I am using the latest Ubuntu Linux with a custom kernel (4.2.0-36-generic), in which i have disabled the CONFIG_STRICT_DEVNEM, because I need to dump and search some terms in memory during a project.
However, when using
dd if=/dev/mem of=/home/user/Documents/file.dump
dd if=/dev/mem | hexdump -C | grep 'term'
bs=1G count=2 skip=2
As answered on unix.stackexchange.com by ilkkachu, I was trying to access memory areas used by PCI/ACPI or some such hardware. Therefore I needed to access only "safe" memory areas.
So far, I can safely access the
(usable) areas as shown on
[ 0.000000] BIOS-e820: [mem 0x0000000020200000-0x000000003fffffff] usable [ 0.000000] BIOS-e820: [mem 0x0000000040000000-0x00000000401fffff] reserved [ 0.000000] BIOS-e820: [mem 0x0000000040200000-0x00000000c97e8fff] usable [ 0.000000] BIOS-e820: [mem 0x00000000c97e9000-0x00000000c9e81fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000c9e82000-0x00000000ca101fff] ACPI NVS [ 0.000000] BIOS-e820: [mem 0x00000000ca102000-0x00000000ca106fff] ACPI data [ 0.000000] BIOS-e820: [mem 0x00000000ca107000-0x00000000ca149fff] ACPI NVS [ 0.000000] BIOS-e820: [mem 0x00000000ca14a000-0x00000000cabb4fff] usable [ 0.000000] BIOS-e820: [mem 0x00000000cabb5000-0x00000000caff1fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000caff2000-0x00000000caffffff] usable
These areas can also be found as "System RAM" on
$ grep "System RAM" /proc/iomem 00001000-0009d7ff : System RAM 00100000-1fffffff : System RAM 20200000-3fffffff : System RAM 40200000-c97e8fff : System RAM
Therefore, I was able to
dd these safe memory areas with multiple commands such as (for
dd if=/dev/mem of=Filename bs=230467520 count=1 skip=1 ibs=1075838980
(Note that the
ibs is a few digits higher than the beginning of the memory area and the
bs is a bit smaller than its size, as getting exactly all the "safe" area, caused the system to crash again.)