T300RS PS4

From GIMX

Revision as of 19:57, 17 December 2014 by Matlo (talk | contribs) (Created page with " This is a reverse engineering of the USB interface of the T300RS when connected to a PS4. =Enumeration= ==Device descriptor== <pre> 12 01 10 01 00 00 00 40 4F 04 6D B6 00 ...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This is a reverse engineering of the USB interface of the T300RS when connected to a PS4.

Enumeration

Device descriptor

12 01 10 01 00 00 00 40 4F 04 6D B6 00 01 01 02
00 01

String descriptor 00

04 03 09 04

String descriptor 01

1A 03 54 00 68 00 72 00 75 00 73 00 74 00 6D 00
61 00 73 00 74 00 65 00 72 00

String descriptor 02

1A 03 54 00 68 00 72 00 75 00 73 00 74 00 6D 00
61 00 73 00 74 00 65 00 72 00

Configuration descriptor

09 02 29 00 01 01 00 C0 32 09 04 00 00 02 03 00
00 00 09 21 10 01 00 01 22 A0 00 07 05 84 03 40
00 05 07 05 03 03 40 00 05

Report descriptor

Remark: it's the exact same as the Hori Pad 4 FPS. 

05 01 09 05 A1 01 85 01 09 30 09 31 09 32 09 35
15 00 26 FF 00 75 08 95 04 81 02 09 39 15 00 25
07 35 00 46 3B 01 65 14 75 04 95 01 81 42 65 00
05 09 19 01 29 0E 15 00 25 01 75 01 95 0E 81 02
06 00 FF 09 20 75 06 95 01 81 02 05 01 09 33 09
34 15 00 26 FF 00 75 08 95 02 81 02 06 00 FF 09
21 95 36 81 02 85 05 09 22 95 1F 91 02 85 03 0A
21 27 95 2F B1 02 C0 06 F0 FF 09 40 A1 01 85 F0
09 47 95 3F B1 02 85 F1 09 48 95 3F B1 02 85 F2
09 49 95 0F B1 02 85 F3 0A 01 47 95 07 B1 02 C0

Get Reports (control endpoint)

Device specific report

03

This report differs from the Hori Pad 4 FPS:

  • byte 4-5: 09 00 -> 11 06
  • bytes 25-26: 00 00 00 -> 0d 84 03

This report identifies the device as a FFB wheel: with these changes the PS4 interprets the HID report differently and it sends different control and interrupt OUT transfers (FFB related). 

03 21 27 03 11 06 00 00 00 00 00 00 00 00 00 00
00 00 0D 0D 00 00 00 00 0D 84 03 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Authentication reports

f1

See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf1
The only difference is the number of relevant bytes (32 instead of 56).

f2

See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf2
The only difference is the number of relevant bytes (32 instead of 56).

f3

Bytes 2 and 3 indicate the number of relevant bytes in the authentication transfers (IN/OUT or OUT/IN). 

F3 00 20 20 00 00 00 00

It's possible to change it so as to use a Dualshock 4 as an authentication device: 

F3 00 38 38 00 00 00 00

FFB reports

The following reports are tranfered when Driveclub starts: 

4F C9 A8 B6 15
4E 14
4D E8 03
4C 00 02 00 00 00 02 00
4B 54 D5 80 00 00 00 00

Bytes 1 & 2 of report 4B change when OUT report 38 is received.
The new values are bytes 2 & 3 of the OUT report.

Set Reports (control endpoint)

Authentication report

f0

See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf0
The only difference is the number of relevant bytes (32 instead of 56).

Interrupt IN report

01 80 80 80 80 08 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 80 FF FF FF
FF FF FF 00 FF FF 00 00
00 00 00 00 00 00 00 00
Data Format
byte index bit 7 bit 6 bit 5 bit 4 bit 3 bit 2 bit 1 bit 0
[0] Report ID = 0x01
[1] 0x80 (unused)
[2] 0x80 (unused)
[3] 0x80 (unused)
[4] 0x80 (unused)
[5] triangle circle cross square D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW)
[6] r3 l3 options share r2 l2 r1 l1
[7] 0 (unused) PS
[8 - 42] 0 (unused)
[43 - 44] wheel, 2bytes, little endian, center = 0x8000
[45 - 46] gas pedal, 2bytes, little endian, released = 0xffff
[47 - 48] break pedal, 2bytes, little endian, released = 0xffff
[49 - 50] ff ff (unknown)
[51] 0 (unknown)
[52 - 53] ff ff (unknown)
[54 - 63] 0 (unused)

Wheel rotation

270°

right = d0b3 (53427) left = 2d2d (11565)

center = 7ef0 (32496)

180°

right = b681 (46721) left = 4912 (18706)

center = 7fc9 (32713)

Interrupt OUT reports

structure: XX <report data> where XX is the report id (byte 0)

The size of each OUT report is 64 bytes. All packets are filled with zeros. In the following analysis, significant zeros may be missing at the end of the packets.

game start or connect with game started

48 01 
3a 05 

35 00 <- byte 1 is byte 9 of next report 31 (effect id?)
35 10 <- byte 1 is byte 11 of next report 31

31 00 07 40 ff ff 00 ff ff 00 00 10 <- load constant force?
39 00 01 01 <- activate ?

35 20 <- byte 1 is byte 9 of next report 31 (effect id?)
35 30 <- byte 1 is byte 11 of next report 31

31 01 08 40 ff ff 00 ff ff 20 00 30 
39 01 01 01 

32 50 <- byte 1 is byte 11 of next report 31
34 40 00 00 00 00 32 <- byte 1 is byte 9 of next report 31 (effect id?)

31 02 04 40 ff ff 00 00 00 40 00 50 
39 02 01 01 

32 70 <- byte 1 is byte 11 of next report 31
34 60 00 00 00 00 19 <- byte 1 is byte 9 of next report 31 (effect id?)

31 03 04 40 ff ff 00 00 00 60 00 70 
39 03 01 01 

3b 80 

39 04 01 01 
38 11 ff ff 

35 00 00 28 28 00 00 00 00 28 28
35 20 00 14 14 00 00 00 00 14 14

force | id? | 00 | intensity? x2? | wheel position? (2 bytes) | 0000 | max intensity? x2?

34 40 00 00 00 00 37
34 60 00 00 00 00 14

vibration | id? | 00 | intensity | 0000 | unknown

changing vibration level

low

34 40 00 14 00 00 37 
34 60 00 10 00 00 14 
34 40 00 00 00 00 37 
34 60 00 00 00 00 14 

x31

medium

34 40 00 1d 00 00 37 
34 60 00 19 00 00 14 
34 40 00 00 00 00 37 
34 60 00 00 00 00 14 

x31

high

34 40 00 2a 00 00 37 
34 60 00 24 00 00 14 
34 40 00 00 00 00 37 
34 60 00 00 00 00 14 

x31

race with FFB intentity 0%

speed = 0, wheel right

35 00 00 00 00 f3 ff 00 00 64 64 
35 00 00 00 00 00 00 00 00 64 64 
35 00 00 00 00 0d 00 00 00 64 64 
35 00 00 00 00 18 00 00 00 64 64 
35 00 00 00 00 23 00 00 00 64 64 
35 00 00 00 00 2e 00 00 00 64 64 
35 00 00 00 00 33 00 00 00 64 64 
35 00 00 00 00 43 00 00 00 64 64 
35 00 00 00 00 4d 00 00 00 64 64 
35 00 00 00 00 5b 00 00 00 64 64 
35 00 00 00 00 67 00 00 00 64 64 
35 00 00 00 00 50 00 00 00 64 64 
35 00 00 00 00 1e 00 00 00 64 64

speed = 0, wheel left

35 00 00 00 00 07 00 00 00 64 64 
35 00 00 00 00 00 00 00 00 64 64 
35 00 00 00 00 f6 ff 00 00 64 64 
35 00 00 00 00 e2 ff 00 00 64 64 
35 00 00 00 00 d2 ff 00 00 64 64 
35 00 00 00 00 d0 ff 00 00 64 64 
35 00 00 00 00 ce ff 00 00 64 64 
35 00 00 00 00 ca ff 00 00 64 64 
35 00 00 00 00 c1 ff 00 00 64 64 
35 00 00 00 00 be ff 00 00 64 64 
35 00 00 00 00 b7 ff 00 00 64 64 
35 00 00 00 00 b0 ff 00 00 64 64 
35 00 00 00 00 aa ff 00 00 64 64 
35 00 00 00 00 a8 ff 00 00 64 64 
35 00 00 00 00 9d ff 00 00 64 64 
35 00 00 00 00 99 ff 00 00 64 64 
35 00 00 00 00 9e ff 00 00 64 64 
35 00 00 00 00 e1 ff 00 00 64 64

race with FFB intentity 70%

speed = 0, wheel right

35 00 00 3e 3e 0a 00 00 00 64 64 
35 00 00 3e 3e 2e 00 00 00 64 64 
35 00 00 3e 3e 45 00 00 00 64 64 
35 00 00 3e 3e 55 00 00 00 64 64 
35 00 00 3e 3e 63 00 00 00 64 64 
35 00 00 3e 3e 67 00 00 00 64 64 
35 00 00 3e 3e 5e 00 00 00 64 64 
35 00 00 3e 3e 3f 00 00 00 64 64 
35 00 00 3e 3e 28 00 00 00 64 64 
35 00 00 3e 3e 21 00 00 00 64 64

speed = 0, wheel left

35 00 00 3e 3e 00 00 00 00 64 64 
35 00 00 3e 3e f6 ff 00 00 64 64 
35 00 00 3e 3e e8 ff 00 00 64 64 
35 00 00 3e 3e dc ff 00 00 64 64 
35 00 00 3e 3e d2 ff 00 00 64 64 
35 00 00 3e 3e cb ff 00 00 64 64 
35 00 00 3e 3e bc ff 00 00 64 64 
35 00 00 3e 3e b3 ff 00 00 64 64 
35 00 00 3e 3e aa ff 00 00 64 64 
35 00 00 3e 3e a7 ff 00 00 64 64 
35 00 00 3e 3e a2 ff 00 00 64 64 
35 00 00 3e 3e 99 ff 00 00 64 64 
35 00 00 3e 3e a4 ff 00 00 64 64 
35 00 00 3e 3e af ff 00 00 64 64 
35 00 00 3e 3e c0 ff 00 00 64 64 
35 00 00 3e 3e d6 ff 00 00 64 64 
35 00 00 3e 3e e1 ff 00 00 64 64

race with FFB intentity 100%

speed = 0, wheel right

35 00 00 59 59 f8 ff 00 00 64 64 
35 00 00 59 59 01 00 00 00 64 64 
35 00 00 59 59 0f 00 00 00 64 64 
35 00 00 59 59 26 00 00 00 64 64 
35 00 00 59 59 39 00 00 00 64 64 
35 00 00 59 59 51 00 00 00 64 64 
35 00 00 59 59 65 00 00 00 64 64 
35 00 00 59 59 67 00 00 00 64 64 
35 00 00 59 59 5a 00 00 00 64 64 
35 00 00 59 59 14 00 00 00 64 64

speed = 0, wheel left

35 00 00 59 59 0f 00 00 00 64 64 
35 00 00 59 59 05 00 00 00 64 64 
35 00 00 59 59 f0 ff 00 00 64 64 
35 00 00 59 59 d9 ff 00 00 64 64 
35 00 00 59 59 bf ff 00 00 64 64 
35 00 00 59 59 b0 ff 00 00 64 64 
35 00 00 59 59 aa ff 00 00 64 64 
35 00 00 59 59 a9 ff 00 00 64 64 
35 00 00 59 59 a8 ff 00 00 64 64 
35 00 00 59 59 a2 ff 00 00 64 64 
35 00 00 59 59 9d ff 00 00 64 64 
35 00 00 59 59 99 ff 00 00 64 64 
35 00 00 59 59 9f ff 00 00 64 64 
35 00 00 59 59 d7 ff 00 00 64 64 
35 00 00 59 59 e1 ff 00 00 64 64

race start

38 11 67 af

race pause

38 11 ff ff

Retrieved from "https://gimx.fr/wiki/index.php?title=T300RS_PS4&oldid=3821"