Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!apple!altos!altos86!rcollins
From: rcollins@altos86.Altos.COM (Robert Collins)
Newsgroups: comp.os.msdos.programmer
Subject: Re: LOADALL
Message-ID: <4743@altos86.Altos.COM>
Date: 15 Feb 91 16:29:12 GMT
References: <9091@hub.ucsb.edu>
Reply-To: rcollins@altos86.UUCP (Robert Collins)
Organization: Altos Computer Systems, San Jose, CA
Lines: 227

In article <9091@hub.ucsb.edu> 6600sirt@ucsbuxa.ucsb.edu writes:
>I have heard that there is an undocumented LOADALL instruction on the
>286 which allows you to access any part of extended memory without
>leaving "real" mode.  This sounds very useful!  The person who first

I've recently completed writing a magazine article on 80286 LOADALL and
80386 LOADALL.  However, for probably obvious reasons, I can't post the
article.  It will be in the October issue of Tech Specialist.

80286 LOADALL, opcode 0F05, requires a 102-byte table at physical address
800h.  80286 LOADALL is described in an Intel-confidential 15-page
document.  If you bug Intel long enough, and have a good enough reason,
they might give it to you.

80386 LOADALL, opcode 0F07, requires a similar table, but it is pointed to
by ES:EDI.  Segment overrides are allowed, but apparently have no effect.
To my knowledge, there is no known document describing this instruction.
However, I have reverse engineered it, and offer the following
description:

                               386 LOADALL

The 386 LOADALL instruction (0F07) is similar to the 286 LOADALL
instruction (0F05).  The 286 instruction requires a 102-byte table to be
located at physical address 800h.  The 386 LOADALL doesn't have this
restriction, and, due to the added registers and features in the 386, has
a different table layout.
;---------------------------------------------------------------------
; 386_LOADALL:
;---------------------------------------------------------------------
; Opcode:  0F07
;---------------------------------------------------------------------
; Input:   ES:EDI = Pointer to LOADALL table
; Output:  Registers modified to specified values
;---------------------------------------------------------------------
; Structure definitions:
;---------------------------------------------------------------------
REG_STRUC       STRUC
REG_VAL         DW      ?
                DW      0
                ENDS

DESC_CACHE      STRUC
                DB      0
_Type           DB      ?
                DB      0
                DB      0
_Addr           DD      ?
_Limit          DD      ?
                ENDS
;---------------------------------------------------------------------
; Segment descriptor cache register
;
;   9              6                     3   2             1 1 0   0
;   5              3                     1   3             5 3 7   0
;   +--------------+---------------------+---+---------------+---+---+
;   | 32-bit limit | 32-bit base address | 0 | Access Rights | 0 | 0 |
;   +--------------+---------------------+---+---------------+---+---+
;
;---------------------------------------------------------------------
; 386 Descriptor Cache Access Rights
;
;  ++++++++----------------------------- 0=Undefined
;  |||||||| +--------------------------- Present 0=No 1=Yes
;  |||||||| |++------------------------- Descriptor privilege level
;  |||||||| |||+------------------------ System Desc. 0=Sys 1=Code/Data
;  |||||||| ||||+++--------------------- Type(*)
;  |||||||| ||||||+-----------------------Read/Write 0=R/O 1=R/W
;  |||||||| |||||+|-----------------------Expansion 0=Up 1=Dwn
;  |||||||| ||||+||-----------------------Executable 0=No 1=Yes*
;  |||||||| |||||||          000=Read Only
;  |||||||| |||||||          001=Read/Write
;  |||||||| |||||||          010=Read Only, Expand down
;  |||||||| |||||||          011=Read/Write, Expand down
;  |||||||| |||||||          100=Execute only
;  |||||||| |||||||          101=Execute/Read
;  |||||||| |||||||          110=Execute only, conforming
;  |||||||| |||||||          111=Execute/Read, conforming
;  |||||||| |||||||+-------------------- Accessed
;  |||||||| |||||||| +------------------ 0=Undefined
;  |||||||| |||||||| |+----------------- Default operand size(+)
;  |||||||| |||||||| ||          0=16-bit operands
;  |||||||| |||||||| ||          1=32-bit operands
;  |||||||| |||||||| ||
;  |||||||| |||||||| ||++++++-++++++++-- 0=Undefined
;  |||||||| |||||||| |||||||| ||||||||
;  |||||||| |||||||| |||||||| ||||||||
; 3||||||||2||||||||1||||||||0||||||||0   Bit
; 1||||||||3||||||||5||||||||7||||||||0   Offset
; +++++++++++++++++++++++++++++++++++++
; | Intel  |22221111|11|Intel| Intel  |   (*) = CS can be marked as a R/W
; |Reserved|32109876|54|Rsvd.|Reserved|         data segment if LOADALL
; +++++++++++++++++++++++++++++++++++++         is used to load register.
;                                         (+) = Only applicable for CS
;
;---------------------------------------------------------------------
;---------------------------------------------------------------------
;
; A closer look at the access rights field definitions:
;
;  2 2 2 2 1 1 1 1 1 1 1  Bit        2 2 2 2 1 1 1 1 1 1 1
;  3 2 1 0 9 8 7 6 5 4 3  Offset     3 2 1 0 9 8 7 6 5 4 3
; +-+---+-+-----+-+-+-+-+           +-+---+-+-----+-+-+-+-+
; |P|DPL|S|Type |A|0|G|D|           |P|DPL|S| Type  |0|G|D|
; | |   |0|     | | | | |           | |   |1|       | | | |
; +-+---+-+-----+-+-+-+-+           +-+---+-+-----+-+-+-+-+
;
; Bit:
;   P     Present bit.  1=Present, 0=Not present.
;         This bit signals the CPU if the segment addressed by the
;         segment base address is actually present in memory.
;   DPL   Descriptor Privilege Level:  0=highest, 3=lowest
;   S     System descriptor:  0=Code, Data; 1=System descriptor
;   Type  Segment Type: (S=0)
;         +-+-+-+
;         |X|Y|Z|
;         +-+-+-+
;          | | |
;          | | +--  Read/Write            0=Read-only   1=Read/Write
;          | +----  Expansion direction.  0=Expand up   1=Expand down
;          +------  Executable            0=Data Seg    1=Code Seg
;
;   Type  Segment Type: (S=1)
;         0000 = Reserved
;         0001 = Available 286 TSS
;         0010 = LDT
;         0011 = Busy 286 TSS
;         0100 = 286 Call Gate
;         0101 = Task Gate
;         0110 = 286 Interrupt Gate
;         0111 = 286 Trap Gate
;         1000 = Reserved
;         1001 = Available 386, 486 TSS
;         1010 = Reserved
;         1011 = Busy 386, 486 TSS
;         1100 = 386, 486 Call Gate
;         1101 = Reserved
;         1110 = 386, 486 Interrupt Gate
;         1111 = 386, 486 Trap Gate
;
;   A     Accessed (S=0)  0=Not Accessed  1=Accessed
;         The processor sets this bit when the descriptor is
;         accessed.
;   G     Granularity  0=Byte  1=4k
;         When set, upon loading the limit field of the descriptor
;         cache register, the CPU shifts the limit by 12, and fills
;         in the 1st 12 bits with 1's as follows:
;                 SHL     LIMIT,12
;                 OR      LIMIT,0FFFh
;   D     Default operand size  0=16-bit  1=32-bit
;         When set, the CPU interprets all operands, and effective
;         addresses as 32-bit values.  When clear, all operands
;         and effective addresses are 16-bit values.  This bit
;         is only applicable to the CS descriptor cache.
;
;---------------------------------------------------------------------
;---------------------------------------------------------------------
; The definition of these bits is exactly as that of the access
; rights in the descriptor table, with the following exceptions:
;   1) The "PRESENT" bit becomes a valid bit.  Using LOADALL, you
;      may load a descriptor cache register whose P bit is marked
;      not present (P=0).  During normal CPU operation, simply
;      loading the segment selector with a descriptor table entry
;      whose P=0 will cause an exception-11.  This is different
;      from operating with LOADALL.  LOADALL will let you load the
;      descriptor cache register with P=0.  But any memory
;      reference using that segment selector will cause
;      exception-13.
;   2) The DPL field for SS & CS descriptors determines the CPL.
;   3) The DPL field for DS, ES, FS, & GS should be 3.
;   4) The Granularity (G) bit has no effect on the limit field
;      in the descriptor cache register.
;   5) A Code segment (CS) may be Read/Write/Executable by setting
;      the access rights as a Read/Write/Data segment.  This will
;      even work in protected mode.
;---------------------------------------------------------------------
;---------------------------------------------------------------------
; LOADALL table:
;---------------------------------------------------------------------
Offset  Description     Size            Value
======  ===========     ====            =====
[00]    CR0             DD              ?
[04]    EFLAGS          DD              ?
[08]    EIP             DD              ?
[0C]    EDI             DD              ?
[10]    ESI             DD              ?
[14]    EBP             DD              ?
[18]    ESP             DD              ?
[1C]    EBX             DD              ?
[20]    EDX             DD              ?
[24]    ECX             DD              ?
[28]    EAX             DD              ?
[2C]    DR6             DD              ?
[30]    DR7             DD              ?
[34]    TR_REG          REG_STRUC
[38]    LDT_REG         REG_STRUC
[3C]    GS_REG          REG_STRUC
[40]    FS_REG          REG_STRUC
[44]    DS_REG          REG_STRUC
[48]    SS_REG          REG_STRUC
[4C]    CS_REG          REG_STRUC
[50]    ES_REG          REG_STRUC
[54]    TSS_DESC        DESC_CACHE
[60]    IDT_DESC        DESC_CACHE      <0,?,?>
[6C]    GDT_DESC        DESC_CACHE      <0,?,?>
[78]    LDT_DESC        DESC_CACHE
[84]    GS_DESC         DESC_CACHE
[90]    FS_DESC         DESC_CACHE
[9C]    DS_DESC         DESC_CACHE
[A8]    SS_DESC         DESC_CACHE
[B4]    CS_DESC         DESC_CACHE
[C0]    ES_DESC         DESC_CACHE
[CC]    LENGTH OF TABLE

--
"Worship the Lord your God, and serve him only."  Mat. 4:10
Robert Collins           UUCP: ...!sun!altos86!rcollins
HOME: (408) 225-8002     WORK: (408) 432-6200 x4356