ThunderGate: a toolkit for Tigon3 firmware and PCIe research

ThunderGate turns the Tigon3 gigabit Ethernet controller into an open platform for on-NIC firmware development, DMA experiments, and PCIe attack-surface research.

release 1.0  ·  GPLv3

# what it is

The Tigon3 is the controller behind Broadcom's NetXtreme and NetLink gigabit Ethernet interfaces: the onboard Ethernet in a generation of Dell, HP and IBM business PCs and servers, and the silicon inside the Apple Thunderbolt Gigabit Ethernet adapter.

It is also a small computer that happens to forward packets. Behind the Ethernet MAC sit a PCI endpoint, DMA read and write engines, on-chip RAM, non-volatile storage, and an on-chip MIPS core, all reachable from the host. (Older Tigon3 variants carry a second core; the 57762 generation does not.)

ThunderGate opens them up. It drives the hardware from userspace Python, builds and flashes custom firmware for the on-chip cores, and ships worked examples of what that makes possible, from a userspace network tap to firmware that monitors and rewrites traffic and host memory.

Background: the project grew out of Thunderbolt: Exposure and Mitigation (CS838-1 final project, University of Wisconsin–Madison, 2013) and the v0 ThunderGate releases that followed in 2015.

# what's inside

userspace TAP driver

Bridge the NIC to the host network stack from userspace. Three implementations, one synchronous and two asyncio, selected per platform across Linux, Windows and macOS.

on-NIC firmware

Code that runs on the Tigon3's own MIPS core: a built-from-source image with an on-core ARP / IPv4 / ICMP / UDP stack, plus zForth and uBASIC interpreters because it can.

EFI option ROM

A PCI option ROM and EFI boot-services driver that rewrites the ACPI DMAR and IORT tables to inhibit Intel VT-d and ARM SMMU address translation.

# what it's good for

DMA research

A programmable bus-mastering PCIe endpoint built from a cheap, widely available adapter, with full source for the firmware that drives it.

IOMMU work

A reproducible target for evaluating Intel VT-d and ARM SMMU configurations, with a boot-time EFI ROM that disables translation when you want a known-bad baseline.

NIC reverse engineering

A working second implementation to compare against Broadcom's stock firmware on NetXtreme and NetLink parts.

Teaching and CTF

zForth and uBASIC interpreters on the NIC's MIPS core, because it can.

# runs on

Linux

vfio-pci for the TAP driver; uio_pci_generic and sysfs for the read-only toolkit paths.

macOS

A PCIDriverKit driver extension on Intel and Apple Silicon.

Windows

A KMDF driver (tgwink) binds the NIC; the host TAP uses OpenVPN's TAP-Windows6 adapter.

# quick start

```sh
# clone the repo
git clone https://github.com/sstjohn/thundergate.git
cd thundergate

# build the mips-elf cross-toolchain (GCC 14, -mtigon)
misc/build-toolchain.sh

# set up the Python 3.13 toolkit
python3 -m venv .venv
.venv/bin/pip install -r requirements.txt

# build the firmware, EFI ROM and tooling
make
```

The install guides cover per-platform setup: VFIO binding, the macOS driver extension, and Windows driver signing.

# warning

ThunderGate is experimental software, made available under the GPLv3. It writes firmware to your hardware and manipulates host memory and IOMMU state. You assume all risks in using it.

Always back up your device's factory firmware before you start.