Editing DS4-BT

'''Source:''' http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )

[[File:DS4 CUHZCT1 03 Glacier White top.png|thumbnail|right]]

== Bluetooth ==

{{Panorama
|image   = File:Atheros_AR3002.jpg
|height  = 200
|alt     = Bluetooth module Qualcomm: [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002-BL3D]
|caption = Bluetooth module Qualcomm: [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002-BL3D]
}}

[[File:Bluetooth.png|15px]] [[Bluetooth]] is a [[Wireless|wireless]] technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.

Capable of streaming 32Khz sound to the controllers speakers for up to 2 players, but that reduces to 16Khz when 3 or more players are hooked up.

===UART HCI===
[[File:DS4 testpoints hci uart 1.jpg|thumbnail|150px|right|Testpoints]]

On the DS4 circuit itself is a [http://www.qca.qualcomm.com/wp-content/uploads/2013/11/AR3002.pdf Qualcomm Atheros AR3002] module and the {{G|UART}} pins have test points.

You can clearly see the UART HCI receiving/transmitting data when you analyze the traffic on the RX and TX pins (See testpoints).

The data seems to be at a baud rate of exactly 3Mbit/s , sticking with HCI standards, meaning it's 8N1 (8 data bits, No parity, 1 stop bit). The report rate seems to be once every 1.3 millisecond, but there are some occasional gaps in between that can reach 15 milliseconds.

[http://eleccelerator.com/wiki/index.php?title=File:Ds4_uart_hci_cap_with_unpaired_better.pcap This file] is a capture of the traffic over the UART HCI, [http://www.wireshark.org/ Wireshark] can be used for parsing this PCAP file.

[http://eleccelerator.com/files/ds4_uart_hci_cap_playroom_needs_sorting.pcap.gz Similar] to the file before but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.

=== Maximum theoretical update frequency per second (Minimum theoretical latency) ===
{| class="wikitable sortable"
|-
! Controllers !! Input+Output disabled !! Output enabled !! Input enabled
|-
| 1 || 800x (1.25ms) || 400 (2.50ms) || 125 (8ms)
|-
| 2 || 400x (2.50ms) || 200 (5ms) || 62.50 (16ms)
|-
| 3 || 266x (3,75ms)|| 133 (7.5ms)|| 41.66 (24ms)
|-
| 4 || 200x (5ms) || 100 (10ms) || 31.25 (32ms)
|-
|}
In comparison, USB has 250x (4ms)

=== Overlapping channels BT/WiFi ===
* [[Bluetooth#Overlapping_channels_BT.2FWiFi|Overlapping channels BT/WiFi]]

=== Bluetooth Adressing ===

Each Bluetooth unit has a unique 48-bit address (BD_ADDR).

If you spoof a previously paired DS4's BDADDR (is the unique address of a Bluetooth device, similar to the MAC address of a network card) and class, then using "[http://www.linux-commands-examples.com/hcitool sudo hcitool cc <ps4's bdaddr>]" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.

The [[DualShock 4]] has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.

{| class="wikitable" style="text-align: center;border:3px solid #123AAA;"
|-
|colspan="6"|'''Company_assigned'''
|colspan="6"|'''Company_id'''
|-
|colspan="6"|'''L'''ower '''A'''ddress '''P'''art (24-bit)<br />transmitted with every packet as part of the packet header
|colspan="2"|'''U'''pper '''A'''ddress '''P'''art  (8-bit)<br />
|colspan="4"|'''N'''on-Significant '''A'''ddress '''P'''art (16-bit)<br />[http://standards-oui.ieee.org/oui.txt assigned  publicly by the IEEE]
|-=
!width="70"|<sub>lsb</sub>xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx
!width="70"|xxxx<sup>msb</sup>
|-
|}

==== Unpairing ====

*http://eleccelerator.com/unpairing-a-dualshock-4-and-setting-a-new-bdaddr/

===Class of Device/Service (CoD)===

In the PS4 mode, the DualShock 4 appears to be advertised as two devices (neither has a name), one is a game controller and the other is an audio device:

The game controller has a [https://www.bluetooth.org/en-us/specification/assigned-numbers/baseband class of Device/Service (CoD)] 0x002508:

*Major Service Class: Limited Discoverable Mode (0x2000)
*Major Device Class : Peripheral (mouse, joystick, keyboards etc) (0x500)
*Minor Device Class : Gamepad (0x08)

The audio device is class 0x200404:

*Major Service Class: Audio (Speaker, Microphone, Headset service, ...)
*Major Device Class : Audio/Video (headset, speaker, stereo, video display, VCR, ...)
*Minor Device Class : Wearable Headset Device 

<small>(Online Generator http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html)</small>

=== Service Discovery Protocol (SDP) ===
{{G|SDP}} used by the PS4 the first time a device tries to connect, whereas the DS4 does it each time it connects to the PS4 (you can use Wireshark for parsing SDP files, but double check manually due to wrong interpretation or not standard protocol).
==== PDU ====
*SDP uses a request/response model where each transaction consists of one request PDU (protocol data unit) and one response PDU.

<small>
{{Protocol_data_unit}}
</small>

==== Data Element ====

* an attribute id or an attribute value is often represented as a data element.

* The format of a data element follows the {{G|TLV}} (type-length-value) convention.

<small>
{| class="wikitable" style="text-align: center;"
|-
!width="100"|byte index
!width="60"|bit 7
!width="60"|bit 6
!width="60"|bit 5
!width="60"|bit 4
!width="60"|bit 3
!width="60"|bit 2
!width="60"|bit 1
!width="60"|bit 0
|-
|[0]
|colspan="5"|'''Type'''
|colspan="3"|'''Length'''
|-
|[1-4] || colspan="8"| '''additional field'''
|-
|[x] || colspan="8"| '''Value'''
|-
|}
</small>

'''Type descriptor'''

<small>
{| class="wikitable"
|-
! Type Descriptor value !! Valid Size descriptor values !! type description
|-
| 0 || 0 || Nil
|-
| 1 || 0, 1, 2, 3, 4 || Unsigned Integer
|-
| 2 || 0, 1, 2, 3, 4 || Signed twos-complements integer
|-
| 3 || 1, 2, 4 || Universally Unique Identifier (UUID)
|-
| 4 || 5, 6, 7 || text string
|-
| 5 || 0 || booleans
|-
| 6 || 5, 6, 7 || Data element sequence, a data element whose data field is a sequence of data elements
|-
| 7 || 5, 6, 7 || Data element alternative, data element whose data filed is a sequence of data elements from which one data elements is to be selected
|-
| 8 || 5, 6, 7 || Uniform Resource Locator (URL)
|-
| 9-31 || || Reserved
|}
</small>

'''Length descriptor'''

<small>
{| class="wikitable"
|-
! Size Index !! Additional bits !! Data size
|-
| 0 || 0 || 1 byte
|-
| 1 || 0 || 2 bytes
|-
| 2 || 0 || 4 bytes
|-
| 3 || 0 || 8 bytes
|-
| 4 || 0 || 16 bytes
|-
| 5 || 8 || The data size is contained in the additional  8 bits, which are interpreted as an unsigned integer
|-
| 6 || 16 || The data size is contained in the additional 16 bits, which are interpreted as an unsigned integer
|-
| 7 || 32 || The data size is contained in the additional 32 bits, which are interpreted as an unsigned integer
|-
|}
</small>

e.g.: 0x35 = 00110101 (binary) = 00110 | 101 = Type 6 | Length size index 5
==== PS4 ====
===== Request =====
<small>(without 0x02 0x1520 0x1800 0x1400 0x4000  see header section)</small>

 <span style="background:#66ff66;">06 00 01 00 0f</span> 35 03 19 01 00 08 00 35 05 0a 00 00 ff ff 00

*<span style="background:#66ff66;">0x06</span> '''PDU Service Search Attribute Request'''
*<span style="background:#66ff66;">0x0001</span> Transaction ID
*<span style="background:#66ff66;">0x000F</span> Length
*0x3503: Data element (Type descriptor: 6, Size index: 5) 3 bytes
**0x19: Data element (type: 3 (UUID), size index: 1 (2 bytes))
**0x0100: L2CAP
*0x0800: Maximum Attribute Byte count (2048)?
*0x0A: Data element (type:1, Size index: 2 (4 bytes)
**0x0000FFFF: Attribute ID list
*0x00: Continuation State

===== Response =====
<small>(without 0x02 0x1520 0x5C01 0x5801 0x4000), see header section)</small>

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
 00000000  <span style="background:#66ff66;">07</span> <span style="background:#66ff66;">00 01</span> <span style="background:#66ff66;">01 53</span> <span style="background:#66ff66;">01 50</span> <span style="background:#ff66ff;">36 01 4D</span> <span style="background:#ff66ff;">36 00 32</span> 09 <span style="background:#96CDCD;">00 00</span>  ....S.P6.M6.2...
 00000010  0A 00 01 00 05 09 <span style="background:#96CDCD;">00 01</span> 35 03 19 <span style="background:#008080;">11 0A</span> 09 <span style="background:#96CDCD;">00 04</span>  ........5.......
 00000020  35 10 35 06 19 <span style="background:#808080;">01 00</span> 09 00 19 35 06 19 <span style="background:#808080;">00 19</span> 09  5.5.......5.....
 00000030  01 02 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11 0D</span> 09 01 02 <span style="background:#ff66ff;">36</span>  .....5.5.......6
 00000040  <span style="background:#ff66ff;">00 32</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 06 09 <span style="background:#96CDCD;">00 01</span> 35 03 19  .2...........5..
 00000050  <span style="background:#008080;">11 0B</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35 06 19 <span style="background:#808080;">01 00</span> 09 00 19 35  .....5.5.......5
 00000060  06 19 <span style="background:#808080;">00 19</span> 09 01 02 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11</span>  ..........5.5...
 00000070  <span style="background:#008080;">0D</span> 09 01 02 <span style="background:#ff66ff;">36 00 3B</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 07 09  ....6.;.........
 00000080  <span style="background:#96CDCD;">00 01</span> 35 06 19 <span style="background:#008080;">11 0E</span> 19 <span style="background:#008080;">11 0F</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35  ..5..........5.5
 00000090  06 19 <span style="background:#808080;">01 00</span> 09 00 17 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09  .......5........
 000000A0  <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">11 0E</span> 09 01 04 09 <span style="background:#96CDCD;">03 11</span> 09  ..5.5...........
 000000B0  00 02 <span style="background:#ff66ff;">36 00 4D</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 08 09 <span style="background:#96CDCD;">00 01</span>  ..6.M...........
 000000C0  35 03 19 <span style="background:#008080;">11 0C</span> 09 <span style="background:#96CDCD;">00 04</span> 35 10 35 06 19 <span style="background:#808080;">01 00</span> 09  5.......5.5.....
 000000D0  00 17 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09 <span style="background:#96CDCD;">00 09</span> 35 08 35  ..5..........5.5
 000000E0  06 19 <span style="background:#008080;">11 0E</span> 09 01 04 09 <span style="background:#96CDCD;">00 0D</span> 35 10 35 06 19 <span style="background:#808080;">01</span>  ..........5.5...
 000000F0  <span style="background:#808080;">00</span> 09 00 1B 35 06 19 <span style="background:#808080;">00 17</span> 09 01 03 09 <span style="background:#96CDCD;">03 11</span> 09  ....5...........
 00000100  00 01 <span style="background:#ff66ff;">36 00 52</span> 09 <span style="background:#96CDCD;">00 00</span> 0A 00 01 00 0A 09 <span style="background:#96CDCD;">00 01</span>  ..6.R...........
 00000110  35 03 19 <span style="background:#008080;">12 00</span> 09 <span style="background:#96CDCD;">00 04</span> 35 0D 35 06 19 <span style="background:#808080;">01 00</span> 09  5.......5.5.....
 00000120  00 01 35 03 19 <span style="background:#808080;">00 01</span> 09 <span style="background:#96CDCD;">00 09</span> 35 08 35 06 19 <span style="background:#008080;">12</span>  ..5.......5.5...
 00000130  <span style="background:#008080;">00</span> 09 01 03 09 <span style="background:#96CDCD;">02 00</span> 09 01 03 09 <span style="background:#96CDCD;">02 01</span> 09 05 4C  ...............L
 00000140  09 <span style="background:#96CDCD;">02 02</span> 09 08 1F 09 <span style="background:#96CDCD;">02 03</span> 09 01 00 09 <span style="background:#96CDCD;">02 04</span> 28  ...............(
 00000150  01 09 <span style="background:#96CDCD;">02 05</span> 09 00 02 00                          ........

<small>
<span style="background:#96CDCD;">Universal Attributes</span>

<span style="background:#008080;">Universally Unique Identifier (UUID)</span>

<span style="background:#808080;">UUID Protocol Identifiers</span>(shall be used only in the Profile Descriptor List attribute).
</small>

<div style="height:350px; width:650px; overflow:auto">

*<span style="background:#66ff66;">07</span> '''PDU Service Search Attribute Response'''
*<span style="background:#66ff66;">00 01</span> Transaction ID
*<span style="background:#66ff66;">01 53</span> Length
*<span style="background:#66ff66;">01 50</span> Length

*<span style="background:#ff66ff;">36| 01 4D</span> type:6, size index:6 + Length


See [https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery assigned IDs]:

<span style="background:#ff66ff;">36 00 32</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value: 
{0x010005 (65541)}
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value: 
{<span style="background:#008080;">0x110A</span> Audio Source} //Advanced Audio Distribution Profile (A2DP)
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{<span style="background:#808080;">0x0100</span> L2CAP , 0x0019 } ,{ <span *style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)}
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}


<span style="background:#ff66ff;">36 00 32</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010006 (65542) }
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
{ <span style="background:#008080;">0x110B</span> Audio Sink } //A2DP
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0019 (25)  }  , { <span style="background:#808080;">0x0019</span> Audio/Video Distribution Transport Protocol (AVDTP) , 0x0102 (258)  }
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{<span style="background:#008080;">0x110D</span> Advanced Audio Distribution , 0x0102 (258)}


<span style="background:#ff66ff;">36 00 3B</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010007 (65543) }
*<span style="background:#96CDCD;">0x0001</span> Service ClassID List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , <span style="background:#008080;">0x110F</span> Video Conferencing / A/V Remote Control Controller }
<ref>
<small>The Audio/Video Remote Control Profile (AVRCP) specification v1.3 and later require that 0x110E also be included in the ServiceClassIDList before 0x110F for backwards compatibility</small>
</ref>
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) } 
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
{ 0x02 } 


<span style="background:#ff66ff;">36 00 4D</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value:
{ 0x010008 (65544) }
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value:
{ <span style="background:#008080;">0x110C</span> Audio/Video Remote Control Target  }
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0017 (23) } , {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) } 
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x110E</span> Audio/Video Remote Control , 0x0104 (260) }
*<span style="background:#96CDCD;">0x000D</span> Additional Protocol Descriptor Lists-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x001B (27) }  {  <span style="background:#808080;">0x0017</span> Audio/Video Control Transport Protocol (AVCTP) , 0x0103 (259) }
*<span style="background:#96CDCD;">0x0311</span> Supported Features-->value:
{ 0x01 }
}}


<span style="background:#ff66ff;">36 00 52</span> Length
*<span style="background:#96CDCD;">0x0000</span> Service Record Handle-->value: 
{0x01000A (65546)}
*<span style="background:#96CDCD;">0x0001</span> Service Class ID List-->value: 
{ <span style="background:#008080;">0x1200</span> PnP Information }
*<span style="background:#96CDCD;">0x0004</span> Protocol Descriptor List-->value:
{ <span style="background:#808080;">0x0100</span> L2CAP , 0x0001)  }  , { <span style="background:#808080;">0x0001</span> SDP }
*<span style="background:#96CDCD;">0x0009</span> Bluetooth Profile Descriptor List-->value:
{ <span style="background:#008080;">0x1200</span> PnP Information , 0x0103 (259) }
*<span style="background:#96CDCD;">0x0200</span> Specification ID-->value:
{ 0x0103 (259) }
*<span style="background:#96CDCD;">0x0201</span> Vendor ID<ref><small>See [[DS4-USB|Device Descriptor]]</small></ref>-->value:
{ 0x054C } (Sony Corp.) 
*<span style="background:#96CDCD;">0x0202</span> Product ID-->value:
{ 0x081F }
*<span style="background:#96CDCD;">0x0203</span> Version-->value:
{ 0x0100 }
*<span style="background:#96CDCD;">0x0204</span> Primary Record-->value:
{ 0x01 }
*<span style="background:#96CDCD;">0x0205</span> Vendor ID Source-->value:
{ 0x0002 }
</div><br />

==== DS4 ====
===== Response =====
This response is 708-byte long: the DS4 does not respect the 672-byte outgoing L2CAP MTU. 

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
 00000000  07 00 01 02 BF 02 BC 36 02 B9 36 <span style="background:#ff66ff;">02 61</span> 09 00 00  ....¿.¼6.¹6.a...
 00000010  0A 00 01 00 01 09 00 01 35 03 19 11 24 09 00 04  ........5...$...
 00000020  35 0D 35 06 19 01 00 09 00 11 35 03 19 00 11 09  5.5.......5.....
 00000030  00 06 35 09 09 65 6E 09 00 6A 09 01 00 09 00 09  ..5..en..j......
 00000040  35 08 35 06 19 11 24 09 01 00 09 00 0D 35 0F 35  5.5...$......5.5
 00000050  0D 35 06 19 01 00 09 00 13 35 03 19 00 11 09 01  .5.......5......
 00000060  00 25 13 57 69 72 65 6C 65 73 73 20 43 6F 6E 74  .%.Wireless Cont
 00000070  72 6F 6C 6C 65 72 09 01 01 25 0F 47 61 6D 65 20  roller...%.Game 
 00000080  43 6F 6E 74 72 6F 6C 6C 65 72 09 01 02 25 1B 53  Controller...%.S
 00000090  6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E 74  ony Computer Ent
 000000A0  65 72 74 61 69 6E 6D 65 6E 74 09 02 00 09 01 00  ertainment......
 000000B0  09 02 01 09 01 11 09 02 02 08 08 09 02 03 08 00  ................
 000000C0  09 02 04 28 00 09 02 05 28 01 09 02 06 36 01 6C  ...(....(....6.l
 000000D0  36 01 69 08 22 26 01 64 05 01 09 05 A1 01 85 01  6.i."&.d....¡.….
 000000E0  09 30 09 31 09 32 09 35 15 00 26 FF 00 75 08 95  .0.1.2.5..&ÿ.u.•
 000000F0  04 81 02 09 39 15 00 25 07 75 04 95 01 81 42 05  ....9..%.u.•..B.
 00000100  09 19 01 29 0E 15 00 25 01 75 01 95 0E 81 02 75  ...)...%.u.•...u
 00000110  06 95 01 81 01 05 01 09 33 09 34 15 00 26 FF 00  .•......3.4..&ÿ.
 00000120  75 08 95 02 81 02 06 04 FF 85 02 09 24 95 24 B1  u.•.....ÿ…..$•$±
 00000130  02 85 A3 09 25 95 30 B1 02 85 05 09 26 95 28 B1  .…£.%•0±.…..&•(±
 00000140  02 85 06 09 27 95 34 B1 02 85 07 09 28 95 30 B1  .…..'•4±.…..(•0±
 00000150  02 85 08 09 29 95 2F B1 02 06 03 FF 85 03 09 21  .…..)•/±...ÿ…..!
 00000160  95 26 B1 02 85 04 09 22 95 2E B1 02 85 F0 09 47  •&±.….."•.±.…ð.G
 00000170  95 3F B1 02 85 F1 09 48 95 3F B1 02 85 F2 09 49  •?±.…ñ.H•?±.…ò.I
 00000180  95 0F B1 02 06 00 FF 85 11 09 20 15 00 26 FF 00  •.±...ÿ….. ..&ÿ.
 00000190  75 08 95 4D 81 02 09 21 91 02 85 12 09 22 95 8D  u.•M...!‘.….."•.
 000001A0  81 02 09 23 91 02 85 13 09 24 95 CD 81 02 09 25  ...#‘.…..$•Í...%
 000001B0  91 02 85 14 09 26 96 0D 01 81 02 09 27 91 02 85  ‘.…..&–.....'‘.…
 000001C0  15 09 28 96 4D 01 81 02 09 29 91 02 85 16 09 2A  ..(–M....)‘.…..*
 000001D0  96 8D 01 81 02 09 2B 91 02 85 17 09 2C 96 CD 01  –.....+‘.…..,–Í.
 000001E0  81 02 09 2D 91 02 85 18 09 2E 96 0D 02 81 02 09  ...-‘.…...–.....
 000001F0  2F 91 02 85 19 09 30 96 22 02 81 02 09 31 91 02  /‘.…..0–"....1‘.
 00000200  06 80 FF 85 82 09 22 95 3F B1 02 85 83 09 23 B1  .€ÿ…‚."•?±.…ƒ.#±
 00000210  02 85 84 09 24 B1 02 85 90 09 30 B1 02 85 91 09  .…„.$±.…..0±.…‘.
 00000220  31 B1 02 85 92 09 32 B1 02 85 93 09 33 B1 02 85  1±.…’.2±.…“.3±.…
 00000230  A0 09 40 B1 02 85 A4 09 44 B1 02 C0 09 02 07 35   .@±.…¤.D±.À...5
 00000240  08 35 06 09 04 09 09 01 00 09 02 08 28 00 09 02  .5..........(...
 00000250  09 28 01 09 02 0A 28 01 09 02 0B 09 01 00 09 02  .(....(.........
 00000260  0C 09 1F 40 09 02 0D 28 00 09 02 0E 28 00 36 <span style="background:#ff66ff;">00</span>  ...@...(....(.6.
 00000270  <span style="background:#ff66ff;">52</span> 09 00 00 0A 00 01 00 02 09 00 01 35 03 19 12  R...........5...
 00000280  00 09 00 04 35 0D 35 06 19 01 00 09 00 01 35 03  ....5.5.......5.
 00000290  19 00 01 09 00 09 35 08 35 06 19 12 00 09 01 03  ......5.5.......
 000002A0  09 02 00 09 01 03 09 02 01 09 '''05 4C''' 09 02 02 09  ...........L....
 000002B0  '''05 C4''' 09 02 03 09 '''01 00''' 09 02 04 28 '''01''' 09 02 05  .Ä.........(....
 000002C0  09 '''00 02''' 00                                      ....

0x07 PDU

0x0001 Transaction ID

0x02BF Length

0x02BC Length

0x36|02B9 type:6, size index:6 + Length

<span style="background:#ff66ff;">0x36|0261</span> type:6, size index:6 + Length first chunk

0x0000 Service Record Handle-->value {0x010001}
*0x0001 Service Class ID List-->value {0x1124 Human Interface Device (HID)}
*0x0004 Protocol Descriptor List-->value {0x0100 L2CAP , 0x0011 } ,{ 0x0011 Human Interface Device Profile (HIDP) , 0x0102 (258)}
*0x0006 Language Base Attribute ID List<ref><small>A list of language bases that contains a language identifier according to [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639:1] , a character encoding identifier and a base attribute ID (0x0100) for the languages used in the service record.</small></ref>-->: value = { 0x656E ("en"), 0x6A (106), 0x100(256)  } 
*0x0009 Bluetooth Profile Descriptor List--> value = { 0x1124 Human Interface Device Service , 0x100(256)}
*0x000D Additional Protocol Descriptor Lists--> value = { { 0x0100 L2CAP , 0x0013(19)  } , { 0x00 11HIDP } } 
*0X0100 Service Name--> value = "Wireless Controller"
*0x0101 Service Description--> value = "Game Controller" 
*0x0102 Provider Name--> value = "Sony Computer Entertainment"
*0x0200 GOEP L2CAP PSM/Group Id/IP Subnet (0x200)--> value = 0x100 (256)
*0x0201 Service Database State--> value = 273 

...

<span style="background:#ff66ff;">0x36|0052</span> type:6, size index:6 + Length second chunk 

0x0000 Service Record Handle-->value {0x010002}
*0x0001 Service Class ID List-->value {0x1200 Device Identification (DID)}
*0x0004 Protocol Descriptor List-->

*0x0200 Specification ID-->value: 0x0103
*0x0201 Vendor ID-->value: 0x054C (Sony Corp.) 
*0x0202 Product ID-->value: 0x05C4 (Sony Computer Entertainment Wireless Controller)
*0x0203 Version-->value: 0x0100
*0x0204 Primary Record-->value: 0x01
*0x0205 Vendor ID Source-->value: 0x0002

==== Notes: ====
{{reflist}}

=== HID Report header & footer ===
==== Examples ====

{{Spoiler|HCI Command Packet example|
<pre>
0000   01 13 0c f8 57 69 72 65 6c 65 73 73 20 43 6f 6e  ....Wireless Con
0010   74 72 6f 6c 6c 65 72 00 00 00 00 00 00 00 00 00  troller.........
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00d0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0   00 00 00 00 00 00 00 00 00 00 00 00              ............    
</pre>
 
*0x01: HCI Command Packet

*0x130C (0x0C13) Op-code (16 bits): identifies the command:

OGF (Op-code Group Field, most significant 6 bits):

OCF (Op-code Command Field, least significant 10 bits):

*0xF8 (248) Length of Packet

}}

{{Spoiler|HCI Event Packet example|

<pre>
04 13 05 01 15 00 01 00
</pre>

*0x04 Packet Type: HCI Event Packet

*0x13 Event code 

*0x05 Parameter total length

*0x01 Number of Connection handles

*0x1500 (0x15) Connection handle

*0x0100 (1) Number of completed packets

}}

Here's a sample HCI ACL Data Packet transaction that represents a report from the DS4 to the PS4:


 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 00000000  <span style="background:#ff6666;">02 15 20 53 00 4F 00 42 00</span> <span style="background:#66ff66;">A1 11 C0 00 83 81 7E</span>
 00000010  <span style="background:#66ff66;">7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21</span>
 00000020  <span style="background:#66ff66;">03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80</span>
 00000030  <span style="background:#66ff66;">00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00</span>
 00000040  <span style="background:#66ff66;">00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00</span>
 00000050  <span style="background:#66ff66;">00 00 00 00</span> <span style="background:lime;">7D 0A 5D 0B</span>


{| class="wikitable"
|-
! !! Offset !! Size !! Value !! Description
|-
| rowspan="5" style="background-color:#ff6666;"|'''Header''' ||0x00||0x01||0x02|| (2) Packet Type:
<small>
*0x01: HCI Command Packet (send commands to the Host Controller)
*'''0x02: HCI ACL Data Packet''' (exchange Asynchronous Connection-Less data between the Host and Host Controller)
*0x03: HCI SCO Data Packet (exchange Synchronous Connection-Oriented data)
*0x04: HCI Event Packet (notify the Host when events occur)
</small>
|-
|0x01||0x02||0x1520|| (0x2015) Control information (<sub>msb</sub>00 10 000000010101<sub>lsb</sub>):

'''for Packet type: 2'''
<small>
*Broadcast (BC) flag (most significant 2 bits):
 '''00 = point-to-point packet''' (no broadcast) (only two Bluetooth units involved)
 01 = Active Slave Broadcast (Up to 7 slaves can be active in the {{G|Piconet}})
 10 = Parked Slave Broadcast (Up to 255 further slave devices can be inactive)
*Packet boundary (PB) flag (2 bits):
 01 = continuing packet of a higher level message
 '''10 = first packet of a higher level message'''
*Connection handle (least significant 12 bits):
0x15
</small>
|-
|0x03||0x02||0x5300||(83) Total length
|-
|0x05||0x02||0x4F00||(79) Data Length (Payload+Check)
|-
|0x07||0x02||0x4200||(0x0042) Channel ID (CID)
|-
| rowspan="2" style="background-color:#66ff66;"|'''HID portion'''||0x09||0x03||0xA111C0|| Packet '''Payload''' header: INPUT DATA protocol code 0x11 (see Structure HID transaction)
|-
|0x0C||0x48||0x0083 … 0x00 || Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL.
|-
|style="background-color:lime;"|'''Check'''||0x54||0x04||0x7D0A5D0B||(0x0B5D0A7D) Data Integrity Check ({{G|CRC}}-32)
<small>
To ensure that the packet is valid, this field is appended onto the end of the packet. Packet Payload is used to compute the Data Integrity Check (the CRC32's polynomial is 0x4C11DB7).

You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter the packet payload into the textbox (hex):
{{Spoiler|First 75 bytes of the HID report|
A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00}}
</small>
|-
|}

=== Structure HID transaction (portion) ===
Input and output reports specify control data and feature reports specify configuration data.

{| class="wikitable"
|+Data Format
|-
!width="100"|byte index
!width="60"|bit 7
!width="60"|bit 6
!width="60"|bit 5
!width="60"|bit 4
!width="60"|bit 3
!width="60"|bit 2
!width="60"|bit 1
!width="60"|bit 0
|-
|[0]
|colspan="4"|'''transaction type:'''
<small>
*0x04: GET REPORT
*0x05: SET REPORT
*0x0A: DATA 
</small>
|colspan="2"|'''parameters:'''
<small>
*0x00:
*0x01:
*0x02:
</small>
|colspan="2"|'''report type:''' 
<small>
*0x01: INPUT
*0x02: OUTPUT
*0x03: FEATURE
</small>
|-
|[1] || colspan="8"| '''protocol code'''
|-
|[2] || colspan="8"| -
|-
|[3-end] || colspan="8"| '''report content''' (e.g. buttons for report type input , see data structure)
|-
|}

==== HID INPUT reports ====
Input controls are sources of data relevant to an application, for example, X and Y data (e.g.: axes stick) or buttons obtained from a pointing device.

Protocol code:
===== 0x01 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x11.

This report is sent until the GET REPORT FEATURE 0x02 is received.

Supposition: a PC can understand this report?

Report example:
<pre>0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00,
0x00, 0x00, 0x00</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x01
|-
|
|colspan="8"|The following structure is a supposition.
|-
|[2]
|colspan="8"|Left Stick X (0 = left)
|-
|[3]
|colspan="8"|Left Stick Y (0 = up)
|-
|[4]
|colspan="8"|Right Stick X
|-
|[5]
|colspan="8"|Right Stick Y
|-
|[6]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[7]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[8]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[9]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[10]
|colspan="8"|Right Trigger
|}

===== 0x11 =====
The transaction type is DATA (0x0a), and the report type is INPUT (0x01).
The protocol code is 0x11.

This report is sent once the GET REPORT FEATURE 0x02 is received.

Report example:
<pre>0xa1, 0x11, 0xc0, 0x00, 0x7d, 0x7d, 0x81, 0x7e, 0x08, 0x00, 0x28, 0x00, 0x00, 0x8c, 0xf3, 0x01,
0x13, 0x00, 0xf8, 0xff, 0x05, 0x00, 0x31, 0xfe, 0x3f, 0x0f, 0xd1, 0xe3, 0x00, 0x00, 0x00, 0x00,
0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80,
0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x22, 0x7b, 0xa0</pre>

If you look carefully, it is very similar to the reports sent over USB if you ignore the first 3 bytes.

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x01
|-
|[1]
|colspan="8"|0x11
|-
|[2]
|colspan="8"|0xc0
|-
|[3]
|colspan="8"|Report ID (always 0x00)
|-
|[4]
|colspan="8"|Left Stick X (0 = left)
|-
|[5]
|colspan="8"|Left Stick Y (0 = up)
|-
|[6]
|colspan="8"|Right Stick X
|-
|[7]
|colspan="8"|Right Stick Y
|-
|[8]
|TRI
|CIR
|X
|SQR
|colspan="4"|D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
|-
|[9]
|R3
|L3
|OPT
|SHARE
|R2
|L2
|R1
|L1
|-
|[10]
|colspan="6"|Counter (counts up by 1 per report)
|T-PAD
|PS
|-
|[11]
|colspan="8"|Left Trigger (0 = released, 0xFF = fully pressed)
|-
|[12]
|colspan="8"|Right Trigger
|-
|[13 - 14]
|colspan="8"|Seems to be a timestamp. A common increment value between two reports is 188 (at full rate the report period is 1.25ms). This timestamp is used by the PS4 to process acceleration and gyroscope data.
|-
|[15]
|colspan="8"|battery (0x00 to 0xff)
|-
|[16 - 17]
|colspan="8"|Acceleration X
|-
|[18 - 19]
|colspan="8"|Acceleration Y
|-
|[20 - 21]
|colspan="8"|Acceleration Z
|-
|[22 - 23]
|colspan="8"|Gyroscope Roll?
|-
|[24 - 25]
|colspan="8"|Gyroscope Yaw?
|-
|[26 - 27]
|colspan="8"|Gyroscope Pitch?
|-
|[28 - 32]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[33]
|0x00
|phone
|mic
|usb
|colspan="4"|battery level
|-
|[34 - 35]
|colspan="8"|Unknown (seems to be always 0x00)
|-
|[36]
|colspan="8"|number of trackpad packets (0x00 to 0x04)
|-
|[37]
|colspan="8"|packet counter
|-
|[38]
|active low
|colspan="7"|finger 1 id
|-
|[39 - 41]
|colspan="8"|finger 1 coordinates
|-
|[42]
|active low
|colspan="7"|finger 2 id
|-
|[43 - 45]
|colspan="8"|finger 2 coordinates
|-
|[46]
|colspan="8"|packet counter
|-
|[47]
|active low
|colspan="7"|finger 1 id
|-
|[48 - 50]
|colspan="8"|finger 1 coordinates
|-
|[51]
|active low
|colspan="7"|finger 2 id
|-
|[52 - 54]
|colspan="8"|finger 2 coordinates
|-
|[55]
|colspan="8"|packet counter
|-
|[56]
|active low
|colspan="7"|finger 1 id
|-
|[57 - 59]
|colspan="8"|finger 1 coordinates
|-
|[60]
|active low
|colspan="7"|finger 2 id
|-
|[61 - 63]
|colspan="8"|finger 2 coordinates
|-
|[64]
|colspan="8"|packet counter
|-
|[65]
|active low
|colspan="7"|finger 1 id
|-
|[66 - 68]
|colspan="8"|finger 1 coordinates
|-
|[69]
|active low
|colspan="7"|finger 2 id
|-
|[70 - 72]
|colspan="8"|finger 2 coordinates
|-
|[73 - 74]
|colspan="8"|Unknown 0x00 0x00 or 0x00 0x01
|-
|[75 - 78]
|colspan="8"|CRC-32 of the first 75 bytes.
|}

Most of the time there is only 1 trackpad packet per report.

Below is a sample for bytes 36 to 72 with 4 trackpad packets:

<pre>0x04,
0x01,
0x04, 0x69, 0x91, 0x1a,
0x06, 0x15, 0x45, 0x1a,
0x05,
0x04, 0x66, 0x11, 0x1a,
0x06, 0x10, 0x15, 0x1a,
0x0a,
0x04, 0x63, 0x81, 0x19,
0x06, 0x0c, 0xe5, 0x19,
0x0f,
0x04, 0x5f, 0xf1, 0x18,
0x06, 0x08, 0xc5, 0x19</pre>

==== HID OUTPUT reports ====
Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.

Protocol code:
===== 0x11 =====

The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x11.

Byte at index 4 changes from 0xf0 to 0xf3 in the first reports. Making it always 0xf0 does not seem to change something.

Report example:
 0xa2, '''0x11''', 0xc0, 0x20, 0xf0, 0x04, 0x00, 0x00, 0x00, <span style="color:#ff0000">0x00</span>, <span style="color:#008000">0x00</span>, <span style="color:#0000ff">0x00</span>, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:lime">0xd8, 0x8e, 0x94, 0xdd</span>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x11'''
|-
|[2 - 3]
|colspan="8"|Unknown
|-
|[4]
|colspan="8"|0xf0 disables the rumble motors, 0xf3 enables them
|-
|[5 - 6]
|colspan="8"|Unknown
|-
|[7]
|colspan="8"|Rumble (right / weak)
|-
|[8]
|colspan="8"|Rumble (left / strong)
|-
|[9]
|colspan="8"|RGB color (<span style="color:#ff0000">R</span>ed)
|-
|[10]
|colspan="8"|RGB color (<span style="color:#008000">G</span>reen)
|-
|[11]
|colspan="8"|RGB color (<span style="color:#0000ff">B</span>lue)
|-
|[12]
|colspan="8"|Flash LED bright
|-
|[13]
|colspan="8"|Flash LED dark
|-
|[14 - 21]
|colspan="8"|Unknown
|-
|[22]
|colspan="8"|Volume left
|-
|[23]
|colspan="8"|Volume right
|-
|[24]
|colspan="8"|Volume mic - speculation
|-
|[25]
|colspan="8"|Volume speaker
|-
|[26-74]
|colspan="8"|Unknown
|-
|<span style="background:lime">[75 - 78]</span>
|colspan="8"|CRC-32 of the previous bytes.
|}

===== 0x14 =====
Contains sound.

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
    0000   <span style="background:#ff6666;">0f 01 42 00</span> a2 '''14''' 40 a0 f4 69 02 <span style="background:#ffff00;">9c 75 19 24</span> 00  ..B...@..i..u.$.
    0010   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
    0020   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
    0030   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
    0040   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
    0050   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
    0060   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
    0070   b6 db b6 db 6d db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00  ....m.m.....u.$.
    0080   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
    0090   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
    00a0   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
    00b0   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
    00c0   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
    00d0   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
    00e0   b6 db b6 db 6d db 6d b6 ed b6 db 00 00 00 00 00  ....m.m.........
    00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime;">9f</span>  ................
    0110   <span style="background:lime;">42 86 54</span>                                         B.T

    <span style="background:#ffff00;">Bluetooth SBC header</span>  http://tools.ietf.org/html/draft-hoene-avt-rtp-sbc-05#section-6.2
     
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | SYNCWORD      |SF.|BL.|CM.|A|S|BITPOOL        |CRC_CHECK      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Legend: SF.=SAMPLING FREQUENCY, BL.=BLOCKS, CM.=CHANNEL_MODE, A.=ALLOCATION_METHOD, S.=SUBBANDS

    0x9c = 156 syncword (always set to 156)
     1 byte - sf bl cm a s (msb..lsb)
       * frequency:
           00-16000
           01-32000
           10-44100
           11-48000
       * blocks:
           00-4
           01-8
           10-12
           11-16
       * channels:
           00-MONO
           01-DUAL_CHANNEL 
           10-STEREO 
           11-JOINT_STEREO
       * allocation method:
           0-loudnes
           1-SNR
       * subbands:
           0-4
           1-8
     1 byte - bitpool
            This unsigned integer indicates the size of the bit
            allocation pool that has been used for encoding the current
            block.The value of the bit - pool field MUST NOT exceed 16
            times the number of subbands for the MONO and DUAL_CHANNEL
            channel modes and 32 times the number of subbands for the
            STEREO and JOINT_STEREO channel modes.The bitpool value
            MAY change from SBC frame to the next.In addition, the
            bitpool value MUST be restricted such that it does not
            result in excess of maximum bit rate, which is 320kb / s for
            mono and 512kb / s for two - channel modes.

===== 0x15 =====
Speculation: contains rumbles, LED color and sound.

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
    0000   <span style="background:#ff6666;">4f 01 42 00</span> a2 '''15''' c0 a0 f3 04 00 ''00'' ''00'' <span style="color:#ff0000">00</span> <span style="color:#008000">00</span> <span style="color:#0000ff">ff</span>  O.B.............
    0010   00 00 00 00 00 00 00 00 00 00 49 49 00 4f 85 00  ..........II.O..
    0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0050   00 00 00 <span style="background:pink;">f6 69</span> 02 <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  ....i..u.$......
    0060   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
    0070   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
    0080   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
    0090   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
    00a0   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
    00b0   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
    00c0   db 6d b6 ed b6 db <span style="background:#ffff00;">9c 75 19 24</span> 00 00 00 00 00 00  .m.....u.$......
    00d0   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
    00e0   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
    00f0   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
    0100   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
    0110   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
    0120   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
    0130   db 6d b6 ed b6 db 00 00 00 00 00 00 00 00 00 00  .m..............
    0140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <span style="background:lime">b5</span>  ................
    0150   <span style="background:lime">98 a9 0f</span>                                         ...

*0x4F01: length (335)
*0x4200: CID (42)
*0xA2: DATA OUTPUT
*'''0x15''': Protocol Code
*0xC0A0F30400: Unknown
*0x00: ''Rumble'' right
*0x00: ''Rumble'' left
*0x00: LED (<span style="color:#ff0000">R</span>ed)
*0x00: LED (<span style="color:#008000">G</span>reen)
*0xFF: LED (<span style="color:#0000ff">B</span>lue)
...
0xB598A90F: <span style="color:lime">Check</span> (CRC-32 from offset 0x04 to 0x14E)

===== 0x17 =====

The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x17.

Report example:
 0xa2, 0x17, 0x40, 0xa0, <span style="background:pink;">0xb4, 0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7,
 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb,
 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb,
 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb,
 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x6b, 0xa2, 0x38, 0xe6

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|[1]
|colspan="8"|0x17
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[6 - 458]
|colspan="8"|Bluetooth SBC Data
|-
|[459 - 462]
|colspan="8"|CRC-32 of the previous bytes.
|}

===== 0x18 =====

The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x18.

Report example:
 0xa2, '''0x18''', 0x48, 0xa1, <span style="background:pink;">0xb4, 0x06</span>, 0x22, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6,
 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33, 0xda</span>, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6,
 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d,
 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d,
 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x7d, 0x33,
 0xda</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6,
 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x77, 0x6d, 0xb6,
 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 <span style="background:#ffff00;">0x9c, 0x7d, 0x33</span>, 0xda, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x6d, 0xb6,
 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb, 0x76, 0xdb, 0x6d,
 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xee, 0xdb, 0x6d,
 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 0x77, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xed, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdd, 0xb6, 0xdb,
 0x76, 0xdb, 0x6d, 0xbb, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x76, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6,
 0xee, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xbb, 0x6d, 0xb6,
 0xed, 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x3b, 0x16, 0xec

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x18'''
|-
|[2 - 3]
|colspan="8"|TODO, work in progress.
|-
|<span style="background:pink;">[4-5]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[6]
|colspan="8"|Audio header
|-
|[7 - 471]
|colspan="8"|Bluetooth SBC Data
|-
|[472 - 526]
|colspan="8"|Paddind - speculation
|-
|[527 - 530]
|colspan="8"|CRC-32 of the previous bytes.
|}

===== 0x19 =====

The transaction type is DATA (0x0a), and the report type is OUTPUT (0x02).
The protocol code is 0x19.

Report example:
 0xa2, '''0x19''', 0xc0, 0xa0, 0xf3, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x43, 0x00, 0x4d, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, <span style="background:pink;">0xc2,
 0x00</span>, 0x02, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
 0xb6, 0xdb, <span style="background:#ffff00;">0x9c, 0x75, 0x19, 0x24</span>, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0xdb,
 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb,
 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb,
 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb,
 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd, 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb,
 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed, 0xb6, 0xdb, 0x76, 0xdb, 0x6d, 0xbb, 0x6d, 0xb6, 0xdd,
 0xb6, 0xdb, 0x6e, 0xdb, 0x6d, 0xb7, 0x6d, 0xb6, 0xdb, 0xb6, 0xdb, 0x6d, 0xdb, 0x6d, 0xb6, 0xed,
 0xb6, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x46, 0x86, 0x51, 0x90

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x02
|-
|'''[1]'''
|colspan="8"|'''0x19'''
|-
|[2 - 78]
|colspan="8"|Same as [[DS4-BT#0x11_2|output report 0x11]].
|-
|[79]
|colspan="8"|Unknown 
|-
|<span style="background:pink;">[80-81]</span>
|colspan="8"| Audio frame count - Increases the number of frames in packet(4 for this)
|-
|[82]
|colspan="8"| Audio header
|-
|[83-533]
|colspan="8"| Bluetooth SBC Data
|-
|[533 - 547]
|colspan="8"| Paddind - speculation
|-
|[548 - 551]
|colspan="8"|CRC-32 of the previous bytes.
|}

==== HID features reports ====
There is a periodic report sequence that consists in 5 0xf0 SET FEATURE reports, 2 0xf2 GET FEATURE reports, and 19 0xf1 GET FEATURE REPORTS. Each sequence takes about 30 seconds, and a new sequence starts about 30 seconds after the end of the last one. There is 1 second between two reports sent by the PS4.

There is another periodic report sequence that consists in one 0x03 SET FEATURE report and 1 0x04 GET FEATURE report. A new sequence starts about 30 seconds after the end of the last one. The 0x03 SET FEATURE report is sent 5 seconds after the 0x04 GET FEATURE report.

These two periodic sequences seem to be independent as they do not have the same period, and they have two distinct sequence counters.

A user-mode application can obtain (get) and set feature information by using this report designation.

===== GET FEATURE=====

Each GET FEATURE report sent by the PS4 is answered by the DS4 with a DATA FEATURE report.

====0x02====

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x04 GET REPORT
|colspan="1"|0x01
|colspan="1"|0x00
|colspan="4"|0x03 FEATURE
|-
|[1]
|colspan="8"|Report id
|-
|[2 - 3]
|colspan="8"|Buffer size.
|}

====== 0x02 ======

The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x02.

The bytes in this report do not seem to fluctuate.

Report example:
<pre>0xa3, 0x02, 0x01, 0x00, 0xff, 0xff, 0x01, 0x00, 0x5e, 0x22, 0x84, 0x22, 0x9b, 0x22, 0xa6, 0xdd,
0x79, 0xdd, 0x64, 0xdd, 0x1c, 0x02, 0x1c, 0x02, 0x85, 0x1f, 0x9f, 0xe0, 0x92, 0x20, 0xdc, 0xe0,
0x4d, 0x1c, 0x1e, 0xde, 0x08, 0x00</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x02
|-
|[2 - 37]
|colspan="8"|TODO, work in progress.
|}

====== 0x04 ======

The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x04.

Most bytes from index 4 change between two reports.

Report example:
<pre>0xa3, 0x04, 0x02, 0x00, 0x38, 0x85, 0x35, 0xd5, 0x7a, 0x81, 0x61, 0x2e, 0x21, 0x13, 0x7b, 0xda,
0xd5, 0x94, 0x25, 0x98, 0x5f, 0x67, 0xd1, 0x60, 0x9d, 0xfb, 0x95, 0xba, 0xff, 0xba, 0x1c, 0x48,
0xbf, 0xe2, 0x15, 0x0d, 0xff, 0x66, 0x63, 0x5f, 0x64, 0xc1, 0x46, 0x47, 0xcd, 0xd1, 0x9c, 0x84</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x04
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 43]
|colspan="8"|TODO, work in progress.
|-
|[44 - 47]
|colspan="8"|CRC-32 of the previous bytes.
|}

====== 0x06 ======

The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0x06.

The bytes in this report do not seem to fluctuate. They are the same in two different controllers.

Report example:
<pre>0xa3, 0x06, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00, 0x4b, 0x52, 0x02, 0xc7</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x06
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|-
|[50 - 53]
|colspan="8"|CRC-32 of the previous bytes.
|}

====== 0xA3 ======

The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xa3.

It is identical to 0x06 except that there's no CRC-32 at the end of the packet.

Report example:
<pre>0xa3, 0xa3, 0x41, 0x75, 0x67, 0x20, 0x20, 0x33, 0x20, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x30, 0x37, 0x3a, 0x30, 0x31, 0x3a, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x31, 0x03, 0x00, 0x00, 0x00, 0x49, 0x00, 0x05, 0x00, 0x00, 0x80,
0x03, 0x00</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xa3
|-
|[2 - 49]
|colspan="8"|A date: Aug 3 2013 07:01:12
|}

====== 0xF1 ======
The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf1.

This report is part of the authentication sequence: it contains challenge response data.

Report example:
<pre>0xa3, 0xf1, 0x01, 0x00, 0x00, 0x0c, 0xb2, 0x25, 0x71, 0x82, 0xc3, 0x2e, 0xaa, 0x73, 0xf5, 0x3e,
0x06, 0x72, 0x12, 0xeb, 0xd7, 0xbd, 0xa6, 0x4e, 0xd0, 0x25, 0xd0, 0x4d, 0xd4, 0xe9, 0x3a, 0x8d,
0xb4, 0xf2, 0x3b, 0x5e, 0x82, 0x9c, 0xc7, 0x02, 0x04, 0xa5, 0x44, 0xd5, 0x64, 0x74, 0xc2, 0x03,
0x3b, 0x45, 0xd6, 0x99, 0x9d, 0x79, 0x11, 0xa6, 0x3d, 0x5e, 0x3a, 0xdf, 0xdd, 0x3a, 0x51, 0x8e,
0xb3</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf1
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x12)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge response data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}

The packets with report counter from 0x00 to 0x09 carry 528 bytes of data.<br />
Packet 0x09 contains 24 bytes of data and is padded with zeros.<br />
The packets with report counter from 0x0a to 0x0c are padded with zeros.<br />
Packet 0x0d is padded with zeros, except bytes 58 and 60 (both are 0x01).<br />
The packets with report counter from 0x0e to 0x12 carry 256 bytes of data.<br />
Packet 0x12 contains 32 bytes of data and is padded with zeros.<br />

====== 0xF2 ======

The transaction type is DATA (0x0a), and the report type is FEATURE (0x03).
The protocol code is 0xf2.

This report is part of the authentication sequence: it indicates if the challenge response is ready.

Report example:
<pre>0xa3, 0xf2, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x6a, 0x3c,
0xef</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x0a
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf2
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="3"|0x00
|colspan="1"|0x01 = not ready
0x00 = ready
|colspan="7"|0x00
|-
|[4 - 12]
|colspan="8"|padded with 0x00.
|-
|[13 - 16]
|colspan="8"|CRC-32 of the previous bytes.
|}

===== SET FEATURE=====
These reports are sent by the PS4. The DS4 replies with a handshake, which is a packet with a single 0x00 byte.

====== 0x03 ======

The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0x03.

Most bytes from index 4 change between two reports.

Report example:
<pre>0x53, 0x03, 0x02, 0x00, 0xf1, 0xdf, 0xd3, 0x7b, 0x4f, 0x49, 0x0b, 0x0b, 0x7c, 0x79, 0xde, 0xad,
0x5d, 0xa3, 0x41, 0x8a, 0x9c, 0x2e, 0xaf, 0x09, 0xc4, 0xa6, 0x80, 0xb4, 0x82, 0x87, 0x2c, 0xbf,
0x86, 0xe0, 0x2a, 0x86, 0x60, 0xa0, 0x23, 0x33</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0x03
|-
|[2]
|colspan="8"|sequence counter (init = 0x02, step = 1)
|-
|[3]
|colspan="8"|0x00
|-
|[4 - 35]
|colspan="8"|TODO, work in progress.
|-
|[36 - 39]
|colspan="8"|CRC-32 of the previous bytes.
|}

====== 0xF0 ======


The transaction type is SET REPORT (0x05), and the report type is FEATURE (0x03).
The protocol code is 0xf0.

This report is part of the authentication sequence: it contains challenge data.

Report example:
<pre>0x53, 0xf0, 0x01, 0x00, 0x00, 0x64, 0x01, 0x21, 0x58, 0x26, 0x03, 0xcc, 0xb8, 0x28, 0x78, 0xa9,
0xb5, 0x8c, 0x2c, 0x90, 0x3b, 0xe2, 0xf7, 0xee, 0x1c, 0x91, 0x2b, 0x0c, 0x79, 0xa6, 0xe7, 0xae,
0x7e, 0x49, 0xee, 0x36, 0x72, 0x81, 0xc2, 0x25, 0x41, 0x74, 0x45, 0x01, 0x15, 0xa0, 0x23, 0x1a,
0x4c, 0x27, 0x31, 0xcc, 0xc5, 0xe0, 0x8d, 0x6c, 0x1e, 0x42, 0x83, 0x93, 0x20, 0xa0, 0x35, 0xac,
0x82</pre>

{| class="wikitable"
|+Data Format
|-
|width="100"|byte index
|width="60"|bit 7
|width="60"|bit 6
|width="60"|bit 5
|width="60"|bit 4
|width="60"|bit 3
|width="60"|bit 2
|width="60"|bit 1
|width="60"|bit 0
|-
|[0]
|colspan="4"|0x05
|colspan="2"|0x00
|colspan="4"|0x03
|-
|[1]
|colspan="8"|0xf0
|-
|[2]
|colspan="8"|sequence counter (init = 0x01, step = 1)
|-
|[3]
|colspan="8"|report counter (init = 0x00, step = 1, max = 0x04)
|-
|[4]
|colspan="8"|0x00
|-
|[5 - 60]
|colspan="8"|Challenge data.
|-
|[61 - 64]
|colspan="8"|CRC-32 of the previous bytes.
|}

The packet with report counter = 0x04 only carries 32 bytes of data (it is padded with zeros). Therefore the length of the challenge message is 4x56+32 = 256 bytes.


{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>