PCILeech and MemProcFS allow for easy-to-use DMA attacks and hardware-assisted memory analysis. This is possible since PCI Express supports DMA. Unfortunately, production of compatible hardware, such as the Screamer series, has been hit hard by the global silicon shortage.
The goal with this project is to modify the Acorn CLE-215+ / Nitefury / Litefury FPGA boards, in a short time frame and on a relatively tight budget, to support PCILeech and MemProcFS at around 20-25MB/s.
|Acorn CLE-215+ and LiteFury.|
PCILeech traditionally connects to the FPGA device over USB3, resulting in DMA speeds around 150MB/s. The now sold-out FTDI FT601 chip is used in synchronous FT245 mode to achieve this. The FT601 uses 40 signals between itself and the FPGA.
The goal with this project is to modify the Acorn CLE-215+ / Nitefury / Litefury to support the FTDI FT2232H USB2 chip. In FT245 mode this should allow for DMA transfer speeds around 20-25MB/s. This should allow PCILeech to work with the CLE-215+ with relatively minor software modifications.
Alternatives that do not include hardware modifications would be UART (slow) or a carrier board with an additional FPGA/chips (expensive and complex to design). The goal of this project was to create something low-cost in a limited time frame.
The FT2232H is readily available, and an inexpensive mini module exists for labs. In this project the FT2232H-56Q mini module, which has a micro-USB2 connector, will be used.
In FT245 mode we require 15 signals: 8 data, 1 clock and 6 additional control signals. To make things even worse, the FT2232H runs at 3.3V while the Acorn only has 4 GPIOs at 3.3V and 8 GPIOs at 2.5V. Also, none of the GPIOs on the Acorn are clock capable, i.e. possible to use as a clock input pin.
Two hardware modifications are required:
1) Make the 2.5V GPIOs 3.3V. This is done by removing a 3.3V to 2.5V voltage regulator and connecting the 2.5V power rail to 3.3V. This has been previously discussed. The schematics also support this change and it should have few or no side effects.
2) Desolder LED2, LED3 and LED4 and use the FPGA connections as three additional GPIOs. The FPGA PIN driving LED4 is also clock capable which is great!
In addition to the above, a custom JTAG connector cable may have to be created.
- Molex crimp tool.
- Hot-air rework station.
- JTAG programmer cable.
- Soldering paste.
JTAG connector cable
- Cut the purchased Pico-EzMate cable in half.
- Then crimp standard Molex connectors on the cable endings.
- Then insert the crimped connectors into the housing to get a working JTAG cable adapter. Make sure the Pico-EzMate JTAG PINs are mapped to the correct PINs on your JTAG programming cable according to the pinout in (4).
Parts list custom JTAG connector cable:
Modification #1 - 2.5V to 3.3V
|2.5V voltage regulator U11 and schematics extracts.|
Now let's remove U11 using a hot-air rework station and short the 2.5V power rail to the 3.3V power rail. The removal of U11 is likely to be destructive: the part is likely to fall apart. Please take great care not to damage the Acorn / LiteFury. If you are not familiar with work like this, please practice on scrap components before attempting it!
|Hot-air rework station setup.|
The topmost image below shows the Acorn after the U11 power regulator has been removed. In order to connect the 2.5V power rail to 3.3V, a tiny amount of ChipQuik soldering paste as well as a tiny cable fragment is applied on the three "topmost" power regulator pads, as shown in the bottom image below. Hot air is applied to make the modification permanent. Now the modification is complete and the Acorn 2.5V GPIOs have become 3.3V.
Modification #2 - LEDs to GPIOs
FPGA/FT2232H custom signal cable
Parts list custom signal cable:
Flashing FT2232H and FPGA
PCILeech DMA attacks and MemProcFS memory analysis
|Dumping memory using the Acorn with PCILeech PCIe DMA attacks.|
|MemProcFS live memory analysis with the Acorn CLE-215+ works nicely.|