Inception - Attacking FireWire Devices

Friday, May 30, 2014


Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered-on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

As of version 0.3.5, it is able to unlock the following x86 and x64 operating systems:
OS            Version         Unlock lock screen   Escalate privileges   Dump memory < 4 GiB
Windows 8     8.1             Yes                  Yes                   Yes
Windows 8     8.0             Yes                  Yes                   Yes
Windows 7     SP1             Yes                  Yes                   Yes
Windows 7     SP0             Yes                  Yes                   Yes
Windows Vista SP2             Yes                  Yes                   Yes
Windows Vista SP1             Yes                  Yes                   Yes
Windows Vista SP0             Yes                  Yes                   Yes
Windows XP    SP3             Yes                  Yes                   Yes
Windows XP    SP2             Yes                  Yes                   Yes
Windows XP    SP1             -                    -                     Yes
Windows XP    SP0             -                    -                     Yes
Mac OS X      Mavericks       Yes (1)              Yes (1)               Yes (1)
Mac OS X      Mountain Lion   Yes (1)              Yes (1)               Yes (1)
Mac OS X      Lion            Yes (1)              Yes (1)               Yes (1)
Mac OS X      Snow Leopard    Yes                  Yes                   Yes
Mac OS X      Leopard         -                    -                     Yes
Ubuntu (2)    Saucy           Yes                  Yes                   Yes
Ubuntu        Raring          Yes                  Yes                   Yes
Ubuntu        Quantal         Yes                  Yes                   Yes
Ubuntu        Precise         Yes                  Yes                   Yes
Ubuntu        Oneiric         Yes                  Yes                   Yes
Ubuntu        Natty           Yes                  Yes                   Yes
Ubuntu        Maverick        Yes (3)              Yes (3)               Yes
Ubuntu        Lucid           Yes (3)              Yes (3)               Yes
Linux Mint    13              Yes                  Yes                   Yes
Linux Mint    12              Yes                  Yes                   Yes

(1): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked.
(2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures.
(3): x86 only.

The tool also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively. More signatures will be added. The tool makes use of the libforensic1394 library, courtesy of Freddie Witherden, under an LGPL license.
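
For defenders who want to know whether a Linux host leaves the FireWire SBP-2 DMA path described above reachable, the following added example (not part of Inception or of the original post) classifies the kernel's FireWire modules from the text of /proc/modules and modprobe.d configuration. The module list, function names and sample inputs are assumptions constructed for illustration.

```python
# Assumed scope: current firewire-* drivers plus the legacy ieee1394 stack.
FIREWIRE_MODULES = ("firewire_core", "firewire_ohci", "firewire_sbp2",
                    "ieee1394", "ohci1394", "sbp2")
NOOP_COMMANDS = ("/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true")

def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent
    return name.replace("-", "_")

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules text (first field of each line)."""
    return {_norm(l.split()[0]) for l in proc_modules_text.splitlines() if l.strip()}

def modprobe_policy(conf_text):
    """Return (blacklisted, install_blocked) module sets from modprobe.d text."""
    blacklisted, blocked = set(), set()
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "blacklist":
            blacklisted.add(_norm(parts[1]))
        elif len(parts) >= 3 and parts[0] == "install" and parts[2] in NOOP_COMMANDS:
            blocked.add(_norm(parts[1]))
    return blacklisted, blocked

def audit(proc_modules_text, conf_text):
    """Map each FireWire module to LOADED, blocked, blacklist-only or loadable."""
    loaded = loaded_modules(proc_modules_text)
    blacklisted, blocked = modprobe_policy(conf_text)
    report = {}
    for mod in FIREWIRE_MODULES:
        if mod in loaded:
            report[mod] = "LOADED"          # driver is active right now
        elif mod in blocked:
            report[mod] = "blocked"         # modprobe runs a no-op instead
        elif mod in blacklisted:
            # 'blacklist' only stops alias autoloading; explicit loads still work
            report[mod] = "blacklist-only"
        else:
            report[mod] = "loadable"
    return report

# Constructed sample inputs (not captured from a real host)
SAMPLE_PROC_MODULES = ("firewire_ohci 40409 0 - Live 0xffffffffa0000000\n"
                       "firewire_core 68769 1 firewire_ohci, Live 0xffffffffa0010000\n")
SAMPLE_CONF = "blacklist firewire-sbp2\ninstall ohci1394 /bin/false\n"

if __name__ == "__main__":
    for mod, state in audit(SAMPLE_PROC_MODULES, SAMPLE_CONF).items():
        print(f"{mod:15} {state}")
```

On a real host, pass in the contents of /proc/modules and the concatenated files under /etc/modprobe.d; any module reported as LOADED, loadable or blacklist-only means the FireWire stack can still be brought up on that machine.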


