Source: http://eleccelerator.com/wiki/index.php?title=DualShock_4 (full paste 17:50 UTC, 18 January 2014 )

Bluetooth

The DS4 has two modes, one where you can pair it with a computer (hold PS and share at the same time until the light blinks twice in quick succession rapidly), and another mode when it is used with a PS4.

In the PS4 mode, it appears to advertise as two devices, one is a game controller and the other is an audio device. The game controller has a class 0x002508, and the audio device is class 0x200404. Neither has a name.

Only controllers that have previously paired with the PS4 can cause it to wake up. If you spoof a previously paired DS4's BDADDR and class, then using "sudo hcitool cc <ps4's bdaddr>" will wake up the PS4. If the same cc request comes from an unknown BDADDR, nothing happens.

Capable of streaming 32Khz sound to the controllers speakers for up to 2 players, but that reduces to 16Khz when 3 or more players are hooked up.

UART HCI

On the DS4 circuit itself is a Qualcomm Atheros AR3002 module and the UART pins have test points.

You can clearly see the UART HCI data when you analyze the traffic on the RX and TX pins (See testpoints).

The data seems to be at a baud rate of exactly 3Mbit/s , sticking with HCI standards, meaning it's 8N1 (8 data bits, No parity, 1 stop bit). The report rate seems to be once every 1.3 millisecond, but there are some occasional gaps in between that can reach 15 milliseconds.

This file is a capture of the traffic over the UART HCI, Wireshark is required to view this PCAP file.

Similar to the file before but uses data while running "the Playroom" app on the PS4, so that it shows motors, speaker, and LED activity. This file needs to be decompressed using gzip first, then opened with Wireshark. Once opened, it needs to be sorted by timestamp.

Service Discovery Protocol (SDP)

SDP used by the PS4 the first time a device tries to connect, whereas the DS4 does it each time it connects to the PS4.

PS4

DS4

HID Report header & footer

Examples

Here's a sample HCI transaction that represents a report from the DS4 to the PS4:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  02 15 20 53 00 4F 00 42 00 A1 11 C0 00 83 81 7E
00000010  7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21
00000020  03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80
00000030  00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00
00000040  00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00
00000050  00 00 00 00 7D 0A 5D 0B

(For Packet type 2)

	Offset	Size	Value	Description
Header	0x00	0x01	0x02	(2) Packet Type: 0x00: Acknowledgement Packets ? 0x01: HCI Command Packet (send commands to the Host Controller) 0x02: HCI ACL Data Packet (exchange Asynchronous Connection-Less data between the Host and Host Controller) 0x03: HCI SCO Data Packet (exchange Synchronous Connection-Oriented data) 0x04: HCI Event Packet (notify the Host when events occur)
	0x01	0x02	0x1520	(0x2015) Control information (_msb00 10 000000010101_lsb): for Packet type: 2 Broadcast (BC) flag (most significant 2 bits): 00 = point-to-point packet (no broadcast) (only two Bluetooth units involved) 01 = Active Slave Broadcast (Up to 7 slaves can be active in the Piconet) 10 = Parked Slave Broadcast (Up to 255 further slave devices can be inactive) Packet boundary (PB) flag (2 bits): 01 = continuing packet of a higher level message 10 = first packet of a higher level message Connection handle (least significant 12 bits): 0x15
	0x03	0x02	0x5300	(For Packet type 2) (83) Length of Packet
	0x05	0x02	0x4F00	(79) Length (Payload+Check)
	0x07	0x02	0x4200	(0x0042) Channel ID (CID)
HID portion	0x09	0x03	0xA111C0	Packet Payload header: INPUT DATA protocol code 0x11 (see Structure HID transaction)
HID portion	0x0C	0x48	0x0083 … 0x00	Data: See (speculation) USB data format for the first 64 bytes + 8 bytes NULL.
Check	0x54	0x04	0x7D0A5D0B	(0x0B5D0A7D) Data Integrity Check (CRC-32) To ensure that the packet is valid, this field is appended onto the end of the packet. Packet Payload is used to compute the Data Integrity Check (the CRC32's polynomial is 0x4C11DB7)

Packet type 4 example:

04 13 05 01 15 00 01 00

Offset	Size	Value	Description
0x00	0x01	0x04	(4) Packet Type: HCI Event Packet
0x01	0x01	0x13	Event code
0x02	0x01	0x05	Parameter total length
0x03	0x01	0x01	Number of Connection handles
0x04	0x02	0x1500	(0x15) Connection handle
0x06	0x02	0x0100	(1) Number of completed packets

CRC32

You can use http://www.lammertbies.nl/comm/info/crc-calculation.html to try this yourself, enter the packet payload into the textbox (hex):

First 75 bytes of the HID report

A1 11 C0 00 83 81 7E 7E 08 00 3C 00 00 83 A2 07 F1 FF F9 FF 04 00 21 03 17 1F 29 F9 00 00 00 00 00 08 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 80 00 00 00 80 00 00 00 00 00

Structure HID transaction (portion)

Input and output reports specify control data and feature reports specify configuration data.

Data Format
byte index	bit 7	bit 3	bit 1
[0]	transaction type: 0x04: GET REPORT 0x05: SET REPORT 0x0A: DATA	parameters: 0x00: 0x01:	report type: 0x01: INPUT 0x02: OUTPUT 0x03: FEATURE
[1]	protocol code
[2]	-
[3-end]	report content (e.g. buttons for report type input , see data structure)

HID INPUT reports

Input controls are sources of data relevant to an application, for example, X and Y data (e.g.: axes stick) or buttons obtained from a pointing device.

Protocol code:

0x01

This report is sent until the GET REPORT FEATURE 0x02 is received.

0xa1, 0x01, 0x7d, 0x7d, 0x80, 0x7e, 0x08, 0x00, 0x00, 0x00, 0x00
            ^Left Stick X ...       ^D-PAD

0x11

This report is sent once the GET REPORT FEATURE 0x02 is received. See example

HID output reports

Output controls are a sink for application data, for example, an LED (or sound or rumbles) that indicates the state of a device.

Protocol code:

0x11

0x14

Speculation: contains sound.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0000   0f 01 42 00 a2 14 40 a0 f4 69 02 9c 75 19 24 00  [email protected].$.
   0010   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
   0020   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
   0030   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
   0040   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
   0050   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
   0060   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
   0070   b6 db b6 db 6d db 6d b6 ed b6 db 9c 75 19 24 00  ....m.m.....u.$.
   0080   00 00 00 00 00 00 00 76 db 6d bb 6d b6 dd b6 db  .......v.m.m....
   0090   6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed b6 db  n.m.m....m.m....
   00a0   76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db  v.m.m....n.m.m..
   00b0   b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d b6 dd  ..m.m....v.m.m..
   00c0   b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d b6 ed  ..n.m.m....m.m..
   00d0   b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
   00e0   b6 db b6 db 6d db 6d b6 ed b6 db 00 00 00 00 00  ....m.m.........
   00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f  ................
   0110   42 86 54                                         B.T

0x15

Speculation: contains rumbles, LED color and sound.

0000   4f 01 42 00 a2 15 c0 a0 f3 04 00 00 00 00 00 ff  O.B.............
0010   00 00 00 00 00 00 00 00 00 00 49 49 00 4f 85 00  ..........II.O..
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 f6 69 02 9c 75 19 24 00 00 00 00 00 00  ....i..u.$......
0060   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
0070   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
0080   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
0090   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
00a0   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
00b0   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
00c0   db 6d b6 ed b6 db 9c 75 19 24 00 00 00 00 00 00  .m.....u.$......
00d0   00 00 76 db 6d bb 6d b6 dd b6 db 6e db 6d b7 6d  ..v.m.m....n.m.m
00e0   b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d bb 6d  ....m.m....v.m.m
00f0   b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d db 6d  ....n.m.m....m.m
0100   b6 ed b6 db 76 db 6d bb 6d b6 dd b6 db 6e db 6d  ....v.m.m....n.m
0110   b7 6d b6 db b6 db 6d db 6d b6 ed b6 db 76 db 6d  .m....m.m....v.m
0120   bb 6d b6 dd b6 db 6e db 6d b7 6d b6 db b6 db 6d  .m....n.m.m....m
0130   db 6d b6 ed b6 db 00 00 00 00 00 00 00 00 00 00  .m..............
0140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b5  ................
0150   98 a9 0f                                         ...

0x4F01: length (335)
0x4200: CID (42)
0xA2: DATA OUTPUT
0x15: Protocol Code
0xC0A0F30400: Unknown
0x00: Rumble right
0x00: Rumble left
0x00: LED (Red)
0x00: LED (Green)
0xFF: LED (Blue)

... 0xB598A90F: Check (CRC-32 (from 0xA2))

0x17

0x18

0x19

HID features reports

A user-mode application can obtain (get) and set feature information by using this report designation.

DS4-BT

Contents

Bluetooth

UART HCI

Service Discovery Protocol (SDP)

PS4

DS4

HID Report header & footer

Examples

CRC32

Structure HID transaction (portion)

HID INPUT reports

0x01

0x11

HID output reports

0x11

0x14

0x15

0x17

0x18

0x19

HID features reports

Navigation menu

DS4-BT

Bluetooth

UART HCI

Service Discovery Protocol (SDP)

PS4

DS4

HID Report header & footer

Examples

CRC32

Structure HID transaction (portion)

HID INPUT reports

0x01

0x11

HID output reports

0x11

0x14

0x15

0x17

0x18

0x19

HID features reports

Navigation menu

Search