Initial Commit

pcileech.sln

@@ -0,0 +1,38 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25123.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech", "pcileech\pcileech.vcxproj", "{DFFA1B4C-279B-4356-ADB1-08A6F4795931}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech_gensig", "pcileech_gensig\pcileech_gensig.vcxproj", "{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcileech_shellcode", "pcileech_shellcode\pcileech_shellcode.vcxproj", "{5C698F13-6E9F-46F3-95FC-55376A65D8BF}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{41BC2617-A896-4D63-9F5E-ED26C5A613B8}"
+	ProjectSection(SolutionItems) = preProject
+		LICENSE = LICENSE
+		readme.md = readme.md
+	EndProjectSection
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Debug|x64.ActiveCfg = Debug|x64
+		{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Debug|x64.Build.0 = Debug|x64
+		{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Release|x64.ActiveCfg = Release|x64
+		{DFFA1B4C-279B-4356-ADB1-08A6F4795931}.Release|x64.Build.0 = Release|x64
+		{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Debug|x64.ActiveCfg = Debug|x64
+		{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Debug|x64.Build.0 = Debug|x64
+		{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Release|x64.ActiveCfg = Release|x64
+		{C55314C6-71A0-4AE2-A4F0-E5E531A5E065}.Release|x64.Build.0 = Release|x64
+		{5C698F13-6E9F-46F3-95FC-55376A65D8BF}.Debug|x64.ActiveCfg = Release|x64
+		{5C698F13-6E9F-46F3-95FC-55376A65D8BF}.Release|x64.ActiveCfg = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

pcileech/consoleredir.c

@@ -0,0 +1,101 @@
+// consoleredir.c : implementation related 'console redirect' functionality.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#include "consoleredir.h"
+#include "device.h"
+#include "util.h"
+
+// If console redirection is enabled separate buffers are allocated and is as
+// follows below:
+// page 2: Read/Write - input part (input to targeted console window)
+//         0..n       = USERSHELL_BUFFER_IO struct
+//         n+1..0xfff = input buffer
+// page 3: Read/Write - output part (output from targeted console window)
+//         0..n       = USERSHELL_BUFFER_IO struct
+//         n+1..0xfff = output buffer
+#define USERSHELL_BUFFER_IO_MAGIC 0x012651232dfef9521
+#define USERSHELL_BUFFER_IO_SIZE 0x800
+typedef struct tUSERSHELLBUFFERIO {
+	QWORD qwMagic;
+	QWORD cbRead;
+	QWORD cbReadAck;
+	QWORD qwDebug[10];
+	BYTE  pb[];
+} USERSHELL_BUFFER_IO, *PUSERSHELL_BUFFER_IO;
+
+typedef struct tdCONSOLEREDIR_THREADDATA {
+	PCONFIG pCfg;
+	PDEVICE_DATA pDeviceData;
+	PUSERSHELL_BUFFER_IO pInfoIS;
+	PUSERSHELL_BUFFER_IO pInfoOS;
+	BYTE pbDataISConsoleBuffer[4096];
+	BYTE pbDataOSConsoleBuffer[4096];
+} CONSOLEREDIR_THREADDATA, *PCONSOLEREDIR_THREADDATA;
+
+// input buffer to targeted console (outgoing info)
+// read from this console and send to targeted console
+DWORD ConsoleRedirect_ThreadConsoleInput(PCONSOLEREDIR_THREADDATA pd)
+{
+	HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+	DWORD cbWrite, cbModulo, cbModuloAck;
+	while(TRUE) {
+		while(pd->pInfoOS->cbRead == pd->pInfoIS->cbReadAck) {
+			Sleep(10);
+			continue;
+		}
+		cbModulo = pd->pInfoOS->cbRead % USERSHELL_BUFFER_IO_SIZE;
+		cbModuloAck = pd->pInfoIS->cbReadAck % USERSHELL_BUFFER_IO_SIZE;
+		if(cbModuloAck < cbModulo) {
+			WriteConsoleA(hConsole, pd->pInfoOS->pb + cbModuloAck, cbModulo - cbModuloAck, &cbWrite, NULL);
+		}
+		else {
+			WriteConsoleA(hConsole, pd->pInfoOS->pb + cbModuloAck, USERSHELL_BUFFER_IO_SIZE - cbModuloAck, &cbWrite, NULL);
+		}
+		pd->pInfoIS->cbReadAck += cbWrite;
+	}
+}
+
+DWORD ConsoleRedirect_ThreadConsoleOutput(PCONSOLEREDIR_THREADDATA pd)
+{
+	HANDLE hConsoleIn = GetStdHandle(STD_INPUT_HANDLE);
+	DWORD cbRead;
+	while(TRUE) {
+		ReadConsoleA(hConsoleIn, pd->pInfoIS->pb + (pd->pInfoIS->cbRead % USERSHELL_BUFFER_IO_SIZE), 1, &cbRead, NULL);
+		pd->pInfoIS->cbRead += cbRead;
+		while(pd->pInfoIS->cbRead - pd->pInfoOS->cbReadAck >= USERSHELL_BUFFER_IO_SIZE) {
+			Sleep(10);
+		}
+	}
+}
+
+VOID ActionConsoleRedirect(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _In_ QWORD ConsoleBufferAddr_InputStream, _In_ QWORD ConsoleBufferAddr_OutputStream)
+{
+	BOOL result;
+	PCONSOLEREDIR_THREADDATA pd = LocalAlloc(LMEM_ZEROINIT, sizeof(CONSOLEREDIR_THREADDATA));
+	if(!pd) { return; }
+	pd->pCfg = pCfg;
+	pd->pDeviceData = pDeviceData;
+	pd->pInfoIS = (PUSERSHELL_BUFFER_IO)pd->pbDataISConsoleBuffer;
+	pd->pInfoOS = (PUSERSHELL_BUFFER_IO)pd->pbDataOSConsoleBuffer;
+	// read initial buffer and check validity
+	Sleep(250);
+	result = DeviceReadMEM(pDeviceData, ConsoleBufferAddr_OutputStream, pd->pbDataOSConsoleBuffer, 0x1000);
+	if(pd->pInfoOS->qwMagic != USERSHELL_BUFFER_IO_MAGIC) {
+		printf("\nCONSOLE_REDIRECT: Error: Adress 0x%016llX does not contain a valid console buffer.\n", ConsoleBufferAddr_OutputStream);
+		return;
+	}
+	// create worker threads
+	CreateThread(NULL, 0, ConsoleRedirect_ThreadConsoleInput, pd, 0, NULL);
+	CreateThread(NULL, 0, ConsoleRedirect_ThreadConsoleOutput, pd, 0, NULL);
+	// buffer syncer
+	while(TRUE) {
+		result = DeviceReadMEM(pDeviceData, ConsoleBufferAddr_OutputStream, pd->pbDataOSConsoleBuffer, 0x1000);
+		if(!result || pd->pInfoOS->qwMagic != USERSHELL_BUFFER_IO_MAGIC) {
+			printf("\nCONSOLE_REDIRECT: Error: Adress 0x%016llX does not contain a valid console buffer.\n", ConsoleBufferAddr_OutputStream);
+			return;
+		}
+		DeviceWriteMEM(pDeviceData, ConsoleBufferAddr_InputStream, pd->pbDataISConsoleBuffer, 0x1000);
+	}
+}

pcileech/consoleredir.h

@@ -0,0 +1,20 @@
+// consoleredir.h : definitions related to 'console redirect' functionality.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#ifndef __CONSOLEREDIR_H__
+#define __CONSOLEREDIR_H__
+#include "pcileech.h"
+
+/*
+* Connect to an interactive console at the target system over DMA. This works
+* by reading and writing memory buffers on the target system.
+* -- pCfg
+* -- pDeviceData
+* -- ConsoleBufferAddr_InputStream = DMA buffer on target system for input.
+* -- ConsoleBufferAddr_OutputStream = DMA buffer on target system for output.
+*/
+VOID ActionConsoleRedirect(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData, _In_ QWORD ConsoleBufferAddr_InputStream, _In_ QWORD ConsoleBufferAddr_OutputStream);
+
+#endif /* __CONSOLEREDIR_H__ */

pcileech/cpuflash.c

@@ -0,0 +1,50 @@
+// cpuflash.c : implementation related to 8051 CPU and EEPROM flashing.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#include "cpuflash.h"
+#include "device.h"
+
+VOID ActionFlash(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+	BOOL result;
+	printf("Flashing firmware ... \n");
+	if(!pCfg->cbIn || pCfg->cbIn > 32768) {
+		printf("Flash failed: failed to open file or invalid size\n");
+		return;
+	}
+	if(pCfg->pbIn[0] != 0x5a || *(WORD*)(pCfg->pbIn + 2) > (DWORD)pCfg->cbIn - 1) {
+		printf("Flash failed: invalid firmware signature or size\n");
+		return;
+	}
+	result = DeviceFlashEEPROM(pDeviceData, pCfg->pbIn, (DWORD)pCfg->cbIn);
+	if(!result) {
+		printf("Flash failed: failed to write firmware to device\n");
+		return;
+	}
+	printf("SUCCESS!\n");
+}
+
+VOID Action8051Start(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+	BOOL result;
+	printf("Loading 8051 executable and starting ... \n");
+	if(!pCfg->cbIn || pCfg->cbIn > 32768) {
+		printf("8051 startup failed: failed to open file or invalid size\n");
+		return;
+	}
+	result = Device8051Start(pDeviceData, pCfg->pbIn, (DWORD)pCfg->cbIn);
+	if(!result) {
+		printf("8051 startup failed: failed to write executable to device or starting 8051\n");
+		return;
+	}
+	printf("SUCCESS!\n");
+}
+
+VOID Action8051Stop(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData)
+{
+	printf("Stopping 8051 ... \n");
+	Device8051Stop(pDeviceData);
+	printf("SUCCESS!\n");
+}

pcileech/cpuflash.h

@@ -0,0 +1,32 @@
+// cpuflash.h : definitions related to 8051 CPU and EEPROM flashing.
+//
+// (c) Ulf Frisk, 2016
+// Author: Ulf Frisk, pcileech@frizk.net
+//
+#ifndef __CPUFLASH_H__
+#define __CPUFLASH_H__
+#include "pcileech.h"
+
+/*
+* Flash a new firmware into the onboard memory of the USB3380 card.
+* This may be dangerious and the device may stop working after a reflash!
+* -- pCfg = The configuration data containing the flash image filename.
+* -- pDeviceData
+*/
+VOID ActionFlash(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+/*
+* Load a program into the 8051 CPU and start executing it.
+* -- pCfg = The configuration data containing the program image filename.
+* -- pDeviceData
+*/
+VOID Action8051Start(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+/*
+* Stop the onboard 8051 CPU if its running.
+* -- pCfg
+* -- pDeviceData
+*/
+VOID Action8051Stop(_In_ PCONFIG pCfg, _In_ PDEVICE_DATA pDeviceData);
+
+#endif /* __CPUFLASH_H__ */