| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2011 19:20:12 +0200 From: Rafał Miłecki <zajec5@...il.com> To: linux-wireless@...r.kernel.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Cc: Pekka Paalanen <pq@....fi> Subject: Re: Faking MMIO ops? Fooling a driver W dniu 16 czerwca 2011 16:44 użytkownik Rafał Miłecki <zajec5@...il.com> napisał: > I analyze MMIO dumps of closed source driver and found such a place: > W 2 3855.911536 9 0xb06003fc 0x810 0x0 0 > R 2 3855.911540 9 0xb06003fe 0x0 0x0 0 > W 2 3855.911541 9 0xb06003fe 0x0 0x0 0 > > After translation: > phy_read(0x0810) -> 0x0000 > phy_write(0x0810) <- 0x0000 > > So it's quite obvious, the driver is reading PHY register, masking it > and writing masked value. Unfortunately from just looking at such > place we can not guess the mask driver uses. > > I'd like to fake value read from 0xb06003fe to be 0xFFFF. > Is there some ready method for doing such a trick? > > Dump comes from Kernel hacking → Tracers → MMIO and ndiswrapper. I can see values in MMIO trace struct are filled in arch/x86/mm/mmio-mod.c in "pre" and "post". However still no idea how to hack the returned value. Should I try hacking read[bwl] instead? :| -- Rafał -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists