ufrisk / LeechCore

LeechCore - Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent
GNU General Public License v3.0

use libusb instead of pciescreamer driver #3

Closed tlk-synacktiv closed 5 years ago

tlk-synacktiv commented 5 years ago

Because the FTDI library is quite buggy on Linux, pcileech uses the pciescreamer driver to speak with the FT601 (https://github.com/enjoy-digital/pcie_screamer/tree/master/drivers/ft60x). This requires building a kernel module, loading it as root, and using udev rules...

This patch introduces code to communicate directly with the FT601 without a kernel driver, through libusb and out of the box. The code is largely based on the pciescreamer code and reverse engineering of the FTDI library.

It has only been tested with a SP605.

$ ./pcileech probe

[+] using FTDI device: 0403:601f (bus 2, device 9)
[+] FTDI - FTDI SuperSpeed-FIFO Bridge - serialNumber 000000000001
 Memory Map:                                     
 START              END               #PAGES   
 fffffffffffff000 - 000000000009efff  000000a0   
 00000000000bf000 - 000000008affefff  0008af40   
 00000000a09ff000 - 00000000a0a3ffff  00000041   
 00000000fffff000 - 000000016fdfefff  0006fe00              

 Current Action: Probing Memory                                               
 Access Mode:    Normal                                                       
 Progress:       5886 / 5886 (100%)                      
 Speed:          735 MB/s                                
 Address:        0x000000016FDFF000                      
 Pages read:     1027617 / 1506816 (68%)           
 Pages failed:   479199 (31%)                  
Memory Probe: Completed.

Cheers !

ufrisk commented 5 years ago

Huge thanks for this pull request. I'm currently at BlackHat/DEF CON but I'll take a look at the pull request and do some additional testing with the PCIeScreamer and AC701 when I get back home.

Getting rid of the dependency of the custom kernel module would be very nice - provided that it's stable and around the same performance :)

tlk-synacktiv commented 5 years ago

Alright, enjoy !

I just saw that there is a problem with the displayed addresses. Here is a small patch; I can open another pull request directly if you want.

diff --git a/pcileech/statistics.c b/pcileech/statistics.c
--- a/pcileech/statistics.c
+++ b/pcileech/statistics.c
@@ -158,9 +158,9 @@ VOID PageStatUpdate(_In_opt_ PPAGE_STATISTICS pPageStat, _In_ QWORD qwAddr, _In_
     pPageStat->cPageFail += cPageFailAdd;
     // add to memory map
     if(cPageSuccessAdd && (pPageStat->i.MemMapIdx < PAGE_STATISTICS_MEM_MAP_MAX_ENTRY - 1)) {
-        if(!pPageStat->i.MemMapIdx || (qwAddr - (cPageSuccessAdd << 12)) != (pPageStat->i.MemMap[pPageStat->i.MemMapIdx].qwAddrBase + ((QWORD)pPageStat->i.MemMap[pPageStat->i.MemMapIdx].cPages << 12))) {
+        if(!pPageStat->i.MemMapIdx || qwAddr != (pPageStat->i.MemMap[pPageStat->i.MemMapIdx].qwAddrBase + ((QWORD)pPageStat->i.MemMap[pPageStat->i.MemMapIdx].cPages << 12))) {
             pPageStat->i.MemMapIdx++;
-            pPageStat->i.MemMap[pPageStat->i.MemMapIdx].qwAddrBase = qwAddr - (cPageSuccessAdd << 12);
+            pPageStat->i.MemMap[pPageStat->i.MemMapIdx].qwAddrBase = qwAddr;
         }
         pPageStat->i.MemMap[pPageStat->i.MemMapIdx].cPages += (DWORD)cPageSuccessAdd;
     }
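
Review bot: the new condition and base assignment both assume that every caller of PageStatUpdate passes qwAddr as the first address of the cPageSuccessAdd-page run, whereas the removed `qwAddr - (cPageSuccessAdd << 12)` implied a caller passing the address just past the run; please check each call site before merging, since any caller still using the old convention will now produce ranges shifted one run length too high instead of too low. The probe output in this thread supports the new reading (the first range starts at fffffffffffff000, i.e. 0 minus one page, before the patch and at 0 after it). It would also help to document the convention in a comment on the function, because cPages grows only by the successful pages while cPageFail is counted separately, so the contiguity test on the next call depends on where in the chunk the failed pages sat.
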
[+] using FTDI device: 0403:601f (bus 2, device 3)
[+] FTDI - FTDI SuperSpeed-FIFO Bridge - serialNumber 000000000001
 Memory Map:                                     
 START              END               #PAGES   
 0000000000000000 - 000000000009ffff  000000a0   
 00000000000c0000 - 000000008affffff  0008af40   
 00000000a0a00000 - 00000000a0a40fff  00000041   
 0000000100000000 - 000000016fdfffff  0006fe00              

 Current Action: Probing Memory                                               
 Access Mode:    Normal                                                       
 Progress:       5886 / 5886 (100%)                      
 Speed:          735 MB/s                                
 Address:        0x000000016FDFF000                      
 Pages read:     1027617 / 1506816 (68%)           
 Pages failed:   479199 (31%)                  
Memory Probe: Completed.
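
The memory map table above, rebuilt as an added example that is not LeechCore/pcileech code: a page-by-page probe feeds a run-coalescing statistics routine, and the same per-page input is run through both base conventions, the corrected one from the patch's `+` lines (addr is the run's base) and the one from its removed `-` lines (subtract the run length from addr), which reproduces the fffffffffffff000 start of the first probe output. The four readable ranges are a constructed sample taken from the corrected output; the names memmap_record, probe_sample and memmap_print are this example's own.

```c
/* Added example (not LeechCore/pcileech code): rebuild the "Memory Map"
 * table printed by `pcileech probe` from per-page read results, coalescing
 * contiguous readable pages into (base, #pages) runs. Both base conventions
 * from the patch are applied to the same input to show the shift. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MEMMAP_MAX 64            /* fixed-size table, like the original's */

typedef struct {
    uint64_t base;               /* first byte of the run */
    uint32_t pages;              /* 4 KiB pages in the run */
} memmap_entry_t;

typedef struct {
    memmap_entry_t e[MEMMAP_MAX];
    int n;                       /* valid entries in e[] */
    uint64_t ok, fail;           /* running page counters */
} memmap_t;

/* Append `ok` readable pages whose run starts at `base`, extending the last
 * entry when the run is contiguous with it; failures only bump the counter. */
static void memmap_record(memmap_t *m, uint64_t base, uint32_t ok, uint32_t fail)
{
    m->ok   += ok;
    m->fail += fail;
    if (!ok) return;                               /* failures never open a run */
    memmap_entry_t *last = m->n ? &m->e[m->n - 1] : NULL;
    if (!last || base != last->base + ((uint64_t)last->pages << PAGE_SHIFT)) {
        if (m->n == MEMMAP_MAX) return;            /* table full: drop, keep counters */
        last = &m->e[m->n++];
        last->base  = base;
        last->pages = 0;
    }
    last->pages += ok;
}

/* Constructed sample layout: the four readable ranges of the corrected probe
 * output above, as half-open [lo, hi) byte intervals. */
static const struct { uint64_t lo, hi; } sample_ram[] = {
    { 0x000000000ULL, 0x0000a0000ULL },
    { 0x0000c0000ULL, 0x08b000000ULL },
    { 0x0a0a00000ULL, 0x0a0a41000ULL },
    { 0x100000000ULL, 0x16fe00000ULL },
};
#define SAMPLE_TOP 0x16fe00000ULL                  /* one past the last probed page */

static int sample_readable(uint64_t addr)
{
    for (size_t i = 0; i < sizeof sample_ram / sizeof sample_ram[0]; i++)
        if (addr >= sample_ram[i].lo && addr < sample_ram[i].hi) return 1;
    return 0;
}

/* Probe the sample one page per update, as the probe output implies the
 * caller does. shifted=0: base = addr (patch's '+' lines).
 * shifted=1: base = addr - (ok << 12) (patch's '-' lines), which wraps
 * page 0 to 0xfffffffffffff000 when addr is already the run base. */
static memmap_t probe_sample(int shifted)
{
    memmap_t m;
    memset(&m, 0, sizeof m);
    for (uint64_t a = 0; a < SAMPLE_TOP; a += PAGE_SIZE) {
        uint32_t ok = (uint32_t)sample_readable(a);
        uint64_t base = shifted ? a - ((uint64_t)ok << PAGE_SHIFT) : a;
        memmap_record(&m, base, ok, 1u - ok);
    }
    return m;
}

static void memmap_print(const memmap_t *m)
{
    printf(" Memory Map:\n START              END               #PAGES\n");
    for (int i = 0; i < m->n; i++) {
        uint64_t end = m->e[i].base + ((uint64_t)m->e[i].pages << PAGE_SHIFT) - 1;
        printf(" %016llx - %016llx  %08x\n", (unsigned long long)m->e[i].base,
               (unsigned long long)end, m->e[i].pages);
    }
    printf(" Pages read:     %llu / %llu\n Pages failed:   %llu\n",
           (unsigned long long)m->ok, (unsigned long long)(m->ok + m->fail),
           (unsigned long long)m->fail);
}

int main(void)
{
    memmap_t fixed = probe_sample(0), old = probe_sample(1);
    puts("corrected convention:");     memmap_print(&fixed);
    puts("shifted (old) convention:");  memmap_print(&old);
    return 0;
}
```

With the corrected convention the sample yields the four ranges, 1027617 pages read and 479199 failed, exactly the counters in both probe outputs; with the shifted convention the same input yields 0xfffffffffffff000-0x9efff, 0xbf000-..., i.e. the first output's table, which is why the counters were right while the addresses were one page low.
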
ufrisk commented 5 years ago

Thanks :) I'll take a look at the memmap statistics separately, it's small enough so no need to drop a pull request for it. I just need to make sure there are no other side effects of removing the pieces of code.

About the main patch, I'll test it with the other hardware next week. The code looks super nice :) The only "issue" is that I'd like to know who to credit in the code; it would be awesome if you could add it in the fpga_libusb.c/h files similar to this: https://github.com/ufrisk/LeechCore/blob/master/leechcore/device_rawtcp.c or similar to what I've done in the other files, and also a twitter handle or something like that if you have one. But no hurry, I still need to check it out with my other devices before I merge when back home.

ufrisk commented 5 years ago

I've verified this patch with the PCIeScreamer R02 and the AC701 and it's working really well.

Performance is identical - but it's nicer to use libusb rather than a custom kernel driver. Code quality is also really good. Thank you :)

Just one question / request before I merge - who should I credit for this? From your Github handle I'm guessing Synacktiv. Could you please add some notes/credits at the top of the fpga_libusb.c/.h similar to this: https://github.com/ufrisk/LeechCore/blob/master/leechcore/device_fpga.c#L12

tlk-synacktiv commented 5 years ago

Voilà !

ufrisk commented 5 years ago

Awesome, and huge thanks - getting rid of the kernel module and making it more standardized will be very helpful. I'll integrate, update some documentation and push the new version this week :)

ufrisk commented 5 years ago

Merged! Once again big thank you for this one. I'll push the binary versions together with some guide changes and other improvements later this week.