PS 4 - Controller Authentication
Posted: Sat Dec 16, 2017 4:14 pm
Hi,
I have a question regarding the controller authentication.
Based on the GIMX source code and the wiki/eleccelerator pages, I understood what the current limitations for the PS 4 controller emulation are.
Basically, please correct me if I'm wrong, right now it's not possible to 100% emulate a PS 4 controller due to an authentication process between the host and the device.
However, thanks to Matlo's serial-usb project, I was able to sniff the USB communication between an H*RI (USB) m*ni fighti*g sti*k and the console.
Basically the authentication works in this way (more or less the same information that I got from the wiki):
Host sends the Set Report Request 0x03F0 to the device
The 0x03F0 is sent in 5 different messages:
1) Messages #1...4 contain 56 bytes of relevant data (the first 4 bytes of each message are just header/counters, the last 4 bytes are the CRC)
2) Message #5 contains 32 bytes of relevant data
In total the 0x03F0 is 256 bytes long, which I assume represents the pass-phrase.
Probably it's some sort of 2048-bit encryption (RSA?)
Anyway, the 0x03F0 changes every time the console is restarted.
Once the device has received the five 0x03F0 messages, it starts sending the 0x03F1 report to the host, which contains some encoded payload based on the key received from the host.
Now, I spent a few hours analysing different Wireshark logs (taken at different times) and I can see that the encoder/decoder protocol is not so easy to reverse (as I expected).
I think that this is the main reason that GIMX needs a PC/Pi to spoof and pass through the authentication.
Question.
With Google I found out that there is a board called univer*al fight*ing sti*k that is able to fully emulate every new-gen controller.
I don't think that the company is authorized by S*ny or Micro*oft or Ninten*o to produce this board, so I believe that they were able to reverse the code.
Now, this makes me wonder whether the challenge message sent is not based on some sort of hard encryption (i.e. RSA), which would make the decode process much easier.
Does anyone know how they did it?
I mean, has anyone tried to capture the logs between this board and the console? Does anyone have some other information to share?
Thanks
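The five-fragment 0x03F0 transfer described in the post, written out as an added example (not code from the original post, from GIMX, or from any controller firmware). It splits a 256-byte challenge into five Set Report fragments and reassembles them on the "device" side with the header and CRC checks a sniffer or emulator would want. Everything beyond what the post states is an assumption and is marked as such in the code: the report ID byte 0xF0, the header layout [0xF0, sequence, page index, 0x00], a little-endian CRC32 over the preceding 60 bytes as the trailer, the fifth fragment zero-padded to the same 64-byte length, and the sample challenge bytes, which are constructed rather than captured.

```python
"""Reassembly of the PS4 0x03F0 authentication challenge fragments.

What the post states: five messages, a 4-byte header/counter prefix and a
4-byte CRC suffix per message, 56 data bytes in messages 1-4 and 32 in
message 5, 256 bytes of challenge in total.

ASSUMED (not given in the post): 64-byte fragments, header bytes
[0xF0, seq, page, 0x00], CRC32 little-endian over the first 60 bytes,
page 5 zero-padded after its 32 data bytes.  Example code only.
"""
import struct
import zlib

REPORT_ID = 0xF0            # assumed: Set Report 0x03F0 -> report ID byte 0xF0
REPORT_LEN = 64             # assumed fragment size
HEADER_LEN = 4              # header/counters, from the post
CRC_LEN = 4                 # CRC trailer, from the post
DATA_PER_PAGE = REPORT_LEN - HEADER_LEN - CRC_LEN   # 56, matches pages 1-4
CHALLENGE_LEN = 256         # 4 * 56 + 32, as counted in the post
PAGE_COUNT = 5

# Constructed sample challenge (NOT a captured value; real ones change per boot).
SAMPLE_CHALLENGE = bytes((i * 37 + 11) & 0xFF for i in range(CHALLENGE_LEN))


def _crc32_le(payload: bytes) -> bytes:
    """Assumed trailer: CRC32 of the preceding bytes, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def build_challenge_reports(challenge: bytes, seq: int) -> list:
    """Host side: split a 256-byte challenge into five 0x03F0 fragments."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be %d bytes" % CHALLENGE_LEN)
    reports = []
    for page in range(PAGE_COUNT):
        chunk = challenge[page * DATA_PER_PAGE:(page + 1) * DATA_PER_PAGE]
        # Page 5 carries only 32 bytes; pad with zeros to keep 64-byte reports.
        body = bytes([REPORT_ID, seq & 0xFF, page, 0x00]) + chunk.ljust(DATA_PER_PAGE, b"\x00")
        reports.append(body + _crc32_le(body))
    return reports


def reassemble_challenge(reports) -> bytes:
    """Device side: validate each fragment and rebuild the 256-byte challenge.

    Rejects wrong lengths, bad CRCs, wrong report IDs, out-of-order pages,
    a sequence counter that changes mid-transfer, and non-zero padding.
    """
    if len(reports) != PAGE_COUNT:
        raise ValueError("expected %d fragments, got %d" % (PAGE_COUNT, len(reports)))
    seq = None
    out = bytearray()
    for expected_page, rep in enumerate(reports):
        if len(rep) != REPORT_LEN:
            raise ValueError("fragment %d has length %d" % (expected_page, len(rep)))
        body, crc = rep[:-CRC_LEN], rep[-CRC_LEN:]
        if _crc32_le(body) != crc:
            raise ValueError("CRC mismatch on page %d" % expected_page)
        rid, rseq, page, _reserved = body[:HEADER_LEN]
        if rid != REPORT_ID:
            raise ValueError("unexpected report ID 0x%02X" % rid)
        if page != expected_page:
            raise ValueError("page %d arrived where %d was expected" % (page, expected_page))
        if seq is None:
            seq = rseq
        elif rseq != seq:
            raise ValueError("sequence changed from %d to %d" % (seq, rseq))
        out += body[HEADER_LEN:]
    if any(out[CHALLENGE_LEN:]):
        raise ValueError("non-zero padding after the 256-byte challenge")
    return bytes(out[:CHALLENGE_LEN])


if __name__ == "__main__":
    frags = build_challenge_reports(SAMPLE_CHALLENGE, seq=1)
    for f in frags:
        print(f.hex())
    print(reassemble_challenge(frags) == SAMPLE_CHALLENGE)
```

Running it prints the five 64-byte fragments in hex and `True`. Flipping a single byte in any fragment makes `reassemble_challenge` raise on the CRC, and swapping two fragments raises on the page counter, which is the behaviour you would want from an emulator that has to recognise a replayed or partially captured challenge.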