On 14-Jun-20 17:46, Noel Chiappa wrote:
> I don't know about 2.11, but in other PDP-11 Unixes, /dev/mem gives access to
> the actual CPU memory bus (which on a /34, etc, is the 18-bit address UNIBUS;
> on a /70 it's a separate 22-bit address bus). In the /70 memory address
> space, the 'I/O page' (which is where the PxR's live) is at the top end of it,
> i.e. the registers are at 017772360 (KDSAR0), etc.
Indeed, fetching data from the I/O page region gives plausible values
and everything works beautifully. Thank you!
The value of the kernel's u is 0140000, so it begins exactly at the start
of the memory mapped by kernel D-space PAR #6:
sim> examine 17772374
17772374: 016226
Offset of u_uid in struct user is 0242, so its physical memory address is:
016226 * 0100 + 0242 = 01623042
sim> examine 1623042
1623042: 000145
sim> examine 1623044
1623044: 000145
sim> examine 1623046
1623046: 000145
This indeed matches my uid (0145) repeated for svuid and ruid.
Even better (and this was my original proof of concept goal), setting
those addresses to 0 provides root access.
$ id
uid=101(dds) gid=101 groups=101, 0(wheel)
$ while : ; do : ; done
Simulation stopped, PC: 040214 (BNE 40232)
sim> deposit 1623042 0
sim> deposit 1623044 0
sim> deposit 1623046 0
sim> cont
$ id
uid=0(root) gid=101 groups=101, 0(wheel)
One remaining puzzle is why this doesn't work when examining the
kernel's virtual address. I would expect to see my user id again below.
sim> examine -v -k -d -o 140242
140242: 000026
Diomidis
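The hand translation in the message above (PAR #6 value 016226, times 0100, plus the 0242 offset) is the general PDP-11 MMU mapping: the top three bits of a 16-bit virtual address select one of eight page address registers, and the remaining 13 bits are the displacement inside an 8 KB page. The following is an added example, not code from the thread or from 2.11BSD; it assumes the KDSAR0 location quoted above (017772360), 16-bit registers two bytes apart, and the single PAR value Diomidis read, with all other PARs left at zero as a constructed placeholder.

```python
# Added example: PDP-11/70 kernel D-space address translation, as done by
# hand in the message above. Assumptions: KDSAR0 at 017772360 (quoted in the
# thread), 8 pages of 8 KB per address space, PAR values in 64-byte blocks.

KDSAR0 = 0o17772360      # kernel D-space PAR #0 in the /70 I/O page
PAGE_SHIFT = 13          # 8 KB (020000 bytes) per page, 8 pages per space
BLOCK_SHIFT = 6          # a PAR holds a base address in 64-byte (0100) blocks
PHYS_MASK = 0o17777777   # 22-bit physical address bus on the /70


def par_address(n: int) -> int:
    """I/O page address of kernel D-space PAR #n (what to 'examine')."""
    if not 0 <= n < 8:
        raise ValueError("a PDP-11 address space has 8 pages")
    return KDSAR0 + 2 * n   # 16-bit registers, two bytes apart


def translate(vaddr: int, pars) -> int:
    """Map a 16-bit kernel D-space virtual address to a 22-bit physical one.

    pars: the 8 PAR values as read from the I/O page.
    Physical = PAR[apf] * 0100 + displacement within the 8 KB page.
    """
    if not 0 <= vaddr < 0o200000:
        raise ValueError("virtual address must fit in 16 bits")
    apf = vaddr >> PAGE_SHIFT                 # active page field selects the PAR
    disp = vaddr & ((1 << PAGE_SHIFT) - 1)    # block number + byte in block
    return ((pars[apf] << BLOCK_SHIFT) + disp) & PHYS_MASK


# Constructed input: only PAR #6 is known from the message (examine 17772374
# returned 016226); the other seven entries are placeholders.
PARS = [0] * 8
PARS[6] = 0o16226
U_BASE = 0o140000        # kernel's u, start of the page mapped by PAR #6
U_UID_OFFSET = 0o242     # offset of u_uid in struct user


def u_uid_physical(pars=PARS) -> int:
    """Physical address of u_uid, i.e. the address examined in the thread."""
    return translate(U_BASE + U_UID_OFFSET, pars)


if __name__ == "__main__":
    print(f"kernel D-space PAR #6 is at {par_address(6):o}")
    print(f"u_uid is at physical address {u_uid_physical():o}")
```

Running it reproduces the two numbers from the message: PAR #6 at 017772374 and u_uid at 01623042.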