├── .gitmodules
├── SLOTSCREAMER.bin
├── Stupid PCIe Tricks, featuring the NSA Playset- PCIe.pdf
├── readme.md
└── slotscreamer-test.py


/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "inception_pci"]
2 | 	path = inception_pci
3 | 	url = https://github.com/milescrabill/inception_pci.git
4 | 


--------------------------------------------------------------------------------
/SLOTSCREAMER.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NSAPlayset/SLOTSCREAMER/87288f491e1d78c5d7a3fc2c67b5c23a847f61d2/SLOTSCREAMER.bin


--------------------------------------------------------------------------------
/Stupid PCIe Tricks, featuring the NSA Playset- PCIe.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NSAPlayset/SLOTSCREAMER/87288f491e1d78c5d7a3fc2c67b5c23a847f61d2/Stupid PCIe Tricks, featuring the NSA Playset- PCIe.pdf


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | Basics:
 2 | ======
 3 | The way it works is that the USB3380 chip has usb endpoints - PCIIN and PCIOUT - that give the usb host the ability to generate any kind of PCIe packet. It doesn't give full control of all header fields, but you can issue mem, io, and cfg reads and writes. Inception only scratches the surface, but is an easy and cool demonstration. Right now it's pretty slow, but i believe that's due to pyusb/libusb and a few other inefficiencies. theoretically it should be able to dump 4gb of memory in a matter of seconds, not 40 minutes.
 4 | 
 5 | Video Demo:
 6 | ===========
 7 | https://www.youtube.com/watch?v=SvnvOXXAxaI
 8 | 
 9 | Getting Hardware:
10 | =================
11 | The PLX USB3380 is available for about $15. A custom DIY PCB is in progress but not ready yet.
12 | USB3380 reference boards work fine but need firmware to be flashed. They can be aquired from PLX as part of a costly kit, or bought directly form the distributor, Bplus technologies. All of the below are the same company:
13 | 
14 | http://www.bplus.com.tw/PLX.html
15 | 
16 | http://www.hwtools.net/PLX.html
17 | 
18 | http://www.aliexpress.com/store/group/PLX-Series/706012_250803066.html
19 | 
20 | Confirmed working:
21 | ==================
22 | * USB3380, both in PCIe adapter and ExpressCard adapters 
23 | * PP3380 - but this card ships with a large EEPROM that requires 2-byte addressing, see below
24 | * OWC Mercury Helios TB enclosure
25 | * Sonnet Echo Pro TB enclosure
26 | 
27 | Does not work:
28 | ==============
29 | * EC3380-AB small expresscard, EEPROM does not appear to work properly, so it can't work at all without PCIe-side drivers. This is a bummer cause it would've been a very compact combo with the sonnet echo pro.
30 | 
31 | Making a SLOTSCREAMER out of a PLX USB3380:
32 | =========================================
33 | All the months of toiling trying to prototype with linux usb gadget drivers were overcomplicated and went nowhere.
34 | If you build an eeprom image all you have to do is set a usb enabled bit after pcie powers up. All the other default settings are actually completely sufficient to make it all work. SLOTSCREAMER.bin is attached. PLX provides windows and linux tools to program the firmware, or you could use a hardware programmer. To use the plx tools:
35 | 
36 | * download sdk, linux package only, from: http://www.plxtech.com/products/sdk/ You need to register to get access.
37 | * unzip, then untar
38 | * export PLX_SDK_DIR=..pathtofiles/PlxSdk
39 | * cd PlxSdk/PlxApi
40 | * make
41 | * cd ../Driver
42 | * ./builddriver Svc
43 | * cd ../
44 | * ./Bin/Plx_load Svc
45 | * cd Samples/PlxCm
46 | * make
47 | * ./App/PlxCm
48 | 
49 | PlxCm is their command line interface. it should automatically choose your usb3380. type:
50 | show current eeprom state:  "eep"
51 | load slotscreamer config: "eep_load SLOTSCREAMER.bin"
52 | confirm loading: "eep"
53 | 
54 | That's it, your usb3380 reference board is now a SLOTSCREAMER
55 | 
56 | 
57 | Notes for the PP3380:
58 | ====================
59 | The PP3380 may have a larger eeprom that requires two-byte addressing, which PlxCm doesn't do by default. In that case use PlxEe and specify the address width and file to load. You also have to bridge jumper 3 to connect the eeprom.
60 | * cd Samples/PlxEe
61 | * make
62 | * ./App/PlxEe -w 2 -l slotscreamer.bin
63 | 
64 | Running inception:
65 | ===============
66 | Slotscreamer support is now incorporated upstream into inception, so this fork is no longer current.
67 | https://github.com/carmaa/inception
68 | 
69 | Files:
70 | ======
71 | * ./inception_pci contains a version of inception designed for SLOTSCREAMER
72 | * ./slotscreamer-test.py is a simple set of test functions ot make sure it works
73 | 
74 | TODO:
75 | =====
76 | We have not thoroughly tested inception for password bypass. In the near future, we intend to go through the list of known working OSs that inception can bypass and confirm it works of debug why it doesn't
77 | 
78 | Changelog:
79 | =========
80 | The changes are essentially:
81 | * added a SLOTSCREMER class to inception/util.py modeled after MemoryFile
82 | * added necessary imports to util.py
83 | * added pciemode to cfg.py and -N NativePCIe option in incept
84 | * added switches for pcimode to both screenlock.py and memdump.py
85 | * implemented caching for reads
86 | * implemented cache invalidation after writes
87 | * implemented proper responses to non-dword-aligned accesses
88 | 
89 | 
90 | 


--------------------------------------------------------------------------------
/slotscreamer-test.py:
--------------------------------------------------------------------------------
  1 | import usb.core
  2 | import usb.util
  3 | import sys
  4 | import struct
  5 | import math
  6 | 
  7 | pciin = None
  8 | pciout = None
  9 | cache=[]
 10 | cachebase=0
 11 | 
 12 | def readPCI(address,byteCount):
 13 |     global cache
 14 |     global cacheBase
 15 |     offset=address%256
 16 |     baseAddress=address-offset
 17 |     endOffset=(address+byteCount)%256
 18 |     endAddress=address+byteCount-endOffset+256
 19 |     if (len(cache)>0):
 20 |         print('cache exists')
 21 |         if ((cacheBase<=address) and ((cacheBase+len(cache))>=(address+byteCount))):
 22 |             print('cache hit')
 23 |             return bytes(cache[(address-cacheBase):(address+byteCount)-cacheBase])
 24 |     print('read not cached')
 25 |     cache=[]
 26 |     cacheBase=baseAddress
 27 |     print('cacheBase',cacheBase,'baseaddress',baseAddress,'endaddress',endAddress)
 28 |     while baseAddress<endAddress:
 29 |         print('BBBBI',0xcf,0,0,0x40,baseAddress)
 30 |         print("addr",baseAddress)
 31 |         pciout.write(struct.pack('BBBBI',0xcf,0,0,0x40,baseAddress))
 32 |         cache+=pciin.read(0x100)
 33 |         baseAddress+=256
 34 |     return bytes(cache[offset:offset+byteCount])
 35 | 
 36 | 
 37 | def initPCI():
 38 |     global pciin
 39 |     global pciout
 40 |     global cache
 41 |     cache=[]        
 42 |     # find our device
 43 |     dev = usb.core.find(idVendor=0x0525, idProduct=0x3380)
 44 |     if dev is None:
 45 |         raise ValueError('Device not found')
 46 |     dev.set_configuration()
 47 |     cfg = dev.get_active_configuration()
 48 |     intf=cfg[0,0]
 49 |     pciin = usb.util.find_descriptor(intf,custom_match = lambda e: e.bEndpointAddress==0x8e)
 50 |     assert pciin is not None
 51 |     sys.stdout.write('PCIIN found: '+str(pciin)+'\n')
 52 |     pciout = usb.util.find_descriptor(intf,custom_match = lambda e: e.bEndpointAddress==0xe)
 53 |     assert pciout is not None
 54 |     sys.stdout.write('PCIOUT found: '+str(pciout)+'\n')
 55 | 
 56 | 
 57 | def readmem(addr):
 58 |     pciout.write(struct.pack('BBBBI',0xcf,0,0,0x1,addr))
 59 |     return pciin.read(0x100)
 60 | 
 61 | 
 62 | def readIO(addr):
 63 |     pciout.write(struct.pack('BBBBI',0xdf,0,0,0x1,addr))
 64 |     return pciin.read(0x100)
 65 | 
 66 | 
 67 | def writeIO():
 68 |     pciout.write(struct.pack('BBBBI',0x5f,0,0,0x10,baseAddress))
 69 | 
 70 | 
 71 | def readCfg(addr):
 72 |     pciout.write(struct.pack('BBBBI',0xef,0,0,0x1,addr))
 73 |     return pciin.read(0x100)
 74 | 
 75 | 
 76 | def writeCfg():
 77 |     pciout.write(struct.pack('BBBBI',0x6f,0,0,0x10,baseAddress))
 78 | 
 79 | 
 80 | def readvPCI(req):
 81 |     for r in req:
 82 |         yield(r[0],readPCI(r[0],r[1]))
 83 | 
 84 | 
 85 | def writePCI(address, buf):
 86 |     #calculate buffer
 87 |     offset=address%256
 88 |     baseAddress=address-offset
 89 |     byteCount=len(buf)
 90 |     endOffset=(address+byteCount)%256
 91 |     endAddress=address+byteCount-endOffset+256
 92 | 	 #read to fill buffer
 93 |     print('read buffer')
 94 |     readbuf=bytearray(readPCI(baseAddress,endAddress-baseAddress))
 95 |     #modify buffer
 96 |     print('modify buffer')
 97 |     for i in range(offset,endOffset):
 98 |         readbuf[i]=buf[i-offset]
 99 |     #write buffer
100 |     print('write buffer')
101 |     bufferIndex=0
102 |     while baseAddress<endAddress:
103 |         subbuf=readbuf[bufferIndex:bufferIndex+128]
104 |         print("addr",baseAddress,'subbuf',len(subbuf))
105 |         pciout.write(struct.pack('BBBBI'+'B'*128,0x4f,0,0,0x20,baseAddress,*subbuf))
106 |         baseAddress+=128
107 |         bufferIndex+=128
108 |     global cache
109 |     cache=[]        
110 | 
111 | 
112 | 
113 | #initPCI()
114 | #readPCI(0x1000000,100)
115 | #writePCI(0x1000010,[0xff,0xff,0xff,0xff])
116 | #readPCI(0x1000000,100)
117 | 
118 | 
119 | 
120 | #readPCI(0,0x82)
121 | 
122 | #for x in range (0,100):
123 | #    val=readPCI(x*100000,100000)
124 | 
125 | # write the data
126 | #pciout.write(b'\xcf\x00\x00\x01\x00\x00\x00\x00')
127 | #str=pciin.read(10000)
128 | #sys.stdout.write('Read: '+str+'\n')
129 | 
130 | 
131 | #def 
132 | 


--------------------------------------------------------------------------------