This documentation is provided solely for education and interoperability purposes (i.e. for people who are tired of proprietary, non-customizable hardware and want to use their own hardware for DIY controllers). It enables neither chip-cloning nor controller counterfeiting, which would violate copyright and/or any other applicable laws. This documentation also comes without warranty. Use it at your own risk.
- Model: NXP A710x series, possibly semi-customized (Label says 7105 - A7105 does not exist)
- Protocol: I2C
- Seen in:
Outer layer: Smart Card I2C Protocol (AN12207)
request:
[0] request cmd (PCB)
(optional) [1] len
(optional) [2:] payload
response:
[0] len
[1] return value (depends on command) (PCB)
(optional) [2:] payload
- Wake-up (0x0f)
- Soft reset (0x1f)
- Get ATR (0x2f)
- Parameter Exchange - set maximum length of response to 253 (0xff)
Seems to be standard SCI2C ATR.
Raw ATR string: b80411010504b9020101ba0101bb0c413731303543433234325231bc00
Parsed result:
- Low Level Data Object (11 01 05 04)
- Slave Device Protocol Version: 1.1 (11)
- Error Detection Codes: LRC (xor summation) (01)
- Frame Waiting Time: 320ms (05)
- Communication Speed: 400kbps maximum (04)
- Protocol Binding Data Object (01 01)
- Supported Protocol Bindings: APDU (01)
- Default Selected Protocol Binding: APDU (01)
- Higher Layer Data Object (01)
- APDU Support: Short, extended (01)
- Operating System Data Object (41 37 31 30 35 43 43 32 34 32 52 31)
- Historical Bytes: b'A7105CC242R1' (41 37 31 30 35 43 43 32 34 32 52 31)
- Identification Data Object ()
- Identification Data: b'' ()
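The parsed result above can be reproduced by splitting the raw ATR into tag-length-value objects. The following is an added example, not code from the original page or from ds4poke.py; the tag-to-object mapping is inferred from the order of the parsed result above, and the 1-byte tag/length layout and the nibble-packed version decoding are assumptions that match this ATR.

```python
RAW_ATR = bytes.fromhex(
    "b80411010504b9020101ba0101bb0c413731303543433234325231bc00")  # from this page

# Assumption: tag -> object mapping inferred from the order of the parsed result.
ATR_TAGS = {
    0xB8: "low_level",
    0xB9: "protocol_binding",
    0xBA: "higher_layer",
    0xBB: "operating_system",
    0xBC: "identification",
}


def split_tlv(atr):
    """Split an ATR into {name: value}; assumes 1-byte tags and 1-byte lengths."""
    objects, pos = {}, 0
    while pos < len(atr):
        if pos + 2 > len(atr):
            raise ValueError(f"truncated TLV header at offset {pos}")
        tag, length = atr[pos], atr[pos + 1]
        value = atr[pos + 2:pos + 2 + length]
        if tag not in ATR_TAGS:
            raise ValueError(f"unexpected tag {tag:#04x} at offset {pos}")
        if len(value) != length:
            raise ValueError(f"tag {tag:#04x} claims {length} bytes, {len(value)} present")
        if ATR_TAGS[tag] in objects:
            raise ValueError(f"duplicate tag {tag:#04x}")
        objects[ATR_TAGS[tag]] = bytes(value)
        pos += 2 + length
    return objects


def parse_atr(atr):
    """Decode the fields this page lists; raw codes are kept, not interpreted."""
    objs = split_tlv(atr)
    low = objs.get("low_level", b"")
    if len(low) != 4:
        raise ValueError("low level data object must be 4 bytes")
    version, edc, fwt, speed = low
    return {
        # Assumption: version is major.minor packed as two nibbles (0x11 -> 1.1).
        "protocol_version": f"{version >> 4}.{version & 0x0F}",
        "edc_code": edc, "fwt_code": fwt, "speed_code": speed,
        "protocol_binding": objs.get("protocol_binding", b"").hex(),
        "higher_layer": objs.get("higher_layer", b"").hex(),
        "historical_bytes": objs.get("operating_system", b""),
        "identification": objs.get("identification", b""),
    }
```

A truncated or malformed ATR read raises ValueError instead of yielding partial fields, which is worth keeping when the bytes come from a live I2C bus.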
The PS4 controller SE uses APDU over SCI2C. Therefore the master must wrap all APDU commands as SCI2C packets before sending them to the secure element. The master must also unwrap the response from the secure element (and check for errors if applicable). Details about how to (un)wrap APDU commands can be found in section 13.10 of AN12207.
(Responses from the secure element come with a trailing status code as part of the standard APDU protocol. Although the status codes are omitted below for simplicity, one should always check them to make sure the issued command was executed successfully.)
For an APDU-level emulator of this protocol targeting the JavaCard platform, see here.
Command: CLA=0x80, INS=0x48, P1=0x00, P2=0x00
Response: None
Resets authentication state.
Command: CLA=0x80, INS=0x44, P1=<page_size>, P2=<page>, data=<nonce[page*page_size:(page+1)*page_size]>
Response: None
Upload one page, with index <page> and size <page_size>, of the challenge nonce to the secure element.
Command: CLA=0x80, INS=0x46, P1=<page_size>, P2=<page>, Le=<page_size>
Response: response[page*page_size:(page+1)*page_size]
Download one page, with index <page> and size <page_size>, of response (*), the response to the challenge, from the secure element.
*: See the DS4Response struct in ds4poke.py for more information regarding the exact format of response.