ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Stability issues PCIeScreamer #40

Closed CyberDFense closed 5 years ago

CyberDFense commented 6 years ago

First of all, thank you for your great work on DMA attacks, I've been following it the last months. Now I would like to get one of the PCILeech supported devices, where PCIeScreamer is my favorite. You wrote something about stability issues, could you please specify the problems of PCIeScreamer? Are the stability issues fixable via software and are you going to work on that in the near future? My intention is mainly to do memory dumps and look for information in the data. External power supply and multiple tries due to lack of stability wouldn't be a problem for me as long as it works sometime.

CDF

ufrisk commented 6 years ago

I believe the PCIeScreamer may suffer from degraded signal quality on the PCIe lines.

I've coded around it somewhat in the software so it tries to recover whenever there is an error (at the expense of some performance). Some errors are unrecoverable though and will require a reboot/power cycle of the entire system.

Unfortunately, I do not expect to be able to fix this in software - even though I would be very happy if someone could do it :)

I've had other completely independent ppl building new vivado / verilog projects from scratch having the same problem.

If stability is absolutely paramount in all circumstances I'd recommend going with one of the other supported Xilinx dev boards.

0xf1a commented 6 years ago

@ufrisk Do you think the reason for degraded signal quality could be poor build quality by Lambda Concept? I got my PCIScreamer a few days ago and so far it's been nothing but connection issues and failed reads :(

ufrisk commented 6 years ago

@artista95 I'm sorry to hear that. Unfortunately I do not know for sure what the root cause is. It could very well be what you mention but it could also be due to other things. I just do not know.

0xf1a commented 6 years ago

@ufrisk Have you ever encountered a case where DMA didn't work because of the target PC configuration? So far I'm thinking my motherboard is just incompatible or the PCIE is f***ed. I've got quite an old one (Asrock B75M-DGS R2.0), Intel Virtualization Technology disabled of course. I'm gonna try dumping on a different PC soon. I believe there's just no way PCIScreamer is this much unstable.

ufrisk commented 6 years ago

I haven't encountered it, but I had reports of other people having problems on specific target hardware. Some of them solved it with a BIOS upgrade.

0xf1a commented 6 years ago

I'm feeling pretty disappointed with PCIe Screamer, couldn't get it to work on a friend's PC either. I'm gonna ship it to another friend of mine so he could try it out.

Still, I love the project and I can't wait until more FPGA devices are supported. :) Something more affordable than Screamer would be a dream come true!

ufrisk commented 6 years ago

@artista95 Unfortunately I don't have any plans to add support for a new device in the near future. I'm thinking about having a look at the NeTV2, but that's for later this fall if it happens at all. Otherwise it's the SP605 or AC701 that are supported, but they are more expensive.

The PCILeech memory process file system works towards memory dumps as well though (in read-only mode). Also, if you plan to do some experimenting, Windows 7 systems with the TotalMeltdown (CVE-2018-1038) issue are fully supported as a PCILeech "device".

0xf1a commented 6 years ago

Hello there! In the meantime I found out that the device works 99% of the time when I plug in the USB cable before turning on the PC (makes sense).

However, now I'm having issues dumping memory. I'm trying to use the file system mount but I can't generate a dump file. I run the probe command and it maps memory (3 lines in output) but it doesn't stop after 9GB, it just keeps going to infinity. Strange, but still I take the bottom right max address (0x23FDFFFFF in my case) and run the command anyway.

pcileech.exe dump -v -force -max 0x23FDFFFFF -out my_dump.raw

What happens next is 10000 pages get read successfully and every page after is a failed one. Very weird. Anything I can try? Thanks for helping!

ufrisk commented 6 years ago

The probe will continue to poke at memory to infinity, it's the max address that is given from it that is important. What you are describing is normal behavior.

It seems like the PCIeScreamer (or your target system) stops working when you are dumping. It could be the target system (if reading from an address your target doesn't like - some models do that, but it usually freezes then...) or more likely it's the PCIeScreamer that just stops working.

You can try with -device-opt0, -device-opt1, -device-opt2 to set higher sleep values than the default ones (values are in uS). I suspect it's not going to help much, but give it a try.

0xf1a commented 6 years ago

@ufrisk Appreciate the help but I haven't had the time to try out these device options, can't provide you the feedback about it working, sorry.

The reason I was thinking about using the filesystem mount was for process hacking, but it seems rather inefficient and slow to do it just for 1 process, there must be a faster way. I'd like to filter out a specific process using its name/pID and get its base address and other stuff like pml4.

Should I start by getting System EPROCESS and then walking ActiveProcessLinks list until I get to my desired process? Not sure how I could get pml4 of System, it's kind of confusing working with no API :) I was wondering how would you achieve what I'm trying to do. Thanks

ufrisk commented 6 years ago

The file system already does what you are describing. It tries to identify the kernel PML4 via the low stub and from there it automatically parses the other processes. If it's unable to find the kernel PML4 you may specify it yourself with the option "-cr3 0xaddress". You can try to search for it using the identify command. But most often it just works via auto detect from the low stub.
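The low stub auto detect and the page walk that follows it, as an added example over a constructed 2 MiB mock of a raw memory dump (this is not PCILeech's own code; the stub signature constants follow the heuristic PCILeech/MemProcFS use for Windows x64, and every address in the mock is hypothetical):

```c
#include <stdint.h>
#include <string.h>

/* Constructed 2 MiB stand-in for the low part of a raw physical memory dump.
 * Every address below is hypothetical and chosen only so the tables fit. */
#define MOCK_SIZE 0x200000
#define STUB_PA   0x1000                  /* mock low stub page          */
#define PML4_PA   0x1ad000                /* mock kernel PML4 ("-cr3")   */
#define KERNEL_VA 0xfffff80312345678ULL   /* sample kernel VA to resolve */
static uint8_t phys[MOCK_SIZE];

static uint64_t rd64(uint64_t pa) { uint64_t v = 0; if (pa + 8 <= MOCK_SIZE) memcpy(&v, phys + pa, 8); return v; }
static void wr64(uint64_t pa, uint64_t v) { memcpy(phys + pa, &v, 8); }

/* Low-stub heuristic (as in PCILeech/MemProcFS auto detect for Windows x64): scan the
 * low 1 MiB page by page for a jmp stub whose +0x70 holds the canonical kernel entry
 * (0xfffff8..., 4-byte aligned) and whose +0xa0 holds a page-aligned PML4 address. */
int find_low_stub(uint64_t *pml4, uint64_t *kernel_entry)
{
    for (uint64_t o = 0x1000; o < 0x100000; o += 0x1000) {
        if ((rd64(o + 0x00) & 0xffffffffffff00ffULL) != 0x00000001000600e9ULL) continue;
        if ((rd64(o + 0x70) & 0xfffff80000000003ULL) != 0xfffff80000000000ULL) continue;
        if (rd64(o + 0xa0) & 0xffffff0000000fffULL) continue;
        *kernel_entry = rd64(o + 0x70);
        *pml4 = rd64(o + 0xa0);
        return 1;
    }
    return 0;
}

/* 4-level x64 page walk over the dump, the step the file system performs once it has
 * the PML4. Returns 0 if a level is not present; handles 1 GiB and 2 MiB large pages. */
uint64_t translate(uint64_t pml4, uint64_t va)
{
    uint64_t table = pml4, frame = 0x000ffffffffff000ULL;
    for (int shift = 39; shift >= 12; shift -= 9) {
        uint64_t e = rd64(table + ((va >> shift) & 0x1ff) * 8);
        if (!(e & 1)) return 0;                                 /* not present    */
        if ((shift == 30 || shift == 21) && (e & 0x80))         /* PS: large page */
            return (e & frame & ~((1ULL << shift) - 1)) | (va & ((1ULL << shift) - 1));
        table = e & frame;
    }
    return table | (va & 0xfff);
}

/* Populate the mock: a low stub page plus a PML4->PDPT->PD->PT chain mapping KERNEL_VA
 * to the 4 KiB page at 0x1b1000, so KERNEL_VA resolves to physical 0x1b1678. */
void build_mock(void)
{
    memset(phys, 0, sizeof phys);
    wr64(STUB_PA + 0x00, 0x0000000100064de9ULL);   /* jmp stub bytes; byte 1 is masked out */
    wr64(STUB_PA + 0x70, 0xfffff80312340000ULL);   /* constructed kernel entry address     */
    wr64(STUB_PA + 0xa0, PML4_PA);
    wr64(PML4_PA  + ((KERNEL_VA >> 39) & 0x1ff) * 8, 0x1ae000 | 3);   /* present + rw */
    wr64(0x1ae000 + ((KERNEL_VA >> 30) & 0x1ff) * 8, 0x1af000 | 3);
    wr64(0x1af000 + ((KERNEL_VA >> 21) & 0x1ff) * 8, 0x1b0000 | 3);
    wr64(0x1b0000 + ((KERNEL_VA >> 12) & 0x1ff) * 8, 0x1b1000 | 3);
}
```

On a real dump the same two steps run over the file instead of the mock array; if find_low_stub fails, the PML4 has to be supplied by hand exactly as the "-cr3" option does.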

0xf1a commented 6 years ago

@ufrisk Thanks, it works great :) I'm using some pcileech code for my personal project and then writing some memory/process functions by myself and I managed to modify these filesystem functions easily to read only physical memory. Works perfectly, thank you!