DMA - type of undetectable prohibited software


  • CEO
Posted

This is one of the most detailed guides dedicated to hardware based cheats.

This guide focuses on a relatively new type of prohibited software.
Let's understand how they work and why they have been undetectable for years.
Last update: 4/27/2024

 

Quick FAQs

  • Is it difficult to install the hardware and start using DMA cheats? - It depends on the user, an experienced user will be able to do it in a couple of minutes, a person who has never used anything like this before will need a little more time. As practice shows, shops that sell the devices include detailed instructions and provide installation assistance via live chat.
    Running the DMA cheat on a second computer should take no more than a minute, but again this depends on the product you are using.
  • Which DMA board should I buy? - Any, the only difference is in supported firmware (usually all are supported, but it is worth asking the seller) and chip performance.
  • Where can I buy a DMA board? - Anywhere. Aliexpress; Amazon; specialty shops; and other platforms. Also you can find legit DMA board & CFW vendors in our list.
  • Are we going to start seeing DMA cheats being detected in the near future? - Most likely not.
  • What games can I cheat in with a DMA card? - Any game. The main thing is to find a cheat that works with DMA. Almost every popular game has at least one provider.

Let's take a closer look at why this type of cheat is, without a doubt, the safest solution on the market today.

 

This article is divided into several parts:

  1. Advantages and reasons for the DMA cheats usage.
  2. Is it possible to detect a DMA cheat?
  3. Hardware based cheats requirements.
  4. Importance of Firmware and DMA board.
  5. Firmware selection for your DMA board.
  6. How anti-cheats try to stop DMA attacks and what methods are currently used to ban DMA users.
  7. DMA board & KMBox setup and connection.

 

 

1. Advantages and reasons for the DMA cheats usage.

DMA cheats use a special DMA device (a Screamer board installed in a PCIe slot of the gaming (main) PC) to read the game's memory using a Radar (second) PC. Reading the game's memory is the most important aspect of playing with cheats, as it allows you to use almost all of the cheat features, such as Aimbot, ESP and so on.

  • Why is it so important that the cheat is not running on my gaming computer? - If the cheat is running on a second computer, it will be "out of range" of the anti-cheat, so the anti-cheat will not be able to detect that something is accessing the game memory.

[Figure: Example of how DMA cheats work]

The main idea of DMA cheats is to interact as little as possible with the system where the anti-cheat is deployed & running. You connect the DMA board installed in your gaming (main) PC via a USB-cable to your radar (second) PC. Prohibited software (cheats) will run on the radar (second) PC.

Unlike regular cheats, which are hidden on the game computer via drivers, DMA cheats are outside the gaming computer and do not require such a carefully developed bypass.
Therefore, as long as we do not change the memory on the game computer, there is basically no way for a DMA cheat to be detected, except by the DMA card itself emulating another device. The safest way to use DMA board is to read memory only.

 


2. Is it possible to detect a DMA cheat?

DMA cheats are undetectable because they use a second computer to operate, and ideally should only be reading game memory (changes to memory can lead to detection). The only way to detect this type of cheat is through the detection of a 'suspicious' board in your gaming computer. That's what the firmware is for, but more on that later.

This task is much more difficult for anti-cheats, because in order to understand whether you are using the software or not, the anti-cheat developers need to understand whether your masked device is a real device or just trying to appear to be one.

In DMA read-only mode and using a second computer, the cheat is undetectable. However, there is still a detection vector - the DMA board installed in the gaming PC, which can be detected by advanced anti-cheats such as FACEIT and Vanguard (we will not mention the lesser-known anti-cheats that are used exclusively for playing CS on other platforms).

Complete undetection is guaranteed if you:

  • Use read-only cheats/features
  • Use KMBox or Raspberry Pi Pico to change cursor position (for Aimbot)
  • Use high-quality firmware

 

 

3. What do I need to start using hardware based cheats?


List:

  1. Two computers (PCs)(Gaming PC & Radar PC) --> To run the cheat out of the anti-cheat's "line of sight".
  2. DMA board --> To read game memory
  3. CFW (Custom Firmware) --> To hide a DMA board from anti-cheats
  4. KMBox B+ Pro | KMBox NET | Raspberry Pi Pico --> To use Aimbot feature safely
  5. Fuser --> To play with the cheat visuals on the one display

 

1.1. Gaming (Main) PC
Your gaming computer on which you will be playing and where the DMA board will be installed.
A free PCIe x1 slot is required for operation. Installation in x4, x8 and x16 slots is allowed.

 

1.2. Radar (Second) PC
Almost any computer with Windows 10/11 will work.

  • Can it be a cheap laptop? - Yes.
  • Can it be a PC? - Yes. As long as it has a USB 3.0+ port. Otherwise, the reading speed may be slow.
  • Can I use only 1 PC? - Yes, however it is strongly not recommended!

 

2. DMA board
Device that will do the reading of the game memory.

All DMAs are the same!
The only difference is the firmware (which we will talk about later) & the chip installed (35T, 75T & 100T). There are a few nuances between them, but before we look at the choice of DMAs, let's understand what CFW is and why we need it.

 

3. CFW
CFW, also known as Custom Firmware, is a type of software that masks the DMA board installed in a gaming PC.

  • Why do I need to mask the DMA card? - This is required to mask the usage of the DMA device from anti-cheat. As we said earlier, you are undetectable if you use read-only cheats or features. However, anti-cheat can detect cheats usage if it detects that you have a DMA board installed in your gaming computer.

Firmware is the most important part when playing with hardware based cheats!

 

4. KMBox | Raspberry Pi Pico (optional)
Device which is required for the safe Aimbot & Triggerbot usage.

Information Update (4/27/2024): Recently, FACEIT and Vanguard have started flagging players who have been spotted using KMBox (especially the B Pro model). Therefore Raspberry Pi Pico is a more reliable device.

Since writing to game memory is not recommended for hardware based cheats (unlike Internal/External cheats), the KMBox or Pico device will help us to safely use the automatic aiming features.

You CAN use many cheats without KMBox or Pico, but the aim assistance will not work. Only visual part of the cheat will work in that case (as long as the cheat works completely in read-only mode).

  • Are there any differences between KMBox B Pro & KMBox NET? - Yes, but they are not significant. Some providers recommend using the B Pro because it is an older model and not all cheats currently support the new KMBox NET version.

 

5. Fuser (optional)
Device used to display cheat visuals (including GUI) on a gaming (main) monitor.

If you want to see visuals on the main monitor, you will need to purchase an additional device known as a Fuser, which will combine two images into one.
The image from the Radar (second) PC will be overlapped on the gaming (main) monitor image. This method is the most secure way of displaying ESP that can be imagined. This is also completely streamproof & screenshotproof.

 

 

4. Why should I choose a more expensive firmware and any DMA board?


Firmware differences

1. Quality
All pre-flashed firmwares are most likely to be generated automatically by a special software program. That's why such DMA boards from Clutch, Terminator and Lurker were banned on almost all ACs. Pre-flashed firmware is bad!

Likewise, "1:1 CFW" is a hoax and marketing. Once again, there is NO difference to the anti-cheat.
You will be detected along with everyone else as soon as the anti-cheat finds a common pattern. All the claims made by vendors about the uniqueness of their 1:1 CFW are just marketing and a way to increase sales. You can't buy good 1:1 firmware for $100 or $200.

PS. We are not talking about a custom emulated 1:1 copy of the real device. That costs several thousand dollars and can take weeks to months to fully emulate the device, install a working driver for it and write the TLP logic.

But there's nothing wrong with buying a card from Captain, for example, and flashing it later.
The performance difference between Captain Gen3, Gen 4 and Gen 5 is very small, if any. But the price is almost twice as much.

 

2. Pricing
DMA cards are practically indistinguishable from each other, so we recommend not spending a lot of resources on a DMA card, but rather on good firmware for your game. DMA boards that use different chips, such as the 35T and 75T, have pretty much the same performance.

 

 

5. Select the right firmware for your game.


BattlEye 
Detection attempts: 1/10
Working firmware: Any, some of which is free & public.
Comments: There hasn't been a big wave of DMA device bans in the last 2 years. 

 

EasyAntiCheat 
Detection attempts: 5/10
Working firmware: Most of them. Recently there has been a massive detection of ClutchSolutions and other pre-flashed firmwares. Some "1:1 custom" firmwares from new vendors are also affected.
Comments: Recently, developers have started to actively fight against public DMA firmware methods. According to our predictions, in 12 months the situation will probably be similar to Vanguard, where most of the popular and open-source firmwares will be flagged.

 

Vanguard
Detection attempts: 7/10
Working firmware: Public firmwares will most likely not work, or will be detected fairly quickly. Private firmwares - work fine.
Comments: Compared to BattlEye & EasyAntiCheat, the situation is much better. Only private firmwares work normally. Most public vendors have been detected/fixed. It is still possible to find a good firmware for ~$200.

 

FACEIT
Detection attempts: 9/10
Working firmware: 90% of all public and "private" firmwares are detected.
Comments:


*IMPORTANT NOTE*
Before we start analysing the DMA situation on FACEIT, we need to understand one thing. FACEIT is the best anti-cheat in the world when it comes to detecting DMA attacks. The amount of time and effort that FACEIT's anti-cheat developers have put into the detection of DMA devices is second to none. Their closest competitor, Vanguard, is way behind.

We don't think it's worth talking about other anti-cheats like BattlEye & EasyAntiCheat. DMA is not really detected by them, and it is unlikely that it will be detected in the next couple of years.
Developers of Vanguard are making some attempts to detect DMA devices. But they have not gone further than disabling "Bus mastering", which of course "puts a spoke in the wheel" but does not change anything dramatically.


FACEIT has started a very active fight against DMA boards, in comparison to the other years. Over the last few months, all popular DMA boards and their firmware have been banned.

Does this mean the end of DMA cheats? - No!
The boards can still be masked from anti-cheat by creating custom firmware, but this will require much more resources (effort and time if you decide to make your own firmware or money if you decide to buy a ready-made solution).

The current solution to bypass the FACEIT anti-cheat is firmware with a working driver, no FPGA device flags and the availability of TLP. 90% of all low quality firmware such as ClutchSolution, Atomic, Terminator, Captain and others come with a non-working driver and no communication between hardware and driver.
You may see an exclamation mark next to the device, which means there is a conflict with the driver. This does not mean that the firmware is immediately banned, but it is definitely a red flag to look out for.

In summary, does FACEIT detect DMA? The answer is both yes and no. Private firmware is still not detected and has good protection, but all public firmwares are flagged at the moment.

 

To lower your chance of being scammed by a provider, watch this entire video:


 

 

 

 

6. How anti-cheats try to stop DMA attacks and what methods are currently used to ban DMA users.


All modern anti-cheats have long been aware of the existence of such boards, and we will now consider what they do to counter such an attack. There are several vectors for possible detection:

1. Firmware
This is the most basic reason why DMA is detected. It is caused by the detection of a vulnerability in the firmware. Based on past experience, such bans are often of a mass scale.
Example #1: More than 3 years ago, a "Master Abort" vulnerability was found in firmware that caused a specific error when sending a command to a DMA device.
Example #2: Bus Mastering - FACEIT and Vanguard disable bus mastering on the board if they think the device the DMA board is mimicking is not real or too suspicious.
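
The Bus Master Enable flag referred to in Example #2 is bit 2 of the PCI Command register. The following Python is an added example, not code from this guide or from any anti-cheat: it decodes configuration headers and lists devices that can issue DMA while no driver is bound to them. The device addresses, IDs, driver name and the audit rule itself are constructed assumptions.

```python
import struct

CMD_BUS_MASTER = 1 << 2  # PCI Command register (offset 0x04), bit 2: Bus Master Enable


def parse_header(cfg: bytes) -> dict:
    """Decode the fields of a PCI configuration header that this audit needs."""
    if len(cfg) < 16:
        raise ValueError("need at least the first 16 bytes of config space")
    vendor, device, command, _status = struct.unpack_from("<HHHH", cfg, 0)
    if vendor == 0xFFFF:
        raise ValueError("no device responds (vendor ID reads 0xFFFF)")
    _rev, _prog_if, subclass, base_class = struct.unpack_from("<BBBB", cfg, 8)
    return {
        "id": f"{vendor:04x}:{device:04x}",
        "class": f"{base_class:02x}{subclass:02x}",
        "command": command,
        "bus_master": bool(command & CMD_BUS_MASTER),
    }


def clear_bus_master(command: int) -> int:
    """Command value with Bus Master Enable cleared and every other bit kept."""
    return command & ~CMD_BUS_MASTER & 0xFFFF


def audit(devices):
    """Return (address, reason) for devices that can issue DMA with no driver bound."""
    findings = []
    for addr, cfg, driver in devices:
        try:
            hdr = parse_header(cfg)
        except ValueError as exc:
            findings.append((addr, f"unreadable header: {exc}"))
            continue
        if hdr["bus_master"] and not driver:
            findings.append((addr, f"{hdr['id']} class {hdr['class']}: bus master on, no driver"))
    return findings


def make_header(vendor, device, command, class_code):
    """Build a constructed 16-byte header for the sample data below."""
    return struct.pack("<HHHHBBBB", vendor, device, command, 0x0010,
                       0x01, 0x00, class_code & 0xFF, class_code >> 8) + bytes(4)


# Constructed inventory: (PCI address, config header, bound driver or None).
# Vendor/device IDs and the driver name are placeholders, not real products.
SAMPLE = [
    ("0000:01:00.0", make_header(0x1234, 0x0001, 0x0006, 0x0200), "example_nic"),
    ("0000:04:00.0", make_header(0x1234, 0x0002, 0x0006, 0x0200), None),
    ("0000:05:00.0", make_header(0x1234, 0x0003, 0x0002, 0x0C03), None),
    ("0000:06:00.0", b"\xff" * 16, None),
]

if __name__ == "__main__":
    for addr, reason in audit(SAMPLE):
        print(addr, reason)
```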

 

2. Manual Bans
Currently, manual bans are the most common. If a user receives too many reports, this leads to a manual analysis of the data and often results in a ban. Manual bans are the most difficult to predict. They can be the result of analysis (demos/screens) as well as your gameplay and reports being analysed by humans. Or it can be the result of an account being banned outright by the developers. If a group of players are banned at the same time, it is most likely due to manual or administrative interaction.

 

3. Cheat Features
Nowadays, DMA software has two ways to implement its features. One is to modify the memory directly; here the read & write speed of the DMA board directly affects performance: the higher the read speed, the better the performance. The other is the injection method, whose performance is not directly related to the DMA read/write speed and depends on the memory. Of these two methods, direct memory modification is the safest (on the Radar (second) PC); if you don't write memory on the gaming PC, the probability of being banned is greatly reduced.
Example: Feature (Unlock door with key) in Escape From Tarkov. Despite the fact that DMA is completely undetected in EFT (BattlEye), you can be automatically banned if you try to change the memory location monitored by the anti-cheat. If you try to open a door with a non-existent key, the anti-cheat will realise that you are trying to perform an action that is impossible and you will be automatically banned. Even though DMA was not detected.

 

4. Game Stats
Most games have data monitoring systems in place. If your data exceeds certain thresholds, your account may be reviewed or banned altogether.
Example: Frequency of enemy hits, % of headshots, K/D and so on. Especially for new accounts. This method is similar to manual bans, but with more focus on data and AI detection. To avoid detection, make sure your stats look legit. Having a K/D of 99 looks cool, but it's almost unrealistic for a real legit player.
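
The threshold monitoring described under Game Stats can be computed relative to the player population. The following Python is an added example, not any game's or anti-cheat's real logic: it scores K/D and headshot rate with a median/MAD modified z-score, which stays stable when the population already contains extreme accounts, and sends accounts with little match history to review instead of flagging them. The player records, field names and limits are constructed assumptions.

```python
from statistics import mean, median, stdev

MIN_MATCHES = 20    # assumption: fewer matches than this is too little data to act on
MAD_SCALE = 1.4826  # scales MAD to match a standard deviation on normal data
Z_LIMIT = 3.5       # conventional cut-off for the modified z-score
METRICS = ("kd", "hs")


def robust_z(value, population):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(population)
    mad = median(abs(x - med) for x in population)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / (MAD_SCALE * mad)


def classic_z(value, population):
    """Mean/stdev z-score, kept for comparison: outliers inflate the stdev."""
    return (value - mean(population)) / stdev(population)


def triage(players):
    """Map account id -> 'flag' or 'review' for accounts with outlying stats."""
    verdicts = {}
    for p in players:
        high = [m for m in METRICS
                if robust_z(p[m], [q[m] for q in players]) > Z_LIMIT]
        if not high:
            continue
        # Thin history or a single outlying metric goes to a human reviewer.
        if p["matches"] < MIN_MATCHES or len(high) < len(METRICS):
            verdicts[p["id"]] = "review"
        else:
            verdicts[p["id"]] = "flag"
    return verdicts


# Constructed sample: kd = kills/deaths, hs = share of kills that are headshots.
PLAYERS = [
    {"id": "p1", "matches": 120, "kd": 0.9, "hs": 0.38},
    {"id": "p2", "matches": 85, "kd": 1.1, "hs": 0.42},
    {"id": "p3", "matches": 200, "kd": 1.0, "hs": 0.40},
    {"id": "p4", "matches": 60, "kd": 1.3, "hs": 0.45},
    {"id": "p5", "matches": 150, "kd": 0.8, "hs": 0.35},
    {"id": "p6", "matches": 95, "kd": 1.2, "hs": 0.41},
    {"id": "p7", "matches": 40, "kd": 6.5, "hs": 0.88},
    {"id": "p8", "matches": 5, "kd": 9.0, "hs": 0.90},
    {"id": "p9", "matches": 300, "kd": 2.4, "hs": 0.44},
]

if __name__ == "__main__":
    print(triage(PLAYERS))
```

On this sample the mean/stdev score for the 6.5 K/D account stays well under 3 because the two extreme accounts inflate the standard deviation, while the median/MAD score separates it clearly.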

 

 

 

7. DMA board & KMBox setup and connection.


Gaming (main) PC

  • Turn off gaming PC
  • Install the DMA board in the PCIe x1 slot of your motherboard

If you don't have an x1 slot, you can install the board in an x4, x8 or x16 slot. Please refer to your motherboard manual.

  • Connect the USB-C cable to the (DATA) port on your DMA card
  • Turn on the gaming PC and boot into the BIOS

For Intel processors:

  • Disable Virtualization
  • Disable VT-d

For AMD processors:

  • Disable Virtualization
  • Disable IOMMU
  • Disable NX-Bit (if available)
  • Disable Secure Boot

Save the settings in BIOS and boot into Windows

 

Radar (second) PC

  • Download DMA Tools.zip from our website
  • Install "FTD" driver via .bat file

To check DMA operation, you will need to run a benchmark.
If you can run benchmarks, then you have installed everything correctly. Congratulations! You are now ready to use any DMA cheat!

 

KMBox B Pro Setup

[Screenshot]

  • Connect as shown in the screenshot above
  • Install CH340 driver on the Radar PC
  • Run a benchmark and see if the cursor has moved on the gaming (main) PC.

 

KMBox NET Setup

  • Connect as shown in the screenshot above
  • Install CH340 driver on the Radar PC

Connection verification

1. Open Device Manager on Radar (second) PC.

2. Open Ports (COM&LPT) category.

Find the USB-SERIAL CH340 device and look at the port in brackets. In our case, it is (COM 2).
You need to remember this value, because we will need it later.

You can also change this port by going to the Port Settings.

COM Port Number - Select the one that is not used.

 

 

Functionality verification

Launch KmBoxTester

Enter the previously mentioned port.
Then enter the X,Y coordinates for the cursor to move (offset change) on the gaming PC (In my case it is 400 400).

Next, keep a close eye on the cursor on the gaming PC.

If the cursor has changed its position - Congratulations! You have configured KMBox NET.

If you get the error "Failed to open the serial port", most likely you connected something incorrectly or entered an incorrect port.

 

 

 

Epilogue

We would like to say a big thank you to everyone who has read this article to the end. 

We sincerely hope that this article has helped you understand how hardware cheats work. With the right approach, they are almost impossible to detect, which is why hardware based cheats have become so popular in the cheat community in such a short time.

If you are thinking of buying both the DMA card and the rest of the devices as well as the firmware, you can check the list of legit vendors we have provided by following this link: https://cheatsdb.org/cdb-dma/

 

 
