ret2c/pcileech-rt5392

PCILeech RT5392 Firmware

PCILeech firmware, masquerading as a legal Ralink RT5392 device
This firmware was created for my CypherCon 8 talk: Not Fair!!1!: Bypassing Anti-Cheat With Direct Memory Access.

[Images: TeleScan output for the flashed firmware; Drvscan-Interrupt-Info output]

Features

  • Shadow Configuration Space
    • The core needs to be modified, but it still presents as valid because the Type 0 configuration space header is built into the IP core before EXT_CFG(_XP)_CAP_PTR takes effect
  • Writemask
  • BAR Controller (Thank you Dzul for the 3090 base)
    • Mostly static BAR; it loads the EFUSE registers defined in the rt2800pci driver
  • Legacy INTx Interrupts (Thank you Kilmu for logic base)

PCILeech Firmware Tree 🌲

List of files that have been changed from the original pcileech-fpga repository.

  • /ip/ Folder
    • pcileech_cfgspace.coe: Coefficient file that contains the configuration space for the firmware, allows you to mask the core to implement shadow space
    • pcileech_cfgspace_writemask.coe: Coefficient file that contains the writemask for the firmware, setting a permission map for which bits can be modified in the configuration space
  • /pcie_7x/ Folder
    • pcie_7x_0_core_top.v: Core file that defines the implementation of the PCIe endpoint interface. Includes core configuration, support for the device's capabilities (such as MSI(-X), AER, PM, DSN, etc.), clock management, and more. Since this firmware was built from a .tcl script, you can't recustomize the IP block through Vivado; you have to edit this file manually
  • /src/ Folder
    • pcileech_pcie_a7.sv: Configuration file for the physical PCIe signals, FIFO interfaces, etc. The main change is the inclusion of the interrupt definitions needed to enable interrupts
    • pcileech_pcie_cfg_a7.sv: Management of PCIe configuration space access and control, including R/W operations, device status, control registers, BAR tracking, and, most relevant to this customization, interrupt functionality. The logic at the bottom is what sends an interrupt (o_int) over the wire
    • pcileech_pcie_tlp_a7.sv: Configuration file for TLP handling. Handles TLP processing, filtering, and routing. The main change is the inclusion of the interrupt definitions needed to enable interrupts
    • pcileech_tlps128_bar_controller.sv: PCIe BAR and PIO controller module. This file lets you simulate behavioral traits of the original donor card (the RT5392 in this case). Since the driver for older Ralink chips is easy to load, only static reads are used for the EFUSE logic seen in the original Linux driver code (rt2800pci.c and rt2800.h). This file also contains the logic that tells pcileech_pcie_cfg_a7.sv when to trigger an interrupt, implemented as a counter that ticks once per clock cycle

Realistically, you could configure every file in this repository for your intended purpose (such as tlp_magic in /src/pcileech_fifo.sv for DNA Lock), but that is not necessary for getting a pass on drvscan.

Thank you to:

For support, guidance, and resources.
