GPU Turned Into Radio Transmitter To Defeat Air-Gapped PC

Another week, another exploit against an air-gapped computer. And this time, the attack is particularly clever and pernicious: turning a GPU into a radio transmitter.

The first part of [Mikhail Davidov] and [Baron Oldenburg]’s article is a review of some of the basics of exploring the RF emissions of computers using software-defined radio (SDR) dongles. Most readers can safely skip ahead a bit to section 9, which gets into the process they used to sniff for potentially compromising RF leaks from an air-gapped test computer. After finding a few weak signals in the gigahertz range and dismissing them as attack vectors due to their limited penetration potential, they settled on the GPU, a Radeon Pro WX3100, and specifically on the power management features of its AMD chipset.

With a GPU benchmarking program running, they switched the graphics card’s shader clock between its two lowest power states, which produced a strong signal on the SDR waterfall at 428 MHz. They were able to receive this signal up to 50 feet (15 meters) away, perhaps to the annoyance of nearby hams, as this is plumb in the middle of the 70-cm band. Toggling between two states is theoretically enough to exfiltrate data, but at a painfully low bitrate, since each switch carries at most one bit. So they improved the exploit by forcing the graphics driver to vary the shader clock frequency in one megahertz steps, which gives the transmitter many distinguishable states and allows higher-throughput encoding schemes. You can hear the change in signal caused by different graphics being displayed in the video below; one doesn’t need much imagination to see how malware could leverage this to exfiltrate pretty much anything on the computer.
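To make the encoding step concrete, here is an added example (not code from the original article, nor from [Davidov] and [Oldenburg]’s tooling): a Python simulation of the modulation the paragraph describes. It treats the 428 MHz emission as tone 0 and each one megahertz shader-clock step as the next tone, packs two bits into each of four tones (4-FSK), wraps the payload in a preamble and a CRC-8 so a receiver can sync and reject corrupted frames, and then decodes a list of observed peak frequencies back into bytes. The `set_clock` callback stands in for whatever driver interface actually sets the shader clock (the excerpt does not name it); the tone spacing, frame layout and preamble are assumptions chosen for illustration, and nothing here touches hardware.

```python
"""Simulated GPU-clock RF covert channel (illustrative only; no hardware access).

bytes -> 4-FSK symbols -> shader-clock setpoints (MHz) -> observed SDR peaks -> bytes
Frequencies and frame layout are assumptions chosen for this example.
"""
from typing import Callable, List, Optional, Sequence

BASE_MHZ = 428.0         # assumed tone 0: the 428 MHz emission reported in the article
STEP_MHZ = 1.0           # one shader-clock step per tone, as described in the text
TONES = 4                # 4-FSK: tones at BASE + {0,1,2,3} * STEP, i.e. 2 bits per symbol
PREAMBLE = [0, 3, 0, 3]  # alternating extreme tones so the receiver can find frame start


def crc8(data: bytes) -> int:
    """CRC-8 with polynomial 0x07, used as the frame check sequence."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def bytes_to_symbols(data: bytes) -> List[int]:
    """Split each byte into four 2-bit symbols, most significant pair first."""
    return [(byte >> shift) & 0b11 for byte in data for shift in (6, 4, 2, 0)]


def symbols_to_bytes(symbols: Sequence[int]) -> bytes:
    """Reassemble 2-bit symbols into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(symbols) - len(symbols) % 4, 4):
        value = 0
        for s in symbols[i:i + 4]:
            value = (value << 2) | s
        out.append(value)
    return bytes(out)


def frame(payload: bytes) -> List[int]:
    """Preamble + length byte + payload + CRC-8, expressed as 2-bit symbols."""
    if len(payload) > 255:
        raise ValueError("payload too long for the one-byte length field")
    body = bytes([len(payload)]) + payload + bytes([crc8(payload)])
    return PREAMBLE + bytes_to_symbols(body)


def transmit(payload: bytes, set_clock: Callable[[float], None]) -> List[float]:
    """Call set_clock once per symbol and return the setpoint sequence in MHz.

    set_clock is a stand-in for the driver interface that changes the shader
    clock; the example passes a stub so it runs without a GPU.
    """
    setpoints = [BASE_MHZ + s * STEP_MHZ for s in frame(payload)]
    for mhz in setpoints:
        set_clock(mhz)
    return setpoints


def receive(observed_mhz: Sequence[float]) -> Optional[bytes]:
    """Map observed peak frequencies to symbols, sync on the preamble, verify the CRC.

    Returns the payload, or None when no preamble is found or the frame is corrupt.
    Rounding absorbs small frequency errors in the observation.
    """
    symbols = []
    for f in observed_mhz:
        tone = round((f - BASE_MHZ) / STEP_MHZ)
        symbols.append(min(max(tone, 0), TONES - 1))  # clamp out-of-band peaks
    for i in range(len(symbols) - len(PREAMBLE) + 1):
        if symbols[i:i + len(PREAMBLE)] == PREAMBLE:
            body = symbols_to_bytes(symbols[i + len(PREAMBLE):])
            break
    else:
        return None
    if not body:
        return None
    length = body[0]
    if len(body) < length + 2:
        return None
    payload, check = body[1:1 + length], body[1 + length]
    return payload if crc8(payload) == check else None


if __name__ == "__main__":
    sent = transmit(b"exfil", lambda mhz: None)  # stub: no clock is actually set
    # Constructed "SDR observation": the setpoints with a small frequency error.
    heard = [f + 0.2 for f in sent]
    print(receive(heard))
    # Corrupt one symbol of the length byte; the frame no longer decodes.
    heard[4] = BASE_MHZ + ((round(heard[4] - BASE_MHZ) + 1) % TONES) * STEP_MHZ
    print(receive(heard))
```

In a real attack the `observed_mhz` list would come from peak detection on the SDR waterfall, one peak per symbol period; the point of the example is the throughput arithmetic hiding in the paragraph: two clock states give one bit per switch, while stepping the clock through four distinguishable settings gives two bits per switch, and more steps give more.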

It’s a fascinating hack, and hats off to [Davidov] and [Oldenburg] for revealing this weakness. As with every emanation side channel, though, it only covers the exfiltration half of the job: the malware still has to get onto the air-gapped machine by some other route, run with enough privilege to drive the GPU’s clock controls, and have a receiver within range. We’ll have to throw this on the pile with all the other side-channel attacks [Samy Kamkar] covered in his 2019 Supercon talk.


The Mac That Helped Build The Xbox Rides Again

The original Xbox, released in 2001 by Microsoft, was notable for being built out of largely off-the-shelf PC components. With a custom Pentium III CPU and IDE peripherals, the console was much closer to a contemporary desktop computer than any of the dedicated game consoles which had come before it. Which of course makes perfect sense if you think about it. Microsoft would want to use technology they were intimately acquainted with on their first foray into the gaming market, and if there’s anything Microsoft knows better than forced system updates, it’s x86 computers.

But for their follow-up system, the Xbox 360, Microsoft decided to go with a PowerPC processor they co-developed with IBM. Naturally this meant they needed PowerPC development systems to give to developers, which is how Microsoft ended up briefly distributing PowerMac G5s. [Pierre Dandumont] came into possession of one of these oddball Microsoft-branded Macs, though unfortunately the hard drive had been wiped. But with the help of a leaked drive image and some hardware sleuthing, he’s now got the machine up and running just like it was when Microsoft was sending them to developers between 2003 and 2005.

Since you’re reading this on Hackaday, you might have guessed there was a little more to the story than just downloading an ISO and writing it to the hard drive of a PowerMac G5. There’s apparently some debate in the community about whether or not it’s some form of rudimentary DRM on Microsoft’s part, but in any event, the development kit operating system will only run on a G5 with very specific hardware. So the challenge is not only figuring out what hardware the software is looking for, but finding it and getting it installed over a decade after its prime.

Most of the required hardware, like the Intel 741462-010 network card or the 160 GB Seagate ST3160023AS hard drive, was easy enough to track down on eBay. But the tricky one was finding a Mac version of the ATi Radeon X800 XT. [Pierre] ended up getting a much more common ATi FireGL X3 and flashing it with the Mac X800 firmware. This is a little easier said than done, as depending on which manufacturer made the memory on your specific video card you have to fiddle with the clock speeds to get a usable image, but in the end he found the winning combination and the development kit OS booted up with his hacked graphics card.

So what does all this get you in 2019? [Pierre] admits nothing terribly useful, but it’s still pretty cool. The system lets you run Xbox and Xbox 360 binaries, and even features the old Xbox 360 “blade” style dashboard. He says that he’s only had limited success getting retail games to actually run on the thing, but if your goal was running Xbox 360 games in 2019 there’s certainly better ways to do that anyway. Like, buying an Xbox 360.

We’ve previously talked about the Xbox 360’s rather unusual processor, but around these parts we more often see projects which involve tearing Microsoft’s sophomore console apart than digging into how it actually worked.


STM32 Driving A PCIe Video Card

[Gpuhackr] chose his username to explain exactly how he spends his time. For instance, here he’s using an STM32 Discovery board to drive an AMD Radeon HD 2400 graphics card. The ARM microcontroller isn’t actually using the PCIe interface on the card. Instead, [Gpuhackr] has patched into the debugging interface built into the card itself. This isn’t quite as straightforward as it sounds, but if you do the wiring carefully it’s a pretty interesting way to connect an ARM to an LCD monitor.

This project would be almost impossible if it weren’t for the open source code which AMD has released. This lets him implement the card’s 3D rendering features. The demo directly programs the UVD Xtensa CPU which is on the video card. It draws a cube with color gradients on each side. The cube spins while the debug information is overlaid on the screen. In this case the ARM chip/board is really being used as a programmer to upload some custom firmware. But we think a real code-ninja could implement a communications protocol to open up a simple way to drive the card in real-time.

[Thanks uMinded]