Disclaimer: The code in this repo can cause PERMANENT DAMAGE to your server. Use at your own risk.
This repo contains the supplementary materials for the paper "PMFault: Faulting and Bricking Server CPUs through Management Interfaces", which will appear in CHES 2023.
Check our website for a brief introduction of the PMFault attack.
PMFaut paper is available on CHES Website.
- x11-undervolt_from_rpi: PoC of undervolting via raspberry pi, used in initial investigation
- x11-FirmwareRepacking: PoC of firmware repacking to enable SSH access to BMC
- x11-BMC-DMA-PMBus: PoC of PMBus voltage control via code execution on BMC
- brick.c : overvolt and brick the CPU
- undervolt.c : undervolt and inject fault to SGX
- x11-voltage-change-with-ipmitool: Steps for changeing the voltage via ipmitool (over lan/kcs)
The target of the fault injection is the same as those used in PlunderVolt
- asrock-pmbus-powerdown: PoC of powerdown via PMBus for ASRock motherboard, execute with root privilege on CPU
- pmbusdetect: PMBusDetect tool for detecting the connection between CPU/BMC and VRM.
- currently it support ISL68137 and MP2955, welcome to add support for other VRM by opening an issue or pull request.
If you are using the OS provided i2c bus (/dev/i2c-X
) to communicate with PMBus, you'll need to:
- Load the kernel module to enable i2c bus, different motherboard may need different kernel module, check which one to use at here
sudo modprobe i2c-i801
works for Supermicro X11. libi2c
library is required for buildingPMBusDetect
,asrock-pmbus-powerdown
andx11-undervolt_from_rpi
, you can install it withsudo apt-get install -y libi2c-dev
or compile from source: i2c-tools
@article{Chen_Oswald_2023,
title={PMFault: Faulting and Bricking Server CPUs through Management Interfaces: Or: A Modern Example of Halt and Catch Fire},
author={Chen, Zitai and Oswald, David},
year={2023},
month={Mar.},
journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
volume={2023},
number={2},
pages={1–23}
url={https://tches.iacr.org/index.php/TCHES/article/view/10275},
DOI={10.46586/tches.v2023.i2.1-23}
}