[Slightly OOT] DS4 spoofing


Post by fraca7 »

Hello. I'm currently stuck on a little project of mine, as I said in my introduction. Basically I want to use an Arduino Leonardo with a USB host shield as a passthrough between the PS4 and the Dualshock, in order to alter the input reports. The final goal is to hack up gyro aiming to play Horizon: Zero Dawn without sucking with the bow :)

I took a look at the boards and found two topics of interest already:

https://gimx.fr/forum/viewtopic.php?f=20&t=893
https://gimx.fr/forum/viewtopic.php?f=11&t=3036

This second one makes me optimistic since it seemed to work, but the code was never published, it seems. So, a few more details:

Hardware: Leonardo, USB shield. PS4 Pro and the DS that came with it (product 0x09cc).
Software: USB host shield library to communicate with the DS4, LUFA for Arduino to communicate with the PS4.

I'm currently spoofing the USB descriptors (with a single HID interface, I skipped the sound ones), and then handling the HID class methods and forwarding them to the DS. This seems to *almost* work; when I plug in the controller, I get the regular control flow:

GET_REPORT 0x02
GET_REPORT 0xa3
GET_REPORT 0x12

Then if I press PS

SET_REPORT 0x14 01 00...

And periodic 32-byte packets on the interrupt OUT endpoint, to change the LED colors I guess (though the packets are identical). After some time the authentication challenge starts, the challenge response is ready, etc. This seems to show that the PS4 actually acknowledged the Leonardo, but the UI itself does not behave as if a controller was plugged in.

So, does anyone have a hint about this? I'd like to set up a GitHub repo for the code, but since it doesn't actually work right now... Ultimately this may be used to implement macros/remappings in a narrower sense than GIMX is already doing, but with much less setup involved. After I finish Horizon: Zero Dawn of course :)


Re: [Slightly OOT] DS4 spoofing

Post by fraca7 »

Turns out, this happens because I was not spoofing the audio class interfaces (or maybe because since I wasn't, the HID interface number was 0 instead of 3, or something else related to the interface/endpoint numbers). Now on to the meat of the problem :)


Re: [Slightly OOT] DS4 spoofing

Post by fraca7 »

I meant "1 instead of 3", not 0 obviously.
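
One way to check the interface and endpoint numbering that the second post suspects, as an added example that is not part of the thread or of fraca7's code: it walks a configuration descriptor to find the HID interface and tests whether a HID class request's wIndex addresses it. The descriptor bytes are constructed for illustration, not dumped from a DualShock 4, and `hid_layout`, `find_hid_layout` and `request_targets_hid` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
enum { DT_INTERFACE = 0x04, DT_ENDPOINT = 0x05, CLASS_HID = 0x03 };

typedef struct {
    int found;              /* 1 once a HID interface has been seen */
    uint8_t iface;          /* its bInterfaceNumber */
    uint8_t ep_in, ep_out;  /* endpoint addresses, 0 if absent */
} hid_layout;

/* Constructed configuration descriptor (not dumped from a real controller):
 * three audio-class interfaces, then the HID interface as number 3. */
const uint8_t SAMPLE_CFG[] = {
    9, 0x02, 68, 0, 4, 1, 0, 0xC0, 250,     /* configuration, 68 bytes total */
    9, 0x04, 0, 0, 0, 0x01, 0x01, 0, 0,     /* interface 0: audio control */
    9, 0x04, 1, 0, 0, 0x01, 0x02, 0, 0,     /* interface 1: audio streaming */
    9, 0x04, 2, 0, 0, 0x01, 0x02, 0, 0,     /* interface 2: audio streaming */
    9, 0x04, 3, 0, 2, 0x03, 0, 0, 0,        /* interface 3: HID */
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0, 0,  /* HID class descriptor */
    7, 0x05, 0x84, 0x03, 64, 0, 5,          /* interrupt IN endpoint */
    7, 0x05, 0x03, 0x03, 64, 0, 5,          /* interrupt OUT endpoint */
};

/* Walk the descriptor chain and record the first HID interface and its
 * endpoints. Returns -1 if a length field is too short or overruns the buffer. */
int find_hid_layout(const uint8_t *d, size_t len, hid_layout *out)
{
    int in_hid = 0;
    out->found = 0; out->iface = out->ep_in = out->ep_out = 0;
    for (size_t i = 0; i < len; i += d[i]) {
        if (len - i < 2 || d[i] < 2 || d[i] > len - i) return -1;
        if (d[i + 1] == DT_INTERFACE) {
            if (d[i] < 9) return -1;
            in_hid = !out->found && d[i + 5] == CLASS_HID;
            if (in_hid) { out->found = 1; out->iface = d[i + 2]; }
        } else if (d[i + 1] == DT_ENDPOINT && in_hid) {
            if (d[i] < 7) return -1;
            if (d[i + 2] & 0x80) out->ep_in = d[i + 2];
            else out->ep_out = d[i + 2];
        }
    }
    return 0;
}

/* A HID class request (GET_REPORT, SET_REPORT) has bmRequestType 0xA1 or 0x21
 * and names its interface in wIndex; it must match the advertised number. */
int request_targets_hid(const uint8_t setup[8], const hid_layout *l)
{
    return l->found && (setup[0] & 0x7F) == 0x21 && setup[4] == l->iface && setup[5] == 0;
}
```

Running `find_hid_layout` over both the real device's descriptor and the spoofed one, then comparing the two layouts, shows at a glance whether dropping interfaces has shifted the HID interface number or endpoint addresses.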
