PS 4 - Controller Authentication

Avok
Posts: 6
Joined: Sat Dec 16, 2017 3:33 pm

Re: PS 4 - Controller Authentication

Post by Avok » Sat Dec 23, 2017 1:29 pm

Godlike wrote:
Sat Dec 23, 2017 9:52 am
Yeah DS4 FW can be dumped from the 1.76 hacked console for some months. Probably they used it to hack gamepad authentication. There's 4.05 hack in the works and private 5.01 exploit. It will surely be an interesting time.
Probably, but they also found the way for the X1 and Switch gamepads :o

billy.joe
Posts: 3
Joined: Fri Mar 23, 2018 4:23 pm

Re: PS 4 - Controller Authentication

Post by billy.joe » Fri Mar 23, 2018 10:27 pm

Hi,

Is there a public dump of a successful PS4-DS4 authentication? The Wiki articles that cover the auth packets are wrong / incomplete.

Matlo
Posts: 4935
Joined: Wed Jul 06, 2011 7:01 am
Location: France

Re: PS 4 - Controller Authentication

Post by Matlo » Sat Mar 24, 2018 8:53 pm

Hi,

Authentication is based on symmetric cryptography. Replaying a successful authentication will not work.
GIMX creator

billy.joe
Posts: 3
Joined: Fri Mar 23, 2018 4:23 pm

Re: PS 4 - Controller Authentication

Post by billy.joe » Mon Mar 26, 2018 3:00 pm

Hi Matlo,

I was wondering, because it all looked too simple: get nonce, sign nonce, send nonce. After getting a dump it seems it's actually quite different.

The console sends the 0x100 (256) bytes long nonce, but the controller responds with two messages (separated by padding), 528 and 256 bytes respectively, spanned across 17-18 packets.


Note: ignore this post, check the post below for more information.
Last edited by billy.joe on Wed Apr 11, 2018 12:09 pm, edited 1 time in total.

billy.joe
Posts: 3
Joined: Fri Mar 23, 2018 4:23 pm

Re: PS 4 - Controller Authentication

Post by billy.joe » Tue Mar 27, 2018 3:11 pm

For the sake of Googlers passing by, the auth works as follows for the USB controllers:

- Console sends a nonce in 5 packets of type 0xF0
- DS4 sends one ACK packet of type 0xF2 saying that it's prepping the data (probably because RSA is compute-heavy and the microcontroller on the gamepad needs some time)
- DS4 sends one ACK packet of type 0xF2, but this time removes the flag, indicating that it's ready to send the data.
- DS4 sends 19 packets of type 0xF1.

Challenge:

    /* Challenge sent by the console: 0x100 bytes, split over 5 packets of type 0xF0 */
    struct ps4_challenge {
        unsigned char nonce[0x100];
    };
Response:

    /* Response sent by the DS4: 0x410 bytes in total, split over 19 packets of type 0xF1 */
    struct ds4_response {
        unsigned char signature[0x100];   /* PSS signature of the nonce, made with the DS4 private key */
        unsigned char serial_num[0x10];   /* controller / certificate serial number */
        unsigned char n[0x100];           /* RSA public key modulus */
        unsigned char e[0x100];           /* RSA public key exponent */
        unsigned char casig[0x100];       /* PSS signature by Sony's CA over serial_num, n and e */
    };
signature is a PSS signature of the nonce, signed by the private key of the DS4.
serial_num is the controller/cert serial number.
n is the public key's prime number.
e is the public key's exponent.
casig is a PSS signature (signed by Sony's CA private key) of serial_num, n and e. This is what prevents you from generating your own keys, and this is why you need a valid DS4 dump.

You'll have to get a dump of the DS4 in order to get a valid serial_num, n, e, casig and the private key with which to sign the nonce. I'm not sure if the capability is present/active, but Sony might be able to ban known/public DS4 dumps, similar to how certificate revocation works in TLS.

Why so many packets?

The controller's descriptors set the maximum packet size at 64 bytes. Usable data (without the checksum and the header) is 56 bytes.

What are the sequence and packet counters?

The console sends auth requests periodically; in order to know which request you're answering, there is a sequence counter. This counter is set by the console and does not change until a new auth request is issued.

The packet counter is the packet number within the sequence. As the data is split into multiple packets, the console needs to keep track of the order.
Last edited by billy.joe on Wed Apr 11, 2018 12:09 pm, edited 3 times in total.
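The exchange described in the post above, as an added, runnable example that is not part of the original thread and not GIMX code. Both sides are simulated in one process with the `cryptography` library: a stand-in CA key plays the role of Sony's CA and a locally generated controller key plays the role of a DS4 dump (both constructed for the demo, since real ones only come from a dump). The hash (SHA-256), the PSS salt length (32), the 4-byte packet header layout and the CRC32 trailer are assumptions made to get a working demo; the post only gives the struct sizes, the report types, the 64/56-byte split and the existence of the two counters. The console-side check shows why a replayed response and a self-generated key both fail, and the packetizer reproduces the 5 and 19 packet counts from the post.

```python
import os
import zlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Sizes taken from the struct layout in the post.
NONCE_LEN = 0x100
SIG_LEN = 0x100
SERIAL_LEN = 0x10
KEY_FIELD_LEN = 0x100                      # n and e are each padded to 0x100 bytes
RESPONSE_LEN = SIG_LEN + SERIAL_LEN + 3 * KEY_FIELD_LEN   # 0x410 = 1040 bytes
PAYLOAD_LEN = 56                           # 64-byte report minus header and checksum

# ASSUMPTION: the post only says "PSS"; SHA-256 with a 32-byte salt is a demo choice.
_HASH = hashes.SHA256()
_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)


def pss_sign(priv, data):
    return priv.sign(data, _PSS, _HASH)


def pss_verify(pub, sig, data):
    try:
        pub.verify(sig, data, _PSS, _HASH)
        return True
    except InvalidSignature:
        return False


def make_identity(issuer_priv, serial):
    """Build what a DS4 dump provides: private key, serial, n, e and casig.
    issuer_priv is the key that signs (serial || n || e); only Sony's CA key
    produces a casig the console accepts. Keys here are constructed demo data."""
    ds4_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nums = ds4_priv.public_key().public_numbers()
    n = nums.n.to_bytes(KEY_FIELD_LEN, "big")
    e = nums.e.to_bytes(KEY_FIELD_LEN, "big")
    casig = pss_sign(issuer_priv, serial + n + e)
    return ds4_priv, serial, n, e, casig


def ds4_respond(identity, nonce):
    """Controller side: sign the console's nonce and append the CA-signed key material."""
    ds4_priv, serial, n, e, casig = identity
    resp = pss_sign(ds4_priv, nonce) + serial + n + e + casig
    assert len(resp) == RESPONSE_LEN
    return resp


def console_verify(ca_pub, nonce, resp):
    """Console side: check casig with the CA key first, then the nonce signature
    with the (now trusted) controller key carried inside the response."""
    if len(resp) != RESPONSE_LEN:
        return False
    sig = resp[:SIG_LEN]
    off = SIG_LEN
    serial = resp[off:off + SERIAL_LEN]
    off += SERIAL_LEN
    n = resp[off:off + KEY_FIELD_LEN]
    e = resp[off + KEY_FIELD_LEN:off + 2 * KEY_FIELD_LEN]
    casig = resp[off + 2 * KEY_FIELD_LEN:off + 3 * KEY_FIELD_LEN]
    if not pss_verify(ca_pub, casig, serial + n + e):
        return False                      # key not certified by the CA: reject
    ds4_pub = rsa.RSAPublicNumbers(int.from_bytes(e, "big"),
                                   int.from_bytes(n, "big")).public_key()
    return pss_verify(ds4_pub, sig, nonce)  # wrong nonce (replay) fails here


def split_packets(report_type, seq, payload):
    """Split a message into 64-byte reports of 56 bytes payload each.
    ASSUMPTION: header = [report_type, sequence counter, packet counter, 0] and a
    trailing CRC32; the real DS4 layout and checksum are not given in the post."""
    packets = []
    for idx in range(0, len(payload), PAYLOAD_LEN):
        chunk = payload[idx:idx + PAYLOAD_LEN].ljust(PAYLOAD_LEN, b"\x00")
        body = bytes([report_type, seq & 0xFF, idx // PAYLOAD_LEN, 0]) + chunk
        packets.append(body + zlib.crc32(body).to_bytes(4, "little"))
    return packets


def demo():
    ca_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stand-in CA
    ca_pub = ca_priv.public_key()
    serial = b"\x00" * (SERIAL_LEN - 1) + b"\x01"                              # constructed
    genuine = make_identity(ca_priv, serial)            # "dumped" controller, CA-certified
    rogue_ca = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    forged = make_identity(rogue_ca, serial)            # own key, casig not from Sony's CA

    nonce = os.urandom(NONCE_LEN)
    resp = ds4_respond(genuine, nonce)
    return {
        "genuine_ok": console_verify(ca_pub, nonce, resp),
        "replay_ok": console_verify(ca_pub, os.urandom(NONCE_LEN), resp),   # fresh nonce
        "forged_ok": console_verify(ca_pub, nonce, ds4_respond(forged, nonce)),
        "nonce_packets": len(split_packets(0xF0, 1, nonce)),
        "response_packets": len(split_packets(0xF1, 1, resp)),
    }


if __name__ == "__main__":
    print(demo())
```

The verification order matters: the console must validate `casig` against the CA key before trusting `n` and `e`, otherwise an attacker could ship any key pair in the response and sign the nonce with it. That is exactly the gap the CA signature closes, and why a valid dump is the only way to pass the check.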

Matlo
Posts: 4935
Joined: Wed Jul 06, 2011 7:01 am
Location: France

Re: PS 4 - Controller Authentication

Post by Matlo » Wed Mar 28, 2018 11:50 am

Thanks for sharing!
GIMX creator
