PspRemoteControlProtocol

From EurAsiaWiki


Ok, now I can't keep my soldering iron out of the remote any longer.

I built a snooping device using an EZ-USB microcontroller, and logged all the traffic between the PSP and the remote control.

First of all, forget what I said about pin 3 and 6. Looking at the logs, it is clear that pin 3 is the PSP talking, and pin 6 is the remote.

Without further ado, here are the logs I captured:

Cold start
==========

Pin6 00:00:00.557 : f0
Pin6 00:00:00.617 : f0
Pin6 00:00:00.677 : f0
Pin6 00:00:00.737 : f0
Pin6 00:00:00.796 : f0

Pin6 00:00:00.856 : f0
Pin3 00:00:00.870 : f8
Pin6 00:00:00.876 : fd 80 01 01 01 81 fe
Pin3 00:00:00.906 : fa
Pin6 00:00:00.911 : f0
Pin3 00:00:00.916 : f8
Pin6 00:00:00.921 : fd 83 01 a8 00 47 6d fe
Pin6 00:00:01.001 : f0
Pin6 00:00:01.061 : f0
Pin3 00:00:01.080 : f0

Pin3 00:00:02.430 Framing error (BRK?)
Pin6 00:00:02.430 Framing error (BRK?)

Pin6 00:00:02.555 : f0
Pin3 00:00:02.567 : f8
Pin6 00:00:02.571 : fd 80 01 01 01 81 fe
Pin3 00:00:02.600 : fa
Pin6 00:00:02.605 : f0
Pin3 00:00:02.617 : f8
Pin6 00:00:02.620 : fd 83 01 a8 00 47 6d fe
Pin3 00:00:02.650 : fb f0
Pin6 00:00:02.655 : f8
Pin3 00:00:02.667 : fd 03 01 02 fe
Pin6 00:00:02.680 : fb
Pin3 00:00:02.683 : f0
Pin6 00:00:02.685 : f0
Pin3 00:00:02.700 : f8
Pin6 00:00:02.705 : fd 84 00 00 84 fe
Pin3 00:00:02.719 : fa f0
Pin6 00:00:02.725 : f8
Pin3 00:00:02.733 : fd 02 00 02 fe
Pin6 00:00:02.745 : fa

*

Pin3 00:00:03.749 : f0
Pin6 00:00:03.757 : f8
Pin3 00:00:03.767 : fd 03 00 03 fe
Pin6 00:00:03.782 : fb

Pin3 00:00:04.800 : f0
Pin6 00:00:04.807 : f8
Pin3 00:00:04.817 : fd 02 00 02 fe
Pin6 00:00:04.832 : fa

repeat from *

As I already had seen on the oscilloscope, the last exchanges are repeated every second indefinitely. By pressing the button, I can get other exchanges:

Play/Pause Pressed
==================

Pin6 00:00:38.302 : f0
Pin3 00:00:38.317 : f8
Pin6 00:00:38.322 : fd 85 01 00 84 fe
Pin3 00:00:38.351 : fb f0
Pin6 00:00:38.357 : f8
Pin3 00:00:38.368 : fd 03 00 03 fe
Pin6 00:00:38.382 : fb

Play/Pause Released
===================

Pin6 00:00:42.250 : f0
Pin3 00:00:42.268 : f8
Pin6 00:00:42.275 : fd 84 00 00 84 fe
Pin3 00:00:42.301 : fa f0
Pin6 00:00:42.310 : f8
Pin3 00:00:42.334 : fd 03 00 03 fe
Pin6 00:00:42.350 : fb

(These logs each show one key event and one periodic event.)

From studying this, much of the protocol becomes clear.

Control characters

F0 : I want to speak
F8 : Go ahead and speak
FD : Message begins
FE : Message ends
FA : Message received ok (phase 0)
FB : Message received ok (phase 1)

If a message is not acknowledged with FA/FB in due time, F0 is sent again to initiate a retransmission. If three F0's go unanswered after a connection has already been established, some kind of BREAK seems to be used to reset the communication (it's a low pulse longer than 9 bit lengths, but I haven't measured the exact length).

The actual messages begin with one command byte, the least significant bit of which is the phase bit, which is not part of the command itself. The phase is inverted for each successfully acknowledged command, so that you can tell a new command from a retransmission of an old one. This is also why there are two acknowledge codes.

After the command come zero or more data bytes, depending on the command, and finally a checksum, which is the XOR of the command byte and all data bytes.

The periodic command, which is sent by the PSP, has command code 0x02, and one data byte which seems to be always zero.

The remote uses commands 0x80 and 0x82 during the init phase (presumably all commands that go from the peripheral to the PSP have the MSB set), probably to identify itself and perhaps set some parameters.

When keys on the remote are pressed or released, the command 0x84 is sent (this is also sent during the init phase, to tell which keys were already pressed when the remote was plugged in). It has two bytes of data, which form a 16-bit (little endian) bitfield of which keys are pressed. The keys are:

0x0001: Play/Pause
0x0004: Fast Forward
0x0008: Rewind
0x0010: Vol +
0x0020: Vol -
0x0080: Hold

The remaining 10 bits do not correspond to any key on the remote, but the jumps in the codes suggest that they might be assigned to keys present on more feature-rich remotes.
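
The framing rules above can be checked against the captured lines with a short decoder. This is an added example, not code from the original page: the names `parse_frame` and `parse_log_line` are hypothetical, and it assumes the log line layout shown in the captures and treats the MSB of the command byte as the direction flag, which the text only presumes.

```python
# Added example: decoder for the frames described above (not the author's code).
KEYS = {0x0001: "Play/Pause", 0x0004: "Fast Forward", 0x0008: "Rewind",
        0x0010: "Vol +", 0x0020: "Vol -", 0x0080: "Hold"}
ACK = {0: 0xFA, 1: 0xFB}  # acknowledge byte expected for each phase


def parse_frame(raw):
    """Parse one 'FD cmd data... checksum FE' frame given as bytes."""
    if len(raw) < 4 or raw[0] != 0xFD or raw[-1] != 0xFE:
        raise ValueError("not an FD ... FE frame")
    body, checksum = raw[1:-2], raw[-2]
    calc = 0
    for b in body:  # checksum is the XOR of the command byte and all data bytes
        calc ^= b
    if calc != checksum:
        raise ValueError(f"bad checksum: got {checksum:02x}, computed {calc:02x}")
    # Bit 0 of the first byte is the phase bit, not part of the command.
    cmd, phase, data = body[0] & 0xFE, body[0] & 1, bytes(body[1:])
    msg = {"cmd": cmd, "phase": phase, "data": data, "ack": ACK[phase],
           "from_remote": bool(cmd & 0x80)}  # MSB as direction: presumed
    if cmd == 0x84:  # key report: 16-bit little-endian bitfield
        if len(data) != 2:
            raise ValueError("key report needs two data bytes")
        bits = int.from_bytes(data, "little")
        msg["keys"] = [name for mask, name in KEYS.items() if bits & mask]
        msg["unknown_bits"] = bits & ~sum(KEYS)  # bits with no known key
    return msg


def parse_log_line(line):
    """Decode a 'PinN hh:mm:ss.mmm : xx xx ...' line; None if no frame in it."""
    _, sep, hexpart = line.partition(" : ")
    if not sep:  # e.g. the "Framing error (BRK?)" lines
        return None
    raw = bytes.fromhex(hexpart)
    return parse_frame(raw) if raw[:1] == b"\xfd" else None


if __name__ == "__main__":
    # Lines copied from the captures on this page.
    for line in ("Pin6 00:00:38.322 : fd 85 01 00 84 fe",
                 "Pin6 00:00:42.275 : fd 84 00 00 84 fe",
                 "Pin3 00:00:02.733 : fd 02 00 02 fe",
                 "Pin3 00:00:38.351 : fb f0"):
        print(line, "->", parse_log_line(line))
```
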

Now one of the probe wires came loose, so I guess it's time to go and update the webpage. :-)


http://mc.pp.se/psp/phones.xhtml

Retrieved from "http://www.eurasia.nu/wiki/index.php/PspRemoteControlProtocol"

This page was last modified 08:33, 17 February 2010.