This is a sub-project of GIMX.
GIMX aims to provide interoperability between game controllers and game consoles.
More about GIMX at http://blog.gimx.fr/
Introduction
Unlike PC gamers, console gamers cannot really choose the controller they play with, and have to spend money on new controllers (sometimes poorly designed, or not suited to the user's needs) for each console.
While the USB HID specification allows generic human interface devices to be designed that work with generic drivers, console manufacturers prevent this interoperability.
The PS3 has some unofficial support for generic USB HID joysticks.
Unofficial means that Sony can blacklist devices (based on their USB VID/PID) whenever it chooses; this happened in the 3.50 firmware update.
Even where a generic HID joystick works, many games can only be fully played with a sixaxis: in such games, some controls are missing with a generic HID joystick.
The Xbox 360 doesn't support generic HID joysticks at all.
It is even more restrictive: it only accepts controllers that can authenticate as genuine 360 controllers, and that authentication relies on a security chip inside the controller.
Third-party controllers for the PS3 are either generic USB HID joysticks (limited game compatibility, can be blacklisted/disabled by Sony) or controllers that mimic the sixaxis protocol (over Bluetooth or USB).
Third-party controllers for the 360 either include a security chip of their own (probably licensed by Microsoft) or use a genuine 360 controller to get through the authentication.
Goal
Bypass the 360 controller authentication using a PC, a genuine 360 controller, and some cheap USB hardware.
Xbox 360 controller |----usb----| PC |----usb----| cheap USB hardware |----usb----| Xbox 360
Making this bypass as generic as possible would probably allow the source code to be reused for other USB sniffing/spoofing work.
Hardware
GIMX already works with the PS3 over a USB adapter composed of a USB AVR development board (for example a Teensy 2.0) and a USB-to-serial TTL converter (for example a CP2102 converter).
This hardware is cheap (about $20), widely available (thanks to the PSGroove), and development is easy with avr-gcc and LUFA.
It would be a plus if the authentication bypass could be performed with the same hardware, with a different AVR USB firmware of course.
There could be a bandwidth issue, since the serial link is much slower than full-speed USB (1 Mbit/s vs 12 Mbit/s).
But game controllers use little bandwidth, and the timeouts a USB host allows on control transfers are not that restrictive (http://www.beyondlogic.org/usbnutshell/usb6.shtml#SetupPacket); what matters in practice is how long the 360 is willing to wait for each authentication transfer to complete.
Xbox 360 controller |----usb----| PC |----usb----| CP2102 |----serial----| Teensy |----usb----| Xbox 360
AVR USB firmware
The most natural way to start is a firmware that enumerates as a 360 controller, i.e. presents the same descriptors as the genuine controller.
More about the USB enumeration: http://www.lvr.com/usbcenum.htm
Tools: lsusb to dump the genuine controller's descriptors (sudo lsusb -v -s [bus]:[devnum]) and usbmon to capture its traffic (sudo wireshark).
Once this basic firmware is done, the AVR is connected to the 360, and the requests the 360 sends to it are forwarded to the PC over serial.
Analysis of these requests shows that the authentication is performed through a few vendor-specific control transfers.
More about control transfers: http://www.beyondlogic.org/usbnutshell/usb4.shtml#Control
The enumeration could also be forwarded to the PC over the serial port, except for the SET_ADDRESS request, which cannot be relayed (the PC host has already assigned the genuine controller its own address).
As enumeration is nearly identical across all hosts and operating systems, there is little point in forwarding it; the firmware answers it by itself.
Software
The PC-side software (the spoofer) communicates over a serial port (the CP2102 converter, towards the AVR) and over USB (towards the genuine 360 controller).
It forwards the USB control messages in both directions, as quickly as possible to avoid any USB timeout.
A reference for serial port programming is http://www.easysw.com/~mike/serial/serial.html
Because the data exchanged is arbitrary binary, the serial port has to be configured in raw mode (no canonical line processing, no character translation, no software flow-control characters), otherwise the driver would alter or swallow some bytes.
USB programming from userspace is easy thanks to libusb.
Apart from the library initialization functions, the essential function for the bypass is usb_control_msg (libusb-0.1 API): http://libusb.sourceforge.net/doc/function.usbcontrolmsg.html
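The request handling described in the previous two sections (the AVR answering enumeration itself and relaying only the vendor-specific authentication transfers, and the PC software shuttling those transfers between the serial port and usb_control_msg), written out as an added example in C. This is not GIMX code: the serial frame layout, the function names, the request numbers 0x81/0x82, the sample frames and the fake controller standing in for the genuine one are all assumptions made for this example; the real libusb call is named in a comment where it would go.

```c
/* Added example (not GIMX code): decode the SETUP packet the AVR forwards, decide
 * which requests the AVR must answer itself, and frame the relayed transfer and
 * its reply over the serial link. Framing, request numbers 0x81/0x82 and the
 * fake controller are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 8-byte SETUP packet of a USB control transfer (USB 2.0, section 9.3). */
struct usb_setup {
    uint8_t  bmRequestType; /* bit 7: 1 = IN; bits 6..5: type; bits 4..0: recipient */
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;       /* data-stage length in bytes */
};
enum { USB_TYPE_STANDARD = 0, USB_TYPE_CLASS = 1, USB_TYPE_VENDOR = 2, USB_REQ_SET_ADDRESS = 5 };

/* Multi-byte fields are little-endian on the wire. */
void setup_parse(const uint8_t raw[8], struct usb_setup *s) {
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
}
int  setup_type(const struct usb_setup *s)  { return (s->bmRequestType >> 5) & 3; }
bool setup_is_in(const struct usb_setup *s) { return (s->bmRequestType & 0x80) != 0; }

/* Standard requests (descriptors, SET_CONFIGURATION, ...) are answered by the AVR
 * itself; SET_ADDRESS in particular can never be relayed, as the PC host already
 * gave the genuine controller an address. Only vendor-specific requests are relayed. */
bool setup_must_forward(const struct usb_setup *s) {
    if (setup_type(s) == USB_TYPE_STANDARD) return false; /* includes SET_ADDRESS */
    return setup_type(s) == USB_TYPE_VENDOR;
}

/* Assumed AVR -> PC frame: the 8 SETUP bytes, then the data stage (wLength bytes)
 * for OUT transfers only. Serial reads return arbitrary chunks, so the PC must
 * keep reading until this many bytes are buffered before acting on the frame. */
size_t request_frame_len(const struct usb_setup *s) {
    return 8 + (setup_is_in(s) ? 0 : s->wLength);
}

/* Assumed PC -> AVR reply: 2-byte little-endian length, then the bytes the genuine
 * controller returned (none for OUT). A failed or stalled transfer (negative
 * result) is encoded as length 0xFFFF so the AVR can STALL the 360's request. */
size_t reply_frame(int result, const uint8_t *data, uint8_t *out, size_t cap) {
    uint16_t len = result < 0 ? 0xFFFF : (uint16_t)result;
    size_t n = 2 + (result < 0 ? 0 : (size_t)result);
    if (cap < n) return 0;
    out[0] = (uint8_t)(len & 0xFF);
    out[1] = (uint8_t)(len >> 8);
    if (result > 0) memcpy(out + 2, data, (size_t)result);
    return n;
}

/* The transfer against the genuine controller. With libusb-0.1 this is
 * usb_control_msg(dev, s->bmRequestType, s->bRequest, s->wValue, s->wIndex,
 * (char *)buf, s->wLength, timeout_ms), which returns bytes transferred or < 0. */
typedef int (*control_fn)(const struct usb_setup *s, uint8_t *buf);

/* One PC-side relay step. Returns the reply-frame length, or 0 when the request
 * frame is still incomplete, oversized, or must be answered by the AVR itself. */
size_t relay_request(const uint8_t *frame, size_t len, control_fn xfer,
                     uint8_t *reply, size_t cap) {
    struct usb_setup s;
    uint8_t data[64] = {0}; /* bounds the data stage copied out of the frame */
    if (len < 8) return 0;
    setup_parse(frame, &s);
    if (len < request_frame_len(&s) || s.wLength > sizeof data) return 0;
    if (!setup_must_forward(&s)) return 0;
    if (!setup_is_in(&s)) memcpy(data, frame + 8, s.wLength);
    return reply_frame(xfer(&s, data), data, reply, cap);
}

/* Constructed stand-in for the genuine controller, so the example runs offline:
 * it fills IN transfers with 0xA5 and acknowledges OUT transfers. */
int fake_controller(const struct usb_setup *s, uint8_t *buf) {
    if (setup_is_in(s)) { memset(buf, 0xA5, s->wLength); return s->wLength; }
    return 0;
}

/* Constructed sample frames, as the AVR would send them over serial. */
const uint8_t SAMPLE_VENDOR_IN[8]   = {0xC1, 0x81, 0, 0, 0, 0, 0x10, 0}; /* vendor IN, 16 bytes */
const uint8_t SAMPLE_VENDOR_OUT[12] = {0x41, 0x82, 0, 0, 0, 0, 0x04, 0,
                                       0xDE, 0xAD, 0xBE, 0xEF};          /* vendor OUT, 4 bytes */
const uint8_t SAMPLE_SET_ADDRESS[8] = {0x00, 0x05, 0x07, 0, 0, 0, 0, 0}; /* SET_ADDRESS(7) */

int main(void) {
    uint8_t reply[66];
    size_t n = relay_request(SAMPLE_VENDOR_IN, 8, fake_controller, reply, sizeof reply);
    printf("vendor IN:   %zu-byte reply frame, data length %u\n", n, (unsigned)(reply[0] | reply[1] << 8));
    n = relay_request(SAMPLE_SET_ADDRESS, 8, fake_controller, reply, sizeof reply);
    printf("SET_ADDRESS: %s\n", n == 0 ? "not relayed, the AVR answers it" : "relayed?!");
    return 0;
}
```

Two practical points the code makes explicit: relay_request returns 0 until the whole frame (8 SETUP bytes plus the OUT data stage) has been accumulated, which the raw-mode serial read loop has to do itself since reads return arbitrary chunks; and a failed transfer is reported back to the AVR (here as length 0xFFFF) so it can STALL the 360's request instead of leaving it hanging. The libusb timeout passed to usb_control_msg therefore has to be shorter than what the 360 tolerates for the whole serial round trip.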
Results
Surprisingly, this is enough to spoof the 360 controller.
The current procedure is:
1- connect the USB to serial converter to the PC
2- connect the 360 controller to the PC
3- start the spoofer
4- connect the AVR USB to the 360
