3rd-party/linux-kernel-module-cheat
1
0
Fork 0
mirror of https://github.com/cirosantilli/linux-kernel-module-cheat.git synced 2026-01-23 02:05:57 +01:00
Code Issues Releases Wiki Activity

Use busybox devmem

Browse Source
This commit is contained in:
Ciro Santilli
2017-08-08 11:56:01 +01:00
parent 68af3477cc
commit 8d668d6ed3
9 changed files with 35 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
buildroot_config_fragment
View File

@@ -47,31 +47,6 @@ BR2_PACKAGE_DTC=y
BR2_PACKAGE_DTC_PROGRAMS=y BR2_PACKAGE_DTC_PROGRAMS=y
BR2_PACKAGE_HOST_DTC=y BR2_PACKAGE_HOST_DTC=y
# On ARM, with our lkmc_platform_device:
#
# devmem2 0x101e9000 w 0x12345678
#
# Then on QEMU monitor, notice that the registers don't actually change value:
#
# xp/4 0x101e9000
#
# Uses /dev/mem.
#
# Upstream: http://free-electrons.com/pub/mirror/devmem2.c
#
# See also:
#
# - https://superuser.com/questions/71389/what-is-dev-mem/1214662#1214662
# - https://unix.stackexchange.com/questions/4948/shell-command-to-read-device-registers
# - man mem
#
# TODO: why with mmap MAP_PRIVATE (used in my previous custom naive version),
# the entire register page is read?;
#
# TODO: have a look at: https://github.com/kaiwan/device-memory-readwrite
#
BR2_PACKAGE_DEVMEM2=y
# Provides setpci and a lspci more advanced than Busybox's # Provides setpci and a lspci more advanced than Busybox's
# #
# setpci can read and write to PCI configuration registers. # setpci can read and write to PCI configuration registers.

22
busybox_config_fragment
View File

@@ -4,3 +4,25 @@ CONFIG_NC=y
CONFIG_NC_EXTRA=y CONFIG_NC_EXTRA=y
CONFIG_NC_SERVER=y CONFIG_NC_SERVER=y
CONFIG_STAT=y CONFIG_STAT=y
# On ARM, with our lkmc_platform_device:
#
# devmem 0x101e9000 w 0x12345678
#
# Then on QEMU monitor, notice that the registers don't actually change value:
#
# xp/4 0x101e9000
#
# Uses /dev/mem.
#
# See also:
#
# - https://superuser.com/questions/71389/what-is-dev-mem/1214662#1214662
# - https://unix.stackexchange.com/questions/4948/shell-command-to-read-device-registers
# - man mem
#
# TODO: why with mmap MAP_PRIVATE (used in my previous custom naive version),
# the entire register page is read?;
#
# TODO: have a look at: https://github.com/kaiwan/device-memory-readwrite
CONFIG_DEVMEM=y

2
kernel_module/character_device_create.c
View File

@@ -1,7 +1,7 @@
/* /*
Automatically create the device under /dev on insmod, and remove on rmmod. Automatically create the device under /dev on insmod, and remove on rmmod.
https://stackoverflow.com/questions/5970595/how-to-create-a-device-node-from-the-init-module-code-of-a-linux-kernel-module https://stackoverflow.com/questions/5970595/how-to-create-a-device-node-from-the-init-module-code-of-a-linux-kernel-module/45531867#45531867
*/ */
#include <linux/cdev.h> #include <linux/cdev.h>

2
kernel_module/pci.c
View File

@@ -63,7 +63,7 @@ TODO: does it have any side effects? Set in the edu device at:
## Play with registers from the CLI ## Play with registers from the CLI
Use setpci, devmem2 and /sys. Use setpci, devmem and /sys.
*/ */
#include <asm/uaccess.h> /* put_user */ #include <asm/uaccess.h> /* put_user */

2
kernel_module/platform_device.c
View File

@@ -12,7 +12,7 @@ Expected outcome after insmod:
Also without insmodding this module, try: Also without insmodding this module, try:
devmem2 0x101e9000 w 0x12345678 devmem 0x101e9000 w 0x12345678
which touches from userland through /dev/mem. which touches from userland through /dev/mem.
*/ */

106
kernel_module/user/devmem3.c
View File

@@ -1,106 +0,0 @@
/*
Adapted from: http://free-electrons.com/pub/mirror/devmem2.c
Forked because of the unpredictable access widths:
https://bugs.busybox.net/show_bug.cgi?id=10171
*/
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>
#define FATAL do { fprintf(stderr, "Error at line %d, file %s (%d) [%s]\n", \
__LINE__, __FILE__, errno, strerror(errno)); exit(1); } while(0)
int main(int argc, char **argv) {
int access_type = 'w';
unsigned long map_size, map_mask;
off_t target;
uintmax_t read_result, writeval;
int fd;
void *map_base, *virt_addr;
map_size = sysconf(_SC_PAGE_SIZE);
map_mask = map_size - 1;
if(argc < 2) {
fprintf(stderr, "\nUsage:\t%s { address } [ type [ data ] ]\n"
"\taddress : memory address to act upon\n"
"\ttype : access operation type : [b]yte, [h]alfword, [w]ord\n"
"\tdata : data to be written\n\n",
argv[0]);
exit(1);
}
target = strtoul(argv[1], 0, 0);
if(argc > 2)
access_type = tolower(argv[2][0]);
if((fd = open("/dev/mem", O_RDWR | O_SYNC)) == -1) FATAL;
printf("/dev/mem opened.\n");
fflush(stdout);
/* Map one page */
map_base = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, target & ~map_mask);
if(map_base == (void *) -1) FATAL;
printf("Memory mapped at address %p.\n", map_base);
fflush(stdout);
virt_addr = map_base + (target & map_mask);
switch(access_type) {
case 'b':
read_result = *((uint8_t *) virt_addr);
break;
case 'h':
read_result = *((uint16_t *) virt_addr);
break;
case 'w':
read_result = *((uint32_t *) virt_addr);
break;
case 'q':
read_result = *((uint64_t *) virt_addr);
break;
default:
fprintf(stderr, "Illegal data type '%c'.\n", access_type);
exit(2);
}
printf("Value at address 0x%jX (%p): 0x%jX\n", (uintmax_t)target, virt_addr, (uintmax_t)read_result);
fflush(stdout);
if(argc > 3) {
writeval = strtoul(argv[3], 0, 0);
switch(access_type) {
case 'b':
*((uint8_t *) virt_addr) = writeval;
read_result = *((uint8_t *) virt_addr);
break;
case 'h':
*((uint16_t *) virt_addr) = writeval;
read_result = *((uint16_t *) virt_addr);
break;
case 'w':
*((uint32_t *) virt_addr) = writeval;
read_result = *((uint32_t *) virt_addr);
break;
case 'q':
*((uint64_t *) virt_addr) = writeval;
read_result = *((uint64_t *) virt_addr);
break;
}
printf("Written 0x%jX; readback 0x%jX\n", (uintmax_t)writeval, (uintmax_t)read_result);
fflush(stdout);
}
if(munmap(map_base, map_size) == -1) FATAL;
close(fd);
return 0;
}

4
kernel_module/user/usermem.c
View File

@@ -48,7 +48,7 @@ see: https://stackoverflow.com/questions/11891979/how-to-access-mmaped-dev-mem-w
Then: Then:
devmem2 0x7c7b800 devmem 0x7c7b800
Possible output: Possible output:
@@ -60,7 +60,7 @@ to our physical address and given to the process that mapped /dev/mem.
And finally, let's change the value! And finally, let's change the value!
devmem2 0x7c7b800 w 0x9abcdef0 devmem 0x7c7b800 w 0x9abcdef0
After one second, we see on the screen: After one second, we see on the screen:

8
rootfs_overlay/uio_read.sh
View File

@@ -8,8 +8,8 @@ echo '1234 11e9' > /sys/bus/pci/drivers/uio_pci_generic/new_id
insmod /irq.ko insmod /irq.ko
base="$(setpci -d 1234:11e9 BASE_ADDRESS_0)" base="$(setpci -d 1234:11e9 BASE_ADDRESS_0)"
# Start generating interrupt. # Start generating interrupt.
/devmem3.out "0x${base}" w 0x12345678 devmem "0x${base}" w 0x12345678
# Stop generating interrupt. # Stop generating interrupt.
/devmem3.out "0x$(($base + 4))" w 0x12345678 devmem "0x$(($base + 4))" w 0x12345678
/devmem3.out "0x${base}" w 0x12345678 devmem "0x${base}" w 0x12345678
/devmem3.out "0x$(($base + 4))" w 0x12345678 devmem "0x$(($base + 4))" w 0x12345678

8
rootfs_overlay/virt_to_phys.sh
View File

@@ -6,11 +6,11 @@ cat lkmc_virt_to_phys
# k = 0x12345678 # k = 0x12345678
# i = 0x12345678 # i = 0x12345678
addr=$(awk '$1 == "virt_to_phys_k" { print $2 }' lkmc_virt_to_phys) addr=$(awk '$1 == "virt_to_phys_k" { print $2 }' lkmc_virt_to_phys)
devmem2 "$addr" devmem "$addr"
devmem2 "$addr" w 0x9ABCDEF0 devmem "$addr" w 0x9ABCDEF0
addr=$(awk '$1 == "virt_to_phys_i" { print $2 }' lkmc_virt_to_phys) addr=$(awk '$1 == "virt_to_phys_i" { print $2 }' lkmc_virt_to_phys)
devmem2 "$addr" devmem "$addr"
devmem2 "$addr" w 0x9ABCDEF0 devmem "$addr" w 0x9ABCDEF0
cat lkmc_virt_to_phys cat lkmc_virt_to_phys
# k = 0x9ABCDEF0 # k = 0x9ABCDEF0
# i = 0x12345678 # i = 0x12345678