Access to physical addresses in Linux

The/dev/MEM driver provided in the Linux Kernel provides a channel for us to read and write the physical address of the memory. The following describes two methods to read and write physical addresses Using Mem Device Files: one is a device driver and the other is a system call.
First, let's take a look at the mem device file./dev/MEM is a character device in Linux. The source file is ~ /Drivers/Char/MEM. C. This device file is used to read and write physical addresses. The content is the address and content information of all physical memory. Generally, only root users have read and write permissions.
 
1. Device Driver Method

The file_operations structure defined in the mem. c file provides llseek, read, write, MMAP, and open methods.
Static struct file_operations mem_fops =
{
. Llseek = memory_lseek,
. Read = read_mem,
. Write = write_mem,
. MMAP = mmap_mem,
. Open = open_mem,
};
Therefore, we can use the general driver to treat the memory as a device. The application is as follows:
# Include <stdio. h>
# Include <fcntl. h>
Int main (void)
{
Int FD;
Char * rdbuf;
Char * wrbuf = "Butterfly ";
Int I;
FD = open ("/dev/mem", o_rdwr );
If (FD <0)
{
Printf ("Open/dev/MEM failed .");
}
Read (FD, rdbuf, 10 );
 
For (I = 0; I <10; I ++)
{
Printf ("Old mem [% d]: % C/N", I, * (rdbuf + I ));
}
Lseek (FD, 5, 0 );
Write (FD, wrbuf, 10 );
Lseek (FD, 0, 0); // move f_ops to the front
Read (FD, rdbuf, 10 );
For (I = 0; I <10; I ++)
{
Printf ("New mem [% d]: % C/N", I, * (rdbuf + I ));
}
 
Return 0;
}

The execution result is as follows: Replace the content of the first 10 bytes of memory.
[Root @ VOIP-IPCAM app] #./memtest
Old mem [0]: B
Old mem [1]: u
Old mem [2]: T
Old mem [3]: T
Old mem [4]: E
Old mem [5]: R
Old mem [6]: F
Old mem [7]: l
Old mem [8]: Y
Old mem [9]:!
New mem [0]: B
New mem [1]: u
New mem [2]: T
New mem [3]: T
New mem [4]: E
New mem [5]: B
New mem [6]: u
New mem [7]: T
New mem [8]: T
New mem [9]: E

2. System Call Method

You may find that, as you mentioned earlier, the address and content of the memory are stored in this file, can I directly view it? The answer is yes. Linux Kernel developers provide us with the hexedit command to display the/dev/MEM content (if you use CAT/dev/MEM, you will see garbled characters ), the result of executing hexedit/dev/MEM is as follows:
00000000 62 75 74 65 62 75 74 65 72 66 6C 79 21 20 butterfly!
00000010 20 20 20 20 20 20 20 20 20 20 20 20 20
00000020 20 20 20 20 20 20 20 20 20 20 20 20 20
00000030 6f EF 00 F0 6f EF 00 F0 57 EF 00 F0 6f EF 00 F0 o... w... o...
00000040 02 11 00 C0 4D F8 00 F0 41 F8 00 F0 34 85 00 F0 ...... M .........
00000050 39 E7 00 F0 59 F8 00 F0 2E E8 00 F0 D2 EF 00 F0 9... y ...........
00000060 A4 E7 00 F0 F2 E6 00 F0 6e Fe 00 F0 53 ff 00 F0 ...... n ...... S...
00000070 53 ff 00 F0 A4 F0 00 F0 C7 EF 00 F0 1C 42 00 C0 s ...... B ..
As you can see, the leftmost display is the address. The next 24 columns show the ASCII code of the content of each memory byte unit, and the rightmost display the corresponding character information. It is gratifying that this file can be directly modified. Press the tab key to enter the modification mode. During the modification process, the modification content will be displayed in bold. Press f2 to save the modification and the bold content will disappear. The above butterfly is modified in this way.
Since the memory address and content are all stored in the mem device file, we can think of another way to read and write the physical address. That is to combine the mem device file and MMAP system call to map the physical memory address in the file to the address space of the process, so as to read and write the physical memory address. Next, let's talk about MMAP system calls.
MMAP function prototype: void * MMAP (void * Start, size_t length, int Prot, int flags, int FD, off_t offset ), this function is defined in/usr/include/sys/Mman. h: # include <sys/Mman. h>, MMAP () is used to map the content of a file to the address space of the process. The access to the space is the read and write of the file content. Parameters are described as follows:
Start: point to the starting address of the address space to be mapped. Generally, if it is set to null or 0, the system automatically selects the address. After successful ing, the address will be returned.
Length: the size of the mapped file, in bytes.
Prot: indicates the protection mode of the ing area. There are four combinations:
-- The prot_exec ing area can be executed,
-- The prot_read ing area is readable,
-- The prot_write ing area can be written,
-- The prot_none ing region cannot be accessed.
Flags: some features of the ing area, mainly including:
-- Map_fixed: If the ing fails, an error is returned,
-- Map_shared writes data to the ing area to the original file.
-- Map_private: data written to the ing area is not written back to the original file.
-- Map_anonymous
-- Map_denywrite: only write operations on the ing region are allowed. Other operations on direct file write operations are rejected.
-- Map_locked: Lock the ing area
When calling MMAP (), you must specify map_shared or map_private.
FD: file descriptor returned by open.
Offset: the offset of the mapped file. It indicates the position where the file is mapped. Generally, it is set to 0, indicating that the ing starts from the beginning of the file. Offset must be an integer multiple of the page size (4096 bytes.
The application is as follows:
# Include <stdio. h>
# Include <fcntl. h>
# Include <sys/Mman. h> // MMAP head File
Int main (void)
{
Int I;
Int FD;
Char * start;
Char * Buf = "butterfly! ";
 
// Open/dev/MEM with read and write mode
FD = open ("/dev/mem", o_rdwr );
If (FD <0)
{
Printf ("cannot open/dev/MEM .");
Return-1;
}
 
// Map physical memory 0-10 bytes
Start = (char *) MMAP (0, 10, prot_read | prot_write, map_shared, FD, 0 );
If (start <0)
{
Printf ("MMAP failed .");
Return-1;
}
// Read old value
For (I = 0; I <10; I ++)
{
Printf ("Old mem [% d]: % C/N", I, * (start + I ));
}
// Write memory
Memcpy (START, Buf, 10 );
// Read New Value
For (I = 0; I <10; I ++)
{
Printf ("New mem [% d]: % C/N", I, * (start + I ));
}
Munmap (START, 10); // destroy MAP memory
Close (FD); // close file
Return 0;
}
The program execution result is as follows:
[Root @ VOIP-IPCAM app] #./rwphy
Old mem [0]: B
Old mem [1]: u
Old mem [2]: T
Old mem [3]: T
Old mem [4]: E
Old mem [5]: B
Old mem [6]: u
Old mem [7]: T
Old mem [8]: T
Old mem [9]: E
New mem [0]: B
New mem [1]: u
New mem [2]: T
New mem [3]: T
New mem [4]: E
New mem [5]: R
New mem [6]: F
New mem [7]: l
New mem [8]: Y
New mem [9]:!
Use a sentence from someone else to conclude:
"/Dev/MEM is a very interesting thing. You can directly access the physical memory. This is amazing in Linux. It seems like a thief is planning to steal a bank, but the bank is heavily guarded, just when the thief has no countermeasures, suddenly I found a backdoor in an inconspicuous place, which can be directly directed to the Bank's vault."