W dniu 16 czerwca 2011 23:47 uÅytkownik RafaÅ MiÅecki <zajec5@xxxxxxxxx> napisaÅ: > W dniu 16 czerwca 2011 21:34 uÅytkownik Pekka Paalanen <pq@xxxxxx> napisaÅ: >> On Thu, 16 Jun 2011 21:19:04 +0200 >> RafaÅ MiÅecki <zajec5@xxxxxxxxx> wrote: >> >>> W dniu 16 czerwca 2011 20:07 uÅytkownik Larry Finger >>> <Larry.Finger@xxxxxxxxxxxx> napisaÅ: >>> > On 06/16/2011 12:20 PM, RafaÅ MiÅecki wrote: >>> >> >>> >> W dniu 16 czerwca 2011 16:44 uÅytkownik RafaÅ MiÅecki >>> >> <zajec5@xxxxxxxxx> ÂnapisaÅ: >>> >>> >>> >>> I analyze MMIO dumps of closed source driver and found such a >>> >>> place: W 2 3855.911536 9 0xb06003fc 0x810 0x0 0 >>> >>> R 2 3855.911540 9 0xb06003fe 0x0 0x0 0 >>> >>> W 2 3855.911541 9 0xb06003fe 0x0 0x0 0 >>> >>> >>> >>> After translation: >>> >>> Âphy_read(0x0810) -> Â0x0000 >>> >>> phy_write(0x0810)<- 0x0000 >>> >>> >>> >>> So it's quite obvious, the driver is reading PHY register, >>> >>> masking it and writing masked value. Unfortunately from just >>> >>> looking at such place we can not guess the mask driver uses. >>> >>> >>> >>> I'd like to fake value read from 0xb06003fe to be 0xFFFF. >>> >>> Is there some ready method for doing such a trick? >>> >>> >>> >>> Dump comes from Kernel hacking â Tracers â MMIO and >>> >>> ndiswrapper. >>> >> >>> >> I can see values in MMIO trace struct are filled in >>> >> arch/x86/mm/mmio-mod.c in "pre" and "post". However still no >>> >> idea how to hack the returned value. >> >> If you want to do it that way, the idea is to overwrite >> the right CPU register in mmio-mod.c:post(). You would test for >> the address you want to mess with, and then "invert" >> get_ins_reg_val() to overwrite the register with your own value. > > Good, idea thanks! Implementation attached. Now I only need to track writes to 0xfaafc3fc (that register is for addressing to-follow PHY read/write) and wait for 0xfaafc3fe which is read of PHY register value. -- RafaÅ
Attachment:
mmio.fake.0xfaafc000.patch
Description: Binary data
