PCIe is the main high speed way of communicating between a processor and its peripherals. It is used in PC (also encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on a PCIe system is complex because it requires expensive tools (>$50k) and such tools are not that common when packet generation is needed. PCIeScreamer provides a such tool at a more reasonable price.
We recommend you to get the JtagSerial pack in order to program it. (Xilinx JTAG cable)
Documentation and examples
- XC7A35T Xilinx 7 Series FPGA
- FT601 FTDI USB 3.0
- MT41K256 4Gb DDR3 DRAM
- PCIe Gen2 X1
Currently, only few attacks were made on PCIe devices. Most of them were done using a Microblaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze. (Using embedded C software to generate/analyze traffic) An other way is to use USB3380 chip, but it is also not flexible enough (only supporting 32bits addressing) and does not allow debugging the PCIe state machine.
The PCIe injector is based on a Series 7 Xilinx FPGA connected to a DDR3 and a high speed USB 3.0 FT601 chip from FTDI.
- Having a full control of the PCIe core.
- Sending/Receiving TLPs through USB 3.0 (or bufferize it to/from DDR3)
- Using flexible software/tools on the Host for receiving/generating/analyzing the TLPs. (Wireshark dissectors, scapy, ...)