public static void SendPayload(FileInfo info)
{
Writes = 0;
byte[] payload = File.ReadAllBytes(info.FullName);
var buf = new byte[0x10];
Device.ReadPipe(0x81, buf, 0x10, out _, IntPtr.Zero);
WritePayload(Device, SwizzlePayload(payload));
if (Writes % 2 != 1)
{
Console.WriteLine("Switching buffers...");
Device.WritePipe(1, new byte[0x1000], 0x1000, out _, IntPtr.Zero);
}
var setup = new WINUSB_SETUP_PACKET
{
RequestType = 0x81,
Request = 0,
Value = 0,
Index = 0,
Length = 0x7000
};
Task.Run(() => Device.ControlTransfer(setup, new byte[0x7000], 0x7000, out var b, IntPtr.Zero));
}
internal static extern bool WinUsb_ControlTransfer(
IntPtr InterfaceHandle,
WINUSB_SETUP_PACKET SetupPacket,
byte[] Buffer,
uint BufferLength,
out uint LengthTransferred,
IntPtr Overlapped);
/// <summary>
/// Performs a control transfer that has no data stage.
/// </summary>
/// <param name="setupPacket">The SETUP packet to send to the device.</param>
protected unsafe void controlTransfer(WINUSB_SETUP_PACKET setupPacket)
{
UInt32 lengthTransferred = controlTransfer(setupPacket, (Byte *)null);
if (lengthTransferred != 0)
{
throw new Exception("The control transfer was expected to have no data stage, but " + lengthTransferred + " bytes were transferred.");
}
}
internal void controlTransfer(byte RequestType, byte Request, ushort Value, ushort Index)
{
WINUSB_SETUP_PACKET setupPacket = new WINUSB_SETUP_PACKET();
setupPacket.RequestType = RequestType;
setupPacket.Request = Request;
setupPacket.Value = Value;
setupPacket.Index = Index;
setupPacket.Length = 0;
controlTransfer(setupPacket);
}
/// <summary>
/// Performs a control transfer, a series of USB transactions that
/// consist of a SETUP packet sent to the device, an optional data
/// phase for transferring bytes to the host or the device, and an
/// acknowledgement packet form the party that did not send the
/// data phase.
///
/// A control transfer with no data phase is considered to be a
/// control write transfer, so the acknowledgement packet comes
/// from the device.
/// </summary>
/// <param name="buffer">
/// If this is a Read transfer, this is the buffer that the data from the
/// device will be read in to during the data stage. If this is a Write
/// transfer, this is the buffer that will be written to the device during
/// the data stage.
/// </param>
/// <param name="setupPacket">The SETUP packet to send to the device.</param>
/// <returns>
/// The number of bytes transferred in the data stage.
/// This is usually equal to setupPacket.wLength.
/// </returns>
protected unsafe UInt32 controlTransfer(WINUSB_SETUP_PACKET setupPacket, void *buffer)
{
UInt32 lengthTransferred = 0;
Boolean success = WinUsb_ControlTransfer(handles.winusbHandle, setupPacket, buffer, setupPacket.Length, &lengthTransferred, (OVERLAPPED *)0);
if (!success)
{
throw new Win32Exception("Control transfer failed.");
}
return(lengthTransferred);
}
internal unsafe uint controlTransfer(byte RequestType, byte Request, ushort Value, ushort Index, void *data, ushort Length)
{
WINUSB_SETUP_PACKET setupPacket = new WINUSB_SETUP_PACKET();
setupPacket.RequestType = RequestType;
setupPacket.Request = Request;
setupPacket.Value = Value;
setupPacket.Index = Index;
setupPacket.Length = Length;
return(controlTransfer(setupPacket, data));
}
unsafe public static bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, USBSetupPacket SetupPacket, IntPtr Buffer, uint BufferLength, ref uint LengthTransferred, NativeOverlapped *Overlapped)
{
WINUSB_SETUP_PACKET packet = new WINUSB_SETUP_PACKET()
{
Index = SetupPacket.Index,
Length = SetupPacket.Length,
Request = SetupPacket.Request,
RequestType = SetupPacket.RequestType,
Value = SetupPacket.Value
};
return(NativeMethods.WinUsb_ControlTransfer(InterfaceHandle, packet, Buffer, BufferLength, ref LengthTransferred, Overlapped));
}
protected bool SendTransfer(byte requestType, byte request, ushort value, byte[] buffer, ref int transfered)
{
if (!IsActive)
{
return(false);
}
var setup = new WINUSB_SETUP_PACKET {
RequestType = requestType,
Request = request,
Value = value,
Index = 0,
Length = (ushort)buffer.Length
};
return(WinUsbWrapper.ControlTransfer(_winUsbHandle, setup, buffer, buffer.Length, ref transfered, IntPtr.Zero));
}
/// <summary>
/// Performs a control transfer with a data stage. Calling this function
/// is slightly safer than calling controlTransfer(WINUSB_SETUP_PACKET, Byte *)
/// because this function can verify that buffer is not null and that buffer
/// is long enough.
/// </summary>
/// <param name="buffer">
/// If this is a Read transfer, this is the buffer that the data from the
/// device will be read in to during the data stage. If this is a Write
/// transfer, this is the buffer that will be written to the device during
/// the data stage.
/// </param>
/// <param name="setupPacket">The SETUP packet to send to the device.</param>
/// <returns>
/// The number of bytes transferred in the data stage.
/// This is usually equal to setupPacket.wLength.
/// </returns>
protected unsafe UInt32 controlTransfer(WINUSB_SETUP_PACKET setupPacket, Byte[] buffer)
{
if (setupPacket.Length != 0)
{
if (buffer == null)
{
throw new ArgumentException("The setupPacket length field is non-zero, but no buffer was provided.", "buffer");
}
if (buffer.Length < setupPacket.Length)
{
throw new ArgumentException("The setupPacket length field is " + setupPacket.Length + ", but the buffer provided is only " + buffer.Length + " bytes.", "buffer");
}
}
fixed(Byte *pointer = &buffer[0]) return(controlTransfer(setupPacket, pointer));
}
public virtual Boolean SendTransfer(Byte RequestType, Byte Request, UInt16 Value, Byte[] Buffer, ref Int32 Transfered)
{
if (!m_IsActive)
{
return(false);
}
WINUSB_SETUP_PACKET Setup = new WINUSB_SETUP_PACKET();
Setup.RequestType = RequestType;
Setup.Request = Request;
Setup.Value = Value;
Setup.Index = 0;
Setup.Length = (UInt16)Buffer.Length;
return(WinUsb_ControlTransfer(m_WinUsbHandle, Setup, Buffer, Buffer.Length, ref Transfered, IntPtr.Zero));
}
public virtual bool SendTransfer(byte RequestType, byte Request, ushort Value, byte[] Buffer, ref int Transfered)
{
if (!m_IsActive)
{
return(false);
}
var Setup = new WINUSB_SETUP_PACKET();
Setup.RequestType = RequestType;
Setup.Request = Request;
Setup.Value = Value;
Setup.Index = 0;
Setup.Length = (ushort)Buffer.Length;
return(WinUsb_ControlTransfer(m_WinUsbHandle, Setup, Buffer, Buffer.Length, ref Transfered, IntPtr.Zero));
}
private static void Main(string[] args)
{
var buf = new byte[0x10];
UsbK Switch;
try
{
Switch = FindDevice();
Switch.SetAltInterface(0, false, 0);
}
catch
{
Console.Error.WriteLine("Error: Cannot access device, is your Switch plugged in, turned on and in RCM mode?");
return;
}
Switch.ReadPipe(0x81, buf, 0x10, out _, IntPtr.Zero);
Console.WriteLine("Device ID: {0}", BitConverter.ToString(buf).Replace("-", "").ToLower());
Console.WriteLine("Writing payload...");
Write(Switch, SwizzlePayload(File.ReadAllBytes(args[0])));
if (_writes % 2 != 1)
{
Console.WriteLine("Switching buffers...");
Switch.WritePipe(1, new byte[0x1000], 0x1000, out _, IntPtr.Zero);
}
Console.WriteLine("Smashing...");
var setup = new WINUSB_SETUP_PACKET
{
RequestType = 0x81,
Request = 0,
Value = 0,
Index = 0,
Length = 0x7000
};
var result = Switch.ControlTransfer(setup, new byte[0x7000], 0x7000, out var b, IntPtr.Zero);
Console.WriteLine(!result
? "Successfully smashed device!"
: $"Length transferred was 0x{b:x} bytes... it seems your Switch isn't vulnerable.");
}
public bool WriteBytesTransfer(byte requestType, byte request, ushort value, byte[] outputBuffer)
{
try
{
if (!Connected)
{
return(false);
}
WINUSB_SETUP_PACKET setupPacket = new WINUSB_SETUP_PACKET();
setupPacket.RequestType = requestType;
setupPacket.Request = request;
setupPacket.Value = value;
setupPacket.Index = 0;
setupPacket.Length = (ushort)outputBuffer.Length;
return(WinUsb_ControlTransfer(WinUsbHandle, setupPacket, outputBuffer, outputBuffer.Length, out int bytesWritten, IntPtr.Zero) && bytesWritten > 0);
}
catch (Exception ex)
{
Debug.WriteLine("Failed to write transfer bytes: " + ex.Message);
return(false);
}
}
private static unsafe extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, UInt32 BufferLength, ref UInt32 LengthTransferred, NativeOverlapped *pOverlapped);
public static extern bool WinUsb_ControlTransfer(IntPtr hInterface, WINUSB_SETUP_PACKET SetupPacket, byte[] Buffer, uint BufferLength, ref uint LengthTransferred, IntPtr Overlapped);
public virtual bool SendTransfer(byte RequestType, byte Request, ushort Value, byte[] Buffer, ref int Transfered)
{
if (!m_IsActive) return false;
var setup = new WINUSB_SETUP_PACKET
{
RequestType = RequestType,
Request = Request,
Value = Value,
Index = 0,
Length = (ushort) Buffer.Length
};
return WinUsb_ControlTransfer(m_WinUsbHandle, setup, Buffer, Buffer.Length, ref Transfered, IntPtr.Zero);
}
static extern unsafe Boolean WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, void *Buffer, UInt32 BufferLength, UInt32 *LengthTransferred, OVERLAPPED *Overlapped);
protected static extern Boolean WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, Int32 BufferLength, ref Int32 LengthTransferred, IntPtr Overlapped);
public virtual Boolean SendTransfer(Byte RequestType, Byte Request, UInt16 Value, Byte[] Buffer, ref Int32 Transfered)
{
if (!m_IsActive) return false;
WINUSB_SETUP_PACKET Setup = new WINUSB_SETUP_PACKET();
Setup.RequestType = RequestType;
Setup.Request = Request;
Setup.Value = Value;
Setup.Index = 0;
Setup.Length = (UInt16) Buffer.Length;
return WinUsb_ControlTransfer(m_WinUsbHandle, Setup, Buffer, Buffer.Length, ref Transfered, IntPtr.Zero);
}
public static extern bool WinUsb_ControlTransfer(IntPtr interfaceHandle, WINUSB_SETUP_PACKET setupPacket, byte[] buffer, int bufferLength, out int lengthTransferred, IntPtr overlapped);
private static unsafe extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, UInt32 BufferLength, ref UInt32 LengthTransferred, NativeOverlapped* pOverlapped);
public static extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, UInt32 BufferLength, ref UInt32 LengthTransferred, IntPtr Overlapped);
public static extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket,
Byte[] Buffer, UInt32 BufferLength, ref UInt32 LengthTransferred, IntPtr Overlapped);
unsafe public static extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, IntPtr Buffer, uint BufferLength, ref uint LengthTransferred, NativeOverlapped *Overlapped);
internal static extern Boolean WinUsb_ControlTransfer(SafeWinUsbHandle InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, UInt32 BufferLength, ref UInt32 LengthTransferred, IntPtr Overlapped);
protected static extern bool WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket,
byte[] Buffer, int BufferLength, ref int LengthTransferred, IntPtr Overlapped);
protected static extern Boolean WinUsb_ControlTransfer(IntPtr InterfaceHandle, WINUSB_SETUP_PACKET SetupPacket, Byte[] Buffer, Int32 BufferLength, ref Int32 LengthTransferred, IntPtr Overlapped);
public extern static bool WinUsb_ControlTransfer(IntPtr interfaceHandle, WINUSB_SETUP_PACKET setupPacket, byte[] buffer, uint bufferLength, out UInt32 lengthTransferred, IntPtr overlapped);
