PCI Express DIY hacking toolkit

What

This repository contains a set of tools and proof-of-concept code related to the PCI-E bus. It includes an HDL design which implements a software-controllable PCI-E gen 1.1 endpoint device for the Xilinx SP605 board with Spartan-6 FPGA. Compared with popular existing designs, this one allows operating on raw Transaction Layer Packets (TLPs) of the PCI-E bus and performing full 64-bit memory read/write operations. This is an early version of my first more or less complicated FPGA project, so the speed is quite slow (around 1-2 Mb/s), but in upcoming releases it will be significantly increased by connecting the PCI-E endpoint to a MicroBlaze soft processor with an AXI DMA engine. However, even such a low speed is more than enough for reliable implementation of various practical attacks over the PCI-E bus. To demonstrate applied use cases of the design, the repository includes proof-of-concept tools for pre-boot DMA attacks on UEFI-based machines, which allow executing arbitrary UEFI DXE drivers during platform init, and a Hyper-V backdoor which shows how to use pre-boot DMA attacks to inject a backdoor into Windows 10 Enterprise running on a UEFI Secure Boot enabled platform. The provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes: it allows inspecting hypervisor state (VMCS, physical/virtual memory, registers, etc.) from a guest partition and performing guest-to-host VM escape attacks.
Contents

• s6_pcie_microblaze.xise − Xilinx ISE project file.
• microblaze/pcores/axis_pcie_v1_00_a − Custom peripheral module which connects the PCI Express integrated endpoint block of the Spartan-6 FPGA as a raw TLP stream to the MicroBlaze soft processor core.
• sdk/srec_bootloader_0 − Simple bootloader for the MicroBlaze soft processor; it uses the SREC image format and the onboard linear flash memory of the SP605 to load and store the main MicroBlaze program.
• sdk/main_0 − Main program for the MicroBlaze soft processor; it forwards raw TLP packets of the PCI-E bus into a TCP connection using the onboard Ethernet port of the SP605.
• python/pcie_lib.py − Python library that talks over the network to the main MicroBlaze program running on the SP605 board.
• python/pcie_mem.py − Command line program that dumps host RAM to the screen or an output file by sending MRd TLPs.
• python/pcie_mem_scan.py − Command line program that scans the target host for physical memory ranges accessible over the PCI-E bus; it's useful for a security audit of IOMMU-enabled platforms.
• python/uefi_backdoor_simple.py − Command line program for a pre-boot DMA attack which injects a dummy UEFI driver into the target.
• python/uefi_backdoor_hv.py − Command line program for a pre-boot DMA attack which injects a Hyper-V VM exit handler backdoor into the target.
• python/payloads/DmaBackdoorSimple − Dummy UEFI DXE driver.
• python/payloads/DmaBackdoorHv − UEFI DXE driver which implements the Hyper-V backdoor and backdoor client.
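The raw memory-request TLPs that the design operates on, and the address-window policy an IOMMU applies to them (the thing a pcie_mem_scan.py-style audit checks), as an added example: this is Python written for this page, not code from the repository. It assumes the 12-byte (3DW, 32-bit address) and 16-byte (4DW, 64-bit address) header layout for MRd/MWr from the PCIe specification, with header bytes in big-endian DW order; any framing the board's TCP stream adds around a TLP is not handled. The sample headers, requester IDs and the allowed DMA window are constructed values.

```python
"""Decode/encode PCIe memory-request TLP headers and check them against DMA windows.

Added example for this page, not code from the s6_pcie_microblaze repository.
Assumes the public TLP header layout: 3DW header for 32-bit addresses, 4DW header
for 64-bit addresses, bytes in big-endian DW order, no extra transport framing.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

# Fmt field (byte 0, bits 7:5). Memory requests share Type 0_0000; Fmt tells
# read (no data) from write (with data) and 3DW from 4DW headers apart.
FMT_3DW_NO_DATA, FMT_4DW_NO_DATA, FMT_3DW_DATA, FMT_4DW_DATA = 0, 1, 2, 3
TYPE_MEM = 0x00


@dataclass
class MemRequest:
    kind: str          # "MRd" or "MWr"
    addr64: bool       # True when a 4DW header carries a 64-bit address
    length_dw: int     # payload length in 32-bit doublewords (1..1024)
    requester_id: int  # bus:device.function of the device issuing the request
    tag: int
    address: int       # byte address; the low 2 bits of the address DW are PH, not address


def format_bdf(requester_id: int) -> str:
    """Render a 16-bit Requester ID as bus:device.function."""
    return "%02x:%02x.%d" % (requester_id >> 8, (requester_id >> 3) & 0x1F, requester_id & 0x7)


def decode_mem_request(hdr: bytes) -> MemRequest:
    """Parse a 12- or 16-byte TLP header; reject anything that is not MRd/MWr."""
    if len(hdr) < 12:
        raise ValueError("TLP header needs at least 3 DW")
    fmt, tlp_type = hdr[0] >> 5, hdr[0] & 0x1F
    if tlp_type != TYPE_MEM or fmt > FMT_4DW_DATA:
        raise ValueError("not a memory request TLP (fmt=%d type=0x%02x)" % (fmt, tlp_type))
    addr64 = fmt in (FMT_4DW_NO_DATA, FMT_4DW_DATA)
    has_data = fmt in (FMT_3DW_DATA, FMT_4DW_DATA)
    length = ((hdr[2] & 0x03) << 8) | hdr[3]
    length_dw = length if length else 1024          # Length == 0 encodes 1024 DW
    requester_id, tag = struct.unpack(">HB", hdr[4:7])
    if addr64:
        if len(hdr) < 16:
            raise ValueError("4DW header truncated")
        hi, lo = struct.unpack(">II", hdr[8:16])
        address = (hi << 32) | (lo & ~0x3)
    else:
        (lo,) = struct.unpack(">I", hdr[8:12])
        address = lo & ~0x3
    return MemRequest("MWr" if has_data else "MRd", addr64, length_dw, requester_id, tag, address)


def encode_mem_request(kind: str, address: int, length_dw: int, requester_id: int, tag: int) -> bytes:
    """Build an MRd/MWr header; addresses above 4 GiB get a 4DW header."""
    if not 1 <= length_dw <= 1024:
        raise ValueError("length must be 1..1024 DW")
    if address & 0x3:
        raise ValueError("address must be DW aligned")
    addr64 = address > 0xFFFFFFFF
    fmt = {("MRd", False): FMT_3DW_NO_DATA, ("MRd", True): FMT_4DW_NO_DATA,
           ("MWr", False): FMT_3DW_DATA, ("MWr", True): FMT_4DW_DATA}.get((kind, addr64))
    if fmt is None:
        raise ValueError("kind must be MRd or MWr")
    length = length_dw & 0x3FF                      # 1024 wraps to 0 as the spec requires
    byte_enables = 0x0F if length_dw == 1 else 0xFF  # Last DW BE must be 0 for a 1 DW request
    hdr = bytes([(fmt << 5) | TYPE_MEM, 0x00, (length >> 8) & 0x03, length & 0xFF])
    hdr += struct.pack(">HBB", requester_id, tag, byte_enables)
    if addr64:
        hdr += struct.pack(">II", address >> 32, address & 0xFFFFFFFF)
    else:
        hdr += struct.pack(">I", address)
    return hdr


def check_dma_window(req: MemRequest, allowed: Iterable[Tuple[int, int]]) -> bool:
    """True when the whole request stays inside one allowed [start, end) range.

    This is the per-requester policy an IOMMU enforces; a device whose reads
    succeed outside its windows is exactly what a memory-range scan audit reveals.
    """
    start, end = req.address, req.address + req.length_dw * 4
    return any(lo <= start and end <= hi for lo, hi in allowed)


# Constructed samples: a 64-bit MRd for 16 DW at 0x1_0000_1000 from requester 03:00.0,
# tag 5, and a 32-bit MWr for 1 DW at 0xFE000 from the same requester, tag 6.
SAMPLE_MRD64 = bytes.fromhex("20000010" "030005ff" "00000001" "00001000")
SAMPLE_MWR32 = bytes.fromhex("40000001" "0300060f" "000fe000")
# Constructed allowed DMA window for requester 03:00.0 (64 KiB starting at 4 GiB).
ALLOWED_WINDOWS = [(0x1_0000_0000, 0x1_0001_0000)]

if __name__ == "__main__":
    for raw in (SAMPLE_MRD64, SAMPLE_MWR32):
        req = decode_mem_request(raw)
        print("%s %s len=%d DW addr=0x%x tag=%d in-window=%s" % (
            format_bdf(req.requester_id), req.kind, req.length_dw, req.address,
            req.tag, check_dma_window(req, ALLOWED_WINDOWS)))
```

Run stand-alone it decodes both constructed headers and reports that the 64-bit read stays inside the allowed window while the write to 0xFE000 does not, which is the kind of per-device verdict an IOMMU-enabled platform should be producing for every request the endpoint issues.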
Ready-to-use FPGA bitstream files s6_pcie_microblaze.mcs and s6_pcie_microblaze.bin can be downloaded.

SP605 board configuration

The Xilinx UG526 document is your best friend if you want to know more details about usage and configuration of this nice board.

• To load the bitstream from the onboard SPI flash chip you need to configure the SP605 by turning the SW1 switches into the 1-ON, 2-OFF position.
• Now you have to write the FPGA bitstream into the SPI flash. Use the s6_pcie_microblaze.mcs file if you want to do it over JTAG with the help of the Xilinx iMPACT utility, or s6_pcie_microblaze.bin if you're going to use an external SPI programmer connected to the J17 header of the SP605 (which is the fastest and most convenient way). In case of a compatible external SPI programmer you can use the flash_to_spi.py program as a flashrom wrapper:

    # ./flash_to_spi.py s6_pcie_microblaze.bin
    Using region: 'main'.
    Calibrating delay loop.
    Found Winbond flash chip 'W25Q64.V' (8192 kB, SPI) on linux_spi.
    Reading old flash chip contents.
    Erasing and writing flash chip.
    Warning: Chip content is identical to the requested image.
    Erase/write done.

• The bitstream which was written into the SPI flash in the previous step includes a bootloader for the MicroBlaze core. This bootloader allows configuring board options and writing the main program into the linear flash.