DOS ain't dead
RayeR (CZ), 11.03.2015, 19:02

Fixing the Memtest EXE loader (Developers)

Hi, I tried to compile the modified memtest from https://github.com/CMU-SAFARI/rowhammer
It contains your EXE loader by Eric Auer:
https://github.com/CMU-SAFARI/rowhammer/blob/master/src/mt86%2B_loader.asm
I have a problem that the produced EXE throws this error:

nopatch db "jmp far dword not found at setup.S offset 37h,",13,10
db "(file offset 237h is not 66h, 0eah)",13,10
db "please adjust and recompile memtestl...",13,10,"$"

I found that it is a little bit shifted, and when I change
mov ax,[buffer+251h] ; should be jmp far dword (ofs, seg)
cmp ax,0ea66h
to
mov ax,[buffer+251h+13] ; should be jmp far dword (ofs, seg)
it finds it and I get another error:
lgdt [...] not found at setup.S offset 0ch

So I did some further patching by adding 13, but it ended with an immediate reset of the PC after I ran it. What is the right place to correct the offset?
fullsize matches the size of memtest.bin exactly.

---
DOS gives me freedom to unlimited HW access.

roytam, 12.03.2015, 08:24

@ RayeR

Fixing the Memtest EXE loader

> Hi, I tried to compile the modified memtest from
> https://github.com/CMU-SAFARI/rowhammer
> It contains your EXE loader by Eric Auer:
> https://github.com/CMU-SAFARI/rowhammer/blob/master/src/mt86%2B_loader.asm
> I have a problem that the produced EXE throws this error:
>
> nopatch db "jmp far dword not found at setup.S offset 37h,",13,10
> db "(file offset 237h is not 66h, 0eah)",13,10
> db "please adjust and recompile memtestl...",13,10,"$"
>
> I found that it is a little bit shifted, and when I change
> mov ax,[buffer+251h] ; should be jmp far dword (ofs, seg)
> cmp ax,0ea66h
> to
> mov ax,[buffer+251h+13] ; should be jmp far dword (ofs, seg)
> it finds it and I get another error:
> lgdt [...] not found at setup.S offset 0ch
>
> So I did some further patching by adding 13, but it ended with an immediate
> reset of the PC after I ran it. What is the right place to correct the offset?
> fullsize matches the size of memtest.bin exactly.

I tried to do the same thing; it starts, but once it has detected the RAM module names and tries to start testing, it reboots.


@@ -133,11 +133,11 @@
        ; should be 4 ...
        inc al                  ; the boot sector itself
        movzx eax,al
        shl eax,9               ; log 2 of sector size
        add [cs:buflinear],eax  ; linear address of head.S now
-       mov ax,[buffer+251h]    ; should be jmp far dword (ofs, seg)
+       mov ax,[buffer+25eh]    ; should be jmp far dword (ofs, seg)
        cmp ax,0ea66h
        jz foundpatch
 patchbug:                      ; could not patch the jump
        mov dx,nopatch
        jmp generror
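Review bot: the `nopatch` diagnostic is not updated with the new 25Eh check; as quoted at the top of the thread it still says "setup.S offset 37h" / "file offset 237h" (already inconsistent with the old 251h), so a failed `cmp ax,0ea66h` will send the next person to the wrong bytes. Change the two strings to 5Eh/25Eh in the same patch. Since the move from 251h to 25Eh shows the first sector of setup.S has grown by 13 bytes, consider replacing the fixed-position compare with a scan of the sector for the 66h,0EAh pair and deriving the patch offset from the hit, so the next memtest86+ build does not need another hand edit.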
@@ -146,20 +146,20 @@
        mov dx,nogdt
        jmp generror
 
 foundpatch:
        mov eax,[cs:buflinear]
-       mov [buffer+253h],eax   ; patch the protected mode entry jump
+       mov [buffer+260h],eax   ; patch the protected mode entry jump
        ; (offset only - segment selector unchanged: flat linear CS)
 
 findgdt:
-       mov eax,[cs:buffer+20ch]        ; should be lgdt offset
+       mov eax,[cs:buffer+219h]        ; should be lgdt offset
        and eax,00ffffffh
        cmp eax,0016010fh       ; lgdt ...
        jnz gdtbug
 
-       mov ax,[cs:buffer+20fh]         ; GDTR contents pointer
+       mov ax,[cs:buffer+21ch]         ; GDTR contents pointer
        mov bx,ax
        mov eax,[cs:buffer+200h+bx+2]   ; GDT linear offset
        and eax,1ffh    ; assume GDT in first sector of setup.S
        ; *** WARNING: this is needed because setup.S contains
        ; *** HARDCODED offset of setup.S on linear 90200h, which
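Review bot: the `nogdt` message needs the same treatment as the code it guards: the new 219h/21Ch pair is internally consistent (21Ch = 219h + 3, i.e. the disp16 right after the 0Fh,01h,16h opcode, matching the 20ch/20fh pair it replaces), but the string still reports offset 0ch/20ch. Also, `and eax,1ffh` keeps assuming the GDT lives in the first sector of setup.S; with setup.S evidently larger than when this loader was written, check that the GDTR base read via `mov eax,[cs:buffer+200h+bx+2]` still points below 200h within setup.S, because the mask silently truncates a base that does not, and a bogus GDT shows up as a reset on the first protected-mode jump rather than as a diagnostic.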

RayeR (CZ), 12.03.2015, 17:56

@ roytam

Fixing the Memtest EXE loader

> I tried to do same thing, it starts but once it detected RAM modal names
> and tries to start testing, it reboots.

LOL, seems that I did the same yesterday as you, with the same result. I could have saved my time instead... Memtest 5.01 original crashes when the test should begin (desktop and ntb). Memtest 5.01 rowhammer starts running but reports errors on all addresses. My patch:

mt86+_loader.asm:
15,17c15,16
< %define fullsize ( 182704 + buffer - exeh )
<    ; the fullsize of memtest.bin is adjusted by makedos.sh
<    ; don't remove space after brace (needed for awk/sed processing)
---
> %define fullsize (182704 + buffer - exeh)
> ; 182704 is the size of memtest86+ V5.01, adjust as needed!
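Review bot: the `<` side carries the 25Eh values that roytam's patch introduces, so this diff was generated with the patched file as the first argument: `<` is new and `>` is the original. Regenerate it old-to-new (or say so next to it), otherwise `patch` applies it in reverse. On the hunk itself, the extra spaces in `( 182704 + buffer - exeh )` exist only so that `awk 'NR==15'` followed by `awk '{print $4}'` in makedos.sh lands on the number, which ties the source to a line number and to whitespace that any reformat will break; a less fragile hand-off is to have makedos.sh write a one-line file such as `%define MTSIZE 182704` that the loader pulls in with `%include`, so the size never sits inside a hand-edited expression.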
139c138
<    mov ax,[buffer+25Eh]    ; should be jmp far dword (ofs, seg)
---
> mov ax,[buffer+251h]      ; should be jmp far dword (ofs, seg)
152c151
<    mov [buffer+260h],eax   ; patch the protected mode entry jump
---
> mov [buffer+253h],eax     ; patch the protected mode entry jump
156c155
<    mov eax,[cs:buffer+219h]        ; should be lgdt offset
---
> mov eax,[cs:buffer+20ch]  ; should be lgdt offset
161c160
<    mov ax,[cs:buffer+21ch]         ; GDTR contents pointer
---
> mov ax,[cs:buffer+20fh]           ; GDTR contents pointer
216,217c215,216
< nopatch    db "jmp far dword not found at setup.S offset 5Eh,",13,10
<    db "(file offset 25Eh is not 66h, 0eah)",13,10
---
> nopatch   db "jmp far dword not found at setup.S offset 37h,",13,10
> db "(file offset 237h is not 66h, 0eah)",13,10
220,221c219,220
< nogdt      db "lgdt [...] not found at setup.S offset 19h,",13,10
<    db "(file offset 219h is not 0fh, 01h, 16h)",13,10
---
> nogdt     db "lgdt [...] not found at setup.S offset 0ch,",13,10
> db "(file offset 20ch is not 0fh, 01h, 16h)",13,10
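Review bot: the offsets in `nopatch` and `nogdt` are duplicated by hand from the instruction operands (5Eh/25Eh and 19h/219h); they agree here, which closes the gap left in the earlier patch, but the same number now lives in four places per check. Keep each patch point in one `%define` (e.g. `%define JMPOFS 25Eh`, used as `[buffer+JMPOFS]` and `[buffer+JMPOFS+2]`) so that only the message strings need a manual edit the next time setup.S shifts.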


makedos.sh:
#!/bin/bash
# Patch the real size of memtest.bin into line 15 of the loader source
# (the "( 182704 + buffer - exeh )" expression) and assemble the loader.

if [ -f memtest.bin ]
then
    # Current size constant: 4th whitespace-separated field on line 15,
    # i.e. the number inside "( 182704 + buffer - exeh )" (the spaces matter).
    CSIZE="$(awk 'NR==15 {print $4}' mt86+_loader.asm)";
    # Actual size of the memtest.bin that will be appended to the loader.
    NSIZE="$(ls -l memtest.bin | awk '{print $5}')";
    # Substitute on line 15 only, so the same number elsewhere is left alone.
    sed "15s/$CSIZE/$NSIZE/" mt86+_loader.asm > mt86+_loader.asm.new;
    mv mt86+_loader.asm.new mt86+_loader.asm;
    # NASM's default output format is flat binary.
    nasm mt86+_loader.asm;
fi

---
DOS gives me freedom to unlimited HW access.
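The whole thread turns on the loader looking for the 66h,0EAh far jump and the 0Fh,01h,16h lgdt at fixed file offsets that move whenever setup.S changes. The following Python script is an added example, not code from the thread, from the memtest86+ project or from the rowhammer repository: it derives those offsets from a memtest.bin image by searching the first sector of setup.S for the opcode bytes, reports the values the loader's instructions and error strings would need, and performs the same jump-operand patch the loader does after `foundpatch`. The image it runs on by default is constructed inline (a stand-in, not a real memtest.bin) with the instructions placed at the 5Eh/19h offsets quoted above; the 200h file offset of setup.S and the 90200h linear address of setup.S are taken from the loader's own comments, and the key names in the result dict are this example's choice.

```python
import struct

SECTOR = 0x200
SETUP_FILE_OFFSET = SECTOR      # the loader expects setup.S right after the boot sector
SETUP_LINEAR = 0x90200          # hard-coded linear address of setup.S (per the loader's comment)
JMP_FAR_DWORD = b"\x66\xea"     # 66h 0EAh: jmp far dword (32-bit offset, 16-bit selector)
LGDT_MEM16 = b"\x0f\x01\x16"    # 0Fh 01h 16h disp16: lgdt [disp16]


def locate_setup_patch_points(image, setup_file_offset=SETUP_FILE_OFFSET):
    """Find the far jump and the lgdt the loader patches by scanning the first
    sector of setup.S for the opcode bytes instead of trusting fixed offsets.
    Returns a dict of offsets; the keys follow the loader's own comments."""
    setup = image[setup_file_offset:]
    first_sector = setup[:SECTOR]
    j = first_sector.find(JMP_FAR_DWORD)
    if j < 0:
        raise ValueError("jmp far dword (66h, 0eah) not found in first sector of setup.S")
    g = first_sector.find(LGDT_MEM16)
    if g < 0:
        raise ValueError("lgdt [...] (0fh, 01h, 16h) not found in first sector of setup.S")
    # lgdt [disp16]: disp16 names the GDTR image (limit:16, base:32) inside setup.S
    gdtr_disp = struct.unpack_from("<H", setup, g + 3)[0]
    gdt_limit, gdt_base = struct.unpack_from("<HI", setup, gdtr_disp)
    gdt_off = gdt_base - SETUP_LINEAR       # where the GDT sits relative to setup.S
    return {
        "fullsize": len(image),                                 # for %define fullsize
        "jmp_setup_offset": j,                                  # "setup.S offset" in nopatch
        "jmp_file_offset": setup_file_offset + j,               # mov ax,[buffer+...]
        "jmp_operand_file_offset": setup_file_offset + j + 2,   # mov [buffer+...],eax
        "lgdt_setup_offset": g,                                 # "setup.S offset" in nogdt
        "lgdt_file_offset": setup_file_offset + g,              # mov eax,[cs:buffer+...]
        "gdtr_ptr_file_offset": setup_file_offset + g + 3,      # mov ax,[cs:buffer+...]
        "gdt_limit": gdt_limit,
        "gdt_base": gdt_base,                                   # hard-coded linear address
        "gdt_offset_in_setup": gdt_base & 0x1FF,                # what "and eax,1ffh" yields
        # the loader's mask is only valid if the whole GDT lies in the first sector
        "gdt_in_first_sector": 0 <= gdt_off and gdt_off + gdt_limit + 1 <= SECTOR,
    }


def patch_entry_jump(image, points, head_linear):
    """Do what the loader does after 'foundpatch': overwrite the 32-bit offset of
    the far jump with the linear address of head.S, leaving the selector alone."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, points["jmp_operand_file_offset"], head_linear)
    return bytes(patched)


def hexh(n, width):
    """NASM-style hex literal with an 'h' suffix; a leading 0 keeps it from
    being read as an identifier when the first digit is a letter."""
    s = "%0*X" % (width, n)
    return (s if s[0].isdigit() else "0" + s) + "h"


def loader_lines(points):
    """Render the four patch-point operands and the two diagnostics for these
    offsets, ready to paste over the hard-coded values in the loader."""
    p = points
    return "\n".join([
        "mov ax,[buffer+%s]    ; should be jmp far dword (ofs, seg)" % hexh(p["jmp_file_offset"], 3),
        "mov [buffer+%s],eax   ; patch the protected mode entry jump" % hexh(p["jmp_operand_file_offset"], 3),
        "mov eax,[cs:buffer+%s]        ; should be lgdt offset" % hexh(p["lgdt_file_offset"], 3),
        "mov ax,[cs:buffer+%s]         ; GDTR contents pointer" % hexh(p["gdtr_ptr_file_offset"], 3),
        'nopatch db "jmp far dword not found at setup.S offset %s,",13,10' % hexh(p["jmp_setup_offset"], 2),
        'db "(file offset %s is not 66h, 0eah)",13,10' % hexh(p["jmp_file_offset"], 3),
        'nogdt db "lgdt [...] not found at setup.S offset %s,",13,10' % hexh(p["lgdt_setup_offset"], 2),
        'db "(file offset %s is not 0fh, 01h, 16h)",13,10' % hexh(p["lgdt_file_offset"], 3),
    ])


def build_sample_image():
    """Constructed stand-in for memtest.bin (not a real build): a boot sector,
    one sector of setup.S with the two instructions at the offsets reported in
    this thread (19h and 5Eh), and two sectors of filler standing in for head.S."""
    boot = bytes(510) + b"\x55\xaa"
    setup = bytearray(b"\x90" * SECTOR)                    # nop filler
    gdtr_at = 0x1A0                                        # GDTR image inside setup.S
    setup[0x19:0x1E] = LGDT_MEM16 + struct.pack("<H", gdtr_at)
    setup[0x5E:0x66] = JMP_FAR_DWORD + struct.pack("<IH", 0, 0x10)   # offset 0, selector 10h
    setup[gdtr_at:gdtr_at + 6] = struct.pack("<HI", 0x17, SETUP_LINEAR + 0x1C0)
    return boot + bytes(setup) + b"\x90" * (2 * SECTOR)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    pts = locate_setup_patch_points(image)
    for key, val in pts.items():
        print("%-24s %s" % (key, val if isinstance(val, bool) else hex(val)))
    print(loader_lines(pts))
```

Run it with a real memtest.bin as the only argument to get the offsets for that build; with no argument it runs on the constructed image and reports 25Eh/260h for the far jump and 219h/21Ch for the lgdt, i.e. the pair both patches in this thread arrived at by hand. The `gdt_in_first_sector` flag is the check behind the loader's `and eax,1ffh` assumption; if it comes back False the masked GDT offset is wrong and the loaded image will fault on the first protected-mode jump.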

Zyzzle, 12.03.2015, 23:16

@ RayeR

Fixing the Memtest EXE loader

Do you have a binary of your patched 5.01 rowhammer version that I may test? Thanks.

RayeR (CZ), 13.03.2015, 01:24

@ Zyzzle

Fixing the Memtest EXE loader

> Do you have a binary of your patched 5.01 rowhammer version that I may
> test? Thanks.

I just deleted it; it seems that the newer memtest 5.x cannot be started with the old loader and will need a further update (according to the copyright it's 12-year-old code). I use grub4dos to start memtest.bin from DOS; it works from real mode.

---
DOS gives me freedom to unlimited HW access.
