Recently 0xor0ne recirculated an interesting article from 2019 that we missed covering, Reverse Engineering Counterfeit PS4 Gamepads Cortex M0 Microcontroller Firmware via USB by @Octopus (aka oct0xor on Twitter), which was initially shared on Twitter by @zecoxao back in 2020. 🎮

For those new to the PlayStation 4 Scene, some related topics can be found below (sorted by date with the oldest first), followed by a brief synopsis of the Hacking Microcontroller Firmware Through a USB article:
And from the Conclusion of the SecureList.com article, to quote:

This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how p!rates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.
Conclusion

After discovering what I wrote here, I thought I hit a dead-end: it’s easy to list all the GET reports, but doing the same with the SET reports will probably brick the device.

Well, luck was on my side when a few hours later I stumbled upon a leaked reverse-engineered code of the PS4 uploaded on archive.org (wtf, really?). 😲

From PS4-SRC:

info.txt                 20-Jul-2019 05:42   7.6K
links.txt                20-Jul-2019 05:43  14.9K
ps4-src_archive.torrent  03-Sep-2022 18:25  31.1K
ps4-src_files.xml        03-Sep-2022 18:25   1.9K
ps4-src_meta.sqlite      20-Jul-2019 06:51  16.0K
ps4-src_meta.xml         03-Sep-2022 18:25   1.2K
src.zip                  20-Jul-2019 06:50   2.9G
I could not believe my eyes when I found DS4_Flash-8.3.13.c inside the ZIP file, which contains the reverse-engineered code of an old version of the DS4. We’ll get into that in the next part! 🚀
This set of files should produce the necessary keys for the GP2040-CE PS4 Mode. You can quickly find it via a Google search, but I've decided to put it here for you to use. This will make the device able to skip the 8 minute timeout.
  • ds4-master-custom-lJArAqXq.zip (789.79 KB - includes ds4sig.bin, jedi_crypto.py, jedi_crypto-mod.py, jedi_flash-Aug_3_2013.bin, jedi_flash, Aug_3_2013.idc, jedi_tool.py and ps4nonce.bin via GodzIvan)
Emulating a PS4 controller without the 8 minute timeout

From the included README.md:
Code:
# ds4
Tools for working with DualShock 4

With the controller's fw, it is possible to do interesting things like:
 * flash custom fw to the controller
 * learn how all aspects of the controller work
 * implement native pairing on other host devices
 * present custom hardware as an "official" DS4 to the PS4

- GodzIvan -
