I'm working on a sort-of re-write of fusee-launcher in Java that allows you to inject a payload. It's using the usb4java Java library with libusb. After a lot of trial and error, I got it to read 16 bytes as part of the exploit process. When it does that, it then allows me to send some hard-coded bytes to my Switch and sometimes it reports as a success. I want to take this further and hopefully create a working payload injector but I will need some help. To put it simple, I'm stuck on step 5 of the exploit execution section on the fusee-gelee disclosure.
Here's what I got so far:
If anyone has any tips to help me out, that would be much appreciated.
Here's what I got so far:
Code:
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.IntBuffer;
import org.usb4java.BufferUtils;
import org.usb4java.DeviceHandle;
import org.usb4java.LibUsb;
import org.usb4java.LibUsbException;
public class Test {
private static final short vendorID = 0x0955;
private static final short productID = 0x7321;
private static final byte IN_ENDPOINT = (byte) 0x81;
private static final byte OUT_ENDPOINT = (byte) 0x01;
private static final int TIMEOUT = 5000;
public static void main(String[] args) {
// Initialize the libusb context
int result = LibUsb.init(null);
if (result != LibUsb.SUCCESS) {
throw new LibUsbException("Unable to initialize libusb", result);
}
// Search for RCM device and open it.
DeviceHandle handle = LibUsb.openDeviceWithVidPid(null, vendorID, productID);
if (handle == null) {
System.err.println("RCM device not found.");
System.exit(-1);
}
// Claim the interface
result = LibUsb.claimInterface(handle, 0);
if (result != LibUsb.SUCCESS) {
throw new LibUsbException("Unable to claim interface", result);
}
// Reads 16 bytes
read(handle, 16);
byte[] testData = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
write(handle, testData);
// Close the device
LibUsb.close(handle);
// Deinitialize the libusb context
LibUsb.exit(null);
}
public static ByteBuffer read(DeviceHandle handle, int size) {
ByteBuffer buffer = BufferUtils.allocateByteBuffer(size).order(ByteOrder.LITTLE_ENDIAN);
IntBuffer transferred = BufferUtils.allocateIntBuffer();
int result = LibUsb.bulkTransfer(handle, IN_ENDPOINT, buffer, transferred, TIMEOUT);
if (result != LibUsb.SUCCESS) {
throw new LibUsbException("Unable to read data", result);
}
System.out.println(transferred.get() + " bytes read from RCM device");
return buffer;
}
public static void write(DeviceHandle handle, byte[] data) {
ByteBuffer buffer = BufferUtils.allocateByteBuffer(data.length);
buffer.put(data);
IntBuffer transferred = BufferUtils.allocateIntBuffer();
int result = LibUsb.bulkTransfer(handle, OUT_ENDPOINT, buffer, transferred, TIMEOUT);
if (result != LibUsb.SUCCESS) {
throw new LibUsbException("Unable to send data", result);
}
System.out.println(transferred.get() + " bytes sent to RCM device");
}
}If anyone has any tips to help me out, that would be much appreciated.
Last edited by DylanWedman,
