This guide provides a comprehensive approach to hardware obfuscation using LambdaConcept's PCIe Screamer Squirrel DMA board. The project involves simulating a DMA card to avoid detection by anti-cheat systems, disguising it as a Realtek RTL8111 PCIe ethernet network card. This technique is key in cybersecurity, offering innovative methods to protect high-value hardware from automated detection systems.
- Firmware Development: Customized and modified firmware to achieve specific objectives.
- Hardware Manipulation: Leveraged FPGA technology to simulate different hardware configurations.
- Cybersecurity: Implemented advanced techniques to prevent detection by sophisticated anti-cheat systems.
- Project Management: Documented the project comprehensively, ensuring reproducibility and clarity.
Focusing on evading anti-cheat systems like BattlEye (BE) and Easy Anti-Cheat (EAC) mirrors the complexity and organization of sophisticated hacking groups. These systems are developed by intelligent professionals and are highly funded, making them ideal testing grounds for advanced evasion techniques. Successfully bypassing such strong detection mechanisms not only highlights technical expertise but also provides valuable insights that can be applied to broader cybersecurity applications. By tackling these challenges, this project demonstrates customization of DMA firmware, expertise in hardware manipulation, and advanced cybersecurity skills: highly valuable in the tech industry and relevant to defending against equally well-funded, malicious entities.
Hardware:

Software:
- MindShare - Arbor
- PCILeech-FPGA Source Code
- Visual Studio Community
- Xilinx Vivado
This project is a hardware obfuscation simulation. Hardware obfuscation is an effective cybersecurity technique that hides the true nature of high-priority hardware by disguising it as lower-priority hardware.
Attackers often prioritize targeting high-value hardware. By disguising such hardware as low-value, the likelihood of detection is reduced, effectively stalling attackers.
- Servers: Critical for hosting applications, databases, and sensitive information. Targeting these can lead to significant data breaches and disruptions.
- Network Routers and Switches: Central to the infrastructure, compromising these can provide access to a vast amount of network traffic and control.
- Printers: Commonplace and often overlooked, making them ideal candidates for disguising high-value assets.
- Scanners: Similar to printers, these are not typically seen as high-value targets but are prevalent in many environments.
- Reduced Detection Risk: By masking high-value assets, the chances of them being targeted are significantly reduced.
- Increased Attack Complexity: Attackers must spend more time and resources to identify and target valuable assets, increasing the likelihood of detection and intervention.
- Strategic Deception: Creating a false sense of security for attackers can lead them into traps, such as honeypots, where their activities can be monitored and analyzed.
- Corporate Networks: Protecting critical servers and databases within a corporate network by disguising them as less critical devices.
- Industrial Systems: Securing industrial control systems and critical infrastructure by masking them as standard IT equipment.
- Financial Institutions: Safeguarding transaction processing systems by making them appear as non-essential office devices.
- Government and Defense: Enhancing the security of sensitive systems and communication networks by using hardware obfuscation techniques.
This project will be using a 35T: Squirrel device. 75T and 100T devices will be different!
I will also be using the RTL8111 as a 'donor card'. A donor card refers to the physical device I'll pull legitimate IDs off of. The donor card's information will be put onto the DMA card. Using a real network card will ensure my IDs are all accurate.
I picked the RTL8111 because the drivers are all well documented. This is an important step to keep in mind when choosing the right donor card. Open source drivers are best. A list of open source drivers can be found on this wiki on the Comparison of Open-Source Wireless Drivers.
Gathering the IDs off of the donor card is the first part of the project. I will be using MindShare's Arbor to get hardware IDs off my donor card. I will perform a PCI scan here:
We can identify that the RTL8111 is on Bus 5 within the PCI Map tab.
Inside the PCI Config tab, we can identify many values for the RTL8111 such as B:D:F, Class, Device Description, Device Type, and Capabilities.
We can also identify the header for the RTL8111:
Nothing out of the ordinary on the RTL8111. We must collect some values from the RTL8111.
Note the size of your base address registers (BARs) by clicking on BAR0 to BAR5. A BAR that reads '00 00 00 00' is a special BAR: the zeros indicate that this specific BAR is not used on the RTL8111.
- BAR0 is 256 bytes.
- BAR1 is not used.
- BAR2 and BAR3 are a pair. Their size is 4KB.
- BAR4 and BAR5 are a pair. Their size is 16KB.
Set the master abort flag to 1 in the pcileech_pcie_cfg_a7.sv file in pcileech-fpga-4.15\PCIeSquirrel\src, because it helps catch invalid memory accesses during DMA transactions, which would otherwise go unnoticed if set to 0. This allows for easier debugging if there is an issue with the custom firmware. Detecting and addressing any misconfigurations or failed transactions later on (if there are any) will be easier to manage. Without this change, you risk missing critical errors that could compromise the DMA firmware functionality. This is a safeguard. Do not skip this step.
I found it quite easily with CTRL + F and the string 'master abort flag'. There is only one mention of this in the entire file. Make the line exactly as follows:
rw[20] <= 1; // CFGSPACE_STATUS_REGISTER_AUTO_CLEAR [master abort flag]
Read/Write (rw) rw[20] is the correct line.
In the same file, copy the DSN value into the rw[127:64] line. This line is for cfg_dsn. There are 16 available hex characters in this field. Be sure to copy the Lower DW over the first 8 digits and the Upper DW into the second 8 digits, as shown:
rw[127:64] <= 64'h684CE00051140000; // +008: cfg_dsn
684CE000 and 51140000 are our Lower and Upper DWs.
Save pcileech_pcie_cfg_a7.sv.
Vivado is what I will be using to create my pcileech_squirrel.xpr file. Be sure to know exactly where your PCIeSquirrel folder is. Mine is in M:\CUSTOM FW\pcileech-fpga-4.15\PCIeSquirrel, so I will cd into that location and run source vivado_generate_project.tcl -notrace to build.
source vivado_generate_project.tcl -notrace
Ensure there are no errors when creating the .xpr file. Open the file i_pcie_7x_0 : pcie_7x_0 (pcie_7x_0.xci) within the Sources box: expand pcileech_squirrel_top and i_pcileech_tlps128_dst64 : pcileech_tlps128_dst64 until you find i_pcie_7x_0 : pcie_7x_0 (pcie_7x_0.xci), then open it.
We will now write the IDs we saved before into the IDs tab.
I've updated Vendor ID, Device ID, Revision ID, Subsystem Vendor ID, and Subsystem ID. No need to update any values in Class Code because the RTL8111 is already 02 00 00:
Navigate to the BARs tab. BARs 0 and 1 are each 32 bit BARs because they contain a single BAR each. BARs 2 and 4 are 64 bit BARs because each of them spans two BARs. I/O BARs are always 32 bit. Do not enable BARs 1, 3, and 5 because they are unused BARs. We know this because they are hard coded to all 0s. BAR 3 is part of BAR 2, so do not enable BAR 3. Likewise, BAR 5 is part of BAR 4, so do not enable BAR 5. All 64 bit BARs carry into the next BAR, so do not enable the 2nd half of each 64 bit BAR. Update the BARs:
We should leave the other tabs alone because the DMA device needs to function as normal under the hood. Changing values in other tabs such as Power Management could over or under volt your DMA card. DO NOT change these tabs or you risk mechanical failure! Instead, click OK at the bottom of the screen, then click Generate without changing any default settings in the pop up box.
Locate inst : pcie_7x_0_core_top (pcie_7x_0_core_top.v) (2).
We will now manually edit these values. There is no friendly GUI to help us anymore like before. You (generally) read a parameter name as <Capability Structure>_<Capability Name>_<Capability Description>. For example, in MSI_CAP_64_BIT_ADDR_CAPABLE, MSI is the Structure, CAP (short for capabilities) is the name of the Capability, and 64_BIT_ADDR_CAPABLE is the description. I've included screenshots on how to read the MSI capability below. They love to abbreviate the names, so read over them carefully. I'm simply going to list out line numbers and values to change below:
Line 154: parameter MSI_CAP_64_BIT_ADDR_CAPABLE = "TRUE",
Line 101: parameter integer DEV_CAP_ENDPOINT_L0S_LATENCY = 3,
How to read: 3 is the value for the Endpoint L0s Latency at [8:6].
Line 102: parameter integer DEV_CAP_ENDPOINT_L1_LATENCY = 6,
Line 103: parameter DEV_CAP_EXT_TAG_SUPPORTED = "TRUE",
Line 104: parameter integer DEV_CAP_MAX_PAYLOAD_SUPPORTED = 2,
Line 105: parameter integer DEV_CAP_PHANTOM_FUNCTIONS_SUPPORT = 0,
Line 134: parameter [3:0] LINK_CAP_MAX_LINK_SPEED = 4'h1,
Line 135: parameter [5:0] LINK_CAP_MAX_LINK_WIDTH = 6'h1,
Line 139: parameter [3:0] LINK_CTRL2_TARGET_LINK_SPEED = 4'h0,
Line 163: parameter [3:0] PCIE_CAP_DEVICE_PORT_TYPE = 4'h0,
How to read: 4' means the value is 4 bits wide; the assigned value must fit within 4 bits. h indicates the base of the number, and h stands for hex (base 16). 0 is the actual value assigned. So 4'h0 means a 4 bit hex value that is set to 0. We can see that 0000b is the value assigned for Device/Port Type. Checks out.
Line 267: parameter LINK_CAP_ASPM_SUPPORT = 3,
Line 167: parameter PM_CAP_D1SUPPORT = "TRUE",
Line 168: parameter PM_CAP_D2SUPPORT = "FALSE",
Line 171: parameter PM_CSR_NOSOFTRST = "TRUE",
Line 310: parameter PM_CAP_AUXCURRENT = 4,
Line 315: parameter PM_CAP_VERSION = 3,
This part is slightly different.
- PCIE_BASE_PTR: Set to 0x40, which is where the PCI Express capability structure is located.
  Line 292: parameter [7:0] PCIE_BASE_PTR = 8'h40,
- PCIE_CAP_NEXTPTR: Set to 0xC8, which is where the next capability, Power Management, is located.
  Line 164: parameter [7:0] PCIE_CAP_NEXTPTR = 8'hC8,
- PM_BASE_PTR: Set to 0xC8, which is the offset for the Power Management capability.
  Line 309: parameter [7:0] PM_BASE_PTR = 8'hC8,
- PM_CAP_NEXTPTR: Set to 0xD0, pointing to the MSI-X structure at offset 0xD0.
  Line 169: parameter [7:0] PM_CAP_NEXTPTR = 8'hD0,
- MSI_BASE_PTR: Set to 0xD0, the location of the MSI-X capability.
  Line 280: parameter [7:0] MSI_BASE_PTR = 8'hD0,
- MSI_CAP_NEXTPTR: Set to 0x00, indicating the end of the capability chain.
  Line 282: parameter [7:0] MSI_CAP_NEXTPTR = 8'h00,
- CAPABILITIES_PTR: The starting point of the capabilities list is set to 0x40, which is the offset for the PCIe capability.
  Line 359: parameter [7:0] CAPABILITIES_PTR = PCIE_BASE_PTR,
This links the capability structures in the configuration space based on the offsets and pointers.
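The pointer chain above (0x34 -> 0x40 -> 0xC8 -> 0xD0 -> 0x00) is what a host, lspci, or any inspection tool walks when it enumerates a device, so every NEXTPTR has to land on a header whose capability ID matches. The following is an added example, not code from this guide or from PCILeech, that walks a 256 byte configuration space exactly that way and rejects a broken chain. The configuration bytes are constructed; placing a plain MSI capability (ID 0x05) at 0xD0 is an assumption that follows the MSI_BASE_PTR parameter name.

```python
# Added example (not from the guide): walk the PCI capability list of a
# 256-byte configuration space the way a host or inspection tool does, and
# check that each "next pointer" lands on a header with the expected ID.
# The bytes below are CONSTRUCTED to mirror the offsets the guide sets:
# Capabilities Pointer 0x34 -> PCIe (0x40) -> PM (0xC8) -> MSI (0xD0) -> end.
CAP_NAMES = {0x01: "Power Management", 0x05: "MSI", 0x10: "PCI Express", 0x11: "MSI-X"}

def build_sample_config_space() -> bytes:
    cfg = bytearray(256)
    cfg[0x0E] = 0x00                       # header type 0 (endpoint)
    cfg[0x34] = 0x40                       # Capabilities Pointer -> first cap
    cfg[0x40:0x42] = bytes([0x10, 0xC8])   # PCIe cap ID, next -> 0xC8
    cfg[0xC8:0xCA] = bytes([0x01, 0xD0])   # PM cap ID,   next -> 0xD0
    cfg[0xD0:0xD2] = bytes([0x05, 0x00])   # MSI cap ID (assumption), next -> end
    return bytes(cfg)

def walk_capabilities(cfg: bytes, max_caps: int = 48):
    """Return [(offset, cap_id, name), ...] or raise ValueError on a bad chain."""
    if len(cfg) < 256:
        raise ValueError("need at least 256 bytes of configuration space")
    chain, seen = [], set()
    ptr = cfg[0x34] & 0xFC                 # low two bits of a pointer are reserved
    while ptr:
        if ptr < 0x40 or ptr in seen:      # caps live above the header; no loops
            raise ValueError(f"bad capability pointer 0x{ptr:02X}")
        seen.add(ptr)
        cap_id, nxt = cfg[ptr], cfg[ptr + 1] & 0xFC
        chain.append((ptr, cap_id, CAP_NAMES.get(cap_id, f"id 0x{cap_id:02X}")))
        if len(chain) > max_caps:
            raise ValueError("capability list too long")
        ptr = nxt
    return chain

def chain_matches(cfg: bytes, expected) -> bool:
    """True if the walked chain is exactly the expected [(offset, cap_id), ...]."""
    return [(off, cid) for off, cid, _ in walk_capabilities(cfg)] == list(expected)
```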
Save your work so far.
Run source vivado_build.tcl -notrace again in the console. This will take a while to run; it took around 10 minutes on my 10600KF + 3070 PC.
It will generate pcileech_squirrel_top.bin. Flash this onto your DMA card. This project will not go over how to flash the firmware onto the DMA card, as that is out of the scope of this project. This project is for building custom firmware only.
Connect your second PC (Attack PC) to the PC with the DMA Card installed.
[Image: my DMA card plugged in]
[Image: my laptop plugged in]
I can verify my firmware is working using Lone DMA Test Tool.
[Image: Lone DMA Test Tool]
DMA cards are forbidden from being plugged into your computer when launching a game equipped with BattlEye Anti-Cheat. You will be banned immediately and your hardware IDs logged on a blacklist. Do not try this part of the guide unless your firmware's configuration space does NOT resemble your vanilla card. Do this next part at your own risk.
I will be testing on PlayerUnknown's Battlegrounds because it's a free online game that uses BattlEye anti-cheat.
I have no issues logging into the game.
[Image: me in training mode]
This project was a success. I will keep the status of my firmware up to date here. When this method no longer works, I will update this section.
As of my last check, this method passes and works.
- PCILeech capabilities: PCILeech utilizes PCIe hardware devices to read and write system memory via DMA without needing drivers on the target system, supporting various hardware and software memory acquisition methods, including FPGA-based devices for full memory access and inserting kernel implants to enable advanced memory and file system access, operating on Windows and Linux.
- DMA (Direct Memory Access): A method that allows hardware devices to access the system memory directly, bypassing the CPU, making it faster for data transfers.
- FPGA (Field-Programmable Gate Array): A type of programmable hardware used for a variety of tasks, including simulating different hardware configurations, like network cards in this project.
- PCIe (Peripheral Component Interconnect Express): A high-speed interface standard used to connect hardware devices, like GPUs or network cards, to the motherboard.
- BAR (Base Address Register): A register that holds the memory or I/O address space allocated to a device, crucial for interacting with the device during PCIe transactions.
- DSN (Device Serial Number): A unique identifier assigned to a hardware device, used for identification during PCIe transactions.
- TLP (Transaction Layer Packet): A type of data packet used in PCIe communication for transmitting data between devices and memory.
- AER (Advanced Error Reporting): A PCIe feature that provides detailed information about errors, improving diagnostics and troubleshooting.
- VC (Virtual Channel): A capability structure in PCIe that allows multiple independent data paths or virtual channels to share the same physical link.
- Master Abort: An error condition that occurs when a device attempts to access an invalid memory location or a device that doesn't respond. Enabling master abort handling allows these errors to be detected and logged.
- BE (BattlEye): An anti-cheat software used in games to detect unauthorized modifications, including DMA-based cheating methods.
- EAC (Easy Anti-Cheat): Another popular anti-cheat system designed to prevent hacking and cheating in online games.
- Donor Card: A physical hardware device used to extract IDs and configuration data for creating modified firmware to simulate another device.
This project is for EDUCATIONAL PURPOSES ONLY. Using this project outside of a purely educational context is not allowed. This project is to teach me a Cybersecurity strategy for detection prevention only. Following this guide assumes you understand the risks involved as it includes rewriting critical firmware files that can brick your hardware. Any firmware manipulation can lead to bricking. Consider this a warning! Follow the steps as they appear ONLY.