DOS ,一個很經典的作業系統,但是我對他的了解還是不夠清楚。
以前如果要在DOS下做Reboot ,在我寫程式的經驗中不外乎就是下面幾種方式:
1. Jmp FFFF:0
2.KBC Cmd FEh
3.CF9h
4.Port 92h
沒想到,在我接觸麥金塔作業系統測試工作的時間中竟然讓我荒廢了那麼多的該學習的知識沒去學,果然前一份工作不應該搞太久的 >.< ! 亡羊補牢,所以我在處理ㄧ些BIOS Bug的過程中所找到的相關文獻中發現,原來Jmp FFFF:0 這個動作不是那麼的安全,有可能會造成問題,這個問題還真的很特別。 因為在一些含有記憶體管理的作業系統中,原來在做這個動作前還需要廣播給相關的程式去做一些動作,例如通知EMM386去清除一些相關設定..等,等他清除完畢後在做Jmp FFFF:0 才不會造成一些不可預期的事情,而這個方式是透過INT 15h/AH=4F來做的。 話雖如此,一般應用程式在Jmp FFFF:0 之後,通常都會Jmp F000:E05B的位址,而這個位址內會放著"相容性的BIOS程式碼位址",簡言之這邊就是BIOS負責Reboot動作的程式碼。 而這段程式碼內,每家的作法都不太ㄧ樣,但最後都會做ㄧ個Warm Boot動作,即CPU Reset。 當CPU Reset後,會從4G頂端開始執行,因此在做Warm boot前,BIOS一般都會把A20打開,然後才做Warm Boot。 而4G頂端的BIOS程式碼,一般都會去判斷ㄧ個條件(目前),而這個條件就是判斷系統是Warm boot/Cold boot ,如果是Warm boot,則BIOS會在做ㄧ次Cold boot,因為做了Cold boot,所以就算沒有透過INT15h廣播,你重新進入到DOS下時也不會有問題。 所以看起來整個DOS下的流程如下所示:
1. DOS下的AP要做Reboot
2.DOS下的AP透過INT15去廣播,告知相關軟體要重新開機了
3.相關軟體因為有Hook INT15h,所以得知要關機了,所以各自負責相關需要關閉或是清理的部份。
4.控制權回到DOS下的AP,此AP做了一個Jum FFFF:0的動作
5.控制權交給BIOS,BIOS檢查相關Flag,BIOS廣播INT15h,BIOS設定BDA Flag=1234h,BIOS設定System Flag,BIOS開啟A20,BIOS做ㄧ個Warm boot(KBC Feh或是CF9)
6.系統重新開機,CPU從4G那邊的Code開始跑
7.BIOS檢查System Flag , 如果是Warm boot -->在做ㄧ次Cold boot,此次 Cold boot 會清除所有的Flag,所以下次從4G那邊開始Run的時候就不會檢查到Warm boot -->正常開機程序
[註1] 開啟A20有三種方式
1.KBC Cmd (D1h - 設定 , D0h讀取狀態)
如果你有I公司的Kx工具 ,你可以使用下列參數去做:
Enable: Kx Cd1 W02 (寫入02或是FEh都可以,因為A20 在bit 1)
Disable: Kx Cd1 W00 (寫入00或是FDh都可以,因為A20 在bit 1)
Read Status: Kx Cd0 I1 (I1,代表讀取1次)
2.Port 92h
需查看EDS Spec,一般都在Bit 1=A20
Enable : Out 92h,02h (或是FEh)
Disable: Out 92h,00h(或是FDh)
3.Call INT 15h/AH=24 (Fast A20)
AL=01 - Enable A20
AL=00 - Disable A20
其實呼叫的中斷內所做的事情就是方式2的方式
[註2] A20開關程式的撰寫
ㄧ般我們會先去呼叫INT15h來開啟,如果失敗則試試看Port 92h方式,如果在失敗才又使用KBC Cmd方式,你可能會問說INT15h不是跟Port 92hㄧ樣嗎,對他們最後都是ㄧ樣方式,但是INT15h是透過BIOS提供的中斷服務程式介面,簡單說就是BIOS可能沒寫INT 15h Services,所以你只好手動去開啟。
[註3]A20是否開啟成功
檢查方式是透過檢查記憶體內容是否ㄧ樣,因為如果A20沒有開啟成功,則記憶體會迴繞,因此你去讀取0000:0000 所看到的資料會跟FFFF:10所看到的一樣,因此我們去比對這兩個記憶體的內容:
相同 : A20開啟失敗
不相同: A20開啟成功,也就是可以存取1M以上的內容
Debug.com方式:
-D 0000:0000
-D FFFF:0010
[註4] INT 15h/AH=4F廣播
1.呼叫INT15h廣播前,須手動設定BDA 40:17內的旗標,bit 3:2=11,也就是填0Ch (Ctrl與Alt Flag=1)
2.呼叫INT15h時,須把DEL key的Scancode放在AL,即AL=53h
其實就是模擬Ctrl+Alt+Del動作,很類似Windows底下的API去通知Driver關閉他們負責的設備,其實DOS下也有,酷吧!
Win98 - 本身沒有記憶體管理,除非掛Himem.sys 掛的時候他會去呼叫INT15h/E820h來得到記憶體容量,因此沒掛的時候你在DOS下A20應該是預設被關閉的,如果有被打開應該就是BIOS開的。
WinME-本身就有記憶體管理,自己會開啟A20,開啟的時候不ㄧ定是透過KBC/Port 92h ,我還沒找到判斷的地方,因此目前我手上的機器中所看到的現象是有可能OS會透過Port 92h來開,也有可能會透過KBC來開,因此BIOS端應該有地方提供資訊,不過我還沒找到~~~
[註5] BIOS真的要開啟A20後ㄧ定要做Warm Boot嗎?
上述的動作是:
Jmp F000:E05b -->BIOS Enable A20-->BIOS檢查/設定Flag -->BIOS Warm boot --> CPU Frist Instruction --> BIOS check Cold/Warm boot --> If warm boot , do cold boot.
我懷疑某些BIOS廠商的動作會變成是:
Jmp F000:E05b -->BIOS Enable A20 --> BIOS檢查/設定Flag -->BIOS check System Flag --> If System flag=warm boot --> do cold boot.
兩者的差別在於有沒有回到4G 頂端。
[註6] Ctrl+Alt+Del
這個對我來說還是個謎,因為DOS會去Hook INT09h,所以搞不清楚到底是誰去判斷Ctrl+Alt+Del,有家BIOS廠商的程式碼中看起來DOS並不會去處理他們,所以會回到BIOS的INT09h中斷去處理,因此我可以在這邊去做ㄧ些事情,但是又有的BIOS廠商在Win98時會回到INT09h,但是在WinME DOS環境下時我又攔截不到OS會把控制權交回去BIOS INT09h,所以只能說 OEM/ODM端的BIOS能拿到的資料還是有限,有時候想追問題也是心有餘而力不足啦~~~
P.S 有時間在去寫一個Hook INT09h來自己處理Ctrl+Alt+Del好了 >.<
以上純屬個人實驗筆記,未必正確!請大家不吝指正!
將自己踏入BIOS領域中所學習到的知識做一些心得整理,像是Legacy BIOS、EFI BIOS、Windows Driver...etc. ※版權與智慧財產權聲明:保留所有法律權利。我在寫文章時如果有引用到其他人的地方我會盡量說明參考出處,如果有遺漏的地方請告訴我,我會馬上註明! 而轉貼我的文章時也請您註明出處!
星期五, 5月 16, 2008
星期四, 5月 15, 2008
Windows下存取4G Memory方式
存取的方式有很多種,我就列幾種比較常看到的方式:
1. WinIo -有開放原始碼,有興趣的可以研究一下,透過Driver層下去做
2. 呼叫NTDll.dll內的函數 - 這是原本我在XP的做法如下!
wchar_t strPath[30]=L"\\device\\physicalmemory";
LoadLibrary("ntdll.dll");
然後使用下列函數:
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
這些函數可以對實體記憶體映射,不過這個方式在Vista下會無法使用,看樣子VISTA基於安全性考量已經這些功能拿掉了!
3.而在Vista下我目前是直接寫IO Driver,然後AP去Call我自己寫的Driver來讀,作法其實是如同WinIO.. ,只是我把我要的功能抽取出來而已,這個方式就是我用來撰寫DumpBIOS這個工具的作法,原本是用方式2,但是Vista不支援因此才改成方式3,你可能會問我為什麼不用方式1 ?
沒為什麼,就是想自己寫個IO Driver而已~~
Reference
Microsoft
Google
1. WinIo -有開放原始碼,有興趣的可以研究一下,透過Driver層下去做
2. 呼叫NTDll.dll內的函數 - 這是原本我在XP的做法如下!
wchar_t strPath[30]=L"\\device\\physicalmemory";
LoadLibrary("ntdll.dll");
然後使用下列函數:
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
這些函數可以對實體記憶體映射,不過這個方式在Vista下會無法使用,看樣子VISTA基於安全性考量已經這些功能拿掉了!
3.而在Vista下我目前是直接寫IO Driver,然後AP去Call我自己寫的Driver來讀,作法其實是如同WinIO.. ,只是我把我要的功能抽取出來而已,這個方式就是我用來撰寫DumpBIOS這個工具的作法,原本是用方式2,但是Vista不支援因此才改成方式3,你可能會問我為什麼不用方式1 ?
沒為什麼,就是想自己寫個IO Driver而已~~
Reference
Microsoft
標籤:
Windows 程式相關
星期三, 5月 14, 2008
你看過古董嗎?
個人電腦發展至今已經數十年了,我當初最早接觸到的電腦是80386年代,在更早之前的連看都沒看過,而教科書上偶爾也會放一些老電腦的照片讓大家看看科技是進步的多麼的快速ㄚ!
我在查資料的過程中遇見了這個網站,他整理了一些老古董電腦,還很認真的幫他寫上規格註解,如果大家有興趣的話可以去這個網站看看,順便懷舊一下喔~~~
http://www.vintage-computer.com/ibm_pc.shtml
我在查資料的過程中遇見了這個網站,他整理了一些老古董電腦,還很認真的幫他寫上規格註解,如果大家有興趣的話可以去這個網站看看,順便懷舊一下喔~~~
http://www.vintage-computer.com/ibm_pc.shtml
星期二, 5月 13, 2008
BIOS Data Area
放一些查資料的網站方便查閱一些資料。
BDA - BIOS Data Area - PC Memory Map
Address Size Description
00:00 256dwords Interrupt vector table
30:00 256bytes Stack area used during post and bootstrap
40:00 word COM1 port address
40:02 word COM2 port address
40:04 word COM3 port address
40:06 word COM4 port address
40:08 word LPT1 port address
40:0A word LPT2 port address
40:0C word LPT3 port address
40:0E word LPT4 port address (except PS/2)
Extended BIOS Data Area segment (PS/2, see EBDA)
40:10 2 bytes Equipment list flags (see INT 11)
|7|6|5|4|3|2|1|0| 40:10 (value in INT 11 register AL)
| | | | | | | `- IPL diskette installed
| | | | | | `-- math coprocessor
| | | | |-+-- old PC system board RAM < 256K
| | | | | `-- pointing device installed (PS/2)
| | | | `--- not used on PS/2
| | `------ initial video mode
`--------- # of diskette drives, less 1
|7|6|5|4|3|2|1|0| 40:11 (value in INT 11 register AH)
| | | | | | | `- 0 if DMA installed
| | | | `------ number of serial ports
| | | `------- game adapter
| | `-------- not used, internal modem (PS/2)
`----------- number of printer ports
40:12 byte PCjr: infrared keyboard link error count
40:13 word Memory size in Kbytes (see INT 12)
40:15 byte Reserved
40:16 byte PS/2 BIOS control flags
40:17 byte Keyboard flag byte 0 (see KB FLAGS)
|7|6|5|4|3|2|1|0| keyboard flag byte 0
| | | | | | | `--- right shift key depressed
| | | | | | `---- left shift key depressed
| | | | | `----- CTRL key depressed
| | | | `------ ALT key depressed
| | | `------- scroll-lock is active
| | `-------- num-lock is active
| `--------- caps-lock is active
`---------- insert is active
40:18 byte Keyboard flag byte 1 (see KB FLAGS)
|7|6|5|4|3|2|1|0| keyboard flag byte
| | | | | | | `--- left CTRL key depressed
| | | | | | `---- left ALT key depressed
| | | | | `----- system key depressed and held
| | | | `------ suspend key has been toggled
| | | `------- scroll lock key is depressed
| | `-------- num-lock key is depressed
| `--------- caps-lock key is depressed
`---------- insert key is depressed
40:19 byte Storage for alternate keypad entry
40:1A word Offset from 40:00 to keyboard buffer head
40:1C word Offset from 40:00 to keyboard buffer tail
40:1E 32bytes Keyboard buffer (circular queue buffer)
40:3E byte Drive recalibration status
|7|6|5|4|3|2|1|0| drive recalibration status
| | | | | | | `-- 1=recalibrate drive 0
| | | | | | `--- 1=recalibrate drive 1
| | | | | `---- 1=recalibrate drive 2
| | | | `----- 1=recalibrate drive 3
| `---------- unused
`----------- 1=working interrupt flag
40:3F byte Diskette motor status
|7|6|5|4|3|2|1|0| diskette motor status
| | | | | | | `-- 1=drive 0 motor on
| | | | | | `--- 1=drive 1 motor on
| | | | | `---- 1=drive 2 motor on
| | | | `----- 1=drive 3 motor on
| `---------- unused
`----------- 1=write operation
40:40 byte Motor shutoff counter (decremented by INT 8)
40:41 byte Status of last diskette operation (see INT 13,1)
|7|6|5|4|3|2|1|0| status of last diskette operation
| | | | | | | `--- invalid diskette command
| | | | | | `---- diskette address mark not found
| | | | | `----- sector not found
| | | | `------ diskette DMA error
| | | `------- CRC check / data error
| | `-------- diskette controller failure
| `--------- seek to track failed
`---------- diskette time-out
40:42 7 bytes NEC diskette controller status (see FDC)
40:49 byte Current video mode (see VIDEO MODE)
40:4A word Number of screen columns
40:4C word Size of current video regen buffer in bytes
40:4E word Offset of current video page in video regen buffer
40:50 8 words Cursor position of pages 1-8, high order byte=row
low order byte=column; changing this data isn't
reflected immediately on the display
40:60 byte Cursor ending (bottom) scan line (don't modify)
40:61 byte Cursor starting (top) scan line (don't modify)
40:62 byte Active display page number
40:63 word Base port address for active 6845 CRT controller
3B4h = mono, 3D4h = color
40:65 byte 6845 CRT mode control register value (port 3x8h)
EGA/VGA values emulate those of the MDA/CGA
40:66 byte CGA current color palette mask setting (port 3d9h)
EGA and VGA values emulate the CGA
40:67 dword CS:IP for 286 return from protected mode
dword Temp storage for SS:SP during shutdown
dword Day counter on all products after AT
dword PS/2 Pointer to reset code with memory preserved
5 bytes Cassette tape control (before AT)
40:6C dword Daily timer counter, equal to zero at midnight;
incremented by INT 8; read/set by INT 1A
40:70 byte Clock rollover flag, set when 40:6C exceeds 24hrs
40:71 byte BIOS break flag, bit 7 is set if Ctrl-Break was
*ever* hit; set by INT 9
40:72 word Soft reset flag via Ctl-Alt-Del or JMP FFFF:0
1234h Bypass memory tests & CRT initialization
4321h Preserve memory
5678h System suspend
9ABCh Manufacturer test
ABCDh Convertible POST loop
????h many other values are used during POST
40:74 byte Status of last hard disk operation (see INT 13,1)
40:75 byte Number of hard disks attached
40:76 byte XT fixed disk drive control byte
40:77 byte Port offset to current fixed disk adapter
40:78 4 bytes Time-Out value for LPT1,LPT2,LPT3(,LPT4 except PS/2)
40:7C 4 bytes Time-Out value for COM1,COM2,COM3,COM4
40:80 word Keyboard buffer start offset (seg=40h,BIOS 10-27-82)
40:82 word Keyboard buffer end offset (seg=40h,BIOS 10-27-82)
40:84 byte Rows on the screen (less 1, EGA)
40:85 word Point height of character matrix (EGA)
byte PCjr: character to be repeated if the typematic
repeat key takes effect
40:86 byte PCjr: initial delay before repeat key action begins
40:87 byte PCjr: current Fn function key number
byte Video mode options (EGA)
|7|6|5|4|3|2|1|0| Video mode options (EGA)
| | | | | | | `-- 1=alphanumeric cursor emulation enabled
| | | | | | `--- 1=video subsystem attached to monochrome
| | | | | `---- reserved
| | | | `----- 1=video subsystem is inactive
| | | `------ reserved
| `--------- video RAM 00-64K 10-192K 01-128K 11-256K
`---------- video mode number passed to INT 10, function 0
40:88 byte PCjr: third keyboard status byte
EGA feature bit switches, emulated on VGA
|7|6|5|4|3|2|1|0| EGA feature bit switches (EGA)
| | | | | | | `-- EGA SW1 config (1=off)
| | | | | | `--- EGA SW2 config (1=off)
| | | | | `---- EGA SW3 config (1=off)
| | | | `----- EGA SW4 config (1=off)
| | | `------ Input FEAT0 (ISR0 bit 5) after output on FCR0
| | `------- Input FEAT0 (ISR0 bit 6) after output on FCR0
| `-------- Input FEAT1 (ISR0 bit 5) after output on FCR1
`--------- Input FEAT1 (ISR0 bit 6) after output on FCR1
40:89 byte Video display data area (MCGA and VGA)
|7|6|5|4|3|2|1|0| Video display data area (MCGA and VGA)
| | | | | | | `-- 1=VGA is active
| | | | | | `--- 1=gray scale is enabled
| | | | | `---- 1=using monochrome monitor
| | | | `----- 1=default palette loading is disabled
| | | `------ see table below
| | `------- reserved
| `-------- 1=display switching enabled
`--------- alphanumeric scan lines (see table below)
Bit7 Bit4 Scan Lines
0 0 350 line mode
0 1 400 line mode
1 0 200 line mode
1 1 reserved
40:8A byte Display Combination Code (DCC) table index (EGA)
40:8B byte Last diskette data rate selected
|7|6|5|4|3|2|1|0| last diskette data rate selected
| | | | `--------- reserved
| | `------------ last floppy drive step rate selected
`-------------- last floppy data rate selected
Data Rate Step Rate
00 500K bps 00 step rate time of 0C
01 300K bps 01 step rate time of 0D
10 250K bps 10 step rate time of 0A
11 reserved 11 reserved
40:8C byte Hard disk status returned by controller
40:8D byte Hard disk error returned by controller
40:8E byte Hard disk interrupt control flag(bit 7=working int)
40:8F byte Combination hard/floppy disk card when bit 0 set
40:90 4 bytes Drive 0,1,2,3 media state
|7|6|5|4|3|2|1|0| drive media state (4 copies)
| | | | | `------- drive/media state (see below)
| | | | `------- reserved
| | | `------- 1=media/drive established
| | `------- double stepping required
`--------- data rate: 00=500K bps 01=300K bps
10=250K bps 11=reserved
Bits
210 Drive Media State
000 360Kb diskette/360Kb drive not established
001 360Kb diskette/1.2Mb drive not established
010 1.2Mb diskette/1.2Mb drive not established
011 360Kb diskette/360Kb drive established
100 360Kb diskette/1.2Mb drive established
101 1.2Mb diskette/1.2Mb drive established
110 Reserved
111 None of the above
40:94 byte Track currently seeked to on drive 0
40:95 byte Track currently seeked to on drive 1
40:96 byte Keyboard mode/type
|7|6|5|4|3|2|1|0| Keyboard mode/type
| | | | | | | `--- last code was the E1 hidden code
| | | | | | `---- last code was the E0 hidden code
| | | | | `----- right CTRL key depressed
| | | | `------ right ALT key depressed
| | | `------- 101/102 enhanced keyboard installed
| | `-------- force num-lock if Rd ID & KBX
| `--------- last char was first ID char
`---------- read ID in process
40:97 byte Keyboard LED flags
|7|6|5|4|3|2|1|0| Keyboard LED flags
| | | | | | | `--- scroll lock indicator
| | | | | | `---- num-lock indicator
| | | | | `----- caps-lock indicator
| | | | `------ circus system indicator
| | | `------- ACK received
| | `-------- re-send received flag
| `--------- mode indicator update
`---------- keyboard transmit error flag
40:98 dword Pointer to user wait complete flag
40:9C dword User wait Time-Out value in microseconds
40:A0 byte RTC wait function flag
|7|6|5|4|3|2|1|0| INT 15,86 RTC wait function flag
| | | | | | | `--- 1= wait pending
| `-------------- not used
`--------------- 1=INT 15,86 wait time elapsed
40:A1 byte LANA DMA channel flags
40:A2 2 bytes Status of LANA 0,1
40:A4 dword Saved hard disk interrupt vector
40:A8 dword BIOS Video Save/Override Pointer Table address
(see VIDEO TABLES)
40:AC 8 bytes Reserved
40:B4 byte Keyboard NMI control flags (convertible)
40:B5 dword Keyboard break pending flags (convertible)
40:B9 byte Port 60 single byte queue (convertible)
40:BA byte Scan code of last key (convertible)
40:BB byte NMI buffer head pointer (convertible)
40:BC byte NMI buffer tail pointer (convertible)
40:BD 16bytes NMI scan code buffer (convertible)
40:CE word Day counter (convertible and after)
40:F0 16bytes Intra-Applications Communications Area (IBM Technical
Reference incorrectly locates this at 50:F0-50:FF)
Address Size Description (BIOS/DOS Data Area)
50:00 byte Print screen status byte
00 = PrtSc not active,
01 = PrtSc in progress
FF = error
50:01 3 bytes Used by BASIC
50:04 byte DOS single diskette mode flag, 0=A:, 1=B:
50:05 10bytes POST work area
50:0F byte BASIC shell flag; set to 2 if current shell
50:10 word BASICs default DS value (DEF SEG)
50:12 dword Pointer to BASIC INT 1C interrupt handler
50:16 dword Pointer to BASIC INT 23 interrupt handler
50:1A dword Pointer to BASIC INT 24 disk error handler
50:20 word DOS dynamic storage
50:22 14bytes DOS diskette initialization table (INT 1E)
50:30 4bytes MODE command
70:00 I/O drivers from IO.SYS/IBMBIO.COM
The following map varies in size and locus
07C0:0 Boot code is loaded here at startup (31k mark)
A000:0 EGA/VGA RAM for graphics display mode 0Dh & above
B000:0 MDA RAM, Hercules graphics display RAM
B800:0 CGA display RAM
C000:0 EGA/VGA BIOS ROM (thru C7FF)
C400:0 Video adapter ROM space
C600:0 256bytes PGA communication area
C800:0 16K Hard disk adapter BIOS ROM
C800:5 XT Hard disk ROM format, AH=Drive, AL=Interleave
D000:0 32K Cluster adapter BIOS ROM
D800:0 PCjr conventionalsoftware cartridge address
E000:0 64K Expansion ROM space (hardwired on AT)
128K PS/2 System ROM (thru F000)
F000:0 System monitor ROM
PCjr: software cartridge override address
F400:0 System expansion ROMs
F600:0 IBM ROM BASIC (AT)
F800:0 PCjr software cartridge override address
FC00:0 BIOS ROM
FF00:0 System ROM
FFA6:E ROM graphics character table
FFFF:0 ROM bootstrap code
FFFF:5 8 bytes ROM date (not applicable for all clones)
FFFF:E byte ROM machine id (see MACHINE ID)
Reference
http://docs.huihoo.com/help-pc/index.html
標籤:
IA32 相關基礎知識
訂閱:
文章 (Atom)