Inception - Attacking FireWire Devices

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It it primarily attended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn't pack encryption.

As of version 0.3.5, it is able to unlock the following x86 and x64 operating systems:
OSVersionUnlock lock screenEscalate privilegesDump memory < 4 GiB
Windows 88.1YesYesYes
Windows 88.0YesYesYes
Windows 7SP1YesYesYes
Windows 7SP0YesYesYes
Windows VistaSP2YesYesYes
Windows VistaSP1YesYesYes
Windows VistaSP0YesYesYes
Windows XPSP3YesYesYes
Windows XPSP2YesYesYes
Windows XPSP1Yes
Windows XPSP0Yes
Mac OS XMavericksYes (1)Yes (1)Yes (1)
Mac OS XMountain LionYes (1)Yes (1)Yes (1)
Mac OS XLionYes (1)Yes (1)Yes (1)
Mac OS XSnow LeopardYesYesYes
Mac OS XLeopardYes
Ubuntu (2)SaucyYesYesYes
UbuntuMaverickYes (3)Yes (3)Yes
UbuntuLucidYes (3)Yes (3)Yes
Linux Mint13YesYesYes
Linux Mint12YesYesYes
Linux Mint12YesYesYes

(1): If FileVault 2 is enabled, the tool will only work when the operating system is unlocked. (2): Other Linux distributions that use PAM-based authentication may also work using the Ubuntu signatures. (3): x86 only.

The tool also effectively enables escalation of privileges, for instance via the runas or sudo -s commands, respectively. More signatures will be added. The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Disqus Comments