This project contains software and HDL code for the NeTV2 FPGA PCIe board. Once flashed it may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit or MemProcFS - The Memory Process File System to perform DMA attacks, dump memory or perform research.
- Retrieve memory from the target system over 100Mbit UDP/IP up to 7MB/s.
(7MB/s is the effective memory dump speed after protocol overhead) - Access all memory of target system without the need for kernel module (KMD) unless protected with VT-d/IOMMU.
- Enumerate/Probe accessible memory at 500-1000MB/s.
- Raw PCIe Transaction Layer Packet (TLP) access.
For information about more capabilities check out the general PCILeech or MemProcFS abilities and capabilities.
For information about other supported FPGA based devices please check out PCILeech FPGA.
- NeTV2 PCIe FPGA board. (CrowdSupply)
- The NeTV2 have a PCIe x4 connector and will NOT fit in PCIe x1 slots! It will fit in x4 - x16 slots.
- The NeTV2 unfortunately have the JTAG flash connector (connecting to bundled RPi) soldered on to it. This connector will take up space to render the adjacent PCIe slot (marked as 1) unusable.
- The Ethernet connector is on the internal facing card edge. The external facing card edge is populated with HDMI connectors not used by PCILeech.
Please also note that the NeTV2 currently have a too high latency for some PCILeech kernel injection techniques - such as injecting into recent Win10 kernels.
Easiest way to flash the NeTV2 is by flashing it with the co-bundled Rasberry Pi in the Quickstart package. Please note that you need a rather long Torx screwdriver to open the case and unscrew the NeTV2 board from the case (which won't let you access PCIe and the NeTV2 ethernet).
- Download the pre-built bitstream for your NeTV2 model as found below in releases section at bottom of this readme - alternatively copy the built bitstream from PCILeech_NeTV2/PCILeech_NeTV2.runs/impl_1/pcileech_netv2_top.bin if building from source.
- scp bitstream to RPi:
scp pcileech_netv2_top.bin pi@<IPv4_addr_of_RPi>:~/pcileech_netv2_top.bin
. The default password is: netv2mvp - ssh into RPi:
ssh pi@<IPv4_addr_of_RPi>
- Flash! depending on model either:
35T:sudo openocd -c "set BSCAN_FILE /home/pi/code/netv2mvp-scripts/bscan_spi_xc7a35t.bit" -c "set FPGAIMAGE /home/pi/pcileech_netv2_top.bin" -f /home/pi/code/netv2mvp-scripts/cl-spifpga.cfg
or
100T:sudo openocd -c "set BSCAN_FILE /home/pi/code/netv2mvp-scripts/bscan_spi_xc7a100t.bit" -c "set FPGAIMAGE /home/pi/pcileech_netv2_top.bin" -f /home/pi/code/netv2mvp-scripts/cl-spifpga.cfg
It should probably be possible to flash by other methods as well, such as with OpenOCD and LambdaConcept programming cable (this is untested though). Or if having own RPi it's possible to download the sd-card image for booting the prepared NeTV2 RPi and flash it by the above method.
For building instructions please check out the build readme for information. The PCIe device will show as Xilinx Ethernet Adapter with Device ID 0x0666 on the target system by default. For instructions how to change the device id and other advanced build properties please also check out the build readme for information.
Once powered on the NeTV2 will try to fetch an IPv4 address by using DHCP regardless whether the ethernet cable is connected or not. This is indicated by a green blinking at the single HDMI port on the side. If no DHCP address is received in the first 10s the device will by default fall back to the default static IPv4 address of 192.168.0.222. This is indicated by a red blinking at the single HDMI port on the side.
Connect to the device by using the -device rawudp://192.168.0.222
parameter in PCILeech or MemProcFS. The transport will take place over UDP - which may be lossy. Note that any lost UDP packages are not handled and may cause issues (this is normally not a problem).
The completed solution contains Xilinx proprietary IP cores licensed under the Xilinx CORE LICENSE AGREEMENT. The completed solution contains an ethernet UDP core from fpga-cores.com. The ethernet core is OK to use for non-commercial purposes, but for commercial use a license should be acquired from fpga-cores.com.
This project as-is published on Github contains no Xilinx or fpga-cores.com proprietary IP.
Published source code are licensed under the MIT License. The end user that have downloaded the no-charge Vivado WebPACK from Xilinx will have the proper licenses and will be able to re-generate Xilinx proprietary IP cores by running the build detailed above.
PCILeech and MemProcFS are hobby projects of mine. I put a lot of time and energy into my projects. The time being most of my spare time. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute.
- Github Sponsors:
https://github.com/sponsors/ufrisk
To all my sponsors, Thank You 💖
v4.0
- Initial Release.
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.1
- Minor bug-fixes and internal re-design.
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.2
- Optional custom PCIe configuration space.
- Optional on-board static PCIe TLP transmit.
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.4
- Disable PCIe WAKE#.
- Increased stability and reboot support.
- Support for Ryzen CPUs (NB! this is FPGA support only - PCILeech itself may still have issues).
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.5
- Fix for receiving initial data from PCILeech host.
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.7
- New USB core.
- Support for auto-clear of PCIe status register / master abort flag.
- Download pre-built binaries for XC7A35T and XC7A100T versions below:
v4.8
- Bug fixes.
- Download pre-built binaries for XC7A35T version below:
- XC7A35T SHA256:
e4d27efc10e00bf592b8bc7bc8de34b528357c0dc062bc81aa5a08fc0ca2d46b
- XC7A35T SHA256:
v4.9
- Bug fixes.
- Download pre-built binaries for XC7A35T version below:
- XC7A35T SHA256:
3ed45eeb66408090cee6aa5a4b0706e1b857af6199c5e515da37a27a019defbe
- XC7A35T SHA256:
v4.12
- Bug fixes.
- Download pre-built binaries for XC7A35T version below:
- XC7A35T SHA256:
6a70cc7d969f25c85ed1195ce1f7f98c7f54b3a44944bc09e1009c4b2a9ae1fa
- XC7A35T SHA256: