search

carmaa / inception

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
1.57k stars 196 forks source link

read more than 4G? #136

Closed Veltis closed 6 years ago

Veltis commented 6 years ago

Is it possible to read more than 4G memory? if I try, then after 4G I get bytes equal to 0

tomemick commented 6 years ago

Direct Memory Access (DMA) through the IEEE1394 FireWire interface only gives access to the low address space, normally defined as the first 4GB of the memory, and that is why you only are able to read up to 4GB.

"Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over a IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim."

If you really want to dig into the research part of it: https://freddie.witherden.org/pages/ieee-1394-forensics.pdf

The paper is from 2010, but gives you an overview of the IEEE1394 interface, and why you only are able to get access to the lower 4 GB of RAM.

carmaa commented 6 years ago

What @tomemick said. Unfortunately not possible with inception, but have a look at https://github.com/ufrisk/pcileech-fpga/