PS 4 - Controller Authentication

Posted: Sat Dec 16, 2017 4:14 pm
by Avok
Hi,

I have a question regarding the controller authentication.
Based on the GIMX source code and the wiki/eleccelerator pages, I understood what the current limitations for the PS 4 controller emulation are.
Basically, please correct me if I'm wrong, right now it's not possible to 100% emulate a PS 4 controller due to an authentication process that is involved between the host and the device.

However, thanks to Matlo's serial-usb project, I was able to sniff the USB communication between an H*RI (USB) m*ni fighti*g sti*k and the console.
Basically the authentication works in this way (more or less the same information that I got from the wiki):
Host sends the Set Report Request 0x03F0 to the device.
The 0x03F0 is sent in 5 different messages:
1) Messages #1 to #4 contain 56 bytes of relevant data each (the first 4 bytes of each message are just header/counters, the last 4 bytes are the CRC)
2) Message #5 contains 32 bytes of relevant data
In total the 0x03F0 is 256 bytes long, which I assume represents the pass-phrase.
Probably it's a sort of 2048-bit encryption (RSA?)
Anyway, the 0x03F0 changes every time that the console is restarted.

Once the device has received the five 03F0 messages, it will start to send the 0x03F1 report to the host that will contain some encoded payload, based on the key received from the host.

Now, I spent a few hours analysing different Wireshark logs (taken at different times) and I can see that the encoder/decoder protocol is not so easy to reverse (as I expected).
I think that this is the main reason that GIMX needs a PC/Pi to spoof and pass through the authentication.

Question.
With Google I found out that there is a board called univer*al fight*ing sti*k that is able to fully emulate every new-gen controller.
I don't think that the company is authorized by S*ny or Micro*oft or Ninten*o to produce this board, so I believe that they were able to reverse the code.
Now, this makes me wonder whether the challenge message sent is not based on some sort of hard-level type of encryption (i.e. RSA), which would make the decode process much easier.
Does anyone know how they did it?
I mean, has anyone tried to capture the logs between this board and the console? Does anyone have some other information to share?
Thanks
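To make the report layout described above concrete, here is an added example (not GIMX code and not from the thread) that frames a 256-byte challenge into the five 0x03F0 pages and reassembles it back, checking lengths, page order and the trailing CRC. The 64-byte page size, the header bytes (report ID 0xF0, sequence, page index, pad) and the use of CRC-32 over the bytes before the checksum are assumptions; the 56/56/56/56/32 split and the 4-byte header/CRC are what the post states.

```python
import struct
import zlib
from typing import List

# Assumed framing: 64-byte report = 4-byte header + data + zero pad + 4-byte CRC-32.
REPORT_LEN = 64
HDR_LEN = 4
CRC_LEN = 4
PAGE_DATA = [56, 56, 56, 56, 32]   # payload bytes per page, as stated in the post


def split_challenge(challenge: bytes, seq: int = 0) -> List[bytes]:
    """Build the five 0xF0 pages from a 256-byte challenge (constructed framing)."""
    if len(challenge) != sum(PAGE_DATA):
        raise ValueError("challenge must be %d bytes" % sum(PAGE_DATA))
    pages, off = [], 0
    for page, n in enumerate(PAGE_DATA):
        # Header is assumed to be: report ID, sequence counter, page index, pad.
        body = bytes([0xF0, seq, page, 0x00]) + challenge[off:off + n]
        body = body.ljust(REPORT_LEN - CRC_LEN, b"\x00")
        pages.append(body + struct.pack("<I", zlib.crc32(body)))
        off += n
    return pages


def reassemble_challenge(pages: List[bytes]) -> bytes:
    """Verify each page and return the concatenated 256-byte challenge."""
    if len(pages) != len(PAGE_DATA):
        raise ValueError("expected %d pages, got %d" % (len(PAGE_DATA), len(pages)))
    out = bytearray()
    for i, (page, n) in enumerate(zip(pages, PAGE_DATA)):
        if len(page) != REPORT_LEN:
            raise ValueError("page %d: bad length %d" % (i, len(page)))
        body = page[:-CRC_LEN]
        (crc,) = struct.unpack("<I", page[-CRC_LEN:])
        if zlib.crc32(body) != crc:
            raise ValueError("page %d: CRC mismatch" % i)
        if body[0] != 0xF0 or body[2] != i:
            raise ValueError("page %d: unexpected header %s" % (i, body[:HDR_LEN].hex()))
        out += body[HDR_LEN:HDR_LEN + n]   # drop header, keep only the relevant data
    return bytes(out)
```

A capture where the sequence counter or CRC does not line up is rejected rather than silently concatenated, which is the check you want before comparing challenges taken from different console restarts.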

Re: PS 4 - Controller Authentication

Posted: Sat Dec 16, 2017 6:14 pm
by Matlo
Hi,

I would not be surprised if the fightstick you are talking about requires a genuine controller to work on PS4 and Xbox 360/One.

I believe they are using symmetric-key algorithms, which means you have to know the private key to authenticate.
On Xbox platforms this is handled by a dedicated chip. It's unlikely to be hacked.

Re: PS 4 - Controller Authentication

Posted: Sat Dec 16, 2017 8:18 pm
by Avok
Hi Matlo,

Thanks for the reply.
Based on the information available on the seller's website and also on the YouTube videos, it seems that the board doesn't need the original pad for the authentication.
It looks weird to me too, but if you look at the circuit board there is only one USB socket, that is used to connect to the console, that's it, no BT or other USB ports.
There is a good review on YouTube too.

I will continue my research :-)
Thanks
Bye.

Re: PS 4 - Controller Authentication

Posted: Sat Dec 16, 2017 11:36 pm
by Matlo
Could you please post a link? I cannot guess which device you are talking about.

Re: PS 4 - Controller Authentication

Posted: Sun Dec 17, 2017 12:43 am
by Avok

Re: PS 4 - Controller Authentication

Posted: Thu Dec 21, 2017 5:33 pm
by Matlo
If this is for real, then they hacked the gamepad authentication.

Re: PS 4 - Controller Authentication

Posted: Fri Dec 22, 2017 12:41 am
by Zer0xFF
@Avok if you're interested and if you think it might be of use I can probably get you the DS4 firmware (currently the one with PS4 FW 1.76, but with the release of the new exploit 4.05, might even be able to get a newer version)

Re: PS 4 - Controller Authentication

Posted: Sat Dec 23, 2017 12:46 am
by Avok
Zer0xFF wrote: Fri Dec 22, 2017 12:41 am @Avok if you're interested and if you think it might be of use I can probably get you the DS4 firmware (currently the one with PS4 FW 1.76, but with the release of the new exploit 4.05, might even be able to get a newer version)
It would be great :-).
Thanks!

Re: PS 4 - Controller Authentication

Posted: Sat Dec 23, 2017 12:55 am
by Avok
Matlo wrote: Thu Dec 21, 2017 5:33 pm If this is for real, then they hacked the gamepad authentication.
Yes, it's absolutely real.
If you do a search on Google you will find tons of posts from users that are very satisfied with this board.
This company produces many adapters for all type of consoles.
This means that they have hacked the authentications for all new-gen consoles.

Re: PS 4 - Controller Authentication

Posted: Sat Dec 23, 2017 9:52 am
by GoDlike
Yeah DS4 FW can be dumped from the 1.76 hacked console for some months. Probably they used it to hack gamepad authentication. There's 4.05 hack in the works and private 5.01 exploit. It will surely be an interesting time.