The way it works is that the USB3380 chip has usb endpoints - PCIIN and PCIOUT - that give the usb host the ability to generate any kind of PCIe packet. It doesn't give full control of all header fields, but you can issue mem, io, and cfg reads and writes. Inception only scratches the surface, but is an easy and cool demonstration. Right now it's pretty slow, but i believe that's due to pyusb/libusb and a few other inefficiencies. theoretically it should be able to dump 4gb of memory in a matter of seconds, not 40 minutes.
https://www.youtube.com/watch?v=SvnvOXXAxaI
The PLX USB3380 is available for about $15. A custom DIY PCB is in progress but not ready yet. USB3380 reference boards work fine but need firmware to be flashed. They can be aquired from PLX as part of a costly kit, or bought directly form the distributor, Bplus technologies. All of the below are the same company:
http://www.bplus.com.tw/PLX.html
http://www.hwtools.net/PLX.html
http://www.aliexpress.com/store/group/PLX-Series/706012_250803066.html
- USB3380, both in PCIe adapter and ExpressCard adapters
- PP3380 - but this card ships with a large EEPROM that requires 2-byte addressing, see below
- OWC Mercury Helios TB enclosure
- Sonnet Echo Pro TB enclosure
- EC3380-AB small expresscard, EEPROM does not appear to work properly, so it can't work at all without PCIe-side drivers. This is a bummer cause it would've been a very compact combo with the sonnet echo pro.
All the months of toiling trying to prototype with linux usb gadget drivers were overcomplicated and went nowhere. If you build an eeprom image all you have to do is set a usb enabled bit after pcie powers up. All the other default settings are actually completely sufficient to make it all work. SLOTSCREAMER.bin is attached. PLX provides windows and linux tools to program the firmware, or you could use a hardware programmer. To use the plx tools:
- download sdk, linux package only, from: https://www.broadcom.com/products/pcie-switches-bridges/software-dev-kit
- unzip, then untar
- export PLX_SDK_DIR=..pathtofiles/PlxSdk
- cd PlxSdk/PlxApi
- make
- cd ../Driver
- ./builddriver Svc
- cd ../
- ./Bin/Plx_load Svc
- cd Samples/PlxCm
- make
- ./App/PlxCm
PlxCm is their command line interface. it should automatically choose your usb3380. type: show current eeprom state: "eep" load slotscreamer config: "eep_load SLOTSCREAMER.bin" confirm loading: "eep"
That's it, your usb3380 reference board is now a SLOTSCREAMER
You have to bridge jumper 3 to connect the eeprom.
The PP3380 uses the 3.3Vaux power rail by default (blue LED on the card will light up when power is present). Unfortunately, this power rail is optional in some configurations (such as SFF-8639) and may not be available. If power cannot be supplied to the 3.3Vaux input, The PP3380 appears to be reconfigurable to use main 3.3V power by moving a surface mount resistor.
The PP3380 may have a larger eeprom that requires two-byte addressing, which PlxCm doesn't do by default. In that case use PlxEe and specify the address width and file to load.
- cd Samples/PlxEe
- make
- ./App/PlxEe -w 2 -l slotscreamer.bin
Slotscreamer support is now incorporated upstream into inception, so this fork is no longer current. https://github.com/carmaa/inception
- ./inception_pci contains a version of inception designed for SLOTSCREAMER
- ./slotscreamer-test.py is a simple set of test functions ot make sure it works
We have not thoroughly tested inception for passoword bypass. In the near future, we intend to go through the list of known working OSs that inception can bypass and confirm it works of debug why it doesn't
The changes are essentially:
- added a SLOTSCREMER class to inception/util.py modeled after MemoryFile
- added necessary imports to util.py
- added pciemode to cfg.py and -N NativePCIe option in incept
- added switches for pcimode to both screenlock.py and memdump.py
- implemented caching for reads
- implemented cache invalidation after writes
- implemented proper responses to non-dword-aligned accesses