Alexander Lattas - 1 year ago
Linux Question

Accessing /dev/mem freezes Ubuntu

I am using the latest Ubuntu Linux with a custom kernel (4.2.0-36-generic), in which I have disabled CONFIG_STRICT_DEVMEM, because I need to dump and search some terms in memory during a project.

However, when using

dd if=/dev/mem
to print it on screen,
dd if=/dev/mem of=/home/user/Documents/file.dump
to save it as a file or
dd if=/dev/mem | hexdump -C | grep 'term'
to directly find what I'm looking for, the system freezes and reboots while in the process.

I have checked with
df -h
and my disc has plenty of free space. Also, the process always stops after writing 2.1Gb to 2.5Gb, out of 8Gb of RAM, and before reaching addresses that start with 4 (if these make any difference). In addition, checking
shows nothing relevant before the freezing.

Also, using parameters
bs=1G count=2
successfully copies the first 2GB of the memory but then trying
bs=1G count=2 skip=2
to get the next 2GB again freezes the system.

Would you suggest any solution so it is possible to dump the full memory or some other way to directly search terms in memory?

Answer Source

As answered on by ilkkachu, I was trying to access memory areas used by PCI/ACPI or some such hardware. Therefore I needed to access only "safe" memory areas.

So far, I can safely access the (usable) areas as shown on /var/log/kern.log:

[    0.000000] BIOS-e820: [mem 0x0000000020200000-0x000000003fffffff] usable
[    0.000000] BIOS-e820: [mem 0x0000000040000000-0x00000000401fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000040200000-0x00000000c97e8fff] usable
[    0.000000] BIOS-e820: [mem 0x00000000c97e9000-0x00000000c9e81fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000c9e82000-0x00000000ca101fff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000ca102000-0x00000000ca106fff] ACPI data
[    0.000000] BIOS-e820: [mem 0x00000000ca107000-0x00000000ca149fff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000ca14a000-0x00000000cabb4fff] usable
[    0.000000] BIOS-e820: [mem 0x00000000cabb5000-0x00000000caff1fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000caff2000-0x00000000caffffff] usable

These areas can also be found as "System RAM" on /proc/iomem:

$ grep "System RAM" /proc/iomem
00001000-0009d7ff : System RAM
00100000-1fffffff : System RAM
20200000-3fffffff : System RAM
40200000-c97e8fff : System RAM

Therefore, I was able to dd these safe memory areas with multiple commands such as (for 20200000-3fffffff):

dd if=/dev/mem of=Filename bs=230467520 count=1 skip=1 ibs=1075838980

(Note that the ibs is a few digits higher than the beginning of the memory area and the bs is a bit smaller than its size, as getting exactly all the "safe" area caused the system to crash again.)
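The per-range approach from the answer, as an added example that is not part of the original post: a shell function that reads /proc/iomem-style text and prints one dd command per top-level "System RAM" range, with skip and count computed in whole pages. The function name plan_dd, the 4096-byte page size, the output file names and the sample input (built from the ranges quoted above) are assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/iomem format, using the ranges quoted in the answer.
SAMPLE_IOMEM='00001000-0009d7ff : System RAM
00100000-1fffffff : System RAM
  01000000-017fffff : Kernel code
20200000-3fffffff : System RAM
40000000-401fffff : reserved
40200000-c97e8fff : System RAM'

PAGE=4096   # assumed page size; used as the single dd block size

# Read /proc/iomem-style text on stdin and print one dd command per
# top-level "System RAM" range. Only bs= is used, so it sets both the
# input and output block size and skip/count are in the same unit.
plan_dd() {
    while IFS= read -r line; do
        case $line in
            [0-9a-f]*" : System RAM") ;;   # unindented System RAM entries only
            *) continue ;;                 # reserved, ACPI, nested children
        esac
        range=${line%% *}
        start=$((0x${range%-*}))
        end=$((0x${range#*-}))             # end address is inclusive
        # Round inward to page boundaries so no byte outside the range is read.
        first=$(( (start + PAGE - 1) / PAGE ))
        last=$(( (end + 1) / PAGE ))       # exclusive page index
        [ "$last" -gt "$first" ] || continue
        printf 'dd if=/dev/mem of=ram_%s.dump bs=%d skip=%d count=%d\n' \
            "${range%-*}" "$PAGE" "$first" "$(( last - first ))"
    done
}

# Print the plan for the constructed sample; on a live system, feed it
# /proc/iomem read as root instead.
printf '%s\n' "$SAMPLE_IOMEM" | plan_dd
```

The commands are only printed, not executed, so the plan can be reviewed against the e820 map before anything touches /dev/mem.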
