UsbXlater Preview

Hi HACKADAY readers, I have some updates: Progress on UsbXlater, DualShock 4 spoofing

This circuit is a STM32F2 chip with a USB host interface and USB device interface. The original goal of this project is to allow me to play Playstation 4 games using a keyboard and mouse (as opposed to using a gamepad, because the PS3/PS4/Xbox360/XboxOne do not support keyboard and mouse directly in games).

20131101_181657 (Large)20131101_181711 (Large)20131101_181722 (Large)20131101_181730 (Large)20131101_181741 (Large)usbxlater

This device has many possible uses…

This circuit can input/output from a USB device while simultaneously input/output with a USB host. So I can take input from a USB mouse and USB keyboard, translate the data into a format that the Playstation accepts, and send it to the Playstation.

Other possibilities:

  • Act as a test signal generator for USB devices, by being a USB host
  • Act as a test signal generator for USB hosts, by being a USB device
  • Log and analyze traffic between a USB device and USB host, even manipulate the data or inject data
  • Block write attempts to USB media, turning any USB drive into read-only, ensuring that data will not be altered or lost
  • There are countless more possibilities, use your imagination

The project is open source, click here to download hardware version 20131021. The zip package contains EAGLE schematics, PCB, and a part list.

There is also a github repo for this project.

You can load precompiled firmware without any tools using a bootloader. This means any user can perform firmware updates without needing any tools. However, a firmware developer will find that using some programming and debugging tools is more convenient and helpful:

  • Serial port of some sort
    • maybe a FT232 or FT230X breakout board? FTDI cable? Anything similar will work
  • Debugger (any one of these is good, but I’ve listed them in my order of recommendation)
    1. J-Link (or J-Link EDU)
    2. J-Link LITE CortexM
    3. ST-Link V2
    4. any other SWD capable debugger
      • SWO capability highly recommended
  • USB traffic analyzer. This will help a lot, but they can be expensive

The header exposes the SWD interface (SWCLK, SWDIO, SWO), the reset signal, and a serial port (RX and TX). This header is meant for use by firmware developers. There is a jumper header used to select the bootloader. There is a reset button. There are 4 LED indicators.

Internally, the STM32F205RGT runs at 120MHz, has 1 megabyte of flash memory, and 132 kilobytes of RAM. This chip was selected because of its high performance, which means less latency in video gaming applications.

The current work-in-progress firmware is capable of handling unlimited number of slave USB devices (you need a USB hub for more than one device), and the firmware is capable of fully emulating the behaviour of a Playstation controller. The USB framework code is completely ready. It is smooth sailing from here, but it’s not 100% done. The code will be open source once I get a basic demonstration working.

I have many spare blank PCBs of this circuit right now. I plan on giving them away. I will give some to members of the local hackerspaces who are interested. I will also give them to anybody who is interested, but you will have to convince me that you deserve one…

  • Preference given to people who will use it for Playstation or Xbox gaming
    • Please play a lot of different games, the calibration settings for each game may need to be adjusted
    • Personally I only have a Playstation 4 on preorder, not a Xbox One, so preference is given to a Xbox One owner
  • Do you have any good ideas?
  • Do you already have a USB traffic analyzer? This will help tremendously.
  • Can you code a little bit? Do you have any tools that I suggested?
  • Must be willing to share your work with me and the public

I encourage you to contact me privately if you want a spare blank PCB. If you want an assembled circuit, you will need to pay for the parts.

Also if you help out, I’ll let you suggest a better name for it. USB Xlater is supposed to be USB Translator, but cooler…

Just in case you feel the urge to tell me that this idea is not new… Let me assure you that I know, there are plenty of products out there like this. But mine is made by me for fun, and it is also open source and hackable

11 thoughts on “UsbXlater Preview

  1. Gibkeeg

    It’s my understanding that the Dualshock controller does all of it’s communication via Bluetooth. All of the communication over usb is disabled. Do you plan to tackle this with a bluetooth solution?

    1. Admin Post author

      I have come to this conclusion as well. I will be investigating the Bluetooth solution, as well as simply installing something inside the DualShock itself. I actually have a “weekly report” blog post that discusses the Bluetooth topic next week.

  2. mrasmus

    I’m not 100% sure, but IIRC the DS4 actually *does* operate radio-free when plugged in, just like the DS3/SIXAXIS did. I know for a fact that MS claimed to have moved to this style of operation with the XBO controller, though. That said, it’s also my understanding that (sadly) both controllers are now protected by security chips (similar to how the 360 was protected last generation), so homebrew controller boards aren’t going to be working any time soon. This is a major problem/point of frustration for the custom arcade stick scene, who has had to go back to the old practice of ‘padhacking’ instead of making custom boards (see the DualStrike/Cthulhu/UPCB/PS360 projects) for their designs for next-gen systems.

    I believe it’s *possible* for PS4 devs to support non-PS4 controllers (normal HID’s like the PS3 did), but it’s on a game-by-game basis. “Native” support, though (which would work in every game) seems protected (I could be mistaken).

    The XBO I know has this kind of protection, so this is sadly dead in the water for that. I’m pretty sure that I heard Sony went the same way, but I haven’t tinkered in the controllers myself to confirm.

    Sadly, this is some hardcore HW DRM, not easily circumvented — it’s implemented to prevent unlicensed third-party controllers from companies in China, so it’s not something that can be just hacked around; last time (the 360 controller) took time, a few hundred grand, and some real fancy tools to take care of (scanning electron microscopes and the like).

    That all being said, your board looks pretty nice. I’d love to play with one for controls injection/playback purposes (make a “macro adapter” for any old controller; could be pretty nice). Good luck with the project!

    1. Admin Post author

      Microsoft disables their radio while plugged in to save precious battery power since they are using off-the-shelf AA batteries. I don’t own a Xbox One or the controller so I can’t be sure of anything I say here. In the last generation, the Xbox 360 used a simple handshake with DES encryption to authenticate genuine Xbox 360 gamepads. I assume they’ve done the same thing this time. The data should still be unencrypted. The only thing stopping a device like UsbXlater from working on it is that a real genuine gamepad must be present to handle the authentication handshake, while the actual HID reports would be generated by UsbXlater.

      The PlayStation 4 is different, the HID reports over Bluetooth seems to end in 4 bytes that appears to be random, the same 4 bytes do not appear in the USB data packets. The PlayStation 4 does not shutdown the radio while plugged in, it also does not accept USB inputs. These ending 4 bytes could be a checksum or hash that makes it hard or impossible to make a 3rd party controller for the PlayStation 4.

      As you said, native support for other 3rd party controllers may depend on the game developers. Sony might license somebody to make a keyboard and mouse specifically for the PlayStation 4 but the developers of the game might decide to make it incompatible.

  3. fpga_nugga

    I have a Beagle superspeed analyzer and a PS4. Let me know if I can log something (I’ve already done camera which was itneresting)

    1. Admin Post author

      Superspeed? Man you’ve got cash, I have the Beagle 12, it’s enough for this job.

      You should post some information about the camera.

  4. Chris Maderia

    As an owner of both the PS4 and the XB1 I want one controller that can be used on both platforms. I cannot stand the PS4 controller and have been looking high,low and everywhere in between to find an XB1 Style controller that will work on the PS4 or some type of adapter that can be plugged into the XB1 control to allow it to be used on an XB1.

    1. Admin Post author

      I tried out the XB1 controller in the store, I find it too uncomfortable to use the shoulder buttons. I’ve also seen a teardown of the internals of the XB1 controller and I think it’s needlessly complicated and expensive in comparison to a DualShock. The proprietary audio connector for the XB1 controller is also annoying.

      It’s actually easier to get a XB1 controller spoof working because I wouldn’t have to mess with Bluetooth so much. There’s no reason why I can’t add XB1 support for the firmware, and then have an XB1 controller work for PS4, or a DS4 working on XB1. However, the authentication security used by Sony and Microsoft means you’ll need to connect the controller you want to spoof somehow.

      However I don’t have a XB1 and I don’t plan on getting one too soon, maybe later.

      There are other people working on this stuff besides me. For example, XIM have XB1 support working first already.

      1. Amma

        Is it possible to connect original controller to the hub authenticate PS with it and then disable it and use its identification to send a third-party data? Or are communications encrypted?

        1. Admin Post author

          The authentication happens continuously forever, once every few seconds, so you can’t disable it ever.


Leave a Reply

Your email address will not be published. Required fields are marked *