switching into Real Mode

[Wacky]

Hi

I've written a function to switch from PMode into Real Mode.
But if i execute this funktion, the cpu triple faults!

This is the funktion:

Code: Select all

[global _shutdown]
_shutdown:
[BITS 32]
   cli      ; Interrupts werden verboten
   
   mov   eax, REAL_CODE_SEL
   mov    ss, eax
   
   ;nun wechseln wir in den 16-Bit Protected Mode
   jmp   dword REAL_CODE_SEL:prm
   
[BITS 16]
prm:
   ; Wir verlassen den Protected Mode
   mov   eax, cr0
   and   al, 0xFE
   mov   cr0, eax

   jmp   dword 0x00:rm
   
   rm:
      ; Stack anpassen
      xor   ax, ax
      mov   ds, ax
      mov   es, ax
      mov   fs, ax
      mov   gs, ax
   
        mov   ax, 0x1000
        mov   ss, ax

        ; Die alte 16-Bit IDT wiederherstellen..
        mov   dx, 0x70
        in   al, dx
        and   al, 0x7F
        out   dx, al
        sti
       
        jmp $
            ; Shutdown will comming soon

The REAL_MODE_SEL:

Code: Select all

REAL_CODE_SEL equ $-gdt
dw 0xFFFF
dw 0
db 0
db 0x9A
db 0         ;16-bit
db 0

and this say Bochs:

Code: Select all

00968283000i[CPU  ] protected mode
00968283000i[CPU  ] CS.d_b = 32 bit
00968283000i[CPU  ] SS.d_b = 32 bit
00968283000i[CPU  ] | EAX=000006c4  EBX=00000fff  ECX=00000064  EDX=0000000f
00968283000i[CPU  ] | ESP=000006e0  EBP=000006e8  ESI=00000fff  EDI=000c3000
00968283000i[CPU  ] | IOPL=0 NV UP DI PL NZ NA PO NC
00968283000i[CPU  ] | SEG selector     base    limit G D
00968283000i[CPU  ] | SEG sltr(index|ti|rpl)     base    limit G D
00968283000i[CPU  ] |  DS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] |  ES:0010( 0002| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] |  FS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] |  GS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] |  SS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] |  CS:0018( 0003| 0|  0) 00000000 000fffff 1 1
00968283000i[CPU  ] | EIP=ff80ae37 (ff80ae37)
00968283000i[CPU  ] | CR0=0xe0000011 CR1=0x00000000 CR2=0x00000000
00968283000i[CPU  ] | CR3=0x0009e000 CR4=0x00000000
00968283000i[     ] restoring default signal behavior
00968283000i[CTRL ] quit_sim called with exit code 1

Why does my code not work?

thx for every help.. wacky

[Pype.Clicker]

considering the value of EIP, it looks that you're trying to return to realmode while being in the "high end" of the memory. Make sure your 'returning code" (both 16 and 32 bits) is 1:1 mapped below 1MB barrier will certainly lead to better results.

[ASHLEY4]

This code works, look at the difference .

Code: Select all

; switch to 16-bit protected mode on your way to real mode
   jmp REAL_CODE_SEL:do_16

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;   16-bit protected mode
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[BITS 16]
; switch to 16-bit stack and data
do_16:   mov ax,REAL_DATA_SEL
   mov ds,ax
   mov ss,ax
   nop
; push real-mode CS:IP
   lea bx,[do_rm]
   push bp
   push bx
; clear PE [protected mode enable] bit and return to real mode
      mov eax,cr0
      and al,0xFE
      mov cr0,eax
      retf      ; jumps to do_rm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;   16-bit real mode again
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; restore real-mode segment register values
do_rm:   mov ax,cs
   mov ds,ax
   mov ss,ax
   nop
   mov es,ax
   mov fs,ax
   mov gs,ax
; point to real-mode IDTR
   lidt [ridtr]
; re-enable interrupts
   sti
; exit to DOS with errorlevel 0
   mov ax,0x4C00
   int 0x21

ASHLEY4.

[Pype.Clicker]

ouch ouch ouch ... loading SS with a CODE selector ??

honestly, if you really need to go back to real mode, i suggest you use a dos extender (pmode32, tran's Start32 or something alike) as base and study how and why it works ...

[Wacky]

ouch ouch ouch ... loading SS with a CODE selector ??

... ups! ::)


OK, now i've changed the code. The CPU is in Real-Mode !
But i think there's still a Problem in my Far-Jump.

Please have a look at my (new) code:

Code: Select all

[global _shutdown]
_shutdown:
[BITS 32]

   cli      ; disable interrupts

   ; let's create a new stack
   mov   ax, REAL_DATA_SEL
   mov   ds, ax
   mov   ss, ax

   ; We're leaving PMode
   mov   eax, cr0
   and al,0xFE
   mov   cr0, eax
   
   jmp   REAL_CODE_SEL:rm

[BITS 16]
   
rm:
   
   ; Stack-Stuff
   mov   ax, cs
   mov   dx, ax
   mov   ss, ax
   mov   es, ax
   mov   fs, ax
   mov   gs, ax
   
   ; restore the Real-Mode IDT
   mov   dx, 0x70
   in   al, dx
   and   al, 0x7F
   out   dx, al
   sti

   [...]

IMHO it should work! But BOCHS isn't my opinion.. :-\

Code: Select all

00071628830p[CPU  ] >>PANIC<< prefetch: RIP > CS.limit
00071628830i[SYS  ] Last time is 1083337951
00071628830i[CPU  ] real mode
00071628830i[CPU  ] CS.d_b = 16 bit
00071628830i[CPU  ] SS.d_b = 16 bit
00071628830i[CPU  ] | EAX=e0000010  EBX=00000fff  ECX=00000064  EDX=0000001c
00071628830i[CPU  ] | ESP=0000ffff  EBP=0000075c  ESI=00000fff  EDI=000c3000
00071628830i[CPU  ] | IOPL=0 NV UP DI PL NZ NA PO NC
00071628830i[CPU  ] | SEG selector     base    limit G D
00071628830i[CPU  ] | SEG sltr(index|ti|rpl)     base    limit G D
00071628830i[CPU  ] |  DS:0028( 0005| 0|  0) 00000000 0000ffff 0 0
00071628830i[CPU  ] |  ES:0010( 0002| 0|  0) 00000000 000fffff 1 1
00071628830i[CPU  ] |  FS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00071628830i[CPU  ] |  GS:0010( 0002| 0|  0) 00000000 000fffff 1 1
00071628830i[CPU  ] |  SS:0028( 0005| 0|  0) 00000000 0000ffff 0 0
00071628830i[CPU  ] |  CS:0020( 0003| 0|  0) 00000200 0000ffff 0 0
00071628830i[CPU  ] | EIP=ff800093 (ff800093)
00071628830i[CPU  ] | CR0=0xe0000010 CR1=0x00000000 CR2=0x00000000
00071628830i[CPU  ] | CR3=0x0009e000 CR4=0x00000000
00071628830i[     ] restoring default signal behavior
00071628830i[CTRL ] quit_sim called with exit code 1

>>PANIC<< prefetch: RIP > CS.limit
What does this mean? (Rest in peace, or what! )

The Question is: Why does this happen and how can i fix this?


Thanks for all answers and tips... wacky

[BI lazy]

your eip is is outta 16 bit mode realms, so no wonder it crashes.

you oughta jump to a location *inside* the first 1 mb of memory IRC

[DennisCGc]

I think it's because you run this >1 MB, or anyway, you try to run this over the CS limit.
So I would suggest that you run this < 1MB.

HTH, DennisCGc.

[Wacky]

your eip is is outta 16 bit mode

Code: Select all

[...]
jmp   REAL_CODE_SEL:rm

[BITS 16]
rm:
[...]

Shouldn't this be enought to set the eip < 1MB ? ???
If not, what is the best way to do this?

[BI lazy]

the problem is that you issue this jmp with 32 bit code albeit it is expected to be 16 bit code.

look at ashleys code. It should show you exactly, where the heck the dog is buried. (*chuckle* I'd prefer some juicy english idiom instead of a lame translation of a german one)

[ich_will]

My shutdown.asm: all works fine, I copy this function to 0x500
and jmp to it. But if i try to jump into realmode like this:

jmp word 0x20:real_mode (0x20 is the same selector Wacky sends as real_mode_sel)

bochs ends with:

00020520492i[CPU ] real mode
00020520492i[CPU ] CS.d_b = 16 bit
00020520492i[CPU ] SS.d_b = 16 bit
00020520492i[CPU ] | EAX=6000004d EBX=00000400 ECX=00000005 EDX=000003d8
00020520492i[CPU ] | ESP=00007fdc EBP=0000f829 ESI=0000f8fe EDI=000079d0
00020520492i[CPU ] | IOPL=0 NV UP DI PL NZ NA PE CY
00020520492i[CPU ] | SEG selector base limit G D
00020520492i[CPU ] | SEG sltr(index|ti|rpl) base limit G D
00020520492i[CPU ] | DS:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00020520492i[CPU ] | ES:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00020520492i[CPU ] | FS:0018( 0003| 0| 0) 00000000 0000ffff 0 0
00020520492i[CPU ] | GS:0018( 0003| 0| 0) 00000000 0000ffff 0 0
00020520492i[CPU ] | SS:9000( 0003| 0| 0) 00090000 0000ffff 0 0
00020520492i[CPU ] | CS:fcaf( 0005| 0| 0) 000fcaf0 0000ffff 0 0
00020520492i[CPU ] | EIP=00010510 (0001050f)
00020520492i[CPU ] | CR0=0x60000010 CR1=0x00000000 CR2=0x00000000
00020520492i[CPU ] | CR3=0x00000000 CR4=0x00000000
00020520492i[ ] restoring default signal behavior
========================================================================
Bochs is exiting with the following message:
[CPU ] prefetch: RIP > CS.limit
========================================================================
00020520492i[CTRL ] quit_sim called with exit code 1

EIP haven't every time the same value, but most 00007a0f. Or if I call an interrupt bochs ends with:

00026795750i[CPU ] real mode
00026795750i[CPU ] CS.d_b = 16 bit
00026795750i[CPU ] SS.d_b = 16 bit
00026795750i[CPU ] | EAX=600000f9 EBX=00000001 ECX=00000001 EDX=00000007
00026795750i[CPU ] | ESP=00000001 EBP=00007fca ESI=00000004 EDI=00000000
00026795750i[CPU ] | IOPL=0 NV UP DI NG NZ NA PE NC
00026795750i[CPU ] | SEG selector base limit G D
00026795750i[CPU ] | SEG sltr(index|ti|rpl) base limit G D
00026795750i[CPU ] | DS:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00026795750i[CPU ] | ES:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00026795750i[CPU ] | FS:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00026795750i[CPU ] | GS:0000( 0003| 0| 0) 00000000 0000ffff 0 0
00026795750i[CPU ] | SS:9000( 0003| 0| 0) 00090000 0000ffff 0 0
00026795750i[CPU ] | CS:0000( 0005| 0| 0) 00000000 0000ffff 0 0
00026795750i[CPU ] | EIP=00000000 (00000000)
00026795750i[CPU ] | CR0=0x60000010 CR1=0x00000000 CR2=0x00000000
00026795750i[CPU ] | CR3=0x00000000 CR4=0x00000000
00026795750i[ ] restoring default signal behavior
========================================================================
Bochs is exiting with the following message:
[CPU ] CPU shutting down due to lack of stack space, SP==1
========================================================================
00026795750i[CTRL ] quit_sim called with exit code 1

before I load a Pmode IDT i save the real_mode IDT with this:

Code: Select all

old_idt:
   dw (256*8)-1
   dd 0x6000
...
sidt [old_idt]   ; save idt

Code: Select all

[ORG 0x500]
[BITS 32]
   ;------ clear the PG bit ------
   mov eax, cr0
   xor eax, 0x80000000
   mov cr0, eax

   ;------ clear the paging cache ------
   xor eax, eax
   mov cr3, eax

   mov ax, 0x18
   mov ds, ax
   mov es, ax
   mov fs, ax
   mov gs, ax
   mov ss, ax

   ;------ clear the PE bit ------   
   mov eax, cr0
   xor eax, 1
   mov cr0, eax

   ;------ do a far jump to a 16-bit code segment ------
   jmp word 0x00:real_mode

[BITS 16]
msg1 db "Test Text",0

    real_mode:
   lidt [real_idt_desc]

   xor ax, ax
   mov ds, ax
   mov es, ax
   mov fs, ax
   mov gs, ax

   mov ax, 0x9000
   mov ss, ax
   mov esp, 0x8000

   mov si, msg1
   call putstr

   cli
   hlt

real_idt_desc:
   dw (256*8)-1
   dd 0x6000

putstr:
   lodsb         ; load the next character
   or al,al      ; if al = 0 (= character)
   jz short putstrd   ; return
   mov ah, 0x0E      ; function 0x0E (display character)
   mov bh, 0x00      ; current page
   mov bl,   0x07      ; color
   int 0x10      ; call display interrupt
   jmp putstr
putstrd:
   ret

[ASHLEY4]

Take a look at the code i posted ,it works fine.

ASHLEY4.

[Pype.Clicker]

Wacky, i think you cannot so simply get back to real mode in the 32bits framework you've set up ... I suggest you take the following actions:

• make sure you didn't touch the real mode IVT nor the BIOS Data Area
• Make sure your 16 bits code contains no reference except references relative to the 16bits code itself (it should be assemblable as a separate .asm to a .com, for instance). Put an 'ORG 0' at the start of that 16 bits section.
• allocate some 16 bytes-aligned memory area between 0:0x1000 and 0x9000:0xffff. Copy your 16bits code there.
• compute the segment value of that allocated memory
• have a 16 bits protected mode descriptor that points wherever you wish (Hint: make sure your p16: is either in the first 64K or that the code16 descriptor has a base that will allow p16 to stay in the 64K limit.
• jump to code within that protected descriptor (jmp CODE16:p16_relative_to_code16_base)
• disable interrupts, reload all data selectors (including stack) with a DATA16, 64K-limited selector. Reload IDTR with IVT values
• clear the PM and PG bits of CR0 at once
• jump to your realmode terminator code (jmp <computed_segment>:0 )
• reload data segments with valid realmode values.
• enable interrupts and terminate your program.

All 'BITS 16' does is telling your assembler the following bytes should be assembled for 16 bits decoding. Nothing more ... Nothing less ...

[Therx]

couldn't you go into unreal mode so you can still access the full address space but also have BIOS access?

Pete

[Pype.Clicker]

couldn't you go into unreal mode so you can still access the full address space but also have BIOS access?

Pete

That won't solve his problem, imho. Even in unreal mode, code needs to be below 1MB and within a 64KB segment ... any attempt to enfringe this rule will break things badly

[ASHLEY4]

I would do this:
In real mode before going to pmode (eg: under 1mb)

Code: Select all

mov ax,cs
mov [real_mode_cs],ax
lea ax,[we_are_inreal_mode]
mov [Real_mode_IP],ax
jmp  OverThisCode
[bits 16]
we_are_inreal_mode:

;Put you real mode code here,that you want to jump back to.
;you must put realmode compaible reg in seg regs.
;you most restore the realmode ivt and then you can re-enable int's

OverThisCode:

Next we can do this,and you must diss-able int's first.

Code: Select all

jmp REAL_MODE_SEL:we_are_in_16bit_pmode
[bits 16]
we_are_in_16bit_pmode:

mov ax,REAL_DATA_SEL
mov ss,ax
mov ds,ax

mov eax,cr0
and al,0xfe
mov cr0,eax

jmp far [Real_mode_IP]

Code: Select all

Real_mode_IP:    
                    dw  0
real_mode_cs:
                    dw  0

This code has not been tested.

PS: Does any one know if you need to remap the pic's,when going from pmode to realmode and back to pmode ?,
I know you do when first going to pmode.

ASHLEY4.