readme.md

PCIeScreamerR04 and ScreamerM2:

This project contains software and HDL code for the PCIeScreamerR04 PCIe board and the ScreamerM2 FPGA M.2. board.

Once flashed it may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit or MemProcFS - The Memory Process File System to perform DMA attacks, dump memory or perform research.

⚠️ The ScreamerM2 and PCIeScreamerR04 is no longer on sale at LambdaConcept. This project is kept as a reference project for users of the original hardware.

Capabilities:

• Retrieve memory from the target system over USB3/USB-C in excess of 190MB/s.
• Access all memory of target system without the need for kernel module (KMD) unless protected with VT-d/IOMMU.
• Enumerate/Probe accessible memory at >1GB/s.
• Raw PCIe Transaction Layer Packet (TLP) access.

For information about more capabilities check out the general PCILeech or MemProcFS abilities and capabilities.

For information about other supported FPGA based devices please check out PCILeech FPGA.

The Hardware: ScreamerM2

LambdaConcept ScreamerM2 M.2 Key M board. (LambdaConcept)

For more information about the hardware, and alternative software, LambdaConcept ScreamerM2 Wiki.

NB! The picture below depicts a ScreamerM2 R03 with a micro-usb3 connector. ScreamerM2 R04 have an USB-C connector instead. Both versions use identical software.

Flashing ScreamerM2: (Xilinx/Diligent programming cable):

Please note that this instruction applies to Xilinx Vivado compatible programming cables, such as Diligent HS2. This instruction will not work with the LambdaConcept programming cable.

1. Install Vivado WebPACK or Lab Edition (only for flashing).
2. Build PCILeech ScreamerM2 (see below) alternatively download and unzip pre-built binary (see below in releases section).
3. Open Vivado Tcl Shell command prompt.
4. cd into the directory of your unpacked files, or this directory (forward slash instead of backslash in path).
5. Make sure the JTAG USB cable is connected.
6. Run source vivado_flash_hs2.tcl -notrace to flash the PCILeech bitstream onto the ScreamerM2 board.
7. Finished !!!

Flashing ScreamerM2: (LambdaConcept programming cable):

Please note that this instruction applies to the LambdaConcept programming cable. OpenOCD is recommended when using the LambdaConcept programming cable. The LambdaConcept programming cable is not supported by Xilinx Vivado.

1. Build PCILeech PCIeScreamer (see below) alternatively download and unzip pre-built binary (link in version history at the bottom of this readme).
2. Follow the instruction about how to flash with OpenOCD (Linux preferred) on the LambdaConcept ScreamerM2 Wiki.

Building:

1. Install Xilinx Vivado WebPACK 2023.2 or later.
2. Open Vivado Tcl Shell command prompt.
3. cd into the directory of ScreamerM2 (forward slash instead of backslash in path).
4. Run source vivado_generate_project.tcl -notrace to generate required project files.
5. Run source vivado_build.tcl -notrace to generate Xilinx proprietary IP cores and build bitstream.
6. Finished !!!

Building the project may take a very long time (~1 hour).

The PCIe device will show as Xilinx Ethernet Adapter with Device ID 0x0666 on the target system by default. For instructions how to change the device id and other advanced build properties check out the build readme for information.

Other Notes:

The completed solution contains Xilinx proprietary IP cores licensed under the Xilinx CORE LICENSE AGREEMENT. This project as-is published on Github contains no Xilinx proprietary IP. Published source code are licensed under the MIT License. The end user that have downloaded the no-charge Vivado WebPACK from Xilinx will have the proper licenses and will be able to re-generate Xilinx proprietary IP cores by running the build detailed above.

Support PCILeech/MemProcFS development:

Thank You LambdaConcept for sponsoring the PCILeech project 💖

Some other hardware sellers have chosen not to support the project! If you think PCILeech and/or MemProcFS is awesome or if you had a use for it it's now also possible to support the project via Github Sponsors: https://github.com/sponsors/ufrisk.

To all my sponsors, Thank You 💖

Releases / Version History:

Previous releases (click to expand):

v4.1 * Initial Release. * Download pre-built binaries below: * [ScreamerM2](https://mega.nz/file/hPZwiQwa#GwnhexGDB4kppY6naI99M2edV66_MXiY2DQ7HSAdcPM) SHA256: `589eb60b26745a0b5c4dbc8831a71b1f3edbcaf693384366a1d2d374a8400169`

v4.2

• Optional custom PCIe configuration space.
• Optional on-board static PCIe TLP transmit.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: ec9a1df74c969f970dbd5bddcc47ecdb0c38ca80a9b2d2a503dbc247553163bc

v4.3

• Blink LD2 on startup.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 961d3526a0c89b0965cafabffcd1f3ceacb2e5788d0e3716767ddf04b2fb9385

v4.4

• Disable PCIe WAKE#.
• Increased stability and reboot support.
• Support for Ryzen CPUs (NB! this is FPGA support only - PCILeech itself may still have issues).
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 54ed5706357459d9595906b833155783801da9c1ef852c79e0533d4b613796df

v4.5

• Fix for receiving initial data from PCILeech host.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 04ca8e631981020dc12a4116c585e686def1b63d58660edb5970b00b3ce4592c

v4.6

• Support connecting USB cable after device power-on.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 875c32a36934875f194af7d68648a5454c63aaa6ec4a730532632d9424148cd3

v4.7

• New USB core.
• Support for auto-clear of PCIe status register / master abort flag.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 431959337c3321ddaa18d2eed85b7af5abf03f59db99880a1c9b1f5f9b204746

v4.8

• Bug fixes.
• Download pre-built binaries below:
  • ScreamerM2 SHA256: 926413ae821ef6b0e6cd5b0833691c04d67629d78c60b09a63dee5d0eb51e95d

v4.9

• Bug fixes.
• Download pre-built binaries below:
  • PCIeScreamerR04/ScreamerM2 SHA256: f4095b649117182c5a3130c5ea48b049ad02a2dd9d095fe11a5715f582ff495a

v4.11

• Bug fixes.
• Download pre-built binaries below:
  • PCIeScreamerR04/ScreamerM2 SHA256: 64be806e262e859126b93ebb3283c91be18c942bc2a690c95e6b966538572385

v4.12

• Bug fixes.
• Download pre-built binaries below:
  • PCIeScreamerR04/ScreamerM2 SHA256: d2e063f26367fbf2d00df52f0f5fb7ec18732d91aaa47cca8733399e55d697a0

v4.13

• Bug fixes.
• New internal design with on-board PIO BAR support.
• Download pre-built binaries below:
  • PCIeScreamerR04/ScreamerM2 SHA256: 25d5b47a7ba6d485bc8cf35c6f45c8a9f99ab906657ce706a012353437c37b39

v4.14

• Bug fixes.
• New internal design with on-board PIO BAR support.
• Download pre-built binaries below:
  • PCIeScreamerR04/ScreamerM2 SHA256: e0a93e9c0bfcba3f9ebe219d5d302a93599c13526fb0e6d9537847cd14a27565