[TUHS] Accessing the PDP-11/70 MMU registers and the kernel's u area

Diomidis Spinellis dds at aueb.gr
Mon Jun 15 02:13:08 AEST 2020

On 14-Jun-20 17:46, Noel Chiappa wrote:
> I don't know about 2.11, but in other PDP-11 Unixes, /dev/mem gives access to
> the actual CPU memory bus (which on a /34, etc, is the 18-bit address UNIBUS;
> on a /70 it's a separate 22-bit address bus).  In the /70 memory address
> space, the 'I/O page' (which is where the PxR's live) is at the top end of it,
> i.e. the registers are at 017772360 (KDSAR0), etc.

Indeed, fetching data from the I/O page region gives plausible values 
and everything works beautifully.  Thank you!

The value of the kernel's u is 0140000, so it begins exactly at the start 
of the memory mapped by kernel D-space PAR #6.

sim> examine 17772374
17772374:       016226

Offset of u_uid in struct user is 0242, so its physical memory address is:

016226 * 0100 + 0242 = 01623042

sim> examine 1623042
1623042:        000145
sim> examine 1623044
1623044:        000145
sim> examine 1623046
1623046:        000145

This indeed matches my uid (0145) repeated for svuid and ruid.

Even better (and this was my original proof of concept goal), setting 
those addresses to 0 provides root access.

$ id
uid=101(dds) gid=101 groups=101, 0(wheel)
$ while : ; do : ; done

Simulation stopped, PC: 040214 (BNE 40232)
sim> deposit 1623042 0
sim> deposit 1623044 0
sim> deposit 1623046 0
sim> cont

$ id
uid=0(root) gid=101 groups=101, 0(wheel)

One remaining puzzle is why this doesn't work when examining the 
kernel's virtual address. I would expect to see my user id again below.

sim> examine -v -k -d -o 140242
140242: 000026
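The address arithmetic in the message above (PAR value times 0100, plus the offset of the field inside struct user) is the standard PDP-11 MMU translation: a 16-bit virtual address is split into a 3-bit page number and a 13-bit offset, and the selected PAR supplies the page base in 64-byte units. The following Python is an added worked example, not code from the original message or from 2.11BSD; it assumes the KDSAR0 address quoted in the thread (017772360) and that kernel D-space PARs are consecutive 16-bit words, and it reproduces the 1623042 figure from the 016226 PAR value. The u_uid offset 0242 and the 22-bit physical address width are taken from the thread as well. Computing the mapping this way is what you would do when checking what a reader of /dev/mem (or anyone with the simulator console) can reach.

```python
# Added example: PDP-11/70 kernel D-space address translation, as used in
# the thread to find struct user fields in physical memory.

PAGE_SHIFT = 13                      # 8 KiB pages: 3-bit page, 13-bit offset
PAGE_MASK = (1 << PAGE_SHIFT) - 1    # 017777
PAR_UNIT = 0o100                     # a PAR holds the base in 64-byte units
PHYS_BITS = 22                       # /70 has a 22-bit physical address bus
PHYS_MASK = (1 << PHYS_BITS) - 1

KDSAR0 = 0o17772360                  # kernel D-space PAR 0, from the thread
U_UID_OFFSET = 0o242                 # offset of u_uid in struct user (thread)
KERNEL_U = 0o140000                  # kernel virtual address of u (thread)


def kdsar_address(n):
    """Physical (I/O page) address of kernel D-space PAR n.
    Assumes the eight PARs are consecutive 16-bit words after KDSAR0."""
    if not 0 <= n <= 7:
        raise ValueError("PDP-11 MMU has PARs 0..7")
    return KDSAR0 + 2 * n


def split_virtual(va):
    """Split a 16-bit virtual address into (page number, offset in page)."""
    if not 0 <= va <= 0o177777:
        raise ValueError("virtual addresses are 16 bits")
    return va >> PAGE_SHIFT, va & PAGE_MASK


def translate(va, pars):
    """Translate a virtual address using a list of eight PAR values.
    Returns a 22-bit physical address (the MMU ignores higher bits)."""
    page, offset = split_virtual(va)
    return (pars[page] * PAR_UNIT + offset) & PHYS_MASK


def user_field_address(par6, field_offset):
    """Physical address of a struct user field, given the PAR that maps
    the u area (PAR #6 here) and the field's offset within the struct."""
    if not 0 <= field_offset <= PAGE_MASK:
        raise ValueError("field offset must fall inside the 8 KiB page")
    return (par6 * PAR_UNIT + field_offset) & PHYS_MASK


def uid_word_addresses(par6):
    """The three consecutive words the thread inspects: u_uid and the two
    following words (uid, svuid, ruid as the message reads them)."""
    base = user_field_address(par6, U_UID_OFFSET)
    return [base, base + 2, base + 4]


if __name__ == "__main__":
    # Constructed PAR table: only PAR #6 carries the value from the thread.
    pars = [0] * 8
    pars[6] = 0o16226
    print("KDSAR6 lives at      %o" % kdsar_address(6))
    print("u (virtual %o) ->    %o" % (KERNEL_U, translate(KERNEL_U, pars)))
    print("u_uid physical addr  %o" % user_field_address(pars[6], U_UID_OFFSET))
    print("words examined:      %s" % ["%o" % a for a in uid_word_addresses(pars[6])])
```

The translate() call for 0140242 returns 01623042 with PAR #6 set to 016226, i.e. the same address the message examined directly, which is why a correct virtual examine must consult the PAR that was live when the simulator stopped.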


More information about the TUHS mailing list