Category: Bluetooth

My current task consists in reverse engineering the Bluetooth HID protocol used by the PS4 and the DS4. I’m sharing the result of this work on the DS4 page of Frank’s wiki. This is not a trivial task but I made it easier since I have a L2CAP proxy that allows man-in-the-middle operations, like skipping specific transfers or modifying specific bytes within specific transfers.

The most difficult transfers to understand are those that are carried over the HID control channel (SET and FEATURE reports). The transfers that are carried over the HID interrupt channel are easier to understand: input reports carry axes and buttons states from the DS4 to the PS4, and output reports carry rumble, led and audio data from the PS4 to the PS4.

This work will eventually allow to cleanly implement the DS4 protocol in GIMX.

The HCI UART captures reveal the use of bluetooth authentication, which is based on a shared secret between both between the PS4 and the DS4. This shared secret is called the link key and is the result of the pairing. The link key can be seen plain-text in the HCI UART traffic. Knowing both the bluetooth device address and its associated link key is enough to spoof a DS4.

I managed to talk to a PS4 using a bluetooth proxy that I’m sharing in my git repository. This bluetooth proxy can forward the traffic between a DS4 and a PS4, using two bluetooth dongles. I also was able to modify the reports sent to the PS4. The only thing to do is to modify the desired axes and buttons, and update the last four bytes which are a CRC32 of the first 75 bytes.

Extracting the link key from a DS4 is fortunately not the only way to get a valid link key. Frank from eleccelerator discovered that the link key is sent over USB the first time the DS4 is wired to the PS4. Which means it should be possible to get a valid link key for any bluetooth device address, using a USB development board (a teensy for example) running a firmware emulating a DS4. It seems it should also be possible to use a standard bluetooth pairing: the DS4 can be turned into a discoverable device holding the share button and PS button at the same time, and then paired using the PS4 UI.