/home/tftpboot/wanha/etc/ser2net.conf
2001:raw:600:/dev/ttyS0:38400 8DATABITS NONE 1STOPBIT

lindi@sauna:~$ nc wanha 2001 -vvv
wanha.l.org [192.168.0.3] 2000 (sieve) open
Linux version 2.4.18 (lindi@kurp) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Fri Feb 11 14:39:53 EET 2005
BIOS-provided physical RAM map:
BIOS-88: 0000000000000000 - 000000000009f000 (usable)
BIOS-88: 0000000000100000 - 0000000000300000 (usable)
On node 0 totalpages: 512
zone(0): 512 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,38400n8 mem=2M root=/dev/ram init=/linuxrc
Initializing CPU#0
Calibrating delay loop... 16.48 BogoMIPS
Memory: 712k/2048k available (600k kernel code, 948k reserved, 89k data, 40k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Dentry-cache hash table entries: 512 (order: 0, 4096 bytes)
Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: AMD 02/0a stepping 04
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Serial driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Universal TUN/TAP device driver 1.4 (C)1999-2001 Maxim Krasnyansky
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 15k freed
VFS: Mounted root (minix filesystem).
Freeing unused kernel memory: 40k freed
asmutils shell
# cd bin
cd bin
# utun
12 <--- pid of m_inetd

^a : exec :.: sudo kurp/utun/utun
(Make sure sudo won't ask for password.)

Another solution:
sudo kurp/utun/utun < /dev/ttyS0 > /dev/ttyS0

lindi@sauna:~$ ping -c1 10.0.0.3
PING 10.0.0.3 (10.0.0.3) from 10.0.0.2 : 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=138 ms

--- 10.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% loss, time 0ms
rtt min/avg/max/mdev = 138.101/138.101/138.101/0.000 ms

4500005400004000400126a50a0000020a00000308001a04250401008e9b0e422f17010008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
4500005400004000400126a50a0000020a00000308001a04250401008e9b0e422f17010008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637

lindi@sauna:~$ nc 10.0.0.3 10023 -vvv
10.0.0.3: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.3] 10023 (?) open
asmutils shell
#
# mount -t proc proc /proc
#

lindi@sauna:~$ echo -en "cat /proc/meminfo\nexit\n" | nc 10.0.0.3 10023 -vvv
10.0.0.3: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.3] 10023 (?)
open asmutils shell # cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 774144 598016 176128 0 8192 126976 Swap: 0 0 0 MemTotal: 756 kB MemFree: 172 kB MemShared: 0 kB Buffers: 8 kB Cached: 124 kB SwapCached: 0 kB Active: 92 kB Inactive: 116 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 756 kB LowFree: 172 kB SwapTotal: 0 kB SwapFree: 0 kB # exit logout sent 23, rcvd 566 i=0; while true; do echo try $i; echo -en "cat /proc/kcore\nexit\n" | nc 10.0.0.3 10023 -vvv > kcore.$i; sleep 300; done cat filelist.txt | while read filename; do echo -en "cat $filename\nexit\n" | nc 10.0.0.3 10023 -vvv; sleep 1; done | grep -Ev "^(logout|# exit|asmutils shell)$" # cat /proc/misc 200 net/tun # cat /proc/bus # cat /proc/tty # cat /proc/driver # cat /proc/fs # cat /proc/net # cat /proc/slabinfo slabinfo - version: 1.1 kmem_cache 54 70 112 2 2 1 tcp_tw_bucket 12 40 96 1 1 1 tcp_bind_bucket 1 203 16 1 1 1 tcp_open_request 0 59 64 0 1 1 inet_peer_cache 1 78 48 1 1 1 ip_fib_hash 2 203 16 1 1 1 ip_dst_cache 2 24 160 1 1 1 arp_cache 1 35 112 1 1 1 blkdev_requests 64 96 80 2 2 1 dnotify cache 0 0 20 0 0 1 file lock cache 0 0 92 0 0 1 fasync cache 0 0 16 0 0 1 uid_cache 0 0 32 0 0 1 skbuff_head_cache 15 27 144 1 1 1 sock 6 10 816 2 2 1 sigqueue 0 0 132 0 0 1 cdev_cache 2 78 48 1 1 1 bdev_cache 1 59 64 1 1 1 mnt_cache 8 59 64 1 1 1 inode_cache 25 32 480 4 4 1 dentry_cache 21 70 112 2 2 1 filp 15 35 112 1 1 1 names_cache 0 1 4096 0 1 1 buffer_head 108 120 96 3 3 1 mm_struct 5 27 144 1 1 1 vm_area_struct 14 48 80 1 1 1 fs_cache 4 78 48 1 1 1 files_cache 4 9 416 1 1 1 signal_act 6 9 1296 2 3 1 size-131072(DMA) 0 0 131072 0 0 32 size-131072 0 0 131072 0 0 32 size-65536(DMA) 0 0 65536 0 0 16 size-65536 0 0 65536 0 0 16 size-32768(DMA) 0 0 32768 0 0 8 size-32768 0 0 32768 0 0 8 size-16384(DMA) 0 0 16384 0 0 4 size-16384 0 0 16384 0 0 4 size-8192(DMA) 0 0 8192 0 0 2 size-8192 0 0 8192 0 0 2 size-4096(DMA) 0 0 4096 0 0 1 size-4096 2 3 4096 2 3 1 size-2048(DMA) 0 0 2048 0 0 1 
size-2048 3 6 2048 2 3 1 size-1024(DMA) 0 0 1024 0 0 1 size-1024 1 4 1024 1 1 1 size-512(DMA) 0 0 512 0 0 1 size-512 9 16 512 2 2 1 size-256(DMA) 0 0 256 0 0 1 size-256 6 15 256 1 1 1 size-128(DMA) 0 0 128 0 0 1 size-128 52 60 128 2 2 1 size-64(DMA) 0 0 64 0 0 1 size-64 15 59 64 1 1 1 size-32(DMA) 0 0 32 0 0 1 size-32 21 113 32 1 1 1 # cat /proc/cpuinfo processor : 0 vendor_id : AuthenticAMD cpu family : 4 model : 10 model name : 02/0a stepping : 4 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : no fpu_exception : no cpuid level : 1 wp : yes flags : bogomips : 4.07 # cat /proc/mounts /dev/root / minix rw 0 0 proc /proc proc rw 0 0 # cat /proc/execdomains 0-0 Linux [kernel] # cat /proc/iomem 00000000-0009efff : System RAM 000a0000-000bffff : Video RAM area 000f0000-000fffff : System ROM 00100000-001fffff : System RAM 00100000-00196c08 : Kernel code 00196c09-001ad8cb : Kernel data # cat /proc/swaps Filename Type Size Used Priority # cat /proc/locks # cat /proc/cmdline console=ttyS0,38400n8 mem=2M root=/dev/ram init=/linuxrc # cat /proc/ioports 0000-000f : dma1 0020-0021 : pic1 0022-0023 : csc 0040-0043 : timer 0060-0064 : keyboard 0080-008f : dma page reg 00a0-00a1 : pic2 00c0-00df : dma2 02f8-02ff : serial(auto) 03f8-03ff : serial(auto) # cat /proc/dma 4: cascade # cat /proc/filesystems nodev rootfs nodev bdev nodev proc nodev sockfs nodev tmpfs nodev pipefs minix # cat /proc/interrupts CPU0 0: 3159753 XT-PIC timer 2: 0 XT-PIC cascade 4: 5437544 XT-PIC serial NMI: 0 ERR: 1 # cat /proc/partitions major minor #blocks name # cat /proc/devices Character devices: 1 mem 2 pty 3 ttyp 4 ttyS 5 cua 10 misc 162 raw Block devices: 1 ramdisk 43 nbd # cat /proc/stat cpu 33014 0 335750 2791486 cpu0 33014 0 335750 2791486 page 64 35 swap 0 0 intr 8598175 3160250 0 0 0 5437924 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 disk_io: ctxt 563190 btime 1108260676 processes 201 # cat /proc/version Linux version 2.4.18 (lindi@kurp) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Fri Feb 11 23:44:21 EET 2005 # cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 774144 593920 180224 0 8192 114688 Swap: 0 0 0 MemTotal: 756 kB MemFree: 176 kB MemShared: 0 kB Buffers: 8 kB Cached: 112 kB SwapCached: 0 kB Active: 64 kB Inactive: 132 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 756 kB LowFree: 176 kB SwapTotal: 0 kB SwapFree: 0 kB # cat /proc/uptime 31609.79 28471.59 # cat /proc/loadavg 0.36 0.12 0.04 3/10 209 # cat /proc/tty/drivers serial /dev/cua 5 64-67 serial:callout serial /dev/ttyS 4 64-67 serial pty_slave /dev/ttyp 3 0-255 pty:slave pty_master /dev/pty 2 0-255 pty:master /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty # cat /proc/tty/ldiscs n_tty 0 # cat /proc/tty/driver/serial serinfo:1.0 driver:5.05c revision:2001-07-08 0: uart:16550A port:3F8 irq:4 baud:38400 tx:83013701 rx:2485727 RTS|DTR|DSR 1: uart:16550A port:2F8 irq:3 tx:0 rx:0 2: uart:unknown port:3E8 irq:0 3: uart:unknown port:2E8 irq:3 # cat /proc/net/udp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode # cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 00000000:2727 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14 1 c01edcc0 300 0 0 2 -1 1: 0300000A:2727 0200000A:A291 06 00000000:00000000 03:00000BE7 00000000 0 0 0 2 c00240f0 2: 0300000A:2727 0200000A:A29B 06 00000000:00000000 03:0000163B 00000000 0 0 0 2 c0024210 3: 0300000A:2727 0200000A:A29A 06 00000000:00000000 03:0000158A 00000000 0 0 0 2 c00241b0 4: 0300000A:2727 
0200000A:A299 06 00000000:00000000 03:000014E8 00000000 0 0 0 2 c0024150 5: 0300000A:2727 0200000A:A29D 01 00000023:00000005 01:000000A6 00000000 0 0 168 4 c002b330 185 4 8 2 -1 6: 0300000A:2727 0200000A:A29C 06 00000000:00000000 03:000016E4 00000000 0 0 0 2 c0024270 # cat /proc/net/sockstat sockets: used 5 TCP: inuse 2 orphan 0 tw 6 alloc 2 mem 1 UDP: inuse 0 RAW: inuse 0 FRAG: inuse 0 memory 0 # cat /proc/net/snmp Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates Ip: 2 64 21351 0 0 0 0 0 21310 30158 0 0 0 0 0 0 0 0 0 Icmp: InMsgs InErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks InAddrMaskReps OutMsgs OutErrors OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps Icmp: 8 0 0 0 0 0 0 8 0 0 0 0 0 8 0 0 0 0 0 0 0 8 0 0 0 0 0 Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts Tcp: 0 0 0 0 0 0 0 0 1 21324 30150 8904 0 1 Udp: InDatagrams NoPorts InErrors OutDatagrams Udp: 0 0 0 0 # cat /proc/net/netstat TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled RcvPruned OfoPruned OutOfWindowIcmps LockDroppedIcmps ArpFilter TW TWRecycled TWKilled PAWSPassive PAWSActive PAWSEstab DelayedACKs DelayedACKLocked DelayedACKLost ListenOverflows ListenDrops TCPPrequeued TCPDirectCopyFromBacklog TCPDirectCopyFromPrequeue TCPPrequeueDropped TCPHPHits TCPHPHitsToUser TCPPureAcks TCPHPAcks TCPRenoRecovery TCPSackRecovery TCPSACKReneging TCPFACKReorder TCPSACKReorder TCPRenoReorder TCPTSReorder TCPFullUndo TCPPartialUndo TCPDSACKUndo TCPLossUndo TCPLoss TCPLostRetransmit TCPRenoFailures TCPSackFailures TCPLossFailures 
TCPFastRetrans TCPForwardRetrans TCPSlowStartRetrans TCPTimeouts TCPRenoRecoveryFail TCPSackRecoveryFail TCPSchedulerFailed TCPRcvCollapsed TCPDSACKOldSent TCPDSACKOfoSent TCPDSACKRecv TCPDSACKOfoRecv TCPAbortOnSyn TCPAbortOnData TCPAbortOnClose TCPAbortOnMemory TCPAbortOnTimeout TCPAbortOnLinger TCPAbortFailed TCPMemoryPressures TcpExt: 0 0 0 0 0 0 0 0 0 0 70 0 0 0 0 0 3 1 0 0 0 317 0 64 0 101 2 15048 5953 0 3789 0 0 0 0 0 0 0 0 387 1212 252 0 563 118 6649 0 593 73 0 752 0 0 0 0 5 0 0 1 2 0 0 0 0 0 # cat /proc/net/raw sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode # cat /proc/net/rt_cache_stat 00000002 00005364 00000014 00000000 00000000 00000000 00000000 00000000 000000bb 00000009 00000000 # cat /proc/net/rt_cache Iface Destination Gateway Flags RefCnt Use Metric Source MTU Window IRTT TOS HHRef HHUptod SpecDst tun0 0200000A 0200000A 0 2 161 0 0300000A 1500 0 166 00 -1 0 0300000A lo 0300000A 0300000A 84000000 1 21353 0 0200000A 40 0 0 00 -1 0 0300000A # cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT tun0 0000000A 00000000 0001 0 0 0 00FFFFFF 40 0 0 # cat /proc/net/arp IP address HW type Flags HW address Mask Device # cat /proc/net/netlink sk Eth Pid Groups Rmem Wmem Dump Locks c01ed000 0 0 00000000 0 0 00000000 2 c01ed660 4 0 00000000 0 0 00000000 2 # cat /proc/net/dev_mcast # cat /proc/net/softnet_stat 00005396 00000000 00000007 00000000 00000000 00000000 00000000 00000000 00000000 # cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 tun0: 1215085 21403 0 0 0 0 0 0 41471081 30208 0 0 0 0 0 0 take screenshot: # mknod /dev/mem c 1 1 echo -en "dd if=/dev/mem of=a bs=1 skip=755376 count=16000\nexit\n" | nc 10.0.0.3 10023 -vv # nbd-client # mkdir /usr # mount -t minix /dev/nd0 /usr # cat /proc/mounts /dev/root / minix rw 0 0 proc /proc 
proc rw 0 0
/dev/nd0 /usr minix rw 0 0
# /usr/bin/cal
    Feb 2005
Su Mo Tu We Th Fr Sa
       1  2  3  4  5
 6  7  8  9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28
# /usr/bin/cpuinfo
00 00000001 68747541 444D4163 69746E65
01 000004A4 00000000 00000000 00000000
# /usr/bin/date
Sun Feb 13 15:18:34 2005
# /usr/bin/factor 141419
141419: 103 1373
# /usr/bin/netstat
Active Internet connections (w/o servers)
Proto Local Address Foreign Address State
tcp 10.0.0.3:10023 10.0.0.2:42153 ESTABLISHED
tcp 10.0.0.3:3074 10.0.0.2:2000 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
# /usr/bin/ps
PID TTY STAT RSS COMMAND
1 0 S 5 (linuxrc)
2 0 S 0 (keventd)
3 0 R 0 (ksoftirqd_CPU0)
4 0 S 0 (kswapd)
5 0 S 0 (bdflush)
6 0 S 0 (kupdated)
7 0 R 5 (utun)
12 0 S 3 (m_inetd)
320 0 S 5 (sh)
340 0 S 2 (nbd-client)
360 0 R 2 (ps)
# echo hello world | /usr/bin/rot13
uryyb jbeyq
# /usr/bin/uptime
#
That also printed "Out of Memory: Killed process 45 (sh)." to console.
# /usr/bin/ping 10.0.0.2
10.0.0.2 is alive!
# /usr/bin/wget 10.0.0.2 hello.txt
# cat hello.txt
Hello World!
# /usr/bin/ping 216.239.59.147
Aha, routing problem.
# route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0
# /usr/bin/ping 216.239.59.147
#
Now tcpdump shows the packet but firewall stops it. After adjusting firewall rules:
# /usr/bin/ping 216.239.59.147
216.239.59.147 is alive!
# /usr/bin/wget 198.64.149.47 blank.html
# cat blank.html

# Create nice image of memory
$ echo -en "cat /proc/kcore\nexit\n" | nc 10.0.0.3 > kcore
$ (echo "P4 2048 8192"; cat kcore) > kcore.pbm
$ gimp kcore.pbm

with http://iki.fi/lindi/mtdtest2.config :
Linux version 2.4.18 (lindi@kurp) (gcc version 2.95.4 20011002 (Debian prerelease)) #2 Fri Feb 18 13:12:30 EET 2005
BIOS-provided physical RAM map:
BIOS-88: 0000000000000000 - 000000000009f000 (usable)
BIOS-88: 0000000000100000 - 0000000000300000 (usable)
On node 0 totalpages: 512
zone(0): 512 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,38400n8 mem=2M root=/dev/ram init=/linuxrc Initializing CPU#0 Calibrating delay loop... 4.07 BogoMIPS Memory: 832k/2048k available (479k kernel code, 828k reserved, 82k data, 40k init, 0k highmem) Checking if this processor honours the WP bit even in supervisor mode... Ok. Dentry-cache hash table entries: 512 (order: 0, 4096 bytes) Inode-cache hash table entries: 512 (order: 0, 4096 bytes) Mount-cache hash table entries: 512 (order: 0, 4096 bytes) Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes) Page-cache hash table entries: 1024 (order: 0, 4096 bytes) CPU: AMD 02/0a stepping 04 Checking 'hlt' instruction... OK. POSIX conformance testing by UNIFIX Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Starting kswapd Serial driver version 5.05c (2001-07-08) with no serial options enabled ttyS00 at 0x03f8 (irq = 4) is a 16550A ttyS01 at 0x02f8 (irq = 3) is a 16550A block: 64 slots per queue, batch=16 RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize MTD Sharp chip driver 5066: Octagon Probe Failed, is this an Octagon 5066 SBC? 
Could not find PAR responsible for SC520CDP Flash Bank #0 Trying default address 0x8400000 Could not find PAR responsible for SC520CDP Flash Bank #1 Trying default address 0x8c00000 Could not find PAR responsible for SC520CDP DIL Flash Trying default address 0x9400000 SC520 CDP flash device: 800000 at 8400000 CFI: Found no SC520CDP Flash Bank #0 device at location zero priv->size is zero mtd: Giving out device 0 to SC520CDP Flash Bank #0 SC520 CDP flash device: 800000 at 8c00000 CFI: Found no SC520CDP Flash Bank #1 device at location zero priv->size is zero mtd: Giving out device 1 to SC520CDP Flash Bank #1 SC520 CDP flash device: 80000 at 9400000 CFI: Found no SC520CDP DIL Flash device at location zero did recognize jedec chip mtd: Giving out device 2 to SC520CDP DIL Flash Tempustech VMAX 301 MEM:0xd8000-0xe0000 Unable to handle kernel paging request at virtual address ffffdfff printing eip: c015d55b *pde = 00002063 *pte = 00000000 Oops: 0002 CPU: 0 EIP: 0010:[] Not tainted EFLAGS: 00010286 eax: ffffffff ebx: 00000000 ecx: c018be20 edx: 00000000 esi: c018be20 edi: 000000f0 ebp: c0091f58 esp: c0091d64 ds: 0018 es: 0018 ss: 0018 Process swapper (pid: 1, stackpage=c0091000) Stack: c015d698 c018be20 00000000 c0091f58 c018be20 c018bb64 c01560f1 c018be20 000000f0 00000000 c0091f58 c018be20 c018bb64 c018be20 c0188ee8 00000286 00000001 c0188f00 c010f9a0 c019febc c015a3ea c018be20 00000000 00000000 Call Trace: [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] Code: 66 89 90 00 e0 ff ff 89 51 30 c3 89 f6 56 53 8b 74 24 0c 8b <0>Kernel panic: Attempted to kill init! with http://iki.fi/lindi/mtdtest3.config : Linux version 2.4.18 (lindi@kurp) (gcc version 2.95.4 20011002 (Debian prerelease)) #3 Fri Feb 18 14:01:01 EET 2005 BIOS-provided physical RAM map: BIOS-88: 0000000000000000 - 000000000009f000 (usable) BIOS-88: 0000000000100000 - 0000000000300000 (usable) On node 0 totalpages: 512 zone(0): 512 pages. zone(1): 0 pages. zone(2): 0 pages. 
Kernel command line: console=ttyS0,38400n8 mem=2M root=/dev/ram init=/linuxrc Initializing CPU#0 Calibrating delay loop... 4.08 BogoMIPS Memory: 840k/2048k available (477k kernel code, 820k reserved, 81k data, 40k init, 0k highmem) Checking if this processor honours the WP bit even in supervisor mode... Ok. Dentry-cache hash table entries: 512 (order: 0, 4096 bytes) Inode-cache hash table entries: 512 (order: 0, 4096 bytes) Mount-cache hash table entries: 512 (order: 0, 4096 bytes) Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes) Page-cache hash table entries: 1024 (order: 0, 4096 bytes) CPU: AMD 02/0a stepping 04 Checking 'hlt' instruction... OK. POSIX conformance testing by UNIFIX Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Starting kswapd Serial driver version 5.05c (2001-07-08) with no serial options enabled ttyS00 at 0x03f8 (irq = 4) is a 16550A ttyS01 at 0x02f8 (irq = 3) is a 16550A block: 64 slots per queue, batch=16 RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize MTD Sharp chip driver Could not find PAR responsible for SC520CDP Flash Bank #0 Trying default address 0x8400000 Could not find PAR responsible for SC520CDP Flash Bank #1 Trying default address 0x8c00000 Could not find PAR responsible for SC520CDP DIL Flash Trying default address 0x9400000 SC520 CDP flash device: 800000 at 8400000 CFI: Found no SC520CDP Flash Bank #0 device at location zero priv->size is zero mtd: Giving out device 0 to SC520CDP Flash Bank #0 SC520 CDP flash device: 800000 at 8c00000 CFI: Found no SC520CDP Flash Bank #1 device at location zero priv->size is zero mtd: Giving out device 1 to SC520CDP Flash Bank #1 SC520 CDP flash device: 80000 at 9400000 CFI: Found no SC520CDP DIL Flash device at location zero did recognize jedec chip mtd: Giving out device 2 to SC520CDP DIL Flash $Id: ftl.c,v 1.39 2001/10/02 15:05:11 dwmw2 Exp $ ftl_cs: FTL header not found. ftl_cs: FTL header not found. 
ftl_cs: FTL header not found. NFTL driver: nftlcore.c $Revision: 1.82 $, nftlmount.c $Revision: 1.25 $ NFTL_notify_add for SC520CDP Flash Bank #0 No OOB data, quitting NFTL_notify_add for SC520CDP Flash Bank #1 No OOB data, quitting NFTL_notify_add for SC520CDP DIL Flash No OOB data, quitting RAMDISK: Compressed image found at block 0 Freeing initrd memory: 15k freed VFS: Mounted root (minix filesystem). Freeing unused kernel memory: 40k freed asmutils shell # cat /proc/mtd dev: size erasesize name mtd0: 00800000 00020000 "SC520CDP Flash Bank #0" mtd1: 00800000 00020000 "SC520CDP Flash Bank #1" mtd2: 00080000 00020000 "SC520CDP DIL Flash" # mknod /dev/mtdblock0 b 31 0 # mknod /dev/mtdblock1 b 31 1 # mknod /dev/mtdblock2 b 31 2 # cat /dev/mtdblock2 mtdblock_open ok mtdblock: read on "SC520CDP DIL Flash" at 0x0, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x1000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x2000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x3000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x4000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x5000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x6000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x7000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x8000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x9000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0xa000, size 0x1000 ... mtdblock: read on "SC520CDP DIL Flash" at 0x7d000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x7e000, size 0x1000 mtdblock: read on "SC520CDP DIL Flash" at 0x7f000, size 0x1000 mtdblock_release ok # dd if=/dev/mtdblock2 of=/tmp/a bs=128 count=1 mtdblock_open ok mtdblock: read on "SC520CDP DIL Flash" at 0x0, size 0x1000 mtdblock_release ok # hexdump /tmp/a 00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
# cat /proc/devices
Character devices:
1 mem
2 pty
3 ttyp
4 ttyS
5 cua
10 misc
90 mtd
162 raw
Block devices:
1 ramdisk
31 mtdblock
44 ftl
93 nftl
# mknod /dev/nftl0 b 93 0
# dd if=/dev/nftl0 of=/tmp/a bs=128 count=1
dd if=/dev/nftl0 of=/tmp/a bs=128 count=1
NFTL_open
ENODEV: thisNFTL = 0, minor = 23808, ip = c0193430, fp = c009d270

# Using bochs
1) get http://iki.fi/lindi/bochsrc.txt
2) get any DOS boot floppy image
3) mount bochs-floppy /mnt -oloop
   cp bootlin.com kernel.img initrd.img /mnt
   umount /mnt
4) open some terminal (screen window, virtual console, xterm) and run
   "tty" to get its name. Then add that to bochsrc.txt, e.g.
     com1: enabled=1, dev=/dev/pts/1
   Now run something like "sleep 1000000" in this terminal
5) Start bochs on some other terminal

http://www.ctyme.com/intr/rb-0607.htm

# bios1.asm (this version had bugs, it didn't set all registers
# correctly, see bios4.asm)
org 0100h
mov ah, 02h
mov al, 1
mov ch, 1
mov cl, 0
mov dh, 0
mov dl, 1
mov bx, buf
int 13h
sti
mov ax, 4c00h
int 21h
buf times 1024 db 42h

ch=0 dl=0
EB FE 90 4D 53 44 4F 53 33 33 31 00 02 02 01 00 02 E0 00 00 00 F0
ch=1 dl=0
01 1F 02 1F 03 1F 04 1F 05 1F 06 1F 07 1F 08 1F 09 1F 0A 1F 0B 1F
ch=0 dl=1
EB FE 90 4D 53 44 4F 53 33 33 31 00 02 02 01 00 02 10 00 E0 0E F8

# interrupt handler 13h
# at f000:cb46
sti
int 40
retf 0002
sub ah, ah
stc
retf 0002
sub ah,ah
stc
retf 0002
ret
sti
push ds
call cc81
cmp dl, [003f]
jz cb7c
# same as hex:
FB CD 40 CA 02 00 2A E4 F9 CA 02 00 2A E4 F9 CA 02 00 C3 FB 1E E8 23 01 3A 16 3F 00 74 18 80 FC 00
# fortunately these can be found from the kcore dump
                              | starting here at 000FCB67
000FCB60 16 4D 03 1F CF C3 00 FB CD 40 CA 02 00 2A E4 F9
# unique match

INTERRUPT HANDLER 13h
000FCB67:iFB sti
000FCB68:iCD40 int 40
000FCB6A:iCA0200 retf 0002
000FCB6D:i2AE4 sub ah,ah
000FCB6F:iF9 stc
000FCB70:iCA0200 retf 0002

INTERRUPT HANDLER 40h
# interrupt 40 seems to be a helper routine that 13h just
# calls. http://www.ctyme.com/intr/rb-6131.htm does not list much
# info.
# code at f000:cb59
fb 1e e8 23 01 3a163f00 7418 80fc00 7428 3a163e00
# these are again fortunately in kcore dump:
000FCB7A:iFB sti
000FCB7B:i1E push ds
000FCB7C:iE82301 calln file:000FCCA2 ; what does this do? let's call it FUN1
000FCB7F:i3A163F00 cmp dl,[+003F] ; = 00
000FCB83:i7418 je file:000FCB9D
000FCB85:i80FC00 cmp ah,00
000FCB88:i7428 je file:000FCBB2
000FCB8A:i3A163E00 cmp dl,[+003E] ; 01
000FCB8E:i7414 je file:000FCBA4
000FCB90:i3A163C00 cmp dl,[+003C] ; 02
000FCB94:i7415 je file:000FCBAB
000FCB96:i1F pop ds ; if no drive number matched, return
000FCB97:i2AE4 sub ah,ah
000FCB99:iF9 stc
000FCB9A:iCA0200 retf 0002
000FCB9D:iE88124 calln file:000FF021
000FCBA0:i1F pop ds
000FCBA1:iCA0200 retf 0002
000FCBA4:iE81214 calln file:000FDFB9 ; FUN2
000FCBA7:i1F pop ds
000FCBA8:iCA0200 retf 0002
000FCBAB:iE8EB08 calln file:000FD499
000FCBAE:i1F pop ds
000FCBAF:iCA0200 retf 0002
000FCBB2:i52 push dx
000FCBB3:i2AE4 sub ah,ah

FUN1
000FCCA2:i2E8E1EA8BE mov ds,[cs:+BEA8]
000FCCA7:i8E1E0E00 mov ds,[+000E]
000FCCAB:iC3 retn
# ds seems to be 0xffff after this

FUN2
# kcore 000FDFB9
# ram f000:df98
000FDFB9:iFB sti
000FDFBA:iFC cld
000FDFBB:i1E push ds
000FDFBC:iE8E3EC calln file:000FCCA2
000FDFBF:i8E1E4000 mov ds,[+0040]
000FDFC3:i80FC17 cmp ah,17
000FDFC6:i731E jnc file:000FDFE6
000FDFC8:i53 push bx
000FDFC9:i8ADC mov bl,ah
000FDFCB:i2AFF sub bh,bh
000FDFCD:i03DB add bx,bx
000FDFCF:i2E8B9F43BF mov bx,[cs:bx-40BD]
000FDFD4:i891E0002 mov [+0200],bx
000FDFD8:i5B pop bx
000FDFD9:iFF160002 call (w) [+0200]
000FDFDD:iE8B6EC calln file:000FCC96
000FDFE0:i88264100 mov [+0041],ah
000FDFE4:i1F pop ds
000FDFE5:iC3 retn
000FDFE6:iE87C00 calln file:000FE065
000FDFE9:iEBF2 jmps file:000FDFDD
000FDFEB:iC3 retn
000FDFEC:iB400 mov ah,00
000FDFEE:iF8 clc
000FDFEF:iC3 retn
000FDFF0:i1E push ds

# tracing around, found interesting sequence
mov al, 37
out 22, al
in al, 23
and dh, 3f
# ram f000:b099
# code B0 37 E6 22 E4 23 80 E6 3F
# kcore 000FB0B8
000FAFF5:i2BE4 sub sp,sp
000FAFF7:iB387 mov bl,87
000FAFF9:i2AE4 sub ah,ah
000FAFFB:i2AFF sub bh,bh ; bh = 0
000FAFFD:iB90400 mov cx,0004
000FB000:i8AC7 mov al,bh
000FB002:iE622 out 22,al
000FB004:iE423 in al,23 ; al = DRAM Bank 0 Configuration
000FB006:i22C3 and al,bl
000FB008:i38D8 cmp al,bl
000FB00A:i7402 je file:000FB00E
000FB00C:i0AE0 or ah,al
000FB00E:iE2F0 loop file:000FB000
000FB010:iF6C480 test (b) ah,80
000FB013:i7401 je file:000FB016
000FB015:i4C dec sp
000FB016:iFFE5 jmp (w) bp
000FB018:iB013 mov al,13
000FB01A:iE680 out 80,al
000FB01C:i0F08 invd
000FB01E:iB021 mov al,21 ; Linear ROMCS0/Shadow Register
000FB020:iE622 out 22,al
000FB022:iE423 in al,23
000FB024:i8AC8 mov cl,al
000FB026:i80E1DF and cl,DF
000FB029:iB021 mov al,21
000FB02B:iE622 out 22,al
000FB02D:i8AC1 mov al,cl
000FB02F:iE623 out 23,al
000FB031:iB022 mov al,22 ; Linear ROMCS0 Attributes Register
000FB033:iE622 out 22,al
000FB035:iB000 mov al,00
000FB037:iE623 out 23,al ; write 0
000FB039:iE6EE out EE,al
000FB03B:iB0C1 mov al,C1 ; Keyboard Configuration Register B
000FB03D:iE622 out 22,al
000FB03F:iE423 in al,23
000FB041:i8AC8 mov cl,al
000FB043:i80E183 and cl,83
000FB046:i80C908 or cl,08
000FB049:iB0C1 mov al,C1
000FB04B:iE622 out 22,al
000FB04D:i8AC1 mov al,cl
000FB04F:iE623 out 23,al
000FB051:iB005 mov al,05
000FB053:iE622 out 22,al
000FB055:iE423 in al,23
000FB057:i8AC8 mov cl,al
000FB059:i80E180 and cl,80
000FB05C:i80C940 or cl,40
000FB05F:iB005 mov al,05
000FB061:iE622 out 22,al
000FB063:i8AC1 mov al,cl
000FB065:iE623 out 23,al
000FB067:iB90010 mov cx,1000
000FB06A:iEB00 jmps file:000FB06C
000FB06C:iE2FC loop file:000FB06A
000FB06E:iFFE5 jmp (w) bp
000FB070:i0FA4C204 shld dx,ax,04
000FB074:i8BCA mov cx,dx
000FB076:iC1E909 shr (w) cx,09
000FB079:iF7D1 not (w) cx
000FB07B:i83E103 and (w) cx,+03
000FB07E:i81EABE00 sub dx,+00BE
000FB082:i50 push ax
000FB083:i9C pushf
000FB084:iFA cli
000FB085:iE422 in al,22
000FB087:i50 push ax
000FB088:iB02B mov al,2B ; Reserved ??
000FB08A:iE622 out 22,al
000FB08C:iE423 in al,23
000FB08E:i50 push ax
000FB08F:iB4FC mov ah,FC
000FB091:i22E0 and ah,al
000FB093:i80CC03 or ah,03
000FB096:iB02B mov al,2B ; Reserved
000FB098:iE622 out 22,al
000FB09A:i8AC4 mov al,ah
000FB09C:iE623 out 23,al
000FB09E:iB02D mov al,2D ; Reserved
000FB0A0:iE622 out 22,al
000FB0A2:iE423 in al,23
000FB0A4:iB480 mov ah,80
000FB0A6:i0AE0 or ah,al
000FB0A8:iB02D mov al,2D ; Reserved
000FB0AA:iE622 out 22,al
000FB0AC:i8AC4 mov al,ah
000FB0AE:iE623 out 23,al
000FB0B0:iB036 mov al,36 ; Reserved
000FB0B2:iE622 out 22,al
000FB0B4:i8AC2 mov al,dl
000FB0B6:iE623 out 23,al
000FB0B8:iB037 mov al,37 ; Reserved
000FB0BA:iE622 out 22,al
000FB0BC:iE423 in al,23
000FB0BE:i80E63F and dh,3F
000FB0C1:i24C0 and al,C0
000FB0C3:i0AF0 or dh,al
000FB0C5:iB037 mov al,37 ; Reserved
000FB0C7:iE622 out 22,al
000FB0C9:i8AC6 mov al,dh
000FB0CB:iE623 out 23,al
000FB0CD:iB031 mov al,31 ; MMS Window C-F Device Select Register
000FB0CF:iE622 out 22,al
000FB0D1:iE423 in al,23
000FB0D3:i243F and al,3F
000FB0D5:iC1E106 shl (w) cx,06
000FB0D8:i0AC8 or cl,al
000FB0DA:iB031 mov al,31 ; MMS Window C-F Device Select Register
000FB0DC:iE622 out 22,al
000FB0DE:i8AC1 mov al,cl
000FB0E0:iE623 out 23,al
000FB0E2:i58 pop ax
000FB0E3:i8AE0 mov ah,al
000FB0E5:iB02B mov al,2B ; Reserved
000FB0E7:iE622 out 22,al
000FB0E9:i8AC4 mov al,ah
000FB0EB:iE623 out 23,al
000FB0ED:i58 pop ax
000FB0EE:iE622 out 22,al
000FB0F0:i9D popf
000FB0F1:i58 pop ax
000FB0F2:i25FF0F and ax,0FFF
000FB0F5:iB90020 mov cx,2000
000FB0F8:i2BC8 sub cx,ax
000FB0FA:i83C000 add (w) ax,+00
000FB0FD:iBA00BE mov dx,BE00
000FB100:iF9 stc
000FB101:iC3 retn
000FB102:i50 push ax
000FB103:i9C pushf
000FB104:iFA cli
000FB105:iE422 in al,22
000FB107:i50 push ax
000FB108:iB02B mov al,2B ; Reserved
000FB10A:iE622 out 22,al
000FB10C:iE423 in al,23
000FB10E:i50 push ax
000FB10F:iB4FC mov ah,FC
000FB111:i22E0 and ah,al
000FB113:i80CC03 or ah,03
000FB116:iB02B mov al,2B ; Res
000FB118:iE622 out 22,al
000FB11A:i8AC4 mov al,ah
000FB11C:iE623 out 23,al
000FB11E:iB02D mov al,2D ; Res
000FB120:iE622 out 22,al
000FB122:iE423 in al,23
000FB124:iB47F mov ah,7F
000FB126:i22E0 and ah,al
000FB128:iB02D mov al,2D ; Res
000FB12A:iE622 out 22,al
000FB12C:i8AC4 mov al,ah
000FB12E:iE623 out 23,al
000FB130:i58 pop ax
000FB131:i8AE0 mov ah,al
000FB133:iB02B mov al,2B ; Res
000FB135:iE622 out 22,al
000FB137:i8AC4 mov al,ah
000FB139:iE623 out 23,al
000FB13B:i58 pop ax
000FB13C:iE622 out 22,al
000FB13E:i9D popf
000FB13F:i58 pop ax
000FB140:iC3 retn
000FB141:i60 pusha
000FB142:i1E push ds
000FB143:i06 push es
000FB144:iBAD403 mov dx,03D4
000FB147:i2BF6 sub si,si
000FB149:i2E8B8472AA mov ax,[cs:si-558E]
000FB14E:i83F8FF cmp (w) ax,-01
000FB151:i740B je file:000FB15E
000FB153:iEE out dx,al
000FB154:i42 inc dx
000FB155:i8AC4 mov al,ah
000FB157:iEE out dx,al

drive=0 does not work but drive=1 definitely does and drive=2 too

# ndisasm looks handy but getting the addresses right seems to need
# tricks. (I think I have garbage in the beginning of kcore.4):
$ dd bs=1 skip=983040 < kcore.4 > kcore.4.skip983040
$ ndisasm -o 983007 kcore.4.skip983040
now debug.exe and ndisasm show the same addresses.

# 2005-03-06: More experiments with debug.exe. This time I used the
# following program to read one sector from drive 1.
# 'bios4.asm'
org 100h
mov ah, 2
mov al, 1
mov ch, 1
mov cl, 1
mov dh, 0
mov dl, 1
mov bx, buf
int 13h
sti
mov ax, 4c00h
int 21h
buf times 512 db 42h

# Then I wrote some debug commands to a file input.txt. (It had 10
# times "t200" and then two "q"'s). Next I executed the following:
debug bios4.com < input.txt > bios4.txt
# See http://iki.fi/lindi/bios4.txt.gz for the output.
# 5*200 works, 10*200 works. 50*200 crashes. 15*200 just halts.
# 13*200 works. 13*200+1*100 says "SEM busy, 0001", a garbage byte and
# returns to shell. 13*200+50 says "SEM busy, " and does not return to shell.
# Next I fed the output to a perl script
#!/usr/bin/perl -w
use strict;

my ($al, $ah, $csc_index, $just_read_from);
$csc_index = "unknown";   # last index written to port 22
$just_read_from = 0;      # port of the IN seen on the previous trace step

while(<>) {
    # other registers not needed currently
    if (/AX=(..)(..) /) {
        $ah = $1;
        $al = $2;
        # The register dump after an IN shows the value that was read.
        if ($just_read_from != 0) {
            if ($just_read_from == 23) {
                print("$al <- $csc_index\n");
            }
            $just_read_from = 0;
        }
    }
    # DEBUG.EXE prints ports in hex; \d+ only matches all-digit ports
    # such as 22 and 23, which is all this script looks at.
    if (/OUT\W+(\d+),AL/) {
        my $port = $1;
        if ($port == 22) {
            $csc_index = $al;
        }
        if ($port == 23) {
            print("$al -> $csc_index\n");
        }
    }
    if (/IN\W+AL,(\d+)/) {
        my $port = $1;
        $just_read_from = $port;
    }
}

# The script parses DEBUG.EXE output and shows what bytes are
# written/read from ioports:
03 <- 2B
03 -> 2B
00 <- 2D
80 -> 2D
B2 -> 36
3A <- 37
3A -> 37
B0 <- 31
B0 -> 31
03 -> 2B
03 <- 2B
03 -> 2B
80 <- 2D
80 -> 2D
B2 -> 36
BA <- 37
BA -> 37
..

int vm86(unsigned long fn, struct vm86plus_struct * v86);

struct vm86plus_struct {
    struct vm86_regs regs;
    unsigned long flags;
    unsigned long screen_bitmap;
    unsigned long cpu_type;
    struct revectored_struct int_revectored;
    struct revectored_struct int21_revectored;
    struct vm86plus_info_struct vm86plus;
};

struct vm86plus_info_struct {
    unsigned long force_return_for_pic:1;
    unsigned long vm86dbg_active:1;       /* for debugger */
    unsigned long vm86dbg_TFpendig:1;     /* for debugger */
    unsigned long unused:28;
    unsigned long is_vm86pus:1;           /* for vm86 internal use */
    unsigned char vm86dbg_intxxtab[32];   /* for debugger */
};

SVGALib [2] is a library that provides a generic VGA interface for older VGA cards. It includes a utility called vga_reset to re-initialize VGA cards. The utility uses the vm86 mode of x86 processors to execute the VGA BIOS. In vm86 mode, an executing program is just like any other program executing in 32-bit mode, but it executes 16-bit code like a traditional 8086 CPU. To support this, Linux provides a system call to switch a process into vm86 mode. vga_reset first maps in the BIOS code and data area from physical memory space to its virtual memory space. Then it sets up register values for instruction and stack pointers. Finally, it enters vm86 mode by calling the vm86 system call.

By default, both VGA BIOS and system BIOS callbacks are executed natively by the hardware, except some privileged instructions and I/O operations. By giving different flags when entering the vm86 mode, it is possible to choose to intercept I/O and BIOS calls. This feature was used frequently in the early stage of the development of our solution as a debugging and verification tool. The I/O and BIOS call logs from vga_reset and x86emu were compared to examine if both vga_reset and x86emu had the same code execution path in the same hardware environment. If they both had the same execution path, it indicated that the emulator executes the VGA BIOS exactly as the real hardware.

The disadvantage of vga_reset is that the vm86 mode is not supported by the AMD x86_64 architecture. The 64-bit Linux kernel does not provide the vm86 system call. During our development, we had to install a 32-bit Linux distribution on our 64-bit AMD K8 platform to run vga_reset.

iopl(3);
struct LRMI_regs r;
r.eax = 0x4f04;
r.ecx = 0xf; /* all states */
r.edx = 1; /* save state */
r.es = (unsigned int) buffer >> 4;
r.ebx = (unsigned int) buffer & 0xf;
if (!LRMI_int(0x10, &r)) {
    fprintf(stderr, "Can't save video state (vm86 failure)\n");
}
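
Added example (not part of the original notes, and not the author's tooling): the kcore notes above match BIOS byte sequences seen at f000:cb46 and f000:df98 against file offsets 000FCB67 and 000FDFB9, and then pass "-o 983007" to ndisasm for a dump cut at 983040. The script below derives that correction from signature hits and checks that every anchor gives the same skew, which also catches a capture that lost bytes in transit. The function names and the in-memory sample dump are constructed for this illustration.

```python
"""Align a raw physical-memory capture with real-mode addresses.

Added example. The dump is a constructed sample built in memory, so the
script runs offline; on a real capture, read the file into `dump` instead.
"""
from typing import Dict, List, Tuple

# Signatures copied from the notes: (segment, offset) as shown by DEBUG.EXE,
# mapped to the first bytes of the routine found there.
ANCHORS: Dict[Tuple[int, int], bytes] = {
    (0xF000, 0xCB46): bytes.fromhex("FBCD40CA02002AE4F9CA0200"),    # INT 13h entry
    (0xF000, 0xDF98): bytes.fromhex("FBFC1EE8E3EC8E1E400080FC17"),  # FUN2
}


def real_mode_to_phys(segment: int, offset: int) -> int:
    """Physical address of segment:offset in real mode (20-bit wrap)."""
    return ((segment << 4) + offset) & 0xFFFFF


def find_all(dump: bytes, signature: bytes) -> List[int]:
    """Every file offset where the signature occurs, overlaps included."""
    hits = []
    pos = dump.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(signature, pos + 1)
    return hits


def capture_skew(dump: bytes, anchors: Dict[Tuple[int, int], bytes]) -> int:
    """Bytes of leading junk in the capture: file offset minus physical address.

    Each signature must match exactly once, and all anchors must agree.
    Disagreement means bytes were inserted or dropped between two anchors,
    so addresses past that point cannot be trusted.
    """
    skews = set()
    for (seg, off), sig in anchors.items():
        hits = find_all(dump, sig)
        if len(hits) != 1:
            raise ValueError(
                "signature at %04x:%04x matched %d times, need exactly 1"
                % (seg, off, len(hits)))
        skews.add(hits[0] - real_mode_to_phys(seg, off))
    if len(skews) != 1:
        raise ValueError("anchors disagree on skew: %s" % sorted(skews))
    return skews.pop()


def ndisasm_origin(skip: int, skew: int) -> int:
    """Value for ndisasm -o when the first `skip` bytes of the file are cut."""
    return skip - skew


def build_sample_dump(prefix_len: int = 33) -> bytes:
    """Constructed sample: junk prefix followed by 1 MiB of zeroed 'RAM'
    with the two anchor signatures placed at their physical addresses."""
    mem = bytearray(1 << 20)
    for (seg, off), sig in ANCHORS.items():
        phys = real_mode_to_phys(seg, off)
        mem[phys:phys + len(sig)] = sig
    return b"#" * prefix_len + bytes(mem)


if __name__ == "__main__":
    dump = build_sample_dump()
    skew = capture_skew(dump, ANCHORS)
    skip = 0xF0000  # 983040, start of the BIOS segment as a file offset
    print("skew: %d bytes" % skew)
    print("dd bs=1 skip=%d, then ndisasm -o %d" % (skip, ndisasm_origin(skip, skew)))
```
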