Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA.

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA.

Update 12-01.2015:  for Caveats section [OS X > 10.7.2] [6] and [Windows > 8.1] [7]

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works:
– Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.
– Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
– After running that module you should be able to log into the victim machine using any password.
– An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.

OS X > 10.7.2 and Windows > 8.1 disables FireWire DMA when the user has locked the OS and thus prevents inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules. Look for vtd[0] fault entries in your log/console.


Inception requires:
— Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
— Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
— Python 3
— git
— gcc (incl. g++)
— cmake
— pip (for automatic resolution of dependencies)
— msgpack

*) Caveats

  • Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool look for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, search for encryption keys.
  • You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that doesn’t map to hardware RAM.
  • OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for  versions before 10.7.2, where the vulnerability is patched.
  • If you have a OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

Key data:
Version: 0.4.0
License: GPL
Author: Carsten Maartmann-Moe ( AKA ntropy
Twitter: @breaknenter
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

On Debian-based distributions the installation command lines can be summarized as:

On OS X, you can install the tool requirements with homebrew:

After installing the requirements, download and install libforensic1394:

 Download and install Inception

The setup script should be able to install dependencies if you have pip  installed.

General usage :
1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
2. Run Inception
Simply type:

For a more complete and up-to-date description,  run:

 For Source & More Detail read here :

Disclaimer from Developers:
Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.