All About DMA Cheats – Questions, Myths, and Realities 💬🛡️

[Kmizzoii]

Hey everyone! 👋

I've been diving deep into the world of DMA (Direct Memory Access) cheats for games like R6S, Apex Legends, Tarkov, CS2, and others protected by EAC (Easy Anti-Cheat) and Vanguard (VGK). Despite spending hours reading forums and guides, there's still a ton of misinformation, myths, and unanswered questions floating around.

So, I wanted to start an open and organized discussion where we can clarify technical details, share experiences, and address key questions.


🧠 ❓ Key Questions I Have:

1️⃣ DMA Hardware: Cards and Setup

• What's the real difference between 35T, 75T, and 100T cards?
• Does using PCIe vs M.2 have any impact on detection?
• Are cheaper cards bought directly from TaoBao reliable, or do they come with hidden risks?
• Which trusted vendors are still worth buying from in 2024?

2️⃣ DMA Firmware: Public vs Private

• Are public firmwares (like Ekknod's Wifi 2.0) enough for games like R6?
• What's the actual difference between "Custom," "1:1 Config Space," and "Full Emulated" firmware?
• Are those overpriced firmwares ($200-$500) actually safer, or is it just marketing hype?
• Why do some firmwares remain "UD" (Undetected) for months while others get flagged immediately?

3️⃣ Anti-Cheat Detection: Truth or Myth?

• If the cheat operates on a second PC, why is there still a risk of detection?
• How can anticheats (like EAC, Vanguard) detect a DMA card if it’s controlled from another machine?
• Are techniques like "Timing Checks," "TLP Checks," and "PCIe Scans" real threats, or are they overblown myths?
• Does the connection type (PCIe vs M.2) affect the likelihood of detection?

4️⃣ Security and Risks: Detection, Bans, and Behavior

• Is it really risky to use a detected cheat or a free public firmware on a second PC?
• If the cheat is detected on the second PC, how can it impact the first PC?
• Are bans purely from software detection, or do in-game behavior and patterns also play a key role?
• Is an "UD firmware" actually a guarantee, or just a temporary status?

5️⃣ The DMA Market: Scams and Reality

• Why are so many vendors inflating prices for cards and firmware?
• Which vendors or platforms are still trustworthy for DMA hardware and firmware?
• Are cards bought directly from TaoBao the same as those resold at 2-3x the price?
• Are there reliable ways to verify firmware stability and safety before purchasing?

🚀 Why I’m Starting This Discussion:

• Clarify common myths and misinformation about DMA cheats.
• Get concrete technical answers on detection and protection methods.
• Share experiences from seasoned users.
• Help avoid scams and overpriced firmware traps.

🛡️ 💡 My Main Question: Detected Cheats vs First PC Safety

One thing that’s been bugging me is:
👉 If you use a detected cheat or free public firmware on a second PC, does it really pose any risk to the first PC where the anti-cheat is running?

In theory, the cheat operates entirely on the second PC, and the anti-cheat on the first PC shouldn’t see anything. Yet, we keep hearing about bans even in two-PC setups.

• Is it because cheat effects are still visible in memory?
• Could it be due to PCIe anomalies or mismatched TLP responses?
• Or is there another layer of detection we're missing?

📝 🎯 Share Your Knowledge, Experiences, and Recommendations!

• If you have answers to any of the above questions, drop them here!
• If you know reliable vendors, cards, or firmware, let me know.
• If you've had first-hand experiences with bans or detections, your insights are incredibly valuable.

The goal here is to create a central knowledge hub where both newcomers and experienced users can make informed decisions and avoid costly mistakes.

Let’s shed light on this complicated topic together! 🎤😊

[f3me]

What's the real difference between 35T, 75T, and 100T cards?

Artix-7 35T, 75T, and 100T r all members of the Xilinx Artix-7 FPGA family. The primary differences between them lie in their logic resources and performance capabilities for example has the 35t 1,5mb block RAM and the 100t 4,8mb. For your daily dma case the 35t is not the problem as the bottleneck comes from the ftdi gate not from the 35t.

Does using PCIe vs M.2 have any impact on detection?

For DMA the formfactor M.2 is used with pcie x4. There are only theoretical detection methods for timing checks for example. Atm we dont see any of these timing checks in the wild as they are far too hard. Depending on the hardware, the latencies fluctuate far too much. in theory, such attacks are possible, but they are not currently used due to the massive effort involved. There are simply much more elegant ways to catch dma. For me there are no other normal detectionsvectors depending on x4 lane.

if interested you can look into diffrent papers for this topic like:

SBAP: Software-Based Attestation for Peripherals by Yanlin Li, Jonathan M. McCune, and Adrian Perrig

VIPER: Verifying the Integrity of PERipherals’ Firmware by Yanlin Li, Jonathan M. McCune, and Adrian Perrig

Timing Attacks with PCIe Congestion Side-channel by Mingtian Tan∗, Junpeng Wan∗, Zhe Zhou†

Are cheaper cards bought directly from TaoBao reliable, or do they come with hidden risks?

Fakecard like the famous leet fake called mvp dma are in most cases working. But its not super rare that those cards are facing quality issues in speeds for example.

What's the actual difference between "Custom," "1:1 Config Space," and "Full Emulated" firmware?


This whole thing has grown historically. When PCILeech DMA started becoming a thing around 2016, both sides—cheaters and anti-cheat developers—were still completely overwhelmed by the topic. Neither side had qualified personnel. Due to the high costs and the lack of well-documented and patched PCILeech at the time, there were very few compatible FPGAs, cheats, or firmware coders.

The first firmware versions back in 2016/2017 did nothing more than change PCILeech's stock VID (Vendor ID) and PID (Product ID). All other values remained unchanged. This allowed the device to present itself to the target PC as, for example, device XX from company XX. But this was only very superficial. If you put a Ferrari sticker on an old Opel Corsa, it still looks like an Opel Corsa...

Over time, more people started working on firmware, leading to the first major change. Anti-cheat systems noticed that the config space of stock PCILeech devices was identical to those that pretended to be Ferraris. As a result, it was no longer just the VID and PID being altered; the config space (pcileech_configspace.coe) was also modified to deviate from stock PCILeech. Additionally, DSR was tweaked a bit, and minor adjustments were made to the PCI IP core. And voilà, everything worked again—for the time being.

However, what actually changed was as follows: Previously, only the VID and PID were changed, like slapping a sticker on the front of a car. Everyone was still driving the same Opel Corsa, just with different stickers—some with Ferrari, some with Porsche, and others maybe with Mazda. After these changes, everyone had a different car. It was now, for example, a Ford Ka with a Ferrari sticker or a VW Polo with a Porsche sticker. I hope this analogy makes sense.

Then, in 2021, BattlEye came up with a clever idea. They discovered that if you send packets to a DMA card that the card doesn’t expect, it responds with a so-called "master abort." Since this was not normal behavior, it became one of the biggest DMA detections at the time. Since then, firmware has been designed to set the "master abort" flag, preventing this issue.

After that, not much changed for quite a while. Many firms started selling pooled firmware and 1:1 firmware. Back then, "1:1" meant that only one user had the same config space. In other words, no one else was driving the same car/sticker combination.

In 2023, Vanguard began taking massive steps against DMA. They had reportedly hired the DMA developer from FACEIT back in 2020, who has been exclusively developing Vanguard's anti-DMA module ever since. Vanguard came up with the idea to block devices they could confidently assume were not actively being used on the PC. In the first few days, people thought Vanguard had fully implemented IOMMU, but that turned out to be false. Instead, they removed the bus master flag from devices they deemed at least "fishy."

Disabling the bus master bit in the config space of the PCI bridge prevents devices behind that bridge from initiating DMA transfers. Vanguard applied this to devices without their own bus master flag and to devices without a valid driver assignment that still had a bus master flag.

For context, the bus master flag allows a device to take control of the bus and initiate read and write processes. Around this time, Ekknod apparently took an interest in this topic. He spent a few days researching and eventually publicly released PCILeech-WiFi as proof of concept. He referred to this at the time as "emulation." Since then, everyone has been calling firmware that allows a driver to load "emulated."

Today, things have progressed significantly. A lot has happened in 2023 and 2024. Due to the fact that high-tier anti-cheat systems are taking major action against DMA, firmware has also evolved. When you read "1:1" today, it no longer means you’re the only person with a specific combination. Instead, it refers to the config space of a real device being copied bit-for-bit. Identical PCI devices don’t have different config spaces. If you buy the same network card five times from Amazon, all five will have the same config space.

"Emulated" has strayed far from Ekknod’s original concept and has become something of a meme. Nowadays, everyone calls their firmware "emulated," and some even make ridiculous claims about "half-emulated" or similar nonsense. Properly emulating or imitating a real device involves much more than just loading a driver or cloning the config space 1:1.

You can’t simply equate "emulated" with "good firmware." More than anything, it comes down to trust in the developer who created the firmware and their expertise. In 90% of the market, that trust is misplaced. Most of these developers are just following guides on ************* or YouTube, cobbling things together without truly understanding what they’re doing.

Sure, this might work for a short while, but when unexpected problems arise (those not covered in the guides), they’re unable to fix them—just like the "Gummibear DTC" issue that hit 90% of the market.

Are those overpriced firmwares ($200-$500) actually safer, or is it just marketing hype?

All firmware based on Ulf Frisk's PCILeech is 95% identical to Ulf Frisk's original code. Only 5% of the work is actually done by the firmware developers. In my opinion, this makes the prices massively overpriced. Especially considering that 95% of the firmware developers in the market don’t truly understand what they’re doing and are simply following guides that anyone could follow themselves. Of course, there are projects outside of PCILeech or, very rarely, projects from skilled individuals where the money might actually be worth it. However, this doesn’t apply to the vast majority of firmware on the market.

Why do some firmwares remain "UD" (Undetected) for months while others get flagged immediately?

Currently, NICs (Network Interface Cards) are particularly popular among firmware developers. Many of the necessary resources are freely available on GitHub, making it easy to copy-paste solutions and sell them quickly for a profit. There's a reason why so many people are selling Realtek network cards and so few are using Intel i221, for example. The BAR controller for loading the Realtek driver is available on GitHub, whereas the one for Intel is not.

In general, only poorly made firmware gets detected. Especially with EAC, which hasn’t yet implemented truly advanced detection techniques. If a firmware is caught by EAC, it means the developer made a significant mistake. All truly modern and well-made firmware has never been detected by EAC.

How can anticheats (like EAC, Vanguard) detect a DMA card if it’s controlled from another machine?

Of course, this is a huge topic. For example, VGK (Vanguard) has detected many different DMA-related issues over the past few years. Back then, VGK blocked all devices that didn’t send typical PCIe interrupts, marking them as inactive devices. Since it took a long time to figure out how VGK differentiated between legitimate and malicious devices, developers came up with the idea of using so-called exploit firmware. These firmware versions deliberately introduced errors that no real device could produce. VGK had to fix each of these exploits individually and teach the anti-cheat how to handle them. Today, almost all of these exploits have been patched, though a few still exist—but they are not public.

At some point, EAC announced that they would outright ban accounts with non-legitimate config spaces (exploits). This led to situations where firmware that still worked on VGK got detected on EAC. Fundamentally, this can be attributed to the different strategies employed by the two anti-cheat systems.
For example, EAC banned "illegal" header types. Legitimate types are 00, 01, 02, and 80, 81, 82. While others technically exist, they are not actually used in practice. If a device had something else in its header type, it resulted in an instant ban.

That said, this wasn’t entirely true, as certain header types were skipped for a long time—probably because they technically existed. But fundamentally, this was the approach.

If you manually modified the values at the end, you could get rid of the subdevices of a Donocard using "@0x40". However, doing so led to bans.

Of course, there have been and still are many other detection methods worth discussing.

[Apu Nahasapeemapetilon]

This thread should get more recognition. Great topic, thanks!

[todayta]

Quote:

Originally Posted by f3me

What's the real difference between 35T, 75T, and 100T cards?

Artix-7 35T, 75T, and 100T r all members of the Xilinx Artix-7 FPGA family. The primary differences between them lie in their logic resources and performance capabilities for example has the 35t 1,5mb block RAM and the 100t 4,8mb. For your daily dma case the 35t is not the problem as the bottleneck comes from the ftdi gate not from the 35t.

Does using PCIe vs M.2 have any impact on detection?

For DMA the formfactor M.2 is used with pcie x4. There are only theoretical detection methods for timing checks for example. Atm we dont see any of these timing checks in the wild as they are far too hard. Depending on the hardware, the latencies fluctuate far too much. in theory, such attacks are possible, but they are not currently used due to the massive effort involved. There are simply much more elegant ways to catch dma. For me there are no other normal detectionsvectors depending on x4 lane.

if interested you can look into diffrent papers for this topic like:

SBAP: Software-Based Attestation for Peripherals by Yanlin Li, Jonathan M. McCune, and Adrian Perrig

VIPER: Verifying the Integrity of PERipherals’ Firmware by Yanlin Li, Jonathan M. McCune, and Adrian Perrig

Timing Attacks with PCIe Congestion Side-channel by Mingtian Tan∗, Junpeng Wan∗, Zhe Zhou†

Are cheaper cards bought directly from TaoBao reliable, or do they come with hidden risks?

Fakecard like the famous leet fake called mvp dma are in most cases working. But its not super rare that those cards are facing quality issues in speeds for example.

What's the actual difference between "Custom," "1:1 Config Space," and "Full Emulated" firmware?


This whole thing has grown historically. When PCILeech DMA started becoming a thing around 2016, both sides—cheaters and anti-cheat developers—were still completely overwhelmed by the topic. Neither side had qualified personnel. Due to the high costs and the lack of well-documented and patched PCILeech at the time, there were very few compatible FPGAs, cheats, or firmware coders.

The first firmware versions back in 2016/2017 did nothing more than change PCILeech's stock VID (Vendor ID) and PID (Product ID). All other values remained unchanged. This allowed the device to present itself to the target PC as, for example, device XX from company XX. But this was only very superficial. If you put a Ferrari sticker on an old Opel Corsa, it still looks like an Opel Corsa...

Over time, more people started working on firmware, leading to the first major change. Anti-cheat systems noticed that the config space of stock PCILeech devices was identical to those that pretended to be Ferraris. As a result, it was no longer just the VID and PID being altered; the config space (pcileech_configspace.coe) was also modified to deviate from stock PCILeech. Additionally, DSR was tweaked a bit, and minor adjustments were made to the PCI IP core. And voilà, everything worked again—for the time being.

However, what actually changed was as follows: Previously, only the VID and PID were changed, like slapping a sticker on the front of a car. Everyone was still driving the same Opel Corsa, just with different stickers—some with Ferrari, some with Porsche, and others maybe with Mazda. After these changes, everyone had a different car. It was now, for example, a Ford Ka with a Ferrari sticker or a VW Polo with a Porsche sticker. I hope this analogy makes sense.

Then, in 2021, BattlEye came up with a clever idea. They discovered that if you send packets to a DMA card that the card doesn’t expect, it responds with a so-called "master abort." Since this was not normal behavior, it became one of the biggest DMA detections at the time. Since then, firmware has been designed to set the "master abort" flag, preventing this issue.

After that, not much changed for quite a while. Many firms started selling pooled firmware and 1:1 firmware. Back then, "1:1" meant that only one user had the same config space. In other words, no one else was driving the same car/sticker combination.

In 2023, Vanguard began taking massive steps against DMA. They had reportedly hired the DMA developer from FACEIT back in 2020, who has been exclusively developing Vanguard's anti-DMA module ever since. Vanguard came up with the idea to block devices they could confidently assume were not actively being used on the PC. In the first few days, people thought Vanguard had fully implemented IOMMU, but that turned out to be false. Instead, they removed the bus master flag from devices they deemed at least "fishy."

Disabling the bus master bit in the config space of the PCI bridge prevents devices behind that bridge from initiating DMA transfers. Vanguard applied this to devices without their own bus master flag and to devices without a valid driver assignment that still had a bus master flag.

For context, the bus master flag allows a device to take control of the bus and initiate read and write processes. Around this time, Ekknod apparently took an interest in this topic. He spent a few days researching and eventually publicly released PCILeech-WiFi as proof of concept. He referred to this at the time as "emulation." Since then, everyone has been calling firmware that allows a driver to load "emulated."

Today, things have progressed significantly. A lot has happened in 2023 and 2024. Due to the fact that high-tier anti-cheat systems are taking major action against DMA, firmware has also evolved. When you read "1:1" today, it no longer means you’re the only person with a specific combination. Instead, it refers to the config space of a real device being copied bit-for-bit. Identical PCI devices don’t have different config spaces. If you buy the same network card five times from Amazon, all five will have the same config space.

"Emulated" has strayed far from Ekknod’s original concept and has become something of a meme. Nowadays, everyone calls their firmware "emulated," and some even make ridiculous claims about "half-emulated" or similar nonsense. Properly emulating or imitating a real device involves much more than just loading a driver or cloning the config space 1:1.

You can’t simply equate "emulated" with "good firmware." More than anything, it comes down to trust in the developer who created the firmware and their expertise. In 90% of the market, that trust is misplaced. Most of these developers are just following guides on ************* or YouTube, cobbling things together without truly understanding what they’re doing.

Sure, this might work for a short while, but when unexpected problems arise (those not covered in the guides), they’re unable to fix them—just like the "Gummibear DTC" issue that hit 90% of the market.

Are those overpriced firmwares ($200-$500) actually safer, or is it just marketing hype?

All firmware based on Ulf Frisk's PCILeech is 95% identical to Ulf Frisk's original code. Only 5% of the work is actually done by the firmware developers. In my opinion, this makes the prices massively overpriced. Especially considering that 95% of the firmware developers in the market don’t truly understand what they’re doing and are simply following guides that anyone could follow themselves. Of course, there are projects outside of PCILeech or, very rarely, projects from skilled individuals where the money might actually be worth it. However, this doesn’t apply to the vast majority of firmware on the market.

Why do some firmwares remain "UD" (Undetected) for months while others get flagged immediately?

Currently, NICs (Network Interface Cards) are particularly popular among firmware developers. Many of the necessary resources are freely available on GitHub, making it easy to copy-paste solutions and sell them quickly for a profit. There's a reason why so many people are selling Realtek network cards and so few are using Intel i221, for example. The BAR controller for loading the Realtek driver is available on GitHub, whereas the one for Intel is not.

In general, only poorly made firmware gets detected. Especially with EAC, which hasn’t yet implemented truly advanced detection techniques. If a firmware is caught by EAC, it means the developer made a significant mistake. All truly modern and well-made firmware has never been detected by EAC.

How can anticheats (like EAC, Vanguard) detect a DMA card if it’s controlled from another machine?

Of course, this is a huge topic. For example, VGK (Vanguard) has detected many different DMA-related issues over the past few years. Back then, VGK blocked all devices that didn’t send typical PCIe interrupts, marking them as inactive devices. Since it took a long time to figure out how VGK differentiated between legitimate and malicious devices, developers came up with the idea of using so-called exploit firmware. These firmware versions deliberately introduced errors that no real device could produce. VGK had to fix each of these exploits individually and teach the anti-cheat how to handle them. Today, almost all of these exploits have been patched, though a few still exist—but they are not public.

At some point, EAC announced that they would outright ban accounts with non-legitimate config spaces (exploits). This led to situations where firmware that still worked on VGK got detected on EAC. Fundamentally, this can be attributed to the different strategies employed by the two anti-cheat systems.
For example, EAC banned "illegal" header types. Legitimate types are 00, 01, 02, and 80, 81, 82. While others technically exist, they are not actually used in practice. If a device had something else in its header type, it resulted in an instant ban.

That said, this wasn’t entirely true, as certain header types were skipped for a long time—probably because they technically existed. But fundamentally, this was the approach.

If you manually modified the values at the end, you could get rid of the subdevices of a Donocard using "@0x40". However, doing so led to bans.

Of course, there have been and still are many other detection methods worth discussing.

Absolutely love this , dissapointed you don't mock the idea of "private" Firmware some more but that's fine, also are you talking about yxlnqs's drivers?

[XPG5]

I want to start DMA cheating. I am using a laptop as my pc that the game is running on. I have purchased a m-key m.2 to pcie x1 adapter for the DMA itself and the donor card. (I'm looking at a PCIE Screamer Squirrel card and have a wifi card as my donor.) I recently just discovered m.2 DMAs, so I would like to know if I should invest in a m.2 DMA or just the regular card in the adapter. Thank you for any and all replies.

[ReallyRich]

Really good breakdown of what DMA cheats actually are. A lot of people think it’s just plug-and-play

[sc2music]

This is excellent but one topic you don't cover which I was proxied too but don't have enough information or reach is how some firmware and DMA devices do bypass faceit as I had a friend of mine still play at this moment using DMA he got from a CN coder who lives in cn which I do not speak or know what the exact situation is working. For almost 1.5 years now and he has around 600 games at faceit lvl 10 with around 2.2k elo in the US and I don't understand because other people around ekk and soju and apekros have been banned with their firmware even though a lot of the people from these discords are very good reverse engineers. do you have any insight or info or stories about this such thing?

[XPG5]

I think its if your firmware is 1:1 meaning that you used a separate device (e.g Wifi card) and stole its ids and config. If you use this firmware with the card that you cloned from, that might be why you're getting detected. If you bought firmware (I do not recommend) that also might be the issue. Hope this helps

[HK002]

Quote:

Originally Posted by XPG5

I want to start DMA cheating. I am using a laptop as my pc that the game is running on. I have purchased a m-key m.2 to pcie x1 adapter for the DMA itself and the donor card. (I'm looking at a PCIE Screamer Squirrel card and have a wifi card as my donor.) I recently just discovered m.2 DMAs, so I would like to know if I should invest in a m.2 DMA or just the regular card in the adapter. Thank you for any and all replies.

Use Thunderbolt to convert to PCI-E. In recent years, mainstream notebooks have Thunderbolt interfaces.

For hardware,I bought the 75t DMA Card, 2K@144hz/1080P@240hz Fuser, and Kmbox Net for less than 100usd.
In China, 90% of cheaters use pirated DMA Cards. Pirated DMA Cards for me, cheats work well, I haven't found any problems so far.
Just offering my personal opinion

[r00kie]

Interesting topic, I hope the thread gets a bit more traffic

[XPG5]

Ok, quick question. Where would i find the FTD3XX.dll, leechcore.dll and vmm.dll of a PCIE Screamer Squirrel?

[Whippets]

bumping this thread up again for newbies who are looking in dma

[kilikolo]

Quote:

Originally Posted by XPG5

Ok, quick question. Where would i find the FTD3XX.dll, leechcore.dll and vmm.dll of a PCIE Screamer Squirrel?

just search up the names of the dlls on google and u instantly get them and just download

[dksx]

up

[yourcloset]

An offshoot for this intelligent post is a list of aliexpress dma hardware so us newbies dont have to pay through our noses for "premium" hardware