ufrisk
commented
4 years ago Address space in a PC isn't exclusively backed by RAM.
Between 3-4 GB there is a space which is reserved for devices; reading these addresses usually generate a read towards a memory mapped device. This is usually not a problem; but some computers on some hardware really dislikes this. Behavior can range from nothing, to freezes, to reboots, to device stops working. I think this is the most likely cause of your problem.
Right now you would need to use pcileech with the -min and -max flags to skip those addresses; like pcileech.exe dump -max 0xc0000000 -out 0-3gb.raw and pcileech.exe dump -min 0x100000000 -out 4gb.raw.
In next version which I have ready for release, which may be released soon I hope (it's dependent on legal issues right now which is out of my control, but which I hope will be resolved soon) I will have an option to manually specify memory map.
MemProcFS shouldn't really have these problems though; since it usually never read anything in those regions.
This is what I think is the most likely issue; There might be more issues at play as well (due to the MemProcFS error); but it's really hard for me to tell. Lets wait for that memmap feature first.
michaelweber
whatsgoingon1177111
Hi @ufrisk!
Apologies if this is a duplicate issue (I've been reading through the closed issues and it seems like this occasionally happens, but most of the threads seem to end with the users just seeing it magically work again).
I'm using a Screamer M.2 with the latest official firmware from pcileech-fpga to try to read from a Windows 10 Build 18363 machine. It's an older AMD machine (AMD FX 6300, nothing Ryzen tier), which I know isn't what your test hardware is, but I've disabled IOMMU + SVM and windows is telling me that all device security measures are unavailable so I think any hardware protections are out of the way.
What's weird is that I can read the first 3 gigs of memory fine using pcileech - but the moment I got past that point - everything stops working. If I try to use MemProcFS or invoke the
kmdloadfunctionality this also breaks everything.An example successful run if I shut everything down, boot up, and then run from the lock screen:
All the reads succeed. This can be run over and over again and it won't have any problems. But if I try to read a single page beyond the 3GB threshold:
No dice. And now if I try to re-run the previous probe all the reads that had previously succeeded will now fail. I see similar failures if I try running the kmdload functions or just running MemProcFS.
I've tried swapping between PCI lanes and rebooting the machine a few times as well as swapping to slower read speeds but this issue seems to keep popping up. Is there some other obvious step I've missed in order to get access to the remaining memory / is there anything else I should be trying?
Thanks for your patience and apologies if this is some RTFM material - I've tried to go through all the documentation and I'm just not sure what next steps to try here. Do you have any suggestions / is there any other information I can provide that would be helpful?