DualSense Reverse Engineering

Reading time ~6 min
Posted by Emmanuel Cristofaro on 23 November 2020

Ciao belli!

On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK, a few days after the US, Japan, and Canada. Of course, the PlayStation 5 came together with a new wireless controller, this time named DualSense. I wanted to see if I could continue my PlayStation controller adventures on this new device, following on from my previous work.

[Images: A few SONY installations available in London for the release of the PlayStation 5.]

DualSense Wireless Controller

The DualSense Wireless Controller presents new features such as:

  • Haptic feedback: vibration via actuators (no more rumble motors); these are the components that manage and control the movement mechanism.
  • Adaptive triggers: a more intense in-game interaction when force and tension are applied to the buttons.
  • A built-in microphone.
  • More LEDs.

I bought it just for the sake of playing with it. The DualSense Wireless Controller. Yes, just the DualSense Wireless Controller.

[Image: DualSense arrived.]

When using the DualSense via USB it was possible to hear sounds from the speaker. With the DualShock 4, this was not possible. The speaker of the DualSense works in Stereo mode. What a pity, the speaker of the previous controller, the DualShock 4, was in Mono mode and I loved it for this reason. The quality of the sound issued when playing blues reminded me of a vintage radio. One of those that are convenient to have while camping. I don’t know… there was some kind of magic to it.

[Video: The speaker power while playing light music. Music coming from the speaker.]

Teardown

Below is a little teardown of the DualSense Wireless Controller model CFI-ZCT1W.

[Image: Front.]
[Image: Back.]
[Image: Charger port.]
[Image: Headset port.]
[Image: Front mask.]
[Image: Actuators.]
[Image: Digital buttons.]
[Image: Microphone.]
[Image: Battery.]
[Image: PCB Side B.]
[Image: PCB Side A.]

I spent the last weekend reversing the DualSense Wireless Controller. Tests were conducted after connecting the DualSense to a host machine via a USB cable and, with a few lines of code, it was possible to read HID reports sent by the device.

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    char *DS = "/dev/hidraw0";
    char bufRead[16];
    int fd, res, i;

    fd = open(DS, O_RDWR|O_NONBLOCK);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    /* Get a report from the device (O_NONBLOCK: read() fails with EAGAIN
     * if no report is pending yet) */
    res = read(fd, bufRead, sizeof(bufRead));
    if (res < 0) {
        perror("read");
    } else {
        printf("read() read %d bytes:\n\t", res);
        for (i = 0; i < res; i++) {
            /* Print the bytes we are interested in */
            printf("%hhx ", bufRead[i]);
        }
        puts("");
    }
    close(fd);
    return 0;
}

The output generated by the above piece of code changed each time a button was pressed down. The buttons Square, Exe, Circle, and Triangle were associated with byte number 8, and its value changed every time one of those buttons was used.

Square: 0x18
Exe: 0x28
Circle: 0x48
Triangle: 0x88

Below are some examples.

[Screenshot: Exe.]
[Screenshot: Circle.]

I wrote a script and started sending a bunch of bytes at a time to the DualSense in order to understand how to control/use its functionalities.

[Screenshot: The resulting breakdown.]

A few hours later, this resulted in me being able to intercept the pressed buttons and trigger LEDs and actuators.
The full Proof of Concept is available on GitHub.

[Video: The result.]

Dual-Pod-Shock

Happy with the result I obtained in such a short time, I decided to work on the Dual-Pod-Shock project I had been working on last year and added the same functionalities to interact with the device while the music is playing. For more information about the Dual-Pod-Shock project refer to this page: https://orangecyberdefense.com/global/blog/sensepost/dual-pod-shock-emotional-abuse-of-a-dualshock/

With Dual-Pod-Shock it is now possible to use the new functionalities by pressing Square, Exe, Circle, or Triangle, one at a time. This action will also trigger the LED, which will change colour based on the button that is pressed.
Below are the new functionalities implemented:

  • Square: Decrease the volume (R: FF, G: 14, B: 93)
  • Exe: Increase the volume (R: 00, G: 00, B: FF)
  • Circle: Switch ON the motors (R: FF, G: 00, B: 00)
  • Triangle: Switch OFF the motors (R: 00, G: FF, B: 00)
[Video: Testing the new functionalities added.]
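To show how byte 8 of the report decodes into the four buttons and into the Dual-Pod-Shock actions and LED colours listed above, here is an added example in C; it is not part of the original post or its GitHub script. It assumes the high nibble of byte 8 is a one-bit-per-button mask (which is what the four observed values suggest), and the names ds_face_buttons, ds_lookup and ds_action are my own.

```c
#include <stdio.h>
/* Face-button bits in byte 8 of the DualSense USB report, from the values in
 * the post (0x18 Square, 0x28 Exe, 0x48 Circle, 0x88 Triangle): the low nibble
 * 0x8 never changes, so only the high nibble is the mask (assumed 1 bit each). */
#define DS_BTN_SQUARE   0x10
#define DS_BTN_EXE      0x20
#define DS_BTN_CIRCLE   0x40
#define DS_BTN_TRIANGLE 0x80
#define DS_BTN_MASK     0xF0

struct ds_action {
    unsigned char button;
    const char *name;
    const char *action;      /* Dual-Pod-Shock behaviour from the post */
    unsigned char r, g, b;   /* LED colour from the post */
};

static const struct ds_action actions[] = {
    { DS_BTN_SQUARE,   "Square",   "volume down", 0xFF, 0x14, 0x93 },
    { DS_BTN_EXE,      "Exe",      "volume up",   0x00, 0x00, 0xFF },
    { DS_BTN_CIRCLE,   "Circle",   "motors on",   0xFF, 0x00, 0x00 },
    { DS_BTN_TRIANGLE, "Triangle", "motors off",  0x00, 0xFF, 0x00 },
};

/* Face-button mask from a raw report buffer; 0 if the report is too short. */
unsigned char ds_face_buttons(const unsigned char *report, int len)
{
    return len < 9 ? 0 : (unsigned char)(report[8] & DS_BTN_MASK);
}

/* Action for exactly one pressed button; NULL for none or several at once. */
const struct ds_action *ds_lookup(unsigned char mask)
{
    int i;
    for (i = 0; i < (int)(sizeof(actions) / sizeof(actions[0])); i++)
        if (mask == actions[i].button)
            return &actions[i];
    return NULL;
}

int main(void)
{
    unsigned char report[16] = {0};   /* constructed: only byte 8 is set */
    report[8] = 0x48;                 /* Circle, as read() returns it */
    const struct ds_action *a = ds_lookup(ds_face_buttons(report, 16));
    if (a)
        printf("%s -> %s, LED #%02X%02X%02X\n", a->name, a->action, a->r, a->g, a->b);
    return 0;
}
```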

In order to play some music via Bluetooth, it was necessary to use SBC files. These files were generated by using a GStreamer plugin called sbcenc. With the first attempts, the results were good but the audio was a bit stuttery. Multiple tests were conducted to mitigate this problem. Finally, the problem was solved by converting the tracks from MP3 to SBC using the below command.

$ gst-launch-1.0 -q filesrc location=audiofilename.mp3 ! decodebin ! audioconvert ! audioresample ! sbcenc ! "audio/x-sbc,rate=32000,channels=2,channel-mode=dual,blocks=16,subbands=8,allocation-method=snr,bitpool=25" ! queue ! filesink location=audiofilename.sbc sync=false

Using the "snr" allocation method instead of "loudness", the quality of the sound produced by the DualShock 4 seemed better. Below is what changed in terms of SBC headers.

// Before 
9c 75 19 

// After 
9c 77 19
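To see why exactly one bit differs between the two headers above, here is an added example in C (not from the original post) that unpacks the first three bytes of an SBC frame header according to the A2DP SBC layout: byte 0 is the 0x9C syncword, byte 1 packs frequency, blocks, channel mode, allocation method and subbands, byte 2 is the bitpool. The names sbc_hdr and sbc_parse are my own.

```c
#include <stdio.h>
#include <stdint.h>

/* Parameters packed into the first three bytes of an SBC frame header. */
struct sbc_hdr {
    int valid;           /* syncword 0x9C present and enough bytes given */
    int rate;            /* sampling frequency in Hz */
    int blocks;
    const char *mode;    /* channel mode */
    const char *alloc;   /* "loudness" or "snr" */
    int subbands;
    int bitpool;
};

/* Decode byte 1 (bit-packed) and byte 2 (bitpool) of an SBC frame header.
 * Byte 1 layout: bits 7-6 frequency, 5-4 blocks, 3-2 channel mode,
 * bit 1 allocation method (0 loudness, 1 SNR), bit 0 subbands (0 = 4, 1 = 8). */
struct sbc_hdr sbc_parse(const uint8_t *h, int len)
{
    static const int rates[] = { 16000, 32000, 44100, 48000 };
    static const char *modes[] = { "mono", "dual", "stereo", "joint" };
    struct sbc_hdr s = {0};
    if (len < 3 || h[0] != 0x9C)
        return s;                      /* not an SBC frame start */
    s.valid = 1;
    s.rate = rates[(h[1] >> 6) & 3];
    s.blocks = 4 * (((h[1] >> 4) & 3) + 1);
    s.mode = modes[(h[1] >> 2) & 3];
    s.alloc = (h[1] & 0x02) ? "snr" : "loudness";
    s.subbands = (h[1] & 0x01) ? 8 : 4;
    s.bitpool = h[2];
    return s;
}

int main(void)
{
    /* The two headers shown in the post, before and after the change. */
    const uint8_t before[] = { 0x9c, 0x75, 0x19 };
    const uint8_t after[]  = { 0x9c, 0x77, 0x19 };
    struct sbc_hdr a = sbc_parse(before, 3), b = sbc_parse(after, 3);
    printf("before: %d Hz, %d blocks, %s, %s, %d subbands, bitpool %d\n",
           a.rate, a.blocks, a.mode, a.alloc, a.subbands, a.bitpool);
    printf("after:  %d Hz, %d blocks, %s, %s, %d subbands, bitpool %d\n",
           b.rate, b.blocks, b.mode, b.alloc, b.subbands, b.bitpool);
    return 0;
}
```

The "after" header decodes to exactly the caps string passed to sbcenc (32000 Hz, 16 blocks, dual, snr, 8 subbands, bitpool 25); the "before" header differs only in the allocation bit.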

The updated script is available on GitHub.
Note that this script was tested on Ubuntu 16.04 with kernel 4.4.0 and Raspberry OS with kernel 4.4.50+. If you have issues try to implement the CRC32 or patch your kernel.

[Video: The result.]

Thanks for reading.

Proudly made by one of those lazy Italians.
HAPPY HACKING! <1337

Source: https://sensepost.com/blog/2020/dualsense-reverse-engineering/
