The Belkin QODE Ultimate iPad Air keyboard case is a folio-style case for the iPad Air with a built-in Bluetooth keyboard. It is a higher-end version of the QODE Slim Style we recently reviewed and an excellent tool for mobile productivity. The base of the case, where the keys are located, is made of aluminum for a premium look and feel that also delivers a very solid surface to type on.
The typing experience is very nice thanks to well-spaced and well-placed keys with enough travel for a mobile keyboard. Belkin leaves a good deal of space between the keys, so any typos were my fault, not ones I could blame on the keyboard. Punctuation is the only real place I slow down on the Belkin QODE Ultimate. Belkin claims the battery lasts 264 hours, which we haven't hit yet, but it is still going strong after heavy use and no recharging during the last several weeks, so suffice it to say battery life is good. The QODE Ultimate is an excellent iPad Air keyboard case that delivers a wonderful typing experience, multiple angles and a case that looks very nice and provides protection.

I wanted to share this story because I am very happy that I finally managed to get this far. I had already completed a similar project that worked with the PS3 (UsbXlater): a device that connected to the PS3 via USB and translated keyboard and mouse data into the gamepad data format. Once the PS4 launched, I reverse-engineered the USB protocol used by the DualShock and attempted the same technique.
I started talking with people who are working on similar projects, such as Matlo from and the creators of XIM.
At this point, I wrote a bit of firmware code that allowed me to store things in flash memory. I also noticed 4 bytes of random-looking data appended to every packet; after a few checks, it turned out that these are just a 32-bit CRC that is not part of the official Bluetooth specification, so Sony must have added them just to be safe. At this point, I had to modify my own circuit so that it included a Bluetooth module. Then I tried to write my own Bluetooth stack firmware (I literally had to learn the entire Bluetooth spec). While I was doing this, Matlo was way ahead of me and had already tried to send data to the PS4 via Bluetooth.

This means that a real DualShock must be connected over Bluetooth at all times, because the PlayStation never actually stops requesting authentication. The traffic is so heavy that my own circuit can't keep up either; I had to prioritize my FIFOs so that the important authentication packets are guaranteed to be delivered, while everything else has about an 80% chance of being forwarded correctly. So the final stretch was to code my firmware to work like Matlo's proxy, except that the packets carrying the button and thumbstick bytes are rewritten with new values before being forwarded.
At one point in this story, the UsbXlater circuit had to be redesigned to include the USB hub. I need to redesign the circuit: it needs a 4-port hub instead of a 3-port one, and I need to swap the two USB interfaces (the HS interface has 12 host channels and the FS interface has only 8, so I need to use the HS interface for the hub). This doesn't sound impressive at all; there are a lot of products out there already that do this for the Xbox 360, Xbox One, and PlayStation 3. The first thing I did was make it work with the PlayStation 3 by spoofing a DualShock 3 connected over USB.
My circuit is all digital: no analog noise, no input latency from analog-to-digital conversion, and no need to disassemble the DualShock. How did you trick the DualShock and PlayStation to connect to your circuit instead of each other? The Bluetooth device address (basically the MAC address) is given to the DualShock first via USB. The Bluetooth device address and link key of the PlayStation are also obtained by connecting my circuit to the PlayStation with a USB cable.
I took a video of BF4's minimap spinning at different speeds, plotted that speed against stick deflection, and inverted the curve to generate a look-up table. I have no idea how they do it, but since the Hori Pad is an officially Sony-licensed product, Sony can make some sort of exception for it in the PS4's operating system.
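The curve inversion described above, as an added worked example (this is not the author's code). The measured samples are constructed for illustration: each pair is a stick deflection from centre (0..127) and the turning rate it produced, with a flat dead zone near centre as games commonly have. Inverting a curve with a plateau needs care, because several deflections map to the same rate, so the inversion keeps the edge of the dead zone and the first deflection that reaches any higher plateau. It goes slightly beyond the text in also applying the finished table to a mouse delta.

```python
"""Invert a measured stick-to-turn-rate curve into a mouse-to-stick LUT.

Added example, not the author's code. MEASURED is constructed sample data:
(stick deflection from centre 0..127, measured turn rate in degrees/second).
"""
import bisect

MEASURED = [(0, 0.0), (20, 0.0), (40, 15.0), (60, 45.0),
            (80, 95.0), (100, 170.0), (127, 300.0)]


def interp(points, x):
    """Piecewise-linear interpolation over (x, y) points sorted by x,
    clamped to the end points."""
    xs = [p[0] for p in points]
    if x <= xs[0]:
        return float(points[0][1])
    if x >= xs[-1]:
        return float(points[-1][1])
    i = bisect.bisect_right(xs, x)
    (x0, y0), (x1, y1) = points[i - 1], points[i]
    return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def invert_curve(measured):
    """Turn (deflection, rate) samples into a strictly increasing (rate,
    deflection) curve. A zero-rate plateau (dead zone) keeps its last
    deflection, since anything smaller does nothing; a positive plateau keeps
    its first deflection, since pushing further gains nothing."""
    inv = []
    for defl, rate in measured:
        if inv and rate < inv[-1][0]:
            raise ValueError("response curve must be non-decreasing")
        if inv and rate == inv[-1][0]:
            if rate == 0:
                inv[-1] = (rate, defl)
            continue
        inv.append((rate, defl))
    return inv


def build_lut(measured, size=128):
    """For each desired rate, linearly spaced from 0 to the maximum measured
    rate, look up the deflection that produces it. Index 0 is forced to
    centre so a motionless mouse never leaves the dead zone."""
    inv = invert_curve(measured)
    max_rate = inv[-1][0]
    lut = [round(interp(inv, max_rate * i / (size - 1))) for i in range(size)]
    lut[0] = 0
    return lut


def mouse_to_stick(dx, lut, counts_per_full=32):
    """Map a mouse delta (counts per poll) onto a right-stick axis byte,
    0x80 being centre, using the LUT so that turn rate grows linearly
    with mouse movement. Deltas beyond counts_per_full saturate."""
    idx = min(abs(dx), counts_per_full) * (len(lut) - 1) // counts_per_full
    defl = lut[idx]
    return 0x80 + defl if dx >= 0 else 0x80 - defl


if __name__ == "__main__":
    table = build_lut(MEASURED)
    print("LUT:", table)
    for delta in (0, 1, 8, 16, 32, -8):
        print(f"mouse dx={delta:+d} -> stick byte 0x{mouse_to_stick(delta, table):02x}")
```

Re-measuring the curve is needed per game (and often per in-game sensitivity setting), which is why the text mentions a keybinding and mapping configuration utility.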
This entry was posted in Project and tagged bluetooth, ps4, reverse engineer, usb on March 2, 2014 by Admin.

If you don't update absolutely 100% of all DualShocks and allow both old and new firmware to work, then people who want to use my hack will just buy one that has the older firmware. Developing and then testing the new firmware, and then testing the new firmware update process, will not be cheap for Sony either. Another thing: the HoriPad is an officially licensed (approved by Sony) 3rd-party wired controller for PS4 that has a similar vulnerability.
The Pi can be a USB host but not a USB device, so how is it going to pretend to be an XB360 controller when you can't plug it into the XB360?
So you would need another microcontroller to become the USB device, and somehow also listen to the Pi for commands. If you get a microcontroller that has two USB interfaces anyway, then what is the point of using the Raspberry Pi anymore? You can get around this in two ways. One way is to manually pair with the PS4 using the PS4's menu, which is super annoying.
I really wish I had any idea how to do this, I love my console but hate controllers so much.

For the higher price, users get a metal keyboard tray with support for more angles and a much nicer-looking case for the iPad Air. The ability to position the iPad Air at one of three angles is a big plus, as many iPad keyboards only allow users to place the device at a fixed angle. I am not a fan of keeping the iPad in this case when I am reading a book, though you can wrap the keyboard around the back. The Alt and Command keys operate as on a Mac, allowing users to delete or select words or lines at a time.
The period, comma and question mark are easy enough to hit, but even after a few weeks I have yet to adjust to the colon and semicolon position to the right of the space bar. For the price I wish it were backlit for easier use in low light, but even without this feature it is a great tool for mobile productivity. This device is easy to install, take out and connect with any version of the original PS4 controller, and provides convenient and useful functions like text typing, Internet chat, and game playing. The keyboard and mouse plug into the USB hub, and the microcontroller takes the data from the keyboard and mouse and translates it into the data format used by the PlayStation 4. If you want to buy something similar from somebody else, try the XIM4 (my top choice), CronusMAX, Venom X, etc. Anybody who is attempting this and thought it was impossible can now breathe a sigh of relief, because it definitely can be done.
The Bluetooth link key (think of it as a 16-byte pairing code) is the next challenge. If the trailer had been a keyed MAC instead of a plain CRC, spoofing the packets would have been far harder, because without the key you cannot produce a valid tag for a modified packet. An unkeyed cryptographic hash alone would not have helped, since anyone can recompute it, but even a CRC with a non-standard seed or polynomial would have forced an attacker to recover those parameters from captured packets before any modified packet would be accepted.
I had several choices but eventually settled on using a common USB Bluetooth dongle (advantages: fast, certified, cheap). I almost finished writing one but was not happy with how complicated it needed to become in order to handle all possible situations.

Since some packets are modified, the CRC needs to be recalculated, which is easy because the STM32 microcontroller I am using already has a hardware CRC engine (faster than a software CRC). One check worth making before relying on it: the hardware unit's polynomial, bit order and initial value must match the CRC variant the packets use; if they differ, the input words and the result have to be bit-reversed or the seed adjusted in software before the console will accept the trailer. I also need to make a keybinding configuration utility so the control mapping can be adapted to other games. They forgot to include a digital signature; if the encryption had depended on the Bluetooth address in some way, then the proxy attack would not have worked. Because the proxy only rewrites the button and stick bytes, the touchpad data and motion data are not modified, so the DualShock still works. I expected A2DP to be used for audio, but apparently the audio data is mixed in with the HID data.
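The two steps the proxy performs on a forwarded report, rewriting the button and thumbstick bytes and then re-sealing the CRC, as an added worked example. This is not the author's firmware (which runs on an STM32 in C); it is a host-side Python model. Everything about the report layout is an assumption drawn from community reverse engineering of the DualShock 4 rather than from the text: that the trailing 4 bytes are a standard CRC-32 (zlib polynomial, little-endian) computed over the HID transport byte 0xA1 followed by the report body, that the Bluetooth input report is ID 0x11, and that its stick and button fields sit at offsets 3..8. The sample report is constructed.

```python
"""Patch a DualShock 4 Bluetooth input report like a proxy and re-seal its CRC.

Added example, not the author's code. Layout assumptions (community reverse
engineering, not stated on the page): report 0x11, CRC-32 (zlib/IEEE, LE)
over 0xA1 + body, LX/LY/RX/RY at 3..6, digital buttons at 7 and 8.
"""
import struct
import zlib

HID_INPUT_PREFIX = b"\xa1"   # transport byte the CRC covers (assumption)
REPORT_ID = 0x11             # Bluetooth input report carrying stick/button data
REPORT_LEN = 78              # 74 body bytes + 4 CRC bytes (assumption)
LX, LY, RX, RY = 3, 4, 5, 6
BTN0, BTN1 = 7, 8
HAT_RELEASED = 0x8           # low nibble of BTN0 when no d-pad direction is held

# (byte offset, bit mask) of each digital button (assumption)
BUTTON_BITS = {
    "square": (BTN0, 0x10), "cross": (BTN0, 0x20),
    "circle": (BTN0, 0x40), "triangle": (BTN0, 0x80),
    "l1": (BTN1, 0x01), "r1": (BTN1, 0x02), "l2": (BTN1, 0x04), "r2": (BTN1, 0x08),
    "share": (BTN1, 0x10), "options": (BTN1, 0x20), "l3": (BTN1, 0x40), "r3": (BTN1, 0x80),
}


def crc32_of(body: bytes) -> int:
    """CRC-32 over the transport prefix plus the report body."""
    return zlib.crc32(HID_INPUT_PREFIX + body) & 0xFFFFFFFF


def crc_ok(report: bytes) -> bool:
    """Verify the trailing CRC before trusting or modifying a report."""
    if len(report) < 5:
        return False
    body, trailer = report[:-4], report[-4:]
    return crc32_of(body) == struct.unpack("<I", trailer)[0]


def seal(body: bytes) -> bytes:
    """Append a fresh CRC-32 so the console accepts the patched report."""
    return body + struct.pack("<I", crc32_of(body))


def wasd_to_stick(keys: set) -> tuple:
    """WASD -> left stick (x, y); 0x80 is centre, 0x00 is up/left, 0xFF down/right."""
    x = 0x80 + (0x7F if "d" in keys else 0) - (0x80 if "a" in keys else 0)
    y = 0x80 + (0x7F if "s" in keys else 0) - (0x80 if "w" in keys else 0)
    return x, y


def mouse_to_stick_linear(dx: int, dy: int, gain: int = 8) -> tuple:
    """Linear mouse delta -> right stick, clamped to 0..255 (a real build
    would use the measured look-up table instead of a constant gain)."""
    clamp = lambda v: max(0, min(255, v))
    return clamp(0x80 + dx * gain), clamp(0x80 + dy * gain)


def rewrite_report(report: bytes, keys: set, mouse_dx: int, mouse_dy: int,
                   keymap: dict) -> bytes:
    """Replace stick and button bytes with keyboard/mouse state and re-seal.
    Touchpad, motion and everything else stays exactly as the real DualShock
    sent it; reports with any other ID (e.g. authentication) pass through."""
    if not crc_ok(report):
        raise ValueError("inbound report failed CRC check; dropping it")
    body = bytearray(report[:-4])
    if body[0] != REPORT_ID:
        return report
    body[LX], body[LY] = wasd_to_stick(keys)
    body[RX], body[RY] = mouse_to_stick_linear(mouse_dx, mouse_dy)
    body[BTN0] = HAT_RELEASED   # clear d-pad hat and face buttons
    body[BTN1] = 0
    for key in keys:
        if key in keymap:
            off, mask = BUTTON_BITS[keymap[key]]
            body[off] |= mask
    return seal(bytes(body))


def sample_report() -> bytes:
    """A constructed, centred, no-buttons 0x11 report with a valid CRC."""
    body = bytearray(REPORT_LEN - 4)
    body[0] = REPORT_ID
    body[1] = 0xC0
    body[LX] = body[LY] = body[RX] = body[RY] = 0x80
    body[BTN0] = HAT_RELEASED
    return seal(bytes(body))


if __name__ == "__main__":
    keymap = {"space": "cross", "mouse_left": "r2", "shift": "l3"}
    patched = rewrite_report(sample_report(), {"w", "space", "mouse_left"}, 3, -2, keymap)
    print("valid:", crc_ok(patched), "report:", patched.hex())
```

The CRC check on the inbound side matters as much as the re-seal on the outbound side: a report that arrives corrupted should be dropped rather than patched and re-sealed, since re-sealing would turn a detectable error into a valid-looking bogus report.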
I did see two test points on the DualShock's PCB that may have been the SWDIO and SWCLK pins of an SWD interface, but if Sony locked the firmware and I attempted to read it, it would cause the microcontroller to wipe itself (self-destruct the firmware). For Bluetooth, I tried to use an Ubertooth One, but was unsuccessful because it could not perform the necessary frequency hopping correctly for some reason. To change the way that the encryption works on the DualShock, they would have to do a firmware update on the DualShock. How many are just sitting on a store shelf or in a warehouse waiting to be sold with an old firmware? This can be done by either getting a microcontroller with two USB device interfaces (one for the Pi, one for the Xbox), or using the serial port of the Pi.
I am not sure how much access you have to the deeper Bluetooth and USB stuff on Android or iOS.
Your F401 only has one USB interface, which you will use as a host for the keyboard, mouse, and Bluetooth module.
The other way is to have the USB interface switch between host and device roles, so that it retrieves the link key once and then stores it for later use. Because I read your post stating that “because the PlayStation never actually stops requesting authentication.”
The authentication is different: it sends a different challenge every time, but you don't need to change USB roles for authentication because it is transmitted over Bluetooth. If not, would it be too much to ask to capture one? I think it could be an important key in getting the DS4 headset to work on PC.
I will often grab this combo when heading out in the evening or when I visit my in-laws on a weekend so that I can turn any downtime into writing time. Gamepad controls are not well suited to shooter games; using a keyboard and mouse is much more comfortable. It does the translation as though the mouse were the right thumbstick, and the keys are mapped to buttons (the WASD keys are mapped to the left thumbstick).
I connected these signals to my logic analyzer to capture the UART traffic, logged it, and wrote a script to reformat the log into pcap format so the traffic could be analyzed using Wireshark (which has a dissector specifically for H4 HCI). The Bluetooth link keys and addresses can now be stored in flash memory, so the user only needs to obtain them once, not every time.
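The log-to-pcap conversion described above, as an added worked example; this is not the author's script. It splits one direction's raw UART bytes into HCI packets using the H4 framing from the Bluetooth Core Specification's UART transport layer (type byte 0x01 command, 0x02 ACL, 0x03 SCO, 0x04 event, each followed by a header whose length field gives the payload size) and writes them with the pcap link type Wireshark dissects as Bluetooth HCI H4 (LINKTYPE_BLUETOOTH_HCI_H4, value 187). The sample bytes are constructed (an HCI_Reset exchange and one ACL frame), not captured from a DualShock.

```python
"""Split an H4 HCI UART byte stream into packets and write a pcap for Wireshark.

Added example, not the author's script. Sample packets are constructed.
"""
import struct

LINKTYPE_BLUETOOTH_HCI_H4 = 187

# H4 type byte -> (header length after the type byte,
#                  offset of the length field inside that header,
#                  size of the length field in bytes)
H4_HEADERS = {
    0x01: (3, 2, 1),   # command: opcode(2) + parameter total length(1)
    0x02: (4, 2, 2),   # ACL data: handle/flags(2) + data total length(2, LE)
    0x03: (3, 2, 1),   # SCO data: handle(2) + data total length(1)
    0x04: (2, 1, 1),   # event: event code(1) + parameter total length(1)
}


def split_h4(stream: bytes) -> list:
    """Return complete H4 packets from a single-direction byte stream.
    Raises on an unknown type byte (lost sync, e.g. a glitch in the capture)
    and stops cleanly at a truncated trailing packet."""
    pkts, i = [], 0
    while i < len(stream):
        t = stream[i]
        if t not in H4_HEADERS:
            raise ValueError(f"lost H4 sync at offset {i}: type byte 0x{t:02x}")
        hdr_len, len_off, len_size = H4_HEADERS[t]
        if i + 1 + hdr_len > len(stream):
            break
        hdr = stream[i + 1:i + 1 + hdr_len]
        payload_len = int.from_bytes(hdr[len_off:len_off + len_size], "little")
        end = i + 1 + hdr_len + payload_len
        if end > len(stream):
            break
        pkts.append(stream[i:end])
        i = end
    return pkts


def pcap_bytes(packets, base_ts: float = 0.0, step: float = 0.001) -> bytes:
    """Serialize packets into a classic pcap (microsecond timestamps).
    Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                       LINKTYPE_BLUETOOTH_HCI_H4)]
    for n, pkt in enumerate(packets):
        ts = base_ts + n * step
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


# Constructed samples: HCI_Reset, its Command Complete event, and an ACL frame
# carrying an L2CAP payload of 4 bytes on CID 0x0041.
SAMPLE_TX = bytes.fromhex("01030c00")
SAMPLE_RX = bytes.fromhex("040e0401030c00")
SAMPLE_ACL = bytes.fromhex("020120080004004100a111c000")


def write_capture(path: str, host_to_ctrl: bytes, ctrl_to_host: bytes) -> int:
    """Split both directions and write one pcap; returns the packet count.
    Without per-packet timestamps the two directions are simply concatenated."""
    pkts = split_h4(host_to_ctrl) + split_h4(ctrl_to_host)
    with open(path, "wb") as f:
        f.write(pcap_bytes(pkts))
    return len(pkts)


if __name__ == "__main__":
    n = write_capture("hci_h4.pcap", SAMPLE_TX, SAMPLE_RX + SAMPLE_ACL)
    print(f"wrote {n} packets to hci_h4.pcap")
```

A logic analyzer gives you the two UART directions as separate streams; if the exporter keeps per-byte timestamps, sort the packets from both directions by time before writing. To have Wireshark show direction, use LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR (201) instead and prefix each packet with a 4-byte big-endian direction word (0 sent, 1 received).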
The traffic over Bluetooth is so heavy that Matlo noticed his computer would sometimes miss packets. The link key is also given to the DualShock this way (a link key is similar to a pairing code, but not exactly). Because of my proxy technique, the LED colours and vibration data are not modified, so they still work in games. However, after the discovery of the H4 HCI UART signals, I didn't need the Ubertooth, because HCI traffic contains all the information I needed (in unencrypted form too, which is a bonus).
The only advantage the Raspberry Pi has is its video output, which might make reconfiguring it easier. This means you don't have a USB device interface, which is needed to retrieve the link key from the PS4. There is no power button on the keyboard, as it turns on and off as needed, something it did reliably during our testing. It did not work; it seemed like only wireless traffic was used by the PlayStation, not USB traffic. I noticed this because I spotted a chunk of bytes that looked random in the USB enumeration traffic, which gave me a hunch to check whether it was the same bytes as the link key. I had to reimplement my USB transport layer for it and make some tweaks, but it does the job well enough right now.
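The "chunk of bytes that looked random" hunch above can be made systematic. The following is an added example, not the author's code, and it generalizes the observation: rather than eyeballing a capture for the link key, slide a 16-byte window over a USB transfer payload and score each window's Shannon entropy, then merge the high-scoring windows into candidate spans to compare against a key you already know (or to watch for across captures). The payload is constructed: enumeration-style low-entropy bytes with a 16-byte high-entropy span planted at a known offset.

```python
"""Locate random-looking byte runs (e.g. a 16-byte link key) in a captured payload.

Added example, not the author's code. SAMPLE_PAYLOAD and SAMPLE_KEY are
constructed; nothing here is a real DualShock or PS4 key.
"""
import math


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of buf
    (0.0 for a constant run, 4.0 for 16 distinct bytes in a 16-byte window)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_random_spans(payload: bytes, window: int = 16, threshold: float = 3.4) -> list:
    """Slide a window over payload; windows at or above threshold are merged
    into (start, end, peak_entropy) spans. With window=16 the maximum is 4.0;
    the default threshold corresponds to at most a few repeated bytes, so
    zero padding and descriptor-like structured fields score well below it."""
    spans, cur = [], None
    for off in range(len(payload) - window + 1):
        h = shannon_entropy(payload[off:off + window])
        if h < threshold:
            if cur is not None:
                spans.append(cur)
                cur = None
            continue
        if cur is None:
            cur = (off, off + window, h)
        else:
            cur = (cur[0], off + window, max(cur[2], h))
    if cur is not None:
        spans.append(cur)
    return spans


def span_contains(span, payload: bytes, needle: bytes) -> bool:
    """The original check: is a known key inside the flagged region?"""
    start, end, _ = span
    return payload.find(needle, start, end) != -1


# Constructed sample: a report-ID/length-style header, zero padding, a 16-byte
# key with all-distinct bytes, then more padding.
SAMPLE_KEY = bytes.fromhex("6f3a91c4e20b7d58a6f1439c0e2b8d7a")
KEY_OFFSET = 16
SAMPLE_PAYLOAD = bytes([0x12, 0x0D, 0x00, 0x00]) + bytes(12) + SAMPLE_KEY + bytes(8)


if __name__ == "__main__":
    for span in find_random_spans(SAMPLE_PAYLOAD):
        s, e, peak = span
        print(f"candidate span {s}..{e} (peak entropy {peak:.2f}): "
              f"{SAMPLE_PAYLOAD[s:e].hex()}")
        print("contains known key:", span_contains(span, SAMPLE_PAYLOAD, SAMPLE_KEY))
```

Entropy localizes a key only approximately (windows straddling the edge of the key still score high against zero padding), so treat a span as a region to compare against other captures or a known key, not as exact boundaries. Compressed or encrypted audio payloads will also score high, which is exactly why the comparison step is still needed.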
This is a problem if Matlo wants his code working on a small platform such as the Raspberry Pi.
If another device attempts to provide a wrong answer, the PlayStation will ignore that device. As I have mentioned before, packets are being lost, which means audio data will be lost. How about all the 3rd-party products currently in development that we don't know about yet? We did not know how to generate the responses (the challenges are 256 bytes of random data, and we did not have the cryptography expertise to even start attempting to defeat it). The Bluetooth L2CAP traffic still uses the HID PSM, so all of the traffic looks similar to USB traffic, and the report IDs being used are the same.
Matlo created a tool called l2cap_proxy that replayed all traffic between two devices exactly.
So I conducted an experiment (using PyUSB) to feed the challenges to the DualShock by USB instead of Bluetooth, then attempted to read the response by USB. It's simply too much data to process on a microcontroller (and Matlo had trouble with the data rate even on a full PC).

