GIMX PS4 support – status 1

The HCI UART captures reveal the use of bluetooth authentication, which is based on a shared secret between both between the PS4 and the DS4. This shared secret is called the link key and is the result of the pairing. The link key can be seen plain-text in the HCI UART traffic. Knowing both the bluetooth device address and its associated link key is enough to spoof a DS4.

I managed to talk to a PS4 using a bluetooth proxy that I’m sharing in my git repository. This bluetooth proxy can forward the traffic between a DS4 and a PS4, using two bluetooth dongles. I also was able to modify the reports sent to the PS4. The only thing to do is to modify the desired axes and buttons, and update the last four bytes which are a CRC32 of the first 75 bytes.

Extracting the link key from a DS4 is fortunately not the only way to get a valid link key. Frank from eleccelerator discovered that the link key is sent over USB the first time the DS4 is wired to the PS4. Which means it should be possible to get a valid link key for any bluetooth device address, using a USB development board (a teensy for example) running a firmware emulating a DS4. It seems it should also be possible to use a standard bluetooth pairing: the DS4 can be turned into a discoverable device holding the share button and PS button at the same time, and then paired using the PS4 UI.

Leave a Reply

Your email address will not be published. Required fields are marked *