Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is:
> Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB
> Exploit strat: We fill up as much of physical memory as possible with page tables.
> When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.
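
Added example, not part of the comment above or of the linked repository: a small C model of why a fault on data bit 25 moves a 64-bit page-table entry's target by exactly 32 MiB, and why the chance of the faulted entry pointing at a page table tracks the fraction of physical memory holding page tables. It assumes the x86-64 PTE layout (physical address in bits 12..51); the memory sizes and frame ranges are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL /* assumed x86-64: address in bits 12..51 */
#define PTE_FLAGS     0x67ULL               /* present, writable, user, accessed, dirty */
#define FAULT_BIT     25                    /* DQ25 carries bit 25 of each 64-bit word */

/* Model a single-bit fault on a PTE as it is read from DRAM. */
static uint64_t fault_pte(uint64_t pte, unsigned bit) {
    return pte ^ (1ULL << bit);
}

/* Signed change, in bytes, of the physical address the PTE maps. */
static int64_t fault_delta(uint64_t pte, unsigned bit) {
    return (int64_t)(fault_pte(pte, bit) & PTE_ADDR_MASK)
         - (int64_t)(pte & PTE_ADDR_MASK);
}

/* Constructed model: physical memory has `total` frames and frames
 * [pt_start, pt_end) hold page tables. For one PTE per frame, count how
 * many point into the page-table range after a fault on `bit`. */
static unsigned count_hits(uint64_t total, uint64_t pt_start,
                           uint64_t pt_end, unsigned bit) {
    unsigned hits = 0;
    for (uint64_t pfn = 0; pfn < total; pfn++) {
        uint64_t pte = (pfn << PAGE_SHIFT) | PTE_FLAGS;
        uint64_t new_pfn = (fault_pte(pte, bit) & PTE_ADDR_MASK) >> PAGE_SHIFT;
        if (new_pfn >= pt_start && new_pfn < pt_end)
            hits++;
    }
    return hits;
}

int main(void) {
    uint64_t total = 65536; /* constructed: 256 MiB of 4 KiB frames */
    printf("delta, bit 25 clear: %lld bytes\n",
           (long long)fault_delta(0x10000067ULL, FAULT_BIT));
    printf("delta, bit 25 set:   %lld bytes\n",
           (long long)fault_delta(0x12000067ULL, FAULT_BIT));
    /* 7/8 of memory holds page tables: frames 8192..65535 */
    unsigned hits = count_hits(total, 8192, total, FAULT_BIT);
    printf("faulted PTEs landing on a page table: %u of %llu\n",
           hits, (unsigned long long)total);
    return 0;
}
```

The same arithmetic shows why the fault is only useful on an address bit: flipping a bit below 12 changes the entry's flags and leaves the mapped frame unchanged.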