Author Archives: Admin

FrSky X4R-SB S.BUS anti-invert hack

I am building a quadcopter using a FrSky Taranis X9D radio. It came with a FrSky X8R receiver. I wanted to keep my wiring clean by using the S.BUS feature on the FrSky receivers, I purchased a smaller FrSky X4R-SB receiver. The X8R has 8 PWM channel pins and the X4R-SB has 3 PWM channel pins, but if I use S.BUS (which is serial, not PWM), I can access 16 channels using only 1 pin, on both X8R and X4R-SB. The X4R-SB is much smaller, making it more ideal. (do not confuse the X4R-SB with the D4R-II, this is important, D4R-II uses CPPM, not S.BUS)

(update 10/25/2014: a follow up hack for Smart Port)

I want to use a Naze32 flight controller, which is open source and does have code to interpret S.BUS protocol. S.BUS is UART communication but it is inverted and the Naze32’s UART cannot accept inverted input. Continue reading

3D Printed Raspberry Pi Case + Camera Case + Server

There is a law of the universe which states that if you own a Raspberry Pi and a 3D printer, you must print a case for it.

3d_trans20141018_193540 (Large)20141018_193504 (Large)20141018_193521 (Large)20141018_193530 (Large)3d_exp_bot3d_exp_top20141018_005438 (Large)20141018_005336 (Large)3d.fw

There are plenty of case designs for the original R-Pi Model B, and some for the R-Pi Model B+, but there are a few minor annoyances I noticed about them. Plus I really like DIY my own designs, so I designed my own case to suit my own needs.

  • Designed specifically for 3D printing, meaning careful attention to how plastic is extruded, no weak spots, and no overhangs. Plenty of fillets and chamfers.
  • No screws required. The case is held together using latches that take advantage of the plastic’s natural flexibility. It is designed for just sitting on a desk, or attached via velcro/double-sided-tape.
  • I also designed a small case for the camera, which follows the same principles.

These parts are because I am going to set up a web server for my 3D printer, running OctoPrint and also serving live video through the camera. I also setup a cron job to take a picture periodically and upload it to this server. I can also stream video to my Ustream channel. (neither of these servers are 24/7)

I am sharing all of the source files for the models, not just STL files. It is very annoying when people only share STL files, because STL are not import or editing friendly. With my SLDPRT file, you can change one height dimension inside and it will re-adjust the entire case, maybe if you need more clearance on the bottom for screws.

files for R-Pi case

files for camera case

Ultimaker2 Improved Filament Feeder

The Ultimaker2 3D printer has a problematic filament feeder mechanism assembly. When the filament is stuck and the feeder motor turns, it can grind away the filament, causing a gouge in the filament. The gouge makes the problem worse since the tensioner bearing will force the gouge into the feeder’s knurled wheel more, causing even more grinding. This jam happens frequently because sometimes even if the temperature sensor reports that the print head hot end has heated up, the plastic hasn’t melted yet and can’t move yet.

The Ultimaker2’s feeder design is both beautiful and disappointing. It is beautiful in the sense that is is symmetrical and compact. If you had a dual extruder, you can use the same feeder mechanism for both feeders, cutting down on manufacturing costs. But it is impossible to disassemble without removing the stepper motor because the same 4 screws that holds the feeder together also holds the stepper motor in place. If you attempt to open the feeder mechanism to clear a jam, the motor will fall off. The motor is also covered by a metal casing so you need to remove the casing as well. This is very annoying.

There is no other way to move the tensioner bearing because the design is so compact and the spring is tight. There is no other way to remove the feed tube either.

What I needed was a feeder mechanism that can be opened up without removing the stepper motor, and also allow the tensioner bearing to be moved out of the way easily. I came up with the following design:


Continue reading

3D Printed Tripod Adapter for Smartphones

I got a new 3D printer, a Ultimaker 2. After testing it out with some small test prints, I printed my first own custom design on this printer. (I’ve only designed for SLT printing previously and not extrusion printing before, this is my first design for extrusion printing).

It’s an adapter that holds my smartphone (Samsung Galaxy Note 3 with a wireless charging S-View flip cover case) and has threads (a 1/4″-20 threaded nut) so it can be mounted to a standard camera tripod. This phone has 4K video recording so why not?

The design is very custom because I need to consider the fact that I have a S-View flip cover case.

(I know I could also use threaded metal inserts, but nuts are easier to buy at the local Home Depot)

Continue reading

Weekly Report August 16 2014

Nothing geeky to talk about. I managed to rent a 1 BR apartment in San Mateo for about $1725/month in a pretty good spot (but whoever built the place did not seem to own a ruler and whoever painted it didn’t own masking tape). Here’s me planning the layout using SolidWorks and Ikea’s catalog.
ikea floor plan

Weekly Report July 20 2014

My project involving the PlayStation 4 and DualShock 4 has caught the attention of Sony, and after interviewing me, Sony Computer Entertainment America hired me as hardware engineer for PlayStation peripherals. Today is the day I take a one way flight from Toronto to San Francisco, and tomorrow will be my first day! Follow your passion, don’t be afraid to fail, and don’t be afraid to show off your skills.

And since I’m leaving my family… Continue reading

PS4 Laser Cut Stand

Summer is coming so I was worried about cooling the PS4. This stand lifts the PS4 off the desk a bit to give it more airflow. I had this cut by Ponoko, using 9mm thick clear acrylic. If you want to make your own, click here to download the EPS file, follow Ponoko’s instructions.

Another way is to 3D print them using black ABS, but I don’t have a 3D printer. The acrylic is left over from another project, hence why I used it.

Trip to China

I went on a short trip to China, seeing some family and some sightseeing.

No trip is complete without seeing some Chinglish


Some wiring near WuXi (please ignore the camera flash being reflected in the glass window, I was on a moving bus, I didn’t have time to disable my flash)

Some BBQ Pupa

Simple 6X USB Charger with Current Monitor

This is a simple 6 port USB device charger with a individual current monitor on each port. The charging current is indicated using RGB LEDs. Blue means slow charge (under 250mA), green means 250mA to 750mA, red means over 750mA, and purple means over 1500mA (for tablets). This circuit involves an ATmega328P (if you do hobby electronics, I bet you have plenty spares of these), INA169 (check out this breakout board), and a OKR-T10-W12.

While this project is not as impressive as my other projects in terms of difficulty, I soldered and Continue reading

Kinetis Microcontroller SRAM Region Hard Faults

I am doing a project that involves a K10DX128 microcontroller from Freescale, which is advertised to have 128 KB of flash memory and 16 KB of SRAM memory. It’s similar to the microcontroller used by the Teensy 3.0 platform. The project involves a lot of dynamically allocated memory because it deals with a lot of files inside a file system.

I ran into one of those “sometimes it happens, sometimes it doesn’t happen” bugs that causes a hard fault. Tracing the source of the hard fault lead to a few ordinary SRAM storage instructions, and apparently it happened half way through processing the list of files. This made me suspect that the memory was allocated incorrectly, and I checked all the things I should check(the address of the allocation, how much memory I should have, the status of my stack, the linker script, etc).
Continue reading

Keyboard and Mouse for PlayStation 4 Games (second prototype)

Why did you do this?

I like playing shooter games on PC but my laptop is too weak to play them. Game consoles do not support USB keyboards and USB mouse, they only support gamepads. Gamepad controls are not suitable for shooter games, using a keyboard and mouse is much more comfortable for gameplay.

How does it work?

I designed a circuit that features a microcontroller and USB hub. The keyboard and mouse plugs into the USB hub, and then the microcontroller takes the data from the keyboard and mouse, translates them to the data format used by the PlayStation 4. It does the translation in a way as though the mouse was the right thumbstick, and the keys are mapped to buttons (the WASD keys are mapped to the left thumbstick).

If you want to buy one from me, you can’t, I don’t want to sell anything. If you want to buy something similar from somebody else, try the XIM4 (my top choice), CronusMAX, Venom X, etc. (if there’s another product you would like to see on this list, give me one to try out first, and I’ll add it if it works)

Development Story

Latest News – July 20 2014

I wanted to share this story because I am very happy that I finally managed to get this far! Anybody who is attempting this and thought it was impossible to do can now breath a sigh of relief because it definitely can be done.

I have already accomplished a similar project that worked with a PS3 (UsbXlater), something that connected to the PS3 via USB that translated keyboard and mouse data format to gamepad data format.

Once the PS4 launched, I reversed engineered the USB protocol used by the DualShock, and then attempted the same technique. But… Continue reading

Weekly Report February 23 2014

Since the RN42HCI does not support SSP (see previous weekly report post), I’ve switched to using a USB Bluetooth dongle to perform the spoof. This will allow me to get a huge data rate improvement, but at the cost of an USB port. I’ve made massive improvements to the USB host code, and my Total Phase Beagle USB 12 Analyzer really proved itself by telling me exactly how many tokens were sent and how many NAKs were received, which allowed me Continue reading

Weekly Report February 9 2014

I am playing around with BTstack (an open source Bluetooth stack) as a part of my on-going efforts to spoof a DualShock 4. After a bit of coding, I got it compiled into the UsbXlater firmware and now I am testing it.

One huge problem I ran into is that the RN42HCI I purchased from Microchip does not seem to support SSP (simple secure pairing). The Microchip website clearly states that the RN-42 is a Continue reading

Weekly Report February 2 2014

Spoke too soon about the DualShock 4’s Bluetooth security, although the link level authentication is figured out, it seems like Sony employed a challenge and response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and it seems to tolerate up to 16 failed attempts before the PlayStation stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering, I only capture a few seconds worth of data. Matlo from GIMX pointed this out to me. Thanks!

This is bad news, the challenge key is huge, cracking it is out of the question. Continue reading

Weekly Report January 19 2014

Things are going slow on UsbXlater but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and Continue reading

UsbXlater, DualShock 4, PlayStation 4, Weekly Report Dec 15, 2013

I haven’t worked on the firmware for the UsbXlater for a while. This is because I really want it to work on the PlayStation 4 by spoofing the DualShock 4, but after some heavy investigation. It seems like this is impossible (in the sense of spoofing).

On the DualShock 4 circuitry, I have recently found the UART (aka serial port) pins for the Bluetooth module’s HCI (host controller interface). I used my logic analyzer to capture the data from the HCI. The results are posted on my wiki page about the DualShock 4, along with the pcap file with the entire capture.

The PlayStation 4 does not seem to accept input through USB. I did get UsbXlater entirely working and replicating the behaviour of a real DualShock 4, but the PlayStation does not respond. The Bluetooth connection is always active during this time.

Over Bluetooth, it seems that the L2CAP packets that are sent containing the report contains 4 bytes at the end that appears to be random. This could mean it’s a checksum or a hash. Update: it’s a CRC32, with a standard initial value. It’s easy to generate and I’ve already tested it on my sample capture data, so that’s good news. Credit goes to Matlo from GIMX

I do have a new version of the UsbXlater hardware that I can get assembled next week. It will emulate button presses on the DualShock 4 directly using electrical signals connected to the buttons themselves, instead of digitally through spoofing data streams.

I am aware that CronusMax has a “proof of concept” video of his hardware working on the PS4, but that video is a fake, what he did is program it to act as a HID keyboard, which only works in the menus. This is why the video does not show gameplay and why he does not plain outright say that it will be supported. Everybody who is making a device similar to XIM or Cronus or Eagle Eye Converter or UsbXlater is facing the exact same difficulties I am facing. I am disappointed in Cronus because the video’s purposes is probably to drive up pre-orders for people who are hoping for PlayStation 4 support which might never come.

Upgrade a Passive HDMI Switch with 5V Power

I have many things connected to my single computer monitor via HDMI. I use a HDMI switch so I don’t have to unplug and replug cables all the time. But my cheap $6 HDMI switch is an unpowered passive switch, so it has problems working when the video source does not provide enough power to the switch.

For example, when my Mac Mini is plugged in, the 5V pin only supplies about 3 volts. Inside of the switch is a set of diodes and a AMS1117 voltage regulator that is supposed to output 3.3V using 5V, but instead it is only outputting about 2V. This made the LEDs in the switch flicker and blink (which seemed like a symptom of a bad power supply) and switch refused to function (no video output). My solution was to add a USB micro connector so I can add an external 5V power supply.

After adding the power supply, the switch is able to function properly with a steady supply of power.
Continue reading

Weekly Report December 1, 2013

The Playstation 4 is great, I got mine from Amazon 2 weeks ago, no problems. USBXLATER is on hold. After weeks of investigation and experimentation and collaborating with other people, it seems that the PS4 only accepts the data from DualShock 4’s Bluetooth interface, and not the USB interface, even if HID reports are sent through USB. This makes emulation via USB impossible. The next possible methods are to emulate the Bluetooth connection instead, or to install an internal modification to the DualShock 4’s hardware.

My Bluetooth module currently does not have some features that allow me to use it for spoofing so I’ll have to get a new one before even attempting it. I have started on the design for this internal modification already.

I attempted to use the Ubertooth One to do Bluetooth sniffing, but it is extremely hard to use and doesn’t seem to work right. I can obtain the LAP and UAP of my Playstation using it, with this information, the Ubertooth is supposed to be able to perform the necessary calculations required to follow the same frequency hopping pattern that the Playstation and DualShock uses. But the Ubertooth cannot successfully do this, and when it does seem to obtain the pattern, it fails to decode every single packet, leading me to think that it miscalculated the hopping pattern.

iOS’s BLE events seems to be polled at a really slow rate. I had to fix a problem which involved using the time when the event handler was fired. The timestamp was not accurate at all and appears to happen at 1 second interval bursts. This problem was fixed by using another method of obtaining the actual time when the notification was sent from the BLE device, I packed a sample interval into the packet I sent.

Improved “Third Hand” Using Coolant Hose


I don’t really like my “third-hand” tool so I decided to build a better one using flexible ball-jointed coolant spraying pipe hoses. It’s not a totally new idea, SparkFun even sells some of these parts as a kit. But my way is slightly better, and I got the hoses from eBay (look for “Flexible Water Oil Coolant Pipe Hose for Lathe CNC”) instead because SparkFun’s prices were excessively expensive.
Continue reading

Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux

    I am a mainly Windows 7 user who needs to use Linux only sometimes, so I need a dual boot system. I also want to encrypt my entire hard drive for privacy. I used to have TrueCrypt encrypting my entire hard drive, but TrueCrypt does not really support dual boot systems with GRUB, because TrueCrypt must reside on the Master Boot Record (MBR).

    There are several guides on the Internet about how to create a dual boot system with TrueCrypt but all of them involve placing the TrueCrypt rescue disk image into a separate partition. This is an ugly solution as a mainly Windows user because it involves a few extra keystrokes to activate the rescue partition, and the rescue partition is not hidden. I came up with an alternative solution for people who wants to boot directly into Windows with a silent TrueCrypt login most of the time, but needs a few extra keystrokes to get into Linux.

    Continue reading

Reverse Engineering and Cloning a S-View Flip Cover

I got a Samsung Galaxy Note 3 as soon as it was released. I wanted a S-View flip cover for it. S-View basically means the screen will automatically turn on and off when you open and close the cover. It is also able to reformat the display to show important notifications through the square viewing window of the cover, etc. The phone knows if the flip cover is opened or closed because there’s a tiny magnet inside the cover.

But all of the official S-View flip covers available are very expensive at about $60 each. The cheap covers might look like S-View covers, but they do not support the actual S-View functionality. But the cheap covers are about $5. I wanted to hack a $5 to give it S-View functionality. Continue reading

Weekly Report Nov 17 2013

USBXLATER is going strong. Constantly improving and new features. During the testing, I picked up another generic USB hub to test…

Like the picture said, they do not work, I have other generic hubs that do work. These ones seems to exhibit a signalling issue. The strangest thing is that they’ll work if I plug them into my USB traffic analyzer, which means I can’t even debug the signals…