Nuts and Volts

SetReport event caught my eye. The hexadecimal sequence 0x42 0x0C 0x00 0x00 I came across in the trace is identical to a portion of the Linux code that enables the DualShock 3, which is also known as SIXAXIS. Thus far, all of the communications between the DualShock 3 and the PC have used the control endpoint (endpoint 0). That tells us that all of the USB traffic up to this point has been in the form of setup and commands. Report data moves on the pair of interrupt endpoints.

Digging deeper into the trace, I discovered another enable function payload hexadecimal match of 0x03 0xF4. The Setup transaction you see in Screenshot 7 is telling us that four bytes of data is to be sent to the DualShock 3 interface. These four bytes to be sent consist of the SIXAXIS enable string (0x42 0x0C 0x00 0x00). None of this will fall together and make any sense until we can map those hex characters to a corresponding USB stack function call. Using the Setup transaction field names, I found a stack function that just might work. Here are its parameters:

Parameters:
  BYTE deviceAddress  - Device address
  BYTE bmRequestType  - The request type as
  defined by the USB specification.
  BYTE bRequest - The request as defined by the
  USB specification.
  WORD wValue  - The value for the request as
  defined by the USB specification.
  WORD wIndex - The index for the request as
  defined by the USB  specification.
  WORD wLength - The data length for the request
  as defined by the USB specification.
  BYTE *data - Pointer to the data for the
  request.
  BYTE dataDirection  - USB_DEVICE_REQUEST_SET
 or USB_DEVICE_REQUEST_GET
 BYTE clientDriverID - Client driver to
 send the event to.

The stack function that belongs to the aforementioned parameters is defined as follows:

BYTE USBHostIssueDeviceRequest(
 BYTE deviceAddress, BYTE bmRequestType,
 BYTE bRequest,WORD wValue, WORD wIndex,
 WORD wLength, BYTE *data, BYTE
dataDirection,
  BYTE clientDriverID )

The function name and arguments appear to be in line with the call we will have to issue to send those four bytes of SIXAXIS enable data.

THE SNAKE IS HISSING

The 48-byte hex dump that follows is actually the contents of a buffer that is sent as a report to the DualShock 3. I found this in a Python listing:

0x00, 0x00, 0x00, 0x00, 0x00,
 // rumble control
0x00, 0x00, 0x00, 0x00, 0x00,
 // LED Control
0xFF, 0x27, 0x10, 0x00, 0x32,
 // LED4
0xFF, 0x27, 0x10, 0x00, 0x32,
 // LED3
0xFF, 0x27, 0x10, 0x00, 0x32,
 // LED2
0xFF, 0x27, 0x10, 0x00, 0x32,
 // LED1
0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00

The Explorer 200 captured the packet payload in this configuration:

56 June 2013

■ SCREENSHOT 4. USB descriptors aren't very difficult once you understand how they support each other. The Configuration descriptor informs us about the interfaces and configurations. The Interface descriptor lays out the endpoints. The endpoints are described in their respective descriptors.

0x00, 0x96, 0x00, 0x96, 0x00,
 // rumble control
0x00, 0x00, 0x00, 0x00, 0x02,
 // LED Control

Cover
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
BC

one page

print

SlideShow

fullscreen

Click to subscribe to this magazine

Open Article

article text for page

< previous story | next story >

Share this page with a friend
Save to “My Stuff”
Subscribe to this magazine
Search
Help