Create own custom pcileech firmware

⚠️
While the guide I provided can give you a solid foundation, it's important to note that creating a fully secure and undetectable firmware requires additional steps. As some comments have rightly pointed out, there are crucial measures missing that are essential for avoiding detection by certain anti-cheat systems.
DMA

I recently bought the new PCIE SCREAMER SQUIRREL DMA card. With such hardware it is possible to access memory directly, which makes it quite difficult for anti-cheats to detect or prevent these accesses. The biggest detection factor with DMA (at least as far as I'm aware) is the firmware. The card mentioned above comes pre-flashed with the FPGA firmware from PCILeech. This "default" firmware is flagged by most "good" anti-cheats and should not be used, so we need to create our own firmware. Fortunately, Ulf has already written a guide on how to create your own firmware:

pcileech-fpga/build.md at master · ufrisk/pcileech-fpga

That guide mainly covers the basics of firmware creation, so I have written a guide that goes into a little more detail.

Dump and convert config space

To imitate a device, we first need to dump the config space of the PCI device we want to imitate. This is currently only possible on Linux.

📌
As mentioned in the comments, there are ports of the tools for Windows. The script I'm sharing below won't work on Windows, though.

Additionally, there are alternative tools with a GUI. There are paid options such as Arbor and free alternatives like Telescan PE.

Boot any Linux distribution (live or dual boot). The command sudo lspci -nn lists all the devices in your system; the -nn flag shows the vendor and device IDs. Copy these IDs, then run the following script and paste the IDs in when prompted:

#!/bin/bash

# Ask for the vendor and device ID exactly as shown by `lspci -nn`
echo "Please enter the vendor and device ID (VVVV:DDDD):"
read -r device_vendor_id

# Dump the full config space of the matching device to a file
filename="config_space.txt"
sudo lspci -d "$device_vendor_id" -xxxx > "$filename"

echo "Config space grouped by dword:"

# Only the hex rows look like "00: 86 80 ...". Matching on that shape skips the
# device description line lspci prints first (and any repeated one if several
# devices match the ID) instead of relying on a line counter.
while read -r line; do
    case "$line" in
        [0-9a-f][0-9a-f]:" "*|[0-9a-f][0-9a-f][0-9a-f]:" "*)
            # Drop the offset, remove the spaces, insert a comma after every 8 hex digits
            echo "$line" | cut -f2 -d":" | tr -d ' ' | sed -e 's/.\{8\}/&,/g'
            ;;
    esac
done < "$filename"

The console output gives you the config space grouped into DWORDs. You will need this output when you build your custom firmware.
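As an added example (not the original script), the same conversion in Python, which also validates that the rows are contiguous and decodes the standard PCI header fields, so you can see what a dump actually describes (vendor, device, class, capability pointer) rather than only a string of hex. The dump below is constructed with placeholder IDs, not taken from a real device.

```python
import re

# Constructed sample of `lspci -xxxx` output for one device (placeholder IDs,
# not a real dump): a description line followed by 16-byte hex rows.
SAMPLE_DUMP = """\
00:1f.3 Audio device [0403]: Placeholder Vendor Placeholder Device
00: 34 12 78 56 06 04 10 00 01 30 03 0c 00 00 00 00
10: 04 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 34 12 78 56
30: 00 00 00 00 80 00 00 00 00 00 00 00 0a 01 00 00
"""

# Matches hex rows only; the device description line has no "XX: " prefix
# followed by hex pairs, so it is skipped without counting lines.
HEX_ROW = re.compile(r"^([0-9a-f]{2,3}): ((?:[0-9a-f]{2} ?){16})$")

def parse_config_space(dump: str) -> bytes:
    """Return the config space bytes from an lspci -xxxx dump of one device."""
    data = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line.strip().lower())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):          # rows must be contiguous, 16 bytes each
            raise ValueError(f"unexpected offset 0x{offset:02x} at byte {len(data)}")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    if len(data) % 4:
        raise ValueError("dump length is not a multiple of 4 bytes")
    return bytes(data)

def to_dwords(data: bytes) -> list[str]:
    """Group bytes in bus order into 8-hex-digit words, like the shell script."""
    return [data[i:i + 4].hex() for i in range(0, len(data), 4)]

def header_fields(data: bytes) -> dict[str, int]:
    """Decode standard PCI header fields; multi-byte fields are little-endian."""
    le16 = lambda off: int.from_bytes(data[off:off + 2], "little")
    status = le16(0x06)
    return {
        "vendor_id": le16(0x00),
        "device_id": le16(0x02),
        "class_code": int.from_bytes(data[0x09:0x0c], "little"),  # base<<16|sub<<8|progif
        "header_type": data[0x0e] & 0x7F,
        "has_cap_list": bool(status & 0x10),   # status bit 4: capability list present
        "cap_ptr": data[0x34],
        "subsystem_vendor_id": le16(0x2c),
        "subsystem_id": le16(0x2e),
    }
```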

Create your own Firmware

+ Get Xilinx Vivado WebPACK 2021.2 or later.
  You need a Xilinx account to download it.

+ Download the latest FPGA firmware for your device.
  For me, that is the PCIeSquirrel repository.
  Use git clone or download the latest release.

Now we are going to edit these files.
In the file src/pcileech_pcie_cfg_a7.sv, edit the DSN (device serial number):

rw[127:64]  <= 64'h0000001010000A32;    // +008: cfg_dsn

In the same file, enable auto clearing for master aborts:

rw[20]      <= 1;   //CFGSPACE_STATUS_REGISTER_AUTO_CLEAR [master abort flag]

Finally, we edit the file that defines the config space. Replace the contents of the file ip/pcileech_cfgspace.coe with your config space dump, converted from bytes to DWORDs as described above. Don't remove the top three lines.

Now open the "Vivado Tcl Shell" command prompt as Administrator and change into the directory of the downloaded FPGA firmware.

Run the following command inside the directory:

source vivado_generate_project.tcl -notrace  

This command creates the project files. It can take some time.

Now you should find a .xpr file inside the folder. Open this file with Vivado (it can take some time until the software opens).

When the project is fully loaded, navigate to
Project Manager (left side) → pcileech_squirrel_top → i_pcileech_pcie_a7,
then double-click on _pcie_7x_0.

This will open a window. Navigate to the IDs tab. Now you can change the IDs and the class.


Click OK to save the changes to the PCIe core and click Generate in the following dialogue. After that, run Synthesis from the left sidebar. When this has completed, generate the bitstream.

When this task has finished successfully, you can find your custom firmware under the following path:
PCIeSquirrel\pcileech_squirrel\pcileech_squirrel.runs\impl_1\pcileech_squirrel_top.bin

Flash own firmware

Now you can flash the firmware to the card. I have created a repository which contains the proxy and flashing scripts you need; its README.md also contains instructions on how to flash the firmware. You can also check out the official documentation.

After you have flashed your firmware, use lspci to check the config space and DSN. The following command gives you all the necessary output:

sudo lspci -nn -d 12ab:0380 -vvv -xxxx

Resources

Firmware example

ekknod, a well-known member of the cheating community, has recently published a repository in which he shares the source code for a firmware that acts like a wireless card. This project is a good starting point if you want to create your own firmware.

GitHub - ekknod/pcileech-wifi: pcileech-fpga with wireless card emulation

Detailed maintained guide

There are also some other guides on how to create your own firmware which I want to shout out. The guide from Silver2 is especially great.

GitHub - Silverr12/DMA-CFW-Guide: Detailed Instructions on the creation of custom/modified DMA (attack) Firmware based on pcileech-fpga

He has also created a video in which he covers some of the steps:

Unknowncheats.me

A recent valuable guide has been shared on the unknowncheats.me forum:

DMA CUSTOM FIRMWARE GUIDE
Cheating with DMA Devices - DMA Cheating

Acknowledgement

I would like to thank ufrisk and SmokeToke for their support.