Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to access physical addresses from user space in Linux?

Tags:

linux

memory

arm

memory-address

memory-mapping

On a ARM based system running Linux, I have a device that's memory mapped to a physical address. From a user space program where all addresses are virtual, how can I read content from this address?

like image 935
lang2 Avatar asked Aug 20 '12 15:08

lang2

People also ask

How do I find my physical address in Linux?

Linux. Open a terminal and use the ifconfig command. The MAC address will be listed next to HWaddr. If your Linux OS does not have the ifconfig command, you may also use the ip addr command.

How do I access user space from kernel?

Whilst a user-space program is not allowed to access kernel memory, it is possible for the kernel to access user memory. However, the kernel must never execute user-space memory and it must also never access user-space memory without explicit expectation to do so.

Can kernel access physical memory?

Even the kernel has no direct access to physical memory in the way your are thinking. Basically the kind of memory you seem to imagine (linear memory with flat addressing) is something that is constructed by the kernel (from physical memory banks) and exported, it doesn't "exist".

1 Answers

busybox devmem

busybox devmem is a tiny CLI utility that mmaps /dev/mem.

You can get it in Ubuntu with: sudo apt-get install busybox

Usage: read 4 bytes from the physical address 0x12345678:

sudo busybox devmem 0x12345678

Write 0x9abcdef0 to that address:

sudo busybox devmem 0x12345678 w 0x9abcdef0

Source: https://github.com/mirror/busybox/blob/1_27_2/miscutils/devmem.c#L85

mmap MAP_SHARED

When mmapping /dev/mem, you likely want to use:

open("/dev/mem", O_RDWR | O_SYNC); mmap(..., PROT_READ | PROT_WRITE, MAP_SHARED, ...)

MAP_SHARED makes writes go to physical memory immediately, which makes it easier to observe, and makes more sense for hardware register writes.

CONFIG_STRICT_DEVMEM and nopat

To use /dev/mem to view and modify regular RAM on kernel v4.9, you must fist:

  • disable CONFIG_STRICT_DEVMEM (set by default on Ubuntu 17.04)
  • pass the nopat kernel command line option for x86

IO ports still work without those.

See also: mmap of /dev/mem fails with invalid argument for virt_to_phys address, but address is page aligned

Cache flushing

If you try to write to RAM instead of a register, the memory may be cached by the CPU: How to flush the CPU cache for a region of address space in Linux? and I don't see a very portable / easy way to flush it or mark the region as uncacheable:

  • How to write kernel space memory (physical address) to a file using O_DIRECT?
  • How to flush the CPU cache for a region of address space in Linux?
  • Is it possible to allocate, in user space, a non cacheable block of memory on Linux?

So maybe /dev/mem can't be used reliably to pass memory buffers to devices?

This can't be observed in QEMU unfortunately, since QEMU does not simulate caches.

How to test it out

Now for the fun part. Here are a few cool setups:

  • Userland memory
    • allocate volatile variable on an userland process
    • get the physical address with /proc/<pid>/maps + /proc/<pid>/pagemap
    • modify the value at the physical address with devmem, and watch the userland process react
  • Kernelland memory
    • allocate kernel memory with kmalloc
    • get the physical address with virt_to_phys and pass it back to userland
    • modify the physical address with devmem
    • query the value from the kernel module
  • IO mem and QEMU virtual platform device
    • create a platform device with known physical register addresses
    • use devmem to write to the register
    • watch printfs come out of the virtual device in response

Bonus: determine the physical address for a virtual address

Is there any API for determining the physical address from virtual address in Linux?

like image 76
Ciro Santilli 新疆再教育营六四事件法轮功郝海东 Avatar answered Sep 16 '22 12:09

Ciro Santilli 新疆再教育营六四事件法轮功郝海东
Sign in to Comment

Related questions

Bluetooth Low Energy: listening for notifications/indications in linux
Less Compiler for Linux [closed]
Assign AWK result to variable [duplicate]
How can I set a static IP address in a Docker container?
What happens when you run a program?
How to update a printed message in terminal without reprinting
Docker Bash prompt does not display color output
Why is import of SQL so slow?
How to list processes attached to a shared memory segment in linux?
scp copy directory to another server with private key auth
Why mmap() is faster than sequential IO? [duplicate]
How to build & deploy a Samsung SmartTV app without the IDE (e.g: on Linux)
remove white space from the end of line in linux [duplicate]
Keep Remote Directory Up-to-date
How to tell CMake where to put build files?
How to open the AVD manager on Ubuntu Linux from the command line?
How can I open Sublime Text 2 files from the command line in linux to a tab, not a new window
Tux, Varnish or Squid? [closed]
Threads in bash?
docker-compose up leads to "client and server don't have same version (client : 1.14, server: 1.12)" error but client and server have the same version

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!