Difference between revisions of "DualShock 4"

From Eleccelerator Wiki
(UART HCI)
(UART HCI)
Line 539: Line 539:
  
 
[http://eleccelerator.com/files/ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz], similar to the file before, but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
 
[http://eleccelerator.com/files/ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz], similar to the file before, but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
 +
 +
==HID Report==
 +
 +
Here's a sample HCI transaction that represents a report from the DS4 to the PS4
 +
<pre>02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B</pre>
 +
 +
The header is
 +
<pre>02 15 20 53 00 4F 00 42 00</pre>
 +
 +
Which means this is a Bluetooth HCI ACL packet, connection handle is 0x15, CID is 0x0042, and the length of the HID portion is 79 long.
 +
 +
The 79 byte HID portion is
 +
<pre>A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B</pre>
 +
 +
===CRC32===
 +
Notice the last 4 bytes, 7D 0A 5D 0B, this value is different for every report packet, it appears to be random but it is actually a CRC32 over the first 75 bytes of the HID report. The CRC32's polynomial is 32 and the initial value of the CRC32 is 0x0B5D0A7D.
 +
 +
You can use [http://www.lammertbies.nl/comm/info/crc-calculation.html] to try this yourself, enter
 +
 +
<pre>A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00</pre>
 +
 +
into the textbox in [http://www.lammertbies.nl/comm/info/crc-calculation.html]
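Review bot: the CRC32 paragraph gives the initial value as 0x0B5D0A7D, which is the same four bytes as the sample's trailer 7D 0A 5D 0B read least-significant byte first, so it reads as the expected result for this one packet rather than a seed. "The CRC32's polynomial is 32" likewise gives a width, not a polynomial. Suggest naming the actual polynomial and initial value and stating the byte order of the stored checksum, so the check can be reproduced without the external calculator. The two bare external links would also benefit from link text.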

Revision as of 09:22, 17 December 2013

Review:

It feels really good to hold.


Hardware

Teardown photo album: http://imgur.com/a/ytRW5

The USB port and LED are on one separate board, connected using a flat flexible cable; this cable is connected to a vertical FFC connector that does not have a locking mechanism.

The touchpad sensor is also detachable, connected using a flat flexible cable; this cable is connected to the main PCB using a connector that has a flip-up locking mechanism.

The speaker is not removable and it connects to the main PCB using some raised contacts.

The battery is 3.65V 1000mAh Li-ion.

Main microcontroller is a Spansion MB9BF002, an ARM Cortex-M3 core, BGA package. The reset and SWD signals might be exposed to test points, I am not sure.

The Bluetooth module shows "8LA18366" and "GS-WCM-01" (or maybe it's "GS-WCN-01") and "VR2.0". There is also a QR code that I can't decipher yet. There are a lot of test points near it. Underneath, it is confirmed to be a Qualcomm Atheros AR3002.

There's a chip marked with "BD9200" (in QFN 32 pin footprint) that might be a PMIC because it has some thick traces around it, plus a big inductor. One of the pins near it read 6V, might be for the motor.

There's a shiny small square chip left of the left analog stick, it is marked with "7710" "325A1", I have no idea what this is, but there are some differential signals coming out of it, it might be USB, the activity stops when I disconnect the USB cable. I think this is connected to the USB port. I suspect this is an OTG chip.

There's a rectangular (maybe LGA) chip on the bottom side on the left, marked with "134" "A1322" "333", possibly a sensor. It's got some sort of latch signal around it, or maybe it's a weird clock. It's slow and doesn't seem like a bus. Or it could be a shift register and it's reading blank because I'm not pressing buttons.

There's a QFN 32 pin chip marked with "WM18016" (the M could be a N, the 6 could be a G) "36A0LM6" dead center on the bottom side of the PCB. It has a sine wave logo on it (possibly Wolfson Microelectronics). It is near the audio stuff but it is also near where all the buttons connect. There are 5 test points near it. It appears to be communicating with SPI with constant activity. There's also two resistors that look like I2C pull-up resistors, and there appears to be constant I2C traffic.

Some buttons are active low, some are active high (maybe only the thumbstick push buttons). The sheet of flexible circuit for the buttons is active low.

I'll keep adding to this section

Flexible Film Pin Mapping

The buttons are all on a single sheet of flexible film. The contacts for the flexible film are numbered from 1 to 18, and the numbers are written on the PCB.

The triggers have a resistor printed directly on the film; this appears to form a voltage divider, so that the trigger can have an analog value. The ground side of the voltage divider appears to be oscillating; the frequency and duty cycle are not fixed or predictable.

Pin # | Purpose    | Notes
1     | L2 Common  | oscillating between 0 and 3.3V
2     | L1 Sig     | active high
3     | L1 Common  | fixed at 3.3V
4     | L2 Sig     | voltage divider output, active low
5     | DPAD Right | active low
6     | DPAD Up    | active low
7     | DPAD Left  | active low
8     | DPAD Down  | active low
9     | Common     | ground
10    | PS Button  | active low
11    | X          | active low
12    | Circle     | active low
13    | Triangle   | active low
14    | Square     | active low
15    | R2 Common  | oscillating between 0 and 3.3V
16    | R1 Sig     | active high
17    | R1 Common  | fixed at 3.3V
18    | R2 Sig     | voltage divider output, active low

USB

Audio definitely does not carry through USB.

The reports arrive once every 4ms.

Device Descriptor

0x12,        // bLength
0x01,        // bDescriptorType (Device)
0x00, 0x02,  // bcdUSB 2.00
0x00,        // bDeviceClass (Use class information in the Interface Descriptors)
0x00,        // bDeviceSubClass 
0x00,        // bDeviceProtocol 
0x40,        // bMaxPacketSize0 64
0x4C, 0x05,  // idVendor 0x054C
0xC4, 0x05,  // idProduct 0x05C4
0x00, 0x01,  // bcdDevice 1.00
0x01,        // iManufacturer (String Index)
0x02,        // iProduct (String Index)
0x00,        // iSerialNumber (String Index)
0x01,        // bNumConfigurations 1

// 18 bytes

Configuration Descriptor

0x09,        // bLength
0x02,        // bDescriptorType (Configuration)
0x29, 0x00,  // wTotalLength 41
0x01,        // bNumInterfaces 1
0x01,        // bConfigurationValue
0x00,        // iConfiguration (String Index)
0xC0,        // bmAttributes Self Powered
0xFA,        // bMaxPower 500mA

0x09,        // bLength
0x04,        // bDescriptorType (Interface)
0x00,        // bInterfaceNumber 0
0x00,        // bAlternateSetting
0x02,        // bNumEndpoints 2
0x03,        // bInterfaceClass
0x00,        // bInterfaceSubClass
0x00,        // bInterfaceProtocol
0x00,        // iInterface (String Index)

0x09,        // bLength
0x21,        // bDescriptorType (HID)
0x11, 0x01,  // bcdHID 1.11
0x00,        // bCountryCode
0x01,        // bNumDescriptors
0x22,        // bDescriptorType[0] (Report)
0xD3, 0x01,  // wDescriptorLength[0] 467

0x07,        // bLength
0x05,        // bDescriptorType (Endpoint)
0x84,        // bEndpointAddress (IN/D2H)
0x03,        // bmAttributes (Interrupt)
0x40, 0x00,  // wMaxPacketSize 64
0x05,        // bInterval 5 (unit depends on device speed)

0x07,        // bLength
0x05,        // bDescriptorType (Endpoint)
0x03,        // bEndpointAddress (OUT/H2D)
0x03,        // bmAttributes (Interrupt)
0x40, 0x00,  // wMaxPacketSize 64
0x05,        // bInterval 5 (unit depends on device speed)

// 41 bytes

HID Report Descriptor

0x05, 0x01,        // Usage Page (Generic Desktop Ctrls)
0x09, 0x05,        // Usage (Game Pad)
0xA1, 0x01,        // Collection (Application)
0x85, 0x01,        //   Report ID (1)
0x09, 0x30,        //   Usage (X)
0x09, 0x31,        //   Usage (Y)
0x09, 0x32,        //   Usage (Z)
0x09, 0x35,        //   Usage (Rz)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x04,        //   Report Count (4)
0x81, 0x02,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x09, 0x39,        //   Usage (Hat switch)
0x15, 0x00,        //   Logical Minimum (0)
0x25, 0x07,        //   Logical Maximum (7)
0x35, 0x00,        //   Physical Minimum (0)
0x46, 0x3B, 0x01,  //   Physical Maximum (315)
0x65, 0x14,        //   Unit (System: English Rotation, Length: Degrees)
0x75, 0x04,        //   Report Size (4)
0x95, 0x01,        //   Report Count (1)
0x81, 0x42,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,Null State)
0x65, 0x00,        //   Unit (None)
0x05, 0x09,        //   Usage Page (Button)
0x19, 0x01,        //   Usage Minimum (0x01)
0x29, 0x0E,        //   Usage Maximum (0x0E)
0x15, 0x00,        //   Logical Minimum (0)
0x25, 0x01,        //   Logical Maximum (1)
0x75, 0x01,        //   Report Size (1)
0x95, 0x0E,        //   Report Count (14)
0x81, 0x02,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)
0x09, 0x20,        //   Usage (0x20)
0x75, 0x06,        //   Report Size (6)
0x95, 0x01,        //   Report Count (1)
0x15, 0x00,        //   Logical Minimum (0)
0x25, 0x7F,        //   Logical Maximum (127)
0x81, 0x02,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x05, 0x01,        //   Usage Page (Generic Desktop Ctrls)
0x09, 0x33,        //   Usage (Rx)
0x09, 0x34,        //   Usage (Ry)
0x15, 0x00,        //   Logical Minimum (0)
0x26, 0xFF, 0x00,  //   Logical Maximum (255)
0x75, 0x08,        //   Report Size (8)
0x95, 0x02,        //   Report Count (2)
0x81, 0x02,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)
0x09, 0x21,        //   Usage (0x21)
0x95, 0x36,        //   Report Count (54)
0x81, 0x02,        //   Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x85, 0x05,        //   Report ID (5)
0x09, 0x22,        //   Usage (0x22)
0x95, 0x1F,        //   Report Count (31)
0x91, 0x02,        //   Output (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x04,        //   Report ID (4)
0x09, 0x23,        //   Usage (0x23)
0x95, 0x24,        //   Report Count (36)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x02,        //   Report ID (2)
0x09, 0x24,        //   Usage (0x24)
0x95, 0x24,        //   Report Count (36)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x08,        //   Report ID (8)
0x09, 0x25,        //   Usage (0x25)
0x95, 0x03,        //   Report Count (3)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x10,        //   Report ID (16)
0x09, 0x26,        //   Usage (0x26)
0x95, 0x04,        //   Report Count (4)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x11,        //   Report ID (17)
0x09, 0x27,        //   Usage (0x27)
0x95, 0x02,        //   Report Count (2)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x12,        //   Report ID (18)
0x06, 0x02, 0xFF,  //   Usage Page (Vendor Defined 0xFF02)
0x09, 0x21,        //   Usage (0x21)
0x95, 0x0F,        //   Report Count (15)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x13,        //   Report ID (19)
0x09, 0x22,        //   Usage (0x22)
0x95, 0x16,        //   Report Count (22)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x14,        //   Report ID (20)
0x06, 0x05, 0xFF,  //   Usage Page (Vendor Defined 0xFF05)
0x09, 0x20,        //   Usage (0x20)
0x95, 0x10,        //   Report Count (16)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x15,        //   Report ID (21)
0x09, 0x21,        //   Usage (0x21)
0x95, 0x2C,        //   Report Count (44)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x06, 0x80, 0xFF,  //   Usage Page (Vendor Defined 0xFF80)
0x85, 0x80,        //   Report ID (128)
0x09, 0x20,        //   Usage (0x20)
0x95, 0x06,        //   Report Count (6)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x81,        //   Report ID (129)
0x09, 0x21,        //   Usage (0x21)
0x95, 0x06,        //   Report Count (6)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x82,        //   Report ID (130)
0x09, 0x22,        //   Usage (0x22)
0x95, 0x05,        //   Report Count (5)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x83,        //   Report ID (131)
0x09, 0x23,        //   Usage (0x23)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x84,        //   Report ID (132)
0x09, 0x24,        //   Usage (0x24)
0x95, 0x04,        //   Report Count (4)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x85,        //   Report ID (133)
0x09, 0x25,        //   Usage (0x25)
0x95, 0x06,        //   Report Count (6)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x86,        //   Report ID (134)
0x09, 0x26,        //   Usage (0x26)
0x95, 0x06,        //   Report Count (6)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x87,        //   Report ID (135)
0x09, 0x27,        //   Usage (0x27)
0x95, 0x23,        //   Report Count (35)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x88,        //   Report ID (136)
0x09, 0x28,        //   Usage (0x28)
0x95, 0x22,        //   Report Count (34)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x89,        //   Report ID (137)
0x09, 0x29,        //   Usage (0x29)
0x95, 0x02,        //   Report Count (2)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x90,        //   Report ID (144)
0x09, 0x30,        //   Usage (0x30)
0x95, 0x05,        //   Report Count (5)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x91,        //   Report ID (145)
0x09, 0x31,        //   Usage (0x31)
0x95, 0x03,        //   Report Count (3)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x92,        //   Report ID (146)
0x09, 0x32,        //   Usage (0x32)
0x95, 0x03,        //   Report Count (3)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0x93,        //   Report ID (147)
0x09, 0x33,        //   Usage (0x33)
0x95, 0x0C,        //   Report Count (12)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA0,        //   Report ID (160)
0x09, 0x40,        //   Usage (0x40)
0x95, 0x06,        //   Report Count (6)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA1,        //   Report ID (161)
0x09, 0x41,        //   Usage (0x41)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA2,        //   Report ID (162)
0x09, 0x42,        //   Usage (0x42)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA3,        //   Report ID (163)
0x09, 0x43,        //   Usage (0x43)
0x95, 0x30,        //   Report Count (48)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA4,        //   Report ID (164)
0x09, 0x44,        //   Usage (0x44)
0x95, 0x0D,        //   Report Count (13)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA5,        //   Report ID (165)
0x09, 0x45,        //   Usage (0x45)
0x95, 0x15,        //   Report Count (21)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA6,        //   Report ID (166)
0x09, 0x46,        //   Usage (0x46)
0x95, 0x15,        //   Report Count (21)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xF0,        //   Report ID (240)
0x09, 0x47,        //   Usage (0x47)
0x95, 0x3F,        //   Report Count (63)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xF1,        //   Report ID (241)
0x09, 0x48,        //   Usage (0x48)
0x95, 0x3F,        //   Report Count (63)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xF2,        //   Report ID (242)
0x09, 0x49,        //   Usage (0x49)
0x95, 0x0F,        //   Report Count (15)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA7,        //   Report ID (167)
0x09, 0x4A,        //   Usage (0x4A)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA8,        //   Report ID (168)
0x09, 0x4B,        //   Usage (0x4B)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xA9,        //   Report ID (169)
0x09, 0x4C,        //   Usage (0x4C)
0x95, 0x08,        //   Report Count (8)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAA,        //   Report ID (170)
0x09, 0x4E,        //   Usage (0x4E)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAB,        //   Report ID (171)
0x09, 0x4F,        //   Usage (0x4F)
0x95, 0x39,        //   Report Count (57)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAC,        //   Report ID (172)
0x09, 0x50,        //   Usage (0x50)
0x95, 0x39,        //   Report Count (57)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAD,        //   Report ID (173)
0x09, 0x51,        //   Usage (0x51)
0x95, 0x0B,        //   Report Count (11)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAE,        //   Report ID (174)
0x09, 0x52,        //   Usage (0x52)
0x95, 0x01,        //   Report Count (1)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xAF,        //   Report ID (175)
0x09, 0x53,        //   Usage (0x53)
0x95, 0x02,        //   Report Count (2)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0x85, 0xB0,        //   Report ID (176)
0x09, 0x54,        //   Usage (0x54)
0x95, 0x3F,        //   Report Count (63)
0xB1, 0x02,        //   Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile)
0xC0,              // End Collection

// 467 bytes

Sample Report

01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA
FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00
00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00
80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00

Report Structure

Data Format

byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0
[0]        | Report ID (always 0x01)
[1]        | Left Stick X (0 = left)
[2]        | Left Stick Y (0 = up)
[3]        | Right Stick X
[4]        | Right Stick Y
[5]        | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
[6]        | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1
[7]        | Counter (counts up by 1 per report) | T-PAD | PS
[8]        | Left Trigger (0 = released, 0xFF = fully pressed)
[9]        | Right Trigger
[10]       | Unknown, seems to count downwards, non-random pattern
[11]       | Unknown, seems to count upwards by 3, but by 2 when [10] underflows
[12]       | Unknown yet, 0x03 or 0x04
[13 - 14]  | Possibly Gyro X (seems to be signed)
[15 - 16]  | Possibly Gyro Y
[17 - 18]  | Possibly Gyro Z
[19 - 20]  | Possibly Accel X
[21 - 22]  | Possibly Accel Y
[23 - 24]  | Possibly Accel Z
[25 - 63]  | TODO, work in progress
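The layout above applied to the Sample Report, as an added example (not code from this wiki). It assumes the 16-bit motion fields are little-endian signed values, and every function and constant name in it is made up for the illustration.

```python
import struct

# Sample USB input report copied from the "Sample Report" section (64 bytes).
SAMPLE_REPORT = bytes.fromhex(
    "01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA "
    "FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00 "
    "00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 "
    "80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00"
)

HAT_NAMES = ("N", "NE", "E", "SE", "S", "SW", "W", "NW", "released")
# Button names indexed by bit number (bit 0 first), per the table above.
BYTE5_BITS = {4: "SQR", 5: "X", 6: "CIR", 7: "TRI"}
BYTE6_BITS = dict(enumerate(("L1", "R1", "L2", "R2", "SHARE", "OPT", "L3", "R3")))
BYTE7_BITS = {0: "PS", 1: "T-PAD"}


def pressed(value, names):
    """Return the names whose bit is set in value."""
    return {name for bit, name in names.items() if value & (1 << bit)}


def decode_input_report(report):
    """Decode bytes [0]..[24] of a report ID 0x01 input report."""
    if len(report) < 25:
        raise ValueError("report shorter than the documented fields")
    if report[0] != 0x01:
        raise ValueError("unexpected report ID 0x%02X" % report[0])
    hat = report[5] & 0x0F
    if hat > 8:
        # The table lists 0..7 as directions and 0x08 as released.
        raise ValueError("hat value %d is outside the documented range" % hat)
    buttons = (pressed(report[5], BYTE5_BITS)
               | pressed(report[6], BYTE6_BITS)
               | pressed(report[7], BYTE7_BITS))
    # Assumption: six little-endian signed 16-bit values starting at byte 13.
    motion = struct.unpack_from("<6h", report, 13)
    return {
        "left_stick": (report[1], report[2]),
        "right_stick": (report[3], report[4]),
        "hat": HAT_NAMES[hat],
        "buttons": buttons,
        "counter": report[7] >> 2,          # upper six bits of byte 7
        "triggers": (report[8], report[9]),
        "gyro": motion[0:3],                # "possibly" gyro, per the table
        "accel": motion[3:6],               # "possibly" accel, per the table
    }


if __name__ == "__main__":
    for field, value in decode_input_report(SAMPLE_REPORT).items():
        print(field, value)
```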

Class Requests

This is what happened with a controller that was not previously synced to the PS4

Set Address
Get Device Descriptor:    (Short Device Descriptor)
Get Device Descriptor:    (Full Device Descriptor)
Get String Descriptor[idx=0, langID=0]:      04 03
Get String Descriptor[idx=0, langID=0]:      04 03 09 04
Get String Descriptor[idx=1, langID=0x0409]: 38 03
Get String Descriptor[idx=1, langID=0x0409]: "Sony Computer Entertainment"
Get String Descriptor[idx=2, langID=0x0409]: 
Get String Descriptor[idx=3, langID=0x0409]: "Wireless Controller"
Get Configuration Descriptor: (Short Configuration Descriptor)
Get Configuration Descriptor: (Full Configuration Descriptor)
Get Device Status: 00 00
Set Configuration to 0x01
Get Descriptor:  (HID Report Descriptor)
Set Idle to 0
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 00 00 00 00 00 00
Set Report 0x13: 13 AC 9E 17 94 05 B0 56 E8 81 38 08 06 51 41 C0 7F 12 AA D9 66 3C CE
Set Report 0x12: 14 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The same controller is then disconnected, and this is what happened when it reconnected

... enumeration steps same as before
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00
Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00
Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 AC 9E 17 94 05 B0

Report ID 0xA3 seems to be some sort of time-of-manufacture identifier; it contains a date and time as a string in the beginning, ".Aug 3 2013.....07:01:12...........1....I....."

AC 9E 17 94 05 B0 is the PS4 (host) Bluetooth MAC address (in proper MAC format, it is B0:05:94:17:9E:AC): AC 9E 17 is the LAP, 0x94 is the UAP, and 05 B0 is the NAP. This was verified using a Bluetooth sniffer.

I am guessing that 8B 09 07 6D 66 1C means something; it's different on a different controller, and it seems to be the Bluetooth MAC address of the DualShock 4. In proper MAC format it is 1C:66:6D:07:09:8B in this example.
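The byte order described above, applied to the captured 0x12 and 0xA3 responses, as an added example (not code from this wiki). The 16-byte widths used for the date and time strings in report 0xA3 are an assumption read off the sample, and all names are made up for the illustration.

```python
# Feature report responses copied from the captures above.
REPORT_A3 = bytes.fromhex(
    "A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 "
    "30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 "
    "01 00 31 03 00 00 00 49 00 05 00 00 80 03 00"
)
REPORT_12_FIRST_CONNECT = bytes.fromhex(
    "12 8B 09 07 6D 66 1C 08 25 00 00 00 00 00 00 00")
REPORT_12_RECONNECT = bytes.fromhex(
    "12 8B 09 07 6D 66 1C 08 25 00 AC 9E 17 94 05 B0")


def format_bdaddr(raw):
    """Six bytes as stored in the report (LAP first) -> usual MAC notation."""
    if len(raw) != 6:
        raise ValueError("a Bluetooth address is six bytes")
    return ":".join("%02X" % b for b in reversed(raw))


def split_bdaddr(raw):
    """Split the stored bytes into the LAP, UAP and NAP named in the text."""
    return {
        "lap": int.from_bytes(raw[0:3], "little"),
        "uap": raw[3],
        "nap": int.from_bytes(raw[4:6], "little"),
    }


def decode_report_12(report):
    """Return the controller address and the stored host address, if any."""
    if len(report) != 16 or report[0] != 0x12:
        raise ValueError("not a 16-byte report 0x12 response")
    host_raw = report[10:16]
    return {
        "controller": format_bdaddr(report[1:7]),
        # All zeroes is what the capture shows before the first pairing.
        "host": format_bdaddr(host_raw) if any(host_raw) else None,
        "host_parts": split_bdaddr(host_raw) if any(host_raw) else None,
    }


def decode_report_a3(report):
    """Extract the two NUL-padded ASCII strings at the start of report 0xA3."""
    if len(report) < 33 or report[0] != 0xA3:
        raise ValueError("not a report 0xA3 response")
    # Assumption: two 16-byte fields, date then time.
    date = report[1:17].split(b"\x00")[0].decode("ascii")
    time = report[17:33].split(b"\x00")[0].decode("ascii")
    return {"date": date, "time": time}


if __name__ == "__main__":
    print(decode_report_a3(REPORT_A3))
    print(decode_report_12(REPORT_12_FIRST_CONNECT))
    print(decode_report_12(REPORT_12_RECONNECT))
```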

Bluetooth

The DS4 has two modes, one where you can pair it with a computer (hold PS and Share at the same time until the light blinks twice in quick succession), and another mode when it is used with a PS4.

In the PS4 mode, it appears to advertise as two devices, one is a game controller and the other is an audio device. The game controller has a class 0x002508, and the audio device is class 0x200404. Neither has a name.

Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof a previously paired DS4's BDADDR and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.

UART HCI

On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points. You can clearly see the UART HCI data when you analyze the traffic on the RX and TX pins.

The data seems to be at a baud rate of exactly 3Mbit/s, sticking with HCI standards, meaning it's 8N1.

The report rate seems to be once every 1.3 milliseconds, but there are some occasional gaps in between that can reach 15 milliseconds.

File:Ds4 uart hci cap with unpaired better.pcap: this file is a capture of the traffic over the UART HCI. Wireshark is required to view this PCAP file.

ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz: similar to the file before, but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.

HID Report

Here's a sample HCI transaction that represents a report from the DS4 to the PS4

02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B

The header is

02 15 20 53 00 4F 00 42 00

This means it is a Bluetooth HCI ACL packet: the connection handle is 0x15, the CID is 0x0042, and the HID portion is 79 bytes long.

The 79 byte HID portion is

A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B

CRC32

Notice the last 4 bytes, 7D 0A 5D 0B. This value is different for every report packet; it appears to be random, but it is actually a CRC32 over the first 75 bytes of the HID report. The CRC32's polynomial is 32 and the initial value of the CRC32 is 0x0B5D0A7D.

You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself: enter

A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00

into the textbox on that page.
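The header fields and the trailer check from the HID Report and CRC32 sections, done offline on the sample transaction, as an added example (not code from this wiki). It assumes the trailer is stored least-significant byte first and that the checksum is the common reflected CRC-32 that zlib implements, which the page does not spell out. All names are made up for the illustration. A CRC only catches accidental corruption, so a passing check says nothing about who sent the report.

```python
import struct
import zlib

# HCI transaction copied from the page (UART H4 framing, DS4 to PS4).
SAMPLE_FRAME = bytes.fromhex(
    "02 15 20 53 00 4F 00 42 00 "
    "A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF "
    "04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 "
    "00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 "
    "80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B"
)


def parse_acl_frame(frame):
    """Split one unfragmented H4 ACL frame into its header fields and payload."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte header")
    if frame[0] != 0x02:
        raise ValueError("not an HCI ACL data packet")
    handle_flags, acl_len, l2cap_len, cid = struct.unpack_from("<HHHH", frame, 1)
    # Both length fields must agree with what was actually captured,
    # otherwise the payload slice below would cover the wrong bytes.
    if acl_len != len(frame) - 5:
        raise ValueError("ACL length field does not match the frame")
    if l2cap_len != acl_len - 4:
        raise ValueError("L2CAP length does not fit in this single ACL frame")
    return {
        "handle": handle_flags & 0x0FFF,
        "pb_flag": (handle_flags >> 12) & 0x3,
        "bc_flag": handle_flags >> 14,
        "cid": cid,
        "payload": frame[9:],
    }


def split_trailer(hid):
    """Return (body, stored_crc) for a HID portion ending in a 4-byte trailer."""
    if len(hid) <= 4:
        raise ValueError("HID portion too short to carry a trailer")
    return hid[:-4], int.from_bytes(hid[-4:], "little")


def crc_matches(hid):
    """True when the trailer equals zlib's CRC-32 of the preceding bytes."""
    body, stored = split_trailer(hid)
    return zlib.crc32(body) == stored


def with_trailer(body):
    """Append a trailer under the same assumption (used for test vectors)."""
    return body + zlib.crc32(body).to_bytes(4, "little")


if __name__ == "__main__":
    fields = parse_acl_frame(SAMPLE_FRAME)
    body, stored = split_trailer(fields["payload"])
    print("handle 0x%03X cid 0x%04X" % (fields["handle"], fields["cid"]))
    print("HID bytes:", len(fields["payload"]), "covered by CRC:", len(body))
    print("stored 0x%08X computed 0x%08X" % (stored, zlib.crc32(body)))
    print("trailer matches zlib CRC-32:", crc_matches(fields["payload"]))
```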
