Version 4.4
ufrisk committed Jul 8, 2020
1 parent 2052626 commit 7297d4b
Showing 25 changed files with 204 additions and 111 deletions.
26 changes: 26 additions & 0 deletions NeTV2/readme.md
Expand Up @@ -3,6 +3,7 @@ NeTV2 PCIe to UDP/IP:
This project contains software and HDL code for the [NeTV2 FPGA PCIe board](https://www.crowdsupply.com/alphamax/netv2).
Once flashed it may be used together with the [PCILeech Direct Memory Access (DMA) Attack Toolkit](https://github.com/ufrisk/pcileech/) or [MemProcFS - The Memory Process File System](https://github.com/ufrisk/MemProcFS/) to perform DMA attacks, dump memory or perform research.


Capabilities:
=================
* Retrieve memory from the target system over 100Mbit UDP/IP up to 7MB/s.<br><sub><sup>(7MB/s is the effective memory dump speed after protocol overhead)</sup></sub>
Expand All @@ -14,6 +15,7 @@ For information about more capabilities check out the general [PCILeech](https:/

For information about other supported FPGA based devices please check out [PCILeech FPGA](https://github.com/ufrisk/pcileech-fpga/).


The Hardware:
=================
* NeTV2 PCIe FPGA board. ([CrowdSupply](https://www.crowdsupply.com/alphamax/netv2))
Expand All @@ -27,6 +29,7 @@ The Hardware:

Please also note that the NeTV2 currently have a too high latency for some PCILeech kernel injection techniques - such as injecting into recent Win10 kernels.


Flashing (by using RPi via NeTV2 Quickstart Package):
=====================================================
Easiest way to flash the NeTV2 is by flashing it with the co-bundled Rasberry Pi in the Quickstart package. Please note that you need a rather long Torx screwdriver to open the case and unscrew the NeTV2 board from the case (which won't let you access PCIe and the NeTV2 ethernet).
Expand All @@ -41,16 +44,19 @@ Easiest way to flash the NeTV2 is by flashing it with the co-bundled Rasberry Pi

It should probably be possible to flash by other methods as well, such as with OpenOCD and LambdaConcept programming cable (this is untested though). Or if having own RPi it's possible to download the sd-card image for booting the prepared NeTV2 RPi and flash it by the above method.


Building:
=================
For building instructions please check out the [build readme](build.md) for information. The PCIe device will show as Xilinx Ethernet Adapter with Device ID 0x0666 on the target system by default. For instructions how to change the device id and other advanced build properties please also check out the [build readme](build.md) for information.


Connecting to the NeTV2:
=======================
Once powered on the NeTV2 will try to fetch an IPv4 address by using DHCP regardless whether the ethernet cable is connected or not. This is indicated by a green blinking at the single HDMI port on the side. If no DHCP address is received in the first 10s the device will by default fall back to the default static IPv4 address of **192.168.0.222**. This is indicated by a red blinking at the single HDMI port on the side.

Connect to the device by using the `-device rawudp://192.168.0.222` parameter in PCILeech or MemProcFS. The transport will take place over UDP - which may be lossy. Note that any lost UDP packages are not handled and may cause issues (this is normally not a problem).


Other Notes:
=================
The completed solution contains Xilinx proprietary IP cores licensed under the Xilinx CORE LICENSE AGREEMENT. The completed solution contains an ethernet UDP core from [fpga-cores.com](https://www.fpga-cores.com). The ethernet core is OK to use for non-commercial purposes, but for commercial use a license should be acquired from fpga-cores.com.
Expand All @@ -59,6 +65,17 @@ This project as-is published on Github contains no Xilinx or fpga-cores.com prop

Published source code are licensed under the MIT License. The end user that have downloaded the no-charge Vivado WebPACK from Xilinx will have the proper licenses and will be able to re-generate Xilinx proprietary IP cores by running the build detailed above.


Support PCILeech/MemProcFS development:
=======================================
PCILeech and MemProcFS are hobby projects of mine. I put a lot of time and energy into my projects. The time being most of my spare time - since I'm not able to work with this. Unfortunately since some aspects also relate to hardware I also put quite some of money into my projects. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute.

Please do note that PCILeech and MemProcFS are free and open source - as such I'm not expecting donations; even though a donation would be very much appreciated. I'm also not able to promise product features, consultancy or other things in return for a donation. A donation will have to stay donation and no more. I'll set up the Github sponsors as soon as I'm able to; but for now it's possible to contribute with:

- Paypal: `paypal@ulffrisk.com`
- Bitcoin: `bc1q9kur5pym8wmh5yxkf65792rdqm0guncd2gl4tu`


Releases / Version History:
=================
v4.0
Expand All @@ -79,3 +96,12 @@ v4.2
* Download pre-built binaries for XC7A35T and XC7A100T versions below:
* [XC7A35T](https://mega.nz/#!ED5i3A4L!uaVsx9oR3S9-NlEQ4hlNnPZpUFwYjrm_0Otp7jmCcCk) SHA256: `86e1f6d4a109ca9e3dd063e6eab85efeea172701dac197fb691f538c7c7232fc`
* [XC7A100T](https://mega.nz/#!1e4CUA4A!remhPrf7qRdqfNCgVgqRtbTAX-_9HDgqTMBwqdkKU-g) SHA256: `ed07835728641de5f5f7bb5df2c56a3b104a4c3e1fd0f23a014a10102636c5aa`

v4.4
* **PCILeech is free and open source. PCILeech is not directly affiliated with the NeTV2 and do not gain financially from sales. If you find PCILeech useful please consider supporting the project.**
* Disable PCIe WAKE#.
* Increased stability and reboot support.
* Support for Ryzen CPUs (NB! this is FPGA support only - PCILeech itself may still have issues).
* Download pre-built binaries for XC7A35T and XC7A100T versions below:
* [XC7A35T](https://mega.nz/file/dD5AzaTR#o2oZSnlkxcT0543aHINSFOXvXFuQU6TaGbyNz3fUTt8) SHA256: `27a534192d597f42e8bc98bf561086c0ec5eeef1827d4590ec0ac7ac534de69f`
* [XC7A100T](https://mega.nz/file/BK400CLS#oopXORZGvA1VW1v8S8t-JGF9FKcY3k63E732rLIU-i8) SHA256: `97b90c2efe0211aeb499ec82e2882cf9151546f4229c0577d5da6220f1dfec5f`
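Review bot: In the v4.4 entry the SHA256 values sit next to the mega.nz links, but the entry does not say what they are computed over (the downloaded archive or the bitstream inside it), so a reader cannot tell which file to hash before flashing. Suggest naming the hashed file in each of the two download bullets.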
6 changes: 5 additions & 1 deletion NeTV2/src/netv2.xdc
Expand Up @@ -51,6 +51,11 @@ set_false_path -from [get_pins {i_pcileech_fifo/_pcie_core_config_reg[*]/C}]
set_false_path -from [get_pins i_pcileech_pcie_a7/i_pcie_7x_0/inst/inst/user_lnk_up_int_reg/C] -to [get_pins {i_pcileech_fifo/_cmd_tx_din_reg[16]/D}]
set_false_path -from [get_pins i_pcileech_pcie_a7/i_pcie_7x_0/inst/inst/user_reset_out_reg/C]

#PCIe signals
set_property PACKAGE_PIN E18 [get_ports pcie_perst_n]
set_property PACKAGE_PIN D20 [get_ports pcie_wake_n]
set_property IOSTANDARD LVCMOS33 [get_ports pcie_perst_n]
set_property IOSTANDARD LVCMOS33 [get_ports pcie_wake_n]

# NB! one of the LOC GTPE2 lines will generate a crical warning and be ignored.
# 35T = LOC GTPE2_CHANNEL_X0Y2
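Review bot: The new pcie_perst_n and pcie_wake_n constraints under "#PCIe signals" set only PACKAGE_PIN and IOSTANDARD. pcie_perst_n is asynchronous to the design clocks and, in this commit, feeds both rst_pcie and rw[239], so it should get an explicit timing exception in the same style as the set_false_path lines just above it, for example set_false_path -from [get_ports pcie_perst_n]. A comment stating whether the board provides a pull-up on PERST# would also help.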
Expand All @@ -65,7 +70,6 @@ set_property PACKAGE_PIN E10 [get_ports pcie_clk_n]
set_property PACKAGE_PIN F10 [get_ports pcie_clk_p]

create_clock -name pcie_refclk_p -period 10.0 [get_nets pcie_clk_p]
create_clock -name pcie_refclk -period 10.0 [get_nets i_pcileech_pcie_a7/pcie_clk_c]

#
# BITSTREAM CONFIG BELOW
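Review bot: With the create_clock on [get_nets i_pcileech_pcie_a7/pcie_clk_c] gone, the reference clock is defined only by the remaining create_clock on [get_nets pcie_clk_p], which targets a net on the pad side of the input buffer rather than the port. Suggest confirming in the timing report that the period 10.0 clock still propagates to the PCIe core, and switching the remaining constraint to get_ports pcie_clk_p if it does not.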
9 changes: 7 additions & 2 deletions NeTV2/src/pcileech_fifo.sv
Expand Up @@ -19,6 +19,9 @@ module pcileech_fifo #(
input clk,
input rst,

input pcie_present,
input pcie_perst_n,

IfComToFifo.mp_fifo dcom,

IfPCIeFifoCfg.mp_fifo dcfg,
Expand Down Expand Up @@ -254,10 +257,12 @@ module pcileech_fifo #(
rw[204] <= 1'b1; // CFGTLP FILTER TLP FROM USER
rw[205] <= 1'b1; // CLK_IS_ENABLED [if clk not started _pcie_core_config[77] will remain zero].
rw[207:206] <= 0; // SLACK
// PCIe DRP
// PCIe DRP, PRSNT#, PERST#
rw[208+:16] <= 0; // +01A: DRP: pcie_drp_di
rw[224+:9] <= 0; // +01C: DRP: pcie_drp_addr
rw[233+:7] <= 0; // SLACK
rw[233+:5] <= 0; // SLACK
rw[238] <= pcie_present; // PRSNT#
rw[239] <= pcie_perst_n; // PERST#
// 01E -

end
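Review bot: The assignments rw[238] <= pcie_present; and rw[239] <= pcie_perst_n; are placed among lines that load constant defaults (rw[205] <= 1'b1, rw[207:206] <= 0). If this block runs only on reset or initialisation, the two bits hold a snapshot taken at that moment and will not track PERST# afterwards, and being in the rw range they may be overwritten later. If live status is intended, drive them from a continuously updated read-only register, and pass pcie_perst_n through a two-flop synchroniser into clk first, since it comes straight from a pin.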
6 changes: 4 additions & 2 deletions NeTV2/src/pcileech_header.svh
Expand Up @@ -107,6 +107,8 @@ interface IfPCIeSignals;
wire [31:0] cfg_mgmt_di;
wire [9:0] cfg_mgmt_dwaddr;
wire [3:0] cfg_mgmt_byte_en;
wire cfg_mgmt_wr_readonly;
wire cfg_mgmt_wr_rw1c_as_rw;

wire [1:0] pl_directed_link_change;
wire [1:0] pl_directed_link_width;
Expand Down Expand Up @@ -146,7 +148,7 @@ interface IfPCIeSignals;
cfg_status, cfg_to_turnoff, tx_buf_av, tx_cfg_req, tx_err_drop, cfg_vc_tcvc_map,
cfg_interrupt_mmenable, cfg_interrupt_msienable, cfg_interrupt_msixenable, cfg_interrupt_msixfm, cfg_interrupt_rdy, cfg_interrupt_do,

output cfg_mgmt_rd_en, cfg_mgmt_wr_en, cfg_dsn, cfg_mgmt_di, cfg_mgmt_dwaddr, cfg_mgmt_byte_en, pl_directed_link_change, pl_directed_link_width, pl_directed_link_auton,
output cfg_mgmt_rd_en, cfg_mgmt_wr_en, cfg_dsn, cfg_mgmt_di, cfg_mgmt_dwaddr, cfg_mgmt_wr_readonly, cfg_mgmt_wr_rw1c_as_rw, cfg_mgmt_byte_en, pl_directed_link_change, pl_directed_link_width, pl_directed_link_auton,
pl_directed_link_speed, pl_upstream_prefer_deemph, pl_transmit_hot_rst, pl_downstream_deemph_source,
cfg_interrupt_di, cfg_pciecap_interrupt_msgnum, cfg_interrupt_assert, cfg_interrupt, cfg_interrupt_stat, cfg_pm_force_state, cfg_pm_force_state_en, cfg_pm_halt_aspm_l0s,
cfg_pm_halt_aspm_l1, cfg_pm_send_pme_to, cfg_pm_wake, cfg_trn_pending, cfg_turnoff_ok, rx_np_ok, rx_np_req, tx_cfg_gnt
Expand All @@ -158,7 +160,7 @@ endinterface
// ------------------------------------------------------------------------

interface IfCfg_TlpCfg;
wire [3:0] tlp_tx_en;
wire [2:0] tlp_tx_en;
wire [15:0] tlp_pcie_id;

modport cfg(
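Review bot: Narrowing tlp_tx_en from [3:0] to [2:0] in IfCfg_TlpCfg is silent for any driver or consumer that still uses a 4-bit value, because the assignment is truncated without an error. Suggest checking every place that assigns or indexes tlp_tx_en, together with the matching pX_en port of tlp128_sink_mux1 changed in this commit, and adding a short comment naming what each of the three bits enables.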
7 changes: 6 additions & 1 deletion NeTV2/src/pcileech_netv2_top.sv
Expand Up @@ -15,7 +15,7 @@ module pcileech_netv2_top #(
// 0 = SP605, 1 = PCIeScreamer R1, 2 = AC701, 3 = PCIeScreamer R2, 4 = Screamer M2, 5 = NeTV2
parameter PARAM_DEVICE_ID = 5,
parameter PARAM_VERSION_NUMBER_MAJOR = 4,
parameter PARAM_VERSION_NUMBER_MINOR = 2,
parameter PARAM_VERSION_NUMBER_MINOR = 4,
parameter PARAM_UDP_STATIC_ADDR = 32'hc0a800de, // 192.168.0.222
parameter PARAM_UDP_STATIC_FORCE = 1'b0,
parameter PARAM_UDP_PORT = 16'h6f3a // 28474
Expand All @@ -38,6 +38,8 @@ module pcileech_netv2_top #(
input [0:0] pcie_rx_n,
input pcie_clk_p,
input pcie_clk_n,
input pcie_perst_n,
output reg pcie_wake_n = 1'b1,

// ETH
output eth_clk50,
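Review bot: The new port output reg pcie_wake_n = 1'b1 drives the pin high permanently from a push-pull LVCMOS33 output. WAKE# on a PCIe slot is an open-drain, active-low signal that other devices may share, so if the board routes this pin directly to the connector, the safer way to keep it deasserted is to leave it high-impedance rather than drive it. A one-line comment saying how the NeTV2 wires this pin would settle which is correct.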
Expand Down Expand Up @@ -115,6 +117,8 @@ module pcileech_netv2_top #(
) i_pcileech_fifo (
.clk ( clk ),
.rst ( rst ),
.pcie_present ( 1'b1 ),
.pcie_perst_n ( pcie_perst_n ),
// FIFO CTL <--> COM CTL
.dcom ( dcom_fifo.mp_fifo ),
// FIFO CTL <--> PCIe
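Review bot: The connection .pcie_present ( 1'b1 ) ties the input to a constant, so the PRSNT# bit exposed in rw[238] always reads 1 regardless of slot state, and the active-high name pcie_present disagrees with the active-low PRSNT# label used in pcileech_fifo.sv. Suggest a comment here that presence is not detectable on this board, and settling on one polarity for the bit.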
Expand All @@ -138,6 +142,7 @@ module pcileech_netv2_top #(
.pcie_rx_n ( pcie_rx_n ),
.pcie_clk_p ( pcie_clk_p ),
.pcie_clk_n ( pcie_clk_n ),
.pcie_perst_n ( pcie_perst_n ),
// State and Activity LEDs
.led_state ( led00 ),
// FIFO CTL <--> PCIe
9 changes: 5 additions & 4 deletions NeTV2/src/pcileech_pcie_a7.sv
Expand Up @@ -21,6 +21,7 @@ module pcileech_pcie_a7(
input [0:0] pcie_rx_n,
input pcie_clk_p,
input pcie_clk_n,
input pcie_perst_n,

// State and Activity LEDs
output led_state,
Expand All @@ -44,11 +45,11 @@ module pcileech_pcie_a7(
wire user_lnk_up;

// system interface
(* dont_touch = "true" *) wire pcie_clk_c;
wire pcie_clk_c;
wire clk_user;
wire rst_user;
wire rst_subsys = rst | rst_user | dfifo_pcie.pcie_rst_subsys;
wire rst_pcie = rst | dfifo_pcie.pcie_rst_core;
wire rst_pcie = rst | ~pcie_perst_n | dfifo_pcie.pcie_rst_core;

// Buffer for differential system clock
IBUFDS_GTE2 refclk_ibuf (.O(pcie_clk_c), .ODIV2(), .I(pcie_clk_p), .CEB(1'b0), .IB(pcie_clk_n));
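Review bot: In wire rst_pcie = rst | ~pcie_perst_n | dfifo_pcie.pcie_rst_core; the pad signal enters the core reset combinationally, so any glitch on PERST# resets the PCIe core and an undriven pin holds it in reset. Suggest a short deglitch or synchroniser stage before the OR, or a comment stating that the board guarantees a clean, pulled-up PERST#. Separately, dropping (* dont_touch = "true" *) from pcie_clk_c is safe only if no constraint still refers to that net by name.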
Expand Down Expand Up @@ -127,8 +128,8 @@ module pcileech_pcie_a7(
.cfg_mgmt_do ( ctx.cfg_mgmt_do ), // -> [31:0]
.cfg_mgmt_rd_en ( ctx.cfg_mgmt_rd_en ), // <-
.cfg_mgmt_rd_wr_done ( ctx.cfg_mgmt_rd_wr_done ), // ->
.cfg_mgmt_wr_readonly ( 1'b0 ), // <-
.cfg_mgmt_wr_rw1c_as_rw ( 1'b1 ), // <-
.cfg_mgmt_wr_readonly ( ctx.cfg_mgmt_wr_readonly ), // <-
.cfg_mgmt_wr_rw1c_as_rw ( ctx.cfg_mgmt_wr_rw1c_as_rw ), // <-
.cfg_mgmt_di ( ctx.cfg_mgmt_di ), // <- [31:0]
.cfg_mgmt_wr_en ( ctx.cfg_mgmt_wr_en ), // <-

5 changes: 4 additions & 1 deletion NeTV2/src/pcileech_pcie_cfg_a7.sv
Expand Up @@ -211,7 +211,8 @@ module pcileech_pcie_cfg_a7(
// PCIe CFG MGMT
rw[159:128] <= 0; // +010: cfg_mgmt_di
rw[169:160] <= 0; // +014: cfg_mgmt_dwaddr
rw[171:170] <= 0; // SLACK
rw[170] <= 1; // cfg_mgmt_wr_readonly
rw[171] <= 1; // cfg_mgmt_wr_rw1c_as_rw
rw[175:172] <= 4'hf; // cfg_mgmt_byte_en
// PCIe PL PHY
rw[176] <= 0; // +016: pl_directed_link_auton
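Review bot: The default rw[170] <= 1; // cfg_mgmt_wr_readonly changes behaviour rather than just exposing a register: pcileech_pcie_a7.sv previously hard-wired cfg_mgmt_wr_readonly to 1'b0, and it now comes up as 1, so configuration management writes can modify read-only fields unless software clears the bit. If that is intended, say so in the comment and in the v4.4 release notes; if not, default it to 0. The two new lines should also use sized literals (1'b1), as the neighbouring 4'hf does.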
Expand Down Expand Up @@ -257,6 +258,8 @@ module pcileech_pcie_cfg_a7(
assign ctx.cfg_dsn = rw[127:64];
assign ctx.cfg_mgmt_di = rw[159:128];
assign ctx.cfg_mgmt_dwaddr = rw[169:160];
assign ctx.cfg_mgmt_wr_readonly = rw[170];
assign ctx.cfg_mgmt_wr_rw1c_as_rw = rw[171];
assign ctx.cfg_mgmt_byte_en = rw[175:172];

assign ctx.pl_directed_link_auton = rw[176];
34 changes: 17 additions & 17 deletions NeTV2/src/pcileech_pcie_tlp_a7.sv
Expand Up @@ -94,7 +94,9 @@ module pcileech_pcie_tlp_a7(
.clk_fifo ( clk_100 ),
.clk ( clk_pcie ),
.rst ( rst ),
.dfifo ( dfifo ),
.dfifo_tx_data ( dfifo.tx_data ),
.dfifo_tx_last ( dfifo.tx_last ),
.dfifo_tx_valid ( dfifo.tx_valid ),
.tlp_out ( fifo_tlp )
);

Expand Down Expand Up @@ -168,7 +170,6 @@ module pcileech_pcie_cfgspace(
bit bram_valid; // bram valid
bit bram_supress_onwr; // bram supress (= Cpl packet on Wr)
bit [7:0] bram_tag;
bit [4:0] bram_addr_dw;
bit [15:0] bram_requester_id;
wire [31:0] bram_data1;
wire [31:0] bram_data2 = dcfgspacewr.cfgtlp_zero ? 32'h00000000 : bram_data1;
Expand All @@ -189,18 +190,17 @@ module pcileech_pcie_cfgspace(
bram_valid <= snoop_valid_rd;
bram_supress_onwr <= snoop_valid_wr;
bram_tag <= snoop_tag;
bram_addr_dw <= snoop_addr_dw[4:0];
bram_requester_id <= snoop_requester_id;
end

// ------------------------------------------------------------------------
// COMPLETION TLP generation and buffering below:
// ------------------------------------------------------------------------
wire [63:0] cplrd_tlp_data_qw1 = { tlp_pcie_id, 16'h04, 32'b01001010000000000000000000000001 };
wire [63:0] cplrd_tlp_data_qw2 = { bram_data2, bram_requester_id, bram_tag, 1'b0, bram_addr_dw, 2'b00 };
// ------------------------------------------------------------------------
wire [63:0] cplrd_tlp_data_qw1 = { tlp_pcie_id, 16'h0004, 32'b01001010000000000000000000000001 };
wire [63:0] cplrd_tlp_data_qw2 = { bram_data2, bram_requester_id, bram_tag, 8'h00 };
wire [127:0] cplrd_tlp_data = { cplrd_tlp_data_qw2, cplrd_tlp_data_qw1 };
wire [63:0] cplwr_tlp_data_qw1 = { tlp_pcie_id, 16'h00, 32'b00001010000000000000000000000000 };
wire [63:0] cplwr_tlp_data_qw2 = { 32'h00000000, bram_requester_id, bram_tag, 1'b0, bram_addr_dw, 2'b00 };
wire [63:0] cplwr_tlp_data_qw2 = { 32'h00000000, bram_requester_id, bram_tag, 8'h00 };
wire [127:0] cplwr_tlp_data = { cplwr_tlp_data_qw2, cplwr_tlp_data_qw1 };
wire [128:0] cpl_tlp_data = { bram_valid, (bram_valid ? cplrd_tlp_data : cplwr_tlp_data)};

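Review bot: In cplrd_tlp_data_qw2 and cplwr_tlp_data_qw2 the former { 1'b0, bram_addr_dw, 2'b00 } field is replaced by a bare 8'h00 with no explanation. Add a comment that this byte is the reserved bit plus the Lower Address field and why it is now forced to zero for these completions, so the constant is not mistaken for padding. For consistency, cplwr_tlp_data_qw1 still uses 16'h00 where the read path was widened to 16'h0004; writing it as 16'h0000 would match.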
Expand Down Expand Up @@ -229,12 +229,11 @@ endmodule
module tlp128_sink_mux1 (
input clk,
input rst,

IfPCIeTlpRxTx.source tlp_tx,
IfTlp128.sink p0,
IfTlp16.sink p1,
IfTlp64.sink p2,
input [3:0] pX_en
input [2:0] pX_en
);
reg [66 * 18 - 1 : 0] tlp = 0;

Expand Down Expand Up @@ -268,8 +267,9 @@ module tlp128_source_fifo (
input clk_fifo,
input clk,
input rst,

IfPCIeFifoTlp.mp_pcie dfifo,
input [31:0] dfifo_tx_data,
input dfifo_tx_last,
input dfifo_tx_valid,
IfTlp128.source tlp_out
);
// data ( pcie_tlp_tx_din / tlp_din ) as follows:
Expand All @@ -282,18 +282,18 @@ module tlp128_source_fifo (
reg [31:0] d_pcie_tlp_tx_data;
reg d_pcie_tlp_tx_valid = 1'b0;

assign pcie_tlp_tx_din[31:0] = d_pcie_tlp_tx_valid ? d_pcie_tlp_tx_data : dfifo.tx_data;
assign pcie_tlp_tx_din[63:32] = dfifo.tx_data;
assign pcie_tlp_tx_din[64] = dfifo.tx_last;
assign pcie_tlp_tx_din[31:0] = d_pcie_tlp_tx_valid ? d_pcie_tlp_tx_data : dfifo_tx_data;
assign pcie_tlp_tx_din[63:32] = dfifo_tx_data;
assign pcie_tlp_tx_din[64] = dfifo_tx_last;
assign pcie_tlp_tx_din[65] = d_pcie_tlp_tx_valid;
assign pcie_tlp_tx_wren = dfifo.tx_valid & ( dfifo.tx_last | d_pcie_tlp_tx_valid );
assign pcie_tlp_tx_wren = dfifo_tx_valid & ( dfifo_tx_last | d_pcie_tlp_tx_valid );

always @ ( posedge clk_fifo )
if( rst )
d_pcie_tlp_tx_valid <= 1'b0;
else if ( dfifo.tx_valid )
else if ( dfifo_tx_valid )
begin
d_pcie_tlp_tx_data <= dfifo.tx_data;
d_pcie_tlp_tx_data <= dfifo_tx_data;
d_pcie_tlp_tx_valid <= ~pcie_tlp_tx_wren;
end
