Re: Faking MMIO ops? Fooling a driver

[Larry Finger]

On 06/16/2011 12:20 PM, RafaÅ MiÅecki wrote:
> W dniu 16 czerwca 2011 16:44 uÅytkownik RafaÅ MiÅecki
> <zajec5@xxxxxxxxx>  napisaÅ:
> > I analyze MMIO dumps of closed source driver and found such a place:
> > W 2 3855.911536 9 0xb06003fc 0x810 0x0 0
> > R 2 3855.911540 9 0xb06003fe 0x0 0x0 0
> > W 2 3855.911541 9 0xb06003fe 0x0 0x0 0
> >
> > After translation:
> >   phy_read(0x0810) ->  0x0000
> > phy_write(0x0810)<- 0x0000
> >
> > So it's quite obvious, the driver is reading PHY register, masking it
> > and writing masked value. Unfortunately from just looking at such
> > place we can not guess the mask driver uses.
> >
> > I'd like to fake value read from 0xb06003fe to be 0xFFFF.
> > Is there some ready method for doing such a trick?
> >
> > Dump comes from Kernel hacking â Tracers â MMIO and ndiswrapper.
>
> I can see values in MMIO trace struct are filled in
> arch/x86/mm/mmio-mod.c in "pre" and "post". However still no idea how
> to hack the returned value.
>
> Should I try hacking read[bwl] instead? :|

Probably. I do not see any way to trace and modify the results for a particular 
address without special code.

FYI, my reference driver for reverse engineering has no instance of a 
read/modify/write for PHY register 0x810. Is the code in question for a PHY type 
> 6?

Larry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/