
HCI Event Packet example
04 13 05 01 15 00 01 00
- 0x04 Packet Type: HCI Event Packet
- 0x13 Event code
- 0x05 Parameter total length
- 0x01 Number of Connection handles
- 0x1500 (0x15) Connection handle
- 0x0100 (1) Number of completed packets
Here's a sample HCI ACL Data Packet transaction that represents a report from the DS4 to the PS4:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E 00000010 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 00000020 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00000030 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00000040 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00000050 00 00 00 00 7D 0A 5D 0B
| Offset | Size | Value | Description | |
|---|---|---|---|---|
| Header | 0x00 | 0x01 | 0x02 | (2) Packet Type:
|
| 0x01 | 0x02 | 0x1520 | (0x2015) Control information (msb00 10 000000010101lsb):
for Packet type: 2
00 = point-to-point packet (no broadcast) (only two Bluetooth units involved) 01 = Active Slave Broadcast (Up to 7 slaves can be active in the Piconet) 10 = Parked Slave Broadcast (Up to 255 further slave devices can be inactive)
01 = continuing packet of a higher level message 10 = first packet of a higher level message
0x15 | |
| 0x03 | 0x02 | 0x5300 | (83) Total length | |
| 0x05 | 0x02 | 0x4F00 | (79) Data Length (Payload+Check) | |
| 0x07 | 0x02 | 0x4200 | (0x0042) Channel ID (CID) | |
| HID portion | 0x09 | 0x03 | 0xA111C0 | Packet Payload header: INPUT DATA protocol code 0x11 (see Structure HID transaction) |
| 0x0C | 0x48 | 0x0083 … 0x00 | Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL. | |
| Check | 0x54 | 0x04 | 0x7D0A5D0B | (0x0B5D0A7D) Data Integrity Check (CRC-32)
To ensure that the packet is valid, this field is appended onto the end of the packet. Packet Payload is used to compute the Data Integrity Check (the CRC32's polynomial is 0x4C11DB7). You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter the packet payload into the textbox (hex): First 75 bytes of the HID report
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00
|
Structure HID transaction (portion)
Input and output reports specify control data and feature reports specify configuration data.
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
|---|---|---|---|---|---|---|---|---|
| [0] | transaction type:
|
parameters:
|
report type:
| |||||
| [1] | protocol code | |||||||
| [2] | - | |||||||
| [3-end] | report content (e.g. buttons for report type input , see data structure) | |||||||
HID INPUT reports
Input controls are sources of data relevant to an application, for example, X and Y data (e.g.: axes stick) or buttons obtained from a pointing device.
Protocol code:
0x01
The transaction type is DATA (0x0a), and the report type is INPUT (0x01). The protocol code is 0x01.
This report is sent until the GET REPORT FEATURE 0x02 is received.
Supposition: a PC can understand this report?
Report example:
0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x01 | |||||||
| [1] | 0x01 | |||||||||
| The following structure is a supposition. | ||||||||||
| [2] | Left Stick X (0 = left) | |||||||||
| [3] | Left Stick Y (0 = up) | |||||||||
| [4] | Right Stick X | |||||||||
| [5] | Right Stick Y | |||||||||
| [6] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||||
| [7] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 | ||
| [8] | Counter (counts up by 1 per report) | T-PAD | PS | |||||||
| [9] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||||
| [10] | Right Trigger | |||||||||
0x11
The transaction type is DATA (0x0a), and the report type is INPUT (0x01). The protocol code is 0x11.
This report is sent once the GET REPORT FEATURE 0x02 is received.
Report example:
0xa1, 0x11, 0xc0, 0x00, 0x7d, 0x7d, 0x81, 0x7e, 0x08, 0x00, 0x28, 0x00, 0x00, 0x8c, 0xf3, 0x01, 0x13, 0x00, 0xf8, 0xff, 0x05, 0x00, 0x31, 0xfe, 0x3f, 0x0f, 0xd1, 0xe3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x22, 0x7b, 0xa0
If you look carefully, it is very similar to the reports sent over USB if you ignore the first 3 bytes.
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x01 | |||||||
| [1] | 0x11 | |||||||||
| [2] | 0xc0 | |||||||||
| [3] | Report ID (always 0x00) | |||||||||
| [4] | Left Stick X (0 = left) | |||||||||
| [5] | Left Stick Y (0 = up) | |||||||||
| [6] | Right Stick X | |||||||||
| [7] | Right Stick Y | |||||||||
| [8] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||||
| [9] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 | ||
| [10] | Counter (counts up by 1 per report) | T-PAD | PS | |||||||
| [11] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||||
| [12] | Right Trigger | |||||||||
| [13 - 14] | Seems to be a timestamp. A common increment value between two reports is 188 (at full rate the report period is 1.25ms). This timestamp is used by the PS4 to process acceleration and gyroscope data. | |||||||||
| [15] | battery (0x00 to 0xff) | |||||||||
| [16 - 17] | Angular velocity X | |||||||||
| [18 - 19] | Angular velocity Y | |||||||||
| [20 - 21] | Angular velocity Z | |||||||||
| [22 - 23] | Acceleration X | |||||||||
| [24 - 25] | Acceleration Y | |||||||||
| [26 - 27] | Acceleration Z | |||||||||
| [28 - 32] | Unknown (seems to be always 0x00) | |||||||||
| [33] | 0x00 | phone | mic | usb | battery level | |||||
| [34 - 35] | Unknown (seems to be always 0x00) | |||||||||
| [36] | number of trackpad packets (0x00 to 0x04) | |||||||||
| [37] | packet counter | |||||||||
| [38] | active low | finger 1 id | ||||||||
| [39 - 41] | finger 1 coordinates | |||||||||
| [42] | active low | finger 2 id | ||||||||
| [43 - 45] | finger 2 coordinates | |||||||||
| [36] | packet counter | |||||||||
| [47] | active low | finger 1 id | ||||||||
| [48 - 50] | finger 1 coordinates | |||||||||
| [51] | active low | finger 2 id | ||||||||
| [52 - 54] | finger 2 coordinates | |||||||||
| [55] | packet counter | |||||||||
| [56] | active low | finger 1 id | ||||||||
| [57 - 59] | finger 1 coordinates | |||||||||
| [60] | active low | finger 2 id | ||||||||
| [61 - 63] | finger 2 coordinates | |||||||||
| [64] | packet counter | |||||||||
| [65] | active low | finger 1 id | ||||||||
| [66 - 68] | finger 1 coordinates | |||||||||
| [69] | active low | finger 2 id | ||||||||
| [70 - 72] | finger 2 coordinates | |||||||||
| [73 - 74] | Unknown 0x00 0x00 or 0x00 0x01 | |||||||||
| [75 - 78] | CRC-32 of the first 75 bytes. | |||||||||
Most of the time there is only 1 trackpad packet per report.
Below is a sample for bytes 36 to 72 with 4 trackpad packets:
0x04, 0x01, 0x04, 0x69, 0x91, 0x1a, 0x06, 0x15, 0x45, 0x1a, 0x05, 0x04, 0x66, 0x11, 0x1a, 0x06, 0x10, 0x15, 0x1a, 0x0a, 0x04, 0x63, 0x81, 0x19, 0x06, 0x0c, 0xe5, 0x19, 0x0f, 0x04, 0x5f, 0xf1, 0x18, 0x06, 0x08, 0xc5, 0x19
HID OUTPUT reports
Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.
Protocol code:
0x11
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x11.
First bit at byte 2 specifies whether to enable control. Byte at index 4 specifies which individual control to enable.
Report example:
0xa2, 0x11, 0xc0, 0x20, 0xf0, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd8, 0x8e, 0x94, 0xdd
Speculation: 0x11 may be not a packet ID but encoded packet size. Lower digit (0x01) satisfies formula: ((packet_size - 15) >> 6) + 1 (packet_size does not include '0xa2'; >> - bit shift right - equivalent to integer division by 64) This formula seems to work for all packets (0x11..0x18). Packet 0x19 looks like clamped by max packet size.
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x02 | |||||||
| [1] | 0x11 | |||||||||
| [2] | Controls | Unknown | ||||||||
| [3] | Unknown | |||||||||
| [4] | 0x0f | Unknown | Flash | Color | Rumble | |||||
| [5 - 6] | Unknown | |||||||||
| [7] | Rumble (right / weak) | |||||||||
| [8] | Rumble (left / strong) | |||||||||
| [9] | RGB color (Red) | |||||||||
| [10] | RGB color (Green) | |||||||||
| [11] | RGB color (Blue) | |||||||||
| [12] | Flash LED bright | |||||||||
| [13] | Flash LED dark | |||||||||
| [14 - 21] | Unknown | |||||||||
| [22] | Volume left | |||||||||
| [23] | Volume right | |||||||||
| [24] | Volume mic - speculation | |||||||||
| [25] | Volume speaker | |||||||||
| [26-74] | Unknown | |||||||||
| [75 - 78] | CRC-32 of the previous bytes. | |||||||||
0x14
Contains sound.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0000 0f 01 42 00 a2 14 40 a0 f4 69 02 9c 75 19 24 00 [email protected].$. 0010 00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db .......v.m.m.... 0020 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db n.m.m....m.m.... 0030 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db v.m.m....n.m.m.. 0040 b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd ..m.m....v.m.m.. 0050 b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed ..n.m.m....m.m.. 0060 b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m 0070 b6 db b6 db 6d db 6d b6 ed b6 db 9c 75 19 24 00 ....m.m.....u.$. 0080 00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db .......v.m.m.... 0090 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db n.m.m....m.m.... 00a0 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db v.m.m....n.m.m.. 00b0 b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd ..m.m....v.m.m.. 00c0 b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed ..n.m.m....m.m.. 00d0 b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m 00e0 b6 db b6 db 6d db 6d b6 ed b6 db 00 00 00 00 00 ....m.m......... 00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f ................ 0110 42 86 54 B.T
Bluetooth SBC header http://tools.ietf.org/html/draft-hoene-avt-rtp-sbc-05#section-6.2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SYNCWORD |SF.|BL.|CM.|A|S|BITPOOL |CRC_CHECK | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Legend: SF.=SAMPLING FREQUENCY, BL.=BLOCKS, CM.=CHANNEL_MODE, A.=ALLOCATION_METHOD, S.=SUBBANDS
0x9c = 156 syncword (always set to 156)
1 byte - sf bl cm a s (msb..lsb)
* frequency:
00-16000
01-32000
10-44100
11-48000
* blocks:
00-4
01-8
10-12
11-16
* channels:
00-MONO
01-DUAL_CHANNEL
10-STEREO
11-JOINT_STEREO
* allocation method:
0-loudnes
1-SNR
* subbands:
0-4
1-8
1 byte - bitpool
This unsigned integer indicates the size of the bit
allocation pool that has been used for encoding the current
block.The value of the bit - pool field MUST NOT exceed 16
times the number of subbands for the MONO and DUAL_CHANNEL
channel modes and 32 times the number of subbands for the
STEREO and JOINT_STEREO channel modes.The bitpool value
MAY change from SBC frame to the next.In addition, the
bitpool value MUST be restricted such that it does not
result in excess of maximum bit rate, which is 320kb / s for
mono and 512kb / s for two - channel modes.
0x15
Speculation: contains rumbles, LED color and sound.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0000 4f 01 42 00 a2 15 c0 a0 f3 04 00 00 00 00 00 ff O.B............. 0010 00 00 00 00 00 00 00 00 00 00 49 49 00 4f 85 00 ..........II.O.. 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00 ....i..u.$...... 0060 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m 0070 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m 0080 b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d ....n.m.m....m.m 0090 b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d ....v.m.m....n.m 00a0 b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d .m....m.m....v.m 00b0 bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d .m....n.m.m....m 00c0 db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00 .m.....u.$...... 00d0 00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d ..v.m.m....n.m.m 00e0 b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d ....m.m....v.m.m 00f0 b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d ....n.m.m....m.m 0100 b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d ....v.m.m....n.m 0110 b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d .m....m.m....v.m 0120 bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d .m....n.m.m....m 0130 db 6d b6 ed b6 db 00 00 00 00 00 00 00 00 00 00 .m.............. 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b5 ................ 0150 98 a9 0f ...
- 0x4F01: length (335)
- 0x4200: CID (42)
- 0xA2: DATA OUTPUT
- 0x15: Protocol Code
- 0xC0A0F30400: Unknown
- 0x00: Rumble right
- 0x00: Rumble left
- 0x00: LED (Red)
- 0x00: LED (Green)
- 0xFF: LED (Blue)
... 0xB598A90F: Check (CRC-32 from offset 0x04 to 0x14E)
0x17
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x17.
Report example:
0xa2, 0x17, 0x40, 0xa0, 0xb4, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x6b, 0xa2, 0x38, 0xe6
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x02 | |||||||
| [1] | 0x17 | |||||||||
| [2 - 3] | TODO, work in progress. | |||||||||
| [4-5] | Audio frame count - Increases the number of frames in packet(4 for this) | |||||||||
| [6] | Audio header | |||||||||
| [6 - 458] | Bluetooth SBC Data | |||||||||
| [459 - 462] | CRC-32 of the previous bytes. | |||||||||
0x18
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x18.
Report example:
0xa2, 0x18, 0x48, 0xa1, 0xb4, 0x06, 0x22, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x3b, 0x16, 0xec
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x02 | |||||||
| [1] | 0x18 | |||||||||
| [2 - 3] | TODO, work in progress. | |||||||||
| [4-5] | Audio frame count - Increases the number of frames in packet(4 for this) | |||||||||
| [6] | Audio header | |||||||||
| [7 - 471] | Bluetooth SBC Data | |||||||||
| [472 - 526] | Paddind - speculation | |||||||||
| [527 - 530] | CRC-32 of the previous bytes. | |||||||||
0x19
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x19.
Report example:
0xa2, 0x19, 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc2, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x86, 0x51, 0x90
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x02 | |||||||
| [1] | 0x19 | |||||||||
| [2 - 78] | Same as output report 0x11. | |||||||||
| [79] | Unknown | |||||||||
| [80-81] | Audio frame count - Increases the number of frames in packet(4 for this) | |||||||||
| [82] | Audio header | |||||||||
| [83-533] | Bluetooth SBC Data | |||||||||
| [533 - 547] | Paddind - speculation | |||||||||
| [548 - 551] | CRC-32 of the previous bytes. | |||||||||
HID features reports
There is a periodic report sequence that consists in 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE REPORTS. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4.
There is another periodic report sequence that consists in one 0x03 SET FEATURE report and 1 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report.
These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters.
A user-mode application can obtain (get) and set feature information by using this report designation.
GET FEATURE
Each GET FEATURE report sent by the PS4 is answered by the DS4 with a DATA FEATURE report.
0x02
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x04 GET REPORT | 0x01 | 0x00 | 0x03 FEATURE | ||||||
| [1] | Report id | |||||||||
| [2 - 3] | Buffer size. | |||||||||
0x02
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x02.
The bytes in this report do not seem to fluctuate.
Report example:
0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd, 0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0, 0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x03 | |||||||
| [1] | 0x02 | |||||||||
| [2 - 37] | TODO, work in progress. | |||||||||
0x04
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x04.
Most bytes from index 4 change between two reports.
Report example:
0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda, 0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48, 0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x03 | |||||||
| [1] | 0x04 | |||||||||
| [2] | sequence counter (init = 0x02, step = 1) | |||||||||
| [3] | 0x00 | |||||||||
| [4 - 43] | TODO, work in progress. | |||||||||
| [44 - 47] | CRC-32 of the previous bytes. | |||||||||
0x06
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x06.
The bytes in this report do not seem to fluctuate. They are the same in two different controllers.
Report example:
0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, 0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x03 | |||||||
| [1] | 0x06 | |||||||||
| [2 - 49] | A date: Aug 3 2013 07:01:12 | |||||||||
| [50 - 53] | CRC-32 of the previous bytes. | |||||||||
0xA3
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xa3.
It is identical to 0x06 except that there's no CRC-32 at the end of the packet.
Report example:
0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, 0x03, 0x00
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x03 | |||||||
| [1] | 0xa3 | |||||||||
| [2 - 49] | A date: Aug 3 2013 07:01:12 | |||||||||
0xF1
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xf1.
This report is part of the authentication sequence: it contains challenge response data.
Report example:
0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e, 0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d, 0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03, 0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e, 0xb3
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x0a | 0x00 | 0x03 | |||||||
| [1] | 0xf1 | |||||||||
| [2] | sequence counter (init = 0x01, step = 1) | |||||||||
| [3] | report counter (init = 0x00, step = 1, max = 0x12) | |||||||||
| [4] | 0x00 | |||||||||
| [5 - 60] | Challenge response data. | |||||||||
| [61 - 64] | CRC-32 of the previous bytes. | |||||||||
The sequence is 1040 bytes long with the following structure:
struct ds4_response {
unsigned char signature[0x100];
unsigned char serial_num[0x10];
unsigned char n[0x100];
unsigned char e[0x100];
unsigned char casig[0x100];
};
signature - is a PSS signature of the nonce, signed with DS4's private key
serial_num - is the controller/cert serial number
n - DS4's Public Key prime
e - DS4's Public Key exponent
casig - is a PSS signature (signed by Sony's CA private key) of the serial_num, n and e
The last (19th) packet is padded with 24 bytes.
0xF2
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xf2.
This report is part of the authentication sequence: it indicates if the challenge response is ready.
Report example:
0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c, 0xef
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | |||
| [0] | 0x0a | 0x00 | 0x03 | ||||||||
| [1] | 0xf2 | ||||||||||
| [2] | sequence counter (init = 0x01, step = 1) | ||||||||||
| [3] | 0x00 | 0x01 = not ready
0x00 = ready |
0x00 | ||||||||
| [4 - 12] | padded with 0x00. | ||||||||||
| [13 - 16] | CRC-32 of the previous bytes. | ||||||||||
SET FEATURE
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte.
0x03
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). The protocol code is 0x03.
Most bytes from index 4 change between two reports.
Report example:
0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad, 0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf, 0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x05 | 0x00 | 0x03 | |||||||
| [1] | 0x03 | |||||||||
| [2] | sequence counter (init = 0x02, step = 1) | |||||||||
| [3] | 0x00 | |||||||||
| [4 - 35] | TODO, work in progress. | |||||||||
| [36 - 39] | CRC-32 of the previous bytes. | |||||||||
0xF0
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). The protocol code is 0xf0.
This report is part of the authentication sequence: it contains challenge data.
Report example:
0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9, 0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae, 0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a, 0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac, 0x82
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
| [0] | 0x05 | 0x00 | 0x03 | |||||||
| [1] | 0xf0 | |||||||||
| [2] | sequence counter (init = 0x01, step = 1) | |||||||||
| [3] | report counter (init = 0x00, step = 1, max = 0x04) | |||||||||
| [4] | 0x00 | |||||||||
| [5 - 60] | Challenge data. | |||||||||
| [61 - 64] | CRC-32 of the previous bytes. | |||||||||
The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes.
| |||||||||||||||||||||||||||||||||||||
