VSH plugin for Bluetooth

[Makara]

Would there be any possibility of getting a PSP Go to IPhone bluetooth connection working?

I've read that it's due to different profiles being used (DUN vs PAN)?

Advertising

[Orohu]

I managed to get it working, with a cheap Targus adapter, the Widcomm stack, and the A2DP profile. Now I can play my PSP Go's audio through my computer speakers wirelessly.
I'm still not exactly sure how to use the HSP profile with my computer, though.

Advertising

[Atros]

Hello guys i like where u going:) & thx 4 the efforts, i may have 2 ideas that might worth digging.
1st how about to adapt this little piece of software pspdisp its now support only a wifi & usb interface & it would be nice if a bt interface could be supported i already mailed the author & asked him to do it
second idea may be to mod "fusa gamepad" a nice & working homebrew to be able to use the pspgo as a gamepad to the pc using bt interface. =>http://foosa.do.am/news/fusa_gamepad_ve ... 0-01-03-23
i asked him to release the code source of it may be he could listen to u guys

Thx again 4 the good work
Cheers

[JJS]

1st how about to adapt this little piece of software pspdisp its now support only a wifi & usb interface & it would be nice if a bt interface could be supported i already mailed the author & asked him to do it

Yes, you did . I am just a bit rubbish with replying to my emails. Doing this is not easy at all though. Again this is mostly due to the lack of native PAN support.

[agatio123]

any updates here sir jjs?im already enjoying my psp using my laptop as a speaker...

[JiGGY]

Recognizes my Macbook as an SPP device.

I sure hope some bluetooth wizkid picks-up on this plugin, this is a great find jjs!

Edit: Forgot to mention! Even though it sees it and accepts it too, the connection drops after 2 seconds. When I press connect again, same; 2 seconds and gone.

[Strangelove]

Dumping the info I got on the PSP's bluetooth capabilities. I figure a PSP hacker could make more use of it than I.
---

BD Address: XX:XX:XX:XX:XX:XX
Device Name: "PSP"
LMP Version: 2.1 (0x4) LMP Subversion: 0x17d4
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xff 0xff 0x07 0xfe 0x8b 0x3f 0x51 0x83
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <hold mode> <sniff mode>
<park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
<HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
<power control> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps>
<enhanced iscan> <interlaced iscan> <interlaced pscan>
<inquiry with RSSI> <extended SCO> <EV4 packets> <EV5 packets>
<AFH cap. slave> <3-slot EDR ACL> <5-slot EDR ACL>
<sniff subrating> <pause encryption> <AFH cap. master>
<AFH class. master> <EDR eSCO 2 Mbps> <extended inquiry>
<encapsulated PDU> <non-flush flag> <LSTO> <inquiry TX power>
<extended features>



Service RecHandle: 0x10000
Service Class ID List:
"Audio Source" (0x110a)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 25
"AVDTP" (0x0019)
uint16: 0x100
Profile Descriptor List:
"Advanced Audio" (0x110d)
Version: 0x0100

Service Name: Sony
Service Description: PSP Bluetooth Controller
Service Provider: Sony HIDEngine
Service RecHandle: 0x10001
Service Class ID List:
"Human Interface Device" (0x1124)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 17
"HIDP" (0x0011)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Human Interface Device" (0x1124)
Version: 0x0100

Service Name: Voice Gateway
Service RecHandle: 0x10002
Service Class ID List:
"Headset Audio Gateway" (0x1112)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Profile Descriptor List:
"Headset" (0x1108)
Version: 0x0100

Service RecHandle: 0x10003
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

Service Description: PlayStation Portable(R)
Service RecHandle: 0x10004
Service Class ID List:
"PnP Information" (0x1200)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 1
"SDP" (0x0001)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"PnP Information" (0x1200)
Version: 0x0100

Service RecHandle: 0x10005
Service Class ID List:
"AV Remote" (0x110e)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x100
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100

[Strangelove]

Figured out a number of the unknown entries in the device enumeration struct (one was the MAC). also documented better the known ones.

Patch attached.

[npt]

JJS,
I must say, very cool code. I hadn't read it as of yet as I've been dang busy with miniS stuff, but finally I took the time as I thought this would be very cool w/ 6.20 TN-C, my psp Go(s), and all the bluetooth devices I have. Didn't realize how developed it was. Cheers mate! I can see a LOT of cool stuff coming from this, and you made is so easy for us! Thanks! Surprised I hadn't heard more about it. Keep it up.



npt

Have some code now

This version implements the "syscall stub in user memory" technique I wrote about in the last post. So now not only does the checking function get hooked now, it also writes out a logfile to "ef0:/btfree_log.txt" with the found devices. The function will get called repeatedly with the same values, so there will be duplicates in the file and it will grow every 5 seconds maybe.

Code: Select all

#include <pspsdk.h> 
#include <pspkernel.h> 
#include <systemctrl.h> 
#include <psploadcore.h>
#include <string.h>
#include <stdio.h>


PSP_MODULE_INFO("btfree", 0x1000, 0, 0);


// Prototype not in the PSPSDK
int sceKernelQuerySystemCall(void* function);


// Just some error codes I found in the bt module
#define PSP_ERROR_BLUETOOTH_ALREADY_REGISTERED 0x802F0131
#define PSP_ERROR_BLUETOOTH_UNSUPPORTED_DEVICE 0x802F0135


#define MAKE_CALL(f) (0x0c000000 | (((u32)(f) >> 2)  & 0x03ffffff))
#define MAKE_SYSCALL(n) (0x03ffffff & (((u32)(n) << 6) | 0x0000000c))


// Previous start module handler
STMOD_HANDLER previousStartModuleHandler = NULL; 

// Address for the syscall stub in user memory
int blockAddress = 0;

// This struct is passed to sub_09498 in bluetooth_plugin_module
typedef struct
{
	u32 stuct_size; // size of this struct = 0x54
	u16 item_number; // first item in array has 1, second has 2
	u16 name[32]; // in unicode
	u16 unknown1;
	u8 major_service_class; // probably this
	u8 major_device_class; // 1 = PC, 2 = phone, 4 = audio/video, 5 = peripheral device
	u8 minor_device_class; // different meaning depending on the major class
	u8 unknown2;
	u32 unknown3; // always the same for a given device
	u16 unknown4; // always the same for a given device
	u16 unknown5;
}
btDeviceInfo;


// Function pointer to the original sub_09498 in bluetooth_plugin_module
int (*bluetooth_plugin_module_sub_09498)(int, btDeviceInfo*, int) = NULL;


void fillBufferFromWidechar(unsigned short* inputBuffer, char* outputText)
{
  int i;
  for (i = 0; inputBuffer[i]; i++)
  {
    outputText[i] = inputBuffer[i];
  }

  outputText[i] = 0;
}


void logFilePrintf(char* format, int arg1)
{
	SceUID logfile = sceIoOpen("ef0:/btfree_log.txt", PSP_O_CREAT | PSP_O_WRONLY | PSP_O_APPEND, 0777);

	if (logfile > -1)
	{
		char buffer[100];
		sprintf(buffer, format, arg1);
		sceIoWrite(logfile, buffer, strlen(buffer));
		sceIoClose(logfile);
	}
}



int bluetooth_plugin_module_sub_09498_hook(int unknown, btDeviceInfo* devices, int count)
{
	int k1 = pspSdkSetK1(0);

	if (count > 0)
	{
		// Log the device info
		logFilePrintf("--------------------\n", 0);
		
		char name[32];
		int i;

		for (i = 0; i < count; i++)
		{
			fillBufferFromWidechar(devices[i].name, name);
			logFilePrintf("name         : %s\n", (u32)name);
			logFilePrintf("unknown1     : 0x%08lX\n", (u32)devices[i].unknown1);
			logFilePrintf("major_srv_cl : 0x%08lX\n", (u32)devices[i].major_service_class);
			logFilePrintf("major_dev_cl : 0x%08lX\n", (u32)devices[i].major_device_class);
			logFilePrintf("minor_dev_cl : 0x%08lX\n", (u32)devices[i].minor_device_class);
			logFilePrintf("unknown1     : 0x%08lX\n", (u32)devices[i].unknown2);
			logFilePrintf("unknown2     : 0x%08lX\n", (u32)devices[i].unknown3);
			logFilePrintf("unknown3     : 0x%08lX\n", (u32)devices[i].unknown4);
			logFilePrintf("unknown4     : 0x%08lX\n", (u32)devices[i].unknown5);
			logFilePrintf("\n", 0);

			// Device class can be changed here
			//devices[i].major_device_class = 2;
			//devices[i].minor_device_class = 4;
		}
	}

	pspSdkSetK1(k1);

	// Call the original function
	return bluetooth_plugin_module_sub_09498(unknown, devices, count);
}




int on_module_start(SceModule2* mod) 
{
	// Get active on the Bluetooth VSH plugin
	if (strcmp(mod->modname, "bluetooth_plugin_module") == 0) 
	{ 
		logFilePrintf("Entering on_module_start\n", 0);

		// Store function pointer to the original sub_09498
		bluetooth_plugin_module_sub_09498 = (void*)(mod->text_addr + 0x00009498);
		logFilePrintf("bluetooth_plugin_module_sub_09498 = 0x%08lX\n", (u32)bluetooth_plugin_module_sub_09498);

		// Setup a syscall stub in user memory
		if (blockAddress == 0)
		{
			SceUID blockId = sceKernelAllocPartitionMemory(2, "btfree_stub", PSP_SMEM_Low, 2 * sizeof(int), NULL);
			logFilePrintf("blockId = 0x%08lX\n", (u32)blockId);

			blockAddress = (int)sceKernelGetBlockHeadAddr(blockId);
			logFilePrintf("blockAddress = 0x%08lX\n", (u32)blockAddress);

			// Get syscall of the hook function
			int syscall = sceKernelQuerySystemCall(&bluetooth_plugin_module_sub_09498_hook);
			logFilePrintf("syscall = 0x%08lX\n", (u32)syscall);

			// Write syscall stub
			_sw(0x03E00008, blockAddress); // jr $ra
			_sw(MAKE_SYSCALL(syscall), blockAddress + sizeof(int)); // syscall
		}

		// Hook the call to the original function in bluetooth_plugin_module
		_sw(MAKE_CALL(blockAddress), mod->text_addr + 0x000095A4);


		// Now patch sub_09498 to accept any device class

		// There is a check for the device type that goes something like this:
		//
		// if (((descriptor & 0x000000FF) == 0x00000005) || (...) || (...)))
		//
		// It gets changed to:
		//
		// if (((descriptor & 0x000000FF) != 0x0000FFFF) || (...) || (...)))
		//
		// The result is obviously that the statement always evaluates as true,
		// therefore no devices are rejected early.

		// write "li $t6, 0xFFFF", was "li $t6, 0x5"
		_sw(0x240EFFFF, mod->text_addr + 0x000094A8);

		// write "bne $v0, $t6, loc_000094E4", was "beq $v0, $t6, loc_000094E4"
		_sw(0x144E0003, mod->text_addr + 0x000094D4);
	} 

	// Call previously set start module handler if necessary
	if (previousStartModuleHandler)
		return previousStartModuleHandler(mod);
	else
		return 0;
} 



int module_start(SceSize args, void* argp)
{
	// Establish a handler that gets called before any modules "module_start" function is called.
	// A previous handler gets saved.
	previousStartModuleHandler = sctrlHENSetStartModuleHandler(on_module_start);

	return 0;
}





int module_stop(SceSize args, void* argp)
{
	// Restore the previous start module handler if there was one
	if (previousStartModuleHandler)
		sctrlHENSetStartModuleHandler(previousStartModuleHandler);

	return 0;
}

Edit: I thought it was fishy that bluetooth and usb were mutually exclusive, but now it all makes sense. The bluetooth module is obviously attached to the USB port. The driver for it is usbbsmcdc.prx. I also found were the LED is blinked, you could patch it in there in the function sub_00A24().

[darkassain]

Edit: I thought it was fishy that bluetooth and usb were mutually exclusive, but now it all makes sense. The bluetooth module is obviously attached to the USB port. The driver for it is usbbsmcdc.prx. I also


found were the LED is blinked, you could patch it in there in the function sub_00A24().

do you by any chance know the parameters in the correct order to this subroutine?
searching didnt yield any good results...
thanks

EDIT: found the function that can change it (didnt think it was the same function used for wifi my bad) on pg1 sorry for not looking deeper....

EDIT 2: looking at the headers sceLedSetMode() (not to mention the link you gave btw thanks) is only for the Power and wlan, is possible to use it for MS orange LED (searching gave me sce's GPIO function) and the Blue Bluetooth LED(cant see any mentioning of this one, although i know its pretty early to expect something like this...)?