Weekly Report January 19 2014

Things are going slow on UsbXlater but I am making progress. I’ve written some utilities to store persistent data in flash, with wear leveling! I figured out how to get the hardware CRC peripheral working inside the STM32F4 in a way that will allow it to spoof the CRC used inside a DualShock. I have started writing a minimal Bluetooth implementation for UsbXlater, but this is a huge undertaking and will take up a lot of time.

I got as far as enumerating a USB Bluetooth dongle, and then sending it a reset command and a read BD_ADDR command. I can get the command complete event back, and read the BD_ADDR back.

One obscure problem I faced was that I did not set the right sizes for the host channels. The problem’s symptom was that my code froze after I sent any command to the dongle. The code froze because an ISR was firing repeatedly, further investigation showed that it was firing because the host channel received a babble error (in the code, it is “bblerr”). This error was unhandled and thus the interrupt would repeated fire. The error occured because the host channel size was incorrect and the USB dongle was sending more data than what the size allowed.

I am hoping that I can at least wake up the PS4 next. This should be easy, a baseband connection request should do the trick. I’ve already tested this using a Raspberry Pi.

Another interesting discovery I’ve made during all of this: the Bluetooth link key used to pair and authenticate the DualShock 4 and PS4 is sent over USB. However, you can also perform “simple pairing” without a USB cable by: going into the PS4’s settings menu, then devices, then Bluetooth, and then initiate “PC mode” on the DualShock 4 by holding the share and PS button together.

Since the mystery with the Bluetooth security (or, the lack of security) is solved. From here on, it seems like nothing can prevent me from spoofing a DualShock 4. Full steam ahead! I even purchased some RN42HCI modules, because the USB Bluetooth dongles take up precious host channels. I will probably end up designing another PCB with the RN42HCI on it.

Anyways, I am chatting with Matlo from GIMX during all this hacking, he was able to adapt his old Bluetooth proxy to work with the DualShock 4. This proves that it is indeed easy to spoof a DualShock 4.

I don’t own an Xbox One and I have not kept up with any Xbox news, but the Xbox 360 used an authentication chip for the sole purpose of preventing other people from making knock off Xbox controllers. But as far as we can tell, Sony does not employ the same strategy. This will probably mean we can expect to see some cheaper alternatives to the DualShock 4, although the quality of which will be questionable.

Leave a Reply

Your email address will not be published. Required fields are marked *