Weekly Report August 16 2014

Nothing geeky to talk about. I managed to rent a 1 BR apartment in San Mateo for about $1725/month in a pretty good spot (but whoever built the place did not seem to own a ruler and whoever painted it didn’t own masking tape). Here’s me planning the layout using SolidWorks and Ikea’s catalog.
ikea floor plan

Weekly Report July 20 2014

My project involving the PlayStation 4 and DualShock 4 has caught the attention of Sony, and after interviewing me, Sony Computer Entertainment America hired me as a hardware engineer for PlayStation peripherals. Today is the day I take a one way flight from Toronto to San Francisco, and tomorrow will be my first day! Follow your passion, don’t be afraid to fail, and don’t be afraid to show off your skills.

And since I’m leaving my family… Continue reading

PS4 Laser Cut Stand

Summer is coming so I was worried about cooling the PS4. This stand lifts the PS4 off the desk a bit to give it more airflow. I had this cut by Ponoko, using 9mm thick clear acrylic. If you want to make your own, click here to download the EPS file and follow Ponoko’s instructions.

Another way is to 3D print them using black ABS, but I don’t have a 3D printer. The acrylic is left over from another project, which is why I used it.

Trip to China

I went on a short trip to China, seeing some family and some sightseeing.

No trip is complete without seeing some Chinglish

Chinglish

Some wiring near WuXi (please ignore the camera flash being reflected in the glass window, I was on a moving bus, I didn’t have time to disable my flash)

Some BBQ Pupa


Simple 6X USB Charger with Current Monitor

This is a simple 6 port USB device charger with an individual current monitor on each port. The charging current is indicated using RGB LEDs: blue means slow charge (under 250mA), green means 250mA to 750mA, red means over 750mA, and purple means over 1500mA (for tablets). This circuit involves an ATmega328P (if you do hobby electronics, I bet you have plenty of spares of these), an INA169 (check out this breakout board), and an OKR-T10-W12.

While this project is not as impressive as my other projects in terms of difficulty, I soldered and Continue reading

Kinetis Microcontroller SRAM Region Hard Faults

I am doing a project that involves a K10DX128 microcontroller from Freescale, which is advertised to have 128 KB of flash memory and 16 KB of SRAM memory. It’s similar to the microcontroller used by the Teensy 3.0 platform. The project involves a lot of dynamically allocated memory because it deals with a lot of files inside a file system.

I ran into one of those “sometimes it happens, sometimes it doesn’t happen” bugs that causes a hard fault. Tracing the source of the hard fault led to a few ordinary SRAM store instructions, and apparently it happened halfway through processing the list of files. This made me suspect that the memory was allocated incorrectly, and I checked all the things I should check (the address of the allocation, how much memory I should have, the status of my stack, the linker script, etc).
Continue reading

Keyboard and Mouse for PlayStation 4 Games (second prototype)

Why did you do this?

I like playing shooter games on PC but my laptop is too weak to play them. Game consoles do not support USB keyboards and mice, they only support gamepads. Gamepad controls are not suitable for shooter games; using a keyboard and mouse is much more comfortable for gameplay.

How does it work?

I designed a circuit that features a microcontroller and USB hub. The keyboard and mouse plug into the USB hub, and then the microcontroller takes the data from the keyboard and mouse and translates it to the data format used by the PlayStation 4. It does the translation in a way as though the mouse was the right thumbstick, and the keys are mapped to buttons (the WASD keys are mapped to the left thumbstick).

If you want to buy one from me, you can’t, I don’t want to sell anything. If you want to buy something similar from somebody else, try the XIM4 (my top choice), CronusMAX, Venom X, etc. (if there’s another product you would like to see on this list, give me one to try out first, and I’ll add it if it works)

Development Story

Latest News – July 20 2014

I wanted to share this story because I am very happy that I finally managed to get this far! Anybody who is attempting this and thought it was impossible to do can now breathe a sigh of relief because it definitely can be done.

I have already accomplished a similar project that worked with a PS3 (UsbXlater), something that connected to the PS3 via USB that translated keyboard and mouse data format to gamepad data format.

Once the PS4 launched, I reverse engineered the USB protocol used by the DualShock, and then attempted the same technique. But… Continue reading

Weekly Report February 23 2014

Since the RN42HCI does not support SSP (see previous weekly report post), I’ve switched to using a USB Bluetooth dongle to perform the spoof. This will allow me to get a huge data rate improvement, but at the cost of a USB port. I’ve made massive improvements to the USB host code, and my Total Phase Beagle USB 12 Analyzer really proved itself by telling me exactly how many tokens were sent and how many NAKs were received, which allowed me to gauge my maximum sample rate, and see noticeable differences when I make code changes.

But the bad news is that I can only see these tokens and NAK events as “collapsed records”, which means I can see that in the span of 2 seconds, I have gotten X amount of NAK from device A, Y amount from device B. But I can’t see if I get them in the order A B A B or A A B A A B. I’ve contacted Total Phase support about this, and it turns out that their more expensive analyzers support “packet view”. I asked if this was a hardware limitation, they stated that it was not, and I can capture the packets myself if I use their API that they provide. I asked them to update their software to add the support for my model, and they said they’ll pass on the request to their engineers and they’ll consider it.

Progress on the DualShock 4 spoof is great. I managed to get a reliable connection between the DualShock and my UsbXlater circuit via Bluetooth, and my UsbXlater circuit to the PlayStation via Bluetooth. I have a basic man-in-the-middle Bluetooth proxy working completely. The only problem now seems like the PlayStation doesn’t want to take the input yet, although I can see the data being passed, the PlayStation does not respond. The bigger issue is that the data being passed is coming so fast that my monstrous STM32F405RG chip is actually running out of RAM, I need to figure out whether or not this is indeed a performance issue or maybe I’m stupid and caused a memory leak.

Here my debug output prints a millisecond timestamp with the amount of RAM left, and then it crashes:

8000 FreeRAM 98132
10000 FreeRAM 88364
12000 FreeRAM 80868
14000 FreeRAM 72460
16000 FreeRAM 63092
18000 FreeRAM 53836
20000 FreeRAM 46428
22000 FreeRAM 37364
24000 FreeRAM 27756
26000 FreeRAM 17788
28000 FreeRAM 10068
30000 FreeRAM 716

Exception Handler, source: 1
r0: 0xF0127C08, r1: 0x2000293C, r2: 0x0000000A, r3: 0x0000000A, r12: 0x000002FF
LR: 0x00000000, PC: 0x20002948, PSR: 0xA1000200,

Neat… I’ve worked all weekend on this and got this far, I’m going to take a break and work on something else now. But my next goal is to figure out if I am freeing memory correctly, then maybe improve USB performance even more, and then implement flow control. Once the system doesn’t crash, I can focus on why the PlayStation doesn’t respond.
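Reading a dump like the one above starts with knowing where each printed value came from. The following is an added example, not code from the UsbXlater project: it decodes the eight registers that a Cortex-M core pushes on exception entry (r0-r3, r12, LR, PC, xPSR, in that order starting at the stack pointer the handler sees), picks the right stack from EXC_RETURN, and classifies the stacked PC against the STM32F405 memory map (flash at 0x08000000, SRAM at 0x20000000, CCM at 0x10000000; the region sizes used are assumptions for the example). The sample frame is built from the register values printed in the dump above; note that its PC, 0x20002948, falls in the SRAM range rather than in flash, which is the first thing to check in a fault like this. The on-target handler is included under an __arm__ guard; everything else compiles on a host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Registers the Cortex-M core pushes on exception entry, in ascending
 * address order starting at the stack pointer seen by the handler. */
typedef struct {
    uint32_t r0, r1, r2, r3, r12, lr, pc, psr;
} stacked_frame_t;

typedef enum { REGION_FLASH, REGION_SRAM, REGION_CCM, REGION_OTHER } region_t;

/* Copy the eight stacked words into a struct. */
void decode_stacked_frame(const uint32_t *sp, stacked_frame_t *f)
{
    f->r0 = sp[0]; f->r1 = sp[1]; f->r2 = sp[2]; f->r3 = sp[3];
    f->r12 = sp[4]; f->lr = sp[5]; f->pc = sp[6]; f->psr = sp[7];
}

/* EXC_RETURN (LR as seen inside the handler, not the stacked LR):
 * bit 2 set means the frame was pushed on the process stack (PSP). */
int exc_return_uses_psp(uint32_t exc_return)
{
    return (exc_return & 0x4u) != 0;
}

/* STM32F405 memory map; sizes (1 MB flash, 128 KB SRAM, 64 KB CCM)
 * are assumed for this example. */
region_t classify_addr(uint32_t a)
{
    if (a >= 0x08000000u && a < 0x08100000u) return REGION_FLASH;
    if (a >= 0x20000000u && a < 0x20020000u) return REGION_SRAM;
    if (a >= 0x10000000u && a < 0x10010000u) return REGION_CCM;
    return REGION_OTHER;
}

/* Bits 0-8 of the stacked xPSR hold the exception number of the
 * context that was interrupted: 0 means thread mode (ordinary code). */
uint32_t psr_exception_number(uint32_t psr)
{
    return psr & 0x1FFu;
}

/* Bit 9 of the stacked xPSR is set when the core inserted 4 bytes of
 * padding to 8-byte-align the frame; account for it to recover the
 * stack pointer the faulting code was using. */
uint32_t prefault_sp(uint32_t frame_addr, uint32_t psr)
{
    return frame_addr + 8u * 4u + ((psr & 0x200u) ? 4u : 0u);
}

/* Render the frame in the same shape as the dump in the post. */
int format_frame(const stacked_frame_t *f, char *buf, size_t len)
{
    return snprintf(buf, len,
        "r0: 0x%08lX, r1: 0x%08lX, r2: 0x%08lX, r3: 0x%08lX, r12: 0x%08lX\n"
        "LR: 0x%08lX, PC: 0x%08lX, PSR: 0x%08lX",
        (unsigned long)f->r0, (unsigned long)f->r1, (unsigned long)f->r2,
        (unsigned long)f->r3, (unsigned long)f->r12, (unsigned long)f->lr,
        (unsigned long)f->pc, (unsigned long)f->psr);
}

/* Frame built from the register values printed in the post's dump. */
const uint32_t *page_dump_frame(void)
{
    static const uint32_t frame[8] = {
        0xF0127C08u, 0x2000293Cu, 0x0000000Au, 0x0000000Au,
        0x000002FFu, 0x00000000u, 0x20002948u, 0xA1000200u
    };
    return frame;
}

#if defined(__arm__)
void hardfault_c_handler(uint32_t *sp);

/* On target: choose MSP or PSP from EXC_RETURN bit 2, then hand the
 * frame pointer to C. Naked so the prologue does not disturb LR. */
__attribute__((naked)) void HardFault_Handler(void)
{
    __asm volatile(
        "tst lr, #4\n"
        "ite eq\n"
        "mrseq r0, msp\n"
        "mrsne r0, psp\n"
        "b hardfault_c_handler\n");
}

void hardfault_c_handler(uint32_t *sp)
{
    stacked_frame_t f; char line[160];
    decode_stacked_frame(sp, &f);
    format_frame(&f, line, sizeof line);
    puts(line);            /* assumes stdout is retargeted to a UART */
    for (;;) { }
}
#endif

int main(void)
{
    stacked_frame_t f; char line[160];
    decode_stacked_frame(page_dump_frame(), &f);
    format_frame(&f, line, sizeof line);
    puts(line);
    printf("PC region: %s, interrupted exception number: %lu\n",
           classify_addr(f.pc) == REGION_SRAM ? "SRAM" : "not SRAM",
           (unsigned long)psr_exception_number(f.psr));
    return 0;
}
```

The stacked xPSR's low bits being zero say the interrupted context was thread mode, not another handler, and the recovered pre-fault SP is what to compare against the heap end when deciding between "heap grew into the stack" and "something else corrupted memory".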

Weekly Report February 9 2014

I am playing around with BTstack (an open source Bluetooth stack) as a part of my on-going efforts to spoof a DualShock 4. After a bit of coding, I got it compiled into the UsbXlater firmware and now I am testing it.

One huge problem I ran into is that the RN42HCI I purchased from Microchip does not seem to support SSP (Secure Simple Pairing). The Microchip website clearly states that the RN-42 is a “Fully certified Class 2 Bluetooth 2.1 + EDR module”. But using the read_local_version_information and read_local_supported_features commands, it is revealed that it does not support SSP and the version is actually Bluetooth 1.0b.

The PlayStation 4 uses SSP, this means the RN-42 cannot be used. I am hoping that Microchip will own up to their mistake and either provide a replacement or a firmware update. Meanwhile, I will try doing some hacking to see if I can avoid the pairing problem, and also upgrade my USB stack a bit to see if using a USB BT dongle is still a viable option.

EDIT: According to Microchip tech support: “The current RN42HCI module does not support SSP. Updating the RN42HCI to BT3.0 for SSP support will have implications for our existing RN42HCI customers that do not use SSP.” So I was right, they are falsely advertising the product.
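The two HCI commands named above are the right check, and it is worth running against every module before trusting its datasheet. The following is an added example, not the author's UsbXlater or BTstack code: it parses the HCI Command Complete events returned for Read_Local_Version_Information (opcode 0x1001) and Read_Local_Supported_Features (opcode 0x1003), maps the HCI_Version byte to a Bluetooth version name using the assigned numbers from the HCI specification (0 = 1.0b, 4 = 2.1 + EDR, the version that introduced SSP), and reads the Secure Simple Pairing (Controller Support) bit, which is bit 3 of byte 6 of LMP features page 0. The sample events are constructed to mirror the author's finding (version 1.0b, SSP bit clear) and a hypothetical dongle that passes; they are not real captures, and the revision, manufacturer and feature byte values in them are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HCI_EVT_COMMAND_COMPLETE   0x0Eu
#define HCI_OP_READ_LOCAL_VERSION  0x1001u  /* OGF 0x04, OCF 0x0001 */
#define HCI_OP_READ_LOCAL_FEATURES 0x1003u  /* OGF 0x04, OCF 0x0003 */

typedef struct {
    uint8_t  hci_version;
    uint16_t hci_revision;
    uint8_t  lmp_version;
    uint16_t manufacturer;
    uint16_t lmp_subversion;
} local_version_t;

/* Command Complete layout:
 *   [0] event code 0x0E   [1] parameter length   [2] Num_HCI_Command_Packets
 *   [3..4] opcode (little endian)   [5..] return parameters (status first)
 * Returns the opcode and points *ret at the return parameters, or 0 when
 * the event is not a Command Complete or its length byte disagrees with
 * the buffer (never trust the length field of a packet from a device). */
static uint16_t command_complete_opcode(const uint8_t *evt, size_t len,
                                        const uint8_t **ret, size_t *ret_len)
{
    if (len < 5 || evt[0] != HCI_EVT_COMMAND_COMPLETE) return 0;
    if ((size_t)evt[1] + 2 != len) return 0;
    *ret = evt + 5;
    *ret_len = len - 5;
    return (uint16_t)(evt[3] | (evt[4] << 8));
}

/* Read_Local_Version_Information return parameters: Status, HCI_Version,
 * HCI_Revision, LMP_Version, Manufacturer_Name, LMP_Subversion (9 bytes). */
int parse_local_version(const uint8_t *evt, size_t len, local_version_t *out)
{
    const uint8_t *p; size_t n;
    if (command_complete_opcode(evt, len, &p, &n) != HCI_OP_READ_LOCAL_VERSION) return -1;
    if (n < 9 || p[0] != 0x00) return -1;
    out->hci_version    = p[1];
    out->hci_revision   = (uint16_t)(p[2] | (p[3] << 8));
    out->lmp_version    = p[4];
    out->manufacturer   = (uint16_t)(p[5] | (p[6] << 8));
    out->lmp_subversion = (uint16_t)(p[7] | (p[8] << 8));
    return 0;
}

/* HCI_Version assigned numbers. */
const char *hci_version_name(uint8_t v)
{
    static const char *names[] = { "1.0b", "1.1", "1.2", "2.0 + EDR",
        "2.1 + EDR", "3.0 + HS", "4.0", "4.1", "4.2", "5.0" };
    return v < sizeof names / sizeof names[0] ? names[v] : "unknown";
}

/* Read_Local_Supported_Features return parameters: Status + 8 bytes of
 * LMP features page 0. Secure Simple Pairing (Controller Support) is
 * byte 6, bit 3. Returns 1 if set, 0 if clear, -1 if not that event. */
int ssp_supported(const uint8_t *evt, size_t len)
{
    const uint8_t *p; size_t n;
    if (command_complete_opcode(evt, len, &p, &n) != HCI_OP_READ_LOCAL_FEATURES) return -1;
    if (n < 9 || p[0] != 0x00) return -1;
    return (p[1 + 6] >> 3) & 1;
}

/* A module is usable for an SSP peer only if both checks pass. */
int module_usable_for_ssp(const uint8_t *ver_evt, size_t ver_len,
                          const uint8_t *feat_evt, size_t feat_len)
{
    local_version_t v;
    if (parse_local_version(ver_evt, ver_len, &v) != 0) return 0;
    return v.hci_version >= 4 && ssp_supported(feat_evt, feat_len) == 1;
}

/* Constructed sample events (not captures; values after the header are
 * made up). The first pair mirrors the finding in the post above. */
const uint8_t evt_version_10b[] = {
    0x0E, 0x0C, 0x01, 0x01, 0x10,                    /* opcode 0x1001 */
    0x00, 0x00, 0x34, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00 };
const uint8_t evt_features_no_ssp[] = {
    0x0E, 0x0C, 0x01, 0x03, 0x10,                    /* opcode 0x1003 */
    0x00, 0xFF, 0xFF, 0x8D, 0xFE, 0x9B, 0xF9, 0x00, 0x80 };
const uint8_t evt_version_21[] = {
    0x0E, 0x0C, 0x01, 0x01, 0x10,
    0x00, 0x04, 0x34, 0x12, 0x04, 0x00, 0x00, 0x01, 0x00 };
const uint8_t evt_features_ssp[] = {
    0x0E, 0x0C, 0x01, 0x03, 0x10,
    0x00, 0xFF, 0xFF, 0x8D, 0xFE, 0x9B, 0xF9, 0x79, 0x80 };

int main(void)
{
    local_version_t v;
    if (parse_local_version(evt_version_10b, sizeof evt_version_10b, &v) == 0)
        printf("HCI version %u (%s), LMP subversion 0x%04X\n",
               v.hci_version, hci_version_name(v.hci_version), v.lmp_subversion);
    printf("SSP bit: %d, usable for SSP: %d\n",
           ssp_supported(evt_features_no_ssp, sizeof evt_features_no_ssp),
           module_usable_for_ssp(evt_version_10b, sizeof evt_version_10b,
                                 evt_features_no_ssp, sizeof evt_features_no_ssp));
    return 0;
}
```

The length check in command_complete_opcode is deliberate: the parser is fed bytes from a device whose firmware you have just learned not to trust, so every length field is validated against the buffer before any return parameter is read.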

Weekly Report February 2 2014

Spoke too soon about the DualShock 4’s Bluetooth security, although the link level authentication is figured out, it seems like Sony employed a challenge and response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and it seems to tolerate up to 16 failed attempts before the PlayStation stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering, I only capture a few seconds’ worth of data. Matlo from GIMX pointed this out to me. Thanks!

This is bad news, the challenge key is huge, cracking it is out of the question. We also tried feeding it the challenge through USB and extracting the response from USB, but the response came back blank, which seems to indicate that the response calculation hasn’t been triggered. We tried replicating the exact series of transaction and it still would not trigger the calculation.

But the good news is that the challenge and response can be passed through. This means that “man in the middle” injection of data is still possible, and that is my next goal, because my final goal is to make keyboard and mouse work on the PS4. So the plan is to get Bluetooth passed through: establish a connection to both a DualShock and a PlayStation, becoming the man in the middle, then modify the gaming input packets from the DualShock before sending them to the PlayStation while passing through all other traffic. The authentication packets are thus untouched, which does work because Matlo has already implemented this system as a test.

Weekly Report January 19 2014

Things are going slow on UsbXlater but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and read the BD_ADDR back.

One obscure problem I faced was that I did not set the right sizes for the host channels. The problem’s symptom was that my code froze after I sent any command to the dongle. The code froze because an ISR was firing repeatedly; further investigation showed that it was firing because the host channel received a babble error (in the code, it is “bblerr”). This error was unhandled and thus the interrupt would repeatedly fire. The error occurred because the host channel size was incorrect and the USB dongle was sending more data than the size allowed.

I am hoping that I can at least wake up the PS4 next. This should be easy, a baseband connection request should do the trick. I’ve already tested this using a Raspberry Pi.

Another interesting discovery I’ve made during all of this: the Bluetooth link key used to pair and authenticate the DualShock 4 and PS4 is sent over USB. However, you can also perform “simple pairing” without a USB cable by: going into the PS4’s settings menu, then devices, then Bluetooth, and then initiating “PC mode” on the DualShock 4 by holding the share and PS button together.

Since the mystery with the Bluetooth security (or the lack of security) is solved, it seems like nothing can prevent me from spoofing a DualShock 4 from here on. Full steam ahead! I even purchased some RN42HCI modules, because the USB Bluetooth dongles take up precious host channels. I will probably end up designing another PCB with the RN42HCI on it.

Anyways, I am chatting with Matlo from GIMX during all this hacking, he was able to adapt his old Bluetooth proxy to work with the DualShock 4. This proves that it is indeed easy to spoof a DualShock 4.

I don’t own an Xbox One and I have not kept up with any Xbox news, but the Xbox 360 used an authentication chip for the sole purpose of preventing other people from making knock off Xbox controllers. But as far as we can tell, Sony does not employ the same strategy. This will probably mean we can expect to see some cheaper alternatives to the DualShock 4, although the quality of which will be questionable.

UsbXlater, DualShock 4, PlayStation 4, Weekly Report Dec 15, 2013

I haven’t worked on the firmware for the UsbXlater for a while. This is because I really want it to work on the PlayStation 4 by spoofing the DualShock 4, but after some heavy investigation, it seems like this is impossible (in the sense of spoofing).

On the DualShock 4 circuitry, I have recently found the UART (aka serial port) pins for the Bluetooth module’s HCI (host controller interface). I used my logic analyzer to capture the data from the HCI. The results are posted on my wiki page about the DualShock 4, along with the pcap file with the entire capture.

The PlayStation 4 does not seem to accept input through USB. I did get UsbXlater entirely working and replicating the behaviour of a real DualShock 4, but the PlayStation does not respond. The Bluetooth connection is always active during this time.

Over Bluetooth, it seems that the L2CAP packets that are sent containing the report contain 4 bytes at the end that appear to be random. This could mean it’s a checksum or a hash. Update: it’s a CRC32, with a standard initial value. It’s easy to generate and I’ve already tested it on my sample capture data, so that’s good news. Credit goes to Matlo from GIMX.
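An added example, not the author's or GIMX's code, showing how a 4-byte CRC32 trailer like the one described above would be generated and checked, and how the STM32F4 hardware CRC unit mentioned in the January 19 report above can be made to produce it. The first routine is the standard CRC-32 (reflected polynomial 0xEDB88320, initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF). The sample report bytes are constructed and are not the real DualShock 4 report layout; the little-endian byte order of the trailer and the assumption that the CRC covers every byte before it are assumptions for this example. The second routine is a software model of the STM32F4 CRC peripheral (one 32-bit word per step, MSB first, polynomial 0x04C11DB7, initial value 0xFFFFFFFF, no final XOR) with the bit-reversal wrapper that makes it yield the standard CRC-32 for word-aligned data; on the target, bitrev32 would be the RBIT instruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3). Check value for "123456789" is 0xCBF43926. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Append crc32(buf[0..len)) as 4 little-endian bytes (byte order assumed).
 * buf must have room for len + 4 bytes. Returns the new length. */
size_t crc32_append(uint8_t *buf, size_t len)
{
    uint32_t c = crc32_ieee(buf, len);
    buf[len] = (uint8_t)c;             buf[len + 1] = (uint8_t)(c >> 8);
    buf[len + 2] = (uint8_t)(c >> 16); buf[len + 3] = (uint8_t)(c >> 24);
    return len + 4;
}

/* Check a buffer that ends in such a trailer: 1 = good, 0 = bad or short. */
int crc32_verify(const uint8_t *buf, size_t total_len)
{
    if (total_len < 4) return 0;
    size_t len = total_len - 4;
    uint32_t want = (uint32_t)buf[len] | ((uint32_t)buf[len + 1] << 8) |
                    ((uint32_t)buf[len + 2] << 16) | ((uint32_t)buf[len + 3] << 24);
    return crc32_ieee(buf, len) == want;
}

static uint32_t bitrev32(uint32_t x)
{
    x = ((x >> 1) & 0x55555555u) | ((x & 0x55555555u) << 1);
    x = ((x >> 2) & 0x33333333u) | ((x & 0x33333333u) << 2);
    x = ((x >> 4) & 0x0F0F0F0Fu) | ((x & 0x0F0F0F0Fu) << 4);
    x = ((x >> 8) & 0x00FF00FFu) | ((x & 0x00FF00FFu) << 8);
    return (x >> 16) | (x << 16);
}

/* Software model of one CRC_DR write on the STM32F4 CRC unit: 32-bit
 * word, MSB first, polynomial 0x04C11DB7, no reflection, no final XOR. */
static uint32_t hw_crc_model_feed(uint32_t crc, uint32_t word)
{
    crc ^= word;
    for (int k = 0; k < 32; k++)
        crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : (crc << 1);
    return crc;
}

/* Standard CRC-32 computed the way you would with that peripheral:
 * bit-reverse each little-endian word going in, bit-reverse the result
 * and apply the final XOR. Only valid when n is a multiple of 4. */
uint32_t crc32_ieee_via_hw_model(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;   /* the unit resets to all ones */
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t w = (uint32_t)p[i] | ((uint32_t)p[i + 1] << 8) |
                     ((uint32_t)p[i + 2] << 16) | ((uint32_t)p[i + 3] << 24);
        crc = hw_crc_model_feed(crc, bitrev32(w));
    }
    return bitrev32(crc) ^ 0xFFFFFFFFu;
}

/* Constructed 12-byte stand-in for a report body (not the real layout). */
#define REPORT_BODY_LEN 12
const uint8_t sample_report_body[REPORT_BODY_LEN] = {
    0x5A, 0x01, 0x80, 0x7F, 0x81, 0x7E, 0x08, 0x00, 0x10, 0x20, 0x30, 0x40 };

/* Build a frame from the sample body, optionally flip one byte of the
 * body, and return the verify result (1 = accepted, 0 = rejected). */
int sample_roundtrip(int tamper)
{
    uint8_t frame[REPORT_BODY_LEN + 4];
    memcpy(frame, sample_report_body, REPORT_BODY_LEN);
    size_t total = crc32_append(frame, REPORT_BODY_LEN);
    if (tamper) frame[5] ^= 0x01;
    return crc32_verify(frame, total);
}

int main(void)
{
    printf("crc32 of body: %08lX\n",
           (unsigned long)crc32_ieee(sample_report_body, REPORT_BODY_LEN));
    printf("intact frame verifies: %d, tampered frame verifies: %d\n",
           sample_roundtrip(0), sample_roundtrip(1));
    printf("hardware model matches software CRC: %d\n",
           crc32_ieee_via_hw_model(sample_report_body, REPORT_BODY_LEN)
               == crc32_ieee(sample_report_body, REPORT_BODY_LEN));
    return 0;
}
```

The equivalence of the two routines holds because the reflected and non-reflected engines are the same linear map viewed in bit-reversed registers, and XORing a whole word in before 32 shift steps is the same as XORing one byte in before each block of 8; that is why a word-only peripheral can be used for a byte-oriented CRC as long as the data is padded to a word boundary. A CRC is an integrity check, not an authentication tag: anyone who can see the traffic can recompute it, which is exactly what makes injecting modified reports feasible here.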

I do have a new version of the UsbXlater hardware that I can get assembled next week. It will emulate button presses on the DualShock 4 directly using electrical signals connected to the buttons themselves, instead of digitally through spoofing data streams.

I am aware that CronusMax has a “proof of concept” video of his hardware working on the PS4, but that video is a fake, what he did is program it to act as a HID keyboard, which only works in the menus. This is why the video does not show gameplay and why he does not outright say that it will be supported. Everybody who is making a device similar to XIM or Cronus or Eagle Eye Converter or UsbXlater is facing the exact same difficulties I am facing. I am disappointed in Cronus because the video’s purpose is probably to drive up pre-orders from people who are hoping for PlayStation 4 support which might never come.

Upgrade a Passive HDMI Switch with 5V Power

I have many things connected to my single computer monitor via HDMI. I use an HDMI switch so I don’t have to unplug and replug cables all the time. But my cheap $6 HDMI switch is an unpowered passive switch, so it has problems working when the video source does not provide enough power to the switch.

For example, when my Mac Mini is plugged in, the 5V pin only supplies about 3 volts. Inside of the switch is a set of diodes and an AMS1117 voltage regulator that is supposed to output 3.3V from 5V, but instead it is only outputting about 2V. This made the LEDs in the switch flicker and blink (which seemed like a symptom of a bad power supply) and the switch refused to function (no video output). My solution was to add a USB micro connector so I can add an external 5V power supply.

After adding the power supply, the switch is able to function properly with a steady supply of power.
Continue reading

Weekly Report December 1, 2013

The Playstation 4 is great, I got mine from Amazon 2 weeks ago, no problems. USBXLATER is on hold. After weeks of investigation and experimentation and collaborating with other people, it seems that the PS4 only accepts the data from the DualShock 4’s Bluetooth interface, and not the USB interface, even if HID reports are sent through USB. This makes emulation via USB impossible. The next possible methods are to emulate the Bluetooth connection instead, or to install an internal modification to the DualShock 4’s hardware.

My Bluetooth module currently does not have some features that allow me to use it for spoofing so I’ll have to get a new one before even attempting it. I have started on the design for this internal modification already.

I attempted to use the Ubertooth One to do Bluetooth sniffing, but it is extremely hard to use and doesn’t seem to work right. I can obtain the LAP and UAP of my Playstation using it, with this information, the Ubertooth is supposed to be able to perform the necessary calculations required to follow the same frequency hopping pattern that the Playstation and DualShock uses. But the Ubertooth cannot successfully do this, and when it does seem to obtain the pattern, it fails to decode every single packet, leading me to think that it miscalculated the hopping pattern.

iOS’s BLE events seem to be polled at a really slow rate. I had to fix a problem which involved using the time when the event handler was fired. The timestamp was not accurate at all and appeared to arrive in bursts at 1 second intervals. This problem was fixed by using another method of obtaining the actual time when the notification was sent from the BLE device: I packed a sample interval into the packet I sent.

Improved “Third Hand” Using Coolant Hose


I don’t really like my “third-hand” tool so I decided to build a better one using flexible ball-jointed coolant spraying pipe hoses. It’s not a totally new idea, SparkFun even sells some of these parts as a kit. But my way is slightly better, and I got the hoses from eBay (look for “Flexible Water Oil Coolant Pipe Hose for Lathe CNC”) instead because SparkFun’s prices were excessive.
Continue reading

Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux

I am mainly a Windows 7 user who needs to use Linux only sometimes, so I need a dual boot system. I also want to encrypt my entire hard drive for privacy. I used to have TrueCrypt encrypting my entire hard drive, but TrueCrypt does not really support dual boot systems with GRUB, because TrueCrypt must reside on the Master Boot Record (MBR).

There are several guides on the Internet about how to create a dual boot system with TrueCrypt but all of them involve placing the TrueCrypt rescue disk image into a separate partition. This is an ugly solution for a mainly Windows user because it involves a few extra keystrokes to activate the rescue partition, and the rescue partition is not hidden. I came up with an alternative solution for people who want to boot directly into Windows with a silent TrueCrypt login most of the time, but need a few extra keystrokes to get into Linux.

Continue reading

Reverse Engineering and Cloning a S-View Flip Cover

I got a Samsung Galaxy Note 3 as soon as it was released. I wanted an S-View flip cover for it. S-View basically means the screen will automatically turn on and off when you open and close the cover. It is also able to reformat the display to show important notifications through the square viewing window of the cover, etc. The phone knows if the flip cover is opened or closed because there’s a tiny magnet inside the cover.

But all of the official S-View flip covers available are very expensive at about $60 each. The cheap covers might look like S-View covers, but they do not support the actual S-View functionality. But the cheap covers are about $5. I wanted to hack a $5 cover to give it S-View functionality. Continue reading

Weekly Report Nov 17 2013

USBXLATER is going strong, constantly improving with new features. During the testing, I picked up another generic USB hub to test…

Like the picture said, they do not work, I have other generic hubs that do work. These ones seem to exhibit a signalling issue. The strangest thing is that they’ll work if I plug them into my USB traffic analyzer, which means I can’t even debug the signals…

Weekly Report Nov 10 2013

USBXLATER is going great! I’m using it to play through BF4’s single player, to work out bugs. I implemented anti-acceleration for the mouse, plus some filtering, and it feels amazingly like a PC game. I also gave a USBXLATER to Matlo from GIMX because he’s so helpful.

iOS and nRF51 are talking beautifully now. I feel like I can do whatever I want with BLE technology now.

I got a writable NFC tag keychain, I can use a phone app on my Galaxy Note 3 to write my contact info into the tag, and when you scan it, it asks you to import my contact information. Now I keep it with all my keys.

I went to a Freescale seminar. In summary (from the 3 sessions out of many I went to):

  • Kinetis chips do not have any bootloader today, but starting winter of 2013, they will start to add factory stock bootloaders.
  • They are making new ARM Cortex chips with built-in radio transceivers that will be released this winter
  • They are going after the Qi wireless charging market, with some NFC involvement too.
  • I learned more about making PCBs that won’t fail due to bad EM characteristics.
  • I think Freescale is slightly behind on the market, I know NXP and ST both already have factory stock bootloaders. ST has their STM32W family already, and I’m already using nRF51 from Nordic.

Had to fight off a wave of spam to my website, because I forgot to turn on account confirmation on my wiki, oops.

Weekly Report Nov 2 2013

I’ve been working with the VS1000D chip, made by VLSI, which has very cool engineers.

Getting closer to the next generation console launch dates. My USB keyboard+mouse-to-console adapter is going great, adding in configurable data translation and such. Still waiting on new PCBs.

I went to the hacklab.to hackerspace in downtown Toronto. I met some great people there. The space is a bit small but they plan on moving to a bigger space soon. I gave away a few spare blank PCBs while I was there.

I played “Journey”. It is one of the must-play titles of the PS3. I suggest you play it in one sitting, with nobody around physically to bother you, and signed into PSN. This is the only way and best way to enjoy this unique game.

UsbXlater Preview

Hi HACKADAY readers, I have some updates: Progress on UsbXlater, DualShock 4 spoofing

This circuit is a STM32F2 chip with a USB host interface and USB device interface. The original goal of this project is to allow me to play Playstation 4 games using a keyboard and mouse (as opposed to using a gamepad, because the PS3/PS4/Xbox360/XboxOne do not support keyboard and mouse directly in games).


This device has many possible uses…

Continue reading

Booooo CSR

I inquired with a company (not CSR, but their product uses chips from CSR) about some WiFi Direct modules, this was their reply:

Please note that we just stop any new WiFi CSR solution. Based on previous experience with CSR, we could not get driver source code from CSR and CSR couldn’t support themselves. So we give up CSR WiFi

If you didn’t know, CSR makes a lot of Bluetooth and WiFi chips, but they absolutely do not ever EVER give you access to any documentation or any software. Usually to get access, you have to pay them big $$$. In this case, even if you pay them, apparently “CSR couldn’t support themselves”, how embarrassing. This was from a friend who has used CSR before:

It took 3 months to get access to the BC4 firmware and that has been deprecated for years.

CSR is on my list of companies to avoid.

Weekly Report Oct 26 2013

Still using a Mac Mini for iOS stuff, and still hating it. I don’t like their troubleshooting ideology. I tried to add Synergy to pre-login startup tasks but I got an error upon logging in saying that the task can’t start because of a security concern. When I tried to find a solution to this error, I was told to simply delete it, not helpful at all.

Synergy is pretty awesome, except for a few bugs.

Learning Objective C syntax from a C/C++/C#/Java background is NOT easy… I’ve done Windows Phone (I won a Xbox 360 in a MS sponsored hackathon, it was my first and only WP7 app) and Android development before, but iOS is still taking time to get used to.

Got my hands on a DualShock 4 controller early, I tore it down and I’m keeping notes on it.

The USB mouse/keyboard-to-PS4 adapter project is going great. I added so many features to the USB stack code, including dynamic host-channel allocation, so more devices can be supported. I got the emulated DualShock 3 enumerated perfectly thanks to Matlo from gimx.fr. I also sent out a revision of the PCB to be made, this revision has no built-in hub, which means it’s cheaper and more flexible, just a bit less convenient.

I finished “Beyond: Two Souls” in three sittings, it’s that good. It’s really hard to say if it is better or worse than Heavy Rain. I’ll be waiting for the DLCs for it. Quantic Dream has made it onto my “buy at release” and “never resell” game companies list.

I moved a few more pages from my old website to this new website. WordPress updated and I had to fix a few things.