Homebrew WIP RCM Payload Injection with Java (Need help)

DylanWedman

I'm working on a sort-of rewrite of fusee-launcher in Java that allows you to inject a payload. It's using the usb4java Java library with libusb. After a lot of trial and error, I got it to read 16 bytes as part of the exploit process. When it does that, it then allows me to send some hard-coded bytes to my Switch, and sometimes it reports as a success. I want to take this further and hopefully create a working payload injector, but I will need some help. To put it simply, I'm stuck on step 5 of the exploit execution section on the fusee-gelee disclosure.

Here's what I got so far:

Code:
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.IntBuffer;
import org.usb4java.BufferUtils;
import org.usb4java.DeviceHandle;
import org.usb4java.LibUsb;
import org.usb4java.LibUsbException;

public class Test {

    private static final short vendorID = 0x0955;
    private static final short productID = 0x7321;

    private static final byte IN_ENDPOINT = (byte) 0x81;
    private static final byte OUT_ENDPOINT = (byte) 0x01;

    private static final int TIMEOUT = 5000;

    public static void main(String[] args) {
        // Initialize the libusb context
        int result = LibUsb.init(null);

        if (result != LibUsb.SUCCESS) {
            throw new LibUsbException("Unable to initialize libusb", result);
        }

        // Search for RCM device and open it.
        DeviceHandle handle = LibUsb.openDeviceWithVidPid(null, vendorID, productID);

        if (handle == null) {
            System.err.println("RCM device not found.");
            System.exit(-1);
        }

        // Claim the interface
        result = LibUsb.claimInterface(handle, 0);

        if (result != LibUsb.SUCCESS) {
            throw new LibUsbException("Unable to claim interface", result);
        }

        // Reads 16 bytes
        read(handle, 16);

        byte[] testData = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
        write(handle, testData);

        // Release the claimed interface, then close the device
        LibUsb.releaseInterface(handle, 0);
        LibUsb.close(handle);

        // Deinitialize the libusb context
        LibUsb.exit(null);
    }

    public static ByteBuffer read(DeviceHandle handle, int size) {
        ByteBuffer buffer = BufferUtils.allocateByteBuffer(size).order(ByteOrder.LITTLE_ENDIAN);
        IntBuffer transferred = BufferUtils.allocateIntBuffer();
        int result = LibUsb.bulkTransfer(handle, IN_ENDPOINT, buffer, transferred, TIMEOUT);

        if (result != LibUsb.SUCCESS) {
            throw new LibUsbException("Unable to read data", result);
        }

        System.out.println(transferred.get() + " bytes read from RCM device");

        return buffer;
    }

    public static void write(DeviceHandle handle, byte[] data) {
        ByteBuffer buffer = BufferUtils.allocateByteBuffer(data.length);
        buffer.put(data);
        IntBuffer transferred = BufferUtils.allocateIntBuffer();
        int result = LibUsb.bulkTransfer(handle, OUT_ENDPOINT, buffer, transferred, TIMEOUT);

        if (result != LibUsb.SUCCESS) {
            throw new LibUsbException("Unable to send data", result);
        }

        System.out.println(transferred.get() + " bytes sent to RCM device");
    }
}

If anyone has any tips to help me out, that would be much appreciated.
 