From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail-ey0-f174.google.com ([209.85.215.174]:41895 "EHLO mail-ey0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757775Ab1FPTfH (ORCPT ); Thu, 16 Jun 2011 15:35:07 -0400 Date: Thu, 16 Jun 2011 22:34:56 +0300 From: Pekka Paalanen To: =?UTF-8?B?UmFmYcWCIE1pxYJlY2tp?= Cc: Larry Finger , linux-wireless@vger.kernel.org, Linux Kernel Mailing List Subject: Re: Faking MMIO ops? Fooling a driver Message-ID: <20110616223456.5cfdec2b@farn.lan> (sfid-20110616_213521_113374_250BE61E) In-Reply-To: References: <4DFA4672.5080307@lwfinger.net> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Thu, 16 Jun 2011 21:19:04 +0200 Rafał Miłecki wrote: > W dniu 16 czerwca 2011 20:07 użytkownik Larry Finger > napisał: > > On 06/16/2011 12:20 PM, Rafał Miłecki wrote: > >> > >> W dniu 16 czerwca 2011 16:44 użytkownik Rafał Miłecki > >>  napisał: > >>> > >>> I analyze MMIO dumps of closed source driver and found such a > >>> place: W 2 3855.911536 9 0xb06003fc 0x810 0x0 0 > >>> R 2 3855.911540 9 0xb06003fe 0x0 0x0 0 > >>> W 2 3855.911541 9 0xb06003fe 0x0 0x0 0 > >>> > >>> After translation: > >>>  phy_read(0x0810) ->  0x0000 > >>> phy_write(0x0810)<- 0x0000 > >>> > >>> So it's quite obvious, the driver is reading PHY register, > >>> masking it and writing masked value. Unfortunately from just > >>> looking at such place we can not guess the mask driver uses. > >>> > >>> I'd like to fake value read from 0xb06003fe to be 0xFFFF. > >>> Is there some ready method for doing such a trick? > >>> > >>> Dump comes from Kernel hacking → Tracers → MMIO and > >>> ndiswrapper. > >> > >> I can see values in MMIO trace struct are filled in > >> arch/x86/mm/mmio-mod.c in "pre" and "post". However still no > >> idea how to hack the returned value. If you want to do it that way, the idea is to overwrite the right CPU register in mmio-mod.c:post(). You would test for the address you want to mess with, and then "invert" get_ins_reg_val() to overwrite the register with your own value. > >> Should I try hacking read[bwl] instead? :| > > > > Probably. I do not see any way to trace and modify the results > > for a particular address without special code. > > Did you success with writing some special code? Following patch > does not seem to work for me: > > > diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h > index e0ffa3d..448e4ff 100644 > --- a/include/asm-generic/io.h > +++ b/include/asm-generic/io.h > @@ -23,6 +23,8 @@ > #define mmiowb() do {} while (0) > #endif > > +static int zajec = 0; > + > /*****************************************************************************/ > /* > * readX/writeX() are used to access memory mapped devices. On > some @@ -40,6 +42,11 @@ static inline u8 __raw_readb(const > volatile void __iomem *addr) > #ifndef __raw_readw > static inline u16 __raw_readw(const volatile void __iomem *addr) > { > + if (zajec++ < 10) > + printk(KERN_INFO "[ZAJEC] %d\n", *addr); > + if (*addr == 0xfaafc000) > + printk(KERN_INFO "[ZAJEC] Bingo!\n"); > + //0x1381a8d8 > return *(const volatile u16 __force *) addr; > } > #endif > > Should I modify different readw? Path include/asm-generic/io.h > sounds sane to me, so I modified this one. Are you sure that code is ever used on your arch? For instance, it seems that arch/x86/include/asm/io.h defines a different __raw_readw. Cheers. -- Pekka Paalanen http://www.iki.fi/pq/