Category: Custom pairing

The final sixpair-emu firmware for the Teensy++ is available there.

I wrote a small python app that makes the customization of the sixpair-emu easier: nothing to compile, no firmware to download (except the pre-compiled initial one) to the Teensy++!

It looks like this:

Disclaimer:

• use it at your own risk
• the (vendor id, product id) = (0x054c, 0x0268) is the property of Sony

Instructions:

• plug the Teensy++ to the PC
• download the firmware to the Teensy++ with the Teensy loader
• if the bluetooth device to be used is a dongle, then plug it to the PC (if external)
• launch the sixpair-emu customizer
• select the Teensy++
• select the bluetooth device, or select and edit custom bdaddr
• select the (vendor id – product id): sixaxis = 0x054c – 0x0268, original firmware = 0x03eb – 0x2042
• clic apply (if there is no change, the application tells nothing was modified)
• unplug the Teensy++
• plug it to the PS3

=> the bluetooth device is registered as a Sixaxis by the PS3, so that it can connect to the PS3 as a sixaxis!

If a Teensy++ or a bluetooth device is plugged after the application is started, the refresh button allows to refresh the gui without restart.

Python code is available there.

Ubuntu:

It requires following packages:

• python 2.6.5
• python-tk
• libusb > 1.0
• pyusb > 1.0
• pybluez 0.18

It has to be launched in a terminal with the following command:

sudo python sixp-emu-cust.py

Windows:

(tested in windows vista)

– python 2.6.5 (includes python-tk)
– libusb filter driver 1.1.14.0
– pyusb 1.0.0-a0 (to be installed in cmd shell with ‘setup.py install’)
– pybluez 0.18

(the bdaddrs are not read, but custom bdaddr can be set)

[deprecated – see newer post]

The code to get a teensy++ pair a bluetooth device with a PS3 is available there.

Disclaimer:

• use it at your own risk
• the vendor id and the product id are the property of Sony

To get it working, the following changes have to be done:

In sixaxis_pair_emu.c, edit the following lines:

uint8_t EEMEM DeviceBdaddr[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
uint16_t EEMEM VendorId = 0x03EB;
uint16_t EEMEM ProductId = 0x2042;

If your bdaddr is 11:22:33:44:55:66 then replace {0x01, 0x02, 0x03, 0x04, 0x05, 0x06 } with {0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }.
The vendor id of a sixaxis is 0x054c, and the product id is 0x0268.

For now, you have to compile the firmware yourself.

Enhancements that I planned to do:

• make the PS3 bdaddr be learnt by the device (but not persistent) done
• write the variables that have to be modified in the eeprom done
• make a specific usb request to modify them done
• make a definitive firmware
• make a linux/windows gui app

I have just paired my broadcom dongle with my PS3 as a Sixaxis :-p

I did this without modifying the dongle: this dongle is built on a broadcom chipset, which does not allow bdaddr modification!

I lately have been looking for ways to do that:
– I tried to modify the bdaddr of a sixaxis so as to make it pair the bdaddr of a dongle (you never know, it could have worked – and testing that was very easy)
– I tried to emulate a sixaxis with a usb development board

The development board is a Teensy++, but the code written for this device can be ported to any other atmel usb development board supported by the LUFA framework, such as the bumble-b for example.

Steps of the work:

1/ I wrote the usb hid layer and the “sixpair interface” (3 host to device requests: set master bdaddr, get master bdaddr, and get device bdaddr), and got the usb exchanges with a Linux host (sniffed with Wireshark/usbmon) be identical

=>pairing failed

2/ I bombed a real sixaxis whith “get report” control requests so as to see all the wValue that give responses, and implemented these request responses

=>failed too

3/ I connected my jtagice mkii debugger to my teensy++, made the teensy++ write some request logs in memory, and inspected them.
I identified the request that was blocking, did the same request to a real sixaxis, and saw the response it should give.

=>success!!!

The sixaxis can now be emulated with any bluetooth device!

A usb device (such as a teensy++, a bumble-b or an atmel chip+vusb) can talk to the PS3 as an “unpaired” sixaxis.

I think it has to have the following characteristics:

• the same vendor id and product id
• the same hid descriptor
• after a small delay, the device sends a PS3 button press
• when the PS3 requests for the bdaddr, reply with the bdaddr we want to pair
• when the PS3 sends its bdaddr, reply “ok”

Another way to pair a dongle with the PS3 as a Sixaxis could be to change the bdaddr of a Sixaxis with the bdaddr of a dongle, and pair that Sixaxis with the PS3.

It seems that the bluetooth module of the sixaxis is composed of a CSR chip and an additional chip (flash memory?), so that there is a little chance that the bdaddr can be changed.

The bdaddr of the bluetooth master can be get/set with usb commands (as seen with sixpair utility). I’ll try to do the same with the bdaddr of the sixaxis (it is already known that there is a get command).

Pros:
– any bluetooth dongle could be used
– using a widcomm compatible dongle could make possible to port the sixaxis emulator to windows
– the sixaxis bdaddr could be reset to its original value so that the sixaxis and the sixaxis emulator could be used at the same time

Cons:
– none

This method doesn’t work, the command just fails.