What corruption is indicated by WinDbg and !chkimg? - windbg

I am often having BSODs, and WinDbg reports similar corruption for most of them:
4: kd> !chkimg -lo 50 -d !nt
fffff80177723e6d-fffff80177723e6e 2 bytes - nt!MiPurgeZeroList+6d
[ 80 fa:00 e9 ]
2 errors : !nt (fffff80177723e6d-fffff80177723e6e)
and
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff8021531ae6d-fffff8021531ae6e 2 bytes - nt!MiPurgeZeroList+6d
[ 80 fa:00 aa ]
2 errors : !nt (fffff8021531ae6d-fffff8021531ae6e)
What does it mean? What is compared with what, and how can it be that the corruption is similar? Does it explicitly indicate a RAM problem?
UPDATE
What do these numbers mean? fffff80177723e6d and fffff8021531ae6d? What does it mean that the endings coincide?
What does the following code mean: nt!MiPurgeZeroList+6d?

I already answered this on superuser.com. Windbg downloads the original Exe/DLLs from the Symbol Server and now the chkimg command detects corruption in the images of executable files by comparing them to the copy on a symbol store.
All sections of the file are compared, except for sections that are discardable, that are writeable, that are not executable, that have "PAGE" in their name, or that are from INITKDBG. You can change this behavior by using the -ss, -as, or -r switches.
!chkimg displays any mismatch between the image and the file as an image error, with the following exceptions:
Addresses that are occupied by the Import Address Table (IAT) are not checked.
Certain specific addresses in Hal.dll and Ntoskrnl.exe are not checked, because certain changes occur when these sections are loaded. To check these addresses, include the -nospec option.
If the byte value 0x90 is present in the file, and if the value 0xF0 is present in the corresponding byte of the image (or vice versa), this situation is considered a match. Typically, the symbol server holds one version of a binary that exists in both uniprocessor and multiprocessor versions. On an x86-based processor, the lock instruction is 0xF0, and this instruction corresponds to a nop (0x90) instruction in the uniprocessor version. If you want !chkimg to display this pair as a mismatch, set the -noplock option.
If the RAM is fine, check the HDD / HDD cables for errors (disk diag tool and run chkdsk to detect and fix NTFS issues). You can also connect the HDD to a different SATA port on the mainboard.
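The two !chkimg results quoted in the question can be compared mechanically. The following is an added example, not code from the original posts (the function names are hypothetical): it parses the -d output, where the bytes left of the colon come from the reference file and the bytes right of it are what is in memory, and reports whether both dumps hit the same symbol offset and page offset and how many bits differ in each byte.

```python
import re
from dataclasses import dataclass

# The two "!chkimg -lo 50 -d !nt" outputs quoted in the question, embedded as sample input.
DUMP_A = """fffff80177723e6d-fffff80177723e6e 2 bytes - nt!MiPurgeZeroList+6d
[ 80 fa:00 e9 ]
2 errors : !nt (fffff80177723e6d-fffff80177723e6e)"""
DUMP_B = """fffff8021531ae6d-fffff8021531ae6e 2 bytes - nt!MiPurgeZeroList+6d
[ 80 fa:00 aa ]
2 errors : !nt (fffff8021531ae6d-fffff8021531ae6e)"""

RANGE_RE = re.compile(r"^\s*([0-9a-f`]+)-([0-9a-f`]+)\s+\d+ bytes? - (\S+?)(?:\+([0-9a-f]+))?\s*$", re.I)
BYTES_RE = re.compile(r"^\s*\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]\s*$", re.I)

@dataclass
class Mismatch:
    start: int        # first mismatching virtual address
    end: int          # last mismatching virtual address
    symbol: str       # nearest symbol, e.g. nt!MiPurgeZeroList
    offset: int       # byte offset from that symbol
    expected: bytes   # left of ':'  -> bytes in the reference file
    actual: bytes     # right of ':' -> bytes found in the memory image

def parse_chkimg(text):
    """Pair each 'range - symbol+off' line with the '[ expected:actual ]' line after it."""
    out, pending = [], None
    for line in text.splitlines():
        r, b = RANGE_RE.match(line), BYTES_RE.match(line)
        if r:
            lo, hi = (int(x.replace("`", ""), 16) for x in r.group(1, 2))
            pending = (lo, hi, r.group(3), int(r.group(4) or "0", 16))
        elif b and pending:
            out.append(Mismatch(*pending, bytes.fromhex(b.group(1)), bytes.fromhex(b.group(2))))
            pending = None
    return out

def bit_flips(m):
    """Number of differing bits in each byte (expected XOR actual, popcount)."""
    return [bin(e ^ a).count("1") for e, a in zip(m.expected, m.actual)]

def compare(a, b):
    """Compare the same finding across two dumps taken on different boots."""
    return {
        "same_symbol_offset": (a.symbol, a.offset) == (b.symbol, b.offset),
        "same_page_offset": (a.start & 0xFFF) == (b.start & 0xFFF),  # bases are page-aligned
        "same_expected": a.expected == b.expected,
        "same_actual": a.actual == b.actual,
    }

if __name__ == "__main__":
    a, b = parse_chkimg(DUMP_A)[0], parse_chkimg(DUMP_B)[0]
    print(compare(a, b), bit_flips(a), bit_flips(b))
```

For the two dumps above, the symbol offset, page offset (0xe6d) and expected bytes match, while the bytes found in memory differ between the dumps.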

Related

Where on disk is the BIOS file used by Simics?

(I saw one of my previous posts didn't actually answer the "where's the BIOS file used by simics?" question, so I renamed the previous one and am pulling that question out and making it standalone here.)
I can see the BIOS code for a default "targets\qsp-x86\firststeps.simics" invocation by just stepping through the debugger from the start. But if I want to see the full binary, is there a specific file somewhere I can look at?
You can check the "bios" attribute on the motherboard image:
simics> board.mb->bios
"%simics%/targets/qsp-x86/images/SIMICSX58IA32X64_1_0_0_bp_r.fd"
You can specify what BIOS image to use by bios_image script parameter to qsp-clear-linux.simics scripts.
Help info for the script:
$ ./simics -h targets/qsp-x86/qsp-clear-linux.simics
System:
bios_image - existing file or NIL
BIOS file.
Default value:
"%simics%/targets/qsp-x86/images/SIMICSX58IA32X64_1_0_0_bp_r.fd"
You can run with your own BIOS like this:
$ ./simics -e '$bios_image=my-bios.bin' targets/qsp-x86/qsp-clear-linux.simics
Now the BIOS is not quite handled consistently with some other things. Typically in Simics, disks and similar things are images. You can list them using list-persistent-images and resolve locations using lookup-file:
simics> list-persistent-images
┌─────────────────────┬────────────┬───────────────────────────────────────────────────────┐
│Image │Unsaved data│File(s) (read-only/read-write) │
├─────────────────────┼────────────┼───────────────────────────────────────────────────────┤
│board.disk0.hd_image │ no│%simics%/targets/qsp-x86/images/cl-b28910-v2.craff (ro)│
│board.disk1.hd_image │ no│ │
│board.mb.sb.spi_image│ yes│%simics%/targets/qsp-x86/images/spi-flash.bin (ro) │
└─────────────────────┴────────────┴───────────────────────────────────────────────────────┘
simics> lookup-file "%simics%/targets/qsp-x86/images/spi-flash.bin"
"/disk1/simics-6/simics-qsp-x86-6.0.47/targets/qsp-x86/images/spi-flash.bin"
The BIOS in the QSP is just loaded straight into target memory for execution. Which is a bit of a cheat for convenience.
Upon searching around, I found the following folder:
C:\Users\yourusername\AppData\Local\Programs\Simics\simics-qsp-x86-6.0.44\targets\qsp-x86\images
Inside that folder are the following 3 files:
SIMICSX58IA32X64_1_0_0_bp_r.fd
SIMICSX58IA32X64-ahci.fd
spi-flash.bin
Both SIMICSX58IA32X64_1_0_0_bp_r.fd and SIMICSX58IA32X64-ahci.fd have UEFI filevolume headers at the start, and a seeming BIOS entry point at the end. The spi-flash.bin seems to have a placeholder of the flash descriptor which would go at the start of the flash, but is mostly empty. So I believe Intel basically either stitches these together in memory, or possibly just uses the spi-flash.bin to allow for "soft strap" configuration or somesuch (since it's a virtual MCH/ICH anyway.)
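The firmware-volume headers mentioned in the post above can be located and sanity-checked with a short script. This is an added example, not part of the original post or of Simics: the header layout follows the UEFI PI specification, the function names are hypothetical, and the sample volume is constructed rather than taken from the .fd files.

```python
import struct
import uuid

# Fixed part of EFI_FIRMWARE_VOLUME_HEADER (PI spec): ZeroVector, FileSystemGuid, FvLength,
# Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
SIG_OFFSET = 40  # "_FVH" sits 40 bytes into the header

def checksum16(data):
    """Sum of little-endian 16-bit words, modulo 2**16; a valid header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def header_ok(hdr, hdr_len):
    """The header must be fully present, at least 56 bytes, word-sized, and sum to zero."""
    return (len(hdr) == hdr_len and hdr_len >= FV_HEADER.size
            and hdr_len % 2 == 0 and checksum16(hdr) == 0)

def find_firmware_volumes(blob):
    """Return one record per "_FVH" signature that has room for a header around it."""
    found, pos = [], blob.find(b"_FVH")
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_HEADER.size <= len(blob):
            _, guid, fv_len, _, _, hdr_len, _, _, _, rev = FV_HEADER.unpack_from(blob, start)
            found.append({
                "offset": start,
                "fs_guid": str(uuid.UUID(bytes_le=guid)),
                "fv_length": fv_len,
                "header_length": hdr_len,
                "revision": rev,
                "checksum_ok": header_ok(blob[start:start + hdr_len], hdr_len),
                "fits_in_file": start + fv_len <= len(blob),
            })
        pos = blob.find(b"_FVH", pos + 1)
    return found

def build_sample_volume():
    """Constructed 64 KiB volume for the demo; not one of the Simics images."""
    guid = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 file system GUID
    block_map = struct.pack("<IIII", 16, 0x1000, 0, 0)  # 16 blocks of 4 KiB, then terminator
    hdr_len = FV_HEADER.size + len(block_map)
    hdr = FV_HEADER.pack(b"\0" * 16, guid, 0x10000, b"_FVH", 0, hdr_len, 0, 0, 0, 2) + block_map
    fix = (-checksum16(hdr)) & 0xFFFF  # value that makes the header sum to zero
    hdr = hdr[:50] + struct.pack("<H", fix) + hdr[52:]
    return hdr + b"\xff" * (0x10000 - hdr_len)

if __name__ == "__main__":
    for fv in find_firmware_volumes(b"\0" * 0x200 + build_sample_volume()):
        print(fv)
```

To inspect a real image, pass the file's bytes to find_firmware_volumes instead of the constructed sample.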

Program and Run PIC18 with pickit4 on linux

I am on linux ubuntu and target is a PIC18F47J53.
I basically want to program the chip and then let it run, using command lines and using pickit4.
Using ipecmd (from MPLAB X IDE v5.45), this is my command:
/opt/microchip/mplabx/v5.45/sys/java/zulu8.40.0.25-ca-fx-jre8.0.222-linux_x64/bin/java -jar /opt/microchip/mplabx/v5.45/mplab_platform/mplab_ipe/ipecmd.jar -TPPK4 /P18F47J53 -M -F"/path_to_myfile.hex" -W
This is my output
DFP Version Used : PIC18F-J_DFP,1.4.41,Microchip
*****************************************************
Connecting to MPLAB PICkit 4...
Currently loaded versions:
Application version............00.06.66
Boot version...................01.00.00
Script version.................00.04.17
Script build number............db473af2f4
Tool pack version .............1.6.961
PICkit 4 is supplying power to the target (3.25 volts).
Target device PIC18F47J53 found.
Device Revision Id = 0x1
*****************************************************
Calculating memory ranges for operation...
Erasing...
The following memory area(s) will be programmed:
program memory: start address = 0x0, end address = 0x3ff
program memory: start address = 0x1fc00, end address = 0x1fff7
configuration memory
Programming/Verify complete
Program Report
30-Jan-2021, 12:54:41
Device Type:PIC18F47J53
Program Succeeded.
Operation Succeeded
All good, and it takes about 12 seconds. However, after that the pickit4 turns off the target power, and the pickit LED is BLUE (I guess state "ready").
The main question is: how can I let the pickit4 keep powering the boards? Any specific parameter? (I cannot find one in the readme.html.)
If I use MPLAB X IPE GUI to program, the programming is much quicker (3 or 4 seconds), the pickit LED is YELLOW and the target is left powered on. (I selected "release from reset")
I have tried to get the log out with as many details as possible, but I cannot see the commands sent to the pickit4.
Any idea? thanks
I realize that it's been a while since you asked, but I put the answer here for anyone who needs it. Add -OL to your command line options.

Listing the volumes on Solaris OS

I am new to Solaris OS, and trying to write a script which collects volume data from a Solaris box.
We did a similar script for Linux, and we used the "df -P" command to list the volumes, and select the entries that start with "/dev".
By default, in Linux, I could see a volume "/dev/sda1".
When I run the df command on the Solaris box (df -k), I could not see any entry similar to (/dev/*) in my output.
When I mounted a CD, I could see an entry in the df output as below.
/dev/dsk/c1t1d0s2 57632 57632 0 100% /media/VBOXADDITIONS_5.0.14_105127
So, in Solaris, what is the pattern I should look for to pick the volumes?
And why am I not seeing at least one volume in the pattern /dev/?
Is it "/dev" or something else?
I am using a Solaris 11 image on Oracle VirtualBox.
When I try the "format" command, I could see 3 disks:
AVAILABLE DISK SELECTIONS:
0. c1d0 <VBOX HAR-8ea18e8b-2b2a0a5-0001-31.25GB> testvolu
/pci#0,0/pci-ide#1,1/ide#0/cmdk#0,0
1. c2d0 <VBOX HAR-b4343b55-dbed77c-0001 cyl 1020 alt 2 hd 64 sec 32>
/pci#0,0/pci-ide#1,1/ide#1/cmdk#0,0
2. c3t0d0 <ATA-VBOX HARDDISK-1.0 cyl 1009 alt 2 hd 64 sec 32>
/pci#0,0/pci8086,2829#d/disk#0,0
But I don't see any partition in "df -k".
Also, I read here (https://docs.oracle.com/cd/E19455-01/805-6331/6j5vgg680/index.html) that disk names should be in "/dev/dsk/*" format.
Solaris 11 uses ZFS which has no one to one relationship between volumes (partitions) and file systems.
You can look at zpool status output to get the underlying devices.
$ zpool status
pool: rpool
state: ONLINE
scan: none requested
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
c1t0d0 ONLINE 0 0 0
Here, the whole c1t0d0 disk is used, hence no sx or px suffix.

Dump file + PDB files - is it possible to create dump on one PC and then investigate it on another?

One certain problem is only reproducible on customer side.
We cannot reproduce it locally despite all our attempts.
But I know that TaskMgr in Windows 2008 R2 has a possibility to create dump file for a process. So, my question: is it possible to create dump on customer site for a certain process of our software and then investigate that dump file locally?
We already made a new build of our software (we saved a build sandbox and *.PDB files for all binaries). Then we installed that on site and now we are waiting when customer report that problem happens again so we will create a dump file for hanging process and then try to investigate it.
My question has 2 parts:
Would such method work at all?
If yes - how exactly to do that?
At the moment I have some doubt if that would work. Because I have tried to create a proof-test on my local Win 2008 R2 VM. I build all with .PDB files, then I run our software in a mode when it makes a long pause in the middle and I clicked "Create Dump File" in TaskMgr exactly when it does a pause (its simple call of Sleep(30000)). Then I tried to load that dump file in WinDbg and check what I could find there. First thing which makes me pessimistic about such way is a wrong stack trace. In particular - I cannot see a full stack trace in WinDbg. It shows me only stack trace for wow64.dll and ntdll.dll modules, I cannot see stack trace for our code.
In particular I see only this:
wow64cpu!TurboDispatchJumpAddressEnd+0x6c0
wow64cpu!TurboDispatchJumpAddressEnd+0x56b
wow64!Wow64SystemServiceEx+0x1ce
wow64!Wow64LdrpInitialize+0x42a
ntdll!RtlUniform+0x6e6
ntdll!RtlCreateTagHeap+0xa7
ntdll!LdrInitializeThunk+0xe
But when I try to attach process with debugger I see a full call-stack, like this:
ntdll.dll!7754fd91()
[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]
ntdll.dll!7754fd91()
KernelBase.dll!76ae3bd5()
KernelBase.dll!76ae44a5()
ScrVm.DLL!Profiler::DoSleep(int milliseconds=30000) Line 205
ScrVm.DLL!Script::VmToolKit::iMethod_Sleep(unsigned char & han
ScrVm.DLL!CComponent::Invoke(const _SU::basic_string<char,std
ScrVm.DLL!Script::VirtualMachine::do_Invoke(Script::VmCommand
ScrVm.DLL!Script::VirtualMachine::InnerLoop() Line 4471
ScrVm.DLL!Script::VirtualMachine::Execute(unsigned long hFunc=
ScrVm.DLL!ScriptProcessor::Run(const _SU::basic_string<char,st
ScrVm.DLL!ScriptProcessor::ProcessDocument() Line 285 + 0x40 by
ScrVm.DLL!DocumentProcessor::Process(BinaryDOM::Document * pDo
ScrVm.DLL!CFuncExecScript::Execute() Line 219
ScrVm.DLL!SrvManager::Execute() Line 586 + 0x1d bytes
ScrVm.DLL!SrvManager::Run(tag_TReqHdr * pRequestBuf=0x00187
ScrVm.DLL!SrvManager::HandleRequest(tag_TReqHdr * pRequest
ScrVm.DLL!SrvProcessRequest(tag_TReqHdr * pRequestBuf=0x0
ScrVm.DLL!ProcessRequest(char * pRequestBuf=0x001873b6, char *
ScrVm.DLL!ProcessRequest_DLL(char * achMsg=0x001873b6, char * a
siteExec212.exe!00409b2d()
siteExec212.exe!0040a4cf()
As you can see WinDbg seems only showing last 7 items in stack which are useless for me. Question - is it possible to discover the full stack trace from dump file created in TaskMgr in Windows 7/2008? Or at least - I need more items in stack trace, to see from what place in our code this call was made.
Note: compiler MS VisualStudio 2008, WinDbg 6.12 x64.
Since your process is 32 bit you must use the 32 bit version of Task Manager to create the dump. Default installs have it in C:\Windows\SysWow64\taskmgr.exe
Also, make sure to use the 32 bit version of windbg.

Not getting UUID from diskutil on OSX

Running Mac OSX 10.7.5
I want to enable NTFS on a USB3 external hard disk and need the UUID to do it (http://ntfsonmac.com) but diskutil is refusing to give me the UUID. I start with:
diskutil info /Volumes/HD-PCTU3/
then from this:
diskutil info disk2s1
Device Identifier: disk2s1
Device Node: /dev/disk2s1
Part of Whole: disk2
Device / Media Name: Untitled 1
Volume Name: HD-PCTU3
Escaped with Unicode: HD-PCTU3
Mounted: Yes
Mount Point: /Volumes/HD-PCTU3
Escaped with Unicode: /Volumes/HD-PCTU3
File System Personality: NTFS
Type (Bundle): ntfs
Name (User Visible): Windows NT File System (NTFS)
Partition Type: Windows_NTFS
OS Can Be Installed: No
Media Type: Generic
Protocol: USB
SMART Status: Not Supported
Total Size: 500.1 GB (500107804672 Bytes) (exactly 976773056 512-Byte-Blocks)
Volume Free Space: 499.9 GB (499896778752 Bytes) (exactly 976360896 512-Byte-Blocks)
Device Block Size: 512 Bytes
Read-Only Media: No
Read-Only Volume: Yes
Ejectable: Yes
Whole: No
Internal: No
but as can be seen there is no UUID displayed. Any ideas why and/or how to get the UUID?
The only way I've been able to find involves a somewhat poorly documented feature of the hfs.util.
Run the diskutil command and then copy/remember/save the Device Identifier:
diskutil info /Volumes/my_drive_label | grep "Device Identifier"
You can use the hfs.util with the Device Identifier (replacing disk2s1 below) from diskutil to (re)generate a UUID for your volume:
/System/Library/Filesystems/hfs.fs/hfs.util -s disk2s1
Keep in mind this won't work for every volume: if the volume is not an HFS drive then it may not work, and other Filesystem/*.fs/*.util commands may not have a -s verb to generate UUIDs.
UPDATE
In Yosemite and after the -s flag has been disabled at the source level. I haven't been able to find a pre-modified version of hfs.util, but you can do it yourself using the information found in this Superuser question, summarized here:
Download the hfs.util source from Apple and extract it to a temporary folder
Download hfs_fsctl.h from Apple and put it in the hfs.util folder
Change line 47 of hfsutil_jnl.c into #include <hfs_fsctl.h>
Change line 80 of hfsutil_main.c into #include <System/uuid/uuid.h>
Change line 81 of hfsutil_main.c into static unsigned char kFSUUIDNamespaceSHA1[] = {0xB3,0xE2,0x0F,0x39,0xF2,0x92,0x11,0xD6,0x97,0xA4,0x00,0x30,0x65,0x43,0xEC,0xAC}; (replacing the include line)
Also add #define HFS_UUID_SUPPORT 1 to hfsutil_main.c
There might still be something missing in the argument parsing section if the above doesn't work, please reference the Superuser question and comment if I've missed something.
Some people have also reported that it may be possible to use Gparted to change the UUID of a drive.
I'm on Mac OS X 10.6.8 and bought NTFS 4TB Seagate USB3.0 drive.
Plugged in, Mac allowed me to read files from it, but not write to it. When I select 'Get Info' for the volume/disk, I see 'You can read only' under 'Sharing & Permissions'.
I copied a large file from Windows 10 to the USB Drive, worked fine. I then downloaded the file to Mac, worked fine, but won't allow me to write anything from Mac to the USB drive, or make any changes to it eg. delete or rename files on the USB drive.
My reason for getting this USB drive formatted in NTFS was to copy files from Mac larger than 4GB to Windows for redundant backup, because of 4GB limit in FAT.
One solution I found online was to sudo echo UUID to /etc/fstab
When I diskutil info, I don't get UUID.
I also see the following extracts:
File System Personality: NTFS
Type (Bundle): ntfs
Name (User Visible): Windows NT File System (NTFS)
&
Read-Only Media: No
Read-Only Volume: Yes
Ejectable: Yes
My solution was to download Samsung NTFS for Mac Driver from:
https://www.seagate.com/au/en/support/downloads/item/samsung-ntfs-driver-master-dl/
After installation & reboot, I noticed the following changes:
1.
When I select 'Get Info' for the volume/disk, I see 'You can read and write' under 'Sharing & Permissions'.
2.
File System Personality: UFSD_NTFS
Type (Bundle): ufsd_NTFS
Name (User Visible): Windows NT Filesystem
3.
Read-Only Media: No
Read-Only Volume: No
Ejectable: Yes
The readme file (pdf) that comes with the download says NTFS features also work in Mac for the USB drive.
Now I can read/write to the disk, and is also visible in Finder. I've tested read & write speeds with a 2GB file, and don't see any difference in performance/speed between the NTFS & HFS+ Journaled volumes.
Finally after 2 days of reading about sudo, hfs.util & diskutil, I can now get back to backing up data from Mac 10.6 to USB NTFS drive.