Author Archives: Admin

FrSky X4R-SB S.BUS anti-invert hack

I am building a quadcopter using a FrSky Taranis X9D radio. It came with a FrSky X8R receiver. I wanted to keep my wiring clean by using the S.BUS feature on the FrSky receivers, I purchased a smaller FrSky X4R-SB receiver. The X8R has 8 PWM channel pins and the X4R-SB has 3 PWM channel pins, but if I use S.BUS (which is serial, not PWM), I can access 16 channels using only 1 pin, on both X8R and X4R-SB. The X4R-SB is much smaller, making it more ideal. (do not confuse the X4R-SB with the D4R-II, this is important, D4R-II uses CPPM, not S.BUS)

(update 10/25/2014: a follow up hack for Smart Port)

I want to use a Naze32 flight controller, which is open source and does have code to interpret S.BUS protocol. S.BUS is UART communication but it is inverted and the Naze32’s UART cannot accept inverted input. Some flight controllers, such as the Pixhawk, has a dedicated inverter just to solve this problem, but the Naze32 does not.

The first option is to buy a “S.BUS to CPPM converter” but CPPM is not a serial bus like S.BUS and thus does not have the advantages of being a serial bus. CPPM uses timing, timing needs to be measured (measuring things = possible error) and the signal edges can be affected by capacitance, noise, etc. Also having such a converter means there will be a tiny bit more latency in the system. These two disadvantages are probably too insignificant to notice performance wise. But I still didn’t want to spend another $13 + tax + shipping just to solve a problem that shouldn’t have existed in the first place.

The second solution is to buy an “inverter cable” which is a cable that has a NOT gate inline and then shrink wrapped. Or I can just buy a NOT gate and make the cable myself. I still didn’t want to spend the money. I opted to hunt down the inverter on the X4R-SB circuit instead, and connect a wire to the input of the inverter (labelled as “A” in the datasheet). This provides me access to the un-inverted signal that I can directly connect to the Naze32.

See the pictures below to understand how this hack was done.


And just in case I confused you even more, all you need to do is connect a wire to the “A” pin.

I have tested it with Naze32 Rev5 and firmware f4d556c68876ccd5902bddf1cade32f1bb382c9f. Works like a charm.

It is probably possible to perform the same hack on a X8R but the X8R is constructed using two PCBs and the inverter is covered up by one of them. Separating the two PCBs is very difficult and risky.

The Smart Port (I think it’s also called S.PORT) is another inverted serial bus available on the X4R-SB and X8R but it is bidirectional. Since whatever you want to connect to it will need a bidirectional circuit anyways, it is not worth it to perform another surgery on the Smart Port. Also, the Naze32 can use SoftSerial to transmit in an inverted fashion, so a dedicated inverter isn’t even required. (SoftSerial would not work well for taking inputs, but outputs is OK)

3D Printed Raspberry Pi Case + Camera Case + Server

There is a law of the universe which states that if you own a Raspberry Pi and a 3D printer, you must print a case for it.

3d_trans20141018_193540 (Large)20141018_193504 (Large)20141018_193521 (Large)20141018_193530 (Large)3d_exp_bot3d_exp_top20141018_005438 (Large)20141018_005336 (Large)3d.fw

There are plenty of case designs for the original R-Pi Model B, and some for the R-Pi Model B+, but there are a few minor annoyances I noticed about them. Plus I really like DIY my own designs, so I designed my own case to suit my own needs.

  • Designed specifically for 3D printing, meaning careful attention to how plastic is extruded, no weak spots, and no overhangs. Plenty of fillets and chamfers.
  • No screws required. The case is held together using latches that take advantage of the plastic’s natural flexibility. It is designed for just sitting on a desk, or attached via velcro/double-sided-tape.
  • I also designed a small case for the camera, which follows the same principles.

These parts are because I am going to set up a web server for my 3D printer, running OctoPrint and also serving live video through the camera. I also setup a cron job to take a picture periodically and upload it to this server. I can also stream video to my Ustream channel. (neither of these servers are 24/7)

I am sharing all of the source files for the models, not just STL files. It is very annoying when people only share STL files, because STL are not import or editing friendly. With my SLDPRT file, you can change one height dimension inside and it will re-adjust the entire case, maybe if you need more clearance on the bottom for screws.

files for R-Pi case

files for camera case

Ultimaker2 Improved Filament Feeder

The Ultimaker2 3D printer has a problematic filament feeder mechanism assembly. When the filament is stuck and the feeder motor turns, it can grind away the filament, causing a gouge in the filament. The gouge makes the problem worse since the tensioner bearing will force the gouge into the feeder’s knurled wheel more, causing even more grinding. This jam happens frequently because sometimes even if the temperature sensor reports that the print head hot end has heated up, the plastic hasn’t melted yet and can’t move yet.

The Ultimaker2’s feeder design is both beautiful and disappointing. It is beautiful in the sense that is is symmetrical and compact. If you had a dual extruder, you can use the same feeder mechanism for both feeders, cutting down on manufacturing costs. But it is impossible to disassemble without removing the stepper motor because the same 4 screws that holds the feeder together also holds the stepper motor in place. If you attempt to open the feeder mechanism to clear a jam, the motor will fall off. The motor is also covered by a metal casing so you need to remove the casing as well. This is very annoying.

There is no other way to move the tensioner bearing because the design is so compact and the spring is tight. There is no other way to remove the feed tube either.

What I needed was a feeder mechanism that can be opened up without removing the stepper motor, and also allow the tensioner bearing to be moved out of the way easily. I came up with the following design:


Continue reading

3D Printed Tripod Adapter for Smartphones

I got a new 3D printer, a Ultimaker 2. After testing it out with some small test prints, I printed my first own custom design on this printer. (I’ve only designed for SLT printing previously and not extrusion printing before, this is my first design for extrusion printing).

It’s an adapter that holds my smartphone (Samsung Galaxy Note 3 with a wireless charging S-View flip cover case) and has threads (a 1/4″-20 threaded nut) so it can be mounted to a standard camera tripod. This phone has 4K video recording so why not?

The design is very custom because I need to consider the fact that I have a S-View flip cover case.

(I know I could also use threaded metal inserts, but nuts are easier to buy at the local Home Depot)

Continue reading

Weekly Report August 16 2014

Nothing geeky to talk about. I managed to rent a 1 BR apartment in San Mateo for about $1725/month in a pretty good spot (but whoever built the place did not seem to own a ruler and whoever painted it didn’t own masking tape). Here’s me planning the layout using SolidWorks and Ikea’s catalog.
ikea floor plan

Weekly Report July 20 2014

My project involving the PlayStation 4 and DualShock 4 has caught the attention of Sony, and after interviewing me, Sony Computer Entertainment America hired me as hardware engineer for PlayStation peripherals. Today is the day I take a one way flight from Toronto to San Francisco, and tomorrow will be my first day! Follow your passion, don’t be afraid to fail, and don’t be afraid to show off your skills.

And since I’m leaving my family… Continue reading

PS4 Laser Cut Stand

Summer is coming so I was worried about cooling the PS4. This stand lifts the PS4 off the desk a bit to give it more airflow. I had this cut by Ponoko, using 9mm thick clear acrylic. If you want to make your own, click here to download the EPS file, follow Ponoko’s instructions.

Another way is to 3D print them using black ABS, but I don’t have a 3D printer. The acrylic is left over from another project, hence why I used it.

Trip to China

I went on a short trip to China, seeing some family and some sightseeing.

No trip is complete without seeing some Chinglish


Some wiring near WuXi (please ignore the camera flash being reflected in the glass window, I was on a moving bus, I didn’t have time to disable my flash)

Some BBQ Pupa

Simple 6X USB Charger with Current Monitor

This is a simple 6 port USB device charger with a individual current monitor on each port. The charging current is indicated using RGB LEDs. Blue means slow charge (under 250mA), green means 250mA to 750mA, red means over 750mA, and purple means over 1500mA (for tablets). This circuit involves an ATmega328P (if you do hobby electronics, I bet you have plenty spares of these), INA169 (check out this breakout board), and a OKR-T10-W12.

While this project is not as impressive as my other projects in terms of difficulty, I soldered and Continue reading

Kinetis Microcontroller SRAM Region Hard Faults

I am doing a project that involves a K10DX128 microcontroller from Freescale, which is advertised to have 128 KB of flash memory and 16 KB of SRAM memory. It’s similar to the microcontroller used by the Teensy 3.0 platform. The project involves a lot of dynamically allocated memory because it deals with a lot of files inside a file system.

I ran into one of those “sometimes it happens, sometimes it doesn’t happen” bugs that causes a hard fault. Tracing the source of the hard fault lead to a few ordinary SRAM storage instructions, and apparently it happened half way through processing the list of files. This made me suspect that the memory was allocated incorrectly, and I checked all the things I should check(the address of the allocation, how much memory I should have, the status of my stack, the linker script, etc).
Continue reading

Keyboard and Mouse for PlayStation 4 Games (second prototype)

Why did you do this?

I like playing shooter games on PC but my laptop is too weak to play them. Game consoles do not support USB keyboards and USB mouse, they only support gamepads. Gamepad controls are not suitable for shooter games, using a keyboard and mouse is much more comfortable for gameplay.

How does it work?

I designed a circuit that features a microcontroller and USB hub. The keyboard and mouse plugs into the USB hub, and then the microcontroller takes the data from the keyboard and mouse, translates them to the data format used by the PlayStation 4. It does the translation in a way as though the mouse was the right thumbstick, and the keys are mapped to buttons (the WASD keys are mapped to the left thumbstick).

If you want to buy one from me, you can’t, I don’t want to sell anything. If you want to buy something similar from somebody else, try the XIM4 (my top choice), CronusMAX, Venom X, etc. (if there’s another product you would like to see on this list, give me one to try out first, and I’ll add it if it works)

Development Story

Latest News – July 20 2014

I wanted to share this story because I am very happy that I finally managed to get this far! Anybody who is attempting this and thought it was impossible to do can now breath a sigh of relief because it definitely can be done.

I have already accomplished a similar project that worked with a PS3 (UsbXlater), something that connected to the PS3 via USB that translated keyboard and mouse data format to gamepad data format.

Once the PS4 launched, I reversed engineered the USB protocol used by the DualShock, and then attempted the same technique. But… Continue reading

Weekly Report February 23 2014

Since the RN42HCI does not support SSP (see previous weekly report post), I’ve switched to using a USB Bluetooth dongle to perform the spoof. This will allow me to get a huge data rate improvement, but at the cost of an USB port. I’ve made massive improvements to the USB host code, and my Total Phase Beagle USB 12 Analyzer really proved itself by telling me exactly how many tokens were sent and how many NAKs were received, which allowed me to gage my maximum sample rate, and see noticeable differences when I make code changes.

But the bad news is that I can only see these tokens and NAK events as “collapsed records”, which means I can see that in the span of 2 seconds, I have gotten X amount of NAK from device A, Y amount from device B. But I can’t see if I get them in the order A B A B or A A B A A B. I’ve contacted Total Phase support about this, and it turns out that their more expensive analyzers support “packet view”. I asked if this was a hardware limitation, they stated that it was not, and I can capture the packets myself if I use their API that they provide. I asked them to update their software to add the support for my model, and they said they’ll pass on the request to their engineers and they’ll consider it.

Progress on the DualShock 4 spoof is great. I managed to get a reliable connection between the DualShock and my UsbXlater circuit via Bluetooth, and my UsbXlater circuit to the PlayStation via Bluetooth. I have a basic man-in-the-middle Bluetooth proxy working completely. The only problem now seems like the PlayStation doesn’t want to take the input yet, although I can see the data being passed, the PlayStation does not respond. The bigger issue is that the data being passed is coming so fast that my monstrous STM32F405RG chip is actually running out of RAM, I need to figure out whether or not this is indeed a performance issue or maybe I’m stupid and caused a memory leak.

Here I have my debug output a millisecond timestamp with the amount of RAM left, then it crashes

8000 FreeRAM 98132
10000 FreeRAM 88364
12000 FreeRAM 80868
14000 FreeRAM 72460
16000 FreeRAM 63092
18000 FreeRAM 53836
20000 FreeRAM 46428
22000 FreeRAM 37364
24000 FreeRAM 27756
26000 FreeRAM 17788
28000 FreeRAM 10068
30000 FreeRAM 716

Exception Handler, source: 1
r0: 0xF0127C08, r1: 0x2000293C, r2: 0x0000000A, r3: 0x0000000A, r12: 0x000002FF
LR: 0x00000000, PC: 0x20002948, PSR: 0xA1000200,

Neat… I’ve worked all weekend on this and got this far, I’m going to take a break and work on something else now. But my next goal is to figure out if I am freeing memory correctly, then maybe improve USB performance even more, and then implement flow control. Once the system doesn’t crash, I can focus on why the PlayStation doesn’t respond.

Weekly Report February 9 2014

I am playing around with BTstack (an open source Bluetooth stack) as a part of my on-going efforts to spoof a DualShock 4. After a bit of coding, I got it compiled into the UsbXlater firmware and now I am testing it.

One huge problem I ran into is that the RN42HCI I purchased from Microchip does not seem to support SSP (simple secure pairing). The Microchip website clearly states that the RN-42 is a “Fully certified Class 2 Bluetooth 2.1 + EDR module”. But using the read_local_version_information and read_local_supported_features commands, it is revealed that it does not support SSP and the version is actually Bluetooth 1.0b.

The PlayStation 4 uses SSP, this means the RN-42 cannot be used. I am hoping that Microchip will owe up to their mistake and either provide a replacement or a firmware update. Meanwhile, I will try doing some hacking to see if I can avoid the pairing problem, and also upgrade my USB stack a bit to see if using a USB BT dongle is still a viable option.

EDIT: According to Microchip tech support: “The current RN42HCI module does not support SSP. Updating the RN42HCI to BT3.0 for SSP support will have implications for our existing RN42HCI customers that do not use SSP.” So I was right, they are falsely advertising the product.

Weekly Report February 2 2014

Spoke too soon about the DualShock 4’s Bluetooth security, although the link level authentication is figured out, it seems like Sony employed a challenge and response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and it seems to tolerate up to 16 failed attempts before the PlayStation stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering, I only capture a few seconds worth of data. Matlo from GIMX pointed this out to me. Thanks!

This is bad news, the challenge key is huge, cracking it is out of the question. We also tried feeding it the challenge through USB and extracting the response from USB, but the response came back blank, which seems to indicate that the response calculation hasn’t been triggered. We tried replicating the exact series of transaction and it still would not trigger the calculation.

But the good news is that the challenge and response can be passed through. This means that “man in the middle” injection of data is still possible. This is my next goal, because my final goal is to make keyboard and mouse work on the PS4. Thus my next goal is to get Bluetooth passed through, establish a connection to both a DualShock and a PlayStation, becoming the man in the middle. Modify the gaming input packets from the DualShock before sending it to the PlayStation, while passing through all other traffic. Thus, the authentication packets are untouched, which does work because Matlo has already implemented this system as a test.

Weekly Report January 19 2014

Things are going slow on UsbXlater but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and read the BD_ADDR back.

One obscure problem I faced was that I did not set the right sizes for the host channels. The problem’s symptom was that my code froze after I sent any command to the dongle. The code froze because an ISR was firing repeatedly, further investigation showed that it was firing because the host channel received a babble error (in the code, it is “bblerr”). This error was unhandled and thus the interrupt would repeated fire. The error occured because the host channel size was incorrect and the USB dongle was sending more data than what the size allowed.

I am hoping that I can at least wake up the PS4 next. This should be easy, a baseband connection request should do the trick. I’ve already tested this using a Raspberry Pi.

Another interesting discovery I’ve made during all of this: the Bluetooth link key used to pair and authenticate the DualShock 4 and PS4 is sent over USB. However, you can also perform “simple pairing” without a USB cable by: going into the PS4’s settings menu, then devices, then Bluetooth, and then initiate “PC mode” on the DualShock 4 by holding the share and PS button together.

Since the mystery with the Bluetooth security (or, the lack of security) is solved. From here on, it seems like nothing can prevent me from spoofing a DualShock 4. Full steam ahead! I even purchased some RN42HCI modules, because the USB Bluetooth dongles take up precious host channels. I will probably end up designing another PCB with the RN42HCI on it.

Anyways, I am chatting with Matlo from GIMX during all this hacking, he was able to adapt his old Bluetooth proxy to work with the DualShock 4. This proves that it is indeed easy to spoof a DualShock 4.

I don’t own an Xbox One and I have not kept up with any Xbox news, but the Xbox 360 used an authentication chip for the sole purpose of preventing other people from making knock off Xbox controllers. But as far as we can tell, Sony does not employ the same strategy. This will probably mean we can expect to see some cheaper alternatives to the DualShock 4, although the quality of which will be questionable.

UsbXlater, DualShock 4, PlayStation 4, Weekly Report Dec 15, 2013

I haven’t worked on the firmware for the UsbXlater for a while. This is because I really want it to work on the PlayStation 4 by spoofing the DualShock 4, but after some heavy investigation. It seems like this is impossible (in the sense of spoofing).

On the DualShock 4 circuitry, I have recently found the UART (aka serial port) pins for the Bluetooth module’s HCI (host controller interface). I used my logic analyzer to capture the data from the HCI. The results are posted on my wiki page about the DualShock 4, along with the pcap file with the entire capture.

The PlayStation 4 does not seem to accept input through USB. I did get UsbXlater entirely working and replicating the behaviour of a real DualShock 4, but the PlayStation does not respond. The Bluetooth connection is always active during this time.

Over Bluetooth, it seems that the L2CAP packets that are sent containing the report contains 4 bytes at the end that appears to be random. This could mean it’s a checksum or a hash. Update: it’s a CRC32, with a standard initial value. It’s easy to generate and I’ve already tested it on my sample capture data, so that’s good news. Credit goes to Matlo from GIMX

I do have a new version of the UsbXlater hardware that I can get assembled next week. It will emulate button presses on the DualShock 4 directly using electrical signals connected to the buttons themselves, instead of digitally through spoofing data streams.

I am aware that CronusMax has a “proof of concept” video of his hardware working on the PS4, but that video is a fake, what he did is program it to act as a HID keyboard, which only works in the menus. This is why the video does not show gameplay and why he does not plain outright say that it will be supported. Everybody who is making a device similar to XIM or Cronus or Eagle Eye Converter or UsbXlater is facing the exact same difficulties I am facing. I am disappointed in Cronus because the video’s purposes is probably to drive up pre-orders for people who are hoping for PlayStation 4 support which might never come.

Upgrade a Passive HDMI Switch with 5V Power

I have many things connected to my single computer monitor via HDMI. I use a HDMI switch so I don’t have to unplug and replug cables all the time. But my cheap $6 HDMI switch is an unpowered passive switch, so it has problems working when the video source does not provide enough power to the switch.

For example, when my Mac Mini is plugged in, the 5V pin only supplies about 3 volts. Inside of the switch is a set of diodes and a AMS1117 voltage regulator that is supposed to output 3.3V using 5V, but instead it is only outputting about 2V. This made the LEDs in the switch flicker and blink (which seemed like a symptom of a bad power supply) and switch refused to function (no video output). My solution was to add a USB micro connector so I can add an external 5V power supply.

After adding the power supply, the switch is able to function properly with a steady supply of power.
Continue reading

Weekly Report December 1, 2013

The Playstation 4 is great, I got mine from Amazon 2 weeks ago, no problems. USBXLATER is on hold. After weeks of investigation and experimentation and collaborating with other people, it seems that the PS4 only accepts the data from DualShock 4’s Bluetooth interface, and not the USB interface, even if HID reports are sent through USB. This makes emulation via USB impossible. The next possible methods are to emulate the Bluetooth connection instead, or to install an internal modification to the DualShock 4’s hardware.

My Bluetooth module currently does not have some features that allow me to use it for spoofing so I’ll have to get a new one before even attempting it. I have started on the design for this internal modification already.

I attempted to use the Ubertooth One to do Bluetooth sniffing, but it is extremely hard to use and doesn’t seem to work right. I can obtain the LAP and UAP of my Playstation using it, with this information, the Ubertooth is supposed to be able to perform the necessary calculations required to follow the same frequency hopping pattern that the Playstation and DualShock uses. But the Ubertooth cannot successfully do this, and when it does seem to obtain the pattern, it fails to decode every single packet, leading me to think that it miscalculated the hopping pattern.

iOS’s BLE events seems to be polled at a really slow rate. I had to fix a problem which involved using the time when the event handler was fired. The timestamp was not accurate at all and appears to happen at 1 second interval bursts. This problem was fixed by using another method of obtaining the actual time when the notification was sent from the BLE device, I packed a sample interval into the packet I sent.

Improved “Third Hand” Using Coolant Hose


I don’t really like my “third-hand” tool so I decided to build a better one using flexible ball-jointed coolant spraying pipe hoses. It’s not a totally new idea, SparkFun even sells some of these parts as a kit. But my way is slightly better, and I got the hoses from eBay (look for “Flexible Water Oil Coolant Pipe Hose for Lathe CNC”) instead because SparkFun’s prices were excessively expensive.
Continue reading

Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux

    I am a mainly Windows 7 user who needs to use Linux only sometimes, so I need a dual boot system. I also want to encrypt my entire hard drive for privacy. I used to have TrueCrypt encrypting my entire hard drive, but TrueCrypt does not really support dual boot systems with GRUB, because TrueCrypt must reside on the Master Boot Record (MBR).

    There are several guides on the Internet about how to create a dual boot system with TrueCrypt but all of them involve placing the TrueCrypt rescue disk image into a separate partition. This is an ugly solution as a mainly Windows user because it involves a few extra keystrokes to activate the rescue partition, and the rescue partition is not hidden. I came up with an alternative solution for people who wants to boot directly into Windows with a silent TrueCrypt login most of the time, but needs a few extra keystrokes to get into Linux.

    Continue reading

Reverse Engineering and Cloning a S-View Flip Cover

I got a Samsung Galaxy Note 3 as soon as it was released. I wanted a S-View flip cover for it. S-View basically means the screen will automatically turn on and off when you open and close the cover. It is also able to reformat the display to show important notifications through the square viewing window of the cover, etc. The phone knows if the flip cover is opened or closed because there’s a tiny magnet inside the cover.

But all of the official S-View flip covers available are very expensive at about $60 each. The cheap covers might look like S-View covers, but they do not support the actual S-View functionality. But the cheap covers are about $5. I wanted to hack a $5 to give it S-View functionality. Continue reading

Weekly Report Nov 17 2013

USBXLATER is going strong. Constantly improving and new features. During the testing, I picked up another generic USB hub to test…

Like the picture said, they do not work, I have other generic hubs that do work. These ones seems to exhibit a signalling issue. The strangest thing is that they’ll work if I plug them into my USB traffic analyzer, which means I can’t even debug the signals…