KME(1) General Commands Manual KME(1)

kme - Kernel Memory Editor

kme
[-ahirstx] [-A addrscal [-b base] [-c corefile] [-d defsnames] [-D defspaths] [-e emuldev] [-f fepdev] [-k board_index] [-L extension] [-m hostlist] [-M offset:len] [-n namelist] [-p row] [-P pid] [-S addressmask] [-u uptime] [-U udp_port] [params ...]

Kme is a general purpose screen-oriented tool for viewing and modifying UNIX kernel memory. Upon invokation, the program continuously displays and updates one or more sections of /dev/kmem in a spreadsheet-like format. The memory range and display format may be defined on the command line or entered on the screen. Thereafter the corresponding memory contents are continuously displayed and updated on the screen, and may be modified by field entry. Available builtin display formats are character, hex and decimal in various byte, word and longword combinations. The file kme_defs in the current directory may contain user-defined display formats for composite memory structures.

Command line options include:

-a
Do not display address expressions.
-A addrscale
Scale input addresses by multiplying them by addrscale before accessing the corefile. Scale displayed addresses by dividing them by addrscale before displaying them.

The default value for addrscale is 1 (no scaling).

This feature is useful for displaying memory on devices that are not byte addressable, such as DSP memory. For example, when displaying memory on an Analog Devices 2187 DSP, a scale factor of 2 can be used for data memory and a scale factor of 4 can be used for program memory (4 is used instead of 3 because the underlying DSP interface is 32 bits wide, not 24 bits wide).

NOTE: this feature is not very well tested.

-b base
Add the hex number base to all addresses before accessing kernel memory.
-c corefile
Use the file corefile for memory accesses. If the environment variable KME_CORE is defined, it contains the default file name. Otherwise the default is /dev/kmem.
-d defsnames
Read user-defined display definitions from the colon-separated list of file names given in defsnames. If the environment variable KME_DEFS is defined, it contains the list of default file names. Otherwise the default is kme_defs in the current directory. The search path can be modified using the -D option. If a file can't be opened, a warning will be printed except that no warning will be printed if the file kme_defs can't be found.
-D defspaths
When searching for display definition files which aren't absolute file names (see -d), use defspaths as a colon separated list of directories to search. If the environment variable KME_PATH is defined, it contains the list of default directory names. Otherwise the default is the current directory.
-e emuldev
Access kernel memory using the HP64000 emulator connected to tty device emuldev. The program assumes a 38400 connection to port B of the emulator.
-f fepdev
Access kernel memory using DIGI_KME ioctl() calls directed to tty device fepdev.
-h
Suppress the one-line help memu normally displayed at screen bottom.
-i
Allow curses to use insert/delete line sequences when updating the screen.
-k board_conc
-L extension.so
Dynamically load a shared object as an extension to the display format capabilities of "kme". Not supported on all operating systems.
-m hostlist
Specifies a colon-separated list of TCP/IP hostnames where memory should be displayed. Each host must provide a kme/udp memory read/write server, as specified in the services file.
-M offset:len
Access memory by using the mmap() system call to map the corefile directly into kme's address space. Memory is mapped beginning at offset bytes from the beginning of corefile for a length of len bytes. Note that corefile is typically set to /dev/pmem when this option is used. Offset and len are specified using the conventions of strtol(), e.g. 0x500000:0x1000.
-n namelist
Read symbol definitions from the colon separated list of file names given in namelist. If the environment variable KME_SYMS is defined, it contains the default file list. Otherwise the default is kme_syms in the current directory. Each file may be either a binary file (defined by the ld library) or an ASCII file where each line contains a hexidecimal symbol value followed by a alphanumeric symbol name.
-p
Position the initial display so row is at the top of the screen.
-P process_id
Access the memory space of the running process with the specified process_id. If process_id is zero, it uses the process id of KME itself. (Useful for debugging KME) Best when combined with the -n
-r
Open /dev/kmem read-only, and prohibit all attempts to modify memory.
-s
Swap 2-byte and 4-byte quantities displayed from and written to the core file.
-S addressmask
All addresses read from the symbols file (ascii, coff, or nlisted) will be binary masked with addressmask.
-t
Normally, indexed arrays are displayed in the form of "foo+0xb4". This flag changes it to display the index into the array instead of the offset. The example may then display as "foo[4]". Same as ^T within the program.
-u uptime
Wait uptime tenths of a second after refreshing the screen before beginning a new refresh cycle. Default is 2, limiting screen refresh time to 5/second.
-U port
When accessing memory over the network (option -m) ignore the kme/udp entry in the services file, and assume the remote is listening on the specified UDP port.
-V
Print version and other information determined by the configuration process when kme was built.

-x Print debugging information to stderr.

Additional parameters specify initial screen display requests, or user format defines. The form:

line_number = memory_address / display_format

says to display data at screen line_number from at memory_address according to display_format. If line_number is 0 this data will display on the line following the first blank line after the previous display_format has completed. This method of determining format positioning may affect subsequent absolutely anchored references.

The form:

user_display_char = display_format

defines the upper-case single user_display_char to be an abbreviation for the display_format string which follows.

As a special case when using the -f option, the memory address field may be prefined by one or two hexidecimal digits and a (:) to designate the address space of a particular DigiBoard device. The first digit specifies the PC-bus board, while the second digit (if present) further specifies a concentrator attached to that host adapter. For example the prefix 03:1000 specifies address 0x1000 in the 3rd concentrator attached to the 1st host adapter board.

The CRT screen display is tabular, with a line number leftmost, the hex memory address next, and memory data fields every 8 columns thereafter across the screen. On a 24 by 80 CRT screen, the display is 23 address lines tall by 8 data columns wide, with a help menu on the bottom line.

Regardless of the screen size, kme supports 200 virtual display lines. At any given time, only a subset of these lines may be viewed through the screen window. The screen window follows the cursor, so the user may scroll through the range in the manner of an editor or spreadsheet.

Through command line parameters, or by screen entry, the user selects the data to be displayed on each address line. From the screen there are two methods to accomplish this. The user may type an m and enter a memory display string or user format character definition just as it would appear on a command line. He may also position the cursor to the desired address field, type the letter c for change, or e for edit, and then enter a string of the form:

address_expression / display_format

In either case, the memory address_expression value immediately appears on the specified display line, followed by zero or more data fields according to the display_format given. If more data fields are specified than fit across the screen, the data is extended to multiple lines, and the memory address of the first data field on each line is displayed in the corresponding address field.

The address_expression may include decimal (0t prefix) and hexidecimal numbers, symbols defined in the namelist file, and the operators listed below. Precedence is modeled after the C-language.

.
Structure element designator. Performs a simple binary add, but with much higher precedence.
{}
2-byte Subscript. The form a{b} returns the 16-bit quantity at address a+b in the corefile.
[]
4-byte Subscript. The form a[b] returns the 32-bit quantity at address a+b in the corefile.
Unary 32-bit indirection.
@
Unary 16-bit indirection.
#
Unary 8-bit indirection.
$
Fetch temporary value. The size of the current display item is available in temporary 0, although it will always be zero the first time the item is displayed. Other temporaries are stored with the $ display operator.
+
Unary plus.
Unary minus.
~
Unary NOT.
^
Swap 2 byte operand.
%
Swap 4 byte operand.
Multiply.
/
Divide. This operator is recognized only in parenthesized expressions, so it is not confused with the / separator character.
%
Modulus.
+
Binary add.
Binary subtract.
<<
Shift left.
>>
Shift right.
<
Less than.
>
Greater than.
<=
Less equal.
>=
Greater equal.
==
Equal.
!=
Not equal.
&
Bitwise AND.
^
Bitwise Exclusive OR.
|
Bitwise Inclusive OR.
?:
C-language style if-else conditional value operator.
<be16>
Conditional swap 2 byte operand. On a big-endian CPU, this operator is a NOP. On a little-endian CPU, this operator is the same as the ^ operator.
<be32>
Conditional swap 4 byte operand. On a big-endian CPU, this operator is a NOP. On a little-endian CPU, this operator is the same as the % operator.
<le16>
Conditional swap 2 byte operand. On a little-endian CPU, this operator is a NOP. On a big-endian CPU, this operator is the same as the ^ operator.
<le32>
Conditional swap 4 byte operand. On a little-endian CPU, this operator is a NOP. On a big-endian CPU, this operator is the same as the % operator.

Builtin format characters are lower-case letters, punctuation marks, and text strings delimited by single and double quotes. As a special case, text strings containing ´\h´ are used to toggle highlighting in the displayed string. You may want to use this for section headers or elsewhere for emphasis. User-defined format characters are upper case alpha letters. Format characters, and format strings enclosed in parens may be preceeded by a decimal repetition count, and concatenated to form a display string of arbitrary complexity. User-defined format characters may include other user-defined characters to a recursive limit of 10.

The builtin format characters are given below. Except as otherwise described, a preceeding decimal repetition behaves exactly as though the following character were repeated that number of times.

+
Increment the working memory address.
Decrement the working memory address.
´text´
Display text. If text is more than 8 characters, use multiple fields as required. Ignore any repetition count.
"text"
Same as above.
.
Display a blank data field.
:
Display nothing, but fetch subsequent blocks of display data from the memory device in blocks of count bytes. The effect continues until the end of the format string. This is often useful when reading device registers.
$
Display nothing, but store the current display address in the temporary value given by count.
%
Display nothing, but toggle the endianness swap flag. If enclosed in parenthesis, the effect ends at the next right paren. Otherwise the effect continues until the end of the format string.
=
Display nothing, but set an internal variable called width to the value of count.
*
Display nothing, but set the new count to the temporary value stored in temporary register number count.
&
Display nothing, but store the value at the current display address in temporary register number count. The width of the value fetched is determined by the current setting of width (see = format).
^
Display nothing, but roundup the value in temporary register number count. The value is rounded up to the next multiple of the current value of width.
#
Display nothing. If enclosed in parenthesis, set the working memory address to the working memory address at the last left paren plus count. Otherwise set the working memory address to address_expression plus count.
a
Mask the next memory byte with 0x7f and display the result in ASCII. Characters below 0x20 are shown with a caret as control characters.
b
Display the next memory byte in hexadecimal.
c
Display the next byte in an unambiguous character format. Characters below 0x20 are shown with a caret as control characters. Characters greater-equal 0x7f are shown in hexadecimal.
d
Display the next 2 bytes as signed decimal.
e
Display the next 4 bytes as an unsigned decimal. To keep the field size down to 8 characters, if the number exceeds 9,999,999, display a plus sign (+) followed by the lower 7 digits of the decimal value.
f
Display the next 4 bytes as floating point number with printf mode "%8f". This is probably terribly broken if your longs and your floats are different sizes.
i
Display the next byte as a character (masked to 7 bits), and the following byte in hexadecimal.
l
Display the next 4 bytes as an 8-digit hexadecimal number.
n
Advance to the next display line.
s
Display string data with zeroes shown as spaces, and other unprintable characters shown as periods. When used with a repeat count, up to 8 characters are shown per field, using as many fields as necessary to show the complete string.
t
Display the next byte of memory as unsigned decimal. u Display the next 2 bytes as an unsigned decimal.
x
Display the next 2 bytes of memory in hexadecimal.
z
Display the next 4 bytes of memory in decimal.

Screen commands are all single keystrokes, possibly preceeded by a repeat count. Available commands are:
^F
Page forward.
^U
Page back.
^D
Scroll down. The line scroll count is remembered and becomes the default scroll count next time.
^T
Normally, indexed arrays are displayed in the form of "foo+0xb4". This flag changes it to display the index into the array instead of the offset. The example may then display as "foo[4]". Same as -t on the command line.
^U
Scroll up. The line scroll count is remembered and becomes the default scroll count next time.
^J
Move down to the beginning of the next line.
^
Move to the address field.
+
Advance the memory address of the current display line by the size of the data displayed.
Decrement the memory address of the current display line by the size of the data displayed.
!
Prompt for and execute a shell command.
?
Toggle the appearance of the help menu on the bottom line of the screen.
a
Toggle address display mode.
b
Prompt for and accept a new memory base address.
c
Change the field under the cursor.
d
Delete the current line, and remember it in the save buffer. If a repeat count is given, delete and keep all those lines in a single operation.
e
Edit the contents of the field under the cursor using vi style editing commands.
f
When using an HP64000 emulator, switch command input to control port A. Memory updates will not succeed until switched back by other means.
g
If no repeat count is given, move the cursor to the last virtual display line. If a count is given, move to the line number given in that count.
h
Move left.
i
Insert count lines before the current one.
j
Move down.
k
Move up.
l
Move right.
m
Prompt for and accept either a display line request or a user format macro using the command line syntax.
n
Discard all existing symbol definitions and re-read the namelist files to get a fresh copy.
o
Output (print) the contents of the current screen to a file. If the first character of the file name is the pipe character (|), then the output is piped to a program. If the first two characters of the file name are >> then the output is appended to the file.
p
Put deleted lines back into the display.
q
Quit the program.
r
Discard all existing macro definitions and re-read the defspath files to get a fresh copy.
s
Save the configuration of the current display to a command file. Subsequently executing that command file should automatically recreate the current display.
u
Allow the user to enter a new update interval.
y
Yank (copy) the specified number of screen lines into the save buffer.
z
Zero the memory location under the cursor.

During all field entry, the user may invoke vi-style commands to edit the entry in the style of ksh. This facility supports the basic line editing command characters $.0abcdDfhiIlrstuwx, and the history command characters +-/jkn. The character q quits the field entry w/o change.

On startup, user-defined display formats are read from the colon-separated list of files defined in defspath. In this file, a line beginning with an upper-case letter defines the corresponding user format character. Subsequent indented lines are continuations. Single and double quoted strings are passed verbatim, otherwise white space is discarded, and everything on a line after an unquoted (#) is a comment.

An example file might contain:

A	"thead""ttail""tstart""tmax""rhead""rtail""rstart""rmax"
	8xN
	"cport""seg""rlow""rhigh"n
	4xnN
	"tlow""dcdtime""flow""mstat""lstat""status"n
	2x4bnN
	"imask""baud""dtype""hndshk""xoff""xon""hflush""btime"
	4b2c2bN
	"bcount""portnum""dmask""irq""tmask""tval""bstart"n
	6bxnN
	"rr0""rr1""rr3""rr10""wr0""wr1""wr2""wr3"
	8bN
	"wr4""wr5""wr9""wr11""wr12""wr13""wr14""wr15"
	8bN
	"ov/un""dcdlo""dcdhi""portbit"n
	4xnN
	"mcount""m10ms""mand""mor""mval"n
	xxbbbn 49+
L	l.
N	n

This file defines format A to display a 128 byte structure. The name of each field is displayed immediately above it. The 49+ at the end of the A definition pads out the size of the structure to be 128 bytes so that the + and - commands will work as desired. Normally, double spacing is used between lines, but the user may make it single spaced by redefining N to be Null.

When l format fields are displayed side-by-side, they run together. The L user format overcomes this by placing a blank field after the 8-character hexadecimal number.

The syntax for user defined formats has been enhanced, while remaining compatible with the mode described above. In a complex system, a limit of 26 uppercase user defined formats was restricive and difficult to make mnemonic. You can now also define the above format like this:

!channel	"thead""ttail""tstart""tmax""rhead""rtail""rstart""rmax"
	8xN
	...

You must display this symbolically named format with a leading ! character, so the program knows the difference between a symbol named "channel" and a format string consisting of c, h, and so on. All alphanumeric (plus underbar) characters following the ! are interpreted to be part of the format name.

A new feature in kme is the ability to extend display formats using shared objects. You can write your own C program to add an arbitrary display format to kme. The method to do this is operating system specific. With the GNU toolchain, you would do something like the following:

	$ cc -c dxbmsg.c -o dxbmsg.o
	$ ld -shared dxbmsg.o -o dxbmsg.so
	$ kme -L dxbmsg.so 1=0/!dxbmsg

The shared object must have an _init() routine which calls:

	typedef char * (*DLFUNC)(ulong *addrp);
	add_format(char *name, char *format, DLFUNC dlfunc);

for each new format name that it wants to define. If format is not NULL, then the new format is just a simple string. This is not interesting as you can already do this with kme_defs files. However, if dlfunc is not NULL, then (*dlfunc)(&addr) is called whenever the format needs to be displayed. &addr is a pointer to the variable which holds the current display address.

(*dlfunc)(ulong *addrp) can do one of two things. It can generate a format string on the fly and return a pointer to it. In this case, kme will display the format as returned. Or it can handle doing display updates itself. In this case, it returns NULL and must update the current display address (*addrp) itself.

An example format that displays a real C-string by returning a customized display format string is:

extern unsigned char *mem;
typedef unsigned long ulong;
char *
format(ulong * addrp)
{
	ulong		faddr = *addrp;
	ulong		zaddr;
	static char	fmt[32];
	for (;;)
	{
		if (!getmem(1))
			return "
		if (*mem == 0)
			break;
		(*addrp)++;
	}
	zaddr = *addrp;
	*addrp = faddr;
	sprintf(fmt, "%d a 1+0, zaddr - faddr);
	return (fmt);
}
void
_init(void)
{
	add_format("asciiz", NULL, &format);
}

The above example, although simple to implement, also shows why there is a second method for the way that extensions can choose to operate. The above example is inefficient, as memory will be traversed twice (once in the extension, and once in kme itself). However, the second method currently requires some knowledge of how kme is implemented internally. Translation: we are currently too busy to clean up and expose a set of functions for your convenient use.

/usr/lib/kme_defs
User defined formatting commands.
/dev/kmem
Access to kernel memory.
/etc/services
Internet Services file.

There needs to be a stack of last memory addresses, so that you can use '-' to step backwards thru memory when a variable length format from an extension is being used.
$Revision$ $Date$ BSD