DualShock 4
Review:
It feels really good to hold.
Contents |
Hardware
Teardown photo album: http://imgur.com/a/ytRW5
The USB port and LED are on one separate board, connected using a flat flexible cable, this cable is connected to a vertical FFC connector that does not have a locking mechanism.
The touchpad sensor is also detachable, connected using a flat flexible cable, this cable is connected to the main PCB using a connector that has a flip-up locking mechanism.
The speaker is not removable and it connects to the main PCB using some raised contacts.
The battery is 3.65V 1000mAH Li-ion.
Main microcontroller is a Spansion MB9BF002, a ARM Cortex M3 core, BGA package. The reset and SWD signals might be exposed to test points, I am not sure.
The Bluetooth module shows "8LA18366" and "GS-WCM-01" (or maybe it's "GS-WCN-01") and "VR2.0". There is also a QR code that I can't decipher yet. There are a lot of test points near it. Underneath, it is confirmed to be a Qualcomm Atheros AR3002.
There's a chip marked with "BD9200" (in QFN 32 pin footprint) that might be a PMIC because it has some thick traces around it, plus a big inductor. One of the pins near it read 6V, might be for the motor.
There's a shiny small square chip left of the left analog stick, it is marked with "7710" "325A1", I have no idea what this is, but there's some differential signals coming out of it, it might be USB, the activity stops when I disconnect the USB cable. I think this is connected to the USB port. I suspect this is a OTG chip.
There's a rectangular (maybe LGA) chip on the bottom side on the left, marked with "134" "A1322" "333", possibly a sensor. It's got some sort of latch signal around it, or maybe it's a weird clock. It's slow and doesn't seem like a bus. Or it could be a shift register and it's reading blank because I'm not pressing buttons.
There's a QFN 32 pin chip marked with "WM18016" (the M could be a N, the 6 could be a G) "36A0LM6" dead center on the bottom side of the PCB. It has a sine wave logo on it (possibly Wolfson Microelectronics). It is near the audio stuff but it is also near where all the buttons connect. There are 5 test points near it. It appears to be communicating with SPI with constant activity. There's also two resistors that look like I2C pull-up resistors, and there appears to be constant I2C traffic.
Some buttons are active low, some are active high (maybe only the thumbstick push buttons). The sheet of flexible circuit for the buttons are active low.
I'll keep adding to this section
Flexible Film Pin Mapping
The buttons are all on a single sheet of flexible film. The contacts for the flexible film are numbered from 1 to 18, and the numbers are written on the PCB.
The triggers have a resistor printed directly on the film, this appears to form a voltage divider, so that the trigger can have an analog value. The ground side of the voltage divider appears to be oscillating, the frequency and duty cycle are not fixed or predictable.
Pin # | Purpose | Notes |
1 | L2 Common | oscillating between 0 and 3.3V |
2 | L1 Sig | active High |
3 | L1 Common | fixed at 3.3V |
4 | L2 Sig | voltage divider output, active low |
5 | DPAD Right | active low |
6 | DPAD Up | active low |
7 | DPAD Left | active low |
8 | DPAD Down | active low |
9 | Common | ground |
10 | PS Button | active low |
11 | X | active low |
12 | Circle | active low |
13 | Triangle | active low |
14 | Square | active low |
15 | R2 Common | oscillating between 0 and 3.3V |
16 | R1 Sig | active high |
17 | R1 Common | fixed at 3.3V |
18 | R2 Sig | voltage divider output, active low |
USB
Audio definitely does not carry through USB.
The reports arrive once every 4ms.
Device Descriptor
0x12, // bLength 0x01, // bDescriptorType (Device) 0x00, 0x02, // bcdUSB 2.00 0x00, // bDeviceClass (Use class information in the Interface Descriptors) 0x00, // bDeviceSubClass 0x00, // bDeviceProtocol 0x40, // bMaxPacketSize0 64 0x4C, 0x05, // idVendor 0x054C 0xC4, 0x05, // idProduct 0x05C4 0x00, 0x01, // bcdDevice 1.00 0x01, // iManufacturer (String Index) 0x02, // iProduct (String Index) 0x00, // iSerialNumber (String Index) 0x01, // bNumConfigurations 1 // 18 bytes
Configuration Descriptor
0x09, // bLength 0x02, // bDescriptorType (Configuration) 0x29, 0x00, // wTotalLength 41 0x01, // bNumInterfaces 1 0x01, // bConfigurationValue 0x00, // iConfiguration (String Index) 0xC0, // bmAttributes Self Powered 0xFA, // bMaxPower 500mA 0x09, // bLength 0x04, // bDescriptorType (Interface) 0x00, // bInterfaceNumber 0 0x00, // bAlternateSetting 0x02, // bNumEndpoints 2 0x03, // bInterfaceClass 0x00, // bInterfaceSubClass 0x00, // bInterfaceProtocol 0x00, // iInterface (String Index) 0x09, // bLength 0x21, // bDescriptorType (HID) 0x11, 0x01, // bcdHID 1.17 0x00, // bCountryCode 0x01, // bNumDescriptors 0x22, // bDescriptorType[0] (HID) 0xD3, 0x01, // wDescriptorLength[0] 467 0x07, // bLength 0x05, // bDescriptorType (Endpoint) 0x84, // bEndpointAddress (IN/D2H) 0x03, // bmAttributes (Interrupt) 0x40, 0x00, // wMaxPacketSize 64 0x05, // bInterval 5 (unit depends on device speed) 0x07, // bLength 0x05, // bDescriptorType (Endpoint) 0x03, // bEndpointAddress (OUT/H2D) 0x03, // bmAttributes (Interrupt) 0x40, 0x00, // wMaxPacketSize 64 0x05, // bInterval 5 (unit depends on device speed) // 41 bytes
HID Report Descriptor
0x05, 0x01, // Usage Page (Generic Desktop Ctrls) 0x09, 0x05, // Usage (Game Pad) 0xA1, 0x01, // Collection (Application) 0x85, 0x01, // Report ID (1) 0x09, 0x30, // Usage (X) 0x09, 0x31, // Usage (Y) 0x09, 0x32, // Usage (Z) 0x09, 0x35, // Usage (Rz) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x09, 0x39, // Usage (Hat switch) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x07, // Logical Maximum (7) 0x35, 0x00, // Physical Minimum (0) 0x46, 0x3B, 0x01, // Physical Maximum (315) 0x65, 0x14, // Unit (System: English Rotation, Length: Centimeter) 0x75, 0x04, // Report Size (4) 0x95, 0x01, // Report Count (1) 0x81, 0x42, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,Null State) 0x65, 0x00, // Unit (None) 0x05, 0x09, // Usage Page (Button) 0x19, 0x01, // Usage Minimum (0x01) 0x29, 0x0E, // Usage Maximum (0x0E) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x01, // Logical Maximum (1) 0x75, 0x01, // Report Size (1) 0x95, 0x0E, // Report Count (14) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0x20, // Usage (0x20) 0x75, 0x06, // Report Size (6) 0x95, 0x01, // Report Count (1) 0x15, 0x00, // Logical Minimum (0) 0x25, 0x7F, // Logical Maximum (127) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x05, 0x01, // Usage Page (Generic Desktop Ctrls) 0x09, 0x33, // Usage (Rx) 0x09, 0x34, // Usage (Ry) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x02, // Report Count (2) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0x21, // Usage (0x21) 0x95, 0x36, // Report Count (54) 0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position) 0x85, 0x05, // Report ID (5) 0x09, 0x22, // Usage (0x22) 0x95, 0x1F, // Report Count (31) 0x91, 0x02, // Output (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x04, // Report ID (4) 0x09, 0x23, // Usage (0x23) 0x95, 0x24, // Report Count (36) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x02, // Report ID (2) 0x09, 0x24, // Usage (0x24) 0x95, 0x24, // Report Count (36) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x08, // Report ID (8) 0x09, 0x25, // Usage (0x25) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x10, // Report ID (16) 0x09, 0x26, // Usage (0x26) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x11, // Report ID (17) 0x09, 0x27, // Usage (0x27) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x12, // Report ID (18) 0x06, 0x02, 0xFF, // Usage Page (Vendor Defined 0xFF02) 0x09, 0x21, // Usage (0x21) 0x95, 0x0F, // Report Count (15) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x13, // Report ID (19) 0x09, 0x22, // Usage (0x22) 0x95, 0x16, // Report Count (22) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x14, // Report ID (20) 0x06, 0x05, 0xFF, // Usage Page (Vendor Defined 0xFF05) 0x09, 0x20, // Usage (0x20) 0x95, 0x10, // Report Count (16) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x15, // Report ID (21) 0x09, 0x21, // Usage (0x21) 0x95, 0x2C, // Report Count (44) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x06, 0x80, 0xFF, // Usage Page (Vendor Defined 0xFF80) 0x85, 0x80, // Report ID (128) 0x09, 0x20, // Usage (0x20) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x81, // Report ID (129) 0x09, 0x21, // Usage (0x21) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x82, // Report ID (130) 0x09, 0x22, // Usage (0x22) 0x95, 0x05, // Report Count (5) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x83, // Report ID (131) 0x09, 0x23, // Usage (0x23) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x84, // Report ID (132) 0x09, 0x24, // Usage (0x24) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x85, // Report ID (133) 0x09, 0x25, // Usage (0x25) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x86, // Report ID (134) 0x09, 0x26, // Usage (0x26) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x87, // Report ID (135) 0x09, 0x27, // Usage (0x27) 0x95, 0x23, // Report Count (35) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x88, // Report ID (136) 0x09, 0x28, // Usage (0x28) 0x95, 0x22, // Report Count (34) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x89, // Report ID (137) 0x09, 0x29, // Usage (0x29) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x90, // Report ID (144) 0x09, 0x30, // Usage (0x30) 0x95, 0x05, // Report Count (5) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x91, // Report ID (145) 0x09, 0x31, // Usage (0x31) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x92, // Report ID (146) 0x09, 0x32, // Usage (0x32) 0x95, 0x03, // Report Count (3) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0x93, // Report ID (147) 0x09, 0x33, // Usage (0x33) 0x95, 0x0C, // Report Count (12) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA0, // Report ID (160) 0x09, 0x40, // Usage (0x40) 0x95, 0x06, // Report Count (6) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA1, // Report ID (161) 0x09, 0x41, // Usage (0x41) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA2, // Report ID (162) 0x09, 0x42, // Usage (0x42) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA3, // Report ID (163) 0x09, 0x43, // Usage (0x43) 0x95, 0x30, // Report Count (48) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA4, // Report ID (164) 0x09, 0x44, // Usage (0x44) 0x95, 0x0D, // Report Count (13) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA5, // Report ID (165) 0x09, 0x45, // Usage (0x45) 0x95, 0x15, // Report Count (21) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA6, // Report ID (166) 0x09, 0x46, // Usage (0x46) 0x95, 0x15, // Report Count (21) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF0, // Report ID (240) 0x09, 0x47, // Usage (0x47) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF1, // Report ID (241) 0x09, 0x48, // Usage (0x48) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xF2, // Report ID (242) 0x09, 0x49, // Usage (0x49) 0x95, 0x0F, // Report Count (15) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA7, // Report ID (167) 0x09, 0x4A, // Usage (0x4A) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA8, // Report ID (168) 0x09, 0x4B, // Usage (0x4B) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xA9, // Report ID (169) 0x09, 0x4C, // Usage (0x4C) 0x95, 0x08, // Report Count (8) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAA, // Report ID (170) 0x09, 0x4E, // Usage (0x4E) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAB, // Report ID (171) 0x09, 0x4F, // Usage (0x4F) 0x95, 0x39, // Report Count (57) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAC, // Report ID (172) 0x09, 0x50, // Usage (0x50) 0x95, 0x39, // Report Count (57) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAD, // Report ID (173) 0x09, 0x51, // Usage (0x51) 0x95, 0x0B, // Report Count (11) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAE, // Report ID (174) 0x09, 0x52, // Usage (0x52) 0x95, 0x01, // Report Count (1) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xAF, // Report ID (175) 0x09, 0x53, // Usage (0x53) 0x95, 0x02, // Report Count (2) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0x85, 0xB0, // Report ID (176) 0x09, 0x54, // Usage (0x54) 0x95, 0x3F, // Report Count (63) 0xB1, 0x02, // Feature (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position,Non-volatile) 0xC0, // End Collection // 467 bytes
Sample Report
01 81 80 83 7A 08 00 00 00 00 93 5F FB D2 FF DA FF D8 FF 4F EE 14 1B 99 FE 00 00 00 00 00 05 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00
Report Structure
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
[0] | Report ID (always 0x01) | |||||||
[1] | Left Stick X (0 = left) | |||||||
[2] | Left Stick Y (0 = up) | |||||||
[3] | Right Stick X | |||||||
[4] | Right Stick Y | |||||||
[5] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||
[6] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 |
[7] | Counter (counts up by 1 per report) | T-PAD | PS | |||||
[8] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||
[9] | Right Trigger | |||||||
[10] | Unknown, seems to count downwards, non-random pattern | |||||||
[11] | Unknown, seems to count upwards by 3, but by 2 when [10] underflows | |||||||
[12] | Unknown yet, 0x03 or 0x04 | |||||||
[13 - 14] | Possibly Gyro X (seems to be signed) | |||||||
[15 - 16] | Possibly Gyro Y | |||||||
[17 - 18] | Possibly Gyro Z | |||||||
[19 - 20] | Possibly Accel X | |||||||
[21 - 22] | Possibly Accel Y | |||||||
[23 - 24] | Possibly Accel Z | |||||||
[25 - 63] | TODO, work in progress |
Class Requests
This is what happened with a controller that was not previously synced to the PS4
Set Address Get Device Descriptor: (Short Device Descriptor) Get Device Descriptor: (Full Device Descriptor) Get String Descriptor[idx=0, langID=0]: 04 03 Get String Descriptor[idx=0, langID=0]: 04 03 09 04 Get String Descriptor[idx=1, langID=0x0409]: 38 03 Get String Descriptor[idx=1, langID=0x0409]: "Sony Computer Entertainment" Get String Descriptor[idx=2, langID=0x0409]: Get String Descriptor[idx=3, langID=0x0409]: "Wireless Controller" Get Configuration Descriptor: (Short Configuration Descriptor) Get Configuration Descriptor: (Full Configuration Descriptor) Get Device Status: 00 00 Set Configuration to 0x01 Get Descriptor: (HID Report Descriptor) Set Idle to 0 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 00 00 00 00 00 00 Set Report 0x13: 13 AC 9E 17 94 05 B0 56 E8 81 38 08 06 51 41 C0 7F 12 AA D9 66 3C CE Set Report 0x14: 14 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The same controller is then disconnected, and this is what happened when it reconnected
... enumeration steps same as before Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x02: 02 01 00 00 00 00 00 87 22 7B DD B2 22 47 DD BD 22 43 DD 1C 02 1C 02 7F 1E 2E DF 60 1F 4C E0 3A 1D C6 DE 08 00 Get Report 0xA3: A3 41 75 67 20 20 33 20 32 30 31 33 00 00 00 00 00 30 37 3A 30 31 3A 31 32 00 00 00 00 00 00 00 00 00 01 00 31 03 00 00 00 49 00 05 00 00 80 03 00 Get Report 0x12: 12 8B 09 07 6D 66 1C 08 25 00 AC 9E 17 94 05 B0
report ID 0xA3 seems to be some sort of time-of-manufacture identifier, it contains a date and time as a string in the beginning, ".Aug 3 2013.....07:01:12...........1....I....."
AC 9E 17 94 05 B0 is PS4 (Host) Bluetooth MAC Address (in proper MAC format, it is B0:05:94:17:9E:AC), AC 9E 17 is the LAP and 0x94 is the UAP, 05 B0 is the NAP, this was verified using a Bluetooth sniffer.
The 16 bytes that follow immediately after the BD_ADDR is the link key that is used to authenticate the DualShock 4. When a Bluetooth connection is established, this link key is used for authentication.
I am guessing that 8B 09 07 6D 66 1C means something, it's different on a different controller, it seems to be the Bluetooth MAC Address of the DualShock 4. in proper MAC format it is 1C:66:6D:07:09:8B in this example.
Bluetooth
The DS4 has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.
In the PS4 mode, it appears to advertise as two devices, one is a game controller and the other is an audio device. The game controller has a class 0x002508, and the audio device is class 0x200404. Neither has a name.
Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof a previously paired DS4's BDADDR and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.
UART HCI
On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points. You can clearly see the UART HCI data when you analyze the traffic on the RX and TX pins. See File:Ds4_testpoints_hci_uart_1.jpg
The data seems to be at a baud rate of exactly 3Mbit/s , sticking with HCI standards, meaning it's 8N1.
The report rate seems to be once every 1.3 millisecond, but there are some occasional gaps in between that can reach 15 milliseconds.
File:Ds4 uart hci cap with unpaired better.pcap, this file is a capture of the traffic over the UART HCI, Wireshark is required to view this PCAP file.
ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz, similar to the file before, but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
Service Discovery Protocol (SDP)
Each device can send a service attribute search request to the other. The PS4 does it once (the first time a device tries to connect), whereas the DS4 does it each time it connects to the PS4.
PS4 service attribute search response
0x07, 0x00, 0x01, 0x01, 0x53, 0x01, 0x50, 0x36, 0x01, 0x4d, 0x36, 0x00, 0x32, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x05, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x0a, 0x09, 0x00, 0x04, 0x35, 0x10, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x19, 0x35, 0x06, 0x19, 0x00, 0x19, 0x09, 0x01, 0x02, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x11, 0x0d, 0x09, 0x01, 0x02, 0x36, 0x00, 0x32, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x06, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x0b, 0x09, 0x00, 0x04, 0x35, 0x10, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x19, 0x35, 0x06, 0x19, 0x00, 0x19, 0x09, 0x01, 0x02, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x11, 0x0d, 0x09, 0x01, 0x02, 0x36, 0x00, 0x3b, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x07, 0x09, 0x00, 0x01, 0x35, 0x06, 0x19, 0x11, 0x0e, 0x19, 0x11, 0x0f, 0x09, 0x00, 0x04, 0x35, 0x10, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x17, 0x35, 0x06, 0x19, 0x00, 0x17, 0x09, 0x01, 0x03, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x11, 0x0e, 0x09, 0x01, 0x04, 0x09, 0x03, 0x11, 0x09, 0x00, 0x02, 0x36, 0x00, 0x4d, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x08, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x0c, 0x09, 0x00, 0x04, 0x35, 0x10, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x17, 0x35, 0x06, 0x19, 0x00, 0x17, 0x09, 0x01, 0x03, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x11, 0x0e, 0x09, 0x01, 0x04, 0x09, 0x00, 0x0d, 0x35, 0x10, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x1b, 0x35, 0x06, 0x19, 0x00, 0x17, 0x09, 0x01, 0x03, 0x09, 0x03, 0x11, 0x09, 0x00, 0x01, 0x36, 0x00, 0x52, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x0a, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x12, 0x00, 0x09, 0x00, 0x04, 0x35, 0x0d, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x00, 0x01, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x12, 0x00, 0x09, 0x01, 0x03, 0x09, 0x02, 0x00, 0x09, 0x01, 0x03, 0x09, 0x02, 0x01, 0x09, 0x05, 0x4c, 0x09, 0x02, 0x02, 0x09, 0x08, 0x1f, 0x09, 0x02, 0x03, 0x09, 0x01, 0x00, 0x09, 0x02, 0x04, 0x28, 0x01, 0x09, 0x02, 0x05, 0x09, 0x00, 0x02, 0x00
DS4 service attribute search response
This response is 708-byte long: the DS4 does not respect the 672-byte outgoing L2CAP MTU.
0x07, 0x00, 0x01, 0x02, 0xbf, 0x02, 0xbc, 0x36, 0x02, 0xb9, 0x36, 0x02, 0x61, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x24, 0x09, 0x00, 0x04, 0x35, 0x0d, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x11, 0x35, 0x03, 0x19, 0x00, 0x11, 0x09, 0x00, 0x06, 0x35, 0x09, 0x09, 0x65, 0x6e, 0x09, 0x00, 0x6a, 0x09, 0x01, 0x00, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x11, 0x24, 0x09, 0x01, 0x00, 0x09, 0x00, 0x0d, 0x35, 0x0f, 0x35, 0x0d, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x13, 0x35, 0x03, 0x19, 0x00, 0x11, 0x09, 0x01, 0x00, 0x25, 0x13, 0x57, 0x69, 0x72, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x09, 0x01, 0x01, 0x25, 0x0f, 0x47, 0x61, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x09, 0x01, 0x02, 0x25, 0x1b, 0x53, 0x6f, 0x6e, 0x79, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x72, 0x20, 0x45, 0x6e, 0x74, 0x65, 0x72, 0x74, 0x61, 0x69, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x09, 0x02, 0x00, 0x09, 0x01, 0x00, 0x09, 0x02, 0x01, 0x09, 0x01, 0x11, 0x09, 0x02, 0x02, 0x08, 0x08, 0x09, 0x02, 0x03, 0x08, 0x00, 0x09, 0x02, 0x04, 0x28, 0x00, 0x09, 0x02, 0x05, 0x28, 0x01, 0x09, 0x02, 0x06, 0x36, 0x01, 0x6c, 0x36, 0x01, 0x69, 0x08, 0x22, 0x26, 0x01, 0x64, 0x05, 0x01, 0x09, 0x05, 0xa1, 0x01, 0x85, 0x01, 0x09, 0x30, 0x09, 0x31, 0x09, 0x32, 0x09, 0x35, 0x15, 0x00, 0x26, 0xff, 0x00, 0x75, 0x08, 0x95, 0x04, 0x81, 0x02, 0x09, 0x39, 0x15, 0x00, 0x25, 0x07, 0x75, 0x04, 0x95, 0x01, 0x81, 0x42, 0x05, 0x09, 0x19, 0x01, 0x29, 0x0e, 0x15, 0x00, 0x25, 0x01, 0x75, 0x01, 0x95, 0x0e, 0x81, 0x02, 0x75, 0x06, 0x95, 0x01, 0x81, 0x01, 0x05, 0x01, 0x09, 0x33, 0x09, 0x34, 0x15, 0x00, 0x26, 0xff, 0x00, 0x75, 0x08, 0x95, 0x02, 0x81, 0x02, 0x06, 0x04, 0xff, 0x85, 0x02, 0x09, 0x24, 0x95, 0x24, 0xb1, 0x02, 0x85, 0xa3, 0x09, 0x25, 0x95, 0x30, 0xb1, 0x02, 0x85, 0x05, 0x09, 0x26, 0x95, 0x28, 0xb1, 0x02, 0x85, 0x06, 0x09, 0x27, 0x95, 0x34, 0xb1, 0x02, 0x85, 0x07, 0x09, 0x28, 0x95, 0x30, 0xb1, 0x02, 0x85, 0x08, 0x09, 0x29, 0x95, 0x2f, 0xb1, 0x02, 0x06, 0x03, 0xff, 0x85, 0x03, 0x09, 0x21, 0x95, 0x26, 0xb1, 0x02, 0x85, 0x04, 0x09, 0x22, 0x95, 0x2e, 0xb1, 0x02, 0x85, 0xf0, 0x09, 0x47, 0x95, 0x3f, 0xb1, 0x02, 0x85, 0xf1, 0x09, 0x48, 0x95, 0x3f, 0xb1, 0x02, 0x85, 0xf2, 0x09, 0x49, 0x95, 0x0f, 0xb1, 0x02, 0x06, 0x00, 0xff, 0x85, 0x11, 0x09, 0x20, 0x15, 0x00, 0x26, 0xff, 0x00, 0x75, 0x08, 0x95, 0x4d, 0x81, 0x02, 0x09, 0x21, 0x91, 0x02, 0x85, 0x12, 0x09, 0x22, 0x95, 0x8d, 0x81, 0x02, 0x09, 0x23, 0x91, 0x02, 0x85, 0x13, 0x09, 0x24, 0x95, 0xcd, 0x81, 0x02, 0x09, 0x25, 0x91, 0x02, 0x85, 0x14, 0x09, 0x26, 0x96, 0x0d, 0x01, 0x81, 0x02, 0x09, 0x27, 0x91, 0x02, 0x85, 0x15, 0x09, 0x28, 0x96, 0x4d, 0x01, 0x81, 0x02, 0x09, 0x29, 0x91, 0x02, 0x85, 0x16, 0x09, 0x2a, 0x96, 0x8d, 0x01, 0x81, 0x02, 0x09, 0x2b, 0x91, 0x02, 0x85, 0x17, 0x09, 0x2c, 0x96, 0xcd, 0x01, 0x81, 0x02, 0x09, 0x2d, 0x91, 0x02, 0x85, 0x18, 0x09, 0x2e, 0x96, 0x0d, 0x02, 0x81, 0x02, 0x09, 0x2f, 0x91, 0x02, 0x85, 0x19, 0x09, 0x30, 0x96, 0x22, 0x02, 0x81, 0x02, 0x09, 0x31, 0x91, 0x02, 0x06, 0x80, 0xff, 0x85, 0x82, 0x09, 0x22, 0x95, 0x3f, 0xb1, 0x02, 0x85, 0x83, 0x09, 0x23, 0xb1, 0x02, 0x85, 0x84, 0x09, 0x24, 0xb1, 0x02, 0x85, 0x90, 0x09, 0x30, 0xb1, 0x02, 0x85, 0x91, 0x09, 0x31, 0xb1, 0x02, 0x85, 0x92, 0x09, 0x32, 0xb1, 0x02, 0x85, 0x93, 0x09, 0x33, 0xb1, 0x02, 0x85, 0xa0, 0x09, 0x40, 0xb1, 0x02, 0x85, 0xa4, 0x09, 0x44, 0xb1, 0x02, 0xc0, 0x09, 0x02, 0x07, 0x35, 0x08, 0x35, 0x06, 0x09, 0x04, 0x09, 0x09, 0x01, 0x00, 0x09, 0x02, 0x08, 0x28, 0x00, 0x09, 0x02, 0x09, 0x28, 0x01, 0x09, 0x02, 0x0a, 0x28, 0x01, 0x09, 0x02, 0x0b, 0x09, 0x01, 0x00, 0x09, 0x02, 0x0c, 0x09, 0x1f, 0x40, 0x09, 0x02, 0x0d, 0x28, 0x00, 0x09, 0x02, 0x0e, 0x28, 0x00, 0x36, 0x00, 0x52, 0x09, 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x02, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x12, 0x00, 0x09, 0x00, 0x04, 0x35, 0x0d, 0x35, 0x06, 0x19, 0x01, 0x00, 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x00, 0x01, 0x09, 0x00, 0x09, 0x35, 0x08, 0x35, 0x06, 0x19, 0x12, 0x00, 0x09, 0x01, 0x03, 0x09, 0x02, 0x00, 0x09, 0x01, 0x03, 0x09, 0x02, 0x01, 0x09, 0x05, 0x4c, 0x09, 0x02, 0x02, 0x09, 0x05, 0xc4, 0x09, 0x02, 0x03, 0x09, 0x01, 0x00, 0x09, 0x02, 0x04, 0x28, 0x01, 0x09, 0x02, 0x05, 0x09, 0x00, 0x02, 0x00
HID report example
Here's a sample HCI transaction that represents a HID report from the DS4 to the PS4
02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B
The header is
02 15 20 53 00 4F 00 42 00
Which means this is a Bluetooth HCI ACL packet, connection handle is 0x15, CID is 0x0042, and the length of the HID portion is 79 long.
The 79 byte HID portion is
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00 7D 0A 5D 0B
CRC32
Notice the last 4 bytes, 7D 0A 5D 0B, this value is different for every report packet, it appears to be random but it is actually a CRC32 over the first 75 bytes of the HID report. The CRC32's polynomial is 0x4C11DB7.
You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00
into the textbox in http://www.lammertbies.nl/comm/info/crc-calculation.html
HID transaction structure
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | Transaction Type | Parameter | Report Type | |||||||
[1] | Protocol Code | |||||||||
[2 - end] | Report Contents |
HID control reports
There is a periodic report sequence that consists in 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE REPORTS. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4.
There is another periodic report sequence that consists in one 0x03 SET FEATURE report and 1 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report.
These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters.
GET FEATURE
Each GET FEATURE report sent by the PS4 is anwsered by the DS4 with a DATA FEATURE report.
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x04 GET REPORT | 0x01 | 0x00 | 0x03 FEATURE | ||||||
[1] | Report id | |||||||||
[2 - 3] | Buffer size. |
0x02
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x02.
The bytes in this report do not seem to fluctuate.
Report example:
0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd, 0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0, 0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x03 | |||||||
[1] | 0x02 | |||||||||
[2 - 37] | TODO, work in progress. |
0x04
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x04.
Most bytes from index 4 change between two reports.
Report example:
0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda, 0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48, 0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x03 | |||||||
[1] | 0x04 | |||||||||
[2] | sequence counter (init = 0x02, step = 1) | |||||||||
[3] | 0x00 | |||||||||
[4 - 43] | TODO, work in progress. | |||||||||
[44 - 47] | CRC-32 of the previous bytes. |
0x06
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0x06.
The bytes in this report do not seem to fluctuate. They are the same in two different controllers.
Report example:
0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, 0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x03 | |||||||
[1] | 0x06 | |||||||||
[2 - 49] | A date: Aug 3 2013 07:01:12 | |||||||||
[50 - 53] | CRC-32 of the previous bytes. |
0xa3
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xa3.
It is identical to 0x06 except that there's no CRC-32 at the end of the packet.
Report example:
0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80, 0x03, 0x00
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x03 | |||||||
[1] | 0xa3 | |||||||||
[2 - 49] | A date: Aug 3 2013 07:01:12 |
0xf1
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xf1.
This report is part of the authentication sequence: it contains challenge response data.
Report example:
0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e, 0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d, 0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03, 0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e, 0xb3
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x03 | |||||||
[1] | 0xf1 | |||||||||
[2] | sequence counter (init = 0x01, step = 1) | |||||||||
[3] | report counter (init = 0x00, step = 1, max = 0x12) | |||||||||
[4] | 0x00 | |||||||||
[5 - 60] | Challenge response data. | |||||||||
[61 - 64] | CRC-32 of the previous bytes. |
The packets with report counter from 0x00 to 0x09 carry 528 bytes of data.
Packet 0x09 contains 24 bytes of data and is padded with zeros.
The packets with report counter from 0x0a to 0x0c are padded with zeros.
Packet 0x0d is padded with zeros, except bytes 58 and 60 (both are 0x01).
The packets with report counter from 0x0e to 0x12 carry 256 bytes of data.
Packet 0x12 contains 32 bytes of data and is padded with zeros.
0xf2
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03). The protocol code is 0xf2.
This report is part of the authentication sequence: it indicates if the challenge response is ready.
Report example:
0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c, 0xef
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | |||
[0] | 0x0a | 0x00 | 0x03 | ||||||||
[1] | 0xf2 | ||||||||||
[2] | sequence counter (init = 0x01, step = 1) | ||||||||||
[3] | 0x00 | 0x01 = not ready
0x00 = ready |
0x00 | ||||||||
[4 - 12] | padded with 0x00. | ||||||||||
[13 - 16] | CRC-32 of the previous bytes. |
SET FEATURE
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte.
0x03
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). The protocol code is 0x03.
Most bytes from index 4 change between two reports.
Report example:
0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad, 0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf, 0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x05 | 0x00 | 0x03 | |||||||
[1] | 0x03 | |||||||||
[2] | sequence counter (init = 0x02, step = 1) | |||||||||
[3] | 0x00 | |||||||||
[4 - 35] | TODO, work in progress. | |||||||||
[36 - 39] | CRC-32 of the previous bytes. |
0xf0
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03). The protocol code is 0xf0.
This report is part of the authentication sequence: it contains challenge data.
Report example:
0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9, 0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae, 0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a, 0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac, 0x82
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x05 | 0x00 | 0x03 | |||||||
[1] | 0xf0 | |||||||||
[2] | sequence counter (init = 0x01, step = 1) | |||||||||
[3] | report counter (init = 0x00, step = 1, max = 0x04) | |||||||||
[4] | 0x00 | |||||||||
[5 - 60] | Challenge data. | |||||||||
[61 - 64] | CRC-32 of the previous bytes. |
The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes.
HID interrupt reports
HID INPUT
These reports are sent asynchronously from the DS4 to the PS4.
0x01
The transaction type is DATA (0x0a), and the report type is INPUT (0x01). The protocol code is 0x11.
This report is sent until the GET REPORT FEATURE 0x02 is received.
Supposition: a PC can understand this report?
Report example:
0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x01 | |||||||
[1] | 0x01 | |||||||||
The following structure is a supposition. | ||||||||||
[2] | Left Stick X (0 = left) | |||||||||
[3] | Left Stick Y (0 = up) | |||||||||
[4] | Right Stick X | |||||||||
[5] | Right Stick Y | |||||||||
[6] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||||
[7] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 | ||
[8] | Counter (counts up by 1 per report) | T-PAD | PS | |||||||
[9] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||||
[10] | Right Trigger |
0x11
The transaction type is DATA (0x0a), and the report type is INPUT (0x01). The protocol code is 0x11.
This report is sent once the GET REPORT FEATURE 0x02 is received.
Report example:
0xa1, 0x11, 0xc0, 0x00, 0x7d, 0x7d, 0x81, 0x7e, 0x08, 0x00, 0x28, 0x00, 0x00, 0x8c, 0xf3, 0x01, 0x13, 0x00, 0xf8, 0xff, 0x05, 0x00, 0x31, 0xfe, 0x3f, 0x0f, 0xd1, 0xe3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x22, 0x7b, 0xa0
If you look carefully, it is very similar to the reports sent over USB if you ignore the first 3 bytes.
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x01 | |||||||
[1] | 0x11 | |||||||||
[2] | 0xc0 | |||||||||
[3] | Report ID (always 0x00) | |||||||||
[4] | Left Stick X (0 = left) | |||||||||
[5] | Left Stick Y (0 = up) | |||||||||
[6] | Right Stick X | |||||||||
[7] | Right Stick Y | |||||||||
[8] | TRI | CIR | X | SQR | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||||
[9] | R3 | L3 | OPT | SHARE | R2 | L2 | R1 | L1 | ||
[10] | Counter (counts up by 1 per report) | T-PAD | PS | |||||||
[11] | Left Trigger (0 = released, 0xFF = fully pressed) | |||||||||
[12] | Right Trigger | |||||||||
[13 - 14] | Seems to be a timestamp. A common increment value between two reports is 188 (at full rate the report period is 1.25ms). This timestamp is used by the PS4 to process acceleration and gyroscope data. | |||||||||
[15] | battery (0x00 to 0xff) | |||||||||
[16 - 17] | Acceleration X | |||||||||
[18 - 19] | Acceleration Y | |||||||||
[20 - 21] | Acceleration Z | |||||||||
[22 - 23] | Gyroscope Roll? | |||||||||
[24 - 25] | Gyroscope Yaw? | |||||||||
[26 - 27] | Gyroscope Pitch? | |||||||||
[28 - 32] | Unknown (seems to be always 0x00) | |||||||||
[33] | 0x00 | phone | mic | usb | battery level | |||||
[34 - 35] | Unknown (seems to be always 0x00) | |||||||||
[36] | number of trackpad packets (0x00 to 0x04) | |||||||||
[37] | packet counter | |||||||||
[38] | active low | finger 1 id | ||||||||
[39 - 41] | finger 1 coordinates | |||||||||
[42] | active low | finger 2 id | ||||||||
[43 - 45] | finger 2 coordinates | |||||||||
[36] | packet counter | |||||||||
[47] | active low | finger 1 id | ||||||||
[48 - 50] | finger 1 coordinates | |||||||||
[51] | active low | finger 2 id | ||||||||
[52 - 54] | finger 2 coordinates | |||||||||
[55] | packet counter | |||||||||
[56] | active low | finger 1 id | ||||||||
[57 - 59] | finger 1 coordinates | |||||||||
[60] | active low | finger 2 id | ||||||||
[61 - 63] | finger 2 coordinates | |||||||||
[64] | packet counter | |||||||||
[65] | active low | finger 1 id | ||||||||
[66 - 68] | finger 1 coordinates | |||||||||
[69] | active low | finger 2 id | ||||||||
[70 - 72] | finger 2 coordinates | |||||||||
[73 - 74] | Unknown 0x00 0x00 or 0x00 0x01 | |||||||||
[75 - 78] | CRC-32 of the first 75 bytes. |
Most of the time there is only 1 trackpad packet per report.
Below is a sample for bytes 36 to 72 with 4 trackpad packets:
0x04, 0x01, 0x04, 0x69, 0x91, 0x1a, 0x06, 0x15, 0x45, 0x1a, 0x05, 0x04, 0x66, 0x11, 0x1a, 0x06, 0x10, 0x15, 0x1a, 0x0a, 0x04, 0x63, 0x81, 0x19, 0x06, 0x0c, 0xe5, 0x19, 0x0f, 0x04, 0x5f, 0xf1, 0x18, 0x06, 0x08, 0xc5, 0x19
HID OUTPUT
These reports are sent asynchronously from the PS4 to the DS4.
0x11
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x11.
Byte at index 4 changes from 0xf0 to 0xf3 in the first reports. Making it always 0xf0 does not seem to change something.
Report example:
0xa2, 0x11, 0xc0, 0x20, 0xf0, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd8, 0x8e, 0x94, 0xdd
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x11 | |||||||||
[2 - 3] | Unknown | |||||||||
[4] | 0xf0 disables the rumble motors, 0xf3 enables them | |||||||||
[5 - 6] | Unknown | |||||||||
[7] | Rumble (right / weak) | |||||||||
[8] | Rumble (left / strong) | |||||||||
[9] | RGB color (Red) | |||||||||
[10] | RGB color (Green) | |||||||||
[11] | RGB color (Blue) | |||||||||
[12 - 74] | Unknown | |||||||||
[75 - 78] | CRC-32 of the previous bytes. |
0x14
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x14.
Byte at index 4 is a counter (step=4).
Supposition: this report contains audio data.
Report example:
0xa2, 0x14, 0x40, 0xa0, 0x04, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3e, 0xe5, 0xe4, 0x0b
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x14 | |||||||||
[2 - 267] | TODO, work in progress. | |||||||||
[268 - 271] | CRC-32 of the previous bytes. |
0x15
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x15.
Supposition: this report also contains audio data.
Report example:
0xa2, 0x15, 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0xc5, 0x3e, 0xfc
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x15 | |||||||||
[2 - 74] | Same as output report 0x11. | |||||||||
[75 - 330] | TODO, work in progress. | |||||||||
[331 - 334] | CRC-32 of the previous bytes. |
0x17
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x17.
Supposition: this report contains audio data.
Report example:
0xa2, 0x17, 0x40, 0xa0, 0xb4, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x6b, 0xa2, 0x38, 0xe6
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x17 | |||||||||
[2 - 458] | TODO, work in progress. | |||||||||
[459 - 462] | CRC-32 of the previous bytes. |
0x18
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x18.
Supposition: this report contains audio data.
Report example:
0xa2, 0x18, 0x48, 0xa1, 0xb4, 0x06, 0x22, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x7d, 0x33, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x3b, 0x16, 0xec
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x18 | |||||||||
[2 - 527] | TODO, work in progress. | |||||||||
[527 - 530] | CRC-32 of the previous bytes. |
0x19
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02). The protocol code is 0x19.
Supposition: this report also contains audio data.
Report example:
0xa2, 0x19, 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc2, 0x00, 0x02, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x9c, 0x75, 0x19, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x86, 0x51, 0x90
byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 | ||
[0] | 0x0a | 0x00 | 0x02 | |||||||
[1] | 0x19 | |||||||||
[2 - 74] | Same as output report 0x11. | |||||||||
[75 - 547] | TODO, work in progress. | |||||||||
[548 - 551] | CRC-32 of the previous bytes. |