[apple/xnu.git] / tools / lldbmacros / pmap.py

from xnu import *
import xnudefines
from kdp import *
from utils import *

def ReadPhysInt(phys_addr, bitsize = 64, cpuval = None):
    """ Read a physical memory data based on address. 
        params:
            phys_addr : int - Physical address to read
            bitsize   : int - defines how many bytes to read. defaults to 64 bit
            cpuval    : None (optional)
        returns:
            int - int value read from memory. in case of failure 0xBAD10AD is returned.
    """
    if "kdp" == GetConnectionProtocol():
        return KDPReadPhysMEM(phys_addr, bitsize)

    #NO KDP. Attempt to use physical memory
    paddr_in_kva = kern.PhysToKernelVirt(long(phys_addr))
    if paddr_in_kva :
        if bitsize == 64 :
            return kern.GetValueFromAddress(paddr_in_kva, 'uint64_t *').GetSBValue().Dereference().GetValueAsUnsigned()
        if bitsize == 32 :
            return kern.GetValueFromAddress(paddr_in_kva, 'uint32_t *').GetSBValue().Dereference().GetValueAsUnsigned()
        if bitsize == 16 :
            return kern.GetValueFromAddress(paddr_in_kva, 'uint16_t *').GetSBValue().Dereference().GetValueAsUnsigned()
        if bitsize == 8 :
            return kern.GetValueFromAddress(paddr_in_kva, 'uint8_t *').GetSBValue().Dereference().GetValueAsUnsigned()
    return 0xBAD10AD

@lldb_command('readphys')
def ReadPhys(cmd_args = None):
    """ Reads the specified untranslated address 
        The argument is interpreted as a physical address, and the 64-bit word
        addressed is displayed.
        usage: readphys <nbits> <address>
        nbits: 8,16,32,64
        address: 1234 or 0x1234 
    """
    if cmd_args == None or len(cmd_args) < 2:
        print "Insufficient arguments.", ReadPhys.__doc__
        return False
    else:
        nbits = ArgumentStringToInt(cmd_args[0])
        phys_addr = ArgumentStringToInt(cmd_args[1])
        print "{0: <#x}".format(ReadPhysInt(phys_addr, nbits))
    return True

lldb_alias('readphys8', 'readphys 8 ')
lldb_alias('readphys16', 'readphys 16 ')
lldb_alias('readphys32', 'readphys 32 ')
lldb_alias('readphys64', 'readphys 64 ')

def KDPReadPhysMEM(address, bits):
    """ Setup the state for READPHYSMEM64 commands for reading data via kdp
        params:
            address : int - address where to read the data from
            bits : int - number of bits in the intval (8/16/32/64)
        returns:
            int: read value from memory. 
            0xBAD10AD: if failed to read data.
    """
    retval = 0xBAD10AD
    if "kdp" != GetConnectionProtocol():
        print "Target is not connected over kdp. Nothing to do here."
        return retval

    input_address = unsigned(addressof(kern.globals.manual_pkt.input))
    len_address = unsigned(addressof(kern.globals.manual_pkt.len))
    data_address = unsigned(addressof(kern.globals.manual_pkt.data))
    if not WriteInt32ToMemoryAddress(0, input_address):
        return retval

    kdp_pkt_size = GetType('kdp_readphysmem64_req_t').GetByteSize()
    if not WriteInt32ToMemoryAddress(kdp_pkt_size, len_address):
        return retval

    data_addr = int(addressof(kern.globals.manual_pkt))
    pkt = kern.GetValueFromAddress(data_addr, 'kdp_readphysmem64_req_t *')
    
    header_value =GetKDPPacketHeaderInt(request=GetEnumValue('kdp_req_t::KDP_READPHYSMEM64'), length=kdp_pkt_size)
    
    if ( WriteInt64ToMemoryAddress((header_value), int(addressof(pkt.hdr))) and
         WriteInt64ToMemoryAddress(address, int(addressof(pkt.address))) and
         WriteInt32ToMemoryAddress((bits/8), int(addressof(pkt.nbytes))) and
         WriteInt16ToMemoryAddress(xnudefines.lcpu_self, int(addressof(pkt.lcpu)))
         ):
         
        if WriteInt32ToMemoryAddress(1, input_address):
            # now read data from the kdp packet
            data_address = unsigned(addressof(kern.GetValueFromAddress(int(addressof(kern.globals.manual_pkt.data)), 'kdp_readphysmem64_reply_t *').data))
            if bits == 64 :
                retval =  kern.GetValueFromAddress(data_address, 'uint64_t *').GetSBValue().Dereference().GetValueAsUnsigned()
            if bits == 32 :
                retval =  kern.GetValueFromAddress(data_address, 'uint32_t *').GetSBValue().Dereference().GetValueAsUnsigned()
            if bits == 16 :
                retval =  kern.GetValueFromAddress(data_address, 'uint16_t *').GetSBValue().Dereference().GetValueAsUnsigned()
            if bits == 8 :
                retval =  kern.GetValueFromAddress(data_address, 'uint8_t *').GetSBValue().Dereference().GetValueAsUnsigned()
    return retval


def KDPWritePhysMEM(address, intval, bits):
    """ Setup the state for WRITEPHYSMEM64 commands for saving data in kdp
        params:
            address : int - address where to save the data
            intval : int - integer value to be stored in memory
            bits : int - number of bits in the intval (8/16/32/64)
        returns:
            boolean: True if the write succeeded.
    """
    if "kdp" != GetConnectionProtocol():
        print "Target is not connected over kdp. Nothing to do here."
        return False
    input_address = unsigned(addressof(kern.globals.manual_pkt.input))
    len_address = unsigned(addressof(kern.globals.manual_pkt.len))
    data_address = unsigned(addressof(kern.globals.manual_pkt.data))
    if not WriteInt32ToMemoryAddress(0, input_address):
        return False

    kdp_pkt_size = GetType('kdp_writephysmem64_req_t').GetByteSize()
    if not WriteInt32ToMemoryAddress(kdp_pkt_size, len_address):
        return False

    data_addr = int(addressof(kern.globals.manual_pkt))
    pkt = kern.GetValueFromAddress(data_addr, 'kdp_writephysmem64_req_t *')
    
    header_value =GetKDPPacketHeaderInt(request=GetEnumValue('kdp_req_t::KDP_WRITEPHYSMEM64'), length=kdp_pkt_size)
    
    if ( WriteInt64ToMemoryAddress((header_value), int(addressof(pkt.hdr))) and
         WriteInt64ToMemoryAddress(address, int(addressof(pkt.address))) and
         WriteInt32ToMemoryAddress((bits/8), int(addressof(pkt.nbytes))) and
         WriteInt16ToMemoryAddress(xnudefines.lcpu_self, int(addressof(pkt.lcpu)))
         ):
         
        if bits == 8:
            if not WriteInt8ToMemoryAddress(intval, int(addressof(pkt.data))):
                return False
        if bits == 16:
            if not WriteInt16ToMemoryAddress(intval, int(addressof(pkt.data))):
                return False
        if bits == 32:
            if not WriteInt32ToMemoryAddress(intval, int(addressof(pkt.data))):
                return False
        if bits == 64:
            if not WriteInt64ToMemoryAddress(intval, int(addressof(pkt.data))):
                return False
        if WriteInt32ToMemoryAddress(1, input_address):
            return True
    return False


def WritePhysInt(phys_addr, int_val, bitsize = 64):
    """ Write and integer value in a physical memory data based on address. 
        params:
            phys_addr : int - Physical address to read
            int_val   : int - int value to write in memory
            bitsize   : int - defines how many bytes to read. defaults to 64 bit
        returns:
            bool - True if write was successful.
    """
    if "kdp" == GetConnectionProtocol():
        if not KDPWritePhysMEM(phys_addr, int_val, bitsize):
            print "Failed to write via KDP."
            return False
        return True
    #We are not connected via KDP. So do manual math and savings.
    print "Failed: Write to physical memory is not supported for %s connection." % GetConnectionProtocol()
    return False

@lldb_command('writephys')
def WritePhys(cmd_args=None):
    """ writes to the specified untranslated address 
        The argument is interpreted as a physical address, and the 64-bit word
        addressed is displayed.
        usage: writephys <nbits> <address> <value>
        nbits: 8,16,32,64
        address: 1234 or 0x1234
        value: int value to be written
        ex. (lldb)writephys 16 0x12345abcd 0x25 
    """
    if cmd_args == None or len(cmd_args) < 3:
        print "Invalid arguments.", WritePhys.__doc__
    else:
        nbits = ArgumentStringToInt(cmd_args[0])
        phys_addr = ArgumentStringToInt(cmd_args[1])
        int_value = ArgumentStringToInt(cmd_args[2])
        print WritePhysInt(phys_addr, int_value, nbits)


lldb_alias('writephys8', 'writephys 8 ')
lldb_alias('writephys16', 'writephys 16 ')
lldb_alias('writephys32', 'writephys 32 ')
lldb_alias('writephys64', 'writephys 64 ')

def _PT_Step(paddr, index, verbose_level = vSCRIPT):
    """
     Step to lower-level page table and print attributes
       paddr: current page table entry physical address
       index: current page table entry index (0..511)
       verbose_level:    vHUMAN: print nothing
                         vSCRIPT: print basic information
                         vDETAIL: print basic information and hex table dump
     returns: (pt_paddr, pt_valid, pt_large)
       pt_paddr: next level page table entry physical address
                      or null if invalid
       pt_valid: 1 if $kgm_pt_paddr is valid, 0 if the walk
                      should be aborted
       pt_large: 1 if kgm_pt_paddr is a page frame address
                      of a large page and not another page table entry
    """
    entry_addr = paddr + (8 * index)
    entry = ReadPhysInt(entry_addr, 64, xnudefines.lcpu_self )
    out_string = ''
    if verbose_level >= vDETAIL:
        for pte_loop in range(0, 512):
            paddr_tmp = paddr + (8 * pte_loop)
            out_string += "{0: <#020x}:\t {1: <#020x}\n".format(paddr_tmp, ReadPhysInt(paddr_tmp, 64, xnudefines.lcpu_self))
    paddr_mask = ~((0xfff<<52) | 0xfff)
    paddr_large_mask =  ~((0xfff<<52) | 0x1fffff)
    pt_valid = False
    pt_large = False
    pt_paddr = 0
    if verbose_level < vSCRIPT:
        if entry & 0x1 :
            pt_valid = True
            pt_large = False
            pt_paddr = entry & paddr_mask
            if entry & (0x1 <<7):
                pt_large = True
                pt_paddr = entry & paddr_large_mask
    else:
        out_string+= "{0: <#020x}:\n\t{1:#020x}\n\t".format(entry_addr, entry)
        if entry & 0x1:
            out_string += " valid"
            pt_paddr = entry & paddr_mask
            pt_valid = True
        else:
            out_string += " invalid"
            pt_paddr = 0
            pt_valid = False
            #Stop decoding other bits
            entry = 0
        if entry & (0x1 << 1):
            out_string += " writable"
        else:
            out_string += " read-only"
        
        if entry & (0x1 << 2):
            out_string += " user"
        else:
            out_string += " supervisor"
        
        if entry & (0x1 << 3):
            out_string += " PWT"
        
        if entry & (0x1 << 4):
            out_string += " PCD"
        
        if entry & (0x1 << 5):
            out_string += " accessed"
        
        if entry & (0x1 << 6):
            out_string += " dirty"
        
        if entry & (0x1 << 7):
            out_string += " large"
            pt_large = True
        else:
            pt_large = False
        
        if entry & (0x1 << 8):
            out_string += " global"
        
        if entry & (0x3 << 9):
            out_string += " avail:{0:x}".format((entry >> 9) & 0x3)
        
        if entry & (0x1 << 63):
            out_string += " noexec"
    print out_string
    return (pt_paddr, pt_valid, pt_large)
        
            
def _PmapL4Walk(pmap_addr_val,vaddr, verbose_level = vSCRIPT):
    """ Walk the l4 pmap entry.
        params: pmap_addr_val - core.value representing kernel data of type pmap_addr_t
        vaddr : int - virtual address to walk
    """
    is_cpu64_bit = int(kern.globals.cpu_64bit)
    pt_paddr = unsigned(pmap_addr_val)
    pt_valid = (unsigned(pmap_addr_val) != 0)
    pt_large = 0
    pframe_offset = 0
    if pt_valid and is_cpu64_bit:
        # Lookup bits 47:39 of linear address in PML4T
        pt_index = (vaddr >> 39) & 0x1ff
        pframe_offset = vaddr & 0x7fffffffff
        if verbose_level > vHUMAN :
            print "pml4 (index {0:d}):".format(pt_index)
        (pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
    if pt_valid:
        # Lookup bits 38:30 of the linear address in PDPT
        pt_index = (vaddr >> 30) & 0x1ff
        pframe_offset = vaddr & 0x3fffffff
        if verbose_level > vHUMAN:
            print "pdpt (index {0:d}):".format(pt_index)
        (pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
    if pt_valid and not pt_large:
        #Lookup bits 29:21 of the linear address in PDPT
        pt_index = (vaddr >> 21) & 0x1ff
        pframe_offset = vaddr & 0x1fffff
        if verbose_level > vHUMAN:
            print "pdt (index {0:d}):".format(pt_index)
        (pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
    if pt_valid and not pt_large:
        #Lookup bits 20:21 of linear address in PT
        pt_index = (vaddr >> 12) & 0x1ff
        pframe_offset = vaddr & 0xfff
        if verbose_level > vHUMAN:
            print "pt (index {0:d}):".format(pt_index)
        (pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
    paddr = 0
    paddr_isvalid = False
    if pt_valid:
        paddr = pt_paddr + pframe_offset
        paddr_isvalid = True
    
    if verbose_level > vHUMAN:
        if paddr_isvalid:
            pvalue = ReadPhysInt(paddr, 32, xnudefines.lcpu_self)
            print "phys {0: <#020x}: {1: <#020x}".format(paddr, pvalue)
        else:
            print "no translation"

    return
 
def _PmapWalkARMLevel1Section(tte, vaddr, verbose_level = vSCRIPT):
    paddr = 0
    out_string = ""
    #Supersection or just section?
    if (tte & 0x40000) == 0x40000:
        paddr = ( (tte & 0xFF000000) | (vaddr & 0x00FFFFFF) )
    else:
        paddr = ( (tte & 0xFFF00000) | (vaddr & 0x000FFFFF) )
        
    if verbose_level >= vSCRIPT:
        out_string += "{0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(tte), tte)
        #bit [1:0] evaluated in PmapWalkARM
        # B bit 2
        b_bit = (tte & 0x4) >> 2
        # C bit 3
        c_bit = (tte & 0x8) >> 3
        #XN bit 4
        if (tte & 0x10) : 
            out_string += "no-execute"
        else:
            out_string += "execute"
        #Domain bit [8:5] if not supersection
        if (tte & 0x40000) == 0x0:
            out_string += " domain ({:d})".format(((tte & 0x1e0) >> 5) )
        #IMP bit 9
        out_string += " imp({:d})".format( ((tte & 0x200) >> 9) )
        # AP bit 15 and [11:10] merged to a single 3 bit value
        access = ( (tte & 0xc00) >> 10 ) | ((tte & 0x8000) >> 13)
        out_string += xnudefines.arm_level2_access_strings[access]
        
        #TEX bit [14:12]
        tex_bits = ((tte & 0x7000) >> 12)
        #Print TEX, C , B all together
        out_string += " TEX:C:B({:d}{:d}{:d}:{:d}:{:d})".format(
                                                                    1 if (tex_bits & 0x4) else 0,
                                                                    1 if (tex_bits & 0x2) else 0,
                                                                    1 if (tex_bits & 0x1) else 0,
                                                                    c_bit,
                                                                    b_bit
                                                                    )
        # S bit 16
        if tte & 0x10000:
            out_string += " shareable"
        else:
            out_string += " not-shareable"
        # nG bit 17
        if tte & 0x20000 :
            out_string += " not-global"
        else:
            out_string += " global"
        # Supersection bit 18
        if tte & 0x40000:
            out_string += " supersection"
        else:
            out_string += " section"
        #NS bit 19
        if tte & 0x80000 :
            out_string += " no-secure"
        else:
            out_string += " secure"
        
    print out_string
    return paddr
    
        
def _PmapWalkARMLevel2(tte, vaddr, verbose_level = vSCRIPT):
    """ Pmap walk the level 2 tte. 
        params: 
          tte - value object
          vaddr - int
        returns: str - description of the tte + additional informaiton based on verbose_level
    """
    pte_base = kern.PhysToKernelVirt(tte & 0xFFFFFC00)
    pte_index = (vaddr >> 12) & 0xFF
    pte_base_val = kern.GetValueFromAddress(pte_base, 'pt_entry_t *')
    pte = pte_base_val[pte_index]
    out_string = ''
    if verbose_level >= vSCRIPT:
        out_string += "{0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(tte), tte)
        # bit [1:0] evaluated in PmapWalkARM
        # NS bit 3
        if tte & 0x8:
            out_string += ' no-secure'
        else:
            out_string += ' secure'
        #Domain bit [8:5]
        out_string += " domain({:d})".format(((tte & 0x1e0) >> 5))
        # IMP bit 9
        out_string += " imp({:d})".format( ((tte & 0x200) >> 9))
        out_string += "\n"
    if verbose_level >= vSCRIPT:
        out_string += "second-level table (index {:d}):\n".format(pte_index)
    if verbose_level >= vDETAIL:
        for i in range(256):
            tmp = pte_base_val[i]
            out_string += "{0: <#020x}:\t{1: <#020x}\n".format(addressof(tmp), unsigned(tmp))

    paddr = 0
    if pte & 0x2:
        paddr = (unsigned(pte) & 0xFFFFF000) | (vaddr & 0xFFF)

    if verbose_level >= vSCRIPT:
        out_string += " {0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(pte), unsigned(pte))
        if (pte & 0x3) == 0x0:
            out_string += " invalid"
        else:
            if (pte & 0x3) == 0x1:
                out_string += " large"
                # XN bit 15
                if pte & 0x8000 == 0x8000: 
                    out_string+= " no-execute" 
                else: 
                    out_string += " execute"
            else:
                out_string += " small"
                # XN bit 0
                if (pte & 0x1) == 0x01:
                    out_string += " no-execute"
                else:
                    out_string += " execute"
            # B bit 2
            b_bit = (pte & 0x4) >> 2
            c_bit = (pte & 0x8) >> 3
            # AP bit 9 and [5:4], merged to a single 3-bit value
            access = (pte & 0x30) >> 4 | (pte & 0x200) >> 7
            out_string += xnudefines.arm_level2_access_strings[access]
            
            #TEX bit [14:12] for large, [8:6] for small
            tex_bits = ((pte & 0x1c0) >> 6)
            if (pte & 0x3) == 0x1:
                tex_bits = ((pte & 0x7000) >> 12)    
            
            # Print TEX, C , B alltogether
            out_string += " TEX:C:B({:d}{:d}{:d}:{:d}:{:d})".format(
                                                                    1 if (tex_bits & 0x4) else 0,
                                                                    1 if (tex_bits & 0x2) else 0,
                                                                    1 if (tex_bits & 0x1) else 0,
                                                                    c_bit,
                                                                    b_bit
                                                                    )
            # S bit 10
            if pte & 0x400 :
                out_string += " shareable"
            else:
                out_string += " not-shareable"
            
            # nG bit 11
            if pte & 0x800:
                out_string += " not-global"
            else:
                out_string += " global"
    print out_string
    return paddr
    #end of level 2 walking of arm


def PmapWalkARM(pmap, vaddr, verbose_level = vHUMAN):
    """ Pmap walking for ARM kernel.
        params:
          pmapval: core.value - representing pmap_t in kernel
          vaddr:  int     - integer representing virtual address to walk
    """
    paddr = 0
    # shift by TTESHIFT (20) to get tte index
    tte_index = ((vaddr - unsigned(pmap.min)) >> 20 )
    tte = pmap.tte[tte_index]
    if verbose_level >= vSCRIPT:
        print "First-level table (index {:d}):".format(tte_index)
    if verbose_level >= vDETAIL:
        for i in range(0, 4096):
            ptr = unsigned(addressof(pmap.tte[i]))
            val = unsigned(pmap.tte[i])
            print "{0: <#020x}:\t {1: <#020x}".format(ptr, val)
    if (tte & 0x3) == 0x1:
        paddr = _PmapWalkARMLevel2(tte, vaddr, verbose_level)
    elif (tte & 0x3) == 0x2 :
        paddr = _PmapWalkARMLevel1Section(tte, vaddr, verbose_level)
    else:
        paddr = 0
        if verbose_level >= vSCRIPT:
            print "Invalid First-Level Translation Table Entry: {0: #020x}".format(tte)

    if verbose_level >= vHUMAN:
        if paddr:
            print "Translation of {:#x} is {:#x}.".format(vaddr, paddr)
        else:
            print "(no translation)"

    return paddr

def PmapWalkX86_64(pmapval, vaddr):
    """
        params: pmapval - core.value representing pmap_t in kernel
        vaddr:  int     - int representing virtual address to walk
    """
    _PmapL4Walk(pmapval.pm_cr3, vaddr, config['verbosity'])

def assert_64bit(val):
    assert(val < 2**64)

def PmapWalk(pmap, vaddr, verbose_level = vHUMAN):
    if kern.arch == 'x86_64':
        return PmapWalkX86_64(pmap, vaddr)
    elif kern.arch == 'arm':
        return PmapWalkARM(pmap, vaddr, verbose_level)
    else:
        raise NotImplementedError("PmapWalk does not support {0}".format(kern.arch))

@lldb_command('pmap_walk')
def PmapWalkHelper(cmd_args=None):
    """ Perform a page-table walk in <pmap> for <virtual_address>.
        Syntax: (lldb) pmap_walk <pmap> <virtual_address> [-v]
            Multiple -v's can be specified for increased verbosity
    """
    if cmd_args == None or len(cmd_args) < 2:
        raise ArgumentError("Too few arguments to pmap_walk.")

    pmap = kern.GetValueAsType(cmd_args[0], 'pmap_t')
    addr = unsigned(kern.GetValueFromAddress(cmd_args[1], 'void *'))
    PmapWalk(pmap, addr, config['verbosity'])
    return
Commit	Line	Data
39236c6e A	1	from xnu import *
	2	import xnudefines
	3	from kdp import *
	4	from utils import *
	5
	6	def ReadPhysInt(phys_addr, bitsize = 64, cpuval = None):
	7	""" Read a physical memory data based on address.
	8	params:
	9	phys_addr : int - Physical address to read
	10	bitsize : int - defines how many bytes to read. defaults to 64 bit
	11	cpuval : None (optional)
	12	returns:
	13	int - int value read from memory. in case of failure 0xBAD10AD is returned.
	14	"""
	15	if "kdp" == GetConnectionProtocol():
	16	return KDPReadPhysMEM(phys_addr, bitsize)
	17
	18	#NO KDP. Attempt to use physical memory
	19	paddr_in_kva = kern.PhysToKernelVirt(long(phys_addr))
	20	if paddr_in_kva :
	21	if bitsize == 64 :
	22	return kern.GetValueFromAddress(paddr_in_kva, 'uint64_t *').GetSBValue().Dereference().GetValueAsUnsigned()
	23	if bitsize == 32 :
	24	return kern.GetValueFromAddress(paddr_in_kva, 'uint32_t *').GetSBValue().Dereference().GetValueAsUnsigned()
	25	if bitsize == 16 :
	26	return kern.GetValueFromAddress(paddr_in_kva, 'uint16_t *').GetSBValue().Dereference().GetValueAsUnsigned()
	27	if bitsize == 8 :
	28	return kern.GetValueFromAddress(paddr_in_kva, 'uint8_t *').GetSBValue().Dereference().GetValueAsUnsigned()
	29	return 0xBAD10AD
	30
	31	@lldb_command('readphys')
	32	def ReadPhys(cmd_args = None):
	33	""" Reads the specified untranslated address
	34	The argument is interpreted as a physical address, and the 64-bit word
	35	addressed is displayed.
	36	usage: readphys <nbits> <address>
	37	nbits: 8,16,32,64
	38	address: 1234 or 0x1234
	39	"""
	40	if cmd_args == None or len(cmd_args) < 2:
	41	print "Insufficient arguments.", ReadPhys.__doc__
	42	return False
	43	else:
	44	nbits = ArgumentStringToInt(cmd_args[0])
	45	phys_addr = ArgumentStringToInt(cmd_args[1])
	46	print "{0: <#x}".format(ReadPhysInt(phys_addr, nbits))
	47	return True
	48
	49	lldb_alias('readphys8', 'readphys 8 ')
	50	lldb_alias('readphys16', 'readphys 16 ')
	51	lldb_alias('readphys32', 'readphys 32 ')
	52	lldb_alias('readphys64', 'readphys 64 ')
	53
	54	def KDPReadPhysMEM(address, bits):
	55	""" Setup the state for READPHYSMEM64 commands for reading data via kdp
	56	params:
	57	address : int - address where to read the data from
	58	bits : int - number of bits in the intval (8/16/32/64)
	59	returns:
	60	int: read value from memory.
	61	0xBAD10AD: if failed to read data.
	62	"""
	63	retval = 0xBAD10AD
	64	if "kdp" != GetConnectionProtocol():
65	print "Target is not connected over kdp. Nothing to do here."
66	return retval
67
68	input_address = unsigned(addressof(kern.globals.manual_pkt.input))
69	len_address = unsigned(addressof(kern.globals.manual_pkt.len))
70	data_address = unsigned(addressof(kern.globals.manual_pkt.data))
71	if not WriteInt32ToMemoryAddress(0, input_address):
72	return retval
73
74	kdp_pkt_size = GetType('kdp_readphysmem64_req_t').GetByteSize()
75	if not WriteInt32ToMemoryAddress(kdp_pkt_size, len_address):
76	return retval
77
78	data_addr = int(addressof(kern.globals.manual_pkt))
79	pkt = kern.GetValueFromAddress(data_addr, 'kdp_readphysmem64_req_t *')
80
81	header_value =GetKDPPacketHeaderInt(request=GetEnumValue('kdp_req_t::KDP_READPHYSMEM64'), length=kdp_pkt_size)
82
83	if ( WriteInt64ToMemoryAddress((header_value), int(addressof(pkt.hdr))) and
84	WriteInt64ToMemoryAddress(address, int(addressof(pkt.address))) and
85	WriteInt32ToMemoryAddress((bits/8), int(addressof(pkt.nbytes))) and
86	WriteInt16ToMemoryAddress(xnudefines.lcpu_self, int(addressof(pkt.lcpu)))
87	):
88
89	if WriteInt32ToMemoryAddress(1, input_address):
90	# now read data from the kdp packet
91	data_address = unsigned(addressof(kern.GetValueFromAddress(int(addressof(kern.globals.manual_pkt.data)), 'kdp_readphysmem64_reply_t *').data))
92	if bits == 64 :
93	retval = kern.GetValueFromAddress(data_address, 'uint64_t *').GetSBValue().Dereference().GetValueAsUnsigned()
94	if bits == 32 :
95	retval = kern.GetValueFromAddress(data_address, 'uint32_t *').GetSBValue().Dereference().GetValueAsUnsigned()
96	if bits == 16 :
97	retval = kern.GetValueFromAddress(data_address, 'uint16_t *').GetSBValue().Dereference().GetValueAsUnsigned()
98	if bits == 8 :
99	retval = kern.GetValueFromAddress(data_address, 'uint8_t *').GetSBValue().Dereference().GetValueAsUnsigned()
100	return retval
101
102
103	def KDPWritePhysMEM(address, intval, bits):
104	""" Setup the state for WRITEPHYSMEM64 commands for saving data in kdp
105	params:
106	address : int - address where to save the data
107	intval : int - integer value to be stored in memory
108	bits : int - number of bits in the intval (8/16/32/64)
109	returns:
110	boolean: True if the write succeeded.
111	"""
112	if "kdp" != GetConnectionProtocol():
113	print "Target is not connected over kdp. Nothing to do here."
114	return False
115	input_address = unsigned(addressof(kern.globals.manual_pkt.input))
116	len_address = unsigned(addressof(kern.globals.manual_pkt.len))
117	data_address = unsigned(addressof(kern.globals.manual_pkt.data))
118	if not WriteInt32ToMemoryAddress(0, input_address):
119	return False
120
121	kdp_pkt_size = GetType('kdp_writephysmem64_req_t').GetByteSize()
122	if not WriteInt32ToMemoryAddress(kdp_pkt_size, len_address):
123	return False
124
125	data_addr = int(addressof(kern.globals.manual_pkt))
126	pkt = kern.GetValueFromAddress(data_addr, 'kdp_writephysmem64_req_t *')
127
128	header_value =GetKDPPacketHeaderInt(request=GetEnumValue('kdp_req_t::KDP_WRITEPHYSMEM64'), length=kdp_pkt_size)
129
130	if ( WriteInt64ToMemoryAddress((header_value), int(addressof(pkt.hdr))) and
131	WriteInt64ToMemoryAddress(address, int(addressof(pkt.address))) and
132	WriteInt32ToMemoryAddress((bits/8), int(addressof(pkt.nbytes))) and
133	WriteInt16ToMemoryAddress(xnudefines.lcpu_self, int(addressof(pkt.lcpu)))
134	):
135
136	if bits == 8:
137	if not WriteInt8ToMemoryAddress(intval, int(addressof(pkt.data))):
138	return False
139	if bits == 16:
140	if not WriteInt16ToMemoryAddress(intval, int(addressof(pkt.data))):
141	return False
142	if bits == 32:
143	if not WriteInt32ToMemoryAddress(intval, int(addressof(pkt.data))):
144	return False
145	if bits == 64:
146	if not WriteInt64ToMemoryAddress(intval, int(addressof(pkt.data))):
147	return False
148	if WriteInt32ToMemoryAddress(1, input_address):
149	return True
150	return False
151
152
153	def WritePhysInt(phys_addr, int_val, bitsize = 64):
154	""" Write and integer value in a physical memory data based on address.
155	params:
156	phys_addr : int - Physical address to read
157	int_val : int - int value to write in memory
158	bitsize : int - defines how many bytes to read. defaults to 64 bit
159	returns:
160	bool - True if write was successful.
161	"""
162	if "kdp" == GetConnectionProtocol():
163	if not KDPWritePhysMEM(phys_addr, int_val, bitsize):
164	print "Failed to write via KDP."
165	return False
166	return True
167	#We are not connected via KDP. So do manual math and savings.
168	print "Failed: Write to physical memory is not supported for %s connection." % GetConnectionProtocol()
169	return False
170
171	@lldb_command('writephys')
172	def WritePhys(cmd_args=None):
173	""" writes to the specified untranslated address
174	The argument is interpreted as a physical address, and the 64-bit word
175	addressed is displayed.
176	usage: writephys <nbits> <address> <value>
177	nbits: 8,16,32,64
178	address: 1234 or 0x1234
179	value: int value to be written
180	ex. (lldb)writephys 16 0x12345abcd 0x25
181	"""
182	if cmd_args == None or len(cmd_args) < 3:
183	print "Invalid arguments.", WritePhys.__doc__
184	else:
185	nbits = ArgumentStringToInt(cmd_args[0])
186	phys_addr = ArgumentStringToInt(cmd_args[1])
187	int_value = ArgumentStringToInt(cmd_args[2])
188	print WritePhysInt(phys_addr, int_value, nbits)
189
190
191	lldb_alias('writephys8', 'writephys 8 ')
192	lldb_alias('writephys16', 'writephys 16 ')
193	lldb_alias('writephys32', 'writephys 32 ')
194	lldb_alias('writephys64', 'writephys 64 ')
195
196	def _PT_Step(paddr, index, verbose_level = vSCRIPT):
197	"""
198	Step to lower-level page table and print attributes
199	paddr: current page table entry physical address
200	index: current page table entry index (0..511)
201	verbose_level: vHUMAN: print nothing
202	vSCRIPT: print basic information
203	vDETAIL: print basic information and hex table dump
204	returns: (pt_paddr, pt_valid, pt_large)
205	pt_paddr: next level page table entry physical address
206	or null if invalid
207	pt_valid: 1 if $kgm_pt_paddr is valid, 0 if the walk
208	should be aborted
209	pt_large: 1 if kgm_pt_paddr is a page frame address
210	of a large page and not another page table entry
211	"""
212	entry_addr = paddr + (8 * index)
213	entry = ReadPhysInt(entry_addr, 64, xnudefines.lcpu_self )
214	out_string = ''
215	if verbose_level >= vDETAIL:
216	for pte_loop in range(0, 512):
217	paddr_tmp = paddr + (8 * pte_loop)
218	out_string += "{0: <#020x}:\t {1: <#020x}\n".format(paddr_tmp, ReadPhysInt(paddr_tmp, 64, xnudefines.lcpu_self))
219	paddr_mask = ~((0xfff<<52) \| 0xfff)
220	paddr_large_mask = ~((0xfff<<52) \| 0x1fffff)
221	pt_valid = False
222	pt_large = False
223	pt_paddr = 0
224	if verbose_level < vSCRIPT:
225	if entry & 0x1 :
226	pt_valid = True
227	pt_large = False
228	pt_paddr = entry & paddr_mask
229	if entry & (0x1 <<7):
230	pt_large = True
231	pt_paddr = entry & paddr_large_mask
232	else:
233	out_string+= "{0: <#020x}:\n\t{1:#020x}\n\t".format(entry_addr, entry)
234	if entry & 0x1:
235	out_string += " valid"
236	pt_paddr = entry & paddr_mask
237	pt_valid = True
238	else:
239	out_string += " invalid"
240	pt_paddr = 0
241	pt_valid = False
242	#Stop decoding other bits
243	entry = 0
244	if entry & (0x1 << 1):
245	out_string += " writable"
246	else:
247	out_string += " read-only"
248
249	if entry & (0x1 << 2):
250	out_string += " user"
251	else:
252	out_string += " supervisor"
253
254	if entry & (0x1 << 3):
255	out_string += " PWT"
256
257	if entry & (0x1 << 4):
258	out_string += " PCD"
259
260	if entry & (0x1 << 5):
261	out_string += " accessed"
262
263	if entry & (0x1 << 6):
264	out_string += " dirty"
265
266	if entry & (0x1 << 7):
267	out_string += " large"
268	pt_large = True
269	else:
270	pt_large = False
271
272	if entry & (0x1 << 8):
273	out_string += " global"
274
275	if entry & (0x3 << 9):
276	out_string += " avail:{0:x}".format((entry >> 9) & 0x3)
277
278	if entry & (0x1 << 63):
279	out_string += " noexec"
280	print out_string
281	return (pt_paddr, pt_valid, pt_large)
282
283
284
285
286	def _PmapL4Walk(pmap_addr_val,vaddr, verbose_level = vSCRIPT):
287	""" Walk the l4 pmap entry.
288	params: pmap_addr_val - core.value representing kernel data of type pmap_addr_t
289	vaddr : int - virtual address to walk
290	"""
291	is_cpu64_bit = int(kern.globals.cpu_64bit)
292	pt_paddr = unsigned(pmap_addr_val)
293	pt_valid = (unsigned(pmap_addr_val) != 0)
294	pt_large = 0
295	pframe_offset = 0
296	if pt_valid and is_cpu64_bit:
297	# Lookup bits 47:39 of linear address in PML4T
298	pt_index = (vaddr >> 39) & 0x1ff
299	pframe_offset = vaddr & 0x7fffffffff
300	if verbose_level > vHUMAN :
301	print "pml4 (index {0:d}):".format(pt_index)
302	(pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
303	if pt_valid:
304	# Lookup bits 38:30 of the linear address in PDPT
305	pt_index = (vaddr >> 30) & 0x1ff
306	pframe_offset = vaddr & 0x3fffffff
307	if verbose_level > vHUMAN:
308	print "pdpt (index {0:d}):".format(pt_index)
309	(pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
310	if pt_valid and not pt_large:
311	#Lookup bits 29:21 of the linear address in PDPT
312	pt_index = (vaddr >> 21) & 0x1ff
313	pframe_offset = vaddr & 0x1fffff
314	if verbose_level > vHUMAN:
315	print "pdt (index {0:d}):".format(pt_index)
316	(pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
317	if pt_valid and not pt_large:
318	#Lookup bits 20:21 of linear address in PT
319	pt_index = (vaddr >> 12) & 0x1ff
320	pframe_offset = vaddr & 0xfff
321	if verbose_level > vHUMAN:
322	print "pt (index {0:d}):".format(pt_index)
323	(pt_paddr, pt_valid, pt_large) = _PT_Step(pt_paddr, pt_index, verbose_level)
324	paddr = 0
325	paddr_isvalid = False
326	if pt_valid:
327	paddr = pt_paddr + pframe_offset
328	paddr_isvalid = True
329
330	if verbose_level > vHUMAN:
331	if paddr_isvalid:
332	pvalue = ReadPhysInt(paddr, 32, xnudefines.lcpu_self)
333	print "phys {0: <#020x}: {1: <#020x}".format(paddr, pvalue)
334	else:
335	print "no translation"
336
337	return
338
339	def _PmapWalkARMLevel1Section(tte, vaddr, verbose_level = vSCRIPT):
340	paddr = 0
341	out_string = ""
342	#Supersection or just section?
343	if (tte & 0x40000) == 0x40000:
344	paddr = ( (tte & 0xFF000000) \| (vaddr & 0x00FFFFFF) )
345	else:
346	paddr = ( (tte & 0xFFF00000) \| (vaddr & 0x000FFFFF) )
347
348	if verbose_level >= vSCRIPT:
349	out_string += "{0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(tte), tte)
350	#bit [1:0] evaluated in PmapWalkARM
351	# B bit 2
352	b_bit = (tte & 0x4) >> 2
353	# C bit 3
354	c_bit = (tte & 0x8) >> 3
355	#XN bit 4
356	if (tte & 0x10) :
357	out_string += "no-execute"
358	else:
359	out_string += "execute"
360	#Domain bit [8:5] if not supersection
361	if (tte & 0x40000) == 0x0:
362	out_string += " domain ({:d})".format(((tte & 0x1e0) >> 5) )
363	#IMP bit 9
364	out_string += " imp({:d})".format( ((tte & 0x200) >> 9) )
365	# AP bit 15 and [11:10] merged to a single 3 bit value
366	access = ( (tte & 0xc00) >> 10 ) \| ((tte & 0x8000) >> 13)
367	out_string += xnudefines.arm_level2_access_strings[access]
368
369	#TEX bit [14:12]
370	tex_bits = ((tte & 0x7000) >> 12)
371	#Print TEX, C , B all together
372	out_string += " TEX:C:B({:d}{:d}{:d}:{:d}:{:d})".format(
373	1 if (tex_bits & 0x4) else 0,
374	1 if (tex_bits & 0x2) else 0,
375	1 if (tex_bits & 0x1) else 0,
376	c_bit,
377	b_bit
378	)
379	# S bit 16
380	if tte & 0x10000:
381	out_string += " shareable"
382	else:
383	out_string += " not-shareable"
384	# nG bit 17
385	if tte & 0x20000 :
386	out_string += " not-global"
387	else:
388	out_string += " global"
389	# Supersection bit 18
390	if tte & 0x40000:
391	out_string += " supersection"
392	else:
393	out_string += " section"
394	#NS bit 19
395	if tte & 0x80000 :
396	out_string += " no-secure"
397	else:
398	out_string += " secure"
399
400	print out_string
401	return paddr
402
403
404
405	def _PmapWalkARMLevel2(tte, vaddr, verbose_level = vSCRIPT):
406	""" Pmap walk the level 2 tte.
407	params:
408	tte - value object
409	vaddr - int
410	returns: str - description of the tte + additional informaiton based on verbose_level
411	"""
412	pte_base = kern.PhysToKernelVirt(tte & 0xFFFFFC00)
413	pte_index = (vaddr >> 12) & 0xFF
414	pte_base_val = kern.GetValueFromAddress(pte_base, 'pt_entry_t *')
415	pte = pte_base_val[pte_index]
416	out_string = ''
417	if verbose_level >= vSCRIPT:
418	out_string += "{0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(tte), tte)
419	# bit [1:0] evaluated in PmapWalkARM
420	# NS bit 3
421	if tte & 0x8:
422	out_string += ' no-secure'
423	else:
424	out_string += ' secure'
425	#Domain bit [8:5]
426	out_string += " domain({:d})".format(((tte & 0x1e0) >> 5))
427	# IMP bit 9
428	out_string += " imp({:d})".format( ((tte & 0x200) >> 9))
429	out_string += "\n"
430	if verbose_level >= vSCRIPT:
431	out_string += "second-level table (index {:d}):\n".format(pte_index)
432	if verbose_level >= vDETAIL:
433	for i in range(256):
434	tmp = pte_base_val[i]
435	out_string += "{0: <#020x}:\t{1: <#020x}\n".format(addressof(tmp), unsigned(tmp))
436
437	paddr = 0
438	if pte & 0x2:
439	paddr = (unsigned(pte) & 0xFFFFF000) \| (vaddr & 0xFFF)
440
441	if verbose_level >= vSCRIPT:
442	out_string += " {0: <#020x}\n\t{1: <#020x}\n\t".format(addressof(pte), unsigned(pte))
443	if (pte & 0x3) == 0x0:
444	out_string += " invalid"
445	else:
446	if (pte & 0x3) == 0x1:
447	out_string += " large"
448	# XN bit 15
449	if pte & 0x8000 == 0x8000:
450	out_string+= " no-execute"
451	else:
452	out_string += " execute"
453	else:
454	out_string += " small"
455	# XN bit 0
456	if (pte & 0x1) == 0x01:
457	out_string += " no-execute"
458	else:
459	out_string += " execute"
460	# B bit 2
461	b_bit = (pte & 0x4) >> 2
462	c_bit = (pte & 0x8) >> 3
463	# AP bit 9 and [5:4], merged to a single 3-bit value
464	access = (pte & 0x30) >> 4 \| (pte & 0x200) >> 7
465	out_string += xnudefines.arm_level2_access_strings[access]
466
467	#TEX bit [14:12] for large, [8:6] for small
468	tex_bits = ((pte & 0x1c0) >> 6)
469	if (pte & 0x3) == 0x1:
470	tex_bits = ((pte & 0x7000) >> 12)
471
472	# Print TEX, C , B alltogether
473	out_string += " TEX:C:B({:d}{:d}{:d}:{:d}:{:d})".format(
474	1 if (tex_bits & 0x4) else 0,
475	1 if (tex_bits & 0x2) else 0,
476	1 if (tex_bits & 0x1) else 0,
477	c_bit,
478	b_bit
479	)
480	# S bit 10
481	if pte & 0x400 :
482	out_string += " shareable"
483	else:
484	out_string += " not-shareable"
485
486	# nG bit 11
487	if pte & 0x800:
488	out_string += " not-global"
489	else:
490	out_string += " global"
491	print out_string
492	return paddr
493	#end of level 2 walking of arm
494
495
496	def PmapWalkARM(pmap, vaddr, verbose_level = vHUMAN):
497	""" Pmap walking for ARM kernel.
498	params:
499	pmapval: core.value - representing pmap_t in kernel
500	vaddr: int - integer representing virtual address to walk
501	"""
502	paddr = 0
503	# shift by TTESHIFT (20) to get tte index
504	tte_index = ((vaddr - unsigned(pmap.min)) >> 20 )
505	tte = pmap.tte[tte_index]
506	if verbose_level >= vSCRIPT:
507	print "First-level table (index {:d}):".format(tte_index)
508	if verbose_level >= vDETAIL:
509	for i in range(0, 4096):
510	ptr = unsigned(addressof(pmap.tte[i]))
511	val = unsigned(pmap.tte[i])
512	print "{0: <#020x}:\t {1: <#020x}".format(ptr, val)
513	if (tte & 0x3) == 0x1:
514	paddr = _PmapWalkARMLevel2(tte, vaddr, verbose_level)
515	elif (tte & 0x3) == 0x2 :
516	paddr = _PmapWalkARMLevel1Section(tte, vaddr, verbose_level)
517	else:
518	paddr = 0
519	if verbose_level >= vSCRIPT:
520	print "Invalid First-Level Translation Table Entry: {0: #020x}".format(tte)
521
522	if verbose_level >= vHUMAN:
523	if paddr:
524	print "Translation of {:#x} is {:#x}.".format(vaddr, paddr)
525	else:
526	print "(no translation)"
527
528	return paddr
529
530	def PmapWalkX86_64(pmapval, vaddr):
531	"""
532	params: pmapval - core.value representing pmap_t in kernel
533	vaddr: int - int representing virtual address to walk
534	"""
535	_PmapL4Walk(pmapval.pm_cr3, vaddr, config['verbosity'])
536
537	def assert_64bit(val):
538	assert(val < 2**64)
539
540	def PmapWalk(pmap, vaddr, verbose_level = vHUMAN):
541	if kern.arch == 'x86_64':
542	return PmapWalkX86_64(pmap, vaddr)
543	elif kern.arch == 'arm':
544	return PmapWalkARM(pmap, vaddr, verbose_level)
545	else:
546	raise NotImplementedError("PmapWalk does not support {0}".format(kern.arch))
547
548	@lldb_command('pmap_walk')
549	def PmapWalkHelper(cmd_args=None):
550	""" Perform a page-table walk in <pmap> for <virtual_address>.
551	Syntax: (lldb) pmap_walk <pmap> <virtual_address> [-v]
552	Multiple -v's can be specified for increased verbosity
553	"""
554	if cmd_args == None or len(cmd_args) < 2:
555	raise ArgumentError("Too few arguments to pmap_walk.")
556
557	pmap = kern.GetValueAsType(cmd_args[0], 'pmap_t')
558	addr = unsigned(kern.GetValueFromAddress(cmd_args[1], 'void *'))
559	PmapWalk(pmap, addr, config['verbosity'])
560	return