Thunderhammer: Rowhammer Bitflips via PCIe and Thunderbolt (USB-C)

📅 2025-09-14
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Conventional Rowhammer attacks rely on software vulnerabilities or CPU cache side channels, which limits their applicability and controllability. Method: this work identifies and validates a novel hardware-level Rowhammer vector: direct DDR4 bitflips triggered by malicious PCIe peripherals, including PCIe transactions tunnelled over Thunderbolt 3/4. Using a custom FPGA platform, the authors reverse-engineer DRAM row activation parameters and timing characteristics to construct low-overhead, high-precision PCIe DMA access patterns that bypass CPU and memory-controller security boundaries at the physical layer. Contribution/Results: the attack achieves remote, privilege-free, zero-click bitflips from both standard PCIe slots and Thunderbolt ports on mainstream DDR4 systems. This substantially expands the Rowhammer threat surface and provides empirical evidence motivating the protection of peripheral interconnects against DMA-based hardware exploits.

๐Ÿ“ Abstract
In recent years, Rowhammer has attracted significant attention from academia and industry alike. This technique, first published in 2014, flips bits in memory by repeatedly accessing neighbouring memory locations. Since its discovery, researchers have developed a substantial body of work exploiting Rowhammer and proposing countermeasures. These works demonstrate that Rowhammer can be mounted not only through native code, but also via remote code execution, such as JavaScript in browsers, and over networks. In this work, we uncover a previously unexplored Rowhammer vector. We present Thunderhammer, an attack that induces DRAM bitflips from malicious peripherals connected via PCIe or Thunderbolt (which tunnels PCIe). On modern DDR4 systems, we observe that triggering bitflips through PCIe requests requires precisely timed access patterns tailored to the target system. We design a custom device to reverse engineer critical architectural parameters that shape PCIe request scheduling, and to execute effective hammering access patterns. Leveraging this knowledge, we successfully demonstrate Rowhammer-induced bitflips in DDR4 memory modules via both PCIe slot connections and Thunderbolt ports tunnelling PCIe.
Problem

Research questions and friction points this paper is trying to address.

Rowhammer bitflips via PCIe and Thunderbolt interfaces
Reverse engineering PCIe request scheduling parameters
Executing precise hammering patterns through peripheral connections
Innovation

Methods, ideas, or system contributions that make the work stand out.

PCIe-based Rowhammer attack via peripherals
Custom device for reverse engineering parameters
Thunderbolt ports tunneling PCIe for bitflips
Authors

Robert Dumitru (Ruhr University Bochum & The University of Adelaide)
Junpeng Wan (Purdue University)
Daniel Genkin (Georgia Tech)
Rick Kennell (Purdue University)
Dave (Jing) Tian (Purdue University)
Yuval Yarom (Ruhr University Bochum)