T300RS PS4
This is a reverse engineering of the USB interface of the T300RS when connected to a PS4.
Contents
Enumeration
Device descriptor
12 01 10 01 00 00 00 40 4F 04 6D B6 00 01 01 02 00 01
String descriptor 00
04 03 09 04
String descriptor 01
1A 03 54 00 68 00 72 00 75 00 73 00 74 00 6D 00 61 00 73 00 74 00 65 00 72 00
String descriptor 02
1A 03 54 00 68 00 72 00 75 00 73 00 74 00 6D 00 61 00 73 00 74 00 65 00 72 00
Configuration descriptor
09 02 29 00 01 01 00 C0 32 09 04 00 00 02 03 00 00 00 09 21 10 01 00 01 22 A0 00 07 05 84 03 40 00 05 07 05 03 03 40 00 05
Report descriptor
Remark: it's the exact same as the Hori Pad 4 FPS.
05 01 09 05 A1 01 85 01 09 30 09 31 09 32 09 35 15 00 26 FF 00 75 08 95 04 81 02 09 39 15 00 25 07 35 00 46 3B 01 65 14 75 04 95 01 81 42 65 00 05 09 19 01 29 0E 15 00 25 01 75 01 95 0E 81 02 06 00 FF 09 20 75 06 95 01 81 02 05 01 09 33 09 34 15 00 26 FF 00 75 08 95 02 81 02 06 00 FF 09 21 95 36 81 02 85 05 09 22 95 1F 91 02 85 03 0A 21 27 95 2F B1 02 C0 06 F0 FF 09 40 A1 01 85 F0 09 47 95 3F B1 02 85 F1 09 48 95 3F B1 02 85 F2 09 49 95 0F B1 02 85 F3 0A 01 47 95 07 B1 02 C0
Get Reports (control endpoint)
Device specific report
03
This report differs from the Hori Pad 4 FPS:
- bytes 4-5: 09 00 -> 11 06
- bytes 25-26: 00 00 00 -> 0d 84 03
This report identifies the device as a FFB wheel: with these changes the PS4 interprets the HID report differently and it sends different control and interrupt OUT transfers (FFB related).
03 21 27 03 11 06 00 00 00 00 00 00 00 00 00 00 00 00 0D 0D 00 00 00 00 0D 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Authentication reports
f1
See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf1
The only difference is the number of relevant bytes (32 instead of 56).
f2
See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf2
The only difference is the number of relevant bytes (32 instead of 56).
f3
Bytes 2 and 3 indicate the number of relevant bytes in the authentication transfers (IN/OUT or OUT/IN).
F3 00 20 20 00 00 00 00
It's possible to change it so as to use a Dualshock 4 as an authentication device:
F3 00 38 38 00 00 00 00
FFB reports
The following reports are tranfered when Driveclub starts:
4F C9 A8 B6 15 4E 14 4D E8 03 4C 00 02 00 00 00 02 00 4B 54 D5 80 00 00 00 00
Bytes 1 & 2 of report 4B change when OUT report 38 is received.
The new values are bytes 2 & 3 of the OUT report.
Set Reports (control endpoint)
Authentication report
f0
See http://eleccelerator.com/wiki/index.php?title=DualShock_4#0xf0
The only difference is the number of relevant bytes (32 instead of 56).
Interrupt IN report
01 80 80 80 80 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 FF FF FF FF FF FF 00 FF FF 00 00 00 00 00 00 00 00 00 00
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
| [0] | Report ID = 0x01 | |||||||
| [1] | 0x80 (unused) | |||||||
| [2] | 0x80 (unused) | |||||||
| [3] | 0x80 (unused) | |||||||
| [4] | 0x80 (unused) | |||||||
| [5] | triangle | circle | cross | square | D-PAD (hat format, 0x08 is released, 0=N, 1=NE, 2=E, 3=SE, 4=S, 5=SW, 6=W, 7=NW) | |||
| [6] | r3 | l3 | options | share | r2 | l2 | r1 | l1 |
| [7] | 0 (unused) | PS | ||||||
| [8 - 42] | 0 (unused) | |||||||
| [43 - 44] | wheel, 2bytes, little endian, center = 0x8000 | |||||||
| [45 - 46] | gas pedal, 2bytes, little endian, released = 0xffff | |||||||
| [47 - 48] | brake pedal, 2bytes, little endian, released = 0xffff | |||||||
| [49 - 50] | ff ff (unknown) | |||||||
| [51] | 0 (unknown) | |||||||
| [52 - 53] | ff ff (unknown) | |||||||
| [54 - 63] | 0 (unused) | |||||||
Wheel rotation
540°
right = ffff (65535) left = 0000 (0)
center = 8000 (32768)
270°
right = d0b3 (53427) left = 2d2d (11565)
center = 7ef0 (32496)
180°
right = b681 (46721) left = 4912 (18706)
center = 7fc9 (32713)
Interrupt OUT reports
structure: XX <report data>
where XX is the report id (byte 0)
The size of each OUT report is 64 bytes.
All packets are filled with zeros.
In the following analysis, packets are truncated, and significant zeros may be missing at the end of the packets.
Initialization sequence
This OUT report sequence is played when Driveclub starts or when the T300RS is connected with Driveclub already started.
# unknown 48 01 3a 05 # byte 1 is byte 9 of next report 31 (effect id?) 35 00 # byte 1 is byte 11 of next report 31 35 10 # load spring force effect? 31 00 07 40 ff ff 00 ff ff 00 00 10 # activate? 39 00 01 01 # byte 1 is byte 9 of next report 31 (effect id?) 35 20 # byte 1 is byte 11 of next report 31 35 30 # load damper force effect? 31 01 08 40 ff ff 00 ff ff 20 00 30 # activate? 39 01 01 01 # byte 1 is byte 11 of next report 31 32 50 # byte 1 is byte 9 of next report 31 (effect id?) 34 40 00 00 00 00 32 #load strong rumble effect 31 02 04 40 ff ff 00 00 00 40 00 50 39 02 01 01 # byte 1 is byte 11 of next report 31 32 70 # byte 1 is byte 9 of next report 31 (effect id?) 34 60 00 00 00 00 19 #load weak rumble effect 31 03 04 40 ff ff 00 00 00 60 00 70 39 03 01 01 # unknown 3b 80 39 04 01 01 # disable FFB 38 11 ff ff # spring effect 35 00 00 28 28 00 00 00 00 28 28 # damper effect? 35 20 00 14 14 00 00 00 00 14 14 # strong and weak vibrations 34 40 00 00 00 00 37 34 60 00 00 00 00 14
Effect updates
Vibration
Strong motor
|
Weak motor
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Spring
Spring effect updates have the following format:
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
| [0] | 0x35 Update effect | |||||||
| [1] | id | |||||||
| [2] | 0x00 Unknown (id is on two bytes?) | |||||||
| [3] | Max intensity level (right) | |||||||
| [4] | Max intensity level (left) | |||||||
| [5] | Intensity level: signed, min=-103, max=103, center=0 | |||||||
| [6] | Direction: right = 0x00, left = 0xff | |||||||
| [7-8] | 0x00 0x00 Unknown | |||||||
| [9-10] | 0x64 0x64 Unknown | |||||||
| [11-63] | padded with 0x00 | |||||||
Damper?
| byte index | bit 7 | bit 6 | bit 5 | bit 4 | bit 3 | bit 2 | bit 1 | bit 0 |
| [0] | 0x35 Update effect | |||||||
| [1] | id | |||||||
| [2] | 0x00 Unknown (id is on two bytes?) | |||||||
| [3] | Force multiplier? (min = 0x00, max = 0x0f) (increases with the speed...) | |||||||
| [4] | Force multiplier? (min = 0x00, max = 0x0f) (increases with the speed...) | |||||||
| [5] | Intensity level: signed, min=-128, max=127, center=0 | |||||||
| [6] | Direction: right = 0xff, left = 0x00 | |||||||
| [7-8] | 0x00 0x00 Unknown | |||||||
| [9-10] | 0x14 0x14 Unknown | |||||||
| [11-63] | padded with 0x00 | |||||||
Tests
changing vibration level
Changing vibration level has influence on values in the reports 34 40 and 34 60.
Just after changing the setting the PS4 sends 31 times the same sequence.
This makes the wheel vibrate to let the user feel the new vibration level.
low
34 40 00 14 00 00 37 34 60 00 10 00 00 14 34 40 00 00 00 00 37 34 60 00 00 00 00 14 x31 |
medium
34 40 00 1d 00 00 37 34 60 00 19 00 00 14 34 40 00 00 00 00 37 34 60 00 00 00 00 14 x31 |
high
34 40 00 2a 00 00 37 34 60 00 24 00 00 14 34 40 00 00 00 00 37 34 60 00 00 00 00 14 x31 |
Moving the wheel at rest with different FFB intentities
Moving the wheel at rest changes values in the report 35 00.
It probably means this is a spring effect.
0%
right
35 00 00 00 00 f3 ff 00 00 64 64 35 00 00 00 00 00 00 00 00 64 64 35 00 00 00 00 0d 00 00 00 64 64 35 00 00 00 00 18 00 00 00 64 64 35 00 00 00 00 23 00 00 00 64 64 35 00 00 00 00 2e 00 00 00 64 64 35 00 00 00 00 33 00 00 00 64 64 35 00 00 00 00 43 00 00 00 64 64 35 00 00 00 00 4d 00 00 00 64 64 35 00 00 00 00 5b 00 00 00 64 64 35 00 00 00 00 67 00 00 00 64 64 35 00 00 00 00 50 00 00 00 64 64 35 00 00 00 00 1e 00 00 00 64 64 |
left
35 00 00 00 00 07 00 00 00 64 64 35 00 00 00 00 00 00 00 00 64 64 35 00 00 00 00 f6 ff 00 00 64 64 35 00 00 00 00 e2 ff 00 00 64 64 35 00 00 00 00 d2 ff 00 00 64 64 35 00 00 00 00 d0 ff 00 00 64 64 35 00 00 00 00 ce ff 00 00 64 64 35 00 00 00 00 ca ff 00 00 64 64 35 00 00 00 00 c1 ff 00 00 64 64 35 00 00 00 00 be ff 00 00 64 64 35 00 00 00 00 b7 ff 00 00 64 64 35 00 00 00 00 b0 ff 00 00 64 64 35 00 00 00 00 aa ff 00 00 64 64 35 00 00 00 00 a8 ff 00 00 64 64 35 00 00 00 00 9d ff 00 00 64 64 35 00 00 00 00 99 ff 00 00 64 64 35 00 00 00 00 9e ff 00 00 64 64 35 00 00 00 00 e1 ff 00 00 64 64 |
70%
right
35 00 00 3e 3e 0a 00 00 00 64 64 35 00 00 3e 3e 2e 00 00 00 64 64 35 00 00 3e 3e 45 00 00 00 64 64 35 00 00 3e 3e 55 00 00 00 64 64 35 00 00 3e 3e 63 00 00 00 64 64 35 00 00 3e 3e 67 00 00 00 64 64 35 00 00 3e 3e 5e 00 00 00 64 64 35 00 00 3e 3e 3f 00 00 00 64 64 35 00 00 3e 3e 28 00 00 00 64 64 35 00 00 3e 3e 21 00 00 00 64 64 |
left
35 00 00 3e 3e 00 00 00 00 64 64 35 00 00 3e 3e f6 ff 00 00 64 64 35 00 00 3e 3e e8 ff 00 00 64 64 35 00 00 3e 3e dc ff 00 00 64 64 35 00 00 3e 3e d2 ff 00 00 64 64 35 00 00 3e 3e cb ff 00 00 64 64 35 00 00 3e 3e bc ff 00 00 64 64 35 00 00 3e 3e b3 ff 00 00 64 64 35 00 00 3e 3e aa ff 00 00 64 64 35 00 00 3e 3e a7 ff 00 00 64 64 35 00 00 3e 3e a2 ff 00 00 64 64 35 00 00 3e 3e 99 ff 00 00 64 64 35 00 00 3e 3e a4 ff 00 00 64 64 35 00 00 3e 3e af ff 00 00 64 64 35 00 00 3e 3e c0 ff 00 00 64 64 35 00 00 3e 3e d6 ff 00 00 64 64 35 00 00 3e 3e e1 ff 00 00 64 64 |
100%
right
35 00 00 59 59 f8 ff 00 00 64 64 35 00 00 59 59 01 00 00 00 64 64 35 00 00 59 59 0f 00 00 00 64 64 35 00 00 59 59 26 00 00 00 64 64 35 00 00 59 59 39 00 00 00 64 64 35 00 00 59 59 51 00 00 00 64 64 35 00 00 59 59 65 00 00 00 64 64 35 00 00 59 59 67 00 00 00 64 64 35 00 00 59 59 5a 00 00 00 64 64 35 00 00 59 59 14 00 00 00 64 64 |
left
35 00 00 59 59 0f 00 00 00 64 64 35 00 00 59 59 05 00 00 00 64 64 35 00 00 59 59 f0 ff 00 00 64 64 35 00 00 59 59 d9 ff 00 00 64 64 35 00 00 59 59 bf ff 00 00 64 64 35 00 00 59 59 b0 ff 00 00 64 64 35 00 00 59 59 aa ff 00 00 64 64 35 00 00 59 59 a9 ff 00 00 64 64 35 00 00 59 59 a8 ff 00 00 64 64 35 00 00 59 59 a2 ff 00 00 64 64 35 00 00 59 59 9d ff 00 00 64 64 35 00 00 59 59 99 ff 00 00 64 64 35 00 00 59 59 9f ff 00 00 64 64 35 00 00 59 59 d7 ff 00 00 64 64 35 00 00 59 59 e1 ff 00 00 64 64 |
race start
When a race starts a report 38 is sent by the PS4.
It probably enables FFB effects.
38 11 67 af
race pause
When a race stops or pauses a report 38 is sent by the PS4.
It probably disables FFB effects.
38 11 ff ff
