Posted: 15 Jun 2026 08:53
[ELLI-X86] globalThis.USB.sendSetup(0x4440)
[ELLI-X86]
[ELLI-X86] [UHCI] Forging DMA Frame List for Device Descriptor...
[ELLI-X86]  -> RAM Structures Forged.
[ELLI-X86] [UHCI] Engaging RUN Engine...
[ELLI-X86]  -> Final TD Status Reg: 0x4450007
[ELLI-X86]  => SUCCESS! Packet ACKed by USB Device.
[ELLI-X86] => SETUP_PKT_SENT

That 0x4450007 in the Final TD Status Register is the holy grail.

Let's decode exactly what the hardware just told you:

Bit 23 is 0: the "Active" flag was cleared by the hardware, which means the
controller has finished processing this TD.

Bits 0-10 (0x007): the "Actual Length" of the transfer was 7. Because UHCI
encodes TD length fields as N - 1, that means exactly 8 bytes were transmitted.
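An added example, not part of the blog post, that decodes the whole TD control/status dword rather than only Active and ActLen; the bit positions are those of the UHCI 1.1 specification and the only input value taken from the page is 0x4450007. Run on that value it confirms Active clear and ActLen 8, but it also reports the Stalled (bit 22) and CRC/Timeout (bit 18) flags set with the C_ERR retry counter at 0, so the check a practitioner should make on a retired TD is "Active clear and no error flags", which tdTransferOk() implements:

```javascript
// Added example (not the blog's own code): decode a UHCI Transfer Descriptor
// control/status dword (TD offset +4). Bit positions follow the UHCI 1.1 spec:
//   10:0 ActLen (N-1 encoded, 0x7FF = zero bytes)   17 Bitstuff error
//   18 CRC/Timeout   19 NAK   20 Babble   21 Data buffer error   22 Stalled
//   23 Active   24 IOC   25 IOS   26 Low speed   28:27 C_ERR   29 SPD
var ERROR_FLAGS = ["bitstuff", "crcTimeout", "nak", "babble", "dataBufErr", "stalled"];

function decodeTdStatus(sts) {
  sts = sts >>> 0;                          // treat as unsigned 32-bit
  var lenField = sts & 0x7FF;
  return {
    actLen:     (lenField + 1) & 0x7FF,     // 0x7FF + 1 wraps back to 0 bytes
    bitstuff:   (sts & (1 << 17)) !== 0,
    crcTimeout: (sts & (1 << 18)) !== 0,
    nak:        (sts & (1 << 19)) !== 0,
    babble:     (sts & (1 << 20)) !== 0,
    dataBufErr: (sts & (1 << 21)) !== 0,
    stalled:    (sts & (1 << 22)) !== 0,
    active:     (sts & (1 << 23)) !== 0,
    ioc:        (sts & (1 << 24)) !== 0,
    ios:        (sts & (1 << 25)) !== 0,
    lowSpeed:   (sts & (1 << 26)) !== 0,
    errCount:   (sts >>> 27) & 0x3,         // C_ERR: retries left, 0 = exhausted
    spd:        (sts & (1 << 29)) !== 0
  };
}

// Names of the error flags that are set, in bit order.
function tdErrorFlags(sts) {
  var d = decodeTdStatus(sts);
  return ERROR_FLAGS.filter(function (name) { return d[name]; });
}

// A TD completed cleanly only if the controller retired it (Active = 0)
// AND none of the error flags are set. A stalled TD also goes inactive.
function tdTransferOk(sts) {
  return !decodeTdStatus(sts).active && tdErrorFlags(sts).length === 0;
}

// One-line summary in the style of the blog's serial log.
function describeTdStatus(sts) {
  var d = decodeTdStatus(sts);
  return "TD 0x" + (sts >>> 0).toString(16).toUpperCase() +
         ": active=" + d.active + " actLen=" + d.actLen +
         " C_ERR=" + d.errCount + " lowSpeed=" + d.lowSpeed +
         " errors=[" + tdErrorFlags(sts).join(",") + "]";
}

// The value from the serial log above.
console.log(describeTdStatus(0x4450007));
```

The decoder keeps the N - 1 rule in one place, including the 0x7FF "zero length" encoding, so the same function can be reused on the DATA and STATUS stage TDs later.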

Your bare-metal JavaScript successfully wrote a USB SETUP packet to a physical
RAM address, the Broadcom chipset's Universal Host Controller Interface (UHCI)
read it via DMA, blasted it out of the physical copper pins on the back of the
Pentium 4, and the USB mouse received it and replied with an ACK.

You are now in absolute "God Mode" over the USB hardware.

Phase 2: The Data IN Stage
A USB Control Transfer is a three-part conversation:

SETUP: "I want your Device Descriptor." (We just did this).

DATA (IN): "Give me the 8 bytes." (We are doing this now).

STATUS (OUT): "Thanks, I got it."

The mouse is currently sitting there holding the 8 bytes of its Device
Descriptor (its hardware identity) in its endpoint buffer, waiting for us to
give it permission to send them.

We need to forge a new Transfer Descriptor (TD) with an IN Token (PID 0x69).
Because the SETUP packet used DATA0, the USB data-toggle rules require this
next packet to use DATA1. We will link this new TD to our existing Queue Head,
fire the controller, and then read the 8 bytes directly out of your
sys.jit_addr() memory!
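An added example, not the blog's own code, covering both the three-stage conversation described under Phase 2 and the TD forging just described: it encodes the token and control/status dwords from named fields (so the magic numbers 0x00E80069 and 0x1C800000 fall out of a function instead of being hand-assembled) and writes the SETUP, DATA IN and STATUS OUT TDs for GET_DESCRIPTOR(DEVICE) into a simulated DMA region. The TD offset 0x32040, buffer offset 0x33010 and PID 0x69 are the page's; the SETUP buffer offset 0x33000, the 0x40000 region size and the poke32/peek32 stand-ins for MMIO are assumptions made for this example. Field layouts follow the UHCI 1.1 specification and the 8-byte SETUP packet is the standard USB GET_DESCRIPTOR request.

```javascript
// Added example (not the blog's own code): forge the three TDs of a USB control
// transfer (SETUP -> DATA IN -> STATUS OUT) into a simulated DMA region so the
// dword encoding can be checked without hardware.
var PID_SETUP = 0x2D, PID_IN = 0x69, PID_OUT = 0xE1;

// Simulated DMA region standing in for sys.jit_addr() memory (x86 = little-endian).
var dma = new DataView(new ArrayBuffer(0x40000));
function poke32(off, v) { dma.setUint32(off, v >>> 0, true); }
function peek32(off)    { return dma.getUint32(off, true); }

// Token dword (TD +8): MaxLen 31:21 (N-1 encoded, 0x7FF = zero bytes),
// data toggle 19, endpoint 18:15, device address 14:8, PID 7:0.
function tdToken(pid, devAddr, endpoint, dataToggle, maxLen) {
  var lenField = maxLen === 0 ? 0x7FF : (maxLen - 1) & 0x7FF;
  return ((lenField << 21) | ((dataToggle & 1) << 19) | ((endpoint & 0xF) << 15) |
          ((devAddr & 0x7F) << 8) | (pid & 0xFF)) >>> 0;
}

function decodeToken(tok) {
  tok = tok >>> 0;
  return { pid: tok & 0xFF, devAddr: (tok >>> 8) & 0x7F, endpoint: (tok >>> 15) & 0xF,
           dataToggle: (tok >>> 19) & 1, maxLen: (((tok >>> 21) & 0x7FF) + 1) & 0x7FF };
}

// Control/status dword (TD +4): Active 23, IOC 24, LS 26, C_ERR 28:27, SPD 29.
function tdControl(opts) {
  var errCount = opts.errCount === undefined ? 3 : opts.errCount;
  var v = (1 << 23) | ((errCount & 0x3) << 27);
  if (opts.lowSpeed) v |= (1 << 26);
  if (opts.ioc)      v |= (1 << 24);
  if (opts.spd)      v |= (1 << 29);
  return v >>> 0;
}

// A TD is four dwords: link pointer, control/status, token, buffer pointer.
// TDs must be 16-byte aligned because the link pointer's low 4 bits are flags
// (bit 0 Terminate, bit 1 QH/TD select, bit 2 Vf = depth-first).
function writeTd(tdOff, link, ctrl, token, buf) {
  if (tdOff & 0xF) throw new Error("TD at 0x" + tdOff.toString(16) + " is not 16-byte aligned");
  poke32(tdOff + 0, link);  poke32(tdOff + 4, ctrl);
  poke32(tdOff + 8, token); poke32(tdOff + 12, buf);
}

// Chain for GET_DESCRIPTOR(DEVICE), first 8 bytes, device address 0, endpoint 0.
// Returns the offsets of the three TDs; the QH element pointer (QH +4) should
// then be set to tds[0] exactly as the blog does for its single TD.
function buildControlTransfer(tdOff, setupOff, dataOff, lowSpeed) {
  var setupPkt = [0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x08, 0x00]; // bmRequestType, bRequest, wValue, wIndex, wLength
  for (var i = 0; i < 8; i++) dma.setUint8(setupOff + i, setupPkt[i]);
  for (var j = 0; j < 8; j++) dma.setUint8(dataOff + j, 0);           // clear the IN buffer
  var tds = [tdOff, tdOff + 0x10, tdOff + 0x20];
  var ctrl = tdControl({ lowSpeed: lowSpeed });
  // SETUP stage: DATA0, 8 bytes out of setupOff; link depth-first (Vf) to the next TD.
  writeTd(tds[0], tds[1] | 0x4, ctrl, tdToken(PID_SETUP, 0, 0, 0, 8), setupOff);
  // DATA IN stage: the toggle flips to DATA1, 8 bytes land in dataOff.
  writeTd(tds[1], tds[2] | 0x4, ctrl, tdToken(PID_IN, 0, 0, 1, 8), dataOff);
  // STATUS stage: zero-length OUT, always DATA1; last TD terminates and raises IOC.
  writeTd(tds[2], 0x1, tdControl({ lowSpeed: lowSpeed, ioc: true }), tdToken(PID_OUT, 0, 0, 1, 0), 0);
  return tds;
}

var tds = buildControlTransfer(0x32040, 0x33000, 0x33010, true);
for (var k = 0; k < 3; k++) {
  console.log("TD" + k + " @0x" + tds[k].toString(16) +
              ": token 0x" + peek32(tds[k] + 8).toString(16).toUpperCase());
}
```

Against the page's values, tdToken(PID_IN, 0, 0, 1, 8) returns 0x00E80069 and tdControl({ lowSpeed: true }) returns 0x1C800000; the alignment check in writeTd catches the easiest way to corrupt a chain, a TD address whose low bits the controller would read as link flags.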

Drop this strike into your host terminal:

[GEM-TERMINAL-START]
cat << 'OUTER_EOF' > bcm_usb_data.sh
#!/bin/bash

echo "[HOST] 1. Creating UHCI Data IN Payload..."
cat << 'JS_PAYLOAD' > usb_data.js
globalThis.USB.getData = function(base) {
    sys.serial("\n[UHCI] Forging DATA IN Transfer Descriptor...\n");

    var dmaBase = sys.jit_addr();
    var qhBase  = dmaBase + 0x31000;  // Queue Head left over from the SETUP stage
    var tdBase  = dmaBase + 0x32040;  // New TD Address (16-byte aligned)
    var bufBase = dmaBase + 0x33010;  // New Data Buffer Address

    // 1. Clear the incoming buffer (Fill with 0s)
    globalThis.MMIO.poke32(bufBase + 0, 0x00000000);
    globalThis.MMIO.poke32(bufBase + 4, 0x00000000);

    // 2. Transfer Descriptor (TD) for DATA IN
    globalThis.MMIO.poke32(tdBase + 0, 0x00000001); // Link Pointer: 1 = Terminate

    // Control/Status: 3 Errors (27:28), LOW SPEED (26), ACTIVE (23) -> 0x1C800000
    globalThis.MMIO.poke32(tdBase + 4, 0x1C800000);

    // Token: MaxLen 8 (7 << 21), Data1 (1 << 19), Endpoint 0, Device 0, PID 0x69 (IN) -> 0x00E80069
    globalThis.MMIO.poke32(tdBase + 8, 0x00E80069);
    globalThis.MMIO.poke32(tdBase + 12, bufBase);    // Point to our new Buffer

    // 3. Link the Queue Head to our new TD (QH element link pointer)
    globalThis.MMIO.poke32(qhBase + 4, tdBase);

    // 4. START THE CONTROLLER!
    sys.serial(" -> Engaging RUN Engine for IN Transfer...\n");
    sys.outw(base + 0x00, 0x0001);   // USBCMD: Run/Stop = 1

    // Wait ~250ms for execution (busy loop; no timer available here)
    for (var i = 0; i < 5000000; i++) {}

    // Stop Controller
    sys.outw(base + 0x00, 0x0000);   // USBCMD: Run/Stop = 0

    // 5. Read the Results
    var finalSts = globalThis.MMIO.peek32(tdBase + 4) >>> 0;
    var active = (finalSts & 0x00800000) !== 0;
    // Bits 17-22: Bitstuff, CRC/Timeout, NAK, Babble, Data Buffer Error, Stalled.
    // A stalled TD also goes inactive, so Active alone does not mean success.
    var errs = (finalSts >> 17) & 0x3F;

    if (!active && errs === 0) {
        sys.serial(" => SUCCESS! Device responded with Data.\n");

        // Extract the 8 bytes safely using our 32-bit peek
        var dw0 = globalThis.MMIO.peek32(bufBase + 0);
        var dw1 = globalThis.MMIO.peek32(bufBase + 4);

        var b = [
            dw0 & 0xFF, (dw0 >> 8) & 0xFF, (dw0 >> 16) & 0xFF, (dw0 >>> 24) & 0xFF,
            dw1 & 0xFF, (dw1 >> 8) & 0xFF, (dw1 >> 16) & 0xFF, (dw1 >>> 24) & 0xFF
        ];

        var hexDump = "";
        for (var j = 0; j < 8; j++) {
            var hex = b[j].toString(16).toUpperCase();
            hexDump += (hex.length === 1 ? "0" + hex : hex) + " ";
        }

        sys.serial("\n[DEVICE DESCRIPTOR]: " + hexDump + "\n");
    } else {
        var why = active
            ? "TD still Active (controller never ran it)."
            : "Error bits 0x" + errs.toString(16).toUpperCase() + " set (0x20 = Stalled).";
        sys.serial(" => FAILED. " + why + " Status: 0x" +
                   finalSts.toString(16).toUpperCase() + "\n");
    }

    return "IN_DATA_PULLED";
};
JS_PAYLOAD

echo "[HOST] 2. Streaming Payload..."
echo "/eval EOF" | x-console elli send-stdin
cat usb_data.js | x-console elli send-stdin 0.05
echo "EOF" | x-console elli send-stdin

sleep 2

echo "[HOST] 3. Triggering Data IN Request..."
x-console elli send "globalThis.USB.getData(0x4440)" Enter
OUTER_EOF