ufrisk
commented
2 weeks ago You're confusing physical memory with kernel virtual memory.
pcileech dump will dump physical memory, which starts at 0GB and ends at an address a bit more than the amount of RAM in the system.
The addresses starting with 0xFFFF are virtual addresses belonging to the kernel address space. You cannot dump it that way. Dum the physical memory and look into the virtual memory with a tool such as MemProcFS instead.
I would like to read the end of memory via FPGA Screamer. pcileech.exe -device fpga dump -min 0xfffffffffff00000 -max 0xffffffffffffffff
The output is:
Current Action: Dumping Memory Current Action: Dumping Memory Access Mode: Normal Progress: 15280 / (unknown) Speed: 587 MB/s Address: 0x00000103BAFFF000 Pages read: 0 Pages failed: 3911680
And no transactions were detected on PCIe bus.