[TUHS] Accessing the PDP-11/70 MMU registers and the kernel's u area
dds at aueb.gr
Mon Jun 15 02:13:08 AEST 2020
On 14-Jun-20 17:46, Noel Chiappa wrote:
> I don't know about 2.11, but in other PDP-11 Unixes, /dev/mem gives access to
> the actual CPU memory bus (which on a /34, etc, is the 18-bit address UNIBUS;
> on a /70 it's a separate 22-bit address bus). In the /70 memory address
> space, the 'I/O page' (which is where the PxR's live) is at the top end of it,
> i.e. the registers are at 017772360 (KDSAR0), etc.
Indeed, fetching data from the I/O page region gives plausible values
and everything works beautifully. Thank you!
The value of the kernel's u is 0140000, so it begins exactly at the start
of the memory mapped by kernel D-space PAR #6.
sim> examine 17772374
Offset of u_uid in struct user is 0242, so its physical memory address is:
016226 * 0100 + 0242 = 01623042
sim> examine 1623042
sim> examine 1623044
sim> examine 1623046
This indeed matches my uid (0145) repeated for svuid and ruid.
Even better (and this was my original proof of concept goal), setting
those addresses to 0 provides root access.
uid=101(dds) gid=101 groups=101, 0(wheel)
$ while : ; do : ; done
Simulation stopped, PC: 040214 (BNE 40232)
sim> deposit 1623042 0
sim> deposit 1623044 0
sim> deposit 1623046 0
uid=0(root) gid=101 groups=101, 0(wheel)
One remaining puzzle is why this doesn't work when examining the
kernel's virtual address. I would expect to see my user id again below.
sim> examine -v -k -d -o 140242
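The arithmetic above (PAR value times 0100, plus the offset within the page) is the PDP-11 MMU translation for one 8 KB page. The following is an added worked example, not code from the post or from 2.11BSD; it assumes 22-bit addressing mode and the KDSAR0 base and PAR #6 value quoted in the thread, and reproduces the 01623042 result for the constructed virtual address 0140242 (u at 0140000 plus the u_uid offset 0242).

```c
#include <stdint.h>
#include <stdio.h>

/* PDP-11 memory management: a 16-bit virtual address has a 3-bit active page
 * field (bits 13..15) selecting one of eight 8 KB pages, and a 13-bit offset
 * within that page. The page address register (PAR) holds the physical base of
 * the page in 64-byte (0100 octal) blocks, so the physical address is
 * PAR * 0100 + offset. On the /70 the result is a 22-bit bus address. */

#define PDP11_PAGE_SHIFT  13                   /* 8 KB pages */
#define PDP11_BLOCK_BYTES 64                   /* one PAR unit = 0100 octal bytes */
#define PDP11_PHYS_MASK   ((1u << 22) - 1)     /* 22-bit physical bus on the /70 */
#define KDSAR0_ADDRESS    017772360u           /* kernel D-space PAR 0 in the I/O page */

/* I/O-page address of kernel D-space PAR n (registers are 2 bytes apart). */
uint32_t kdsar_address(unsigned n) {
    return KDSAR0_ADDRESS + 2u * n;
}

/* Active page field of a virtual address: which PAR the MMU consults. */
unsigned pdp11_page_of(uint16_t va) {
    return va >> PDP11_PAGE_SHIFT;
}

/* Translate virtual address va using the PAR value for its page. */
uint32_t pdp11_translate(uint16_t va, uint16_t par) {
    uint32_t offset = va & ((1u << PDP11_PAGE_SHIFT) - 1);  /* 13-bit offset within the page */
    return ((uint32_t)par * PDP11_BLOCK_BYTES + offset) & PDP11_PHYS_MASK;
}

int main(void) {
    uint16_t va  = 0140242;   /* constructed: u (0140000) + offset of u_uid (0242) */
    uint16_t par = 016226;    /* value read from KDSAR6 in the thread */
    unsigned page = pdp11_page_of(va);
    printf("virtual %06o lies in page %u, PAR at I/O address %o\n",
           va, page, kdsar_address(page));
    printf("physical address: %o\n", pdp11_translate(va, par));  /* 1623042 */
    return 0;
}
```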