FrSky X4R-SB S.BUS anti-invert hack

I am building a quadcopter using a FrSky Taranis X9D radio. It came with a FrSky X8R receiver. Wanting to keep my wiring clean by using the S.BUS feature on the FrSky receivers, I purchased a smaller FrSky X4R-SB receiver. The X8R has 8 PWM channel pins and the X4R-SB has 3 PWM channel pins, but if I use S.BUS (which is serial, not PWM), I can access 16 channels using only 1 pin, on both the X8R and the X4R-SB. The X4R-SB is much smaller, making it more ideal. (Do not confuse the X4R-SB with the D4R-II; this is important, as the D4R-II uses CPPM, not S.BUS.)

(update 10/25/2014: a follow up hack for Smart Port)

I want to use a Naze32 flight controller, which is open source and does have code to interpret the S.BUS protocol. S.BUS is UART communication, but it is inverted, and the Naze32’s UART cannot accept inverted input.

Weekly Report July 20 2014

My project involving the PlayStation 4 and DualShock 4 has caught the attention of Sony, and after interviewing me, Sony Computer Entertainment America hired me as hardware engineer for PlayStation peripherals. Today is the day I take a one way flight from Toronto to San Francisco, and tomorrow will be my first day! Follow your passion, don’t be afraid to fail, and don’t be afraid to show off your skills.

And since I’m leaving my family…

PS4 Laser Cut Stand

Summer is coming so I was worried about cooling the PS4. This stand lifts the PS4 off the desk a bit to give it more airflow. I had this cut by Ponoko, using 9mm thick clear acrylic. If you want to make your own, click here to download the EPS file, follow Ponoko’s instructions.

Another way is to 3D print them using black ABS, but I don’t have a 3D printer. The acrylic is left over from another project, hence why I used it.

Simple 6X USB Charger with Current Monitor

This is a simple 6-port USB device charger with an individual current monitor on each port. The charging current is indicated using RGB LEDs. Blue means slow charge (under 250mA), green means 250mA to 750mA, red means over 750mA, and purple means over 1500mA (for tablets). This circuit involves an ATmega328P (if you do hobby electronics, I bet you have plenty of spares of these), an INA169 (check out this breakout board), and an OKR-T10-W12.

While this project is not as impressive as my other projects in terms of difficulty, I soldered and…

Kinetis Microcontroller SRAM Region Hard Faults

I am doing a project that involves a K10DX128 microcontroller from Freescale, which is advertised to have 128 KB of flash memory and 16 KB of SRAM memory. It’s similar to the microcontroller used by the Teensy 3.0 platform. The project involves a lot of dynamically allocated memory because it deals with a lot of files inside a file system.

I ran into one of those “sometimes it happens, sometimes it doesn’t happen” bugs that causes a hard fault. Tracing the source of the hard fault led to a few ordinary SRAM store instructions, and apparently it happened halfway through processing the list of files. This made me suspect that the memory was allocated incorrectly, and I checked all the things I should check (the address of the allocation, how much memory I should have, the status of my stack, the linker script, etc).

Keyboard and Mouse for PlayStation 4 Games (second prototype)

Why did you do this?

I like playing shooter games on PC, but my laptop is too weak to play them. Game consoles do not support USB keyboards and USB mice; they only support gamepads. Gamepad controls are not suitable for shooter games; using a keyboard and mouse is much more comfortable for gameplay.

How does it work?

I designed a circuit that features a microcontroller and a USB hub. The keyboard and mouse plug into the USB hub, and then the microcontroller takes the data from the keyboard and mouse and translates it to the data format used by the PlayStation 4. It does the translation in a way as though the mouse was the right thumbstick, and the keys are mapped to buttons (the WASD keys are mapped to the left thumbstick).
If you want to buy one from me, you can’t; I don’t want to sell anything. If you want to buy something similar from somebody else, try the XIM4 (my top choice), CronusMAX, Venom X, etc. (If there’s another product you would like to see on this list, give me one to try out first, and I’ll add it if it works.)

Development Story

Latest News – July 20 2014

I wanted to share this story because I am very happy that I finally managed to get this far! Anybody who is attempting this and thought it was impossible to do can now breathe a sigh of relief, because it definitely can be done.

I have already accomplished a similar project that worked with a PS3 (UsbXlater): something that connected to the PS3 via USB and translated the keyboard and mouse data format to the gamepad data format.

Once the PS4 launched, I reverse engineered the USB protocol used by the DualShock, and then attempted the same technique. But…

Weekly Report February 23 2014

Since the RN42HCI does not support SSP (see the previous weekly report post), I’ve switched to using a USB Bluetooth dongle to perform the spoof. This will allow me to get a huge data rate improvement, but at the cost of a USB port. I’ve made massive improvements to the USB host code, and my Total Phase Beagle USB 12 Analyzer really proved itself by telling me exactly how many tokens were sent and how many NAKs were received, which allowed me…

Weekly Report February 9 2014

I am playing around with BTstack (an open source Bluetooth stack) as a part of my on-going efforts to spoof a DualShock 4. After a bit of coding, I got it compiled into the UsbXlater firmware and now I am testing it.

One huge problem I ran into is that the RN42HCI I purchased from Microchip does not seem to support SSP (Secure Simple Pairing). The Microchip website clearly states that the RN-42 is a…

Weekly Report February 2 2014

Spoke too soon about the DualShock 4’s Bluetooth security: although the link-level authentication is figured out, it seems like Sony employed a challenge-and-response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and it seems to tolerate up to 16 failed attempts before the PlayStation stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering, I only capture a few seconds’ worth of data. Matlo from GIMX pointed this out to me. Thanks!

This is bad news: the challenge key is huge, so cracking it is out of the question.

Weekly Report January 19 2014

Things are going slowly on UsbXlater, but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and…

UsbXlater, DualShock 4, PlayStation 4, Weekly Report Dec 15, 2013

I haven’t worked on the firmware for the UsbXlater for a while. This is because I really want it to work on the PlayStation 4 by spoofing the DualShock 4, but after some heavy investigation, it seems like this is impossible (in the sense of spoofing).

On the DualShock 4 circuitry, I have recently found the UART (aka serial port) pins for the Bluetooth module’s HCI (host controller interface). I used my logic analyzer to capture the data from the HCI. The results are posted on my wiki page about the DualShock 4, along with the pcap file of the entire capture.

The PlayStation 4 does not seem to accept input through USB. I did get UsbXlater entirely working and replicating the behaviour of a real DualShock 4, but the PlayStation does not respond. The Bluetooth connection is always active during this time.

Over Bluetooth, it seems that the L2CAP packets that carry the report contain 4 bytes at the end that appear to be random. This could mean it’s a checksum or a hash. Update: it’s a CRC32, with a standard initial value. It’s easy to generate and I’ve already tested it on my sample capture data, so that’s good news. Credit goes to Matlo from GIMX.

I do have a new version of the UsbXlater hardware that I can get assembled next week. It will emulate button presses on the DualShock 4 directly using electrical signals connected to the buttons themselves, instead of digitally through spoofing data streams.

I am aware that CronusMax has a “proof of concept” video of his hardware working on the PS4, but that video is a fake: what he did is program it to act as a HID keyboard, which only works in the menus. This is why the video does not show gameplay and why he does not plainly say outright that it will be supported. Everybody who is making a device similar to XIM or Cronus or Eagle Eye Converter or UsbXlater is facing the exact same difficulties I am facing. I am disappointed in Cronus because the video’s purpose is probably to drive up pre-orders from people who are hoping for PlayStation 4 support, which might never come.

Upgrade a Passive HDMI Switch with 5V Power

I have many things connected to my single computer monitor via HDMI. I use an HDMI switch so I don’t have to unplug and replug cables all the time. But my cheap $6 HDMI switch is an unpowered passive switch, so it has problems working when the video source does not provide enough power to the switch.

For example, when my Mac Mini is plugged in, the 5V pin only supplies about 3 volts. Inside the switch is a set of diodes and an AMS1117 voltage regulator that is supposed to output 3.3V from 5V, but instead it is only outputting about 2V. This made the LEDs in the switch flicker and blink (which seemed like a symptom of a bad power supply), and the switch refused to function (no video output). My solution was to add a USB micro connector so I can add an external 5V power supply.

After adding the power supply, the switch is able to function properly with a steady supply of power.

Weekly Report December 1, 2013

The PlayStation 4 is great; I got mine from Amazon 2 weeks ago, no problems. USBXLATER is on hold. After weeks of investigation and experimentation and collaborating with other people, it seems that the PS4 only accepts the data from the DualShock 4’s Bluetooth interface, and not the USB interface, even if HID reports are sent through USB. This makes emulation via USB impossible. The next possible methods are to emulate the Bluetooth connection instead, or to install an internal modification to the DualShock 4’s hardware.

My Bluetooth module currently does not have some features that would allow me to use it for spoofing, so I’ll have to get a new one before even attempting it. I have started on the design for the internal modification already.

I attempted to use the Ubertooth One to do Bluetooth sniffing, but it is extremely hard to use and doesn’t seem to work right. I can obtain the LAP and UAP of my PlayStation using it; with this information, the Ubertooth is supposed to be able to perform the necessary calculations required to follow the same frequency hopping pattern that the PlayStation and DualShock use. But the Ubertooth cannot successfully do this, and when it does seem to obtain the pattern, it fails to decode every single packet, leading me to think that it miscalculated the hopping pattern.

iOS’s BLE events seem to be polled at a really slow rate. I had to fix a problem which involved using the time when the event handler was fired. The timestamp was not accurate at all and appears to happen in 1-second interval bursts. This problem was fixed by using another method of obtaining the actual time when the notification was sent from the BLE device: I packed a sample interval into the packet I sent.

Improved “Third Hand” Using Coolant Hose

I don’t really like my “third-hand” tool, so I decided to build a better one using flexible ball-jointed coolant spraying pipe hoses. It’s not a totally new idea; SparkFun even sells some of these parts as a kit. But my way is slightly better, and I got the hoses from eBay (look for “Flexible Water Oil Coolant Pipe Hose for Lathe CNC”) instead because SparkFun’s prices were excessively expensive.

Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux

I am mainly a Windows 7 user who needs to use Linux only sometimes, so I need a dual boot system. I also want to encrypt my entire hard drive for privacy. I used to have TrueCrypt encrypting my entire hard drive, but TrueCrypt does not really support dual boot systems with GRUB, because TrueCrypt must reside on the Master Boot Record (MBR).

There are several guides on the Internet about how to create a dual boot system with TrueCrypt, but all of them involve placing the TrueCrypt rescue disk image into a separate partition. This is an ugly solution for a mainly Windows user because it involves a few extra keystrokes to activate the rescue partition, and the rescue partition is not hidden. I came up with an alternative solution for people who want to boot directly into Windows with a silent TrueCrypt login most of the time, but need a few extra keystrokes to get into Linux.