Spoke too soon about the DualShock 4’s Bluetooth security: although the link-level authentication is figured out, it seems like Sony employed a challenge-and-response authentication mechanism over the HID channel itself. It was hard to spot because it occurs periodically at a slow rate, and it seems to tolerate up to 16 failed attempts before the PlayStation stops responding to an unauthenticated DualShock. 16 failed attempts is 8 minutes, and when I am doing reverse engineering I only capture a few seconds’ worth of data. Matlo from GIMX pointed this out to me. Thanks!
This is bad news: the challenge key is huge, so cracking it is out of the question. We also tried feeding it the challenge through USB and extracting the response from USB, but the response came back blank, which seems to indicate that the response calculation hasn’t been triggered. We tried replicating the exact series of transactions and it still would not trigger the calculation.
But the good news is that the challenge and response can be passed through. This means that “man in the middle” injection of data is still possible. This is my next goal, because my final goal is to make a keyboard and mouse work on the PS4. So my next step is to get Bluetooth passed through: establish a connection to both a DualShock and a PlayStation, becoming the man in the middle, modify the gaming input packets from the DualShock before sending them to the PlayStation, and pass through all other traffic. The authentication packets are thus untouched, which does work, because Matlo has already implemented this system as a test.
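What the pass-through relay described above has to do, written out as an added example (this is not code from the post, from GIMX or from Matlo): every packet in either direction is forwarded byte-for-byte, except controller-to-console input reports, which get keyboard state overlaid onto them before forwarding. The report IDs, the byte offsets inside the input report, the 0xA1 transaction header byte and the CRC-32 trailer are assumptions made for the example, not values taken from the post; if the real report format differs, only the constants and `reseal` need to change. The point the example makes is that the challenge and response reports must reach the other side unmodified, and that anything the relay does rewrite has to be re-sealed, or the console will discard it and the periodic check will eventually count it as a failure.

```python
"""Bluetooth HID man-in-the-middle filter between a DualShock and a PlayStation.

Added example. Report IDs, field offsets, the header byte and the CRC trailer
are assumptions for illustration, not values taken from the post.
"""
import zlib
from typing import Iterable, Optional

# --- assumed constants (hypothetical; adapt to the real report format) --------
INPUT_REPORT_ID = 0x11                            # assumed: periodic pad state, pad -> console
AUTH_REPORT_IDS = frozenset({0xF0, 0xF1, 0xF2})   # assumed: challenge / response / status
BT_INPUT_PREFIX = 0xA1                            # assumed: HID DATA|INPUT header byte
STICK_LY = 4                                      # assumed: left-stick Y axis offset
BUTTONS = 7                                       # assumed: face-button byte offset
CROSS = 0x20                                      # assumed: Cross bit in that byte

# Keyboard -> pad mapping: ("stick", offset, axis value) or ("button", offset, bit).
KEY_TO_ACTION = {
    "w": ("stick", STICK_LY, 0x00),               # stick fully up
    "s": ("stick", STICK_LY, 0xFF),               # stick fully down
    "space": ("button", BUTTONS, CROSS),          # Cross pressed
}


def _trailer(body: bytes) -> bytes:
    """CRC-32 over header byte + body, little-endian (assumed trailer format)."""
    return zlib.crc32(bytes([BT_INPUT_PREFIX]) + body).to_bytes(4, "little")


def crc_ok(report: bytes) -> bool:
    """True if the report's last four bytes are a valid trailer for the rest."""
    return len(report) > 4 and _trailer(report[:-4]) == report[-4:]


def reseal(body: bytes) -> bytes:
    """Append a fresh trailer to a (possibly modified) report body."""
    return body + _trailer(body)


def rewrite_input(report: bytes, pressed_keys: Iterable[str]) -> bytes:
    """Overlay keyboard state onto the pad's own report, then recompute the trailer."""
    buf = bytearray(report[:-4])                  # drop the now-stale trailer
    for key in pressed_keys:
        action = KEY_TO_ACTION.get(key)
        if action is None:
            continue
        kind, offset, value = action
        if kind == "stick":
            buf[offset] = value                   # overwrite the axis
        else:
            buf[offset] |= value                  # OR in the button, keep the pad's own presses
    return reseal(bytes(buf))


class Relay:
    """Sits between the two Bluetooth links and decides per packet what to forward."""

    def __init__(self, pressed_keys: Iterable[str] = ()):
        self.pressed = set(pressed_keys)
        self.stats = {"passed": 0, "rewritten": 0, "auth": 0, "dropped": 0}

    def to_console(self, report: bytes) -> Optional[bytes]:
        """Controller -> console. Returns the packet to send, or None to drop it."""
        rid = report[0]
        if rid in AUTH_REPORT_IDS:
            # The response must arrive byte-identical or the console's check fails.
            self.stats["auth"] += 1
            self.stats["passed"] += 1
            return report
        if rid == INPUT_REPORT_ID:
            if not crc_ok(report):
                self.stats["dropped"] += 1        # console would reject it anyway
                return None
            self.stats["rewritten"] += 1
            return rewrite_input(report, self.pressed)
        self.stats["passed"] += 1                 # anything else: pass through untouched
        return report

    def to_controller(self, report: bytes) -> bytes:
        """Console -> controller (challenge, rumble, LEDs): always pass through untouched."""
        if report[0] in AUTH_REPORT_IDS:
            self.stats["auth"] += 1
        self.stats["passed"] += 1
        return report


# Constructed sample input report: ID, two header bytes, four centred axes,
# neutral d-pad (0x08) with no buttons, two more bytes, padding, then trailer.
SAMPLE_INPUT = reseal(bytes([INPUT_REPORT_ID, 0xC0, 0x00]) + bytes([0x80] * 4)
                      + bytes([0x08, 0x00, 0x00]) + bytes(64))
# Constructed sample challenge (console -> pad) and response (pad -> console).
SAMPLE_CHALLENGE = bytes([0xF0, 0x01, 0x00]) + bytes(61)
SAMPLE_RESPONSE = bytes([0xF1, 0x01]) + bytes(62)

if __name__ == "__main__":
    relay = Relay(pressed_keys={"w", "space"})
    out = relay.to_console(SAMPLE_INPUT)
    print("rewritten input ok:", crc_ok(out), hex(out[STICK_LY]), hex(out[BUTTONS]))
    print("challenge untouched:", relay.to_controller(SAMPLE_CHALLENGE) == SAMPLE_CHALLENGE)
    print("response untouched:", relay.to_console(SAMPLE_RESPONSE) == SAMPLE_RESPONSE)
    print(relay.stats)
```

The relay never looks inside an authentication report and never delays one relative to the traffic around it; it only ever touches the input report, and always re-seals what it touched. With the tolerance described above, a relay that corrupts even the occasional response would still be found out, just slowly, after the 16th miss.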