Playstation 2 (Dual Shock) controller protocol notes
====================================================

There are many sources for information on the basics of the Playstation controller protocol. There is frustratingly little, however, in the way of comprehensive documentation for the controller's full command set.

This document is a rather loose collection of reverse-engineering notes, documenting a larger subset of the PS2 and Dual Shock protocols than I've seen elsewhere. The reader should already be familiar with the basics of the Playstation controller protocol.

This document has three primary sources:

  - Publicly available documents such as Playstation.txt
  - Traces from a homebrew PS2 controller/memory port sniffer
  - Interactively experimenting with a controller connected to both the above port sniffer and an arbitrary packet generator.

Since the Playstation always transmits and receives simultaneously, this document uses TX/RX notation, where TX is the hexadecimal command byte being transmitted to the controller and RX is the hexadecimal response byte. A | character is often used to separate the header from a command's payload, but it has no electrical significance.

--Micah Dowty <micah@navi.cx>

---------------------
General packet format
---------------------

  01/ff      High nybble is device type, low nybble is port number
             N/A (Always FF)

  42/        Command byte
    /41      High nybble is device mode/status, low nybble is the number of
             16-bit words of command-specific data.

  00/5a      N/A (Always 0)
             N/A (Always 5a. End-of-header?)

  .. command-specific data ..

             (Last byte is not ACK'ed)

The byte 0x5A seems to be used as padding in several situations. Besides end-of-header, it seems to be sent by the PS2 when the controller (via the low nybble of the second response byte) indicates it has more data to reply with, but the PS2 has no more parameter data to send.

Device modes:

  0x4: Digital
  0x7: Dual shock
  0xF: Escape

Note that the command byte and the mode/length byte are transferred simultaneously. This means that the length of the reply cannot directly depend on the command you just sent! This is probably the reason why all escape-mode commands are the same length: the reply length can be calculated using only the current mode, without any need to know which command is being replied to.

This means that the data dependencies between the command and the reply are quite small. The controller needs to process the command byte by the time the first command-specific reply byte is sent, and it needs to validate each byte in the header just enough to know whether that byte gets to be ACK'ed. There are no sub-byte data dependencies, and there is an entire byte of slack between the command and the command-specific data.
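
Added example (not part of the original notes): Python that parses a trace written in this document's TX/RX notation and checks the header rules from the general packet format. The function names and the sample trace are constructed for illustration.

```python
# Device modes as listed in the general packet format section.
MODES = {0x4: "Digital", 0x7: "Dual shock", 0xF: "Escape"}

def parse_trace(text):
    """Split 'tx/rx tx/rx | tx/rx ...' into parallel TX and RX byte lists."""
    tx, rx = [], []
    for pair in text.replace("|", " ").split():  # '|' has no electrical meaning
        t, r = pair.split("/")
        tx.append(int(t, 16))
        rx.append(int(r, 16))
    return tx, rx

def decode_header(tx, rx):
    """Validate the 3-byte header; return (command, mode name, RX payload)."""
    if len(tx) < 3 or len(rx) < 3:
        raise ValueError("truncated header")
    if rx[0] != 0xFF:
        raise ValueError("RX byte 0 should be FF")
    if tx[2] != 0x00 or rx[2] != 0x5A:
        raise ValueError("byte 2 should be 00/5a")
    mode, words = rx[1] >> 4, rx[1] & 0x0F
    if mode not in MODES:
        raise ValueError(f"unknown device mode 0x{mode:X}")
    payload = rx[3:]
    # The length nybble counts 16-bit words. It is clocked out while the
    # command byte is still arriving, so it can only depend on the mode.
    if len(payload) != 2 * words:
        raise ValueError(f"expected {2 * words} payload bytes, got {len(payload)}")
    return tx[1], MODES[mode], payload

# Constructed sample: a digital-mode poll (command 0x42) with no buttons pressed.
SAMPLE = "01/ff 42/41 00/5a | 00/ff 00/ff"

if __name__ == "__main__":
    command, mode, payload = decode_header(*parse_trace(SAMPLE))
    print(hex(command), mode, [hex(b) for b in payload])
```

A capture whose payload length disagrees with the length nybble is rejected, which is a quick way to spot a sniffer that dropped or duplicated a byte.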

-----------------
Packet reference:
-----------------

0x40 Initialize pressure sensor
===============================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 40/f3 00/5a | 00/00 02/00 00/02 00/00 00/00 00/5a

This command sets up parameters for a single pressure-sensitive button. Note that it is not required in order to use pressure sensitive buttons, and that this command by itself will not enable them. You still need to use command 0x4f to add them to the controller's results packet.

  Command data:
    0. Button number (0x00 - 0x0b, in the same order that the buttons are listed in the response packet)
    1. 0x02 (?)
    2. 0x00 (?)
    3. 0x00 (?)
    4. 0x00 (?)
    5. 0x00 (?)

  Response data:
    0. 0x00 (?)
    1. 0x00 (?)
    2. 0x02 (?)
    3. 0x00 (?)
    4. 0x00 (?)
    5. 0x5a (Padding?)

0x41 Get available polling results
==================================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 41/f3 00/5a | 5a/ff 5a/ff 5a/03 5a/00 5a/00 5a/5a

  Command data:
    - None (Padded with 0x5a)

  Response data:
    - In digital mode, returns all zeroes
    - In analog mode:
      0-4. Bitfield of available polling results. (This bitfield can be given verbatim to command 0x4f to enable all polling results)
      5. Always 0x5a (padding)

0x42 Controller poll (read buttons/axes, write actuators)
=========================================================

  * Valid in escape (0xf) and non-escape modes

  01/ff 42/41 00/5a | 00/ff 00/ff

  Side effects:
    Exits escape mode

  Command data:
    6 bytes of Actuator data (DualShock mode only). See Command 0x4d for details on actuator data.

  Response data:
    The length of the response varies, depending on the controller mode. The following data bytes are available. The actual set of data sent during each poll is controlled by Command 0x4f.

    Digital mode:
      0. buttons (1)
      1. buttons (2)

    DualShock mode (enabled by default):
      2. right_analog_x
      3. right_analog_y
      4. left_analog_x
      5. left_analog_y

    DualShock mode (disabled by default):
      6. right_pressure
      7. left_pressure
      8. up_pressure
      9. down_pressure
      10. triangle_pressure
      11. circle_pressure
      12. cross_pressure
      13. square_pressure
      14. l1_pressure
      15. r1_pressure
      16. l2_pressure
      17. r2_pressure

0x43 Controller read and escape
===============================

  * Valid in escape (0xf) and non-escape modes

  01/ff 43/41 00/5a | 01/ff 00/ff

  Command data:
    0. 0 to exit escape mode, 1 to enter escape mode
    1. Always zero?

  Response data:
    (Same as command 0x42)

Hypothesis: Command 0x43 is a controller read, like command 0x42, but the first PSX-to-controller byte indicates whether to put the controller into an escape mode. In escape mode, the controller's mode is reported as 0xF and several additional commands are available.

0x44 Set major mode (DualShock/Digital)
=======================================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 44/f3 00/5a | 01/00 03/00 00/00 00/00 00/00 00/00

  Side effects:
    - Disables pressure-sensitive buttons.
    - When DualShock mode is enabled, the Analog light goes on.
    - When DualShock mode is disabled, the Analog light goes off.

  WARNING: There is a watchdog timer on DualShock mode. If the controller doesn't see the PSX polling (Command 0x42) for a few seconds, it switches back to Digital mode.

  Command data:
    0. 0x01 to set DualShock mode, 0x00 to set Digital mode
    1. 0x03 (?)
    2. 0x00 (?)
    3. 0x00 (?)
    4. 0x00 (?)
    5. 0x00 (?)

  Response data:
    Always zero?

0x45 Read extended status 1
===========================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 45/f3 00/5a | 5a/03 5a/02 5a/01 5a/02 5a/01 5a/00

  Command data:
    - None (Padded with 0x5a)

  Response data:
    - 0x03 (?) on Dual Shock controller, 0x01 (?) for Guitar Hero controller
    - 0x02 (?)
    - 0x01 if the Analog light is on, 0x00 if it's off.
    - 0x02 (?)
    - 0x01 (?)
    - 0x00 (?)

0x46 Read constant 1
====================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 46/f3 00/5a | 00/00 5a/00 5a/01 5a/02 5a/00 5a/0a
  01/ff 46/f3 00/5a | 01/00 5a/00 5a/01 5a/01 5a/01 5a/14

  Command data:
    0. Offset (0 or 1)
    (Padded with 0x5A)

This command reads some unknown identifier or status block. The block is 10 bytes long, and has a constant value on every controller and operating mode I've tested:

  00 01 02 00 0a 00 01 01 01 14

0x47 Read constant 2
====================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 47/f3 00/5a | 00/00 5a/00 5a/02 5a/00 5a/01 5a/00

  Command data:
    0. Offset? (always 0)
    (Padded with 0x5A)

This command reads some unknown identifier or status block. The block is 5 bytes long, and has a constant value on every controller and operating mode I've tested:

  00 02 00 01 00

0x4c Read constant 3
====================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 4c/f3 00/5a | 00/00 5a/00 5a/00 5a/04 5a/00 5a/00
  01/ff 4c/f3 00/5a | 01/00 5a/00 5a/00 5a/07 5a/00 5a/00

  Command data:
    0. Offset (0 or 1)
    (Padded with 0x5A)

This command reads some unknown identifier or status block. The block is 10 bytes long, and has a constant value on every controller and operating mode I've tested:

  00 00 04 00 00 00 00 07 00 00

0x4d Specify polling command format
===================================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 4d/f3 00/5a | 00/00 01/01 ff/ff ff/ff ff/ff ff/ff

This command sets up a mapping between bytes in each controller poll (Command 0x42) and the controller's actuator channels. Each data byte in this command dictates the meaning of the corresponding data byte in command 0x42.

For the Dual Shock controller, this command can specify the following actuator channels:

  00: Small vibration motor, with no speed control. If this channel is set to 0xFF, the small motor turns on. Any other value turns it off.
  01: Larger vibration motor, with 8-bit variable speed.
  ff: Disabled

The example packet above is typical for a Dual Shock controller.

This command's response packet is the previous actuator mapping. By default all channels are disabled, so when this command is run immediately after switching into DualShock mode it will return all 0xFF.

0x4f Specify polling result format
==================================

  * Only ACK'ed when the controller is in escape mode (0xF)

  01/ff 4f/f3 00/5a | ff/00 ff/00 03/00 00/00 00/00 00/5a

  Command data:
    Bitfield indicating which bytes in the response packet should be included. This lets the host instruct the controller to include more or less data than it would by default. This command is used to enable pressure-sensitive buttons, and it can be used to disable any of the default response bytes.

  Response data:
    0. Always 0x00
    1. Always 0x00
    2. Always 0x00
    3. Always 0x00
    4. Always 0x00
    5. Always 0x5a
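
Added example (not part of the original notes): Python that builds the command 0x4f bitfield for a chosen set of poll results and labels the payload of a later command 0x42 response. It assumes bit n of the bitfield, counting from the least significant bit of the first byte, selects response byte n in the order listed under command 0x42; the function names and sample payloads are constructed.

```python
# Response bytes of command 0x42, in the order this document lists them.
FIELDS = [
    "buttons_1", "buttons_2",
    "right_analog_x", "right_analog_y", "left_analog_x", "left_analog_y",
    "right_pressure", "left_pressure", "up_pressure", "down_pressure",
    "triangle_pressure", "circle_pressure", "cross_pressure", "square_pressure",
    "l1_pressure", "r1_pressure", "l2_pressure", "r2_pressure",
]

def bitfield_for(names):
    """Five bitfield bytes for command 0x4f selecting the named response bytes.
    Assumption: bit n (LSB of the first byte is bit 0) selects response byte n."""
    mask = 0
    for name in names:
        mask |= 1 << FIELDS.index(name)  # ValueError on an unknown name
    return list(mask.to_bytes(5, "little"))

def command_4f(bitfield):
    """TX bytes for command 0x4f: 3-byte header, 5 bitfield bytes, 1 zero byte,
    following the layout of the example packet in this section."""
    return [0x01, 0x4F, 0x00] + list(bitfield) + [0x00]

def decode_poll(bitfield, payload):
    """Label the RX payload of a 0x42 poll using the bitfield in effect."""
    mask = int.from_bytes(bytes(bitfield), "little")
    if mask >> len(FIELDS):
        raise ValueError("bitfield selects bytes beyond the 18 listed")
    names = [f for n, f in enumerate(FIELDS) if (mask >> n) & 1]
    # Assumption: the header length counts 16-bit words, so an odd selection
    # arrives with one trailing byte, which is ignored here.
    expected = len(names) + (len(names) & 1)
    if len(payload) != expected:
        raise ValueError(f"expected {expected} payload bytes, got {len(payload)}")
    return dict(zip(names, payload))

if __name__ == "__main__":
    chosen = ["buttons_1", "buttons_2", "cross_pressure", "square_pressure"]
    bits = bitfield_for(chosen)
    print([hex(b) for b in command_4f(bits)])
    print(decode_poll(bits, [0xFF, 0xBF, 0x80, 0x00]))  # constructed payload
```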