search

ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0
4.58k stars 695 forks source link

Thunderbolt issue #256

Open und3ath opened 11 months ago

und3ath commented 11 months ago

Context: hp laptop with vt-d, vbs, kernel dma etc

I have successfully read dma through the pci, (a lot of unreadable pages which is normal with vt-d)

If I do the same thing with thunderbolt (no security at the thunderbolt level, my pci device is present once the session is open), If I read outside physical ranges, I get a blue screen or the pc freeze which is normal. But if i stay in the physical range 100% of the pages read fail and sometime the pc freez or get a bsod too .

It is normal ?

ufrisk commented 11 months ago

Thunderbolt is quite well secured by default. But you indicate that you changed some settings. Also, Windows 11 employs a few protection techniques when the computer is locked in addition to the ones you mention.

On a freshly booted (not rebooted) and unlocked target system does the command below work and display some memory?

pcileech.exe display -min 0x1000 -device fpga -v

Also, if you run some custom firmware this may be causing issues. I don't think it should be an issue of it works thru PCIe ports tho. But you can also try (on a freshly booted system):

pcileech.exe display -min 0x1000 -device fpga://algo=1 -v

Please let me know how it goes, if you have any success or if you're still having issues.

und3ath commented 11 months ago

Hello, i have a leetdma but i have flashed the pcieSquirrel firmware .

The thunderbolt adapter is a wikingoo egpu ( seen as TB4 Home in the thunderbolt app ) and the leetdma is shown as an ethernet adapter in the device tree ( just changed id in vivado before compiling )

On a fresh boot, after unlocking the session:

#######################################################

pcileech.exe display -min 0x1000 -device fpga -v

DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.12,0e00] [ASYNC,NORM] Memory Display: Failed reading memory at address: 0x0000000000001000.

#######################################################

pcileech.exe display -min 0x1000 -device fpga://algo=1 -v

DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.12,0e00] [ASYNC,TINY] Memory Display: Failed reading memory at address: 0x0000000000001000.

ufrisk commented 11 months ago

It seems like communicating with the device works fine, but DMA is not working.

Ensure Thunderbolt security mode is set to no security / legacy in BIOS settings. Also if you have some extra Thunderbolt controller software installed you may need to disable it here as well. Ensure IOMMU / VT-d is disabled in BIOS settings. Ensure Windows is booted and you're logged in (i.e. the computer is unlocked).

On a freshly booted (and logged on unlocked state) try: pcileech.exe display -min 0x1000 -device fpga://algo=1 -v