Discuss this article in the Nuts & Volts forums at http://forum.nutsvolts.com.
WHAT WE ALREADY KNOW
The MotioninJoy tool works in
conjunction with Windows to drive a
DualShock 3 directly from a host PC’s USB
portal. We will use the Explorer 200 to
capture everything USB that flows between
the PC and the attached DualShock 3. The
plan is to record all of the USB packets in
their order of appearance. This will give us a
clear view of the USB events that are
necessary to communicate with the
DualShock 3. The USB trace will begin as
soon as I attach the DualShock 3 to the PC’s
Screenshot 1 is a graphical view of the
USB packet that is sent from the host to
assign an address to the DualShock 3. It is
imperative to know the DualShock 3’s device
address as we will use it to route USB packets
destined for it. Note that our assigned
DualShock 3 device address is 1. We already
know that the USB stack will take care of
assigning a device address. Odds are that the
USB stack will also anoint the DualShock 3 as
device number 1.
Some applications want to know the
device’s name. The device name is contained
within the iProduct string. As you can see in
Screenshot 2, the iProduct field does not
contain the data. However, the iProduct field
does point to the data. The host requests the
iProduct string in Screenshot 3 using the
index value (02) of the wValue field (0x0302).
Before we leave Screenshot 2, there are a
few more things we need to be aware of. The
maximum packet size we can force through
endpoint 0 is 64 bytes, as noted in the
bMaxPacketSize0 field. Things can’t get too
complicated since we only have one device
configuration to work with.
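The descriptor fields and the 0x0302 wValue discussed above, as an added C example that is not code from the article. The function names are hypothetical, the descriptor bytes are constructed (the VID/PID are placeholders, not values from the trace), and the 0x0409 language ID is assumed. The parser checks length, type, and endpoint 0 size before trusting anything an attached device reports.

```c
#include <stddef.h>
#include <stdint.h>

/* Fields of interest from the 18-byte USB device descriptor. */
struct dev_desc {
    uint8_t  max_packet_size0, i_product, num_configurations;
    uint16_t id_vendor, id_product;
};

/* Constructed sample, not bytes from the article's trace; VID/PID are placeholders. */
static const uint8_t sample_dev_desc[18] = {
    18, 0x01,                /* bLength, bDescriptorType = DEVICE */
    0x00, 0x02, 0, 0, 0,     /* bcdUSB 2.00, class, subclass, protocol */
    64,                      /* bMaxPacketSize0 */
    0x34, 0x12, 0x78, 0x56,  /* idVendor 0x1234, idProduct 0x5678 (placeholders) */
    0x00, 0x01, 1, 2, 0, 1   /* bcdDevice, iManufacturer, iProduct, iSerial, bNumConfigurations */
};

/* Returns 0 on success, -1 if the bytes are not a well-formed device descriptor. */
int parse_dev_desc(const uint8_t *b, size_t len, struct dev_desc *out)
{
    if (b == NULL || out == NULL || len < 18) return -1;
    if (b[0] != 18 || b[1] != 0x01) return -1;      /* wrong length or type */
    if (b[7] != 8 && b[7] != 16 && b[7] != 32 && b[7] != 64) return -1; /* USB 2.0 EP0 sizes */
    out->max_packet_size0   = b[7];
    out->id_vendor          = (uint16_t)(b[8]  | (b[9]  << 8));
    out->id_product         = (uint16_t)(b[10] | (b[11] << 8));
    out->i_product          = b[15];
    out->num_configurations = b[17];
    return 0;
}

/* Fill s[] with the 8-byte SETUP packet for GET_DESCRIPTOR(String, index). */
void build_get_string(uint8_t index, uint16_t langid, uint16_t wlen, uint8_t s[8])
{
    s[0] = 0x80;                  /* bmRequestType: device-to-host, standard, device */
    s[1] = 0x06;                  /* bRequest: GET_DESCRIPTOR */
    s[2] = index;                 /* wValue low byte: string index */
    s[3] = 0x03;                  /* wValue high byte: descriptor type STRING */
    s[4] = (uint8_t)(langid & 0xFF); s[5] = (uint8_t)(langid >> 8);  /* wIndex */
    s[6] = (uint8_t)(wlen & 0xFF);   s[7] = (uint8_t)(wlen >> 8);    /* wLength */
}

int main(void) {
    struct dev_desc d; uint8_t s[8];
    if (parse_dev_desc(sample_dev_desc, sizeof sample_dev_desc, &d)) return 1;
    build_get_string(d.i_product, 0x0409, 255, s);  /* 0x0409 = US English (assumed) */
    return ((s[3] << 8) | s[2]) == 0x0302 ? 0 : 1;
}
```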
That configuration alluded to in the
bNumConfigurations field of Screenshot 2
is outlined in the upper window of
Screenshot 4. Basically, the Configuration
descriptor is telling us that the DualShock 3’s
USB innards consist of a bus-powered single interface
that wants permission to draw a maximum of 500 mA of
current. The HID (Human Interface Device) interface
(interface 0) supports two endpoints. A control endpoint
also exists which is not specified in the Interface
descriptor. The DualShock 3 endpoint types and
addresses are shown in Screenshot 5. Each of the
interrupt endpoints supports a maximum of 64 bytes per
packet. The next thing the HID host driver does is set the
configuration. Since we only have one configuration,
Screenshot 6 is an easy read. The Explorer 200 picks up a
series of GetReport USB events following the
SetConfiguration event. We could detour here for days
examining the structure and content of report descriptors.
I don’t think we’ll need to dig that deeply into report
descriptors at this point, however. So, to continue, let’s
look for something that the snakes and penguins have
previously described to us.
■ SCREENSHOT 2. This beats fumbling through hex dumps. So, when
possible, I'll present our USB discoveries in this manner.
The content of this capture includes the PlayStation
DualShock 3's idVendor (VID) and idProduct (PID) data.
■ SCREENSHOT 3. The key to understanding how the iProduct string is
retrieved is to break down the 0x0302 wValue field. The 03 tells us that it
is a string and the 02 is the string index. The string's index value is
stored in the iProduct field in Screenshot 2.
THE PENGUIN SPEAKS
As I browsed the Explorer 200 trace, a particular
June 2013 55