Editing DS4-BT

'''Source:''' http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )
[[File:DS4 CUHZCT1 03 Glacier White top.png|thumbnail|right]]


== Bluetooth ==
 
{{Panorama
|image  = File:Atheros_AR3002.jpg
|height  = 200
|alt    = Bluetooth module Qualcomm: [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002-BL3D]
|caption = Bluetooth module Qualcomm: [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002-BL3D]
}}
 
[[File:Bluetooth.png|15px]] [[Bluetooth]] is a [[Wireless|wireless]] technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.
 
It can stream 32 kHz sound to the controllers' speakers for up to 2 players, but that drops to 16 kHz when 3 or more players are hooked up.
 
===UART HCI===
[[File:DS4 testpoints hci uart 1.jpg|thumbnail|150px|right|Testpoints]]
 
On the DS4 circuit itself is a [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002] module and the {{G|UART}} pins have test points.
 
You can clearly see the UART HCI receiving/transmitting data when you analyze the traffic on the RX and TX pins (See testpoints).
 
The data seems to be at a baud rate of exactly 3 Mbit/s and, sticking with HCI standards, is 8N1 (8 data bits, no parity, 1 stop bit). The report rate seems to be once every 1.3 milliseconds, but there are occasional gaps in between that can reach 15 milliseconds.
 
[http://eleccelerator.com/wiki/index.php?title=File:Ds4_uart_hci_cap_with_unpaired_better.pcap This file] is a capture of the traffic over the UART HCI; [http://www.wireshark.org/ Wireshark] can be used to parse this PCAP file.
 
[http://eleccelerator.com/files/ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz This capture] is similar to the previous file but was taken while running "the Playroom" app on the PS4, so it shows motor, speaker, and LED activity. The file needs to be decompressed with gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.
 
=== Maximum theoretical update frequency per second (Minimum theoretical latency) ===
{| class="wikitable sortable"
|-
! Controllers !! Input+Output disabled !! Output enabled !! Input enabled
|-
| 1 || 800x (1.25ms) || 400 (2.50ms) || 125 (8ms)
|-
| 2 || 400x (2.50ms) || 200 (5ms) || 62.50 (16ms)
|-
| 3 || 266x (3.75ms) || 133 (7.5ms) || 41.66 (24ms)
|-
| 4 || 200x (5ms) || 100 (10ms) || 31.25 (32ms)
|-
|}
In comparison, USB has 250x (4ms)
 
=== Overlapping channels BT/Wi-Fi ===
 
* [[Wireless#Overlapping_channels_BT.2FWi-Fi|Overlapping channels BT/Wi-Fi]]
 
=== Bluetooth Addressing ===
 
Each Bluetooth unit has a unique 48-bit address (BD_ADDR).
 
If you spoof the BDADDR (the unique address of a Bluetooth device, similar to the MAC address of a network card) and class of a previously paired DS4, then using "[http://www.linux-commands-examples.com/hcitool sudo hcitool cc <ps4's bdaddr>]" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.


The [[DualShock 4]] has two modes: one in which you can pair it with a computer (hold PS and Share at the same time until the light blinks twice in quick succession), and another in which it is used with a PS4.


{| class="wikitable" style="text-align: center;border:3px solid #123AAA;"
|-
|colspan="6"|'''Company_assigned'''
|colspan="6"|'''Company_id'''
|-
|colspan="6"|'''L'''ower '''A'''ddress '''P'''art (24-bit)<br />transmitted with every packet as part of the packet header
|colspan="2"|'''U'''pper '''A'''ddress '''P'''art  (8-bit)<br />
|colspan="4"|'''N'''on-Significant '''A'''ddress '''P'''art (16-bit)<br />[http://standards-oui.ieee.org/oui.txt assigned  publicly by the IEEE]
|-
!width="70"|<sub>lsb</sub>xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx<sup>msb</sup>
|-
|}
 
==== Unpairing ====
 
*http://eleccelerator.com/unpairing-a-dualshock-4-and-setting-a-new-bdaddr/
 
===Class of Device/Service (CoD)===
 
In the PS4 mode, the DualShock 4 appears to be advertised as two devices (neither has a name), one is a game controller and the other is an audio device:


The game controller has a [https://www.bluetooth.org/en-us/specification/assigned-numbers/baseband class of Device/Service (CoD)] 0x002508:
<small>(Online Generator http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html)</small>


=== Service Discovery Protocol (SDP) ===
Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof the BDADDR (the unique address of a Bluetooth device, similar to the MAC address of a network card) and class of a previously paired DS4, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.
{{G|SDP}} is used by the PS4 the first time a device tries to connect, whereas the DS4 uses it each time it connects to the PS4 (you can use Wireshark for parsing SDP files, but double-check manually, because the interpretation may be wrong or the protocol non-standard).
==== PDU ====
*SDP uses a request/response model where each transaction consists of one request PDU (protocol data unit) and one response PDU.


<small>
{{Protocol_data_unit}}
</small>


==== Data Element ====

* an attribute id or an attribute value is often represented as a data element.
* The format of a data element follows the {{G|TLV}} (type-length-value) convention.

<small>
{| class="wikitable" style="text-align: center;"
|-
!width="100"|byte index
!width="60"|bit 7
!width="60"|bit 6
!width="60"|bit 5
!width="60"|bit 4
!width="60"|bit 3
!width="60"|bit 2
!width="60"|bit 1
!width="60"|bit 0
|-
|[0]
|colspan="5"|'''Type'''
|colspan="3"|'''Length'''
|-
|[1-4] || colspan="8"| '''additional field'''
|-
|[x] || colspan="8"| '''Value'''
|-
|}
</small>


'''Type descriptor'''

<small>
{| class="wikitable"
|-
! Type Descriptor value !! Valid Size descriptor values !! type description
|-
| 0 || 0 || Nil
|-
| 1 || 0, 1, 2, 3, 4 || Unsigned Integer
|-
| 2 || 0, 1, 2, 3, 4 || Signed two's-complement integer
|-
| 3 || 1, 2, 4 || Universally Unique Identifier (UUID)
|-
| 4 || 5, 6, 7 || text string
|-
| 5 || 0 || booleans
|-
| 6 || 5, 6, 7 || Data element sequence, a data element whose data field is a sequence of data elements
|-
| 7 || 5, 6, 7 || Data element alternative, a data element whose data field is a sequence of data elements from which one data element is to be selected
|-
| 8 || 5, 6, 7 || Uniform Resource Locator (URL)
|-
| 9-31 || || Reserved
|}
</small>


'''Length descriptor'''


<small>
{| class="wikitable"
|-
! Size Index !! Additional bits !! Data size
|-
| 0 || 0 || 1 byte
|-
| 1 || 0 || 2 bytes
|-
| 2 || 0 || 4 bytes
|-
| 3 || 0 || 8 bytes
|-
| 4 || 0 || 16 bytes
|-
| 5 || 8 || The data size is contained in the additional  8 bits, which are interpreted as an unsigned integer
|-
| 6 || 16 || The data size is contained in the additional 16 bits, which are interpreted as an unsigned integer
|-
| 7 || 32 || The data size is contained in the additional 32 bits, which are interpreted as an unsigned integer
|-
|}
</small>
e.g.: 0x35 = 00110101 (binary) = 00110 | 101 = Type 6 | Length size index 5
==== PS4 ====
===== Request =====
<small>(without header (0x02 0x15 0x20 0x5C 0x01 0x58 0x01 0x40 0x00), see header section)</small>
<small>(without 0x02 0x1520 0x1800 0x1400 0x4000  see header section)</small>
 
<span style="background:#66ff66;">06 00 01 00 0f</span> 35 03 19 01 00 08 00 35 05 0a 00 00 ff ff 00
 
*<span style="background:#66ff66;">0x06</span> '''PDU Service Search Attribute Request'''
*<span style="background:#66ff66;">0x0001</span> Transaction ID
*<span style="background:#66ff66;">0x000F</span> Length
*0x3503: Data element (Type descriptor: 6, Size index: 5) 3 bytes
**0x19: Data element (type: 3 (UUID), size index: 1 (2 bytes))
**0x0100: L2CAP
*0x0800: Maximum Attribute Byte count (2048)?
*0x3505: Data element (Type descriptor: 6, Size index: 5) 5 bytes
**0x0A: Data element (type:1, Size index: 2 (4 bytes))
**0x0000FFFF: Attribute ID list
*0x00: Continuation State
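
The request above can be decoded mechanically from the Type/Length tables in the Data Element section. The following Python parser is an added example, not code from the original page or from Sony; the names parse_element, parse_ssa_request, SDPParseError and the MAX_DEPTH nesting limit are assumptions of this example. It goes beyond the single request by covering every element type in the table and by rejecting declared lengths that run past the buffer, which matters whenever the peer is untrusted.

```python
import struct

# Valid size indices per type descriptor, copied from the tables above.
VALID_SIZE_INDEX = {
    0: {0}, 1: {0, 1, 2, 3, 4}, 2: {0, 1, 2, 3, 4}, 3: {1, 2, 4},
    4: {5, 6, 7}, 5: {0}, 6: {5, 6, 7}, 7: {5, 6, 7}, 8: {5, 6, 7},
}
TYPE_NAMES = {0: "nil", 1: "uint", 2: "int", 3: "uuid", 4: "text",
              5: "bool", 6: "seq", 7: "alt", 8: "url"}
FIXED_SIZES = (1, 2, 4, 8, 16)  # data size in bytes for size index 0..4
MAX_DEPTH = 8                   # assumption: nesting limit picked for this example

# The PS4 request quoted above, without the HCI/L2CAP header.
PS4_REQUEST = bytes.fromhex(
    "06 00 01 00 0f 35 03 19 01 00 08 00 35 05 0a 00 00 ff ff 00")


class SDPParseError(ValueError):
    """Raised for any malformed or truncated element or PDU."""


def parse_element(buf, off=0, depth=0):
    """Decode one data element at buf[off]; return ((type_name, value), next_offset)."""
    if depth > MAX_DEPTH:
        raise SDPParseError("nesting deeper than MAX_DEPTH")
    if off >= len(buf):
        raise SDPParseError("truncated: no header byte")
    dtype, size_idx = buf[off] >> 3, buf[off] & 0x07  # 5 bits type, 3 bits size index
    if size_idx not in VALID_SIZE_INDEX.get(dtype, ()):  # reserved types map to ()
        raise SDPParseError(f"type {dtype} with size index {size_idx} is not valid")
    off += 1
    if size_idx <= 4:
        length = 0 if dtype == 0 else FIXED_SIZES[size_idx]  # Nil carries no data
    else:
        n = 1 << (size_idx - 5)  # 1, 2 or 4 additional length bytes
        if off + n > len(buf):
            raise SDPParseError("truncated: length field")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise SDPParseError("declared length runs past the end of the buffer")
    body = buf[off:end]
    if dtype in (6, 7):
        # Children are parsed from the parent's body only, so a child can
        # never claim bytes that lie outside its enclosing sequence.
        value, pos = [], 0
        while pos < len(body):
            child, pos = parse_element(body, pos, depth + 1)
            value.append(child)
    elif dtype == 1:
        value = int.from_bytes(body, "big")
    elif dtype == 2:
        value = int.from_bytes(body, "big", signed=True)
    elif dtype == 3:
        value = body.hex()
    elif dtype in (4, 8):
        value = body.decode("utf-8", errors="replace")
    elif dtype == 5:
        value = body != b"\x00"
    else:
        value = None
    return (TYPE_NAMES[dtype], value), end


def parse_ssa_request(pdu):
    """Decode a Service Search Attribute Request (PDU ID 0x06)."""
    if len(pdu) < 5:
        raise SDPParseError("truncated PDU header")
    pdu_id, tid, plen = struct.unpack_from(">BHH", pdu, 0)
    if pdu_id != 0x06:
        raise SDPParseError(f"unexpected PDU ID 0x{pdu_id:02x}")
    params = pdu[5:]
    if plen != len(params):
        raise SDPParseError("parameter length does not match PDU size")
    pattern, off = parse_element(params, 0)
    if off + 2 > len(params):
        raise SDPParseError("truncated: maximum attribute byte count")
    (max_bytes,) = struct.unpack_from(">H", params, off)
    # A 4-byte unsigned integer in the attribute ID list is a range:
    # high 16 bits = first attribute ID, low 16 bits = last attribute ID.
    attr_ids, off = parse_element(params, off + 2)
    if off >= len(params) or off + 1 + params[off] != len(params):
        raise SDPParseError("bad continuation state")
    return {
        "transaction_id": tid,
        "service_search_pattern": pattern,
        "max_attribute_bytes": max_bytes,
        "attribute_id_list": attr_ids,
        "continuation_state": bytes(params[off + 1:]),
    }


if __name__ == "__main__":
    for key, val in parse_ssa_request(PS4_REQUEST).items():
        print(f"{key}: {val!r}")
```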
 
===== Response =====
<small>(without 0x02 0x1520 0x5C01 0x5801 0x4000, see header section)</small>


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  
  00000000  <span style="background:#66ff66;">07</span> <span style="background:#66ff66;">00 01</span> <span style="background:#66ff66;">01 53</span> <span style="background:#66ff66;">01 50</span> <span style="background:#ff66ff;">36 01 4D</span> <span style="background:#ff66ff;">36 00 32</span> 09 <span style="background:#96CDCD;">00 00</span>  ....S.P6.M6.2...
  00000010  0A 00 01 00 05 09 <span style="background:#96CDCD;">00 01</span> 35 03 19 <span style="background:#008080;">11 0A</span> 09 <span style="background:#96CDCD;">00 04</span>  ........5.......
  00000020  35 10 35 06 19 <span style="background:#808080;">01 00</span> 09 00 19 35 06 19 <span style="background:#808080;">00 19</span> 09  5.5.......5.....
  00000030  01 02 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11 0D</span> 09 01 02 <span style="background:#ff66ff;">36</span>  .....5.5.......6
  00000040  <span style="background:#ff66ff;">00 32</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 06 09 <span style="background:#96CDCD;">00 01</span> 35 03 19  .2...........5..
  00000050  <span style="background:#008080;">11 0B</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35 06 19 <span style="background:#808080;">01 00</span> 09 00 19 35  .....5.5.......5
  00000060  06 19 <span style="background:#808080;">00 19</span> 09 01 02 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11</span>  ..........5.5...
  00000070  <span style="background:#008080;">0D</span> 09 01 02 <span style="background:#ff66ff;">36 00 3B</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 07 09  ....6.;.........
  00000080  <span style="background:#96CDCD;">00 01</span> 35 06 19 <span style="background:#008080;">11 0E</span> 19 <span style="background:#008080;">11 0F</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35  ..5..........5.5
  00000090  06 19 <span style="background:#808080;">01 00</span> 09 00 17 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09  .......5........
  000000A0  <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11 0E</span> 09 01 04 09 <span style="background:#96CDCD;">03 11</span> 09  ..5.5...........
  000000B0  00 02 <span style="background:#ff66ff;">36 00 4D</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 08 09 <span style="background:#96CDCD;">00 01</span>  ..6.M...........
  000000C0  35 03 19 <span style="background:#008080;">11 0C</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35 06 19 <span style="background:#808080;">01 00</span> 09  5.......5.5.....
  000000D0  00 17 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09 <span style="background:#96CDCD;">00 09</span> 35 08 35  ..5..........5.5
  000000E0  06 19 <span style="background:#008080;">11 0E</span> 09 01 04 09 <span style="background:#96CDCD;">00 0D</span> 35 10 35 06 19 <span style="background:#808080;">01</span>  ..........5.5...
  000000F0  <span style="background:#808080;">00</span> 09 00 1B 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09 <span style="background:#96CDCD;">03 11</span> 09  ....5...........
  00000100  00 01 <span style="background:#ff66ff;">36 00 52</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 0A 09 <span style="background:#96CDCD;">00 01</span>  ..6.R...........
  00000110  35 03 19 <span style="background:#008080;">12 00</span> 09 <span style="background:#96CDCD;">00 04</span> 35 0D 35 06 19 <span style="background:#808080;">01 00</span> 09  5.......5.5.....
  00000120  00 01 35 03 19 <span style="background:#808080;">00 01</span> 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">12</span>  ..5.......5.5...
  ...
<div style="height:350px; width:650px; overflow:auto">
<div style="height:350px; width:650px; overflow:auto">


*<span style="background:#66ff66;">07</span> '''PDU Service Search Attribute Response'''
*<span style="background:#66ff66;">07</span> Bluetooth SDP Protocol Data Unit (PDU): Service Search Attribute Response (0x7)
 
<small>Service Search Attribute Request (0x6)</small>
*<span style="background:#66ff66;">00 01</span> Transaction ID
*<span style="background:#66ff66;">00 01</span> Transaction ID
*<span style="background:#66ff66;">01 53</span> Length
*<span style="background:#66ff66;">01 53</span> Length
*<span style="background:#66ff66;">01 50</span> Length
*<span style="background:#66ff66;">01 50</span> Length


*<span style="background:#ff66ff;">36| 01 4D</span> type:6, size index:6 + Length
See [https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery assigned IDs]:


*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{0x01000A (65546)}


See [https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery assigned IDs]:


<span style="background:#ff66ff;">36 00 32</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{0x010005 (65541)}
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:  
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:  
{<span style="background:#008080;">0x110A</span> Audio Source} //Advanced Audio Distribution Profile (A2DP)
{<span style="background:#008080;">0x110A</span> Audio Source}
 
 
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{<span style="background:#808080;">0x0100</span> L2CAP , 0x0019 } ,{ <span style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)}
{<span style="background:#808080;">0x0100</span> L2CAP , 0x0019 } ,{ <span style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)}
 
 
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}




<span style="background:#ff66ff;">36 00 32</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010006 (65542) }
{ 0x010006 (65542) }
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
{ <span style="background:#008080;">0x110B</span> Audio Sink } //A2DP
{ <span style="background:#008080;">0x110B</span> Audio Sink }
 
 
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0019 (25)  }  , { <span style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)  }
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0019 (25)  }  , { <span style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)  }
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}




<span style="background:#ff66ff;">36 00 3B</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010007 (65543) }
{ 0x010007 (65543) }
*<span style="background:#96CDCD;">0x0001</span> Service ClassID List-->value:
*<span style="background:#96CDCD;">0x0001</span> Service ClassID List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , <span style="background:#008080;">0x110F</span> Video Conferencing / A/V Remote Control Controller }
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , <span style="background:#008080;">0x110F</span> Video Conferencing / A/V Remote Control Controller }
<ref>
 
<small>The Audio/Video Remote Control Profile (AVRCP) specification v1.3 and later require that 0x110E also be included in the ServiceClassIDList before 0x110F for backwards compatibility</small>
<small>(NOTE: The Audio/Video Remote Control Profile (AVRCP) specification v1.3 and later require that 0x110E also be included in the ServiceClassIDList before 0x110F for backwards compatibility)</small>
</ref>
 
 
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }  
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }  
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
{ 0x02 }  
{ 0x02 }  




<span style="background:#ff66ff;">36 00 4D</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010008 (65544) }
{ 0x010008 (65544) }
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
{ <span style="background:#008080;">0x110C</span> Audio/Video Remote Control Target  }
{ <span style="background:#008080;">0x110C</span> Audio/Video Remote Control Target  }
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }  
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }  
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
*<span style="background:#96CDCD;">0x000D</span> Additional Protocol Descriptor Lists-->value:
*<span style="background:#96CDCD;">0x000D</span> Additional Protocol Descriptor Lists-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x001B (27) }  {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x001B (27) }  {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
{ 0x01 }
{ 0x01 }
}}




<span style="background:#ff66ff;">36 00 52</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:  
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:  
{0x01000A (65546)}
{0x01000A (65546)}
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:  
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:  
{ <span style="background:#008080;">0x1200</span> PnP Information }
{ <span style="background:#008080;">0x1200</span> PnP Information }
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0001  }  , { <span style="background:#808080;">0x0001</span> SDP }
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x1200</span> PnP Information , 0x0103 (259) }
{ <span style="background:#008080;">0x1200</span> PnP Information , 0x0103 (259) }
*<span style="background:#96CDCD;">0x0200</span> Specification ID-->value:
 
 
*<span style="background:#96CDCD;">0x0200</span> GoepL2capPsm (BIP v1.1 and later)-->value:
{ 0x0103 (259) }
{ 0x0103 (259) }
*<span style="background:#96CDCD;">0x0201</span> Vendor ID<ref><small>See [[DS4-USB|Device Descriptor]]</small></ref>-->value:
 
{ 0x054C } (Sony Corp.)  
 
*<span style="background:#96CDCD;">0x0202</span> Product ID-->value:
*<span style="background:#96CDCD;">0x0201</span> Service Database State-->value:
{ 0x081F }
{ 0x054C }
*<span style="background:#96CDCD;">0x0203</span> Version-->value:
 
{ 0x0100 }
or
*<span style="background:#96CDCD;">0x0204</span> Primary Record-->value:
 
{ 0x01 }
Specification ID 0x0200-->value: 0x0103
*<span style="background:#96CDCD;">0x0205</span> Vendor ID Source-->value:
 
{ 0x0002 }
Vendor ID 0x0201-->value: 0x054C (Sony Corp.)  
 
Product ID 0x0202-->value: 0x081F
 
Version         0x0203-->value: 0x0100
 
Primary Record 0x0204-->value: 0x01
 
Vendor ID Source 0x0205-->value: 0x0002
 
</div><br />
</div><br />


==== DS4 ====
==== DS4 ====
===== Response =====
This response is 708 bytes long: the DS4 does not respect the 672-byte outgoing L2CAP MTU.


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  
  00000000  07 00 01 02 BF 02 BC 36 02 B9 36 <span style="background:#ff66ff;">02 61</span> 09 00 00  ....¿.¼6.¹6.a...
  00000010  0A 00 01 00 01 09 00 01 35 03 19 11 24 09 00 04  ........5...$...
  00000020  35 0D 35 06 19 01 00 09 00 11 35 03 19 00 11 09  5.5.......5.....
  ...
  00000240  08 35 06 09 04 09 09 01 00 09 02 08 28 00 09 02  .5..........(...
  00000250  09 28 01 09 02 0A 28 01 09 02 0B 09 01 00 09 02  .(....(.........
  00000260  0C 09 1F 40 09 02 0D 28 00 09 02 0E 28 00 36 <span style="background:#ff66ff;">00</span>  ...@...(....(.6.
  00000270  <span style="background:#ff66ff;">52</span> 09 00 00 0A 00 01 00 02 09 00 01 35 03 19 12  R...........5...
  00000280  00 09 00 04 35 0D 35 06 19 01 00 09 00 01 35 03  ....5.5.......5.
  00000290  19 00 01 09 00 09 35 08 35 06 19 12 00 09 01 03  ......5.5.......
  ...
  000002C0  09 '''00 02''' 00                                      ....


0x07 PDU
0x0001 Transaction ID
0x02BF Length

0x02BC Length

0x36|02B9 type:6, size index:6 + Length

<span style="background:#ff66ff;">0x36|0261</span> type:6, size index:6 + Length first chunk

0x0000 Service Record Handle-->value {0x010001}
*0x0001 Service Class ID List-->value {0x1124 Human Interface Device (HID)}
*0x0004 Protocol Descriptor List-->value {0x0100 L2CAP , 0x0011 } ,{ 0x0011 Human Interface Device Profile (HIDP) , 0x0102 (258)}
*0x0006 Language Base Attribute ID List<ref><small>A list of language bases that contains a language identifier according to [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639:1] , a character encoding identifier and a base attribute ID (0x0100) for the languages used in the service record.</small></ref>-->: value = { 0x656E ("en"), 0x6A (106), 0x100(256)  }
*0x0009 Bluetooth Profile Descriptor List--> value = { 0x1124 Human Interface Device Service , 0x100(256)}
*0x000D Additional Protocol Descriptor Lists--> value = { { 0x0100 L2CAP , 0x0013(19)  } , { 0x00 11HIDP } }
*0X0100 Service Name--> value = "Wireless Controller"
*0x0101 Service Description--> value = "Game Controller"
*0x0102 Provider Name--> value = "Sony Computer Entertainment"
*0x0200 GOEP L2CAP PSM/Group Id/IP Subnet (0x200)--> value = 0x100 (256)
*0x0201 Service Database State--> value = 273


...
Version         0x0203-->value: 0x0100


<span style="background:#ff66ff;">0x36|0052</span> type:6, size index:6 + Length second chunk
Primary Record 0x0204-->value: 0x01


0x0000 Service Record Handle-->value {0x010002}
Vendor ID Source 0x0205-->value: 0x0002
*0x0001 Service Class ID List-->value {0x1200 Device Identification (DID)}
*0x0004 Protocol Descriptor List-->
 
*0x0200 Specification ID-->value: 0x0103
*0x0201 Vendor ID-->value: 0x054C (Sony Corp.)
*0x0202 Product ID-->value: 0x05C4 (Sony Computer Entertainment Wireless Controller)
*0x0203 Version-->value: 0x0100
*0x0204 Primary Record-->value: 0x01
*0x0205 Vendor ID Source-->value: 0x0002
 
==== Notes: ====
{{reflist}}


=== HID Report header & footer ===
=== HID Report header & footer ===
==== Examples ====
==== Examples ====
 
Here's a sample HCI transaction that represents a report from the DS4 to the PS4:
{{Spoiler|HCI Command Packet example|
<pre>
0000  01 13 0c f8 57 69 72 65 6c 65 73 73 20 43 6f 6e  ....Wireless Con
0010  74 72 6f 6c 6c 65 72 00 00 00 00 00 00 00 00 00  troller.........
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00              ............   
</pre>
*0x01: HCI Command Packet
 
*0x130C (0x0C13) Op-code (16 bits): identifies the command:
 
OGF (Op-code Group Field, most significant 6 bits):
 
OCF (Op-code Command Field, least significant 10 bits):
 
*0xF8 (248) Length of Packet
 
}}
 
{{Spoiler|HCI Event Packet example|
 
<pre>
04 13 05 01 15 00 01 00
</pre>
 
*0x04 Packet Type: HCI Event Packet
 
*0x13 Event code
 
*0x05 Parameter total length
 
*0x01 Number of Connection handles
 
*0x1500 (0x15) Connection handle
 
*0x0100 (1) Number of completed packets
 
}}
 
Here's a sample HCI ACL Data Packet transaction that represents a report from the DS4 to the PS4:




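Review bot: in the Examples block, the lead-in "Here's a sample HCI transaction that represents a report from the DS4 to the PS4:" sits directly above the HCI Command Packet spoiler, whose bytes are packet type 0x01, op-code 0x0C13 and the string "Wireless Controller"; that is a command, not an input report, and the same lead-in is already used correctly for the ACL example. Rather than dropping these examples, reword that first lead-in and fill in the two empty op-code lines: 0x0C13 splits into OGF 0x03 (most significant 6 bits) and OCF 0x013 (least significant 10 bits). In the service record breakdown, "{ 0x00 11HIDP }" should read "0x0011 HIDP", "0X0100" should match the lowercase 0x used elsewhere, and the labels given to 0x0200 and 0x0201 in the first record differ from the ones the second record gives the same IDs, so they need checking against the service class 0x1124.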
Line 501: Line 283:
  00000050  <span style="background:#66ff66;">00 00 00 00</span> <span style="background:lime;">7D 0A 5D 0B</span>
  00000050  <span style="background:#66ff66;">00 00 00 00</span> <span style="background:lime;">7D 0A 5D 0B</span>


(For Packet type 2)


{| class="wikitable"
{| class="wikitable"
Line 508: Line 291:
| rowspan="5" style="background-color:#ff6666;"|'''Header''' ||0x00||0x01||0x02|| (2) Packet Type:
| rowspan="5" style="background-color:#ff6666;"|'''Header''' ||0x00||0x01||0x02|| (2) Packet Type:
<small>
<small>
*0x00: Acknowledgement Packets ?
*0x01: HCI Command Packet (send commands to the Host Controller)
*0x01: HCI Command Packet (send commands to the Host Controller)
*'''0x02: HCI ACL Data Packet''' (exchange Asynchronous Connection-Less data between the Host and Host Controller)
*'''0x02: HCI ACL Data Packet''' (exchange Asynchronous Connection-Less data between the Host and Host Controller)
Line 529: Line 313:
</small>
</small>
|-
|-
|0x03||0x02||0x5300||(83) Total length
|0x03||0x02||0x5300||(For Packet type 2)
<small>(83) Length of Packet</small>
|-
|-
|0x05||0x02||0x4F00||(79) Data Length (Payload+Check)
|0x05||0x02||0x4F00||(79) Length (Payload+Check)
|-
|-
|0x07||0x02||0x4200||(0x0042) Channel ID (CID)
|0x07||0x02||0x4200||(0x0042) Channel ID (CID)
|-
|-
| rowspan="2" style="background-color:#66ff66;"|'''HID portion'''||0x09||0x03||0xA111C0|| Packet '''Payload''' header: INPUT DATA protocol code 0x11 (see Structure HID transaction)
| rowspan="2" style="background-color:#66ff66;"|'''HID portion'''||0x09||0x03||0xA111C0|| Packet Payload header: INPUT DATA protocol code 0x11 (see Structure HID transaction)
|-
|-
|0x0C||0x48||0x0083 … 0x00 || Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL.
|0x0C||0x48||0x0083 … 0x00 || Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL.
|-
|-
|style="background-color:lime;"|'''Check'''||0x54||0x04||0x7D0A5D0B||(0x0B5D0A7D) Data Integrity Check ({{G|CRC}}-32)
|rowspan="3" style="background-color:lime;"|'''Check'''||0x54||0x04||0x7D0A5D0B||(0x0B5D0A7D) Data Integrity Check ({{G|CRC}}-32)
<small>
<small>
To ensure that the packet is valid, this field is appended onto the end of the packet. Packet Payload is used to compute the Data Integrity Check (the CRC32's polynomial is 0x4C11DB7).
To ensure that the packet is valid, this field is appended onto the end of the packet. Packet Payload is used to compute the Data Integrity Check (the CRC32's polynomial is 0x4C11DB7)
</small>
|-
|}
 
Packet type 4 example:
 
04 13 05 01 15 00 01 00
 
{| class="wikitable"
|-
! Offset !! Size !! Value !! Description
|-
| 0x00||0x01||0x04|| (4) Packet Type:
<small>
*HCI Event Packet
</small>
|-
|0x01||0x01||0x13|| Event code
|-
|0x02||0x01||0x05|| Parameter total length
|-
|0x03||0x01||0x01|| Number of Connection handles
|-
|0x04||0x02||0x1500||(0x15) Connection handle
|-
|0x06||0x02||0x0100||(1) Number of completed packets
|-
|}
 
==== CRC32 ====


You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter the packet payload into the textbox (hex):
You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter the packet payload into the textbox (hex):
{{Spoiler|First 75 bytes of the HID report|
{{Spoiler|First 75 bytes of the HID report|
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00}}
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00}}
</small>
|-
|}


=== Structure HID transaction (portion) ===
=== Structure HID transaction (portion) ===
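Review bot: in the Check row, the variant with rowspan="3" has only one row of cells under it and leaves the small tag open across the "You can use ..." sentence and the spoiler, closing the tag and the table only after the payload bytes. The other variant drops the rowspan, closes the cell and the table right after the polynomial sentence and puts the calculator link under its own CRC32 heading; keep that one. On that same side, the "Packet type 4 example" table repeats the eight bytes 04 13 05 01 15 00 01 00 already decoded in the HCI Event Packet spoiler, so one of the two can go.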
Line 577: Line 389:
*0x00:
*0x00:
*0x01:
*0x01:
*0x02:
</small>
</small>
|colspan="2"|'''report type:'''  
|colspan="2"|'''report type:'''  
Line 599: Line 410:
Protocol code:
Protocol code:
===== 0x01 =====
===== 0x01 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x01.
This report is sent until the GET REPORT FEATURE 0x02 is received.
This report is sent until the GET REPORT FEATURE 0x02 is received.
 
                                     
Supposition: a PC can understand this report?
0xa1, '''0x01''', 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
 
            ^Left Stick X ...      ^D-PAD
Report example:
<pre>0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00,
0x00, 0x00, 0x00</pre>
 
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x01
|-
|
|colspan="8"|The following structure is a supposition.
|-
|[2]
|colspan="8"|Left Stick X (0 = left)
|-
|[3]
|colspan="8"|Left Stick Y (0 = up)
|-
|[4]
|colspan="8"|Right Stick X
|-
|[5]
|colspan="8"|Right Stick Y
|-
|[6]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[7]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[8]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[9]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[10]
|colspan="8"|Right Trigger
|}


===== 0x11 =====
===== 0x11 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x11.
This report is sent once the GET REPORT FEATURE 0x02 is received.
This report is sent once the GET REPORT FEATURE 0x02 is received.
See example


Report example:
==== HID output reports ====
<pre>0xa1, 0x11, 0xc0, 0x00, 0x7d, 0x7d, 0x81, 0x7e, 0x08, 0x00, 0x28, 0x00, 0x00, 0x8c, 0xf3, 0x01,
0x13, 0x00, 0xf8, 0xff, 0x05, 0x00, 0x31, 0xfe, 0x3f, 0x0f, 0xd1, 0xe3, 0x00, 0x00, 0x00, 0x00,
0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80,
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x22, 0x7b, 0xa0</pre>
 
If you look carefully, it is very similar to the reports sent over USB if you ignore the first 3 bytes.
 
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x11
|-
|[2]
|colspan="8"|0xc0
|-
|[3]
|colspan="8"|Report ID (always 0x00)
|-
|[4]
|colspan="8"|Left Stick X (0 = left)
|-
|[5]
|colspan="8"|Left Stick Y (0 = up)
|-
|[6]
|colspan="8"|Right Stick X
|-
|[7]
|colspan="8"|Right Stick Y
|-
|[8]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[9]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[10]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[11]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[12]
|colspan="8"|Right Trigger
|-
|[13 - 14]
|colspan="8"|Seems to be a timestamp. A common increment value between two reports is 188 (at full rate the report period is 1.25ms). This timestamp is used by the PS4 to process acceleration and gyroscope data.
|-
|[15]
|colspan="8"|battery (0x00 to 0xff)
|-
|[16 - 17]
|colspan="8"|Angular velocity X
|-
|[18 - 19]
|colspan="8"|Angular velocity Y
|-
|[20 - 21]
|colspan="8"|Angular velocity Z
|-
|[22 - 23]
|colspan="8"|Acceleration X
|-
|[24 - 25]
|colspan="8"|Acceleration Y
|-
|[26 - 27]
|colspan="8"|Acceleration Z
|-
|[28 - 32]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[33]
|0x00
|phone
|mic
|usb
|colspan="4"|battery level
|-
|[34 - 35]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[36]
|colspan="8"|number of trackpad packets (0x00 to 0x04)
|-
|[37]
|colspan="8"|packet counter
|-
|[38]
|active low
|colspan="7"|finger 1 id
|-
|[39 - 41]
|colspan="8"|finger 1 coordinates
|-
|[42]
|active low
|colspan="7"|finger 2 id
|-
|[43 - 45]
|colspan="8"|finger 2 coordinates
|-
|[46]
|colspan="8"|packet counter
|-
|[47]
|active low
|colspan="7"|finger 1 id
|-
|[48 - 50]
|colspan="8"|finger 1 coordinates
|-
|[51]
|active low
|colspan="7"|finger 2 id
|-
|[52 - 54]
|colspan="8"|finger 2 coordinates
|-
|[55]
|colspan="8"|packet counter
|-
|[56]
|active low
|colspan="7"|finger 1 id
|-
|[57 - 59]
|colspan="8"|finger 1 coordinates
|-
|[60]
|active low
|colspan="7"|finger 2 id
|-
|[61 - 63]
|colspan="8"|finger 2 coordinates
|-
|[64]
|colspan="8"|packet counter
|-
|[65]
|active low
|colspan="7"|finger 1 id
|-
|[66 - 68]
|colspan="8"|finger 1 coordinates
|-
|[69]
|active low
|colspan="7"|finger 2 id
|-
|[70 - 72]
|colspan="8"|finger 2 coordinates
|-
|[73 - 74]
|colspan="8"|Unknown 0x00 0x00 or 0x00 0x01
|-
|[75 - 78]
|colspan="8"|CRC-32 of the first 75 bytes.
|}
 
Most of the time there is only 1 trackpad packet per report.
 
Below is a sample for bytes 36 to 72 with 4 trackpad packets:
 
<pre>0x04,
0x01,
0x04, 0x69, 0x91, 0x1a,
0x06, 0x15, 0x45, 0x1a,
0x05,
0x04, 0x66, 0x11, 0x1a,
0x06, 0x10, 0x15, 0x1a,
0x0a,
0x04, 0x63, 0x81, 0x19,
0x06, 0x0c, 0xe5, 0x19,
0x0f,
0x04, 0x5f, 0xf1, 0x18,
0x06, 0x08, 0xc5, 0x19</pre>
 
==== HID OUTPUT reports ====
Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.
Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.


Protocol code:
Protocol code:
===== 0x11 =====
===== 0x11 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x11.
First bit at byte 2 specifies whether to enable control. Byte at index 4 specifies which individual control to enable.
Report example:
0xa2, '''0x11''', 0xc0, 0x20, 0xf0, 0x04, 0x00, 0x00, 0x00, <span style="color:#ff0000">0x00</span>, <span style="color:#008000">0x00</span>, <span style="color:#0000ff">0x00</span>, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:lime">0xd8, 0x8e, 0x94, 0xdd</span>
Speculation:
0x11 may be not a packet ID but encoded packet size.
Lower digit (0x01) satisfies formula: '''((packet_size - 15) >> 6) + 1'''
(packet_size does not include '0xa2'; >> - bit shift right - equivalent to integer division by 64)
This formula seems to work for all packets (0x11..0x18).
Packet 0x19 looks like clamped by max packet size.
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x11'''
|-
|[2]
|colspan="1"|Controls
|colspan="7"|Unknown
|-
|[3]
|colspan="8"|Unknown
|-
|[4]
|colspan="4"|0x0f
|colspan="1"|Unknown
|colspan="1"|Flash
|colspan="1"|Color
|colspan="1"|Rumble
|-
|[5 - 6]
|colspan="8"|Unknown
|-
|[7]
|colspan="8"|Rumble (right / weak)
|-
|[8]
|colspan="8"|Rumble (left / strong)
|-
|[9]
|colspan="8"|RGB color (<span style="color:#ff0000">R</span>ed)
|-
|[10]
|colspan="8"|RGB color (<span style="color:#008000">G</span>reen)
|-
|[11]
|colspan="8"|RGB color (<span style="color:#0000ff">B</span>lue)
|-
|[12]
|colspan="8"|Flash LED bright
|-
|[13]
|colspan="8"|Flash LED dark
|-
|[14 - 21]
|colspan="8"|Unknown
|-
|[22]
|colspan="8"|Volume left
|-
|[23]
|colspan="8"|Volume right
|-
|[24]
|colspan="8"|Volume mic - speculation
|-
|[25]
|colspan="8"|Volume speaker
|-
|[26-74]
|colspan="8"|Unknown
|-
|<span style="background:lime">[75 - 78]</span>
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x14 =====
===== 0x14 =====
Contains sound.
Speculation: contains sound.


  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   
     0000  <span style="background:#ff6666;">0f 01 42 00</span> a2 '''14''' 40 a0 f4 69 02 <span style="background:#ffff00;">9c 75 19 24</span> 00  [email protected].$.
     0000  <span style="background:#ff6666;">0f 01 42 00</span> a2 '''14''' 40 a0 f4 69 02 9c 75 19 24 00  [email protected].$.
     0010  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0010  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0020  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
     0020  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
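Review bot: row [0] of every Data Format table in this hunk (input 0x01, input 0x11, output 0x11) spans 4 + 2 + 4 = 10 columns under a header that has only 8 bit columns. The first byte is 0xa1 or 0xa2, so the transaction type 0x0a fills bits 7 to 4, 0x00 fills bits 3 to 2 and the report type fills bits 1 to 0; the last cell should use colspan="2". These tables are on the side this change removes, so fix the colspan there instead of losing the byte layouts. Separately, the ASCII column of the 0x14 dump at offset 0000 reads "[email protected].$." on both sides, which is an e-mail obfuscation artifact and not dump output.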
Line 1,008: Line 437:
     0050  b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
     0050  b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
     0060  b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0060  b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00  ....m.m.....u.$.
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 9c 75 19 24 00  ....m.m.....u.$.
     0080  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0080  00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
     0090  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
     0090  6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
Line 1,019: Line 448:
     0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime;">9f</span>  ................
     0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime;">9f</span>  ................
     0110  <span style="background:lime;">42 86 54</span>                                        B.T
     0110  <span style="background:lime;">42 86 54</span>                                        B.T
    <span style="background:#ffff00;">Bluetooth SBC header</span>  http://tools.ietf.org/html/draft-hoene-avt-rtp-sbc-05#section-6.2
   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | SYNCWORD      |SF.|BL.|CM.|A|S|BITPOOL        |CRC_CHECK      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Legend: SF.=SAMPLING FREQUENCY, BL.=BLOCKS, CM.=CHANNEL_MODE, A.=ALLOCATION_METHOD, S.=SUBBANDS
    0x9c = 156 syncword (always set to 156)
    1 byte - sf bl cm a s (msb..lsb)
      * frequency:
          00-16000
          01-32000
          10-44100
          11-48000
      * blocks:
          00-4
          01-8
          10-12
          11-16
      * channels:
          00-MONO
          01-DUAL_CHANNEL
          10-STEREO
          11-JOINT_STEREO
      * allocation method:
          0-loudnes
          1-SNR
      * subbands:
          0-4
          1-8
    1 byte - bitpool
            This unsigned integer indicates the size of the bit
            allocation pool that has been used for encoding the current
            block.The value of the bit - pool field MUST NOT exceed 16
            times the number of subbands for the MONO and DUAL_CHANNEL
            channel modes and 32 times the number of subbands for the
            STEREO and JOINT_STEREO channel modes.The bitpool value
            MAY change from SBC frame to the next.In addition, the
            bitpool value MUST be restricted such that it does not
            result in excess of maximum bit rate, which is 320kb / s for
            mono and 512kb / s for two - channel modes.


===== 0x15 =====
===== 0x15 =====
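Review bot: the SBC header legend lists the value tables for each field but never applies them to the 9c 75 19 24 header highlighted in the dumps, which is what a reader needs in order to check the claim that these reports carry sound. Add the decode next to the legend: 0x75 is 01 11 01 0 1 from msb to lsb, giving 32000 Hz, 16 blocks, DUAL_CHANNEL, loudness allocation and 8 subbands, with bitpool 0x19 (25) and CRC_CHECK 0x24. While there, fix "0-loudnes" and the missing spaces after the full stops in the bitpool paragraph ("block.The", "next.In").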
Line 1,073: Line 459:
     0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0050  00 00 00 <span style="background:pink;">f6 69</span> 02 <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  ....i..u.$......
     0050  00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00  ....i..u.$......
     0060  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0060  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
     0070  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
Line 1,080: Line 466:
     00a0  b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
     00a0  b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
     00b0  bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
     00b0  bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
     00c0  db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  .m.....u.$......
     00c0  db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00  .m.....u.$......
     00d0  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     00d0  00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
     00e0  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
     00e0  b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
Line 1,102: Line 488:
*0xFF: LED (<span style="color:#0000ff">B</span>lue)
*0xFF: LED (<span style="color:#0000ff">B</span>lue)
...
...
0xB598A90F: <span style="color:lime">Check</span> (CRC-32 from offset 0x04 to 0x14E)
0xB598A90F: <span style="color:lime">Check</span> (CRC-32 (from 0xA2))
 
===== 0x17 =====
===== 0x17 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x17.
Report example:
0xa2, 0x17, 0x40, 0xa0, <span style="background:pink;">0xb4, 0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x6b, 0xa2, 0x38, 0xe6
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|[1]
|colspan="8"|0x17
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[6 - 458]
|colspan="8"|Bluetooth SBC Data
|-
|[459 - 462]
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x18 =====
===== 0x18 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x18.
Report example:
0xa2, '''0x18''', 0x48, 0xa1, <span style="background:pink;">0xb4, 0x06</span>, 0x22, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6,
0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33,
0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6,
0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
<span style="background:#ffff00;">0x9c, 0x7d, 0x33</span>, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6,
0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6,
0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6,
0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x3b, 0x16, 0xec
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x18'''
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[7 - 471]
|colspan="8"|Bluetooth SBC Data
|-
|[472 - 526]
|colspan="8"|Paddind - speculation
|-
|[527 - 530]
|colspan="8"|CRC-32 of the previous bytes.
|}


===== 0x19 =====
===== 0x19 =====
The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x19.
Report example:
0xa2, '''0x19''', 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:pink;">0xc2,
0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x46, 0x86, 0x51, 0x90
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x19'''
|-
|[2 - 78]
|colspan="8"|Same as [[DS4-BT#0x11_2|output report 0x11]].
|-
|[79]
|colspan="8"|Unknown
|-
|<span style="background:pink;">[80-81]</span>
|colspan="8"| Audio frame count - increases the number of frames in the packet (4 in this example)
|-
|[82]
|colspan="8"| Audio header
|-
|[83-533]
|colspan="8"| Bluetooth SBC Data
|-
|[533 - 547]
|colspan="8"| Padding - speculation
|-
|[548 - 551]
|colspan="8"|CRC-32 of the previous bytes.
|}
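The audio region of report 0x19 can be walked frame by frame, as in this added example (not part of the original page). The header bit layout and the frame-length formula come from the A2DP SBC specification, not from this page, and the function names are hypothetical. The sample frame is rebuilt from the bytes of the report example above, where the header 0x9c, 0x75, 0x19, 0x24 decodes to 32 kHz, 16 blocks, dual channel, 8 subbands, bitpool 25 and a 112-byte frame, which matches the spacing of the highlighted sync words.

```python
import math

# Header field encodings from the A2DP SBC specification (not from this page).
FREQ_HZ = (16000, 32000, 44100, 48000)
BLOCKS = (4, 8, 12, 16)
MODES = ("MONO", "DUAL_CHANNEL", "STEREO", "JOINT_STEREO")

def parse_sbc_header(buf, off):
    """Decode the 4-byte SBC header at buf[off] and derive the frame length."""
    if off + 4 > len(buf):
        raise ValueError("truncated SBC header at offset %d" % off)
    if buf[off] != 0x9C:
        raise ValueError("no SBC syncword at offset %d" % off)
    cfg, bitpool = buf[off + 1], buf[off + 2]
    blocks = BLOCKS[(cfg >> 4) & 3]
    mode = (cfg >> 2) & 3
    subbands = 8 if cfg & 1 else 4
    channels = 1 if mode == 0 else 2
    scale_bytes = 4 * subbands * channels // 8
    if mode < 2:   # MONO / DUAL_CHANNEL
        audio_bits = blocks * channels * bitpool
    else:          # STEREO / JOINT_STEREO (one join bit per subband when joint)
        audio_bits = (subbands if mode == 3 else 0) + blocks * bitpool
    return {"freq_hz": FREQ_HZ[cfg >> 6], "blocks": blocks, "mode": MODES[mode],
            "subbands": subbands, "bitpool": bitpool,
            "length": 4 + scale_bytes + math.ceil(audio_bits / 8)}

def walk_sbc_frames(buf, off):
    """Return (offset, header) for each frame from off; stop at zero padding."""
    frames = []
    while off < len(buf) and buf[off] != 0x00:
        hdr = parse_sbc_header(buf, off)
        if off + hdr["length"] > len(buf):
            raise ValueError("SBC frame at %d overruns the report" % off)
        frames.append((off, hdr))
        off += hdr["length"]
    return frames

# One frame as it appears in the page's 0x19 example: header 9c 75 19 24,
# 8 scale-factor bytes of 0x00, then a 25-byte pattern repeated 4 times.
PATTERN = bytes.fromhex("76 db 6d bb 6d b6 dd b6 db 6e db 6d b7"
                        " 6d b6 db b6 db 6d db 6d b6 ed b6 db")
FRAME = bytes.fromhex("9c 75 19 24") + bytes(8) + PATTERN * 4
AUDIO = FRAME * 4 + bytes(14)  # 4 frames, then the zero bytes before the CRC-32
```

Deriving each frame length from its own header and checking it against the end of the buffer keeps a malformed header from pushing the walk past the report.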


==== HID features reports ====
There is a periodic report sequence that consists of 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE reports. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4.
There is another periodic report sequence that consists of one 0x03 SET FEATURE report and one 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report.
These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters.
A user-mode application can obtain (get) and set feature information by using this report designation.
===== GET FEATURE =====
Each GET FEATURE report sent by the PS4 is answered by the DS4 with a DATA FEATURE report.
====0x02====
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x04 GET REPORT
|colspan="1"|0x01
|colspan="1"|0x00
|colspan="4"|0x03 FEATURE
|-
|[1]
|colspan="8"|Report id
|-
|[2 - 3]
|colspan="8"|Buffer size.
|}
====== 0x02 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x02.
The bytes in this report do not seem to fluctuate.
Report example:
<pre>0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd,
0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0,
0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x02
|-
|[2 - 37]
|colspan="8"|TODO, work in progress.
|}
====== 0x04 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x04.
Most bytes from index 4 change between two reports.
Report example:
<pre>0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda,
0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48,
0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x04
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 43]
|colspan="8"|TODO, work in progress.
|-
|[44 - 47]
|colspan="8"|CRC-32 of the previous bytes.
|}
====== 0x06 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x06.
The bytes in this report do not seem to fluctuate. They are the same in two different controllers.
Report example:
<pre>0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x06
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|-
|[50 - 53]
|colspan="8"|CRC-32 of the previous bytes.
|}
====== 0xA3 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xa3.
It is identical to 0x06 except that there's no CRC-32 at the end of the packet.
Report example:
<pre>0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xa3
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|}
====== 0xF1 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf1.
This report is part of the authentication sequence: it contains challenge response data.
Report example:
<pre>0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e,
0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d,
0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03,
0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e,
0xb3</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf1
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x12)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge response data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}
The sequence is 1040 bytes long with the following structure:
<pre>
struct ds4_response {
    unsigned char signature[0x100];
    unsigned char serial_num[0x10];
    unsigned char n[0x100];
    unsigned char e[0x100];
    unsigned char casig[0x100];
};
</pre>
<u>signature</u> - is a PSS signature of the nonce, signed with DS4's private key<br>
<u>serial_num</u> - is the controller/cert serial number<br>
<u>n</u> - DS4's Public Key prime<br>
<u>e</u> - DS4's Public Key exponent<br>
<u>casig</u> - is a PSS signature (signed by Sony's CA private key) of the <u>serial_num</u>, <u>n</u> and <u>e</u><br>
The last (19th) packet is padded with 24 bytes.
====== 0xF2 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf2.
This report is part of the authentication sequence: it indicates if the challenge response is ready.
Report example:
<pre>0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c,
0xef</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf2
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="3"|0x00
|colspan="1"|0x01 = not ready
0x00 = ready
|colspan="4"|0x00
|-
|[4 - 12]
|colspan="8"|padded with 0x00.
|-
|[13 - 16]
|colspan="8"|CRC-32 of the previous bytes.
|}
===== SET FEATURE =====
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte.
====== 0x03 ======
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0x03.
Most bytes from index 4 change between two reports.
Report example:
<pre>0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad,
0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf,
0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x03
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 35]
|colspan="8"|TODO, work in progress.
|-
|[36 - 39]
|colspan="8"|CRC-32 of the previous bytes.
|}
====== 0xF0 ======
The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0xf0.
This report is part of the authentication sequence: it contains challenge data.
Report example:
<pre>0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9,
0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae,
0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a,
0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac,
0x82</pre>
{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf0
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x04)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}
The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes.
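The fragmentation described for 0xF0 (5 reports, 256-byte challenge) and for 0xF1 (19 reports, 1040-byte ds4_response) can be checked on captured traffic with one reassembler, shown here as an added example that is not part of the original page. It assumes the CRC-32 is the zlib variant stored little-endian and that the sequence counter stays constant within one sequence; the function names are hypothetical and the sample traffic is constructed.

```python
import zlib

FRAG = 56                       # payload bytes per report, indices 5..60
SPEC = {0xF0: (0x53, 5, 256),   # report id: (header byte, report count, message length)
        0xF1: (0xA3, 19, 1040)}
FIELDS = (("signature", 0x100), ("serial_num", 0x10), ("n", 0x100),
          ("e", 0x100), ("casig", 0x100))   # struct ds4_response

def crc_ok(report):
    # Assumption: zlib-style CRC-32 over all preceding bytes, little-endian.
    return zlib.crc32(report[:-4]) == int.from_bytes(report[-4:], "little")

def reassemble(reports, report_id):
    """Validate one 0xF0 or 0xF1 sequence and return the message it carries."""
    header, count, total = SPEC[report_id]
    if len(reports) != count:
        raise ValueError("expected %d reports, got %d" % (count, len(reports)))
    message = b""
    for i, rep in enumerate(reports):
        if len(rep) != 65 or rep[0] != header or rep[1] != report_id:
            raise ValueError("report %d: wrong framing" % i)
        # Same sequence counter throughout (assumed), report counter 0, 1, 2, ...
        if rep[2] != reports[0][2] or rep[3] != i or rep[4] != 0:
            raise ValueError("report %d: counters out of order" % i)
        if not crc_ok(rep):
            raise ValueError("report %d: CRC-32 mismatch" % i)
        message += rep[5:5 + FRAG]
    return message[:total]      # drop the padding of the last report

def split_response(message):
    """Cut the 1040-byte response into the ds4_response fields."""
    out, off = {}, 0
    for name, size in FIELDS:
        out[name] = message[off:off + size]
        off += size
    return out

def make_reports(report_id, message, seq=1):
    """Build constructed sample traffic with the framing the tables describe."""
    header, count, _ = SPEC[report_id]
    padded = message.ljust(count * FRAG, b"\x00")
    reports = []
    for i in range(count):
        body = bytes([header, report_id, seq, i, 0]) + padded[i * FRAG:(i + 1) * FRAG]
        reports.append(body + zlib.crc32(body).to_bytes(4, "little"))
    return reports
```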




{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>