Sixutils

During my investigations to pair a bluetooth device as a sixaxis with my PS3, I modified the original sixpair code:

  • sixaddr.c is a tool to get the sixaxis device address and the PS3 device address (not useful for the investigation, but it is great for step 1 of the sixaxis emulator tutorial)
  • sixdump.c is a tool to get all the usb get requests answered by a sixaxis (used in step 2)
  • sixmod.c is a tool to see the effect of a particular usb set request on the sixaxis (used in step 3)

I couldn’t have made the ‘pairing device’ work without this code!

Pair any bluetooth device with a PS3 as a Sixaxis!


I have just paired my broadcom dongle with my PS3 as a Sixaxis :-p

I did this without modifying the dongle: this dongle is built on a broadcom chipset, which does not allow bdaddr modification!

I lately have been looking for ways to do that:
– I tried to modify the bdaddr of a sixaxis so as to make it pair the bdaddr of a dongle (you never know, it could have worked – and testing that was very easy)
– I tried to emulate a sixaxis with a usb development board

The development board is a Teensy++, but the code written for this device can be ported to any other atmel usb development board supported by the LUFA framework, such as the bumble-b for example.

Steps of the work:

1/ I wrote the usb hid layer and the “sixpair interface” (3 host to device requests: set master bdaddr, get master bdaddr, and get device bdaddr), and got the usb exchanges with a Linux host (sniffed with Wireshark/usbmon) to be identical

=>pairing failed

2/ I bombed a real sixaxis with “get report” control requests so as to see all the wValue values that give responses, and implemented these request responses

=>failed too

3/ I connected my jtagice mkii debugger to my teensy++, made the teensy++ write some request logs in memory, and inspected them.
I identified the request that was blocking, did the same request to a real sixaxis, and saw the response it should give.

=>success!!!

The sixaxis can now be emulated with any bluetooth device!

Sixaxis emulator: keyboard macros

It’s now possible to configure keyboard macros.

A key press will generate a series of events, with timing conditions.

Commands are the following:
– key down
– key up
– key press (= key down + delay + key up)
– delay (unit = ms)

Each macro has to be defined in a file.

Example: macro_example.txt

#Defines the action that triggers the macro execution
MACRO F1
#Performs a keystroke (key down + delay 50ms + key up)
KEY e
#Sleep 50ms
DELAY 50
#Perform a key down
KEYDOWN SPACE
#Sleep 50ms (minimum delay between KEYDOWN and KEYUP)
DELAY 50
#Perform a key up
KEYUP SPACE

Lines beginning with # are comments.

Each macro file has to be referenced in the macros.txt file.

All keys of the keyboard can trigger a macro. The complete list can be found in macro.c.
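
A parser for the macro file format described above, written as an added example; it is not the project's macro.c. The type names, the 127-character line limit and the `MAX_DELAY_MS` bound are assumptions of this example. It rejects unknown commands, malformed delays and event-buffer overflow instead of guessing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical types for this example; not taken from the project's macro.c. */
enum ev_type { EV_KEYDOWN, EV_KEYUP, EV_DELAY };
struct event { enum ev_type type; char key[16]; int ms; };
#define KEY_DELAY_MS 50     /* KEY = key down + delay 50ms + key up (from the page) */
#define MAX_DELAY_MS 60000  /* assumed sanity bound, not from the page */
static int push(struct event *ev, int n, int max, enum ev_type t, const char *key, int ms) {
    if (n < 0 || n >= max) return -1;   /* propagate earlier error, refuse overflow */
    ev[n].type = t; ev[n].ms = ms;
    snprintf(ev[n].key, sizeof ev[n].key, "%s", key);
    return n + 1;
}
/* Expands macro text into events; returns their count, or -1 on a malformed line. */
int parse_macro(const char *text, char *trigger, size_t tlen, struct event *ev, int max) {
    int n = 0; trigger[0] = '\0';
    while (*text) {
        char line[128], cmd[16], arg[16], extra[2];
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line) return -1;          /* over-long line */
        memcpy(line, text, len); line[len] = '\0';
        text += len + (text[len] == '\n');
        if (line[0] == '#') continue;               /* comment line */
        int fields = sscanf(line, "%15s %15s %1s", cmd, arg, extra);
        if (fields == EOF) continue;                /* blank line */
        if (fields != 2) return -1;                 /* exactly COMMAND ARGUMENT */
        if (!strcmp(cmd, "MACRO")) snprintf(trigger, tlen, "%s", arg);
        else if (!strcmp(cmd, "KEYDOWN")) n = push(ev, n, max, EV_KEYDOWN, arg, 0);
        else if (!strcmp(cmd, "KEYUP")) n = push(ev, n, max, EV_KEYUP, arg, 0);
        else if (!strcmp(cmd, "KEY")) {
            n = push(ev, n, max, EV_KEYDOWN, arg, 0);
            n = push(ev, n, max, EV_DELAY, "", KEY_DELAY_MS);
            n = push(ev, n, max, EV_KEYUP, arg, 0);
        } else if (!strcmp(cmd, "DELAY")) {
            char *end; long ms = strtol(arg, &end, 10);
            if (*end || ms < 0 || ms > MAX_DELAY_MS) return -1;
            n = push(ev, n, max, EV_DELAY, "", (int)ms);
        } else return -1;                           /* unknown command */
        if (n < 0) return -1;
    }
    return n;
}

int main(void) {  /* constructed input: the page's macro_example.txt, comments removed */
    const char *src = "MACRO F1\nKEY e\nDELAY 50\nKEYDOWN SPACE\nDELAY 50\nKEYUP SPACE\n";
    char trig[16]; struct event ev[16];
    printf("%d events for %s\n", parse_macro(src, trig, sizeof trig, ev, 16), trig);
    return 0;
}
```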

Remaining work:
– support for mouse events (buttons + moves)
– record/replay functionality

Please give me feedback!

I’m sharing my project for free, so please give me feedback if you test(ed) it.

Tell me if it works or doesn’t work, and especially add the following details:

  • the tutorial (hidemulator or sixaxis emulator)
  • the Linux distribution
  • the libraries (if different from those suggested in the tutorials)
  • the PS3 hardware version (slim, fat 40Gb, fat 60Gb, …)
  • the PS3 firmware version
  • the bluetooth dongle (exact model + revision if there is one + output of “hciconfig -a hci0” and “sudo hciconfig hci0 revision”)
  • the hardware of the PC (at least the CPU and the amount of RAM)

Report that in a comment on this post.

And if it doesn’t work, first verify that you have the latest source code. Then look at the bug list, see if your problems are already known, and if they’re not, report them.

The project is still in development. A critical issue remains, and I’m actively working to solve it. The code actually works great on my side, so it wouldn’t be possible for me to be aware of that issue without feedback!

Another way to pair a dongle with the PS3 as a Sixaxis – 2

A usb device (such as a teensy++, a bumble-b or an atmel chip+vusb) can talk to the PS3 as an “unpaired” sixaxis.

I think it has to have the following characteristics:

  • the same vendor id and product id
  • the same hid descriptor
  • after a small delay, the device sends a PS3 button press
  • when the PS3 requests the bdaddr, reply with the bdaddr we want to pair
  • when the PS3 sends its bdaddr, reply “ok”

Another way to pair a dongle with a PS3 as a Sixaxis?

Another way to pair a dongle with the PS3 as a Sixaxis could be to change the bdaddr of a Sixaxis with the bdaddr of a dongle, and pair that Sixaxis with the PS3.

It seems that the bluetooth module of the sixaxis is composed of a CSR chip and an additional chip (flash memory?), so that there is a little chance that the bdaddr can be changed.

The bdaddr of the bluetooth master can be read and set with usb commands (as seen with the sixpair utility). I’ll try to do the same with the bdaddr of the sixaxis (it is already known that there is a get command).

Pros:
– any bluetooth dongle could be used
– using a widcomm compatible dongle could make it possible to port the sixaxis emulator to windows
– the sixaxis bdaddr could be reset to its original value so that the sixaxis and the sixaxis emulator could be used at the same time

Cons:
– none

This method doesn’t work, the command just fails.