Hi, I am a developer of the DS4 Xinput tool.
I have a question regarding the 30s re-authentication mechanism that PS4/DS4 uses; could you please elaborate more on this?
I am curious what kind of authentication it is and possibly how to retrieve/store the secret key.
PS4 and DS4 authentication
Re: PS4 and DS4 authentication
Hi,
I wrote some details there: http://eleccelerator.com/wiki/index.php ... ol_reports
It's probably using symmetric cryptography. It's probably not possible to get the secret key without attacking the main chip.
GIMX creator
Re: PS4 and DS4 authentication
Thanks, I think I was able to rewrite the key at some point in my initial development, as my DS4 now works only with PC; it stops working after a few min with PS4. I did it while trying to see what each report ID does. It did help me identify a lot of interesting report IDs, like through USB it's possible to turn on the speaker through report ID 160, if I remember correctly. As well, 128 allows you to rewrite the DS4's MAC address permanently.
I also tried sending an exact copy of the reports mentioned on Frank's page to output, but they don't seem to enable audio. I think there is an on/off for the speaker like I found on USB, but I'm not sure where it is on BT.
PS: sorry for the reported post, looked like a reply.
Re: PS4 and DS4 authentication
This is interesting, although being able to write the secret key does not necessarily mean it can be retrieved.
Do you have the exact command to send for writing the DS4 bdaddr?
If you want to investigate more on the Bluetooth side, I suggest you try my l2cap proxy.
GIMX creator
Re: PS4 and DS4 authentication
Yeah, it makes sense that they would hide the secret code and only allow writing it.
Sending a set feature request to report ID 128 (dec): the size of the report is 6 bytes, so each byte is a pair or XX in hex; the first byte is the report ID #, so I was sending a buffer of size 7. This is over a USB connection.
Sending a set feature request to report ID 160 (0xA0): the size of the report is 6 bytes, the first byte is the report ID #, so I was sending a buffer of size 7. This is over a USB connection as well. Sending all 1 seems to turn on the speaker (beep sound).
Re: PS4 and DS4 authentication
Could you confirm the following values are correct?
request_type = 0x21 (LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_CLASS | LIBUSB_RECIPIENT_INTERFACE)
bRequest = 0x09 (LIBUSB_REQUEST_SET_CONFIGURATION)
wValue = 0x80 (modify DS4's bdaddr)
wIndex = 0x0000
wLength = 0x0007
I tried sending a get feature (request_type = 0xa1, bRequest = 0x01); I got no answer.
GIMX creator
Re: PS4 and DS4 authentication
Yes, 0x21, 0x9, 0x80 is the correct request; it was done through WinUSB drivers.
The buffer is 6 bytes of MAC address in reversed order, so the last hex pair comes first.
You should see the DS4 MAC change in report 0x12 with request 0xa1, 0x1, 0x12.
Edit:
I noticed in your source it seems you are using 0x0312 and 0x0313 instead of 0x12 and 0x13, so you might have to do something like 0x0380.
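The following is an added example, not code from any poster in this thread or from GIMX: it decodes the USB HID control-request fields discussed above and shows how the 0x03 prefix in 0x0312/0x0313/0x0380 relates to the bare report IDs, plus the last-pair-first address byte order. All function and struct names are hypothetical, and the sample address bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* USB HID class requests (HID 1.11, section 7.2). With a class-type
 * bmRequestType, bRequest 0x09 is SET_REPORT and 0x01 is GET_REPORT. */
enum { HID_GET_REPORT = 0x01, HID_SET_REPORT = 0x09 };
/* Report type carried in the high byte of wValue. */
enum { HID_INPUT = 1, HID_OUTPUT = 2, HID_FEATURE = 3 };

struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

/* wValue = (report type << 8) | report ID */
static uint16_t hid_wvalue(uint8_t type, uint8_t id) { return (uint16_t)((type << 8) | id); }
static uint8_t  hid_report_type(uint16_t wValue) { return (uint8_t)(wValue >> 8); }
static uint8_t  hid_report_id(uint16_t wValue)   { return (uint8_t)(wValue & 0xff); }

/* 1 only for a SET_REPORT/GET_REPORT whose direction bit matches the
 * request, addressed class-to-interface, with report type Feature. */
static int is_feature_transfer(const struct usb_setup *s) {
    int in = (s->bmRequestType & 0x80) != 0;
    if ((s->bmRequestType & 0x7f) != 0x21) return 0;   /* class | interface */
    if (s->bRequest == HID_SET_REPORT && in) return 0;
    if (s->bRequest == HID_GET_REPORT && !in) return 0;
    if (s->bRequest != HID_SET_REPORT && s->bRequest != HID_GET_REPORT) return 0;
    return hid_report_type(s->wValue) == HID_FEATURE;
}

/* Render 6 address bytes stored last-pair-first as "AA:BB:..." text. */
static void bdaddr_from_wire(const uint8_t wire[6], char out[18]) {
    snprintf(out, 18, "%02X:%02X:%02X:%02X:%02X:%02X",
             wire[5], wire[4], wire[3], wire[2], wire[1], wire[0]);
}

int main(void) {
    /* Constructed samples: the thread's values without and with the type byte. */
    struct usb_setup bare  = { 0x21, 0x09, 0x0080, 0, 7 };
    struct usb_setup typed = { 0x21, 0x09, hid_wvalue(HID_FEATURE, 0x80), 0, 7 };
    const uint8_t wire[6] = { 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; /* constructed */
    char text[18];
    bdaddr_from_wire(wire, text);
    printf("bare=%d typed=%d wValue=0x%04X id=0x%02X addr=%s\n",
           is_feature_transfer(&bare), is_feature_transfer(&typed),
           typed.wValue, hid_report_id(typed.wValue), text);
    return 0;
}
```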