
@dogtopus
Last active March 14, 2024 03:32
Licensed PS4 Controller "Security Chip" Secure Element

SE for PS4 Licensed Controllers

Disclaimer

This documentation is provided solely for education and interoperability purposes (aka persons who are tired of proprietary non-customizable hardware and want to use their own hardware for DIY controllers). It enables neither chip-cloning nor controller counterfeiting which would violate copyright and/or any other applicable laws. This documentation also comes without warranty. Use it at your own risk.

Basic info

  • Model: NXP A710x series, possibly semi-customized (Label says 7105 - A7105 does not exist)
  • Protocol: I2C
  • Seen in:
    • Hori Mini (baseline for this documentation)
    • Guilty Gear GamePad (SRK)
    • possibly Hori FC4 (unconfirmed, picture too blurry to read out the label) (SRK)
    • Guitar Hero Live Dongle (the PS4 version)
    • possibly other licensed PS4 controllers (did $**y just give reels of pre-programmed chips to licensees?)

Protocol

Outer layer: Smart Card I2C Protocol (AN12207)

request:
[0] request cmd (PCB)
(optional) [1] len
(optional) [2:] payload

response:
[0] len
[1] return value (depends on command) (PCB)
(optional) [2:] payload

Observed startup sequence

  • Wake-up (0x0f)
  • Soft reset (0x1f)
  • Get ATR (0x2f)
  • Parameter Exchange - set maximum length of response to 253 (0xff)

ATR

Seems to be standard SCI2C ATR.

Raw ATR string: b80411010504b9020101ba0101bb0c413731303543433234325231bc00

Parsed result:

  • Low Level Data Object (11 01 05 04)
    • Slave Device Protocol Version: 1.1 (11)
    • Error Detection Codes: LRC (xor summation) (01)
    • Frame Waiting Time: 320ms (05)
    • Communication Speed: 400kbps maximum (04)
  • Protocol Binding Data Object (01 01)
    • Supported Protocol Bindings: APDU (01)
    • Default Selected Protocol Binding: APDU (01)
  • Higher Layer Data Object (01)
    • APDU Support: Short, extended (01)
  • Operating System Data Object (41 37 31 30 35 43 43 32 34 32 52 31)
    • Historical Bytes: b'A7105CC242R1' (41 37 31 30 35 43 43 32 34 32 52 31)
  • Identification Data Object ()
    • Identification Data: b'' ()
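The parsed result above can be reproduced mechanically. The following is an added example, not code from the gist: it walks the ATR as a sequence of tag/length/value objects, using the tag numbers and the field readings listed above (the decode tables hold only the codes seen on this chip, as interpreted in the gist, not a full decode of AN12207), and refuses truncated or duplicated objects instead of guessing.

```python
"""Parser for the SCI2C ATR captured from the controller's secure element.

Added example; not code from the gist. Tag numbers (0xB8 low level data,
0xB9 protocol binding, 0xBA higher layer, 0xBB operating system, 0xBC
identification) and the meaning of each code value follow the gist's
parsed result; they are not a complete decode of AN12207.
"""
from dataclasses import dataclass

# Raw ATR string as captured in the gist.
RAW_ATR = bytes.fromhex("b80411010504b9020101ba0101bb0c413731303543433234325231bc00")

TAG_LOW_LEVEL = 0xB8
TAG_PROTOCOL_BINDING = 0xB9
TAG_HIGHER_LAYER = 0xBA
TAG_OPERATING_SYSTEM = 0xBB
TAG_IDENTIFICATION = 0xBC

# Code -> meaning, as read in the gist for this particular chip.
ERROR_DETECTION = {0x01: "LRC"}
FRAME_WAITING_TIME_MS = {0x05: 320}
SPEED_KBPS = {0x04: 400}
BINDING = {0x01: "APDU"}
APDU_SUPPORT = {0x01: "short, extended"}


def parse_tlv(atr: bytes) -> dict:
    """Split an ATR into {tag: value}. Truncated or duplicated objects are
    rejected rather than silently using whatever bytes are present."""
    objects = {}
    pos = 0
    while pos < len(atr):
        if pos + 2 > len(atr):
            raise ValueError(f"truncated tag/length at offset {pos}")
        tag, length = atr[pos], atr[pos + 1]
        value = atr[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"object 0x{tag:02x} declares {length} bytes, {len(value)} present")
        if tag in objects:
            raise ValueError(f"duplicate object 0x{tag:02x}")
        objects[tag] = bytes(value)
        pos += 2 + length
    return objects


@dataclass
class Atr:
    protocol_version: str      # "major.minor", high/low nibble of one byte
    error_detection: str
    frame_waiting_time_ms: int
    speed_kbps: int
    supported_bindings: str
    default_binding: str
    apdu_support: str
    historical_bytes: bytes
    identification: bytes


def _lookup(table: dict, code: int, what: str):
    if code not in table:
        raise ValueError(f"unknown {what} code 0x{code:02x}")
    return table[code]


def parse_atr(atr: bytes) -> Atr:
    objs = parse_tlv(atr)
    for tag in (TAG_LOW_LEVEL, TAG_PROTOCOL_BINDING, TAG_HIGHER_LAYER,
                TAG_OPERATING_SYSTEM, TAG_IDENTIFICATION):
        if tag not in objs:
            raise ValueError(f"ATR is missing object 0x{tag:02x}")
    low = objs[TAG_LOW_LEVEL]
    binding = objs[TAG_PROTOCOL_BINDING]
    higher = objs[TAG_HIGHER_LAYER]
    if len(low) != 4 or len(binding) != 2 or len(higher) != 1:
        raise ValueError("unexpected length for a fixed-size ATR object")
    return Atr(
        protocol_version=f"{low[0] >> 4}.{low[0] & 0x0F}",
        error_detection=_lookup(ERROR_DETECTION, low[1], "error detection"),
        frame_waiting_time_ms=_lookup(FRAME_WAITING_TIME_MS, low[2], "frame waiting time"),
        speed_kbps=_lookup(SPEED_KBPS, low[3], "speed"),
        supported_bindings=_lookup(BINDING, binding[0], "protocol binding"),
        default_binding=_lookup(BINDING, binding[1], "default binding"),
        apdu_support=_lookup(APDU_SUPPORT, higher[0], "APDU support"),
        historical_bytes=objs[TAG_OPERATING_SYSTEM],
        identification=objs[TAG_IDENTIFICATION],
    )


if __name__ == "__main__":
    print(parse_atr(RAW_ATR))
```

Running it on RAW_ATR yields protocol version 1.1, LRC error detection, a 320 ms frame waiting time, 400 kbps, APDU as the only and default binding, and the historical bytes b'A7105CC242R1'; cutting a byte off the end makes parse_tlv raise instead of returning a partial object.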

APDU

The PS4 controller SE uses APDU over SCI2C. Therefore the master must wrap every APDU command as an SCI2C packet before sending it to the secure element, and must unwrap the response (checking for transport errors where applicable) coming back from it. Details on how to (un)wrap APDU commands can be found in section 13.10 of AN12207.

(Responses from the secure element carry a trailing status word, as in standard APDU. The status words are omitted below for simplicity, but one should always check them to make sure the issued command actually executed successfully.)

For an APDU-level emulator of this protocol targeting the JavaCard platform, see here.

Reset authentication

Command: CLA=0x80, INS=0x48, P1=0x00, P2=0x00

Response: None

Resets authentication state.

Set challenge (nonce)

Command: CLA=0x80, INS=0x44, P1=<page_size>, P2=<page>, data=<nonce[page*page_size:(page+1)*page_size]>

Response: None

Uploads one page (index page, size page_size bytes) of the challenge nonce to the secure element.

Get response

Command: CLA=0x80, INS=0x46, P1=<page_size>, P2=<page>, Le=<page_size>

Response: response[page*page_size:(page+1)*page_size]

Downloads one page (index page, size page_size bytes) of the response (*) to the challenge from the secure element.

*: See the DS4Response struct in ds4poke.py for more information regarding the exact format of the response.
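The three commands above form one host-side procedure: reset, page the nonce in, then page the response out, checking the status word of every APDU. The following is an added example, not code from the gist or from ds4poke.py. It keeps the gist's CLA/INS/P1/P2 values but leaves out the SCI2C framing layer, so transmit() hands a bare APDU to a constructed in-memory stand-in and gets back data plus a status word. Neither the nonce and response sizes nor what the real chip computes over the nonce are described on this page; the stand-in uses 32-byte buffers and derives its "response" with a plain SHA-256, which is a placeholder only.

```python
"""Host-side driver for the reset / set challenge / get response APDUs,
exercised against a constructed stand-in for the secure element.

Added example, not code from the gist or from ds4poke.py. CLA/INS/P1/P2
values are the documented ones; the SCI2C framing of AN12207 section 13.10
is omitted. The buffer sizes and the SHA-256 "response" below are
placeholders, not the real chip's behaviour.
"""
import hashlib

CLA = 0x80
INS_RESET_AUTH = 0x48
INS_SET_CHALLENGE = 0x44
INS_GET_RESPONSE = 0x46

SW_OK = 0x9000                      # ISO 7816 status words
SW_WRONG_LENGTH = 0x6700
SW_CONDITIONS_NOT_SATISFIED = 0x6985
SW_INS_NOT_SUPPORTED = 0x6D00

NONCE_LEN = 32                      # constructed sizes for the stand-in
RESPONSE_LEN = 32


def placeholder_response(nonce: bytes) -> bytes:
    """Stand-in for whatever the real SE computes; SHA-256 for illustration only."""
    return hashlib.sha256(nonce).digest()


class FakeSecureElement:
    """Constructed model of the SE's authentication state machine."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.nonce = bytearray(NONCE_LEN)
        self.filled = set()          # nonce byte offsets received so far
        self.response = None

    def process(self, apdu: bytes):
        """Return (data, status word) for one APDU."""
        if len(apdu) < 4 or apdu[0] != CLA:
            return b"", SW_WRONG_LENGTH if len(apdu) < 4 else SW_INS_NOT_SUPPORTED
        ins, page_size, page = apdu[1], apdu[2], apdu[3]
        if ins == INS_RESET_AUTH:
            self.reset()
            return b"", SW_OK
        start, end = page * page_size, (page + 1) * page_size
        if ins == INS_SET_CHALLENGE:
            data = apdu[5:]
            if len(apdu) < 5 or apdu[4] != len(data) or len(data) != page_size or end > NONCE_LEN:
                return b"", SW_WRONG_LENGTH
            self.nonce[start:end] = data
            self.filled.update(range(start, end))
            if len(self.filled) == NONCE_LEN:        # every nonce byte is in
                self.response = placeholder_response(bytes(self.nonce))
            return b"", SW_OK
        if ins == INS_GET_RESPONSE:
            if len(apdu) != 5 or apdu[4] != page_size or end > RESPONSE_LEN:
                return b"", SW_WRONG_LENGTH
            if self.response is None:                # challenge incomplete
                return b"", SW_CONDITIONS_NOT_SATISFIED
            return self.response[start:end], SW_OK
        return b"", SW_INS_NOT_SUPPORTED


class ApduError(Exception):
    pass


def transmit(se, apdu: bytes) -> bytes:
    """Send one APDU and enforce the status-word check the text calls for."""
    data, sw = se.process(apdu)
    if sw != SW_OK:
        raise ApduError(f"APDU {apdu[:4].hex()} failed, SW={sw:04x}")
    return data


def _pages(total: int, page_size: int) -> int:
    # P1 holds the page size, P2 the page index, and the gist's parameter
    # exchange caps a response at 253 bytes.
    if not 1 <= page_size <= 253 or total % page_size:
        raise ValueError("page size must be 1..253 and divide the buffer length")
    if total // page_size > 256:
        raise ValueError("page index must fit in P2")
    return total // page_size


def set_challenge(se, nonce: bytes, page_size: int):
    for page in range(_pages(len(nonce), page_size)):
        chunk = nonce[page * page_size:(page + 1) * page_size]
        transmit(se, bytes([CLA, INS_SET_CHALLENGE, page_size, page, len(chunk)]) + chunk)


def get_response(se, response_len: int, page_size: int) -> bytes:
    out = bytearray()
    for page in range(_pages(response_len, page_size)):
        out += transmit(se, bytes([CLA, INS_GET_RESPONSE, page_size, page, page_size]))
    return bytes(out)


def authenticate(se, nonce: bytes, page_size: int = 16) -> bytes:
    """Reset, upload the nonce page by page, then download the response."""
    transmit(se, bytes([CLA, INS_RESET_AUTH, 0x00, 0x00]))
    set_challenge(se, nonce, page_size)
    return get_response(se, RESPONSE_LEN, page_size)
```

Because the stand-in tracks which nonce bytes have arrived rather than assuming sequential pages, it also shows the failure mode worth handling on a real host: asking for the response before every challenge page has been uploaded yields a non-success status word, which transmit() turns into an exception instead of returning empty data.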
