Help - Search - Members - Calendar
Full Version: Kernel Memory Dumper
Project OS X Forums > Snow Leopard Guides & Tutorials > Tools
Slice
Apr 14 2010, 08:41 PM
Hi all!
I want to present you a tool to dump memory in hex and binary.
It was written from Apple's opensource SimpleUserClient.
Load SimpleDriver and use MemoryDumpTool
CODE
chown -R root:wheel SimpleDriver,kext
chmod -R 755 SimpleDriver.kext
kextload -v SimpleDriver.kext
./MemoryDumpTool

In Snow it must be kextutil command. 32bit only, sorry!
For example you have FADT table
CODE
/*
* Intel ACPI Component Architecture
* AML Disassembler version 20100331
*
* Disassembly of acpitbls/FACP.0.aml, Sun Apr 11 10:32:11 2010
*
* ACPI Data Table [FACP]
*
* Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
*/

[000h 0000  4]                    Signature : "FACP"    /* Fixed ACPI Description Table */
[004h 0004  4]                 Table Length : 000000F4
[008h 0008  1]                     Revision : 01
[009h 0009  1]                     Checksum : E8     /* Incorrect checksum, should be D0 */
[00Ah 0010  6]                       Oem ID : "Apple "
[010h 0016  8]                 Oem Table ID : "MacBook "
[018h 0024  4]                 Oem Revision : 00010001
[01Ch 0028  4]              Asl Compiler ID : "PTL "
[020h 0032  4]        Asl Compiler Revision : 000F4240

[024h 0036  4]                 FACS Address : 47F7FFC0
[028h 0040  4]                 DSDT Address : 47F7AC9E

Thus you know address of FACS table
CODE
SamsungP29:~/Desktop/Test root# ./MemoryDumpTool -x 47F7FFC0,40
Connect success. sign=53434146
0x0000:  46 41 43 53 40 00 00 00 00 00 00 00 00 00 00 00    FACS............
0x0010:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0x0020:  00 00 00 00 00 00 00 00 00 00 00 00 00 10 30 00    ..............0.
0x0030:  06 00 00 00 c4 de a3 03 00 00 00 00 00 00 20 00    ................
SamsungP29:~/Desktop/Test root#

Another example - Video BIOS dump
CODE
SamsungP29:~/Desktop/Test root# ./MemoryDumpTool -x c0000,100
Connect success. sign=e980aa55
0x0000:  55 aa 80 e9 56 04 00 00 85 1c 00 00 00 00 00 00    U...V...........
0x0010:  00 00 00 00 00 00 00 00 6c 01 00 85 1c 00 49 42    ........l.....IB
0x0020:  4d c7 00 00 00 00 00 00 00 00 00 00 00 00 00 00    M...............
0x0030:  20 37 36 31 32 39 35 35 32 30 00 00 00 00 00 00    .761295520......
0x0040:  3f 3f 00 00 00 00 00 00 04 01 00 00 00 00 00 00    ................
0x0050:  32 30 30 35 2f 30 32 2f 30 31 20 31 32 3a 31 32    2005.02.01.12.12
0x0060:  00 00 00 00 e9 50 10 00 e9 04 1c 00 00 00 00 00    .....P..........
0x0070:  4d df 5b 00 4d 14 02 61 00 00 00 00 00 00 00 00    M...M..a........
0x0080:  0d 0a 53 50 2d 32 38 20 49 47 50 39 20 56 47 41    ..SP.28.IGP9.VGA
0x0090:  20 42 49 4f 53 20 33 30 30 4d 68 7a 0d 0a 00 28    .BIOS.300Mhz....
0x00A0:  43 29 20 31 39 38 38 2d 32 30 30 32 2c 20 41 54    C..1988.2002..AT
0x00B0:  49 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49    I.Technologies.I
0x00C0:  6e 63 2e 20 42 4b 2d 41 54 49 20 56 45 52 30 30    nc..BK.ATI.VER00
0x00D0:  38 2e 30 31 37 49 2e 30 36 30 2e 30 30 30 00 20    8.017I.060.000..
0x00E0:  78 35 6f 73 63 61 72 2e 73 61 6d 20 39 3c 01 75    x5oscar.sam.9..u
0x00F0:  05 80 cb 01 eb 0c 3c 02 75 05 80 cb 02 eb 03 80    ........u.......

Or main BIOS
CODE
SamsungP29:~/Desktop/Test root# ./MemoryDumpTool -x e0000,200  
Connect success. sign=cb085555
0x0000:  55 55 08 cb 00 00 00 00 00 00 00 00 00 00 00 00    UU..............
0x0010:  00 14 00 00 01 02 93 e4 03 07 80 9f 19 7c 00 00    ................
0x0020:  00 00 02 00 53 41 4d 53 55 4e 47 20 45 4c 45 43    ....SAMSUNG.ELEC
0x0030:  54 52 4f 4e 49 43 53 20 43 4f 2e 2c 4c 54 44 00    TRONICS.CO..LTD.
0x0040:  43 32 4f 41 2e 58 58 58 58 58 58 58 58 2e 58 58    C2OA.XXXXXXXX.XX
0x0050:  58 58 2e 48 4a 55 00 30 32 2f 31 39 2f 32 30 30    XX.HJU.02.19.200
0x0060:  35 00 00 01 19 01 00 01 02 03 04 e0 df 47 64 db    5............Gd.
0x0070:  1d b2 11 80 00 ee 32 d4 dd 08 ae 06 53 41 4d 53    ......2.....SAMS
0x0080:  55 4e 47 20 45 4c 45 43 54 52 4f 4e 49 43 53 20    UNG.ELECTRONICS.
0x0090:  43 4f 2e 2c 4c 54 44 00 50 32 39 2f 32 38 2f 32    CO..LTD.P29.28.2
0x00A0:  36 00 41 41 41 41 00 31 32 33 34 39 30 45 4e 34    6.AAAA.123490EN4
0x00B0:  30 30 30 31 35 20 20 20 20 20 20 00 00 03 15 02    00015...........
0x00C0:  00 01 01 02 03 04 03 03 03 03 00 00 00 00 34 12    ..............4.
0x00D0:  00 00 53 41 4d 53 55 4e 47 20 45 4c 45 43 54 52    ..SAMSUNG.ELECTR
0x00E0:  4f 4e 49 43 53 20 43 4f 2e 2c 20 4c 54 44 00 4e    ONICS.CO...LTD.N
0x00F0:  2f 41 00 4e 6f 6e 65 00 4e 6f 20 41 73 73 65 74    .A.None.No.Asset
0x0100:  20 54 61 67 00 00 04 23 03 00 01 03 02 02 d8 06    .Tag............
0x0110:  00 00 ff fb e9 af 03 96 00 00 d0 07 14 05 41 04    ..............A.
0x0120:  07 00 08 00 ff ff 00 00 00 55 32 33 00 49 4e 54    .........U23.INT
0x0130:  45 4c 00 41 34 33 00 00 05 14 04 00 03 04 03 03    EL.A43..........
0x0140:  07 0c 00 00 05 02 02 00 00 01 00 04 00 00 06 0c    ................
0x0150:  05 00 01 01 3c 00 05 7f 7f 00 43 68 61 6e 6e 65    ..........Channe
0x0160:  6c 20 41 30 00 00 06 0c 06 00 01 23 3c 00 05 7f    l.A0............
0x0170:  7f 00 43 68 61 6e 6e 65 6c 20 41 33 00 00 07 13    ..Channel.A3....


A command -b create a binary file with this information.
./MemoryDumpTool -b e0000,1000
First hex number is address and second (also hex) is size.
Click to view attachment
Slice
Apr 15 2010, 11:16 AM
More SSDT tables!
By dumpacpitbls I got 10 ACPI tables and only one SSDT. Look inside.
CODE
        Name (SSDT, Package (0x0C)
        {
            "CPU0IST ",
            0x7F66E4B4,
            0x000002C8,
            "CPU1IST ",
            0x7F66E77C,
            0x000000C4,
            "CPU0CST ",
            0x7F66DE4A,
            0x000005E5,
            "CPU1CST ",
            0x7F66E42F,
            0x00000085
        })

There are another four tables (name, address, length). Got its!
CODE
slice$ ./MemoryDumpTool -b 7F66E4B4,2c8
Connect success. sign=54445353
slice$ ./MemoryDumpTool -b 7F66E77C,c4
Connect success. sign=54445353
slice$ ./MemoryDumpTool -b 7F66DE4A,5e5
start 7f66de48 + 0002  size 000005e7
Connect success. sign=53536ba4
slice$ ./MemoryDumpTool -b 7F66E42F,85
start 7f66e42c + 0003  size 00000088
Connect success. sign=5303e80b
slice$ ./MemoryDumpTool -x 7F66E42F,85
start 7f66e42c + 0003  size 00000088
Connect success. sign=5303e80b
0x0000:  53 53 44 54 85 00 00 00 01 7a 50 6d 52 65 66 00    SSDT.....zPmRef.
0x0010:  43 70 75 31 43 73 74 00 00 30 00 00 49 4e 54 4c    Cpu1Cst..0..INTL
0x0020:  24 06 05 20 10 40 06 5c 2e 5f 50 52 5f 43 50 55    ..........PR.CPU
0x0030:  31 14 43 05 5f 43 53 54 00 a0 3b 90 7b 43 46 47    1.C..CST.....CFG
0x0040:  44 0c 00 00 00 01 00 92 7b 50 44 43 31 0a 10 00    D........PDC1...
0x0050:  a4 12 23 02 0a 01 12 1e 04 11 14 0a 11 82 0c 00    ................
0x0060:  7f 00 00 00 00 00 00 00 00 00 00 00 79 00 0a 01    ............y...
0x0070:  0a 00 00 00 00 00 cf 52 01 46 02 00 00 18 af 7c    .......R.F......
0x0080:  34 4c 4d 23 00 00 00 00 00 00 00 00 00 00 00 00    4LM.............

And then decompile by iasl.
Wow! I see my native _PSS methods!
CODE
        Name (_PSS, Package (0x06)
        {
            Package (0x06)
            {
                0x00000961,
                0x00007D00,
                0x0000000A,
                0x0000000A,
                0x00000D28,
                0x00000D28
            },

            Package (0x06)
            {
                0x00000960,
                0x00007918,
                0x0000000A,
                0x0000000A,
                0x00000C22,
                0x00000C22
            },
......
joe75
Apr 16 2010, 03:48 AM
way to go, Slice!
THe KiNG
Apr 16 2010, 01:38 PM
Good Job! wink.gif
18seven
Apr 17 2010, 10:36 AM
I started to play with this and also find tables that did not dump from linux.

[edit] errr... I was looking at an older linux dump, the tables are present in a fresh linux dump. Nonetheless great tool, thx.
modbin
May 27 2010, 10:10 AM
nice tool Slice smile.gif

if you want to enable /dev/mem and /dev/kmem on OS X just use the bootarg kmem=1
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2012 Invision Power Services, Inc.