Posterous
Joel is using Posterous to post everything online. Shouldn't you?
Dsc_5799_-_version_2__1__thumb
Joel Reymont
owns this site
5
subscribers
 

Tenerife Skunkworks

Boldly going where few have gone before

Creating Mac binaries on any platform, by hand and without using a linker

I'm in love with Forth but there are no commercial Forth environments for Mac OSX. GForth is a free, fast and portable implementation of ANS Forth but it requires GCC and does not allow for binary distribution of code that uses foreign functions. 

There are two excellent commercial implementations of ANS Forth and both run on Linux. I asked one of the companies if I could port their Forth to the Mac and promptly ended up with a tarball on my lap. There were no C or assembler files, it was all Forth source code. 

The proper bootstrapping approach turned out to generate a Mac kernel on Linux, copy it over to the Mac and use it to compile the rest of the Forth environment. It's called cross-compiling!

This required me to investigate how Mac binaries are laid out and how I could generate them without using gcc or a linker. 

I would like to explain how I did it. Let's start with a simple C program and feel free to browse the full source code.

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
  printf("Hello world!\n");
  exit(0);
}

It can't get any simpler!

gcc hello.c -o hello
./hello
Hello world!

What does it look like in assembler, though?

The IMPORT section is where gcc allocates stubs for external functions. The dynamic linker will replace these with a jump to the real printf once libc is loaded.

What the code above does not include is proper alignment of the stack before the calls to printf and exit. This is required according to the Mac OSX ABI IA-32 Function Calling Conventions. It's a slight of hand on the part of gcc which inserts a prolog before invoking our main function. 

This prolog sets up the stack and gets hold of our program arguments, i.e. argc, argv and envp.

  Let's tidy things up into a single NASM file. It's less verbose than GAS and I much prefer it.

bits  32

section .text

GLOBAL start
extern _printf, _exit

start:
  and esp, 0xFFFFFFF0
  sub esp, 0x10
  mov dword [esp], hello.msg
  call _printf
  add esp, 0x10
  mov eax, 0          ; set return code
  call _exit
  hlt

section .data

hello.msg db 'Hello, World!', 0x0a, 0x00

The stubs are taken care of by nasm in Mach-O mode (-f macho below) and the code still works.

nasm -f macho hello.asm -o hello.o
ld hello.o -o hello -lc

./hello
Hello, World!

otool is indispensable for any sort of involved Mac forensics and the Mach-O file format is very well explained by Apple.

The Mach-O header is normally generated by the compiler and the linker (GCC & LD) but I'm using neither so I have to generate the header by hand. It's doable, as long as NASM is instructed to simply dump a binary image to disk (-f bin) and it actually works!

nasm -f bin hello1.asm -o hello1
chmod +x hello1
./hello1
Hello, World!

Note that this can be done on any platform NASM runs on. I did it on Linux but assume it will work just as well on Windows.

Now, let's take a good look at the code...

We need to tell NASM we are in 32-bit mode and that program code starts on the second VM page (0x1000 or 4096). The first page (PAGEZERO) is there to catch null pointer references. 

;;; File: hello1.asm
;;; Build: nasm -f bin -o hello1 hello1.asm && chmod +x hello1

bits  32
org   0x1000

The header specifies that this is an x86-32 binary and a full-fledged executable file and that there are 10 load commands in the header.

mhdr:
   dd 0xFEEDFACE  ; magic
   dd 7           ; cputype
   dd 3           ; cpusubtype
   dd 2           ; filetype
   dd 10          ; ncmds
   dd sizeofcmds  ; sizeofcmds
   dd 0x85        ; flags
       

PAGEZERO is where you end up when dereferencing a 0 pointer. This page is protected from reading and writing so any access to it causes a page fault and a memory access violation. This segment does not take any space in the file so it's filesize is set to 0.

;;; Load command #0

pagezero: 
   dd 1              ; LC_SEGMENT
   dd _pagezero      ; size
   db '__PAGEZERO'   ; segname
   times 6 db 0      ; padding to 16 chars
   dd 0              ; vmaddr
   dd 0x1000         ; vmsize
   dd 0              ; fileoff
   dd 0              ; filesize
   dd 0              ; maxprot
   dd 0              ; initprot
   dd 0              ; nsects
   dd 0              ; flags
_pagezero equ $-pagezero
    

The text segment is where our code lives. It's readable and executable (initprot). The load commands that form part of the Mach-O header itself need to be loaded somewhere. Here, they are part of the text segment which is why the segment starts at the beginning of the file (fileoff 0).

;;; Load command #1

code: 
   dd 1              ; LC_SEGMENT
   dd _code          ; size
   db '__TEXT'       ; segname 
   times 10 db 0     ; padding to 16 chars
   dd 0x1000         ; vmaddr
   dd 0x1000         ; vmsize
   dd 0              ; fileoff
   dd 0x1000         ; filesize
   dd 7              ; maxprot
   dd 5              ; initprot
   dd 1              ; nsects
   dd 0              ; flags

sect1:               ; section 0
   db '__text'       ; sectname
   times 10 db 0     ; padding to 16 chars
   db '__TEXT'       ; segname 
   times 10 db 0     ; padding to 16 chars
   dd start          ; addr
   dd codesize       ; size
   dd start-$$       ; offset
   dd 0              ; align on 2^0
   dd 0              ; reloff
   dd 0              ; nreloc
   dd 0x80000400     ; flags
   dd 0              ; reserved1
   dd 0              ; reserved2
_code equ $-code

The data segment holds our "Hello world!" string. 

;;; Load command #2

data: 
   dd 1              ; LC_SEGMENT
   dd _data          ; size
   db '__DATA'       ; segname 
   times 10 db 0     ; padding to 16 chars
   dd 0x2000         ; vmaddr
   dd 0x1000         ; vmsize
   dd 0x1000         ; fileoff
   dd 0x1000         ; filesize
   dd 7              ; maxprot
   dd 3              ; initprot
   dd 1              ; nsects
   dd 0              ; flags

sect2:               ; section 0
   db '__const'      ; sectname
   times 9 db 0      ; padding to 16 chars
   db '__DATA'       ; segname 
   times 10 db 0     ; padding to 16 chars
   dd 0x2000         ; addr
   dd 15             ; size, our string 
   dd 4096           ; offset
   dd 0              ; align on 2^0
   dd 0              ; reloff
   dd 0              ; nreloc
   dd 0              ; flags
   dd 0              ; reserved1
   dd 0              ; reserved2
_data equ $-data

The IMPORT segment holds our jump table, the stubs for printf and exit. The dynamic linker will fill in the stubs for us with a jump to printf and exit in libc. This segment needs to be readable, writable and executable (initprot). 

;;; Load command #3

stubs: 
   dd 1              ; LC_SEGMENT
   dd _stubs         ; size
   db '__IMPORT'     ; segname 
   times 8 db 0      ; padding to 16 chars
   dd 0x3000         ; vmaddr
   dd 0x1000         ; vmsize
   dd 0x2000         ; fileoff
   dd 0x1000         ; filesize
   dd 7              ; maxprot
   dd 7              ; initprot
   dd 1              ; nsects
   dd 0              ; flags

sect3:               ; section 0
   db '__jump_table' ; sectname
   times 4 db 0      ; padding to 16 chars
   db '__IMPORT'     ; segname 
   times 8 db 0      ; padding to 16 chars
   dd 0x3000         ; addr
   dd 10             ; size, two stubs
   dd 0x2000         ; offset
   dd 6              ; align on 2^6
   dd 0              ; reloff
   dd 0              ; nreloc
   dd 0x04000008     ; flags
   dd 0              ; reserved1
   dd 5              ; reserved2, stub size
_stubs equ $-stubs

The LINKEDIT segment holds the symbol table. 

;;; Load command #4

linkage: 
   dd 1              ; LC_SEGMENT
   dd _linkage       ; size
   db '__LINKEDIT'   ; link table 
   times 6 db 0      ; padding 
   dd 0x4000         ; vmaddr
   dd 0x1000         ; vmsize
   dd symbols-$$     ; fileoff
   dd _symbols       ; filesize
   dd 7              ; maxprot
   dd 1              ; initprot
   dd 0              ; nsects
   dd 0              ; flags
_linkage equ $-linkage

This segment describes our symbol table, including where the symbols and the strings naming them are located. I believe it's mostly for the benefit of the debugger.

;;; Load command #5

symtab: 
   dd 2              ; LC_SYMTAB
   dd _symtab        ; size
   dd symbols-$$     ; symoff
   dd 4              ; nsyms
   dd strings-$$     ; stroff
   dd _strings       ; strsize
_symtab equ $-symtab

This load command describes the dynamic symbol table. This is how the dynamic linker knows to plug the stubs (indirect).

;;; Load command #6

dysymtab: 
   dd 0x0b           ; LC_DYSYMTAB
   dd _dysymtab      ; size
   dd 0              ; ilocalsym
   dd 1              ; nlocalsym
   dd 1              ; iextdefsym
   dd 2              ; nextdefsym
   dd 2              ; iundefsym
   dd 2              ; nundefsym
   dd 0              ; tocoff
   dd 0              ; ntoc
   dd 0              ; modtaboff
   dd 0              ; nmodtab
   dd 0              ; extrefsymoff
   dd 0              ; nextrefsyms
   dd indirect-$$    ; indirectsymoff
   dd 2              ; nindirectsyms
   dd 0              ; extreloff
   dd 0              ; nextrel
   dd 0              ; locreloff
   dd 0              ; nlocrel
_dysymtab equ $-dysymtab

My guess is as good as yours here. I'm not ready to use a dynamic linker of my own but this is a distinct possibility! This load command clearly provides for it.

;;; Load command #7

dylinker: 
   dd 0x0e           ; LC_LOAD_DYLINKER
   dd _dylinker      ; size
   dd 12             ; nameoff
   db '/usr/lib/dyld', 0
   align 4
_dylinker equ $-dylinker

This load command specifies the contents of the registers at startup. I haven't seen anything other than EIP populated, though. The program will not run unless this load command is present!

;;; Load command #8

thrstate:
   dd 0x5            ; LC_UNIXTHREAD
   dd _thrstate      ; size
   dd 0x01           ; i386_THREAD_STATE
   dd 0x10           ; i386_THREAD_STATE_COUNT
   times 10 dd 0x00  ; cpu thread state
   dd start          ; eip
   times 05 dd 0x00  ; 
_thrstate equ $-thrstate

We can have as many dylib segments as dynamic libraries we would like to use. I'm only using libc since that's where printf and exit live. I could have created stubs for dlopen, dlclose, dlsym and dlerror and used them to load libc and pull out printf and exit. Why bother, though, when the dynamic linker can do it for us?

;;; Load command #9

dylib: 
   dd 0x0c           ; LC_LOAD_DYLIB
   dd _dylib         ; size
   dd 0x18           ; nameoff
   dd 0x02           ; timestamp
   dd 0x006F0103     ; currentver
   dd 0x00010000     ; compatver
   db '/usr/lib/libSystem.B.dylib', 0
   align 4
_dylib equ $-dylib

It was a long road through the Mach-O header but we can finally relax and get some work done. There isn't much to do apart from printing hello world and exiting but note the alignment of the stack on a 16-byte boundary, before each function call. 

I'm taking the easy way out and aligning the stack one extra time, at the beginning of the program. This makes the rest of the alignment work much easier! 

All values in the stack are 32-bit values. We are pushing a single argument which requires us to pad the stack with 12 more bytes (sub esp, 0x10). We pop arguments and padding right after the call to printf.

GLOBAL start

start:

  and esp, 0xFFFFFFF0
  sub esp, 0x10
  mov dword [esp], hello.msg
  call _printf
  add esp, 0x10
  mov eax, 0          ; set return code
  call _exit
  hlt

codesize equ $-start

Data and stubs are easy. Note the alignment to a page boundary. A jump to a 32-bit address takes 5 bytes, thus 5 halt instructions are used for each stub.  

;;; Data

align 4096

hello.msg db 'Hello, World!', 0x0a, 0x00

;;; Stubs

align 4096

_printf:
  times 5 hlt

_exit:
  times 5 hlt
   

The symbol table has a well-defined format and each symbol needs to be described in excruciating detail!

;;; Linkage

align 4096

symbols:           ; symbol table

   ; hello.msg

   dd str01off    ; nstrx
   db 0x0e        ; type
   db 0x02        ; sect
   dw 0x00        ; desc
   dd hello.msg   ; value

   ; start

   dd str02off    ; nstrx
   db 0x0f        ; type
   db 0x01        ; sect
   dw 0x00        ; desc
   dd start       ; value

   ; _printf

   dd str03off    ; nstrx
   db 0x01        ; type N_EXT
   db 0x00        ; sect
   dw 0x0101      ; desc
   dd _printf     ; value

   ; _exit

   dd str04off    ; nstrx
   db 0x01        ; type N_EXT
   db 0           ; sect
   dw 0x0101      ; desc
   dd _exit       ; value

The indirect symbol table tells the dynamic linker that elements 2 and 3 of the symbol table need to be looked up and their stubs plugged.

indirect:         ; indirect symbol table

   dd 0x02        ; _printf        
   dd 0x03        ; _exit

The string table names the symbols above.

strings:          ; string table

      db 0x20, 0x00

str01 db 'hello.msg', 0x00
str02 db 'start', 0x00
str03 db '_printf', 0x00
str04 db '_exit', 0x00

str01off equ str01 - strings
str02off equ str02 - strings
str03off equ str03 - strings
str04off equ str04 - strings

_strings equ $-strings   
_symbols equ $-symbols

I don't expect you to generate Mac binaries by hand on Linux or Windows but I hope this tutorial will be of help if you ever decide to try!

Filed under  //   asm   hacks   mac   mach-o  
Posted January 26, 2009
// 0 Comments

Mnesia Unlimited

Mnesia is the Erlang embbedded distributed DBMS, that supports high scalability and fault tolerance through replication. Mnesia has been used to great success in all kinds of applications but it's not without limitations. These limitations mainly stem from the underlying ETS and DETS mechanisms used to implement Mnesia tables. 

There have been attempts to hack around Mnesia limitations before, e.g I wrote a Mnesia backend for Amazon S3 just last summer. All these attempts to add external table functionality to Mnesia suffered from being hard to extend, or were closed source implementations. 

Thanks to the Dukes of Erl, I finally got a chance to do a proper Mnesia extension, the one to rule them all! The result is a series of about 50 careful git patches that support all the features of regular Mnesia tables such as indexing, replication, distribution, fragmentation and backup, as well as set or bag semantics. Best of all, this functionality is available to anyone using OTP release R11B5. 

The external table API is supplied as an Erlang behavior so all you need to do is supply a callback module that conforms to it. 

You can now use Mnesia as a front-end to disk-based hash tables like SleepyCat/BerkeleyDB or Tokyo Cabinet, a memory-mapped table or MySQL.

You are no longer constrained by the scalability or size limitations of ETS and DETS so go wild and let me know what you come up with. Oh, and please petition the Erlang/OTP team to include this work in the official Erlang distribution!

Mnesia 4.3.5 with the extension mechanism is available from Google Code and so is the Tokyo Cabinet external table.

Filed under  //   erlang   hacks   mnesia  
Posted June 23, 2008
// 2 Comments

Hacking the Mac OSX Unified Buffer Cache

Files read and written get cached in the Unified Buffer Cache (UBC) on Mac OSX.
The UBC was hindering me because I was processing a huge file in chunks but throwing out each chunk, never to be reused again, after writing out the processed chunk. I would see gigabytes of memory get eaten away by the UBC until the system started swapping and became unresponsive.

UBC cannot be limited to a given maximum amount of memory.

UBC cannot be inspected programmatically.

UBC can be cleared by running 'purge' which allocates a lot of memory to force the cache to clear. The following bit of code can be used turn caching off for a particular file: 

 
fcntl(fd, F_GLOBAL_NOCACHE, 1)

This can be done in any process and the file can be closed after. The setting persists through out the lifetime of the file. If the file is removed and re-created then the setting is lost.

How can you tell if the setting took hold and the file is indeed NOT being cached? 

 
dd if=/db1/cdr.csv bs=1m count=1024 of=/dev/null 
1073741824 bytes transferred in 12.030688 secs (89250242 bytes/sec) 
 
dd if=/db1/cdr.csv bs=1m count=1024 of=/dev/null 
1073741824 bytes transferred in 11.867947 secs (90474101 bytes/sec) 
 
dd if=/db1/cdr.csv bs=1m count=1024 of=/dev/null 
1073741824 bytes transferred in 12.037562 secs (89199278 bytes/sec)

Tried reading the file three times. Speed is about the same.

What about a regular file that's cached by default? 

 
dd if=/db1/cdr1.csv bs=1m count=1024 of=/dev/null 
1073741824 bytes transferred in 11.505857 secs (93321325 bytes/sec) 
 
dd if=/db1/cdr1.csv bs=1m count=1024 of=/dev/null 
1073741824 bytes transferred in 0.500468 secs (2145475416 bytes/sec)

Notice that reading from the cache is much faster the second time around.

Kudos to Dominic Giampaolo from Apple for explaining all this to me!

Filed under  //   hacks   mac   performance  
Posted March 4, 2008
// 1 Comment

Writing a Mac OSX USB device driver that implements SCSI pass-through

I've been on a coding tear since the beginning of this year, when I decided to dump Erlang and focus on all things low-level. I've been much happier since, although not much richer. Do you need a Mac OSX device driver written? Talk to me!

In this post I will explain how I wrote a Mac OSX USB device driver for the IntellaSys 24-core CPU on a thumbstick, also known as FORTHdrive. I will skip the parts that are reasonably clear from Apple documentation and focus on the bits I had trouble with. I will also leave two-machine driver and kernel debugging over FireWire for another post. 

It will be helpful for you to first read about IOKit fundamentals, as well as Mass storage device driver programming and the SCSI device architecture model device interface. SCSI in particular is how I started down this slippery slope. 

Introduction

The USB flash drive format is popular with hardware vendors. It's possible to buy security tokens on a thumb stick and even 24-core Forth processors. The stick will most likely have a small disk partition that will house the vendor development kit or tools. It will look like a regular flash drive to the operating system (OS) and the OS will use SCSI over USB to access the data. 

The manufacturer will implement vendor-specific SCSI commands to give you access the core functionality of the device such as the encryption API of a security token or storing and fetching data from a custom CPU. The OS will let you send custom SCSI commands to a SCSI device, this is called SCSI pass-through. You can use SGIO for SCSI pass-through on Linux. This boils down to a series of ioctl calls from your application and all is well... except on Mac OSX.

In its infinite wisdom, Apple decided to disable SCSI pass-through lest you send a format command to an attached device or do something equally evil. Apple really really wants you to go through official and established channels to talk to devices under Mac OSX, particularly SCSI devices. Apple will not and cannot establish channels for every custom device out there, which means that the hard work to implement SCSI pass-through on Mac OSX falls squarely on your shoulders.

Writing a Mac OSX device driver is not particularly hard. It took me all of about a week to get my driver ready and working. There's definitely a dearth of information on writing Mac OSX device drivers and existing examples are too simple to be of much use. I hunted far and wide (and way back in time!) through various Apple driver development lists to collect the information I needed and I'm summarizing it for you here, as well as providing full working source code to my driver.

Did I mention that Mac OSX drivers are written in C++? Not C, not Objective-C but C++! The original IOKit used to be called DriverKit and was written in Objective-C. Apple, apparently, felt C++ would be easier on third-party driver writers. Say what you want but C++ does simplify reuse. You don't need to re-implement the full driver, you can subclass and change or add tiny bits and pieces.

Fundamentals

Your application lives in user land whereas the driver lives in kernel land. The two cannot talk to one another, except through a Mach port. Normally, your application would first locate the driver in the I/O registry.The SimpleUserClient and VendorSpecificType00 examples that Apple provides for developers show you how this is done. 

Once you get a handle to your driver (service), you can open a connection to it like this

io_connect_t connect;
kern_return_t kernResult = IOServiceOpen(service, mach_task_self(), 0, &connect);

This gets you a handle that you can use to access your driver in kernel land.

User client

Once you get through the Mach port, you land in something called user client. The user client mechanism is designed to allow calls from a user process to be dispatched to any IOService-based object in the kernel. Your driver would normally be a subclass of IOService but you would not access it directly. You would create a series of adapter functions that verify and perhaps massage the data and then pass it to your driver.

You can invoke user client functions that are set up via the external method dispatch table. This is a series of structures that describe each method of your user client, including the function pointer, number of integer arguments that the method takes in, number of integer values it returns and the same for structures. The table will look like this

const IOExternalMethodDispatch UserClientClassName::Methods[kNumberOfMethods] =
{
  { // kS24ClientOpen
    (IOExternalMethodAction) &UserClientClassName::sOpenUserClient,
    0,                            
    0,                            
    0,                            
    0                            
  }, 
  ...}

  The SimpleUserClient example shows you how to set up and use various external method configurations.

Your user land method invocation will end up in _externalMethod_ below. This is where you will look up your method using the selector to index your method table.

IOReturn UserClientClassName::externalMethod(uint32_t selector, IOExternalMethodArguments* arguments,
    IOExternalMethodDispatch* dispatch, OSObject* target, void* reference)
 
{
    IOLog("%s[%p]::%s(%d, %p, %p, %p, %p)\n", getName(), this, __FUNCTION__,
        selector, arguments, dispatch, target, reference);
        
    if (selector < (uint32_t) kNumberOfMethods)
    {
        dispatch = (IOExternalMethodDispatch *) &Methods[selector];
        
        if (!target)
     target = this;  }

A lot of methods in the user client are boilerplate but you do not want to miss initWithTask! This is the method where you should take owningTask and save it. This is the Mach task of your user land application and you will need it to map memory buffers from user space to kernel space. owningTask here will correspond to mach_task_self() in the call to IOServiceOpen above.

bool UserClientClassName::initWithTask(task_t owningTask, void* securityToken, UInt32 type)
{
    bool success = super::initWithTask(owningTask, securityToken, type);  
  
  // This IOLog must follow super::initWithTask because getName relies on the superclass initialization.
  IOLog("%s[%p]::%s(%p, %p, %ld)\n", getName(), this, __FUNCTION__, owningTask, securityToken, type);
 
    fTask = owningTask;
    fProvider = NULL;
        
    return success;
}

Methods in your dispatch table will be static and you will need a way to map those to methods of your user client class. Fortunately, every method has a target argument just for this purpose.

IOReturn UserClientClassName::sInit(UserClientClassName* target, void* reference, IOExternalMethodArguments* arguments)
{
    return target->S24IO(NULL, 0, 0, 0, kIODirectionNone);
}

The code above does not use any of the external arguments but this method does

IOReturn UserClientClassName::sRead(UserClientClassName* target, void* reference, IOExternalMethodArguments* arguments)
{
    return target->S24IO(
        arguments->scalarInput[0],
        arguments->scalarInput[1],
        arguments->scalarInput[2],
        0,
        kIODirectionIn
        );}

Simply pull your values from external method arguments and pass them to a method in your user client class, e.g. S24IO. fprovider is our driver handle that we set up in the start method, invoked as a result of us calling IOService open in our user land application.

Talking to the user client

To talk to the driver's user client from your application we need to invoke IOConnectCallScalarMethod and friends. The SimpleUserClient example shows how this is done.

Passing buffers into the kernel

Apple has guidelines for how to allocate and share memory with user space from an I/O kit driver but what do you do if you need to pass a buffer from user space into the kernel? Simple! The kernel works with I/O memory descriptors and we need to create one for our user space buffer like so

IOMemoryDescriptor *iomd = IOMemoryDescriptor::withAddress(
      (vm_address_t)buffer,
      size,
      direction,
      fTask
    );

See IOMemoryDescriptor documentation for more details. 

Note fTask and direction above. You must tell the kernel which task this memory pointer belongs to so that the kernel can properly translate this address into physical memory. You also must tell the kernel whether you are going to be reading from this memory buffer or writing to it. This is what direction is for.

This is by no means conclusive documentation for IOMemoryDescriptor. Please read about IOBufferMemoryDescriptor and feel free to poke around further.

We are still in driver adapter and glue code here but we are getting close to the driver itself.

Driver

The salient points here are the InitializeDeviceSupport method and the way to send SCSI commands to the device.

Use InitializeDeviceSupport if you need to send SCSI commands to your device during driver initialization. Do not use the probe method for this since the command gate (don't ask!) will not be allocated yet and you will panic the kernel.

Here I'm initializing my device by sending it the vendor-specific initialization command in S24Init().

bool com_wagerlabs_driver_SEAforth24::InitializeDeviceSupport(void)
{
    bool result = false;
 
    result = super::InitializeDeviceSupport();
 
    if ( result == true )
        result = (S24Init() == kIOReturnSuccess);
 
    return result;
}

The S24SyncIO method is the heart and soul of my driver. Your driver will look different but things are easy and downhill from this point on since you have everything you need to send any kind of SCSI command to your device. You just need to go through a few more steps before you are done.

1) You get hold of a SCSI task.

req = GetSCSITask();

require(req != NULL, ErrorExit);

2) You populate the SCSI Command Descriptor Block (CDB) according to your vendor instructions.

switch (kind)
{
    case kS24Write:
        direction = kSCSIDataTransfer_FromInitiatorToTarget;
        b1 = 0xFB;
        b2 = 0x00;
        break;
    case kS24WriteLast:
        direction = kSCSIDataTransfer_FromInitiatorToTarget;
        b1 = 0xFB;
        b2 = 0x02;
        break;
    case kS24Read:
        direction = kSCSIDataTransfer_FromTargetToInitiator;
        b1 = 0xFB;
        b2 = 0x01;
        break;
    default: // kS24Init
        direction = kSCSIDataTransfer_NoDataTransfer;
        b1 = 0xFA;
        b2 = 0x00;
}

SetCommandDescriptorBlock(req, 0x20, b1, b2, 0x00, 0x00, 0x00, 0x00, hi, lo, 0x00);

3) You set a timeout for completion of your SCSI request and the data transfer direction.

SetTimeoutDuration(req, 10000);
SetDataTransferDirection(req, direction);

4) Mac OSX uses virtual memory which means that at the time of your SCSI command your buffer may be paged out to disk and not in physical memory. It's crucial that you tell Mac OSX to prepare your memory buffer by mapping it back into memory and do any necessary housekeeping for your driver to be able to access your memory.

Other than that, don't forget to tell the SCSI task to use your buffer and tell it how many bytes you are looking to transfer. It's not necessary to set the direction of the transfer (from driver to device or vise versa) if this has already been set in the I/O memory descriptor (which is what we did).

if (buffer != NULL)
{
    buffer->prepare();
    SetDataBuffer(req, buffer);
    SetRequestedDataTransferCount(req, buffer->getLength());
}

5) Finally, send the command to the device and tell Mac OSX that your are done using your memory buffer for direct memory access (DMA) by invoking the _complete_ method of the I/O memory descriptor. You will also want to check the status of your SCSI request, the number of bytes transferred and you may also want to use the SCSI Request Sense command if your request was unsuccessful.

serviceResponse = SendCommand(req, 10000);

if (buffer != NULL)
{
    buffer->complete();
}

  That's it folks! Let me know if I have omitted something crucial and I'll try to expand this post as time allows.

Filed under  //   c++   drivers   forth   hacks   mac   scsi  
Posted February 4, 2008
// 0 Comments