Create own custom pcileech firmware

I recently bought the new PCIE SCREAMER SQUIRREL dma card. Via such hardware, it is possible to access the memory directly. This makes it quite difficult for anticheats to detect or prevent these accesses. The biggest detection factor with dma (atleast what i'm aware of), is the firmware. The above mentioned card comes pre flashed with the FPGA Firmware from pcieleech. This "default" firmware is flagged by most "good" anticheats and should not be used. So we need to create our own firmware. Fortunately, Ulf already created a guide how to create your own firmware:

pcileech-fpga/build.md at master · ufrisk/pcileech-fpga

FPGA modules used together with the PCILeech Direct Memory Access (DMA) Attack Software - pcileech-fpga/build.md at master · ufrisk/pcileech-fpga

GitHubufrisk

This guide is mainly about the basics of firmware creation. Therefore, I have now created a guide which goes a little more into detail.

Dump and convert config space

To imitate a device, we need to dump the config space of the PCI device we want to imitate. This is currently only possible on Linux.

Live or dual boot in any Linux distribution. With the command sudo lspci -nn you can find all the devices in your system. The -nn flag displays you the vendor and device ID. Copy these IDs. Now run the following script and paste in the IDs when prompted:

#!/bin/bash

#Get device and vendor id
echo "Please enter the vendor and device ID (VVVV:DDDD):"
read device_vendor_id

echo "Config space grouped by dword:"
sudo lspci -d $device_vendor_id -xxxx  > config_space.txt

filename="config_space.txt"
i="1"

while read -r line; do
#Hinders first line of being printed
if [ $i != 1 ]; then
dword="$line"
echo $dword | cut -f2 -d":" | tr -d ' ' | sed -e "s/.\\{8\\}/&,/g"
fi
((i=i+1))
done < "$filename"

The console output should give you the config space converted in DWORD's. You will need this output when you build your custom firmware.

Create your own Firmware

+ Get Xilinx Vivado WebPACK 2021.2 or later.
  For this you need an account. Download

+ Download the latest FPGA firmware for your device.
  For me, it is the PCIeSquirrel: Repository
  Use git clone or download the latest release.

Now we are going to edit these files.
In the file src/pcileech_pcie_cfg_a7.sv edit the dsn:

rw[127:64]  <= 64'h0000001010000A32;    // +008: cfg_dsn

In the same file, enable auto clearing for master aborts:

rw[20]      <= 1;   //CFGSPACE_STATUS_REGISTER_AUTO_CLEAR [master abort flag]

At last, we edit the file that defines the config space. Replace the contents of the file ip/pcileech_cfgspace.coe with your config space dump. This dump needs to be converted from bytes to dword. Don’t remove the top three lines.

Now open "Vivado Tcl Shell" command prompt. (Administrator)
Move in to the directory of the downloaded FPGA firmware.

Run the following command inside the directory:

source vivado_generate_project.tcl -notrace  

This command creates the project files. It can take some time.

Now you should find a .xpr file inside the folder. Open this file with Vivado. (It can take some time until the Software opens.)

When the project is fully loaded navigate to
Project Manager (left side) → pcileech_squirrel_top → i_pcileech_pcie_a7.
Then double click on _pcie_7x_0

This will open a window. Navigate to the IDs tab. Now you can change the IDs and the class.

Click OK to save the changes to the PCIe core. Click Generate in the following dialogue. After that run, synthesis from the left sidebar.  When this is completed, finally generate the bitstream.

When this task successfully finished, you can find your custom firmware under following path:
PCIeSquirrel\pcileech_squirrel\pcileech_squirrel.runs\impl_1\pcileech_squirrel_top.bin

Flash own firmware

Now you can flash the firmware to the card. I have created a repository which contains the proxy and flashing scripts you need. The README.md also contains instructions on how to flash the firmware. You can also check out the official documentation.

After you successfully flashed your firmware, you check the config space and dsn you need to use the tool lspci. Following command gives you all the necessary output:

sudo lspci -nn -d 12ab:0380 -vvv -xxxx

Resources

Firmware example

Recently ekknod, a well-known member of the cheating community, has put out a repository in which he is sharing the source code for a firmware that acts like a wireless card. This project is a good starting point if you want to create your own firmware.

GitHub - ekknod/pcileech-wifi: pcileech-fpga with wireless card emulation

pcileech-fpga with wireless card emulation. Contribute to ekknod/pcileech-wifi development by creating an account on GitHub.

GitHubekknod

Detailed maintained guide

Also, there are some other guides on how to create your own firmware, which I want to shout out. The guide from Silver2 is especially great.

GitHub - Silverr12/DMA-CFW-Guide: Detailed Instructions on the creation of custom/modified DMA (attack) Firmware based on pcileech-fpga

Detailed Instructions on the creation of custom/modified DMA (attack) Firmware based on pcileech-fpga - GitHub - Silverr12/DMA-CFW-Guide: Detailed Instructions on the creation of custom/modified DM…

GitHubSilverr12

He has also created a video in which he covers some of the steps:

Unknowncheats.me

A recent valuable guide has been shared on the unknowncheats.me forum:

DMA CUSTOM FIRMWARE GUIDE

Hi, long time lurker here. The purpose of this guide is to show users how to start making there own custom Firmware there is so much misinformation an…

UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats

Collection of resources related to DMA cheating

Cheating with DMA Devices - DMA Cheating

Cheating with DMA devices is fun and safe. Learn how it’s done here!

DMA Cheating

Acknowledgement

I would like to thank for the support from ufrisk and SmokeToke.