Category Archives: Weekly

RoboGames 2015

I went to spectate RoboGames 2015. If you didn’t go, WHY THE HELL NOT?!

I live literally a 10 minute walk away so I went both Saturday and Sunday. Since I walked in, I accidentally walked through the back entrance, so I snuck into the pits without a badge 😀 but I did still pay for a ticket after. I got some pictures in the pits, not stuff I see every day.

I put together a highlights video. I probably only missed Friday, plus 4 matches from Saturday and Sunday; I have about 20 GB of video… I’m putting a few up just as teasers, but you should really come check out RoboGames next time or buy their DVD when they release it.

The combat is the only event where I could get good video without raising my arms. There were a ton of other competitions, like minisumo, line following, humanoids, soccer, hockey, etc. It really reminds me of the Canadian National Robot Games back in 2007, which I entered as a high school student. The Canadian competition has long since been cancelled, but it’s amazing how alive the Silicon Valley competition is.

Continue reading for more videos and pictures


Weekly Report August 16 2014

Nothing geeky to talk about. I managed to rent a 1 BR apartment in San Mateo for about $1725/month in a pretty good spot (but whoever built the place did not seem to own a ruler and whoever painted it didn’t own masking tape). Here’s me planning the layout using SolidWorks and Ikea’s catalog.
ikea floor plan

Weekly Report July 20 2014

My project involving the PlayStation 4 and DualShock 4 has caught the attention of Sony, and after interviewing me, Sony Computer Entertainment America hired me as hardware engineer for PlayStation peripherals. Today is the day I take a one way flight from Toronto to San Francisco, and tomorrow will be my first day! Follow your passion, don’t be afraid to fail, and don’t be afraid to show off your skills.

And since I’m leaving my family… Continue reading

Weekly Report February 23 2014

Since the RN42HCI does not support SSP (see previous weekly report post), I’ve switched to using a USB Bluetooth dongle to perform the spoof. This will allow me to get a huge data rate improvement, but at the cost of a USB port. I’ve made massive improvements to the USB host code, and my Total Phase Beagle USB 12 Analyzer really proved itself by telling me exactly how many tokens were sent and how many NAKs were received, which allowed me Continue reading

Weekly Report February 9 2014

I am playing around with BTstack (an open source Bluetooth stack) as a part of my on-going efforts to spoof a DualShock 4. After a bit of coding, I got it compiled into the UsbXlater firmware and now I am testing it.

One huge problem I ran into is that the RN42HCI I purchased from Microchip does not seem to support SSP (simple secure pairing). The Microchip website clearly states that the RN-42 is a Continue reading

Weekly Report February 2 2014

Spoke too soon about the DualShock 4’s Bluetooth security. Although the link-level authentication is figured out, it seems that Sony employed a challenge-and-response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and the PlayStation seems to tolerate up to 16 failed attempts before it stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering, I only capture a few seconds’ worth of data. Matlo from GIMX pointed this out to me. Thanks!

This is bad news: the challenge key is huge, so cracking it is out of the question. Continue reading
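To make the behaviour described above concrete, here is a toy model of a periodic challenge/response check with a failure budget, seen from the host (console) side. This is an added example, not Sony’s protocol and not code from the author: the response function (HMAC-SHA256 over a fresh random challenge) is a stand-in for whatever the real controller computes, the 30 second period is derived from “16 failed attempts is 8 minutes”, and the challenge size and the sample report bytes are constructed for the demo. It shows two things the post only states: why a few seconds of capture rarely contains a challenge at all, and why a response captured from a genuine device is useless when replayed, because every challenge is fresh.

```python
"""Toy model of periodic challenge/response with a failure budget.
Added example; response function, challenge size and report bytes are
assumptions for the demo, not the real DualShock 4 / PlayStation 4 scheme."""
import hashlib
import hmac
import secrets

CHALLENGE_PERIOD_S = 30   # 8 minutes / 16 attempts, as described in the post
MAX_FAILURES = 16         # failure budget stated in the post
CHALLENGE_BYTES = 16      # assumed challenge size for this model


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in response function: keyed MAC over the fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Host:
    """Console side: accepts input reports, issues a random challenge every
    period, and stops responding once the failure budget is exhausted."""

    def __init__(self, key: bytes):
        self.key = key
        self.failures = 0
        self.locked = False
        self.challenges = 0

    def accept_report(self, report: bytes) -> bool:
        return not self.locked

    def challenge(self, responder) -> bool:
        if self.locked:            # a locked host no longer talks to the device
            return False
        c = secrets.token_bytes(CHALLENGE_BYTES)   # fresh per round: no replay
        self.challenges += 1
        expected = compute_response(self.key, c)
        ok = hmac.compare_digest(responder.respond(c), expected)
        if not ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
        return ok


class AuthenticDevice:
    """Holds the shared key, so it can answer any challenge."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.key, challenge)


class ReplayDevice:
    """Has no key; replays one response captured from a genuine session."""

    def __init__(self, captured_response: bytes):
        self.captured = captured_response

    def respond(self, challenge: bytes) -> bytes:
        return self.captured


def run_session(responder, host: Host, duration_s: int) -> dict:
    """Simulate duration_s seconds: one input report per second, one
    challenge every CHALLENGE_PERIOD_S seconds. Returns what happened."""
    accepted = 0
    locked_at = None
    for t in range(1, duration_s + 1):
        if host.accept_report(b"constructed input report"):
            accepted += 1
        if t % CHALLENGE_PERIOD_S == 0:
            host.challenge(responder)
            if host.locked and locked_at is None:
                locked_at = t
    return {"accepted": accepted, "challenges": host.challenges, "locked_at": locked_at}


def challenges_in_capture(capture_s: int) -> float:
    """Expected number of challenges inside a capture of capture_s seconds."""
    return capture_s / CHALLENGE_PERIOD_S


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(run_session(AuthenticDevice(key), Host(key), 600))
    stale = compute_response(key, b"\x00" * CHALLENGE_BYTES)   # "captured" earlier
    print(run_session(ReplayDevice(stale), Host(key), 600))
    print("expected challenges in a 5 s capture:", challenges_in_capture(5))
```

The authentic device stays accepted for the whole 10 minute session, while the replaying device is accepted for exactly 480 seconds of reports and then locked out at the 16th challenge; a 5 second capture is expected to contain about 0.17 challenges, which is why the exchange is easy to miss in short traces.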

Weekly Report January 19 2014

Things are going slow on UsbXlater but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and Continue reading

UsbXlater, DualShock 4, PlayStation 4, Weekly Report Dec 15, 2013

I haven’t worked on the firmware for the UsbXlater for a while. This is because I really want it to work on the PlayStation 4 by spoofing the DualShock 4, but after some heavy investigation, it seems that this is impossible (in the sense of spoofing).

On the DualShock 4 circuitry, I have recently found the UART (aka serial port) pins for the Bluetooth module’s HCI (host controller interface). I used my logic analyzer to capture the data from the HCI. The results are posted on my wiki page about the DualShock 4, along with the pcap file with the entire capture.

The PlayStation 4 does not seem to accept input through USB. I did get UsbXlater entirely working and replicating the behaviour of a real DualShock 4, but the PlayStation does not respond. The Bluetooth connection is always active during this time.

Over Bluetooth, it seems that the L2CAP packets carrying the report contain 4 bytes at the end that appear to be random. This could mean it’s a checksum or a hash. Update: it’s a CRC32 with a standard initial value. It’s easy to generate and I’ve already tested it on my sample capture data, so that’s good news. Credit goes to Matlo from GIMX.
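Two CRC details from these posts are worth seeing in code: checking a 4 byte CRC32 trailer like the one described above, and (from the January 19 2014 report) driving a 32-bit hardware CRC unit such as the STM32F4’s so that it produces the standard CRC32 rather than its native variant. The block below is an added example, not the author’s firmware and not Matlo’s code. It assumes the STM32F4 CRC peripheral behaves as its reference manual describes it: polynomial 0x04C11DB7, initial value 0xFFFFFFFF, 32-bit input words processed MSB first, no bit reversal (CRC-32/MPEG-2). The standard CRC32 (the one zlib.crc32 computes) differs only in reflected bit order and a final inversion, so bit-reversing each little-endian word on the way in, bit-reversing the result on the way out and inverting gives the same value; the hardware only takes whole words, so a 1 to 3 byte tail is finished in software with the same register. The trailer byte order (little-endian) and the sample report bytes are constructed for the demo. Note what the check does and does not give you: a CRC confirms the bytes arrived intact, and anyone holding the data can regenerate it, so it is integrity, not authentication.

```python
"""Model of a word-at-a-time, non-reflecting hardware CRC unit (STM32F4-style
CRC-32/MPEG-2) and the bit-reversal trick that makes it yield the standard
CRC32, plus a trailer check. Added example; hardware behaviour, trailer byte
order and sample bytes are assumptions stated in the lead-in."""
import struct
import zlib

POLY = 0x04C11DB7          # CRC-32 polynomial, non-reflected form
INIT = 0xFFFFFFFF          # hardware reset value


def rev32(x: int) -> int:
    """Bit-reverse a 32-bit value (what the Cortex-M RBIT instruction does)."""
    return int(f"{x & 0xFFFFFFFF:032b}"[::-1], 2)


def rev8(x: int) -> int:
    """Bit-reverse one byte."""
    return int(f"{x & 0xFF:08b}"[::-1], 2)


def hw_step(crc: int, value: int, nbits: int) -> int:
    """Clock nbits of value (MSB first) through a non-reflecting CRC-32 register."""
    crc ^= (value << (32 - nbits)) & 0xFFFFFFFF
    for _ in range(nbits):
        if crc & 0x80000000:
            crc = ((crc << 1) ^ POLY) & 0xFFFFFFFF
        else:
            crc = (crc << 1) & 0xFFFFFFFF
    return crc


def hw_crc_words(words) -> int:
    """What the raw hardware returns after reset and feeding these 32-bit words
    (CRC-32/MPEG-2). This is NOT the standard CRC32 of the same bytes."""
    crc = INIT
    for w in words:
        crc = hw_step(crc, w, 32)
    return crc


def crc32_via_hw(data: bytes) -> int:
    """Standard CRC32 of data, computed the way firmware would drive the unit:
    reverse each little-endian word in, reverse the register out, invert.
    A trailing 1-3 bytes are finished byte-wise in software on the same register."""
    full = len(data) // 4
    crc = INIT
    for (w,) in struct.iter_unpack("<I", data[: full * 4]):
        crc = hw_step(crc, rev32(w), 32)
    for b in data[full * 4:]:
        crc = hw_step(crc, rev8(b), 8)
    return rev32(crc) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hardware-style computation against zlib's CRC32."""
    return crc32_via_hw(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def make_frame(body: bytes) -> bytes:
    """Append a little-endian CRC32 trailer (byte order is an assumption)."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_trailing_crc32(frame: bytes) -> bool:
    """True if the last 4 bytes are the CRC32 of everything before them."""
    if len(frame) < 4:
        return False
    body, trailer = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("<I", trailer)[0]


# Constructed stand-in for a report payload; not real controller data.
SAMPLE_BODY = b"constructed-sample-input-report"
SAMPLE_FRAME = make_frame(SAMPLE_BODY)

if __name__ == "__main__":
    print("check value 123456789:", hex(crc32_via_hw(b"123456789")))
    print("raw hardware value, no reversal:",
          hex(hw_crc_words(struct.unpack("<2I", b"12345678"))))
    print("trailer valid:", verify_trailing_crc32(SAMPLE_FRAME))
    tampered = bytearray(SAMPLE_FRAME)
    tampered[3] ^= 0x01
    print("trailer valid after 1-bit flip:", verify_trailing_crc32(bytes(tampered)))
```

The `123456789` check value is the standard CRC32 test vector (0xCBF43926), which exercises both the word path and the byte-wise tail; the raw hardware value printed next to it shows why firmware that forgets the reversal and inversion never matches the captured trailer.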

I do have a new version of the UsbXlater hardware that I can get assembled next week. It will emulate button presses on the DualShock 4 directly using electrical signals connected to the buttons themselves, instead of digitally through spoofing data streams.

I am aware that CronusMax has a “proof of concept” video of his hardware working on the PS4, but that video is a fake: what he did is program it to act as a HID keyboard, which only works in the menus. This is why the video does not show gameplay and why he does not outright say that it will be supported. Everybody who is making a device similar to XIM or Cronus or Eagle Eye Converter or UsbXlater is facing the exact same difficulties I am facing. I am disappointed in Cronus because the video’s purpose is probably to drive up pre-orders from people who are hoping for PlayStation 4 support which might never come.

Weekly Report December 1, 2013

The Playstation 4 is great, I got mine from Amazon 2 weeks ago, no problems. USBXLATER is on hold. After weeks of investigation and experimentation and collaborating with other people, it seems that the PS4 only accepts the data from DualShock 4’s Bluetooth interface, and not the USB interface, even if HID reports are sent through USB. This makes emulation via USB impossible. The next possible methods are to emulate the Bluetooth connection instead, or to install an internal modification to the DualShock 4’s hardware.

My Bluetooth module currently does not have some features that allow me to use it for spoofing so I’ll have to get a new one before even attempting it. I have started on the design for this internal modification already.

I attempted to use the Ubertooth One to do Bluetooth sniffing, but it is extremely hard to use and doesn’t seem to work right. I can obtain the LAP and UAP of my Playstation using it; with this information, the Ubertooth is supposed to be able to perform the calculations required to follow the same frequency hopping pattern that the Playstation and DualShock use. But the Ubertooth cannot successfully do this, and when it does seem to obtain the pattern, it fails to decode every single packet, leading me to think that it miscalculated the hopping pattern.

iOS’s BLE events seem to be polled at a really slow rate. I had to fix a problem which involved using the time when the event handler was fired. The timestamp was not accurate at all and appeared to arrive in bursts at 1 second intervals. This problem was fixed by using another method of obtaining the actual time when the notification was sent from the BLE device: I packed a sample interval into the packet I sent.

Weekly Report Nov 17 2013

USBXLATER is going strong, constantly improving with new features. During the testing, I picked up another generic USB hub to test…

Like the picture said, they do not work; I have other generic hubs that do work. These ones seem to exhibit a signalling issue. The strangest thing is that they’ll work if I plug them into my USB traffic analyzer, which means I can’t even debug the signals…

Weekly Report Nov 10 2013

USBXLATER is going great! I’m using it to play through BF4’s single player, to work out bugs. I implemented anti-acceleration for the mouse, plus some filtering, and it feels amazingly like a PC game. I also gave a USBXLATER to Matlo from GIMX because he’s so helpful.

iOS and nRF51 are talking beautifully now. I feel like I can do whatever I want with BLE technology now.

I got a writable NFC tag keychain, I can use a phone app on my Galaxy Note 3 to write my contact info into the tag, and when you scan it, it asks you to import my contact information. Now I keep it with all my keys.

I went to a Freescale seminar. In summary (from the 3 sessions I went to, out of many):

  • Kinetis chips do not have any bootloader today, but starting winter of 2013, they will start to add factory stock bootloaders.
  • They are making new ARM Cortex chips with built-in radio transceivers, to be released this winter.
  • They are going after the Qi wireless charging market, with some NFC involvement too.
  • I learned more about making PCBs that won’t fail due to bad EM characteristics.
  • I think Freescale is slightly behind on the market, I know NXP and ST both already have factory stock bootloaders. ST has their STM32W family already, and I’m already using nRF51 from Nordic.

Had to fight off a wave of spam to my website, because I forgot to turn on account confirmation on my wiki, oops.

Weekly Report Nov 2 2013

I’ve been working with the VS1000D chip, made by VLSI, who has very cool engineers.

Getting closer to the next generation console launch dates. My USB keyboard+mouse-to-console adapter is going great, adding in configurable data translation and such. Still waiting on new PCBs.

I went to the hackerspace in downtown Toronto. I met some great people there. The space is a bit small but they plan on moving to a bigger space soon. I gave away a few spare blank PCBs while I was there.

I played “Journey”. It is one of the must-play titles of the PS3. I suggest you play it in one sitting, with nobody around physically to bother you, and signed into PSN. This is the only way and best way to enjoy this unique game.

Weekly Report Oct 26 2013

Still using a Mac Mini for iOS stuff, and still hating it. I don’t like their troubleshooting ideology. I tried to add Synergy to pre-login startup tasks but I got an error upon logging in saying that the task can’t start because of a security concern. When I tried to find a solution to this error, I was told to simply delete it, not helpful at all.


Weekly Report September 1

I’ve been playing with an nRF dev kit from Nordic Semiconductors. The bad news is that they require a product key to access downloads. The kind-of-good news is that their code is designed to be compiled under Eclipse with GCC (hurray for open source). The bad news is that they’ve designed the files to use assumed toolchain install paths; their makefile literally says:

ifeq ($(findstring 86, $(ProgramFiles)), )
PROGFILES := C:/Program Files
else
PROGFILES := C:/Program Files (x86)
endif
GNU_INSTALL_ROOT := $(PROGFILES)/GNU Tools ARM Embedded/4.7 2013q1

So… it only works on the default install path of “GNU Tools ARM Embedded”, and only works for one version. Continue reading

Weekly Report August 25 2013

I got my STM32F2 to jump to the built-in system bootloader. Also figured out that the default function for sending out SWO debug messages will freeze my code if no debugger is attached, which is kind of stupid but I fixed it with a simple check. Last week I got blocking UART working, this week I got non-blocking UART working.

I’ve got a TUSB2036 chip that won’t start the oscillator for the 6 MHz crystal, but sometimes it does start. This is holding up the Xim clone project.

I’ve begun 3D modeling the KSP Kontroller, the parts are going to be super expensive but industrial, it’ll look pretty cool.

I’m working a lot on XMEGA stuff; it seems to be great if you need complex behaviour at a low speed. It’s got peripherals with as many (or more) features as most ARM Cortex M chips, but still uses 8 bit instructions and is capped at 32 MHz. No oscillator is required for full speed USB because the internal oscillator can be auto-calibrated using USB SOF.

Weekly Report August 18 2013

I’m going to document stuff I’ve learned every week, new stuff I’ve obtained, small progress I’ve made, etc.

How to design exposed conductive traces meant for silicone keypads:

I obtained an nRF51822-DK, a Bluetooth dev kit using Nordic’s nRF51822, which is an ARM Cortex M0 microcontroller with a built-in 2.4GHz radio transceiver. Once you own the kit, Nordic gives you access to the software you need, which is kind of annoying. Continue reading