6600sirt@ucsbuxa.ucsb.edu (Mike O'Brien) (02/14/91)
I have heard that there is an undocumented LOADALL instruction on the 286 which allows you to access any part of extended memory without leaving "real" mode. This sounds very useful! The person who first posted it (a few months ago) said that he had a 50k ZIPed text file explaining how to use it, and that he would send it to people if they sent him mail on CI$ requesting it. However, I sent him mail, and it bounced!

Is this file available from FTP anywhere? If not, does anybody know this person's new address? Does anybody have a copy of the file? Or, last but not least, would anybody be willing to explain on this newsgroup how to use LOADALL?

Thanks in advance,
Mike O'Brien
6600sirt@ucsbuxa.ucsb.edu
anto@vaxb.acs.unt.edu (02/14/91)
In article <4620@uniol.UUCP>, Norbert.Zacharias@arbi.informatik.uni-oldenburg.de (Norbert Zacharias) writes:
> 6600sirt@ucsbuxa.ucsb.edu (Mike O'Brien) writes:
>
>>I have heard that there is an undocumented LOADALL instruction on the
>>286 which allows you to access any part of extended memory without
>>leaving "real" mode.
>
> I'm interested too

The file XMS20.ARC on SIMTEL20 (I think it's in the <MSDOS.SYSUTL> subdirectory) contains real code using LOADALL. It is the source for HIMEM.SYS.

'Hope this helps,
Anto.
Norbert.Zacharias@arbi.informatik.uni-oldenburg.de (Norbert Zacharias) (02/14/91)
6600sirt@ucsbuxa.ucsb.edu (Mike O'Brien) writes:
>I have heard that there is an undocumented LOADALL instruction on the
>286 which allows you to access any part of extended memory without
>leaving "real" mode. This sounds very useful! The person who first
>posted it (a few months ago) said that he had a 50k ZIPed text file
>explaining how to use it, and that he would send it to people if they
>sent him mail on CI$ requesting it. However, I sent him mail, and it
>bounced!
>Is this file available from FTP anywhere? If not, does anybody know
>this person's new address? Does anybody have a copy of the file?
>Or, last but not least, would anybody be willing to explain on this
>newsgroup how to use LOADALL?

I'm interested too

Norbert
--
=============================================================================
Norbert Zacharias                 Norbert.Zacharias@arbi.informatik.uni-oldenburg.de
FB Physik                         148964@DOLUNI1.bitnet
Carl-von-Ossietzky-Universitaet   Tel. 0049-441-7983527
What you do not want done to you, nobody else wants either; so what is it you want?  (Heinz Erhard)
=============================================================================
rcollins@altos86.Altos.COM (Robert Collins) (02/16/91)
In article <9091@hub.ucsb.edu> 6600sirt@ucsbuxa.ucsb.edu writes:
>I have heard that there is an undocumented LOADALL instruction on the
>286 which allows you to access any part of extended memory without
>leaving "real" mode. This sounds very useful! The person who first

I've recently completed writing a magazine article on 80286 LOADALL, and 80386 LOADALL. However, for probably obvious reasons, I can't post the article. It will be in the October issue of Tech Specialist.

80286 LOADALL, opcode 0F05, requires a 102-byte table at physical address 800h. 80286 LOADALL is described in an Intel-confidential 15-page document. If you bug Intel long enough, and have a good enough reason, they might give it to you.

80386 LOADALL, opcode 0F07, requires a similar table, but is pointed to by ES:EDI. Segment overrides are allowed, but apparently have no effect. To my knowledge, there is no known document describing this instruction. However, I have reverse engineered it, and offer the following description:

386 LOADALL

386 LOADALL instruction (0F07) is similar to the 286 LOADALL instruction (0F05). The 286 instruction requires a 102-byte table to be located at physical address 800h. The 386 LOADALL doesn't have this restriction, and due to the added registers, and features in the 386, has a different table layout.

;---------------------------------------------------------------------
; 386_LOADALL:
;---------------------------------------------------------------------
; Opcode:  0F07
;---------------------------------------------------------------------
; Input:   ES:EDI = Pointer to LOADALL table
; Output:  Registers modified to specified values
;---------------------------------------------------------------------
; Structure definitions:
;---------------------------------------------------------------------
REG_STRUC       STRUC
REG_VAL         DW      ?
                DW      0
                ENDS

DESC_CACHE      STRUC
                DB      0
_Type           DB      ?
                DB      0
                DB      0
_Addr           DD      ?
_Limit          DD      ?
                ENDS
;---------------------------------------------------------------------
; Segment descriptor cache register
;
;    9              6                     3   2               1 1 0   0
;    5              3                     1   3               5 3 7   0
;   +--------------+---------------------+---+---------------+---+---+
;   | 32-bit limit | 32-bit base address | 0 | Access Rights | 0 | 0 |
;   +--------------+---------------------+---+---------------+---+---+
;
;---------------------------------------------------------------------
; 386 Descriptor Cache Access Rights
;
; ++++++++----------------------------- 0=Undefined
; |||||||| +--------------------------- Present            0=No  1=Yes
; |||||||| |++------------------------- Descriptor privilege level
; |||||||| |||+------------------------ System Desc.       0=Sys 1=Code/Data
; |||||||| ||||+++--------------------- Type(*)
; |||||||| ||||||+----------------------- Read/Write  0=R/O 1=R/W
; |||||||| |||||+|----------------------- Expansion   0=Up  1=Dwn
; |||||||| ||||+||----------------------- Executable  0=No  1=Yes*
; |||||||| |||||||                        000=Read Only
; |||||||| |||||||                        001=Read/Write
; |||||||| |||||||                        010=Read Only, Expand down
; |||||||| |||||||                        011=Read/Write, Expand down
; |||||||| |||||||                        100=Execute only
; |||||||| |||||||                        101=Execute/Read
; |||||||| |||||||                        110=Execute only, conforming
; |||||||| |||||||                        111=Execute/Read, conforming
; |||||||| |||||||+-------------------- Accessed
; |||||||| |||||||| +------------------ 0=Undefined
; |||||||| |||||||| |+----------------- Default operand size(+)
; |||||||| |||||||| ||                    0=16-bit operands
; |||||||| |||||||| ||                    1=32-bit operands
; |||||||| |||||||| ||
; |||||||| |||||||| ||++++++-++++++++-- 0=Undefined
; |||||||| |||||||| |||||||| ||||||||
; |||||||| |||||||| |||||||| ||||||||
; 3||||||||2||||||||1||||||||0||||||||0   Bit
; 1||||||||3||||||||5||||||||7||||||||0   Offset
; +++++++++++++++++++++++++++++++++++++
; | Intel  |22221111|11|Intel| Intel  |   (*) = CS can be marked as a R/W
; |Reserved|32109876|54|Rsvd.|Reserved|         data segment if LOADALL
; +++++++++++++++++++++++++++++++++++++         is used to load register.
;                                         (+) = Only applicable for CS
;
;---------------------------------------------------------------------
;---------------------------------------------------------------------
;
; A closer look at the access rights field definitions:
;
;  2 2 2 2 1 1 1 1 1 1 1    Bit       2 2 2 2 1 1 1 1 1 1 1
;  3 2 1 0 9 8 7 6 5 4 3    Offset    3 2 1 0 9 8 7 6 5 4 3
; +-+---+-+-----+-+-+-+-+            +-+---+-+-----+-+-+-+-+
; |P|DPL|S|Type |A|0|G|D|            |P|DPL|S| Type  |0|G|D|
; | |   |0|     | | | | |            | |   |1|       | | | |
; +-+---+-+-----+-+-+-+-+            +-+---+-+-----+-+-+-+-+
;
; Bit:
;   P     Present bit.  1=Present, 0=Not present.
;         This bit signals the CPU if the segment addressed by the
;         segment base address is actually present in memory.
;   DPL   Descriptor Privilege Level:  0=highest, 3=lowest
;   S     System descriptor:  0=Code, Data;  1=System descriptor
;   Type  Segment Type: (S=0)
;         +-+-+-+
;         |X|Y|Z|
;         +-+-+-+
;          | | |
;          | | +-- Read/Write            0=Read-only  1=Read/Write
;          | +---- Expansion direction.  0=Expand up  1=Expand down
;          +------ Executable            0=Data Seg   1=Code Seg
;
;   Type  Segment Type: (S=1)
;         0000 = Reserved
;         0001 = Available 286 TSS
;         0010 = LDT
;         0011 = Busy 286 TSS
;         0100 = 286 Call Gate
;         0101 = Task Gate
;         0110 = 286 Interrupt Gate
;         0111 = 286 Trap Gate
;         1000 = Reserved
;         1001 = Available 386, 486 TSS
;         1010 = Reserved
;         1011 = Busy 386, 486 TSS
;         1100 = 386, 486 Call Gate
;         1101 = Reserved
;         1110 = 386, 486 Interrupt Gate
;         1111 = 386, 486 Trap Gate
;
;   A     Accessed (S=0)  0=Not Accessed  1=Accessed
;         The processor sets this bit when the descriptor is
;         accessed.
;   G     Granularity  0=Byte  1=4k
;         When set, upon loading the limit field of the descriptor
;         cache register, the CPU shifts the limit by 12, and fills
;         in the 1st 12 bits with 1's as follows:
;             SHL  LIMIT,12
;             OR   LIMIT,0FFFh
;   D     Default operand size  0=16-bit  1=32-bit
;         When set, the CPU interprets all operands, and effective
;         addresses as 32-bit values. When clear, all operands
;         and effective addresses are 16-bit values. This bit
;         is only applicable to the CS descriptor cache.
;
;---------------------------------------------------------------------
;---------------------------------------------------------------------
; The definition of these bits is exactly as that of the access
; rights in the descriptor table, with the following exceptions:
;   1) The "PRESENT" bit becomes a valid bit. Using LOADALL, you
;      may load a descriptor cache register whose P bit is marked
;      not present (P=0). During normal CPU operation, simply
;      loading the segment selector with a descriptor table entry
;      whose P=0 will cause an exception-11. This is different
;      from operating with LOADALL. LOADALL will let you load the
;      descriptor cache register with P=0. But any memory
;      reference using that segment selector will cause exception-
;      13.
;   2) The DPL field for SS & CS descriptors determines the CPL.
;   3) The DPL field for DS, ES, FS, & GS should be 3.
;   4) The Granularity (G) bit has no effect on the limit field
;      in the descriptor cache register
;   5) A Code segment (CS) may be Read/Write/Executable by setting
;      the access rights as a Read/Write/Data segment. This will
;      even work in protected mode.
;---------------------------------------------------------------------
;---------------------------------------------------------------------
; LOADALL table:
;---------------------------------------------------------------------
Offset  Description     Size         Value
======  ===========     ====         =====
[00]    CR0             DD           ?
[04]    EFLAGS          DD           ?
[08]    EIP             DD           ?
[0C]    EDI             DD           ?
[10]    ESI             DD           ?
[14]    EBP             DD           ?
[18]    ESP             DD           ?
[1C]    EBX             DD           ?
[20]    EDX             DD           ?
[24]    ECX             DD           ?
[28]    EAX             DD           ?
[2C]    DR6             DD           ?
[30]    DR7             DD           ?
[34]    TR_REG          REG_STRUC    <?>
[38]    LDT_REG         REG_STRUC    <?>
[3C]    GS_REG          REG_STRUC    <?>
[40]    FS_REG          REG_STRUC    <?>
[44]    DS_REG          REG_STRUC    <?>
[48]    SS_REG          REG_STRUC    <?>
[4C]    CS_REG          REG_STRUC    <?>
[50]    ES_REG          REG_STRUC    <?>
[54]    TSS_DESC        DESC_CACHE   <?,?,?>
[60]    IDT_DESC        DESC_CACHE   <0,?,?>
[6C]    GDT_DESC        DESC_CACHE   <0,?,?>
[78]    LDT_DESC        DESC_CACHE   <?,?,?>
[84]    GS_DESC         DESC_CACHE   <?,?,?>
[90]    FS_DESC         DESC_CACHE   <?,?,?>
[9C]    DS_DESC         DESC_CACHE   <?,?,?>
[A8]    SS_DESC         DESC_CACHE   <?,?,?>
[B4]    CS_DESC         DESC_CACHE   <?,?,?>
[C0]    ES_DESC         DESC_CACHE   <?,?,?>
[CC]    LENGTH OF TABLE

--
"Worship the Lord your God, and serve him only."  Mat. 4:10
Robert Collins              UUCP: ...!sun!altos86!rcollins
HOME: (408) 225-8002        WORK: (408) 432-6200 x4356
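As an added example that is not part of Robert Collins' post or his article, here is editor-written C that lays the 386 LOADALL table out in memory following the REG_STRUC/DESC_CACHE definitions and the [offset] column above, cross-checks the offsets, and fills the table for the case the thread is about: returning to real mode (CR0.PE=0) with a DS descriptor cache whose base and limit reach above 1 MB. It only builds the bytes ES:EDI would point at and never executes 0F07, which exists only on a real 80386. The struct and function names, the sample selector/base/limit values, and the choice of S=1 for code/data segments (Intel's convention) are assumptions; the D and G bits are left clear.

```c
/* Added example (editor's code, not from the post): build a 386 LOADALL
 * table using the REG_STRUC / DESC_CACHE layout and offsets given above.
 * Names, sample values and helpers are assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t val; uint16_t zero; } reg_struc;   /* REG_STRUC: selector, pad */
typedef struct {
    uint8_t  pad0;
    uint8_t  type;    /* _Type: access-rights byte (P|DPL|S|Type|A) */
    uint8_t  pad1, pad2;
    uint32_t addr;    /* _Addr: 32-bit linear base */
    uint32_t limit;   /* _Limit: 32-bit limit (store it already expanded) */
} desc_cache;                                                /* DESC_CACHE */
typedef struct {
    uint32_t   cr0, eflags, eip, edi, esi, ebp, esp, ebx, edx, ecx, eax, dr6, dr7;
    reg_struc  tr, ldt, gs, fs, ds, ss, cs, es;
    desc_cache tss, idt, gdt, ldt_desc, gs_desc, fs_desc, ds_desc, ss_desc, cs_desc, es_desc;
} loadall386_table;
#pragma pack(pop)

/* Cross-check the C layout against the [offset] column of the post's table. */
int loadall_layout_ok(void)
{
    return offsetof(loadall386_table, dr7)     == 0x30
        && offsetof(loadall386_table, tr)      == 0x34
        && offsetof(loadall386_table, es)      == 0x50
        && offsetof(loadall386_table, tss)     == 0x54
        && offsetof(loadall386_table, idt)     == 0x60
        && offsetof(loadall386_table, gdt)     == 0x6C
        && offsetof(loadall386_table, ds_desc) == 0x9C
        && offsetof(loadall386_table, cs_desc) == 0xB4
        && offsetof(loadall386_table, es_desc) == 0xC0
        && sizeof(loadall386_table)            == 0xCC;
}

/* Access-rights byte: P (bit 7), DPL (6..5), S (4), Type (3..1), A (0).
 * S=1 means code/data here (Intel's convention, an assumption of this example);
 * type3 is the post's 3-bit Executable/Expansion/Read-Write field. */
uint8_t access_byte(int present, int dpl, int code_data, int type3, int accessed)
{
    return (uint8_t)(((present & 1) << 7) | ((dpl & 3) << 5) | ((code_data & 1) << 4)
                   | ((type3 & 7) << 1) | (accessed & 1));
}

/* The limit expansion the post attributes to G: SHL LIMIT,12 / OR LIMIT,0FFFh.
 * Since the post says G has no effect on the cached limit, callers store the
 * expanded value in _Limit directly. */
uint32_t expand_limit(uint32_t limit, int g)
{
    return g ? (limit << 12) | 0xFFFu : limit;
}

/* Real mode (CR0.PE=0) at cs:ip with a DS window at ds_base..ds_base+ds_limit.
 * CS gets the real-mode shape (base = selector * 16, limit FFFFh); SS/ES/FS/GS
 * are selector 0, base 0, limit FFFFh, R/W data with DPL 3 (the post's note 3). */
void loadall_realmode_ds_window(loadall386_table *t, uint16_t cs, uint16_t ip,
                                uint32_t ds_base, uint32_t ds_limit)
{
    const uint8_t data_rw = access_byte(1, 3, 1, 1, 1);   /* 0F3h */
    const uint8_t code_xr = access_byte(1, 0, 1, 5, 1);   /* 09Bh: execute/read */
    desc_cache *segs[] = { &t->ss_desc, &t->es_desc, &t->fs_desc, &t->gs_desc };

    memset(t, 0, sizeof *t);
    t->cr0    = 0;                    /* PE clear: real mode */
    t->eflags = 0x00000002;           /* always-set bit 1, IF clear */
    t->eip    = ip;
    t->cs.val = cs;
    t->cs_desc.addr  = (uint32_t)cs << 4;
    t->cs_desc.limit = 0xFFFF;
    t->cs_desc.type  = code_xr;
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++) {
        segs[i]->limit = 0xFFFF;
        segs[i]->type  = data_rw;
    }
    t->ds_desc.addr  = ds_base;       /* the cache, not DS_REG, decides what DS reaches */
    t->ds_desc.limit = ds_limit;
    t->ds_desc.type  = data_rw;
    t->idt.limit     = 0x3FF;         /* real-mode IVT: base 0, 256 * 4 bytes */
}

/* Raw views of the bytes ES:EDI would point at (host is assumed little-endian). */
uint8_t  table_u8 (const loadall386_table *t, size_t off) { return ((const uint8_t *)t)[off]; }
uint32_t table_u32(const loadall386_table *t, size_t off)
{
    uint32_t v; memcpy(&v, (const uint8_t *)t + off, 4); return v;
}

int main(void)
{
    loadall386_table t;
    loadall_realmode_ds_window(&t, 0x1000, 0x0100, 0x00100000, 0x000FFFFF);
    printf("layout ok: %d\n", loadall_layout_ok());
    printf("[9D] DS access=%02X  [A0] DS base=%08X  [A4] DS limit=%08X\n",
           table_u8(&t, 0x9D), table_u32(&t, 0xA0), table_u32(&t, 0xA4));
    return 0;
}
```

The offset check is the part worth keeping around: a table that is one byte off silently loads the wrong register, and on real hardware the only symptom is a triple fault, so verify the layout on the host before pointing ES:EDI at it.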
w8sdz@rigel.acs.oakland.edu (Keith Petersen) (02/18/91)
6600sirt@ucsbuxa.ucsb.edu (Mike O'Brien) writes:
>I have heard that there is an undocumented LOADALL instruction on the
>286 which allows you to access any part of extended memory without
>leaving "real" mode. This sounds very useful. [...] Is this file
>available from FTP anywhere?

WSMR-SIMTEL20.ARMY.MIL [26.2.0.74]

NOTE: Type B is Binary; Type A is ASCII

Directory PD1:<MSDOS.SYSUTL>
 Filename     Type  Length  Date    Description
==============================================
VU-XM1C.ZIP   B     36202   900602  286 extended memory peeker using LOADALL

This file is also available from Detroit Download Central.

Keith
--
Keith Petersen
Co-SysOp, Detroit Download Central 313-885-3956 (212/V22bis/HST/V32/V42bis)
Internet: w8sdz@vela.acs.oakland.edu, w8sdz@eddie.mit.edu, w8sdz@brl.mil
Uucp: uunet!umich!vela!w8sdz
BITNET: w8sdz@OAKLAND