DualShock 4
Review:
It feels really good to hold.
Contents |
Hardware
Teardown photo album: http://imgur.com/a/ytRW5
The USB port and LED are on one separate board, connected using a flat flexible cable, this cable is connected to a vertical FFC connector that does not have a locking mechanism.
The touchpad sensor is also detachable, connected using a flat flexible cable, this cable is connected to the main PCB using a connector that has a flip-up locking mechanism.
The speaker is not removable and it connects to the main PCB using some raised contacts.
The battery is 3.65V 1000mAH Li-ion.
Main microcontroller is a Spansion MB9BF002, a ARM Cortex M3 core, BGA package. The reset and SWD signals might be exposed to test points, I am not sure.
The Bluetooth module shows "8LA18366" and "GS-WCM-01" (or maybe it's "GS-WCN-01") and "VR2.0". There is also a QR code that I can't decipher yet. There are a lot of test points near it. Underneath, it is confirmed to be a Qualcomm Atheros AR3002.
There's a chip marked with "BD9200" (in QFN 32 pin footprint) that might be a PMIC because it has some thick traces around it, plus a big inductor. One of the pins near it read 6V, might be for the motor.
There's a shiny small square chip left of the left analog stick, it is marked with "7710" "325A1", I have no idea what this is, but there's some differential signals coming out of it, it might be USB, the activity stops when I disconnect the USB cable. I think this is connected to the USB port. I suspect this is a OTG chip.
There's a rectangular (maybe LGA) chip on the bottom side on the left, marked with "134" "A1322" "333", possibly a sensor. It's got some sort of latch signal around it, or maybe it's a weird clock. It's slow and doesn't seem like a bus. Or it could be a shift register and it's reading blank because I'm not pressing buttons.
There's a QFN 32 pin chip marked with "WM18016" (the M could be a N, the 6 could be a G) "36A0LM6" dead center on the bottom side of the PCB. It has a sine wave logo on it (possibly Wolfson Microelectronics). It is near the audio stuff but it is also near where all the buttons connect. There are 5 test points near it. It appears to be communicating with SPI with constant activity. There's also two resistors that look like I2C pull-up resistors, and there appears to be constant I2C traffic.
Some buttons are active low, some are active high (maybe only the thumbstick push buttons). The sheet of flexible circuit for the buttons are active low.
I'll keep adding to this section
Flexible Film Pin Mapping
The buttons are all on a single sheet of flexible film. The contacts for the flexible film are numbered from 1 to 18, and the numbers are written on the PCB.
The triggers have a resistor printed directly on the film, this appears to form a voltage divider, so that the trigger can have an analog value. The ground side of the voltage divider appears to be oscillating, the frequency and duty cycle are not fixed or predictable.
Pin # | Purpose | Notes |
1 | L2 Common | oscillating between 0 and 3.3V |
2 | L1 Sig | active High |
3 | L1 Common | fixed at 3.3V |
4 | L2 Sig | voltage divider output, active low |
5 | DPAD Right | active low |
6 | DPAD Up | active low |
7 | DPAD Left | active low |
8 | DPAD Down | active low |
9 | Common | ground |
10 | PS Button | active low |
11 | X | active low |
12 | Circle | active low |
13 | Triangle | active low |
14 | Square | active low |
15 | R2 Common | oscillating between 0 and 3.3V |
16 | R1 Sig | active high |
17 | R1 Common | fixed at 3.3V |
18 | R2 Sig | voltage divider output, active low |
USB
Audio definitely does not carry through USB.
The reports arrive once every 4ms.
Device Descriptor
0x12, // bLength 0x01, // bDescriptorType (Device) 0x00, 0x02, // bcdUSB 2.00 0x00, // bDeviceClass (Use class information in the Interface Descriptors) 0x00, // bDeviceSubClass 0x00, // bDeviceProtocol 0x40, // bMaxPacketSize0 64 0x4C, 0x05, // idVendor 0x054C 0xC4, 0x05, // idProduct 0x05C4 0x00, 0x01, // bcdDevice 1.00 0x01, // iManufacturer (String Index) 0x02, // iProduct (String Index) 0x00, // iSerialNumber (String Index) 0x01, // bNumConfigurations 1 // 18 bytes
Configuration Descriptor
0x09, // bLength 0x02, // bDescriptorType (Configuration) 0x29, 0x00, // wTotalLength 41 0x01, // bNumInterfaces 1 0x01, // bConfigurationValue 0x00, // iConfiguration (String Index) 0xC0, // bmAttributes Self Powered 0xFA, // bMaxPower 500mA 0x09, // bLength 0x04, // bDescriptorType (Interface) 0x00, // bInterfaceNumber 0 0x00, // bAlternateSetting 0x02, // bNumEndpoints 2 0x03, // bInterfaceClass 0x00, // bInterfaceSubClass 0x00, // bInterfaceProtocol 0x00, // iInterface (String Index) 0x09, // bLength 0x21, // bDescriptorType (HID) 0x11, 0x01, // bcdHID 1.17 0x00, // bCountryCode 0x01, // bNumDescriptors 0x22, // bDescriptorType[0] (HID) 0xD3, 0x01, // wDescriptorLength[0] 467 0x07, // bLength 0x05, // bDescriptorType (Endpoint) 0x84, // bEndpointAddress (IN/D2H) 0x03, // bmAttributes (Interrupt) 0x40, 0x00, // wMaxPacketSize 64 0x05, // bInterval 5 (unit depends on device speed) 0x07, // bLength 0x05, // bDescriptorType (Endpoint) 0x03, // bEndpointAddress (OUT/H2D) 0x03, // bmAttributes (Interrupt) 0x40, 0x00, // wMaxPacketSize 64 0x05, // bInterval 5 (unit depends on device speed) // 41 bytes
HID Report Descriptor
0x05, 0x01, // Usage Page (Generic Desktop Ctrls) 0x09, 0x05, // Usage (Game Pad) 0xA1, 0x01, // Collection (Physical) 0x85, 0x01, // Report ID (1) 0x09, 0x30, // Usage (X) 0x09, 0x31, // Usage (Y) 0x09, 0x32, // Usage (Z) 0x09, 0x35, // Usage (Rz) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x09, 0x39, // Usage (Hat switch) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x07, // Logical Maximum (7) 0x35, 0x00, // Physical Minimum (0) 0x46, 0x3B, 0x01, // Physical Maximum (315) 0x65, 0x14, // Unit (System: English Rotation, Length: Centimeter) 0x75, 0x04, // Report Size (4) 0x95, 0x01, // Report Count (1) 0x81, 0x42, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,Null State) 0x65, 0x00, // Unit (None) 0x05, 0x09, // Usage Page (Button) 0x19, 0x01, // Usage Minimum (0x01) 0x29, 0x0E, // Usage Maximum (0x0E) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x01, // Logical Maximum (1) 0x75, 0x01, // Report Size (1) 0x95, 0x0E, // Report Count (14) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0x20, // Usage (0x20) 0x75, 0x06, // Report Size (6) 0x95, 0x01, // Report Count (1) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x7F, // Logical Maximum (127) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x05, 0x01, // Usage Page (Generic Desktop Ctrls) 0x09, 0x33, // Usage (Rx) 0x09, 0x34, // Usage (Ry) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x02, // Report Count (2) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0x21, // Usage (0x21) 0x95, 0x36, // Report Count (54) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x85, 0x05, // Report ID (5) 0x09, 0x22, // Usage (0x22) 0x95, 0x1F, // Report Count (31) 0x91, 0x02, // Output (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x04, // Report ID (4) 0x09, 0x23, // Usage (0x23) 0x95, 0x24, // Report Count (36) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x02, // Report ID (2) 0x09, 0x24, // Usage (0x24) 0x95, 0x24, // Report Count (36) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x08, // Report ID (8) 0x09, 0x25, // Usage (0x25) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x10, // Report ID (16) 0x09, 0x26, // Usage (0x26) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x11, // Report ID (17) 0x09, 0x27, // Usage (0x27) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x12, // Report ID (18) 0x06, 0x02, 0xFF, // Usage Page (Vendor Defined 0xFF02) 0x09, 0x21, // Usage (0x21) 0x95, 0x0F, // Report Count (15) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x13, // Report ID (19) 0x09, 0x22, // Usage (0x22) 0x95, 0x16, // Report Count (22) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x14, // Report ID (20) 0x06, 0x05, 0xFF, // Usage Page (Vendor Defined 0xFF05) 0x09, 0x20, // Usage (0x20) 0x95, 0x10, // Report Count (16) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x15, // Report ID (21) 0x09, 0x21, // Usage (0x21) 0x95, 0x2C, // Report Count (44) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x06, 0x80, 0xFF, // Usage Page (Vendor Defined 0xFF80) 0x85, 0x80, // Report ID (128) 0x09, 0x20, // Usage (0x20) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x81, // Report ID (129) 0x09, 0x21, // Usage (0x21) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x82, // Report ID (130) 0x09, 0x22, // Usage (0x22) 0x95, 0x05, // Report Count (5) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x83, // Report ID (131) 0x09, 0x23, // Usage (0x23) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x84, // Report ID (132) 0x09, 0x24, // Usage (0x24) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x85, // Report ID (133) 0x09, 0x25, // Usage (0x25) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x86, // Report ID (134) 0x09, 0x26, // Usage (0x26) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x87, // Report ID (135) 0x09, 0x27, // Usage (0x27) 0x95, 0x23, // Report Count (35) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x88, // Report ID (136) 0x09, 0x28, // Usage (0x28) 0x95, 0x22, // Report Count (34) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x89, // Report ID (137) 0x09, 0x29, // Usage (0x29) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x90, // Report ID (144) 0x09, 0x30, // Usage (0x30) 0x95, 0x05, // Report Count (5) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x91, // Report ID (145) 0x09, 0x31, // Usage (0x31) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x92, // Report ID (146) 0x09, 0x32, // Usage (0x32) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x93, // Report ID (147) 0x09, 0x33, // Usage (0x33) 0x95, 0x0C, // Report Count (12) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA0, // Report ID (160) 0x09, 0x40, // Usage (0x40) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA1, // Report ID (161) 0x09, 0x41, // Usage (0x41) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA2, // Report ID (162) 0x09, 0x42, // Usage (0x42) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA3, // Report ID (163) 0x09, 0x43, // Usage (0x43) 0x95, 0x30, // Report Count (48) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA4, // Report ID (164) 0x09, 0x44, // Usage (0x44) 0x95, 0x0D, // Report Count (13) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA5, // Report ID (165) 0x09, 0x45, // Usage (0x45) 0x95, 0x15, // Report Count (21) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA6, // Report ID (166) 0x09, 0x46, // Usage (0x46) 0x95, 0x15, // Report Count (21) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF0, // Report ID (240) 0x09, 0x47, // Usage (0x47) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF1, // Report ID (241) 0x09, 0x48, // Usage (0x48) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF2, // Report ID (242) 0x09, 0x49, // Usage (0x49) 0x95, 0x0F, // Report Count (15) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA7, // Report ID (167) 0x09, 0x4A, // Usage (0x4A) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA8, // Report ID (168) 0x09, 0x4B, // Usage (0x4B) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA9, // Report ID (169) 0x09, 0x4C, // Usage (0x4C) 0x95, 0x08, // Report Count (8) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAA, // Report ID (170) 0x09, 0x4E, // Usage (0x4E) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAB, // Report ID (171) 0x09, 0x4F, // Usage (0x4F) 0x95, 0x39, // Report Count (57) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAC, // Report ID (172) 0x09, 0x50, // Usage (0x50) 0x95, 0x39, // Report Count (57) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAD, // Report ID (173) 0x09, 0x51, // Usage (0x51) 0x95, 0x0B, // Report Count (11) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAE, // Report ID (174) 0x09, 0x52, // Usage (0x52) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAF, // Report ID (175) 0x09, 0x53, // Usage (0x53) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xB0, // Report ID (176) 0x09, 0x54, // Usage (0x54) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0xC0, // End Collection // 467 bytes
Sample Report
01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00
Report Structure
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
[0] | Report ID (always 0x01) | |||||||
[1] | Left Stick X (0 = left) | |||||||
[2] | Left Stick Y (0 = up) | |||||||
[3] | Right Stick X | |||||||
[4] | Right Stick Y | |||||||
[5] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||
[6] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 |
[7] | Counter (counts up by 1 per report) | T-PAD | PS | |||||
[8] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||
[9] | Right Trigger | |||||||
[10] | Unknown, seems to count downwards, non-random pattern | |||||||
[11] | Unknown, seems to count upwards by 3, but by 2 when [10] underflows | |||||||
[12] | Unknown yet, 0x03 or 0x04 | |||||||
[13 - 14] | Possibly Gyro X (seems to be signed) | |||||||
[15 - 16] | Possibly Gyro Y | |||||||
[17 - 18] | Possibly Gyro Z | |||||||
[19 - 20] | Possibly Accel X | |||||||
[21 - 22] | Possibly Accel Y | |||||||
[23 - 24] | Possibly Accel Z | |||||||
[25 - 63] | TODO, work in progress |
Class Requests
This is what happened with a controller that was not previously synced to the PS4
Set Address Get Device Descriptor: (Short Device Descriptor) Get Device Descriptor: (Full Device Descriptor) Get String Descriptor[idx=0, langID=0]: 04 03 Get String Descriptor[idx=0, langID=0]: 04 03 09 04 Get String Descriptor[idx=1, langID=0x0409]: 38 03 Get String Descriptor[idx=1, langID=0x0409]: "Sony Computer Entertainment" Get String Descriptor[idx=2, langID=0x0409]: Get String Descriptor[idx=3, langID=0x0409]: "Wireless Controller" Get Configuration Descriptor: (Short Configuration Descriptor) Get Configuration Descriptor: (Full Configuration Descriptor) Get Device Status: 00 00 Set Configuration to 0x01 Get Descriptor: (HID Report Descriptor) Set Idle to 0 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 00 00 00 00 00 00 Set Report 0x13: 13 AC 9E 17 94 05 B0 56 E8 81 38 08 06 51 41 C0 7F 12 AA D9 66 3C CE Set Report 0x12: 14 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The same controller is then disconnected, and this is what happened when it reconnected
... enumeration steps same as before Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 AC 9E 17 94 05 B0
report ID 0xA3 seems to be some sort of time-of-manufacture identifier, it contains a date and time as a string in the beginning, ".Aug 3 2013.....07:01:12...........1....I....."
AC 9E 17 94 05 B0 is PS4 (Host) Bluetooth MAC Address (in proper MAC format, it is B0:05:94:17:9E:AC), AC 9E 17 is the LAP and 0x94 is the UAP, 05 B0 is the NAP, this was verified using a Bluetooth sniffer.
I am guessing that 8B 09 07 6D 66 1C means something, it's different on a different controller, it seems to be the Bluetooth MAC Address of the DualShock 4. in proper MAC format it is 1C:66:6D:07:09:8B in this example.
Bluetooth
The DS4 has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.
In the PS4 mode, it appears to advertise as two devices, one is a game controller and the other is an audio device. The game controller has a class 0x002508, and the audio device is class 0x200404. Neither has a name.
Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof a previously paired DS4's BDADDR and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.
UART HCI
On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points. You can clearly see the UART HCI data when you analyze the traffic on the RX and TX pins.
The data seems to be at a baud rate of exactly 3Mbit/s , sticking with HCI standards, meaning it's 8N1.
The report rate seems to be once every 1.3 millisecond, but there are some occasional gaps in between that can reach 15 milliseconds.
File:Ds4 uart hci cap with unpaired better.pcap, this file is a capture of the traffic over the UART HCI, Wireshark is required to view this PCAP file.
ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz, similar to the file before, but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
HID Report
Here's a sample HCI transaction that represents a report from the DS4 to the PS4
02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B
The header is
02 15 20 53 00 4F 00 42 00
Which means this is a Bluetooth HCI ACL packet, connection handle is 0x15, CID is 0x0042, and the length of the HID portion is 79 long.
The 79 byte HID portion is
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B
CRC32
Notice the last 4 bytes, 7D 0A 5D 0B, this value is different for every report packet, it appears to be random but it is actually a CRC32 over the first 75 bytes of the HID report. The CRC32's polynomial is 0x04C11DB7.
You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00
into the textbox in http://www.lammertbies.nl/comm/info/crc-calculation.html