When researching forensic memory dumping using FireWire, I stumbled across a problem when dumping parts of the physical memory space. Every time I tried to dump parts of the Upper Memory Area (a0000h to fffffh) the target computer froze completely. During my summer vacation I decided to figure out the reason, and now I think it is time to share my results.
To understand why dumping from UMA can be a problem we need to take a look at the architecture of a typical PC with an Intel chipset and FireWire support. As Figure 1 illustrates, the processor is connected to a Memory Controller Hub (MCH), which in turn is connected to an I/O Controller Hub (ICH). The system PCI bus, where the FireWire controller resides, is connected to the ICH.
Figure 1 - A typical PC based on an Intel chipset
Dumping the Upper Memory Area
The c0000h to fffffh range of the UMA is primarily intended for ROM. The MCH allows the thirteen areas that together make up the range (one 64 kB area and twelve 16 kB areas) to be configured separately. Each area can be read-mapped to either ROM or main memory, and independently write-mapped to either ROM or main memory. Let us consider the special case where an area is read-mapped to ROM and write-mapped to main memory. Let us further assume that the processor, for some reason, holds a modified cache line for this area.
Now we try to perform a memory dump over FireWire. At some point the FireWire controller will request a read from the area just described. When the processor snoops the read it sees that it has a corresponding cache line in the modified state, and issues an implicit writeback: the processor supplies the data itself, since it holds the most up-to-date copy. Since the area is configured as only read-mapped to main memory, the ICH becomes the target of the implicit writeback. The MCH then hangs, because it is not designed to handle implicit writebacks directed at the ICH.
The particular situation described above is perhaps not very common. In any case it is important to understand that, for some configurations, a memory dump over FireWire will lock the target computer before the dump has a chance to finish. The easiest solution is simply to skip the UMA range. In most configurations I have encountered so far, none of the areas in UMA is mapped entirely to main memory. However, there are systems with one or more of the areas mapped entirely to main memory, both read and write, and used as ordinary memory. Even in such systems we will never miss more than 1/4 MB of memory by skipping UMA.
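As an added example (not the author's tool), the following Python models the address layout described above and builds a FireWire dump plan that never issues a read inside a0000h to fffffh; it also reports which of the thirteen configurable areas a given read would touch, which is the first thing to check after a freeze. The function and constant names are my own; the chunk size and memory size used in the comments are constructed values.

```python
from typing import List, Tuple

# Upper Memory Area as given in the post: a0000h to fffffh (end is exclusive here).
UMA_START, UMA_END = 0xA0000, 0x100000

# The thirteen separately configurable MCH areas in c0000h-fffffh:
# twelve 16 kB areas (c0000h-effffh) and one 64 kB area (f0000h-fffffh).
PAM_AREAS: List[Tuple[int, int]] = [
    (0xC0000 + i * 0x4000, 0xC0000 + (i + 1) * 0x4000) for i in range(12)
] + [(0xF0000, 0x100000)]

def overlaps(a_lo: int, a_hi: int, b_lo: int, b_hi: int) -> bool:
    """True when the half-open ranges [a_lo, a_hi) and [b_lo, b_hi) share bytes."""
    return a_lo < b_hi and b_lo < a_hi

def areas_touched(offset: int, length: int) -> List[Tuple[int, int]]:
    """Configurable areas a DMA read of [offset, offset+length) would hit.
    After a freeze this says which area's read/write mapping to inspect."""
    return [a for a in PAM_AREAS if overlaps(offset, offset + length, *a)]

def dump_plan(mem_size: int, chunk: int = 0x1000,
              skip: Tuple[int, int] = (UMA_START, UMA_END)) -> List[Tuple[int, int]]:
    """(offset, length) read requests covering [0, mem_size) minus `skip`.
    A request that would straddle the hole is clipped at the hole's start and
    the plan resumes at the hole's end, so no read is ever issued inside it."""
    plan: List[Tuple[int, int]] = []
    pos = 0
    while pos < mem_size:
        end = min(pos + chunk, mem_size)
        if overlaps(pos, end, *skip):
            if pos < skip[0]:
                plan.append((pos, skip[0] - pos))
            pos = skip[1]
            continue
        plan.append((pos, end - pos))
        pos = end
    return plan

def bytes_lost(plan: List[Tuple[int, int]], mem_size: int) -> int:
    """Bytes of [0, mem_size) the plan leaves unread; of these, at most the
    thirteen areas (1/4 MB) can ever be backed by real main memory."""
    return mem_size - sum(length for _, length in plan)

def max_ram_lost() -> int:
    """Upper bound on main memory missed by skipping UMA: the thirteen areas."""
    return sum(hi - lo for lo, hi in PAM_AREAS)

# Constructed usage: a 2 MiB target read in 64 kB DMA requests.
PLAN = dump_plan(2 * 1024 * 1024, chunk=0x10000)
```

`bytes_lost(PLAN, 2 * 1024 * 1024)` is 0x60000 (the whole 384 kB hole), while `max_ram_lost()` is 0x40000, the 1/4 MB bound the text gives for memory that can actually be main memory.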