Category: Bt dongle

[deprecated – see newer post]

The code to get a teensy++ pair a bluetooth device with a PS3 is available there.

Disclaimer:

• use it at your own risk
• the vendor id and the product id are the property of Sony

To get it working, the following changes have to be done:

In sixaxis_pair_emu.c, edit the following lines:

uint8_t EEMEM DeviceBdaddr[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
uint16_t EEMEM VendorId = 0x03EB;
uint16_t EEMEM ProductId = 0x2042;

If your bdaddr is 11:22:33:44:55:66 then replace {0x01, 0x02, 0x03, 0x04, 0x05, 0x06 } with {0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }.
The vendor id of a sixaxis is 0x054c, and the product id is 0x0268.

For now, you have to compile the firmware yourself.

Enhancements that I planned to do:

• make the PS3 bdaddr be learnt by the device (but not persistent) done
• write the variables that have to be modified in the eeprom done
• make a specific usb request to modify them done
• make a definitive firmware
• make a linux/windows gui app

I have just paired my broadcom dongle with my PS3 as a Sixaxis :-p

I did this without modifying the dongle: this dongle is built on a broadcom chipset, which does not allow bdaddr modification!

I lately have been looking for ways to do that:
– I tried to modify the bdaddr of a sixaxis so as to make it pair the bdaddr of a dongle (you never know, it could have worked – and testing that was very easy)
– I tried to emulate a sixaxis with a usb development board

The development board is a Teensy++, but the code written for this device can be ported to any other atmel usb development board supported by the LUFA framework, such as the bumble-b for example.

Steps of the work:

1/ I wrote the usb hid layer and the “sixpair interface” (3 host to device requests: set master bdaddr, get master bdaddr, and get device bdaddr), and got the usb exchanges with a Linux host (sniffed with Wireshark/usbmon) be identical

=>pairing failed

2/ I bombed a real sixaxis whith “get report” control requests so as to see all the wValue that give responses, and implemented these request responses

=>failed too

3/ I connected my jtagice mkii debugger to my teensy++, made the teensy++ write some request logs in memory, and inspected them.
I identified the request that was blocking, did the same request to a real sixaxis, and saw the response it should give.

=>success!!!

The sixaxis can now be emulated with any bluetooth device!

A usb device (such as a teensy++, a bumble-b or an atmel chip+vusb) can talk to the PS3 as an “unpaired” sixaxis.

I think it has to have the following characteristics:

• the same vendor id and product id
• the same hid descriptor
• after a small delay, the device sends a PS3 button press
• when the PS3 requests for the bdaddr, reply with the bdaddr we want to pair
• when the PS3 sends its bdaddr, reply “ok”

Another way to pair a dongle with the PS3 as a Sixaxis could be to change the bdaddr of a Sixaxis with the bdaddr of a dongle, and pair that Sixaxis with the PS3.

It seems that the bluetooth module of the sixaxis is composed of a CSR chip and an additional chip (flash memory?), so that there is a little chance that the bdaddr can be changed.

The bdaddr of the bluetooth master can be get/set with usb commands (as seen with sixpair utility). I’ll try to do the same with the bdaddr of the sixaxis (it is already known that there is a get command).

Pros:
– any bluetooth dongle could be used
– using a widcomm compatible dongle could make possible to port the sixaxis emulator to windows
– the sixaxis bdaddr could be reset to its original value so that the sixaxis and the sixaxis emulator could be used at the same time

Cons:
– none

This method doesn’t work, the command just fails.