介紹作業系統概念的投影片

Transcription

介紹作業系統概念的投影片

Basic OS concept
CCL
HungLin Chou
Basic OS concept

The history of Operating System
From first processor to modern OS
Digging out kernel/system calls and static/dynamic libraries
in various OS environments
Real/Protected Mode (Rings)
User/Kernel Mode
Evil Hackers/Virus/Protocol Attacks issues
Virtual memory management
Inter-Process Communication
Device Driver Programming and how to work with user
applications
File-system internals and how to built-in various FS format
Operating System sub-systems
From the view of Microsoft to modern competitors
CCL
The history of computer
A good book about this history
意外的電腦王國
Accidental empires :how the boys of
Silicon Valley make their millions, battle
foreign competition, and still can’t get a
date
從大型電腦、小型電腦到個人電腦、微電腦的演變，美國數以千計的電腦業者竄起又跌落，
甚至蘋果（Apple）、微軟（Microsoft）、康百克（Compaq）等著名公司也數度面臨
絕境，其背後的艱辛、計謀及喜悅不僅代表了高科技人員的智慧，更流露出他們的血淚與無
奈。
在即將跨越20世紀的尾聲，作者斷言，穩坐龍頭地位數十年的IBM將要衰落，硬體業者難
以翻身，您可知道IBM的恐慌？
1999年12月31日，IBM大電腦就要跟我們說再見了！未來的世界景象－－您可知道？
CCL
The history of operating system
First software programmer in the world
ADA 伯爵夫人 (work with Charles Babbage, 1792-1871)
for a like-computer concept design
1981年美國國防部以此命名 ADA Language
Intel (Integrated Electronics)
In 1971, Busicom a Japanese company ask intel to
design a processing-chip.
In this project, hoff create a new concept let “software”
reside in memory and executed by computing-processunit
The first personal “CPU” product was produced by Intel
named “4004”.
in 1973,8bits Intel 8086
CCL
The history of operating system
CP/M (Control Program/Monitor)
In 1974， Dr. Gary Kildall design CP/M
CP/M-80 for Intel 8080
CP/M-86 for Intel 8088、8086
CP/M-68K for Motorola 68000
Microsoft
In 1979，IBM ask Microsoft to design a operating
system on Intel 8086
Microsoft buy the previous DOS (Disk operating
system) source code from engineer Tim Paterson and
then make the following DOS version and the compete
with CP/M for IBM personal computer
In 1987，IBM and Microsoft co-work to design OS/2
In 1990/5，released Windows 3.0
In 1992，released Windows NT
CCL
Why operating system?
Pack low level system design
including
Hardware platform dependent procedure
Support uniform system calls for upper layer program
calling and speed up the production of software
Not all program need to know the hardware spec.! OS and
device drivers will handle those low level design issue
Multi-Task and Memory Management
Multi-process/thread schedule on single processor
Support user-mode/kernel-mode to ensure the system
stable/security issue
Map different process into separate memory space to
provide convenient process-level memory management
and avoid the process-crash to effect the unstable issue
of whole system
CCL
Why operating system?
CPU initial booting
address
Boot loader
OS Environment
CPU
System/Hardware
initialization
User
User
program
program
User
program
User
program
User
program
SDRAM
Device Driver
and IO control
interface
CCL
Storage
ex:HD、Flash
I/O and
Bus
How to execute OS code?
CPU Initial
SDRAM
1
2
0xFFFFFFFF
Boot
Loader
CPU
Load 3
OS
Storage
ex:HD、Flash
I/O and
Bus
4
Load file system
Physical
Memory
0x00000000
CCL
How to generate execution file?
Compiler
C、Basic、Pascal
Assembly
Machine Code
Execution File Format
Code Section
Data Section
Other dynamic
environment section
CCL
Memory
Space
How OS load execution file?
OS program loader
Check file format
OS Environment
Initial environment or
re-direct to the interpreter
Memory Space
execve
Load called
Load called
DLLs
Load called
DLLs
DLLs
Execution File Format
Code Section
Dlls
Dlls
Dlls
Data Section
Execution
File Image
Other dynamic
environment section
CCL
Kernel Calls

Modern OSs will provide a set of kernel calls or device
driver function interface for the kernel-mode programmer
design issue
DOS is a single mode OS, and it provide

Interrupt 21h for programmer to control whole system
Any program could access any hardware without any limitation
A evil program/virus could easily crash/infect OS and
propagate itself continuously
Just could address to limited 1MB memory space

The program could only use the 0-640kbytes.
After Intel 80286

Intel support a “ Protected–mode” technology could support
32-bits command/address
The previous DSO program is in “Real-mode”
Microsoft release the DPMI(DOS Protected Mode Interface，
interrupt 2f/31) solution on DOS and let the DOS program
could access 4GB memory space easily
CCL
Kernel Calls
Kernel calls could reside in
Single-mode OS
Privileged-enable OS
Device driver interface will pack the kernel
call function into more convenient function
for the hardware driver designer
User-mode program couldn’t call the kernel
calls directly and must called via system
calls
CCL
System Calls
Operating system could define a set of
system calls for upper layer programs.
Usually it use the same way for the single
mode kernel calls
Under privileged mode, system calls is used
just to user-mode program
If the kernel mode code also want to use system
calls， it will modify the data segment let the
system map the correct data memory space
The OS’s system calls will define the upper
program limitation “capability” of this OS
CCL
Static library
For simple program distribution purpose, don’t need
to pack with any other libraries
The defects of static library
Big-Size for each execution file
Hard to upgrade the function of system
Need to recompile all programs with those functions
Sample product
Embedded English-Dictionary
For non-mmu processor, it is hard to provide dynamic
library
Static-library support will be the default setting for
that system architecture
CCL
Dynamic library
Could divide different function into
multiple dynamic library files
Easy to upgrade the function
Easy to maintain and need suitable
memory mapping mechanism
Execution files don’t need to contain
all functions it used
Minimum file size and system
environment storage requirement
CCL
Real mode – x86
Single-Task
Program could access any hardware
and change system configuration
Max-1MB memory addressing
Hard to provide high-performance
GUI
Text-mode dialog based GUI
CCL
Protected Rings
.
Processor will be in
real-mode first and
then enter
protected-mode
The outside of the
inner circles couldn’t
access the inside
code directly
Based on the
privileged level
Rare OSs support
ring 1 device driver
to protect the ring 0
kernel code
CCL
Protected mode -x86
setting the PE bit in CR0 causes the 80386 to begin
executing in protected mode
current privilege level (CPL) starts at zero
the segment registers continue to point to the same
linear addresses as in real address mode
mov
or
mov
jmp
eax,cr0
ax,1
cr0,eax
$+2
;
;
;
;
Get control register 0
Set PE bit (bit #0) in (e)ax
Activate protected mode!
To flush the instruction queue.
//The CPU is now executing in 16-bit protected mode. Make a far jump in order to
//load CS with a selector to a 32-bit executable code descriptor.
FJMP32
......
.........
Start32:
08h,Start32
; Jump to Start32 (below)
CCL
User-mode and kernel-mode memory space
CCL
User-mode
Separate memory-space
Any process execution status don’t
effect other process
User-mode program couldn’t access
I/O device directly
CCL
Kernel-mode
kernel-mode code segment and data
segment directly
In X86 environment
User could set “cr0” register to enter
protected mode
From 16-bits to 32-bits
CCL
How virus work?

Usually it will infect

System MBR
System boot sector
Hack to kernel-mode (Ring 0) from user-mode (Ring 3)
Hack into OS from internet protocol defects

Based on the protocol black-hole
Based on the programming bugs

Buffer-overflow
File system

Open/Read/Write actions

Fill in the file format empty section (ex:PE)
Move execution file entry code to other position and run the
virus code first then jump to the original code
Intercept the dynamic library function calls
Based on file-format

Execution file import table
Directly modify the header of function calls
CCL
Boot - virus
Infect the MBR/Boot
sector
Virus code will load before
operating system
Virus just could call BIOS
interrupt or directly access
hardware
Current operating system
won’t use BIOS calls after
entering privileged mode
Usually infect in the past
operating system
MS-dos
CCL
384 bytes
MBR Code
Boot-sector
Boot-sector
Boot-sector
File-inflected virus
Infect file format and file system
Infect file format
Don’t change any file size
Find the empty region of file format
Infect file system
Hook open/read/write operation
Check it if doubly infect
CCL
Invade kernel mode
For the system that IOPL (Input/output
privileged level) equal ring 3
It will be easy to hack kernel just modify IDT
(interrupt Descriptor Table) and trigger specific
interrupt to hacking ring 0
For the kernel-mode protocol bug
Hacker could use buffer-overflow or other
protocol black-hole to hack OS and enter the
kernel-mode protocol memory space to enter
the ring 0 kernel-mode
Infect the device driver file format
Not a good idea，but it workss。。^_^
CCL
Invade protocol layer
Buffer-Overflow
Stack
Evil Code
Function Parameters
Specific addr.
……..
Function Parameters
Return Address
Local variables
…….
CCL
31-22
21-12
11-0
Page Table Number
Page Number
Offset
Page Table Entry
Address
Page
Page
Page
Page
Page
Page
Table
Table
Table
Table
Table
Table
Number
Number
Number
Number
Number
Number
Page Number
Page Number
……
1024 entries
Page Number
4Kbytes Page
4Kbytes Page
Page Number
Page Number
……
1024 entries
Page Number
4Kbytes Page
4Kbytes Page
Page Number
Page Number
……
1024 entries
Page Number
4Kbytes Page
4Kbytes Page
4Kbytes Page
4Kbytes Page
……….
(2^10 = 1024 entries)
Page Table Number
Page Table Number
Page Table Number
32-bits
CCL
32-bits
4Kbytes Page
Virtual memory address translation
PTE based address = 0x12340000
Virtual address = 0x1cc151a0
(binary = 0001 1100 1100 0001 0101 0001 1010 0000)
Page Table Number: 0x073 (binary = 0001 1100 11)
Page Number: 0x015 (binary = 00 0001 0101)
Offset: 0x1a0 (binary = 0001 1010 0000)
Every entry is 4-bytes
Page Table Offset = 0x073 * 4 = 0x1cc
Page Number Offset = 0x015*4= 0x054
Get Page table at the address 0x123401cc
Page Table starting address 0x1258a000
Get page address 0x1258a054
Get the final page address “0x00020000” of physical memory
The final data address is “0x000201a0” in the physical
memory address
CCL
Inter-Process communication

Mutex
For application to check if any resource is used to decide waiting
for free or leaving out
Semaphore

Sema = CreateSemaphore(the number of semaphore)
Turn = WaitForSingleObject (Sema, 0)
//check it there is any free semaphore and return immediately
Mail-box
Socket layer
user-mode and kernel-mode could both use socket layer “port” for
communication
Shared-memory
User-mode application could share the same memory space to
exchange big data
Send Message – win32
For small and not too many data exchange
Good for win32 application to realize IPC
CCL
Device Driver Programming
Bind IRQ and provide interrupt
handling routine
Re-map physical hardware address to
virtual memory in kernel mode
If it enable MMU
Support DMA (Direct Memory Access)
and continuous memory space
Define a set of APIs for upper layer
CCL
How driver work with user-mode
Application
User-mode
1，DeviceIOControl (ioctl)
2，Blocking-Read (Driver Read Operation)
3，System Message
4，Via Socket Layer
Kernel-mode
Device
Driver
IRQ
I/O Space
CCL
How application control hardware?
Application
User-mode
1，Re-Map Physical memory to user-mode
virtual memory space via MMU
2，Device driver support device node with
ioctl/read/write operation
3，Device driver define message type for
application and driver communication
Kernel-mode
Device
Driver
IRQ
I/O Space
CCL
File-system internal
Windows 9x/ME IFSMgr
A book
Inside the Windows 95 File System
IFSMgr, The Installable File System Manager
CIFS (Common Internet File System)
FAT (File Allocation Table)12/16/32
Support 32-bits and 16-bits file system
access code
Win32 interface
16-bits V86 mode interface
CCL
Windows 9x/ME IFSMgr
Application
File System Interface
OS
IFSMgr
Installable
File System
VFAT
FSD
Input/Output
Supervisor
CD ROM
FSD
Network
Redirector
Other
OtherOtherOther
Driver
Driver
DriverDriver
SCSI
Port Port Port Driver
Driver Driver Miniport
Driver
CCL
Network
Subsystem
Windows 9x/ME
IFSMgr + Network FS
CCL
Linux VFS File system
CCL
Linux VFS File system
…..............
…..............…..............
Starting kswapd
VFS: Diskquotas version dquot_6.5.0 initialized
devfs: v1.10 (20020120) Richard Gooch ([email protected])
devfs: devfs_debug: 0x0
devfs: boot_options: 0x1
Detected PS/2 Mouse Port.
pty: 2048 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS
MULTIPORT SHARE_IRQ S
…..............
….............. …..............
CCL
Operating System Sub-system
Windows NT Sub-System
CCL
Sample of executing program in sub-system
CCL
Lookup Sub-system in PE file format
Device Driver *.SYS
Win32 GUI Program
Win32 Console Program
CCL

Windows NT Sub-system mapping filename

Services.exe Service Controller Process
Winlogon.exe Logon Process
Smss.exe
Session Manager Process
Psxss.exe
POSIX Subsystem Process
OS2ss.exe
OS/2 Subsystem Process
Csrss.exe
Win32 Subsystem Process
Ntdll.dll
Internal Support Functions and System
Service
Dispatch stubs to Executive Functions
Kernel32.dll
Win32 Subsystem DLLs
User32.dll
GDI32.dll
Psxdll.dll
POSIX Subsystem DLL
NTOSKRNL.EXE Executive and Kernel
Hal.dll
Hardware Abstraction Layer
CCL
Windows NT DOS Script Sub-system
Use cmd.exe to emulate command.com
Could help to execute script files
CCL
Windows NT
DOS/Win16 Subsystem
NTVDM.EXE
DOS and Win16 program
use the same subsystem
CCL
Windows NT
DOS/Win16 Subsystem
Run more than
one DOS/Win16
program
CCL
Linux
CCL
Linux
The history of Linux
Compare linux with various OSs
From Kernel to user mode
Hacking linux
Kernel calls
System calls
Libraries
Various modern linux solution
Embedded linux
GUI linux
CCL
Introduction of linux

Embedded Linux attract many companies to join

Linux 2.4+glibc+X Window+Mozilla
Support many embedded windows system

Tiny-X
Microwindow
Embedded QT.............etc

486 PC 做成的單張1.44MB磁片開機的Linux Router
LRP﹝Linux Router Project﹞
有許多Open Source 的Server，像Apache、SAMBA、Wu-FTP、Squid、
SendMail、Qmail、Postgres SQL...…，這些眾多的Server都可以整合到
1—16MB的Flash上
基於GPL，在自由開放的前提下吸引各地好手加入開發的行列
缺點在於使用者端的應用軟體仍有待加強
Internet Resource

http://sourceforge.net/
http://freshmeat.net/
http://www.linuxdevices.com
CCL
The history of linux

In 1987

Andrew Tanenbaum implement MINIX
In 1991

Linus Torvalds don’t satisfy with the performance of minix
Decide to develop a OS on INTEL 80386

User will need to find other third-party or open source solution
for real-time requirement
Linux is a monolithic kernel(集成式核心) not micro-kernel
After 2.0 kernel，linux support dynamic loading kernel
drivers (modules). It will be the first step to go ahead to
micro-kernel.
Linux is for generous purpose not RT-Kernel.
In the future plan，linux will

Separate more kernel component into different module
More like micro-kernel architecture to support more flexibility
CCL
Non-MMU Linux

uCLinux

uÎ Micro
CÎ Control
Micro Control Linux

For microcontrollers without Memory Management Units (MMUs).
Block drivers
Blkmem driver

RAM disk driver

use the Linux RAM disk device. This is commonly used in standard Linux for diskless
booting.
MTD driver

The oldest and may well still be the most common choice for uClinux
Specifically designed for uClinux, but it is relatively simple and only supports a
handful of common NOR Flash memory types
Support a huge variety of Flash devices, and offer powerful mechanisms for defining
partitions and mappings.
Root file-system for uCLinux
Execution in Flash

Compressed File-system

CramFSÎ Efficient flash usage, not support XIP, need more memory to execute program,
Read-Only
Journaled Filesystem

RomfsÎ Simple architecture, light-weight system resource ,Read-Only, Support XIP (Execute
in place)
JFFS/JFFS2Î Read/Write File-system, Log-Based (also support compression) ,not support XIP
CCL
RamdiskÎ Excellent Read/Write Performance

ext2
Non-MMU Linux

uCLinux kernel size is smaller than origial linux kernel

Common Linux API
uCkernel < 512 kb
uCkernel + tools < 900 kb

Original Linux use virtual memory to achieve it (even the
physical memory space isn’t continuous)
Not Design for Real-Time issue
uClinux comes equipped with a full TCP/IP stack, as well as
support for numerous other networking protocols
Real memory mapping and no address translation table
System need to allocate enough continuous memory space
Use “flat” to execute program.

ELF binary VS FLAT (elf2flt)
FLAT format is designed to be a very light weight application binary format, no
symbols, no debug info, and only a simple small header.
CCL
Non-MMU Linux
uClinux booting
Linear Memory
Addressing
BootLoader
Linux Kernel
RootFS
Memory Technology
Device
Init Process
(from busybox)
CCL
Process N-3
Process N-2
Process N-1
Process N
Static Library
Blkmem on uclinux

Flash必須要可以讓CPU直接定址,運行程式碼
Ramdisk driver initialized : 16 ramdisks of 4096K size
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 309EF3C-638EF33B (RO)
……………………………..
# more mounts
<< mounts >>
/dev/root / romfs rw 0 0
/dev/ram0 /var ext2 rw 0 0
proc /proc proc rw 0 0
#
CCL
Compare linux with other OSs
Network
Performance
Linux is usually
used in networkenable device
Linux network layer
could bring you
complete internet
services in many
hardware platforms
CCL
Network Performance
In Pentium II 350 + 224MB memory, compare Linux
2.4.3 and Windows 2000 Server network performance
Operating System
Linux 2.4.3
Windows 2000
Transmit 10000 Packets(512bytes)
0.087 s
3.465 s
Transmit 10000 Packets(1kbytes)
0.143 s
3.545 s
0.230 s
3.715 s
7.369 s
18.327 s
64.584 s
151.548 s
Transmit 10000 Packets(1Mbytes)
129.938 s
309.635 s
CCL
Network Performance
In Pentium II 350 + 224MB memory, compare Linux
2.4.3 and Windows 2000 Server network performance
Operating System
Linux 2.4.3
Windows 2000
Bandwidth in packet size 512bytes
56.124 MB/sec.
1.409 MB/sec.
Bandwidth in packet size 1kbytes
68.291 MB/sec.
3.837 MB/sec.
84.918 MB/sec.
5.257 MB/sec.
84.815 MB/sec.
34.103 MB/sec.
77.419 MB/sec.
32.993 MB/sec.
Bandwidth in packet size 1MB
76.96MB/sec.
32.296MB/sec.
CCL
Memory
Architecture
Linux
3-4GB Kernel
Mode
0-3GB User Mode
User processes
are all running in
user-mode
memory
CCL
Memory Architecture
Solaries in X86
在X86的機器上面，
Solaris 8的Kernel
Mode 是劃分到最上層
的記憶體位址，而真正
屬於Kernel Mode的
記憶體大小為512MB，
應用程式使用的動態函
式庫載入位址則由
0xE000000開始向下
延伸。應用程式載入的
起始點則由
0x08050000開始
CCL
Memory Architecture
Windows 9x/ME
Every process use
private memory
space in 0-2GB
3-4GBÎWindows
9x/ME Kernel
2-3GBÎWin16
program and system
shared library
0-2GBÎEvery process
has its own memory
space and specific
library
CCL
Memory
Architecture
Windows 2000/XP
2-4GBÎKernel
mode memory
0-2GBÎUser
mode memory
CCL
System Calls
Operating system support numerous
functions in kernel-mode and called by
user-mode program via “system-call”
privileged-level operation and must call
those services with system-call
Kernel could support this feature by
Call-gate
Interrupt-gate
CCL
System Calls
Windows 2000/XP
CCL
System Calls
Windows 2000/XP
NTDLL.DLL中的NtAlertThread函式
B8 07 00 00 00 mov
eax，7
8D 54 24 04
lea
edx，dword ptr [esp+4]
CD 2E
int
2Eh
C2 04 00
ret
4
CCL
NtAlertThread(IN HANDLE ThreadHandle);
eax(使用的函式編號)
edx(NtAlertThread 所使用參數位址)
System Calls
Solaris
CCL
System Calls
Solaris
int my_fork()
Call Gates
{
__asm__("
movl $0x2,%eax //SYS_fork
lcall $0x27,$0x0
");
透過一個遠程呼叫，改變CS﹝Code Segment﹞
的值到Kernel Mode﹝Ring 0﹞中，如此可以
讓在User Mode﹝Ring 3﹞的程式，可以藉此
呼叫並執行位於Kernel Mode﹝Ring 0﹞的程
式碼。
}
CCL
System Calls
///usr/include/sys/syscall.h
....…
Solaris
目前Solaris 8版本中，共定義了 256個
System Call的Number﹝由0--255﹞
CCL
#define SYS_exit
1
#define SYS_fork
2
#define SYS_read
3
#define SYS_write
4
#define SYS_open
5
#define SYS_close
6
#define SYS_wait
7
....…
#define SYS_mount
21
#define SYS_umount 22
#define SYS_setuid
23
#define SYS_getuid
24
....…
System Calls
Solaris
Some system calls
are implemented
by Interrupt-gate
gethrvtime
b8 04 00 00 00
cd d2
c3
CCL
movl $0x4,%eax
int $0xd2
ret
System Calls
Linux
///arch/i386/kernel/entry.S
int my_fork()
{
__asm__("
movl $0x2,%eax //SYS_fork
int
");
}
CCL
$0x80
System Calls
Linux
ARM Software Interrupt
00010c30 <__libc_open>:
00010c50 <__libc_read>:
10c30:
ef900005
swi
10c34:
e3700a01
cmn
10c38:
2a00035c
bcs
10c3c:
e1a0f00e
mov
0x00900005
10c50:
ef900003
swi
10c54:
e3700a01
cmn
119b0 <__syscall_error>
10c58:
2a000354
bcs
pc, lr
10c5c:
e1a0f00e
mov
r0, #4096
; 0x1000
00010c40 <__close>:
0x00900003
r0, #4096
; 0x1000
pc, lr
00010c60 <__libc_write>:
10c40:
ef900006
swi
10c44:
e3700a01
cmn
10c48:
2a000358
bcs
10c4c:
e1a0f00e
mov
0x00900006
10c60:
ef900004
swi
10c64:
e3700a01
cmn
10c68:
2a000350
bcs
pc, lr
10c6c:
e1a0f00e
mov
r0, #4096
; 0x1000
CCL
0x00900004
r0, #4096
; 0x1000
pc, lr
System Calls
Linux

2.1.x 比起 2.0.x 增加
了System Call，其中
包括了針對新架構
module所增加的
System Call﹝2.0.35
有166個，2.2.12 有
190個﹞
We can use Interrupt
80 to call Linux
System Call
From /linux/arch/i386/kernel/entry.s
.long SYMBOL_NAME(sys_sched_get_priority_min) /* 160 */
.long SYMBOL_NAME(sys_sched_rr_get_interval)
.long SYMBOL_NAME(sys_nanosleep)
.long SYMBOL_NAME(sys_mremap)
.long SYMBOL_NAME(sys_setresuid)
.long SYMBOL_NAME(sys_getresuid)/* 165 */
.long SYMBOL_NAME(sys_vm86)
.long SYMBOL_NAME(sys_query_module)
.long SYMBOL_NAME(sys_poll)
.long SYMBOL_NAME(sys_nfsservctl)
.long SYMBOL_NAME(sys_setresgid)/* 170 */
.long SYMBOL_NAME(sys_getresgid)
CCL
System Calls
Linux
In arch/arm/kernel/calls.S
__syscall_start:
/* 0 */
.long sys_ni_syscall
.long sys_exit
.long sys_fork_wrapper
.long sys_read
.long sys_write
/* 5 */
.long sys_open
.long sys_close
.long sys_ni_syscall
/* was sys_waitpid */
.long sys_creat
.long sys_link
………………………
CCL
Kernel calls
Operating system support numerous
kernel calls for kernel-mode
implementation and device-driver
programming
The code or module in kernel mode could
call those functions directly
CCL

Kernel calls

Windows 9x/ME

Take a look at Windows
9x/ME system architecture

Layer 1(Ring 0)

VMM32.VXD
(including multiple
VXD)

LE (Linear Execution)
Format

DPMI (Dos Protect
Mode Interface) Server
Layer 2 (Ring3)

KRNL386.exe is 16-bits
NE (New Execution)
user-mode kernel code

DPMI Client
Layer 3 (Ring 3)

Shell Interface
Layer 4 (Ring 3)

Other Windows
Applications
CCL
Kernel calls
Windows 9x/ME
VMM32.vxd
Is Windows
9x/ME real
“kernel-mode”
kernel
It contain
multiple kernel
component
With a MZ header
but not a
standard LE
driver file format
CCL
Kernel calls
Windows
9x/ME
Use Microsoft
command
“exehdr” to
show
krnl386.exe
NE Header
and
information
CCL

Kernel calls

Windows 9x/ME

Use interrupt 20h as
kernel call interface
The following
“000100A7” is
Use DDK (Device Driver Kit) to
compile the following code

VMMCall _Allocate_Device_CB_Area, <<SIZE
VwatchD_CB_STRUCT>, 0>

0001 is the
device id of
VXD Service
00A7 is the
service
number in
that VXD
Service Table
User could
look up those
device id and
service
number in
DDK include
files(ex：
VMM.inc)
And disassemble the binary file
6A 00
6A 04
CD 20
A7 00 01 00
83 C4 08
CCL
push
0
push
4
int
20h
dd 000100A7
add ESP,08
Kernel calls
Windows 9x/ME
How to make it
more efficiently
Kernel will
translate
interrupt calls
into function
address after the
first time calling
CCL
Kernel calls
Windows 9x/ME
How Windows
98/ME support
dual-format
device driver

WDM
(Windows
driver model)
in PE format
VXD in LE
format
Use DDK (Device Driver Kit) to
compile the following code
ntStatus = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
&deviceNameUnicodeString,
FILE_DEVICE_UNKNOWN,
0,FALSE,DeviceObject);
And disassemble the binary file
FF1578020100
CALL DWORD PTR
[NTOSKRNL=>IoCreateDevice]
Then load the driver to memory and
Windows 98/ME
disassemble it
use
NTKERN.VXD to
FF15380000FF CALL [FF000038]
emulate
Î0028:FF000038
DC 98 29 C0
Windows NT
0xC02998DC mapped to NTKERN.VXD ’s
kernel
“NTOSKRNL.EXE” memory space
CCL
Kernel calls
Windows 2000/XP
Called by function
address and
translated via
import-table
Device driver in
PE format
The same as
user-mode
program and
dynamic libraries
CCL
Import Descriptor
Original First Thunk:
001F3DB4
Time Date Stamp:
00000000
Forwarder Chain:
00000000
Windows XP
Name:
001F3D94 (HAL.dll)
First Thunk:
00000580
ntoskrnl.exe
Ordn
Name
Export Directory
32 HalReportResourceUsage
Section Header
Characteristics:
00000000
5 HalAllProcessorsStarted
Name:
.text
Time Date Stamp:
41108004
........................
Virtual Size:
00071DC1
Version:
0.00
001F3EB8
Virtual Address:
00000580 Name:
001AE116 (ntoskrnl.exe) Original First Thunk:
Time
Date
Stamp:
00000000
Size of Raw Data:
00071E00 Base:
00000001
Forwarder
Chain:
00000000
Pointer to Raw Data:
00000580 Number of Functions:
000005CB
Name:
001F3D9C
Pointer to Relocations:
00000000 Number of Names:
000005CB
(BOOTVID.dll)
Pointer to Line Numbers:
00000000Address of Functions:
001AA728
First Thunk:
00000684
Number of Relocations:
0000
Address of Names:
001ABE54
Ordn
Name
Number of Line Numbers:
0000 Address of Name Ordinals:
001AD580
5 VidInitialize
Characteristics:
68000020 Func Adr Ordn Name
3 VidDisplayString
Contains Code
000047D5
1 ExAcquireFastMutexUnsafe
............................
Mem not pageable
000937AF
2 ExAcquireRundownProtection
001F3EE4
Mem executable
0016CB50
3 ExAcquireRundownProtectionEx Original First Thunk:
Time
Date
Stamp:
00000000
Mem readable
0016CB17
4 ExInitializeRundownProtection
Forwarder
Chain:
00000000
0000C495
5 ExInterlockedAddLargeStatistic
001F3DA8 (KDCOM.dll)
0000C5BE
6 ExInterlockedCompareExchange64 Name:
First
Thunk:
000006B0
0000B9C9
7 ExInterlockedFlushSList
Ordn
Name
0000B9EF
8 ExInterlockedPopEntrySList
0 KdD0Transition
0000BA10
9 ExInterlockedPushEntrySList
1 KdD3Transition
0016CB27 10 ExReInitializeRundownProtection
5 KdRestore
000047FA 11 ExReleaseFastMutexUnsafe
.......................
00004BD0 12 ExReleaseResourceLite
000937ED 13 ExReleaseRundownProtection
0016CBA3 14 ExReleaseRundownProtectionEx
.......................
Kernel calls
CCL
Kernel calls

Windows XP
Other kernel-mode drivers (*.sys)
Kernel-mode core components
NTOSKRNL.exe
hal.dll
kdcom.dll
bootvid.dll
CCL
Kernel calls
Solaris
DDI﹝Device Driver Interface﹞
DKI﹝Driver Kernel Interface﹞
Support “source code” level compatible
CCL
Kernel calls
Solaris
DDI
functions
/usr/ccs/bin/nm /kernel/genunix
............
[3333] |
[3447] |
[2917] |
[2447] |
[2083] |
[1048] |
[3472] |
[1038] |
[3643] |
[3622] |
[4525] |
[2406] |
............
532448|
550456|
518812|
518800|
518824|
550024|
532480|
536420|
516844|
532244|
518484|
518528|
12|FUNC |GLOB |0
40|FUNC |GLOB |0
12|FUNC |GLOB |0
12|FUNC |GLOB |0
48|FUNC |GLOB |0
160|FUNC |LOCL |0
224|FUNC |GLOB |0
124|FUNC |LOCL |0
12|FUNC |GLOB |0
8|FUNC |GLOB |0
44|FUNC |GLOB |0
44|FUNC |GLOB |0
CCL
|1
|1
|1
|1
|1
|1
|1
|1
|1
|1
|1
|1
|ddi_add_child
|ddi_add_eventcall
|ddi_add_fastintr
|ddi_add_intr
|ddi_add_softintr
|ddi_all_drivers_devid_to_devlist
|ddi_append_dev
|ddi_append_minor_node
|ddi_apply_range
|ddi_binding_name
|ddi_btop
|ddi_btopr
Kernel calls
Solaris
Kernel
“genunix”
is loaded
by krtld
CCL

Kernel calls

Solaris

標示為 “FUNC” 的Symbol就是我們可以在撰寫Solaris驅動程式時呼叫的函式。
# /usr/ccs/bin/elfdump /dev/ksyms
............…....
ksyms
(kernel
[1] 0xfe8051c4 0x0000000e FUNC LOCL 0 ABS
symbols
[2] 0xfe81dffe 0x00000000 NOTY LOCL 0 ABS
driver) will
update the
[3] 0xfe8051d4 0x0000000e FUNC LOCL 0 ABS
kernel
[4] 0xfe8051e4 0x0000000e FUNC LOCL 0 ABS
symbol table [5] 0xfe8051f4 0x0000000e FUNC LOCL 0 ABS
after we
[6] 0xfe805204 0x0000000e FUNC LOCL 0 ABS
load/unload
[7] 0xfe805214 0x0000000e FUNC LOCL 0 ABS
any kernel[8] 0xfec024bc 0x00000008 OBJT LOCL 0 ABS
mode driver
[9] 0xfe81d022 0x00000000 NOTY LOCL 0 ABS
Drivers could [10] 0xfe805224 0x0000000e FUNC LOCL 0 ABS
call each[11] 0xfec04f10 0x00000000 NOTY LOCL 0 ABS
other
............…....
functions
[7048] 0xfea777c4 0x00000250 FUNC LOCL 0 ABS
based on
“driver-stack” [7049] 0xfe80e900 0x00000014 FUNC GLOB 0 ABS
[7050] 0xfe80e8c4 0x00000014 FUNC GLOB 0 ABS
resolved
[7051] 0xfe81d3b0 0x0000001a FUNC GLOB 0 ABS
............…....
CCL
kadb_error10
audit_anchorpath_L
kadb_error11
kadb_error12
kadb_error13
kadb_error14
kadb_error15
kstat_hash_table
recv_L
kadb_error16
sec_svc_control_inf
fdc_enhance_probe
ddi_dma_unbindhdl
ddi_dma_allochdl
lm_shrlock
Kernel calls
Linux
Usually we name Linux device driver as
“module”
It support dynamic-driver loading after
kernel version 2.0
Kernel will maintain driver function symbol
and kernel current symbol into the same
kernel symbol table and could be called by
other kernel-mode modules
CCL
Kernel calls

Linux
ELF <Executable and
Linking Format> is a
common file format in
Linux
Linux Driver Driver is
a ELF relocatable
file﹝Object file﹞
It will be dynamic-link
when loading into
kernel，otherwise it
will show error
message “unresolved
symbo ”。
CCL

Kernel calls

Linux
The function names in
/proc/ksyms could
be called by linux
device driver

Some of them
are from Kernelsource code and
declare ”EXPORT
_SYMBOL()”
Some of them
are from device
driver
函式後方的編號，是該版本
的32位元CRC資料，用來確
認函式呼為正確版本
CCL

Kernel calls

Linux

Declare
kernel
export
function
and driver
“Only”
could call
those
limitedfunctions
The other
kernel
functions
are
invisible
for linux
device
driver
From linux/kernel/ksyms.c
EXPORT_SYMBOL(panic);
EXPORT_SYMBOL(printk);
EXPORT_SYMBOL(sprintf);
EXPORT_SYMBOL(vsprintf);
EXPORT_SYMBOL(kdevname);
EXPORT_SYMBOL(bdevname);
EXPORT_SYMBOL(cdevname);
EXPORT_SYMBOL(simple_strtoul);
EXPORT_SYMBOL(system_utsname);/* UTS data */
EXPORT_SYMBOL(uts_sem);/* UTS semaphore */
EXPORT_SYMBOL(sys_call_table);
EXPORT_SYMBOL(machine_restart);
EXPORT_SYMBOL(machine_halt);
CCL
Kernel calls
Linux
CCL

Kernel calls

Linux

“printk_R2gig_1b7d4074” 前
面有一個符號 “U”，這即表示
printk這個symbol尚未經過連
結。

函式”printk”之後的”
R2gig_1b7d4074”字串，為
Linux解決kernel 版本問題，而
在各kernel symbol之後附加的
32位元的CRC(Cyclic
Redundancy Code) 。

當module載入到系統時，
insmod會去比對所載入module
使用的symbol CRC值是否與目
前kernel所提供的CRC值一致。
兩者如果一樣的話，表示此函式
與載入module所要呼叫的函式相
同，並未有版本相容的問題。除
了CRC值的確認外，並透過取得
module中所紀錄
的 ”kernel_version”，與目前的
kernel版本做比較
CCL

Dynamic Library

Why we need dynamic-loading libraries

Compact the memory space requirement
Minimum the execution file size
Easy to maintain shared-libraries functions. After we update
some functions, don’t need to re-compile all execution files
What we need for getting dynamic-libraries supports

Memory-mapping mechanism

Multiple virtual memory space map to the same physical memory
space
Shared the same “Code” segment and support copy-on-write to avoid
any advanced programming skill “hacking-code”

Windows 9x/ME load system-dlls in 2-3GB memory space

Linux/Windows 2000/XP map individual dll into separately process
memory space to avoid evil “code-injecting”
Execution file format need to support those tables at the begin of
file, and program loader will parse those relative tables to load
specific dynamic libraries
CCL
Dynamic Library
Windows 9x/ME/2000/XP
Support PE format Dynamic Loading
Libraries
User-mode program could refer to the
same DLL in different virtual-address
mapped to the same physical-space
Use copy-on-write mechanism to minimum
the physical memory requirement
CCL

Dynamic Library
For a execution file
CCL
Import Descriptor
0001F678
Time Date Stamp:
FFFFFFFF
Forwarder Chain:
FFFFFFFF
Name:
0001F650 (msvcrt.dll)
First Thunk:
00001000
Ordn Name
133 __p__fmode
128 __p__commode
182 _adjust_fdiv
154 __setusermatherr
315 _initterm
........
0001F7A0
Time Date Stamp:
FFFFFFFF
Forwarder Chain:
FFFFFFFF
Name:
0001F65C (KERNEL32.dll)
First Thunk:
00001128
Ordn Name
229 FlushConsoleInputBuffer
577 LoadLibraryA
........
0001F964
Time Date Stamp:
FFFFFFFF
Forwarder Chain:
FFFFFFFF
Name:
0001F66A (USER32.dll)
First Thunk:
000012EC
Ordn Name
359 GetUserObjectInformationW
353 GetThreadDesktop
475 MessageBeep
........

Dynamic Library
Export Directory
For a dll file
Import Descriptor
Time Date Stamp:
Forwarder Chain:
Name:
First Thunk:
Ordn Name
21
7
54 WSARecvFrom
52 WSARecv
000030C8
FFFFFFFF
FFFFFFFF
000030AC (WS2_32.dll)
00001000
000030DC
Time Date Stamp:
FFFFFFFF
Forwarder Chain:
FFFFFFFF
Name:
000030B8 (KERNEL32.dll)
First Thunk:
00001014
Ordn Name
137 DisableThreadLibraryCalls
445 GetSystemTimeAsFileTime
316 GetCurrentProcessId
318 GetCurrentThreadId
.......
Characteristics:
00000000
Time Date Stamp:
41107EDB
Version:
0.00
Name:
0000248E (WSOCK32.dll)
Base:
00000001
Number of Functions:
00000476
Number of Names:
0000004B
Address of Functions:
000010F4
Address of Names:
000022CC
Address of Name Ordinals:
000023F8
Func Adr Ordn Name
00002BE7
1 accept (Forward Chain: ws2_32.accept)
00002BF5
2 bind (Forward Chain: ws2_32.bind)
00002C01
3 closesocket (Forward Chain: ws2_32.closesocket)
00002C14
4 connect (Forward Chain: ws2_32.connect)
00002C87
5 getpeername (Forward Chain: ws2_32.getpeername)
00002CF2
6 getsockname (Forward Chain: ws2_32.getsockname)
00002EDA
7 getsockopt
00002D05
8 htonl (Forward Chain: ws2_32.htonl)
00002D12
9 htons (Forward Chain: ws2_32.htons)
00002D1F 10 inet_addr (Forward Chain: ws2_32.inet_addr)
00002D45 11 inet_ntoa (Forward Chain: ws2_32.inet_ntoa)
00002D56 12 ioctlsocket (Forward Chain: ws2_32.ioctlsocket)
CCL
Dynamic
Library
Windows
9x/ME/2000
/XP
How to
hack
windows
dynamic
libraries
CCL
Dynamic
Library
Windows
9x/ME/2000/X
P
How to
hack
windows
dynamic
libraries
CCL
Dynamic Library
Linux
#include <stdio.h>
int main()
{
printf("\ntest");
}
[root@hlchou /root]# gcc test.c -o test
[root@hlchou /root]# ldd test
libc.so.6 => /lib/libc.so.6 (0x40016000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
CCL
Dynamic Library
Linux
[root@hlchou /root]# file test
test: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (use
s shared libs), not stripped
CCL
Dynamic Library
Linux
[root@hlchou /root]# ls -l test
-rwxr-xr-x 1 root
root
11694 Oct 24 02:31 test
經過strip後，則變為 3004 bytes
[root@hlchou /root]# strip test
-rwxr-xr-x 1 root
root
3004 Oct 24 02:48 test
CCL
Dynamic Library
Linux
[root@hlchou /root]# gcc -static test.c -o test
[root@hlchou /root]# ldd test
not a dynamic executable
[root@hlchou /root]# file test
test: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, not stripped
-rwxr-xr-x 1 root root
932258 Oct 24 02:51 test
[root@hlchou /root]# strip test
-rwxr-xr-x 1 root root
215364 Oct 24 02:55 test
CCL
Dynamic Library
Linux
用來刪去動態函式庫中不必要函式的工具，針對這個只用到了 printf的程式來產生新的
libc.so的話，我們可以得到一個精簡過的 libc.so 大小約為 219068 bytes
[root@hlchoua lib]# ls -l libc.so*
-rwxr-xr-x 1 root
lrwxrwxrwx 1 root
root
root
219068 Nov 2 04:47 libc.so
7 Nov 1 03:40 libc.so.6 -> libc.so
CCL
Dynamic Library
Linux
[root@hlchoua /root]# ldd /bin/ls
[root@hlchoua /root]# ldd /bin/pwd
[root@hlchoua /root]# ldd /bin/vi
libtermcap.so.2 => /lib/libtermcap.so.2 (0x40016000)
libc.so.6 => /lib/libc.so.6 (0x4001b000)
CCL
Dynamic Library
Linux
[root@hlchoua /root]# ldd /lib/libc.so.6
[root@hlchoua /root]# ldd /lib/ld-linux.so.2
statically linked
CCL
Dynamic Library
Linux
當我們執行程式時，系統會到哪些目錄去搜尋執行檔所用到的函式庫呢? 其實如果我們去檢
視 ”/etc/ld.so.conf” 檔案中的內容如下:
/usr/X11R6/lib
/usr/i486-linux-libc5/lib
CCL
Dynamic Library
Linux
程式用到了libreadline.so.3這個動態函式庫，若把這個函式庫移除了，所以實際上，它並不存
在這台電腦中，當啟動有用到libreadline.so.3的執行檔時，系統會先去檢視這個函式庫是否在
動態函式庫的快取(檔名為ld.so.cache)中存在，如果不存在的話，系統仍會試著去找尋這個動
態函式庫的檔案，它所搜尋的路徑如下順序
/lib/i686/mmx/libreadline.so.3
/lib/i686/libreadline.so.3
/lib/mmx/libreadline.so.3
/lib/libreadline.so.3
/usr/lib/i686/mmx/libreadline.so.3
/usr/lib/i686/libreadline.so.3
/usr/lib/mmx/libreadline.so.3
/usr/lib/libreadline.so.3
CCL
Dynamic Library
Linux
這種逐一目錄尋找的方式很缺乏效率，因此Linux提供了一個動態函式庫快
取的機制，它所存在的檔案位置為 /etc/ld.so.cache，舉我們之前的例子來說，
在ld.so.conf裡面紀錄了系統搜尋動態函式庫時所會依序去尋找的路徑，如
果把所要加入的動態函式庫檔案所存在的路徑加入此處，或是以下路徑的
其中之一，這樣我們執行程式時，便可以縮短函式庫搜尋所花的時間
/lib/
/usr/lib/
CCL
Dynamic Library
Linux
把libreadline.so.3放到 /root/lib中，並且修改/etc/ld.so.conf檔案的內容如下
/usr/X11R6/lib
/root/lib
接著把動態函式庫檔案libreadline.so.3移到/root/lib目錄下，執行ldconfig –D，
可以看到它會依序到以下目錄去建立動態函式庫的快取
/usr/X11R6/lib
/root/lib
/usr/lib
/lib
CCL
Dynamic Library
Linux
在這張圖中，程式是由記憶體0x08048000開始載入的，而所用
到的動態函式庫則是在記憶體位置0x40000000開始載入
40000000-40001000
/usr/share/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGE
S
40001000-40002000 /usr/share/locale/en_US/LC_MONETARY
40002000-40003000 /usr/share/locale/en_US/LC_TIME
40003000-4000b000 /lib/libnss_files-2.1.2.so
4000b000-4000c000 /lib/libnss_files-2.1.2.so
4000c000-400f7000 /lib/libc-2.1.2.so
400f7000-400fb000 /lib/libc-2.1.2.so
400fb000-400ff000 0
400ff000-40111000 /lib/ld-2.1.2.so
40111000-40112000 /lib/ld-2.1.2.so
40112000-4011b000 /lib/libnss_nisplus-2.1.2.so ......…(more)
CCL
Dynamic Library
Linux
How linux kernel
load a execution
program
CCL
Dynamic Library
Linux
在函式do_load_elf_binary () 執行時，首先會去檢視目前的檔案是否為ELF
格式，如下程式碼
if (elf_ex.e_ident[0] != 0x7f || strncmp(&elf_ex.e_ident[1], "ELF", 3) != 0)
goto out;
便是去檢查該檔的前四個 bytes是否為 0x7f 加上 “ELF” (0x 45 0x4c 0x46)，
若非，則結束do_load_elf_binary的執行。之後，便是去檢視我們之前提過
的 e_type 屬性，來得知是否為ET_EXEC(Executable File) 或是
ET_DYN(Shared Object File) 這兩個值的其中之一
if (elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN)
goto out;
如果都不是這兩個值之一，便結束do_load_elf_binary的執行
之後便是一連串讀取ELF 檔表格的動作，在此就不多說，各位可以自行參閱
/usr/src/linux/fs/binfmt_elf.c的內容即可。
CCL
How to minimum dynamic
libraries?
Dynamic Library
(*.so)
obj
obj
obj
obj
obj
obj
obj
obj
A thin library
for embedded
device
CCL
libraries?
Parsing ELF Header
Parsing ELF Header
Execution
file
Execution
file
Execution
file
Execution
file
Execution
file
Execution
Executionfile
file
Library
Project
Library
Project
Library
Project
Library
LibraryProject
Project
All functions provided
from each obj file
All functions
Mapping
CCL
Re-link a new library package
libraries?
[/root/VoIP/wavplay-1.4]nm wavfile.o
00000134 T WaveReadHeader
0000003c T WaveWriteHeader
U __errno_location
U __udivsi3
00000014 b buffer.91
00000000 t err
000003d4 T findchunk
00000000 t gcc2_compiled.
U lseek
U memcpy
00000000 r rcsid
U read
U sys_errlist
00000414 b v_erf
00000000 b waveformat.90
00000000 d waveheader
U write
[/root/VoIP/wavplay-1.4]
CCL
Linux booting
# fdisk /dev/hda
Command (m for help): p
Disk /dev/hda: 255 heads, 63 sectors, 9729 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot
Start
/dev/hda1 *
1
/dev/hda2
7
/dev/hda3
9665
End
6
Blocks Id System
48163+ 83 Linux
9664 77577885 83 Linux
9729
522112+ 82 Linux swap
Command (m for help):
CCL
Linux booting
./dump -h /dev/hda|more
0000001b 0000 0000 0000 0000 CF6E 3DBA 0000 8001
0000001c 0100 83FE 3F05 3F00 0000 4778 0100 0000
0000001d 0106 83FE FFFF 8678 0100 3A7D 3F09 00FE
0000001e FFFF 82FE FFFF C0F5 4009 01EF 0F00 0000
0000001f 0000 0000 0000 0000 0000 0000 0000 55AA
CCL
Linux booting (IDE)
C:\debug
-a100
0DAE:0100 mov ax,0201 <讀取一個磁區>
0DAE:0103 mov bx,200 <載入到記憶體篇移位址ES:200即0DAE:0200 - 0DAE:03FF共512bytes>
0DAE:0106 mov cx,1
0DAE:0109 mov dx,80 <即為讀取第一個硬碟的Partition>
0DAE:010C int 13
0DAE:010E int 3
<int 3 為 debug 中斷>
•AH = function number, 02h in this case
0DAE:010F
•AL = number of sectors to read (must be
nonzero)
-g=100
•CH = low 8 bits of cylinder number
0DAE:03B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 01 ................
0DAE:03C0 01 00 06 3F BF 3B 3F 00-00 00 C1 30 23 00 80 00 ...?.;?....0#...
•CL = high 2 bits of cylinder number and 6-bit
sector number as follows:
0DAE:03D0 81 3C 83 3F FF 26 00 31-23 00 40 75 0E 00 00 00 .<.?.&.1#.@u....
•high-order bits 6-7 (hard disk only) contain high
2 bits of cylinder number
0DAE:03E0 C1 27 82 3F FF 3A 40 A6-31 00 00 3B 01 00 00 00 .'.?.:@.1..;....
•low-order bits 0-5 contain sector number (1-63)
0DAE:03F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U.
•DH = head number
•DL = drive number (bit 7 set for hard disk)
•ES:BX = data buffer
CCL
Linux booting (IDE)
每個硬碟共有 16 byets的空間來記錄,它所紀錄下的資料分別為
00h
--> 啟動指示,若為80h 代表可啟動的分割
01h-03h
--> Begin CHS
04h
--> 作業系統指示
05h--07
--> End CHS
08h
--> Partition Start
0ch
--> Partition Size
(CHS(Cylinder(10bits), heads(8bits), sectors(6bits)) 8GB limited from “512bytes * CHS[1024x256x63] “= 8GB)
C = ((byte2 & 0xc0) << 2) + byte3
H = byte1
S = byte2 & 0x3f
作業系統指示的資料又有
00h
--> 無
01h
-->DOS 12 bit 的FAT
04h
-->DOS 16 bit 的 FAT
05h
06h
07h
-->DOS 3.3+ 的延伸分割 (即為延伸分割區,裡面還可以再包含其它的邏輯分割區)
-->DOS 大型檔案系統 (Win NT的 16bit FAT 即為此)
--> OS/2 HPFS
0Ah
--> OS/2 boot manage
0Bh
-->使用 Win 95 32bit FAT 即為此
82h
-->Linux swap 的分割區
83h
-->Linux native的分割區
CCL
Linux booting (Floppy)
objcopy -O binary -R .note -R .comment -S compressed/bvmlinux
compressed/bvmlinux.out tools/build -b bbootsect bsetup
compressed/bvmlinux.out CURRENT > bzImage
Boot sector 512 bytes.
Setup is 4792 bytes.
System is 1022 kB
CCL
Linux booting (loadlin.exe)
Support “DOS” command mode Linux Loader
(could work with Free-DOS)
loadlin c:\linux\vmlinuz root=/dev/hda3
CCL
Linux booting (syslinux)
Easy-to-use
MS DOS environment linux booting
utility
// config file “syslinux.cfg”
default linux
prompt 1
timeout 1
label linux
kernel linux
append ramdisk_size=32768 initrd=image.gz
CCL
Linux booting (lilo)
Could install in
Boot Sector
MBR(Master Boot Record) (446bytes)
Use BIOS interrupt to access hard disk
// /etc/lilo.conf
裝置
prompt
timeout=50
default=linux
IDE1 master
hda, hda1, hda2
IDE1 slave
hdb, hdb1, hdb2
IDE2 master
hdc, hdc1, hdc2
IDE2 slave
hdd, hdd1, hdd2
lba32
ÎLBA mode
image=/boot/vmlinuz
label=linux
root=/dev/hda2
read-only
CCL
Lilo
Linux booting (grub)
Need a separate partition to place Grub files
Support CHS/LBA could boot kernel after 8GB offset
Support User Menu
裝置
// /boot/grub/grub.conf
title Red Hat Linux (2.4.18-3)
Grub
IDE1 master
(hd0), (hd0,0), (hd0,1)
IDE1 slave
(hd1), (hd1,0), (hd1,1)
root (hd0,0)
kernel /vmlinuz-2.4.18-3 ro root=/dev/hda2
IDE2 master
initrd /initrd-2.4.18-3.img
IDE2 slave
CCL
(hd2), (hd2,0), (hd2,1)
(hd3), (hd3,0), (hd3,1)
Linux booting (initrd file)
//In RedHat initrd-2.4.18-3.img is used to support “ext3” or “SCSI” to avoid “kernel” not
supporting it and making “booting” failure
[root@pc085229 check_initrd]# ls
initrd-2.4.18-3.img
[root@pc085229 check_initrd]# gzip -dc initrd-2.4.18-3.img > initrd-2.4.18-3
[root@pc085229 check_initrd]# mkdir test
[root@pc085229 check_initrd]# mount -o loop initrd-2.4.18-3 test
[root@pc085229 check_initrd]# ls test
bin dev etc lib linuxrc loopfs proc sbin sysroot
[root@pc085229 check_initrd]#
CCL
Hacking linux kernel
Linux Kernel Message
We will use the two packages Sysklogd and utillinux in Linux environment
Sysklogd
klogd是紀錄Linux 核心訊息與Linux核心模組訊息,每當核心程
式呼叫printk時,就可以由這個User-Mode的klogd程式來負責
把此時的核心訊息紀錄下來
syslogd則是負責User-Mode程式所需紀錄的系統訊息(例如紀
錄在/var/log/messages的系統訊息).
util-linux
包含許多有用的系統工具軟體

arch(取得硬體架構)
ipcs(取得目前Process間通訊機制的資訊
dmesg可以在User-Mode動態的查詢目前系統的核心訊息.
CCL
Start
End
CCL
Ring Buffer for Linux Kernel Message
CCL
Ring Buffer的運作為在log_buf所配置的記憶體空間裡
log_start紀錄著下一筆要透過sys_syslog讀出的訊息位址
con_start紀錄著下一筆要在使用者電腦console前輸出的訊息位址
log_end紀錄著可供下一筆訊息寫入的位址,如果使用者寫入
log_buf的訊息超過了log_buf所配置的記憶體空間,就會從log_buf的起始
位址繼續寫入. 不過由於log_start,log_end都是會不斷的增加,所以在
log_buf中定址時,會與LOG_BUF_MASK作 "&" 運算,讓
log_start,log_end的值只在0-LOG_BUF_LEN的範圍內
CCL

(log_end&LOG_BUF_MASK) 超過了log_buf的記憶體空間後,又
由log_buf起始點開始寫入,如此就如同一個環形,可以不斷的把訊息寫
入,並且維持一個最大為LOG_BUF_LEN大小的訊息儲存空間.
CCL
Klogd and dmesg
Klogd(klogd -f /dev/pts/0 )與dmesg主要用到兩個System Call,分別為
sys_syslog(103)與sys_get_kernel_syms(130).這兩個Linux System
Call會定義在
X86Îsrc/arch/i386/kernel/entry.S
ArmÎsrc/arch/arm/kernel/calls.S
.long SYMBOL_NAME(sys_syslog) /* 103 */
.long SYMBOL_NAME( sys_get_kernel_syms ) /* 130 */
CCL
CCL
Linux driver module
Kerneld VS Kmod
Linux 2.0.xÎ主要是透過一個User Mode的 ”Kerneld” Daemon，
處理來自Kernel要求載入Driver的工作，並經由執行 “modprobe”
指令載入所需的Driver
Linux 2.1.xÎ則交由 “kmod” 這個Kernel Mode程式，透過產生
一個kernel thread來執行”modprobe”指令載入Driver
CCL
Linux driver
module
Kerneld
CCL

Linux driver module

Kerneld

kerneld在啟動時會把自己初始化
為一個user mode的daemon，
在程式一切準備就緒後，便開始
接收系統所發出的IPC(Internal
Process Comunication)
Message。若kernel要把某個
module載入系統時，便會透過發
出IPC Message的方式，來通知
kerneld載入該module。它所能
辨識的Message Type有數種，
我在圖中僅列出其中的兩種。

如果收到的Message Type為
KERNELD_REQUEST_MODUL
E，則透過外部呼叫，執行
“modprobe”這隻程式，來把所要
求的module載入系統中。若收到
的Message Type為
KERNELD_RELEASE_MODUL
E，亦透過”modprobe”來移除
module。
CCL
Linux driver
module
kmod
CCL
Linux driver module
Kmod
kernel 2.1.x之後Îkernel載入Driver時，透過kmod，
無須由kernel發出IPC Message給user mode 的
kerneld，可直接在kernel mode執行
request_module()透過 ”modprobe”載入module
函式request_module()呼叫 ”kernel_thread()” 產生
kernel thread來執行 “exec_modprobe()”。
在 ”exec_modprobe()” 中則透過”execve()” 以在
kernel mode裡外部執行modprobe。
直接在Kernel 中載入驅動程式，比起Kerneld更加簡潔
與有效率
CCL
Linux driver
module
kmod
CCL
Linux driver module
lsmod
Linux 2.0.xÎ”lsmod”開啟檔案“/proc/modules”
Linux 2.1.x Î系統提供了函式” query_module”
在kernel 2.0.x時，指令”lsmod”是去開啟檔案
“/proc/modules” 來得知系統中，已載入哪些Module。不過到
了kernel 2.1.x以後，系統提供了函式” query_module”。因此，
此時”lsmod”的實作便是透過呼叫query_module來取得系統已
載入module的相關資料。有關lsmod的實作，可以參考
modutils-2.1.85中的lsmod.c。
CCL
Linux driver module
lsmod
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
.long
SYMBOL_NAME(sys_sched_get_priority_min)/* 160 */
SYMBOL_NAME(sys_sched_rr_get_interval)
SYMBOL_NAME(sys_nanosleep)
SYMBOL_NAME(sys_mremap)
SYMBOL_NAME(sys_setresuid)
SYMBOL_NAME(sys_getresuid)/* 165 */
SYMBOL_NAME(sys_vm86)
SYMBOL_NAME(sys_query_module)
SYMBOL_NAME(sys_poll)
SYMBOL_NAME(sys_nfsservctl)
SYMBOL_NAME(sys_setresgid)/* 170 */
SYMBOL_NAME(sys_getresgid)
SYMBOL_NAME(sys_prctl)
SYMBOL_NAME(sys_rt_sigreturn)
SYMBOL_NAME(sys_rt_sigaction)
CCL
kernel 2.1.x之後所提供的函
式”query_module”，我們以
/arch/i386/kernel/entry.s
這檔案來比較kernel 2.0.35
與2.2.12在sys_call_table的
不同。其中，2.0.35共有0—
166個System Call (亦即 80
號中斷的服務)，而2.2.12則
有0---190個System Call，
其中所提到的函
式”query_module”則為第
167個函式。
Linux driver module
Modprobe
Modprobe 會解決 Module Stack的問題，
避免Module載入過程中呼叫其它未載入Module所提
供函式，而造成的”unresolved symbol” 錯誤
Modprobe透過函式 system()執行insmod來載
入其它module
CCL
Linux driver
module
modprobe
CCL
Linux driver
module
CCL
Linux driver module
CCL
Linux driver module
insmod
載入流程大略簡化如下
﹝1﹞搜尋Module所在的路徑(呼叫search_module_path() )
﹝2﹞比對目前環境Kernel版本與Module是否一致
﹝3﹞比對Kernel與Module的CRC值是否正確
﹝4﹞把目前Module中尚未定義的symbol，與目前kernel及已載入的
module之symbol做連結。
﹝5﹞把載入Module時使用者所加入的引數傳給Module
﹝6﹞建立新Module的Symbol Table
﹝7﹞在Kernel配置記憶體給Module，並把載入的Module由User Mode重
置到Kernel Mode的記憶體，執行init_module() 進行初始化
Linux 動態載入 Module 介紹
CCL
http://www.linuxfab.com/indexColumnData.php?CID=84&FIRSTHI
T=1

Linux driver module stack
Module所Reference到的Symbol也可能存在其它Module中

例﹕ÎModule A 使用了Module B的函式，當A Module載入到系統時，若B
Module此時不存在系統中，便會發生unresolved symbol的錯誤。因此要解決
Module Stack所引發的問題，我們可以在insmod A Module前，先把B Module
載入到系統中
如下圖的例子

module Y呼叫了module X所提供的函式，則module Y->deps會指向一個
module_ref結構
module X被module Y呼叫，所以module X->refs會指向圖中的module_ref結
構
module Y並未被其它的module所呼叫，所以module Y->refs為NULL
module X沒有呼叫其它的module，所以module X->deps為NULL
module Y呼叫module X的函式，需參考圖中的module_ref，所以
module_ref->ref指向module Y
module_ref依賴module X來提供資訊給module Y，所以module_ref->dep指
向module X
沒有同一個module函式被一個以上的module呼叫。所以，在圖中的
module_ref->next_ref為NULL
CCL
Linux driver
module stack
struct module Y
struct module X
size_of_struct
*next
size_of_struct
*next
*name
usecount
flags
*name
usecount
flags
nsyms
ndeps
*syms
nsyms
ndeps
*syms
*deps
*refs
*init
*cleanup
*ex_table_start
*ex_table_end
*persist_start
*persist_end
*can_unloadCCL
*dep
*ref
*next_ref
struct module_ref
*deps
*refs
*init
*cleanup
*ex_table_start
*ex_table_end
*persist_start
*persist_end
*can_unload

Linux driver module stack
如下圖，在載入module X與module Y後，接著載入module Z。module Z
同時呼叫了module X與module Y的函式。

首先，module Z呼叫module Y的函式，所以module Z->deps指向
module_ref A
module Z並沒有被其它module所呼叫，故module Z->refs為NULL。而
module Y函式被module Z呼叫，module Y->refs指向module_ref A
如之前例子的說明，module_ref A->ref指向module Z，而module_ref A>dep指向module Y。
接著，我們再看呼叫module X函式的情形。
module Z與module Y都呼叫了module X的函式，我們可以看到module_ref B
所在位置為module_ref A之後，而module_ref B->ref指向module Z，
module Z透過參考module_ref B來取得module X資訊。
而module_ref B->dep指向module X，值得注意的是module_ref B的
next_ref指向module_ref C。因為module Z與module Y共同呼叫了module X
的函式，所以這兩個module_ref亦建立了關係。
在module_ref C中，module_ref C->ref指向module Y，而 module_ref C>dep指向module X，module_ref C->next_ref為NULL。由於module Y呼叫
了module X的函式，所以在圖中，module Y->deps指向module_ref C。
CCL
Linux driver
module stack
struct module Z
struct module Y
struct module X
size_of_struct
size_of_struct
size_of_struct
*next
*name
usecount
flags
nsyms
ndeps
*syms
*next
*name
usecount
flags
nsyms
ndeps
*syms
*next
*name
usecount
flags
nsyms
ndeps
*syms
*deps
*refs
*init
*cleanup
*ex_table_start
*ex_table_end
*persist_start
*persist_end
*deps
*refs
*init
*cleanup
*ex_table_start
*ex_table_end
*persist_start
*persist_end
*can_unload
module_ref A
*dep
*ref
*next_ref
*dep
*ref
*next_ref
CCLmodule_ref B
*can_unload
module_ref C
*dep
*ref
*next_ref
*deps
*refs
*init
*cleanup
*ex_table_start
*ex_table_end
*persist_start
*persist_end
*can_unload
Linux program debugging tools
strace
strace /bin/ls
execve("/bin/ls", ["/bin/ls"], [/* 20 vars */]) = 0
uname({sys="Linux", node="localhost.localdomain", ...}) = 0
brk(0)
= 0x80535c4
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)
=3
fstat64(3, {st_mode=S_IFREG|0644, st_size=70378, ...}) = 0
old_mmap(NULL, 70378, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000
close(3)
=0
open("/lib/libtermcap.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\r\0"..., 512) = 512
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40028000
old_mmap(NULL, 14932, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40029000
。。。。。。。
old_mmap(NULL, 1271364, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4002d000
old_mmap(0x4015e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x131000) = 0x4015e000
old_mmap(0x40161000, 9796, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40161000
close(3)
=0
munmap(0x40016000, 70378)
=0
brk(0)
= 0x80535c4
brk(0x80745c4)
= 0x80745c4
brk(0)
= 0x80745c4
brk(0x8075000)
= 0x8075000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40164000
mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0xc17) = 0x40364000
CCL
Linux program debugging tools
ltrace
__register_frame_info(0x080530c0, 0x080532f4, 0x40029bbe, 0x0804954e, 0) = 0x080490e8
setlocale(6, "")
= "en_US.iso885915"
bindtextdomain("fileutils", "/usr/share/locale") = "/usr/share/locale"
ltrace /bin/ls textdomain("fileutils")
= "fileutils"
__libc_start_main(0x08049740, 1, 0xbffffab4, 0x08049060, 0x0804fcb0 <unfinished ...>
signal(15, 0x08049620)
= NULL
signal(9, 0x08049620)
= 0xffffffff
signal(19, 0x08049620)
= 0xffffffff
__cxa_atexit(0x0804d910, 0, 0, -1, -1)
=0
isatty(1)
=0
getenv("QUOTING_STYLE")
= NULL
getenv("LS_BLOCK_SIZE")
= NULL
getenv("BLOCK_SIZE")
= NULL
getenv("POSIXLY_CORRECT")
= NULL
getenv("COLUMNS")
= NULL
ioctl(1, 21523, 0xbffffa18)
= -1
getenv("POSIXLY_CORRECT")
= NULL
getenv("TABSIZE")
= NULL
getopt_long(1, 0xbffffab4, "abcdfghiklmnopqrstuvw:xABCDFGHI:"..., 0x0804fd4c, NULL) = -1
malloc(36)
= 0x08053f18
malloc(36)
= 0x08053f40
malloc(11600)
= 0x08053f68
malloc(12)
= 0x08056cc0
strlen(0x080509e1, 0x080509e1, 0xbffffa18, 0x4009d163, 0x401613a0) = 1
malloc(2)
= 0x08056cd0
strcpy(0x08056cd0, ".")
= 0x08056cd0
__errno_location()
= 0x40160ce0
opendir(".")
= 0x08056ce0
readdir64(0x08056ce0, 0x08056ce0, 0xbffffa38, 0x0804ab4a, 0x400a3c70) = 0x08056d10
。。。。。
CCL
Various modern linux system solution
Device File System
What is Devfs?
Originate from Richard Gooch in Australia.
Liunx 核心2.2.x尚未把Devfs附屬在Linux Kernel的原
始碼當中，所以需要在2.2.x環境中使用Devfs的話，還
需要經過一些Kernel的Patch
過去透過major 與 minor 識別device,為了廣泛相容性
都會預先建立額外的device node
In RedHat 7.0,it have more than 6000 device
node in /dev directory
Devfs support a NameSpace mechanism to provide
meaningful device naming support
CCL

Devfs and VFS
在系統初始化時，會先
進入函式
start_kernel﹝﹞，之
後進入init﹝﹞。而在
函式init﹝﹞中會先進
入do_basic_setup﹝﹞
再由函式
do_initcalls﹝﹞來初
始化Devfs的檔案系統，
如圖所示
init_devfs_fs﹝﹞函
式會呼叫
register_filesystem
﹝﹞對系統註冊Devfs
檔案系統
CCL
Devfs and VFS
Major號碼主要的意義就是Device ID，例
如﹕軟碟機floppy=02,音效裝置
audio=14,ISDN設備isdn=45,第一個排
線上的硬碟機hda=3.......等
Minor號碼則是代表了所屬Device ID的裝
置編號，例如以硬碟機為例子，hda的
Partition Table部分的Minor號碼為0、第
一個分割區為1、第二個分割區為2......…
CCL
Devfs and VFS
/dev (In RedHat 7.0)
MAKEDEV*
md5
sdag7 sdci15 sdr1
ttyF185 ttySR323
X0R@
md6
sdag8 sdci2 sdr10
ttyF186 ttySR324
aaa
md7
sdag9 sdci3 sdr11
ttyF187 ttySR325
adbmouse
md8
sdah sdci4 sdr12
ttyF188 ttySR326
agpgart
md9
sdah1 sdci5 sdr13
ttyF189 ttySR327
amigamouse mdsp1
sdah10 sdci6 sdr14
ttyF19 ttySR328
amigamouse1 mdsp10
sdah11 sdci7 sdr15
ttyF190 ttySR329
apm_bios
mdsp11
sdah12 sdci8 sdr2
ttyF191 ttySR33
atarimouse mdsp12
sdah13 sdci9 sdr3
ttyF192 ttySR330
atibm
mdsp13
sdah14 sdcj sdr4
ttyF193 ttySR331
atimouse
mdsp14
sdah15 sdcj1 sdr5
ttyF194 ttySR332
audio
mdsp15
sdah2 sdcj10 sdr6
ttyF195 ttySR333
audio1
mdsp16
sdah3 sdcj11 sdr7
ttyF196 ttySR334
audioctl
mdsp2
sdah4 sdcj12 sdr8
ttyF197 ttySR335
aztcd
mdsp3
sdah5 sdcj13 sdr9
ttyF198 ttySR336
bpcd
mdsp4
sdah6 sdcj14 sds
ttyF199 ttySR337
bttv0@
mdsp5
sdah7 sdcj15 sds1
ttyF2
ttySR338
capi20
mdsp6
sdah8 sdcj2 sds10
ttyF20 ttySR339
CCL
......…
Devfs and VFS
支援Devfs檔案系統的驅動程式，都必須要加入
Devfs的註冊函式，也就是說在我們所使用的環
境中可能會存在有舊版本的驅動程式，如果為
了相容性的問題，其實就算同時保留了過去的
裝置檔案也是可以的。有支援Devfs的驅動程式，
則只要在初始化的過程中呼叫函式
devfs_register()即可對Devfs檔案系統註冊該
裝置檔案
CCL
Devfs and VFS
/devfs檔案系統目錄
./shm
./vc
./misc
./pty
./pts
./vcc
./tts
./cua
./ide/host0/bus0/target0/lun0
./ide/host0/bus0/target0
./ide/host0/bus0/target1/lun0
./ide/host0/bus0/target1
./ide/host0/bus0
./ide/host0
./ide
./cdroms
./discs
./floppy
CCL
Devfs and VFS
在核心編譯的選項，需要把如下的選項打開
/dev file system support (EXPERIMENTAL)
(CONFIG_DEVFS_FS) [Y/n/?]
如果希望可以在開機時自動的啟動Devfs服務，則須把以下選項打開
Automatically mount at boot (CONFIG_DEVFS_MOUNT)
[Y/n/?]
必須在開機時Script檔案前先把使用者端的常駐程式devfsd載入
[root@hlchou linux]# more /etc/rc.d/rc.sysinit
#!/bin/bash
......…
# If we're using devfs, start devfsd now - we need the
old device names
[ -e /dev/.devfsd -a -x /sbin/devfsd ] &&
/sbin/devfsd /dev
CCL
Devfs and VFS
如果我們不打算在一開機時就啟動Devfs的話，就可以關
閉該選項，只需在開機進入系統後，透過手動方式執行
以下指令即可
mount -t devfs /mnt1 /mnt2
mnt1使用者可以輸入任意的目錄名稱。mnt2為Devfs
所要載入的目錄，例如我們可以設定為/devfs
CCL
Devfs and VFS
[root@hlchou /root]# ls /devfs
[root@hlchou /root]# mount -t devfs /mnt1 /devfs
cdroms/ discs/ ide/ misc/ ptmx random tts/
vc/
console floppy/ kmem null pts/ root@ tty
vcc/
cua/
full
mem port pty/ shm/ urandom zero
[root@hlchou /root]# echo "test /devfs/tty" > /devfs/tty
test /devfs/tty
[root@hlchou /root]#
CCL
Devfs and VFS
在核心載入Devfs後，我們還需要透過使用者端的devfsd常駐程式來建立與之前裝置檔案系統的相容性，如下所示
[root@hlchou /root]# devfsd /devfs
Started device management daemon for /devfs
agpgart@ ptyb3@ ptydd@ ptyq7@ ptyt1@ ptyvb@ ptyy5@ tty13@ tty51@
cdroms/ ptyb4@ ptyde@ ptyq8@ ptyt2@ ptyvc@ ptyy6@ tty14@ tty52@
console ptyb5@ ptydf@ ptyq9@ ptyt3@ ptyvd@ ptyy7@ tty15@ tty53@
cua/
ptyb6@ ptye0@ ptyqa@ ptyt4@ ptyve@ ptyy8@ tty16@ tty54@
cua0@
ptyb7@ ptye1@ ptyqb@ ptyt5@ ptyvf@ ptyy9@ tty17@ tty55@
cua1@
ptyb8@ ptye2@ ptyqc@ ptyt6@ ptyw0@ ptyya@ tty18@ tty56@
discs/ ptyb9@ ptye3@ ptyqd@ ptyt7@ ptyw1@ ptyyb@ tty19@ tty57@
fd@
ptyba@ ptye4@ ptyqe@ ptyt8@ ptyw2@ ptyyc@ tty2@ tty58@
floppy/ ptybb@ ptye5@ ptyqf@ ptyt9@ ptyw3@ ptyyd@ tty20@ tty59@
full
ptybc@ ptye6@ ptyr0@ ptyta@ ptyw4@ ptyye@ tty21@ tty6@
hda@
ptybd@ ptye7@ ptyr1@ ptytb@ ptyw5@ ptyyf@ tty22@ tty60@
hda1@
ptybe@ ptye8@ ptyr2@ ptytc@ ptyw6@ ptyz0@ tty23@ tty61@
…………………………………………………
…………………………………
ptyb1@ ptydb@ ptyq5@ ptysf@ ptyv9@ ptyy3@ tty11@ tty5@
CCL ptyy4@ tty12@ tty50@
ptyb2@ ptydc@ ptyq6@ ptyt0@ ptyva@
Devfs and VFS
透過/dev與/devfs 目錄查看第一個磁碟機的第一個分割區所對應到的裝置檔案
[root@hlchou /root]# ls /dev/hda -l
brw-rw---- 1 root
disk
3, 0 8月 24 2000 /dev/hda
[root@hlchou /root]# ls /devfs/hda -l
lr-xr-xr-x 1 root
root
32 6月 13 20:02 /devfs/hda ->
ide/host0/bus0/target0/lun0/disc
透過不同的裝置檔案系統架構﹝過去的/dev與目前的/devfs﹞，來讀取第一個磁碟機的MBR
[root@hlchou /root]# dd if=/dev/hda of=/mbr_dev bs=512 count=1
1+0 records in
1+0 records out
[root@hlchou /root]# dd if=/devfs/hda of=/mbr_devfs bs=512 count=1
1+0 records in
1+0 records out
[root@hlchou/root]# dd if=/devfs/ide/host0/bus0/target0/lun0/disc of=/mbr_devf
bs=512 count=1
1+0 records in
1+0 records out
CCL

Devfs
and
VFS
分別透過hexdump來查看剛剛所讀取出來的磁碟機MBR資料是否正確無誤
[root@hlchou /root]# hexdump /mbr_dev
0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a
0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac
.........…
00001f0 0000 0000 0000 0000 0000 0000 0000 aa55
0000200
[root@hlchou /root]# hexdump /mbr_devfs
0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a
0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac
...........
00001f0 0000 0000 0000 0000 0000 0000 0000 aa55
0000200
[root@hlchou /root]# hexdump /mbr_devfs2
0000000 ebfa 6c7c 6162 494c 4f4c 0001 0415 005a
0000010 0000 0000 cbd5 3b20 ac80 4cc0 8101 c0ac
...........
00001f0 0000 0000 0000 0000 0000 0000 0000 aa55
0000200
CCL
Devfs initial process

在函式init﹝﹞中，
do_basic_setup﹝﹞函式結
束後，會進入函式
prepare_namespace﹝﹞，
之後會呼叫
mount_devfs_fs﹝﹞去確認
我們是否選擇要在一開機時
就把Devfs自動的載入檔案
系統，不過自動載入的預設
目錄為/dev，對於希望把
Devfs檔案系統與原本的裝
置檔案系統目錄分開的使用
者來說，其實可以透過
mount指令自行把Devfs檔案
系統選擇載入到特定的目錄。
CCL
Devfs initial
process
假設Devfs檔案系統並
不會在一開機時就自動
載入，而是在系統開機
完成後，由使用者透
過”mount”指令自行載
入
CCL
Devfs initial process
devfs_register﹝﹞的函式原型如下
devfs_handle_t devfs_register (devfs_handle_t dir, const char *name,unsigned int
flags,unsigned int major, unsigned int minor, umode_t mode, void *ops, void *info)
dir: 為一個指向裝置檔案在devfs中所屬主目錄進入點﹝例如﹕/devfs/cdroms﹞的參數。如果為NULL的話，
那就表示這個新的裝置檔案是相對於devfs的根目錄﹝例如﹕/devfs﹞。
name: 該裝置檔案進入點的名稱。
flags:設定該裝置檔案的旗標﹝詳細內容可參閱Linux原始碼
/linux/include/linux/devfs_fs_kernel.h﹞。
major: The major number. Not needed for regular files.
minor: The minor number. Not needed for regular files.
mode: 設定裝置檔案的狀態﹝例如﹕區塊、字元裝置檔案......等，可參閱Linux原始碼
/linux/include/linux/stat.h﹞。
ops: 定義對該裝置檔案操作的基本函式，例如對一個ide介面的裝置，其中ops宣告如下
struct block_device_operations ide_fops[] = {{
open:
ide_open,
release:
ide_release,
ioctl:
ide_ioctl,
check_media_change:
ide_check_media_change,
revalidate:
ide_revalidate_disk}};
CCL
Devfs
當核心Devfs檔案系統有
新的裝置產生或是有一些
狀態的改變時，會呼叫函
式
devfsd_notify_one﹝﹞
把需要處理的事件加入
queue中。因為queue中
新增了需要處理的事件，
所以devfsd程式就會從
Read動作中讀取到資料，
進而分析所讀取的資料，
再來對目前Devfs檔案系
統所屬的目錄做出對應的
動作
CCL

Linux MISC Filesystem and JAVA environment

J2EE主要應用是針對企業市場，因此考量上主要針對伺服器端
﹝Server-Side﹞程式的開發與應用，例如它的執行環境中支援了Java
Beans來支援企業的分散式運算，及Servlet/JSP以供企業應用在網站的
服務中
J2SE主要針對個人電腦用戶的運算平台，在這平台上廣泛支援了一般
Java所會使用到的執行環境。
J2ME主要針對執行環境資源有限的平台，例如:嵌入式系統的應用，
J2ME主要分為兩個版本，分別為

CDC﹝Connected Device Configuration ﹞
CVM(C Virtual Machine)與一組核心函式庫，主要運作在32-bits的處理器與
RAM、Flash或ROM總和在2Mbytes以上的裝置，CDC主要是針對像智慧型
手機、汽車導航系統或是資訊家電…....等

CLDC﹝Connected Limited Device Configuration ﹞。
KVM，K Virtual Machine﹞，主要運作在RAM、Flash或ROM總和在160—
512Kbytes的裝置上，具備低耗電與有限的連網能力，例如現在在Palm OS
中所使用的大多為KVM
CCL
Linux MISC Filesystem and JAVA
environment
Linux kernel support MISC filesystem to let user
could execute java bytecode directly.
It is suitable for a Java-enable device to support
in Linux Kernel.
在編譯核心時把支援MISC檔案系統的選項加入，如下:
Kernel support for a.out binaries
(CONFIG_BINFMT_AOUT) [y/m/N/?]
Kernel support for ELF binaries
(CONFIG_BINFMT_ELF) [Y/m/n/?]
Kernel support for MISC binaries
(CONFIG_BINFMT_MISC) [Y/m/n/?]
CCL
Linux MISC
Filesystem and
JAVA environment
Linux MISC File
System could
support different
file format to
provide various
application
CCL
echo ':Java:M::\xca\xfe\xba\xbe::/usr/local/jdk1.2.2/bin/javawrapper:' >
/proc/sys/fs/binfmt_misc/register
//Java Application
echo ':Applet:E::html::/usr/local/jdk1.2.2/bin/appletviewer:' >
//副檔名為 ”html”
echo ':Applet:M::<!--applet::/usr/local/jdk1.2.2/bin/appletviewer:' >
//檔頭為 “<!--applet”
而每個參數所代表的意義如下表所示
欄位順序
名稱
1
Name
產生在 “/proc/sys/fs/binfmt_misc” 目錄下的檔案名稱，用來識別所支援的執行檔環境
2
Type
3
Offset
M 表示透過比對檔頭來辨認執行檔
E 表示透過延伸的副檔名來辨認執行檔
用來標示比對檔頭資料所偏移的位置，通常為0，表示由檔頭的起始位置開始比對
4
Magic
所要比對的檔頭資料或是副檔名的名稱
5
Mask
可以用來mask部分比對字串的位元，通常不使用
6
Interpreter
意義
指向我們所要採用的載入器，而我們使用的執行檔會成為這個載入器的第一個變數
CCL
Linux MISC Filesystem and JAVA
environment
以以下這段簡單的Java程式碼為例子
class HelloWorldApp {
public static void main (String args[]) {
System.out.println("Hello World!");
}
}
首先，把它存檔為 “HelloWorldApp.java”，透過程式 javac來進行編譯
[root@Proxy bin]# ls
HelloWorldApp.java cvm
[root@Proxy bin]# javac HelloWorldApp.java
HelloWorldApp.class HelloWorldApp.java cvm
[root@Proxy bin]#
CCL
透過jar把Java的Class檔壓縮，以便於日後在使用Java Class時，便於利用jar所壓縮的Java class壓縮檔，來減
少耗用的系統空間，接下來我們執行以下指令
[root@Proxy bin]# jar -cvf HelloWorldApp.jar HelloWorldApp.class
added manifest
adding: HelloWorldApp.class(in = 432) (out= 290)(deflated 32%)
HelloWorldApp.class HelloWorldApp.jar HelloWorldApp.java cvm
現在就可以透過我們剛剛編譯好的J2ME CDC版本的JVM﹝在目錄cdcfoundation/build/linux/bin/﹞來執行
Java的程式了，如下
[root@Proxy bin]# ./cvm -Djava.class.path=./HelloWorldApp.jar HelloWorldApp
GC[SS]: Initialized semi-space gen for generational GC
Size of *each* semispace in bytes=1048576
Limits of generation = [0x40159200,0x40359200)
First semispace
= [0x40159200,0x40259200)
Second semispace
= [0x40259200,0x40359200)
GC[MC]: Initialized mark-compact gen for generational GC
Size of the space in bytes=3145728
GC[generational]: Auxiliary data structures
heapBaseMemoryArea=[0x40159008,0x40659208)
cardTable=[0x830dc98,0x8310498)
objectHeaderTable=[0x83104a0,0x8312ca0)
summaryTable=[0x8312ca8,0x831cca8)
CCL
security properties not found. using defaults.
Hello World!
[root@Proxy bin]#
修改檔案 “/usr/local/jdk1.2.2/bin/ javawrapper”，把最後一行的
/usr/local/jdk1.2.2/bin/java $FQCLASS "$@"
修改為
/home/hlchou/javavm/cdcfoundation/build/linux/bin/cvm -Djava.class.path=./ $FQCLASS
"$@"
使得我們在執行Java Class時，會直接引用到J2ME CDC的JVM，在此我把參數 “java.class.path” 改為 “./” ，這是
假設我們會在Java Class所在的目錄中執行Java Class，各位可以根據自己不同的需求來加以修改，修改完後的環境，如
下所示
[root@Proxy bin]# ./HelloWorldApp.class
GC[SS]: Initialized semi-space gen for generational GC
Size of *each* semispace in bytes=1048576
First semispace
= [0x40159200,0x40259200)
Second semispace
= [0x40259200,0x40359200)
GC[MC]: Initialized mark-compact gen for generational GC
Size of the space in bytes=3145728
GC[generational]: Auxiliary data structures
heapBaseMemoryArea=[0x40159008,0x40659208)
cardTable=[0x830dc98,0x8310498)
objectHeaderTable=[0x83104a0,0x8312ca0)
summaryTable=[0x8312ca8,0x831cca8)
CCL
security properties not found. using defaults.
Hello World!
[root@Proxy bin]#
Linux MISC
Filesystem and
JAVA environment
CCL
Linux kernel mode http daemon
A kernel-mode http daemon
suitable for heavy loading server
Almost all commercial web servers are
running in user-mode.
AdvantageÎmaintenance is easy
DisadvantageÎextra user-kernel mode
memory copy
CCL

Linux kernel mode
kHTTPd 0.1.3 (marked "1.3", running kernel 2.2.10)
http"kernel236_zeus",
daemon running kernel 2.3.6)
Zeus (marked
Apache 1.3.3 (no tuning):
(X-axis = number of cuncurrent
requests (-c parameter from
ApacheBench), Y-axis = achieved
requests per second) All benchmarks
are done on a K6-2 350 Mhz server
with ApacheBench fetching a static
1K file on a K6-2 300 Mhz client, over
a 100BaseT (100 Mbit, full duplex)
network-connection.
CCL
Linux kernel mode
http daemon
User-mode http
server
CCL
Linux kernel
mode http
daemon
switch(call)
{
case SYS_SOCKET:
err = sys_socket(a0,a1,a[2]);
break;
case SYS_BIND:
err = sys_bind(a0,(struct sockaddr *)a1, a[2]);
break;
case SYS_CONNECT:
err = sys_connect(a0, (struct sockaddr *)a1, a[2]);
break;
case SYS_LISTEN:
err = sys_listen(a0,a1);
break;
case SYS_ACCEPT:
err = sys_accept(a0,(struct sockaddr *)a1, (int *)a[2]);
break;
…………………..
}
User-mode
socket
In net/socket.c
System Call
"sys_socketcall"
CCL
User-mode socket
參數
說明
所呼叫的核心函式
SYS_SOCKET
產生新的Socket
sys_socket
SYS_CONNECT
建立TCP/IP連線
sys_connect
SYS_LISTEN
等待連線要求
sys_listen
SYS_ACCEPT
接收連線要求
sys_accept
SYS_SEND
送出TCP/IP封包
sys_send
SYS_SENDTO
送出UDP/IP封包
sys_sendto
SYS_RECV
接收TCP/IP封包
sys_recv
SYS_RECVFROM
接收UDP/IP封包
sys_recvfrom
CCL
Usr-mode socket
User Mode的程式位於Ring 3，Kernel Mode的程式位於Ring 0，
所以說Ring 3的程式並不能隨意的讀寫位於Ring 0程式所掌握的
記憶體，而位於Ring 0的程式﹝Kernel Mode﹞，卻可以讀寫
Ring 3﹝User Mode﹞的記憶體。因為這樣的特性，如果說我們
的網頁伺服器是屬於User Mode的應用程式，每一次的收送封包
資料，都要進行一次User Mode與Kernel Mode資料的拷貝與交
換，對於系統效能上也有一定程度的影響。
CCL
Linux kernel mode
http daemon
Kernel-mode http
server
CCL
//in net/khttpd/main.c
int __init khttpd_init(void)
{
........….
(void)kernel_thread(ManagementDaemon,NULL,
CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
..…..
}
CCL
//in /usr/src/linux/net/khttpd/sockets.c
int StartListening(const int Port)
{
..…....
error = sock_create(PF_INET,SOCK_STREAM,IPPROTO_TCP,&sock);
......…
error = sock->ops->bind(sock,(struct sockaddr*)&sin,sizeof(sin));
.......
error=sock->ops->listen(sock,48);
.........
}
CCL
//The same as User-Mode Socket Procedure
asmlinkage long sys_bind(int fd, struct sockaddr *umyaddr, int addrlen)
{ ..…..
if((sock = sockfd_lookup(fd,&err))!=NULL)
{
if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
err = sock->ops->bind(sock, (struct sockaddr *)address,addrlen);
sockfd_put(sock);
} return err;}
asmlinkage long sys_listen(int fd, int backlog)
{
struct socket *sock;
int err;
if ((sock = sockfd_lookup(fd, &err)) != NULL) {
if ((unsigned) backlog > SOMAXCONN)
backlog = SOMAXCONN;
err=sock->ops->listen(sock, backlog);
sockfd_put(sock);
}
return err;}
CCL
Linux kernel mode
http daemon
CCL
Embedded linux
Linux support many hardware
platform
[root@ arch]# pwd
/hal/linux/arch
[root@ arch]# ls
alpha/ cris/ ia64/ mips/ parisc/ s390/ sh/
sparc64/
arm/ i386/ m68k/ mips64/ ppc/
s390x/ sparc/
[root@ arch]#
CCL
Embedded linux
Build crosscompiler
CCL
Embedded linux
A basic Linux root files system
CCL
Embedded linux
Busybox
CCL
Embedded linux
Linux
kernel
booting
CCL
File system on embedded linux
Flash
Why we need flash?
High reliability
Wear levelingÎextend device lifetime.
以Flash技術的應用來說,主要可以分為儲存資料
(Data Storage)與儲存程式碼,(Code
Storage)
Code Storage會注重於資料的容錯性以及讀寫的可靠
度
Data Storage主要是著重在容量大,速度快與單價低
CCL
NOR Flash
單位容量售價高,裝置可儲存空間小,可如同
RAM線性隨機存取,並且支援XIP(eXecute In
Place),可以如同記憶體一樣在Flash中執行應
用程式,而不必把程式把讀到記憶體(RAM)中. .
消除資料速度慢(消除區塊大小為64-128KB,約
需要5s),讀取資料速度快,主要設計用於ROM的
裝置上,目前Intel/Sharp與AMD/Fujitsu為產
能與技術主要的提供者
CCL
NAND Flash
單位容量售價低,裝置單元密度高,可提供高容量的儲存空
間,讀取方式為區塊存取,每個區塊可以有多個分頁(分頁
大小為512byes),每個分頁達到寫入次數上限時,就需要整
個區塊重新寫入,每個分頁都有額外16 bytes空間,可以用來
給日誌式檔案系統做為日誌記錄標記. 消除資料速度快
(消除區塊大小為8-32KB,約需要4ms). Toshiba為這領域主
要的供應商,主要設計可用來取代例如磁碟的儲存媒體
由於目前Flash媒體每個區塊平均最多可以消除100000次
(NAND Flash最多可以消除1百萬次),為了確保整個Flash裝置
可以獲得最佳化的利用,都會盡可能的把消除資料的位置平均
分散在整個Flash的空間(wear levelling),以提高Flash的使用壽命.
CCL
Flash Translation
Layers (FTL)
Emulate a standard
block device
Use a normal file
system on top of
that
M-Systems have
granted a licence
for
FTL to be used on
all PCMCIA devices
NFTL to be used
only on DiskOnChip
devices.
CCL

LEGAL NOTE: The FTL format is patented by M-Systems. They
have granted a license for its use with PCMCIA devices:
"M-Systems grants a royalty-free, non-exclusive license under
any presently existing M-Systems intellectual property rights
necessary for the design and development of FTL-compatible
drivers, file systems and utilities using the data formats with
PCMCIA PC Cards as described in the PCMCIA Flash Translation
Layer (FTL) Specification."
Use of the FTL format for non-PCMCIA applications may be an
infringement of these patents. For additional information,
contact M-Systems (http://www.m-sys.com) directly.
CCL
Flash Translation
Layer
CCL
Flash Translation Layer
wear levelling and reliable operation
sectors of the emulated block device are stored
in varying locations on the physical medium
``Translation Layer'' is used to keep track of the
current location of each sector in the emulated
block device.
Product
PCMCIA Flash CardÎNAND Flash
Disk On Chip(M-System)Î NAND Flash
Disk On ModuleÎNAND Flash
CCL
Ramdisk
User could use
memory as block
device.
Based on ramdisk
we could support
common filesystem
on it.
CCL
Ramdisk
Block devices --->
<*> RAM disk support
(4096) Default RAM disk size
(NEW)
[*] Initial RAM disk (initrd)
support
CCL
Memory
Technology Device
mtdchar
可以把MTD裝置註
冊成為Char Device
mtdblock
把MTD裝置註冊為
Block Device
CCL
Mtdram
modprobe mtdram total_size=32768
erase_size=256 可以在載入到記憶體時,定義
所要透過記憶體模擬MTD空間的大小,例如
total_sizeÎ指定MTD裝置大小(單位KB)
erase_sizeÎ指定每個可抹除區塊基本大小(單位
KB)
CCL
My linux-MTD and NOR flash
Kernel command line: root=/dev/mtdblock2 noinitrd
console=ttyS0,115200
….
…………….
….
flash device: 400000 at 1fc00000
Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of JEDEC chips: 1
1: offset=0x10000,size=0x10000,blocks=63
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00040000 : "pmon"
0x00040000-0x003e0000 : "linux"
0x00100000-0x003e0000 : "rootfs"
0x003e0000-0x00400000 : "nvram"
CCL
CramFS
CramFS是Linus Torvalds在Transmeta任職時，
所參與開發的檔案系統
CramFS is a read-only filesystem.
All data are compressed into each block
and decompress when we read it.
In Linux Kernel
Compressed ROM file system support
(CONFIG_CRAMFS) [Y/m/n/?]
CCL
CramFS
把Linux的原始碼解開後，可以在”
linux/scripts/cramfs”找到工具程式mkcramfs的原始碼，
在這目錄下可以透過 make 指令來把mkcramfs原始碼編
譯為可執行檔。首先，mkcramfs其實就是一個包含在
Linux核心原始碼環境中，用來製作CramFS檔案系統映像
檔的工具程式，我們只要把規劃好的使用者環境，透過
這個工具來壓縮處理，就可以生成屬於CramFS檔案系統
的映像檔，而透過mkcramfs生成的映像檔將會包含有
Superblock與完整的檔案系統結構......等，因為有了
這些基本的CramFS檔案系統結構，所以我們可以直接把
製作好的CramFS檔案系統映像檔裝置到我們目標儲存裝
置中。
CCL

CramFS

一個CramFS檔案系統映像檔的結
構，首先我們可以看到最前面就
是CramFS的Superblock，大小共
76 bytes。之後便是CramFS的
inode結構，最需要注意的一點就
是每個cramfs_inode的結構大小
為12 bytes，而每個
cramfs_inode所代表的檔案名稱
直接就會接在cramfs_inode的後
面，以0x00結尾。並
且 ”cramfs_inode + 檔案名稱”的
長度必須為4的倍數，如果不足的
部份就會補0，如果長度恰好為4
的倍數，那就不補0直接連接下一
個cramfs_inode。
如此 ”cramfs_inode + 檔案名
稱”+ ”cramfs_inode + 檔案名稱”
+ ”cramfs_inode + 檔案名
稱”........，的方式就構成了
CramFS檔案系統映像檔的目錄結
構。
CCL
CramFS
把製作好的執行環境放到目錄tree底下，透過指令du來查看目錄
中所有檔案的大小與總和，如下所示，
[root@hlchou /cramfs]# du tree
4.0k tree/lost+found
92k
tree/bin
4.0k tree/dev
12k
tree/etc/rc.d
72k
tree/etc
1.2M tree/lib
4.0k tree/proc
360k tree/sbin
4.0k tree/tmp
4.0k tree/usr
4.0k tree/var
1.8M tree
透過du指令，我們可以發現目前tree目錄底下所有的檔案大小總
和為1.8Mbytes，這是目前尚未經過壓縮的大小。
CCL
CramFS
[root@hlchou /cramfs]# ./mkcramfs tree tree.CramFS
.....
-71.09% (-51852 bytes) libpthread.so.0
-53.75% (-11660 bytes) libcrypt.so.1
-56.82% (-5052 bytes) libutil.so.1
-57.70% (-6088 bytes) libdl.so.2
166.67% (+15 bytes)
linuxrc
-45.60% (-69868 bytes) init
-46.45% (-3768 bytes) mingetty
300.00% (+12 bytes)
update
-50.62% (-21632 bytes) ifconfig
-50.81% (-19096 bytes) route
-51.99% (-12980 bytes) modprobe
-48.43% (-14160 bytes) insmod
-45.58% (-12328 bytes) syslogd
-49.05% (-9964 bytes) klogd
Everything: 816 kilobytes
[root@hlchou /cramfs]# ls -l *.CramFS
-rw-r--r-- 1 root
root 835584 Jul 16 18:41 tree.CramFS
我們可以發現原本為1.8Mbytes大小的目錄內容，被壓縮成一個835kbytes
的CramFS檔案系統映像檔
CCL
CramFS
函式cramfs_read_super﹝﹞中，會呼叫函式cramfs_read﹝﹞把Superblock讀取到記憶體中，並
且進行Superblock磁區的型態確認，例如
//確認Superblock的參數magic是否為 0x28cd3d45，
//若非則結束函式，並傳回NULL
if (super.magic != CRAMFS_MAGIC)
{
printk("wrong magic\n");
goto out;
}
//確認Superblock的參數signature是否為 "Compressed ROMFS"，
//若非則結束函式，並傳回NULL
if (memcmp(super.signature, CRAMFS_SIGNATURE, sizeof(super.signature)))
{
printk("wrong signature\n");
goto out;
}
//參數flags預設值為0，而CRAMFS_SUPPORTED_FLAGS值為0xff，
//在&運算後，若為1則結束函式，並傳回NULL
if (super.flags & ~CRAMFS_SUPPORTED_FLAGS)
{
printk("unsupported filesystem features\n");
goto out;
}
函式cramfs_read_super﹝﹞的最後，會呼叫函式get_cramfs_inode﹝﹞，取得CramFS檔案系統
根目錄的資訊。
CCL
List CramFS
directory
CCL
List
CramFS
directory
首先我們可以由Superblock取得根目錄﹝”/”﹞的cramfs_inode，例如﹕根目錄的offset為19
mode:41ffh uid:0h size:204 gid:0h namelen:0 offset:19 根目錄
也就是說這個根目錄底下的檔案或是目錄的資料會放在由CramFS磁區起始往後偏移19*4=76 bytes的
位置。接下來，我們偏移到76 bytes的位置，依序把”cramfs_inode + name”的結構讀取出來，得到
如下的結果
mode:41edh
mode:41edh
mode:45edh
mode:45edh
mode:41edh
mode:a1ffh
mode:45edh
mode:45edh
mode:41edh
mode:45edh
mode:41edh
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
uid:0h
size:0 gid:0h namelen:3 offset:0 lost+found
size:1208 gid:0h namelen:1 offset:70 bin
size:3536 gid:f6h namelen:1 offset:372 dev
size:264 gid:f6h namelen:1 offset:1256 etc
size:184 gid:0h namelen:1 offset:1334 lib
size:9 gid:0h namelen:2 offset:163264 linuxrc
size:0 gid:f6h namelen:1 offset:0 proc
size:176 gid:f6h namelen:1 offset:1380 sbin
size:0 gid:0h namelen:1 offset:0 tmp
size:0 gid:f6h namelen:1 offset:0 usr
size:0 gid:0h namelen:1 offset:0 var
其中，mode的值可以用來判斷目前的cramfs_inode是為目錄或是檔案型態。
CCL
List CramFS directory
如果說我們現在要查看etc目錄下的所有檔案或是目錄名稱，因為”etc”cramfs_inode的offset值為
1256，所以etc目錄底下的資料會存放在距離CramFS磁區起始位置偏移1256*4=5024 bytes的
cramfs_inode。所以我們現在由CramFS磁區起始位置偏移5024bytes，得到如下的結果
mode:45edh uid:0h size:48 gid:f6h namelen:1 offset:1322 rc.d
mode:81a4h uid:0h size:376 gid:f6h namelen:2 offset:12288 inittab
mode:81edh uid:0h size:21 gid:f6h namelen:2 offset:12331 passwd
mode:81edh uid:0h size:13 gid:f6h namelen:2 offset:12339 group
mode:81a4h uid:0h size:437 gid:f6h namelen:2 offset:12345 profile
mode:81a4h uid:0h size:97 gid:f6h namelen:3 offset:12411 protocols
mode:81a4h uid:0h size:11349 gid:f6h namelen:2 offset:12435 services
mode:81a4h uid:0h size:20 gid:f6h namelen:2 offset:13602 hosts
mode:81a4h uid:0h size:26 gid:f6h namelen:3 offset:13610 host.conf
..........
..........................
..........
透過這樣的方式，我們就可以把CramFS檔案系統映像檔的目錄內容解讀出來囉。不論是目錄的內容或是檔
案壓縮過的資料儲存位置，都可以經由Offset值來推算出來，並且讀取解壓縮到記憶體中。
CCL
Read file from
CramFS
CCL
Read file from CramFS
CramFS檔案系統預設是每次都會解壓縮4Kbytes的資料到Linux
Cache Memory中。所以說，如果讀者去觀察CramFS的讀取運
作時，會發現只有第一次檔案被讀取時才會動態的去解壓縮，第
二次與第二次以後的檔案讀取動作就會直接去該檔案目前所對應
到的Linux Cache Memory來讀取，而不會再去解壓縮，耗費系
統運算資源。這樣的運作原理，與我們一般使用的Linux 檔案系
統﹝例如﹕Ext2﹞是一致的，透過一個Cache的機制，讓目前被
讀取的檔案不必要每次都從磁碟機中讀取出來，浪費許多磁碟機
搜尋的時間，把目前使用的資料暫存在Cache中，可以增加每一
次讀取檔案的速度。如果在CramFS檔案系統中，檔案大小超過
4Kbytes的話，就會分多次來解壓縮。
CCL
Read file from CramFS
在Linux+CramFS的環境下，解決讀取大
型檔案的方式為，當使用者開啟一個大型
檔案時，系統並不會一口氣就把該檔的內
容讀取到記憶體中，所採取的方式是當使
用者讀取到檔案的某個位置時，在依據該
檔案目前所讀取內容儲存的磁區，來動態
的從磁碟系統中讀取出來，載入到記憶體
中。
CCL
JFFS
Journal Flash File System
Axis Communications AB released in
1999
Based on log-structured file system
Needn’t extra layer(Like FTL)
Direct access flash devices
CCL
JFFS Components
JFFS是純粹的LogStructured
Filesystem,系統只存
在一種Node Type為
jffs_raw_inode
Data Node的結構
inode
numberÎ32bits,
每個inode值都是唯
一且不重複
VersionÎ 32 bits ,
所以每個inode允許
有40億次的修改,但這
對於Flash的壽命
(100000次)而言基
本上是相當足夠的.
CCL
JFFS Operations
At mount time
Entire medium is scanned
Build the directory hierarchy and inode map
Write
Simply writing a new node to the end of the
log
Read
Read nodes in reverse version order
CCL
JFFS Operations
CCL
JFFS Operations
CCL
JFFS Garbage Collection
When empty spaces reach threshold
Garbage collection will be triggered
How to proceed the garbage collection
Erase dirty blocks and becomes available
for reuse
Proceed linearly from head to tail in the log
Write out a new data to the tail of the log
CCL
JFFS Garbage
Collection
CCL
JFFS2
January, 2001, David Woodhouse of Red Hat
Under both GPL and eCos Public License
Improvements
Compression

Non-Sequential Log Structure
Improved memory usage
Different node type for medium
Hard link support
ln <old name> <new name>
symbolic linkÎln -s source_file myfile
CCL
JFFS2 Based on MTD
[root@loda jffs2]# mount -t jffs2 /dev/hda3 test
mount: wrong fs type, bad option, bad superblock on
/dev/hda3,
or too many mounted file systems
[root@loda jffs2]#
jffs2: read_super for device 03:03
jffs2: attempt to mount non-MTD device 03:03
CCL
Embedded Windows Solution
CCL
Embedded Linux + Windows
What is the embedded windows solution for
Linux

Embedded Qt
Embedded gtk
tinyX
Pocket Linux
MicroWindows
MiniGUI
W-Windows
CCL
Embedded qt
We can get binary or source code
version from trolltech
http://www.trolltech.com/
The latest version is 2.2.4
Qt is written in C++ and is fully
object-oriented
Trolltech can offer training,
partnerships and first class support.
CCL
Embedded qt
The Qt Free Edition is
provided under the GNU
General Public License, GPL.
This specifies that you may
freely use the Qt/Embedded
Free Edition for:
Running GPL software
developed by others.
Development of GPL
software.
The Qt/Embedded
Professional / Enterprise
Editions are available for
development of
commercial/proprietary
software.
CCL
Embedded qt
The Qt library, with full source code
Licensing to create commercial applications with
Qt
One year of free upgrades to all new versions of
Qt
One year of free email support
Personal license certificate
The complete reference documentation in both
HTML and man-page format (Postscript is also
available)
There are no royalties, run-time licenses or other
additional costs. You can distribute your Qt-based
programs either statically or dynamically linked
without any additional charges.
CCL
Embedded qt
Konqueror has
SSL､Cookie､Java
Script､HTML4/CSS
... 。
It’s size is between
2.1 MB and 2.8 MB
CCL
Embedded gtk
AniMeta SPARROW GTK / Embedded Window System &
MicroBrowser
http://www.animeta.com
Easy installation and programming guide for rapid
application development
Well-integrated hardware with ready-to-use IA
solutions.
Immediate experience of AniMeta's reputable
SPARROW and GTK/embedded.
Easy UI customization
GTK+ API programming provides easy and standard
application development.
Fast time to market for IA products.
CCL
Access Browser for gtk
HTML 3.2, some HTML
4.0, frames, cookies,
JavaScript, JV-Lite
1.3.1(plug-in), and SSL
2.0/3。0
http://www.access.co.jp
CCL
EmGTK
www.emsoftltd.com
CCL
tinyX
tinyX can run X Windows under 4 MB
Ram
http://www.superant.com/smalllinux/smallX/tinyX01.
html
We can download somw tinyX demo
package from
http://www.tux.org/pub/distributions/tinylinux/tinyX/
tinyX is a GPL Project for embedded
windows
CCL
Pocket Linux
PocketLinux can run on X86、Strong
Arm...…etc
http://www.pocketlinux.com/
We can download source code from
http://www.pocketlinux.com/ftp/latest/src/
PocketLinux is distributed as Open Source
under the GNU General Public License.
CCL
Pocket Linux

PocketLinux is built on 4 key pieces of technology:

Linux 2.4.x - the latest incarnation of the Linux kernel
reengineered for small devices - such as PDAs, cellphones and
TVs.
Kaffe - our Open Source Java implementation developed with
embedded devices in mind - it enables PocketLinux to provide a
uniform programming engine on any device, regardless of
hardware.
XML - used to represent all data in PocketLinux whether it is the
configuration database, the incoming email and news feeds, or
the way applications look on the screen. This enables maximal
interoperation between devices.
The Web - our webserver and data proxy can deliver a
consistent interface to news, email, and other content, whether
you're using a desktop machine or another device
CCL
Pocket Linux
PocketLinux can run on
any hardware, and
because we use XML
and Java we can run
the same applications
anywhere... on the web,
on a cellphone,
anywhere
CCL
MicroWindows
Microwindows is a Open Source project
Century has developed support for StrongARM,
MIPS, PPC, SuperH, and x86 CPUs
http://www.century.com/
http://embedded.censoft.com/
The product for century is “Century Embedded
Operating Environment and Development
Toolkit for Linux”
Esfia ‘s RedBlue Linux will use Tiny-X and
Microwindows ﹐and browser is ViewML
http://www.esfia.com/
CCL
MicroWindows
Microwindows 圖形化視窗
系統﹐觸控式螢幕､點選式
鍵盤﹐手寫文字辨識。
嵌入式網頁瀏覽器 ViewML
（版本 0.18）﹐2MB 大小､
相容於 HTML 3.2。
FLNX（版本 0.14）發展工
具組､函式庫。
ScreenTop 視窗管理員。能
自定圖示､工具列﹐和應用
程式外觀。
應用程式：終端機模擬､負
載監控､時鐘､電池監控､
冷光切換﹐和時間／日期顯
示... 等等
CCL
MinuGUI
MiniGUI is base on SVGALib and LinuxThread
http://www.minigui.org/
MiniGUI is a graphics user interface (GUI) system，
and it can also run X-Windows and WinCE
MiniGUI has two Layer﹝for hardware independent﹞
Graphics Abstract Layer (GAL)
Input Abstract Layer (IAL)
MiniGUI libraries, including minigui and mywins,
use LGPL license
http://www.minigui.org/license.html
CCL
MinuGUI
CCL
MinuGUI
CCL
W-Windows
W-Windows is a GPL Project
http://vhl-tools.sourceforge.net/wdoc/clients.html
http://vhl-tools.sourceforge.net/
Main Page
http://devnull.owl.de/~frank/W.html
CCL
W-Windows
CCL
Conclusion
CCL

介紹作業系統概念的投影片

Transcription

Similar documents

Master of Engineering Thesis Evaluation and Implementation of the