FEATURE ARTICLE by Alexander Pozhitkov (USA)

The NakedCPU (Part 1)
Hardware Experiments and a Roadmap for Navigating Documentation

The first part of this two-part series provides an overview of the NakedCPU. This platform is designed to provide full access to hardware and a CPU, without any operating-system restrictions, while working in protected mode.

CIRCUIT CELLAR® • www.circuitcellar.com • February 2012 – Issue 259 • page 24

Electronic projects involving microcontrollers are popular among design enthusiasts and professionals alike. Many interesting applications have been made with microcontrollers, and programming them can be a lot of fun. At the same time, the powerful central processing unit (CPU) found in the personal computer (PC), which serves every electronics designer on a daily basis (including for microcontroller programming), is lacking such attention. Most experimentation with a PC is limited to developing high-level software with the aid of numerous libraries and technologies that hide the hardware beneath layers and layers of code. Unlimited experimentation with PC hardware is rarely possible: you have to install drivers to get even some access to the hardware, because the operating system (OS) naturally does not permit any low-level activity. The sad part is that such drivers are mysterious themselves. It is safe to say hardware programming was well known to many computer professionals and enthusiasts in the 1980s. Later, many people forgot about it while the technology leapt tremendously ahead. In this article, I try to bridge the gap in time and revive interest in hardware programming based on state-of-the-art technologies and concepts. There is a Russian saying: "Everything new is actually well-forgotten old."

WHAT IS THE NakedCPU
This article is a result of my interest in the Intel CPU, chipset, I/O controller, and other essential PC devices from the perspective of low-level hardware programming unobstructed by an OS and drivers. My motivation was to reach out to people with inquisitive minds who would appreciate the possibility of experimenting directly with the CPU, chipset, and other hardware. Here I'll present the NakedCPU, which provides full access to the hardware and the CPU without any restrictions imposed by an OS. Importantly, the processor isn't obscured by Linux, DOS, or Windows, and it operates in its most interesting and powerful mode: protected mode. In this article, users are referred to as inquirers, because the NakedCPU is made for researchers (i.e., devoted geeks) rather than regular users.

My aim is to provide you inquirers with some help navigating hardware documentation, which is confusing and otherwise difficult to find. I won't restate the documentation, because many computer concepts and technologies quickly become obsolete. With this article, however, you'll find it easier to follow the newer technologies and documentation.

PROCESSORS & PLATFORMS
Think for a moment about one of the modern Intel CPU varieties, the Intel Core 2 Duo processor. This impressive processor is capable of consuming up to 75 A of current.[1] It is not a simple processor: its documentation consists of five volumes with a total page count of approximately 3,800 pages.[2] The Intel CPU does not operate alone. It is interfaced to a chipset known as a graphics and memory controller hub (GMCH). The chipset, on the other side, is connected to an I/O controller hub (ICH). Interestingly, this arrangement is analogous to your nervous system, with a brain, a brainstem, and a spinal cord. The GMCH and ICH are processors themselves, containing hundreds of configuration and control registers. The documentation on the GMCH and ICH spans more than 1,400 pages.[3, 4] It's no wonder OSes hide the actual hardware under a thick blanket of intermediate code.

It is not easy to experiment with the Intel CPU given the complexity of the surrounding hardware, such as the chipset, network controller, and so forth. Another difficulty is the fact that the documentation is filled with electrical-engineering abbreviations and concepts. Also, pervasive layers of OS code interfere with truly free exploration.

The NakedCPU is an experimental platform exposing the hardware internals of a PC. Experimentation with the NakedCPU requires two computers (see Figure 1). One is the master computer, with Windows and Visual Studio software, whose job is interacting with us and with the second computer. The second computer, the NakedCPU, is connected to the master via an RS-232 interface.

Figure 1—The NakedCPU and master computers are connected via a serial interface (RS-232). The NakedCPU does not need a keyboard or a monitor.

The NakedCPU computer is booted up with a small amount of start-up code (available on the Circuit Cellar FTP site) which enables it to communicate via RS-232 with the master. Upon start-up, the NakedCPU expects two separate packages of bytes: one is a stream of Intel CPU opcodes to be executed (i.e., the executable), and the other is the data to be processed. The executable can modify any part of memory, chipset registers, and so forth, and even overwrite the start-up code. In other words, the freedom is yours. There is no protection boundary between your executable and the platform: a mistaken write can take down the NakedOS itself, after which only a reset brings the machine back.

STARTING THE NakedCPU
The NakedCPU won't run without some sort of start-up code. At start-up, two tasks must be accomplished: switch the CPU into protected mode and begin listening on the serial port for two packets of bytes, the executable and the data. The easiest way to supply the NakedCPU with start-up code is to prepare a bootable floppy disk with your own code. Certainly, one can also put this code onto a hard drive.

The start-up code (up to 512 bytes) was written in assembly language and must be stored in sector 0, that is, the master boot record (MBR) of the disk. Assembly-language compilers and linkers such as MASM were not used to prepare the MBR due to various difficulties, although they may be suitable as well. There is, however, a binary editor called HexIt which, among other things, enables direct conversion of assembly commands into binary code.[5] Using this editor, a binary file of the future MBR was created. The file's content is available on the Circuit Cellar FTP site. Refer to Table 1 and Table 2 for more details about the content.

A small utility, Firstsectwrite.exe (also available on the Circuit Cellar FTP site), was written to transfer this file into sector 0 of the disk. Although the code of this utility is quite simple, it deserves some attention. A Windows API call to CreateFile() on the raw device path \\.\A: opens raw communication with a disk (floppy drive A: in this case) to enable writes into sector 0. It is important to note that this call will only be successful under an administrator account. Make sure the path names the floppy: writing sector 0 of the wrong device overwrites that disk's MBR.

I used a Dell Optiplex 760 computer to conduct the experiments. It had a floppy drive attached via USB. BIOS start-up options enabled me to boot up the computer from such a drive.

Table 1—Anatomy of the MBR

MBR location | Description
0x3E–0x4D | Determine the current address while the processor is still in real mode. After power-on, the BIOS has loaded the MBR somewhere into memory and transferred control to our code. The current address is needed to locate the physical address of the pseudo-descriptor, which in turn defines the physical address and limit of the Global Descriptor Table (GDT).
0x52 | The LGDT instruction (load GDT register) loads the pseudo-descriptor pointing to the GDT.
0x57–0x64 | The GDT and the Interrupt Descriptor Table (IDT) are copied to a new memory location beginning at linear address 0x0. The GDT and IDT define the memory segments the processor uses in protected mode.
0x80–0x186 | The MBR contains a very tiny 32-bit protected-mode "operating system" named the NakedOS.
0x65–0x71 | The NakedOS is copied to a new memory location beginning at linear address 0x800.
0x72–0x78 | The switch into protected mode is accomplished by adjusting the machine status word (setting the PE bit of CR0) with an LMSW instruction.
0x7B | Transfer control to the NakedOS.
0xF5–0x105 | Set up the 8259 interrupt controller.
0x106 | Transfer control to the inquirer's executable.

Table 2—Critical data structures

Structure | MBR location
Pseudo-descriptor, IDT | 0x194
Pseudo-descriptor, GDT | 0x1BA
Null descriptor | 0x1C0

THE NakedOS
It may sound contradictory to the spirit of the article to be OS-free; however, the NakedCPU is booted up with a tiny (262 bytes long) 32-bit "operating system," the NakedOS, which enables the NakedCPU to communicate with the outside world via a serial port. In fact, I did not compromise my principle of truly free exploration, because the NakedOS is absolutely transparent. Its code is available on the Circuit Cellar FTP site.

The NakedOS defines several memory segments which are useful as an initial environment for the inquirer's executable (see Table 3). Intel documentation provides an explanation of protected-mode memory segments, the global descriptor table (GDT), and the interrupt descriptor table (IDT).[2] In addition, the NakedOS defines two software interrupts and a base vector for hardware interrupts. Note that the IDT interrupts have nothing to do with DOS or BIOS; they are defined solely by the code.

Immediately after start-up, the NakedOS expects two transactions: one for the executable code and another for data. Each transaction is a stream of bytes sent via the RS-232 (see Table 4). The first transaction is written into the memory segment "target executable," while the second transaction goes into the "extended memory" segment. After the second transaction, the NakedOS transfers control to the executable by a long jump, jmp 0030:00000000 (a far jump to the target-executable code selector 0x30, offset 0). From that moment, in principle, any memory occupied by the NakedOS can be overwritten by the activities of your executable.

The hardware interrupts are normally masked when the NakedOS is running; however, the 8259 interrupt controller is set up (refer to the Circuit Cellar FTP site) to handle them if you decide to unmask them. Detailed instructions on programming the interrupt controller are provided in the documentation for the ICH.[4]

Table 4—The format of NakedOS transactions. The first 4 bytes indicate the length of the subsequent byte stream.

Byte index  | 0 1 2 3       | 0 1 2 … N-1
Description | Length N      | Executable code or data (N bytes)

Table 3—Memory segments and interrupts defined by the NakedOS

Segment | Base | Size | Selector | Type
Extended memory | 0x100000 | ~128 MB | 0x28 | data
Screen (character mode) | 0x0B8000 | 4 KB | 0x20 | data
Target executable | 0x93B | 64 KB | 0x30 and 0x38 | 0x30: code, 32-bit; 0x38: data
NakedOS | 0x800 | 315 bytes | 0x10 | code, 32-bit
Stack | 0x400 | 1,024 bytes | 0x18 | stack, 32-bit
System data (IDT at 0x200–0x3FF, GDT at 0x0–0x1FF) | 0x0 | 1,024 bytes | 0x8 | data

Interrupt | Info
INT 0x20 | Read a packet from the serial port into ES:[EDI]; mandatory condition: DS = ES. The first 4 bytes of the packet give the length, in bytes, of the subsequent string. Upon return, ECX contains the number of bytes received.
INT 0x21 | Send to the serial port a string of ECX bytes located at DS:[ESI].
IRQ0 | Hardware interrupts: the base vector is 0x28.
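The transaction format of Table 4 and the INT 0x20 receive semantics above, as an added example in C that is not code from the article or the NakedCPU project: a sender-side framer and a receiver-side parser that checks the declared length against the destination segment's size before anything is copied. Two assumptions are made that the article does not state: the 4-byte length is little-endian (natural for x86), and the 64 KB "target executable" size from Table 3 is the limit for the first transaction. The sample payload is a far jmp 0010:00000000, a minimal executable that immediately returns to the NakedOS code segment (selector 0x10, Table 3).

```c
/* Added example (not the article's or the NakedCPU project's code):
 * Table 4 framing for NakedOS transactions, with a receiver-side length
 * check.  Assumption: the 4-byte length is little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAKED_HDR_LEN      4u
#define TARGET_EXEC_LIMIT  0x10000u   /* Table 3: target executable, 64 KB (assumed exact) */

enum frame_err { FRAME_OK = 0, FRAME_SHORT_HDR = -1,
                 FRAME_TOO_LONG = -2, FRAME_TRUNCATED = -3 };

/* Build one transaction: 4-byte length N, then N payload bytes.
 * Returns bytes written, or 0 if out_cap is too small. */
size_t nakedos_frame(const uint8_t *payload, uint32_t n,
                     uint8_t *out, size_t out_cap)
{
    if (out_cap < NAKED_HDR_LEN || out_cap - NAKED_HDR_LEN < n)
        return 0;
    out[0] = (uint8_t)n;         out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n >> 16); out[3] = (uint8_t)(n >> 24);
    memcpy(out + NAKED_HDR_LEN, payload, n);
    return NAKED_HDR_LEN + n;
}

/* Parse one transaction the way a careful INT 0x20 handler would: the
 * declared length must fit the destination segment (the ES limit; INT 0x20
 * also requires DS = ES) and the bytes actually present.  On success
 * *payload/*n describe the body; no copy happens on any error path. */
int nakedos_parse_frame(const uint8_t *buf, size_t buf_len, uint32_t seg_limit,
                        const uint8_t **payload, uint32_t *n)
{
    if (buf_len < NAKED_HDR_LEN)
        return FRAME_SHORT_HDR;
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (len > seg_limit)               /* would run past ES:[EDI]'s segment */
        return FRAME_TOO_LONG;
    if (buf_len - NAKED_HDR_LEN < len) /* header promises more than arrived */
        return FRAME_TRUNCATED;
    *payload = buf + NAKED_HDR_LEN;
    *n = len;
    return FRAME_OK;
}

/* Smallest useful executable: far jmp 0010:00000000, i.e. opcode EA,
 * 32-bit offset 0, 16-bit selector 0x0010 (NakedOS code, Table 3). */
static const uint8_t RETURN_TO_NAKEDOS[] = { 0xEA, 0, 0, 0, 0, 0x10, 0 };

/* Frame the executable and parse it back under the target-executable
 * limit; returns 1 when the round trip reproduces the payload. */
int demo_roundtrip(void)
{
    uint8_t wire[64];
    const uint8_t *body; uint32_t n;
    size_t w = nakedos_frame(RETURN_TO_NAKEDOS, sizeof RETURN_TO_NAKEDOS,
                             wire, sizeof wire);
    if (w != 11 || wire[0] != 7 || wire[1] != 0 || wire[2] != 0 || wire[3] != 0)
        return 0;
    if (nakedos_parse_frame(wire, w, TARGET_EXEC_LIMIT, &body, &n) != FRAME_OK)
        return 0;
    return n == 7 && memcmp(body, RETURN_TO_NAKEDOS, 7) == 0;
}

/* Constructed hostile header: length 0xFFFFFFFF with 7 bytes behind it.
 * The segment-limit check rejects it before the copy. */
int demo_oversized_header(void)
{
    uint8_t wire[11] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xEA, 0, 0, 0, 0, 0x10, 0 };
    const uint8_t *body; uint32_t n;
    return nakedos_parse_frame(wire, sizeof wire, TARGET_EXEC_LIMIT, &body, &n);
}

/* Constructed short frame: header claims 100 bytes, only 7 follow. */
int demo_truncated(void)
{
    uint8_t wire[11] = { 0x64, 0x00, 0x00, 0x00, 0xEA, 0, 0, 0, 0, 0x10, 0 };
    const uint8_t *body; uint32_t n;
    return nakedos_parse_frame(wire, sizeof wire, TARGET_EXEC_LIMIT, &body, &n);
}

int main(void)
{
    printf("round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    printf("oversized header: %s\n",
           demo_oversized_header() == FRAME_TOO_LONG ? "rejected" : "ACCEPTED");
    printf("truncated frame: %s\n",
           demo_truncated() == FRAME_TRUNCATED ? "rejected" : "ACCEPTED");
    return 0;
}
```

The point of the two rejection cases: the length field is the only thing that tells the receiver where the copy stops, so a 64 KB segment with an unchecked 32-bit length is exactly the kind of trust a serial-attached host should not extend. The same parser serves the second transaction with the extended-memory size from Table 3 as seg_limit.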
THE NakedCPU EXPLORER
An important issue remains: sending an executable to the NakedCPU to conduct experiments. At the beginning of this article, I said two computers are involved. The master has a Microsoft Visual C++ project, the NakedCPU Explorer, which acts as a "shell" that enables the inspection and modification of chipset registers and memory. The code defines a class having a constructor which provides __asm brackets for you to fill with executable code (see Listing 1).

Listing 1—A fragment of a constructor for a class derived from NakedCPUcode

    DWORD pe, ps;
    __asm {
        mov pe, offset end      // mandatory label: end
        mov ps, offset start    // mandatory label: start
        jmp end                 // master jumps over the code
    start:
        mov ax, 0x28            // load the data (ES, DS) and
        mov es, ax              // stack (SS) segment registers
        mov ds, ax              // with Table 3 selectors,
        mov ax, 0x18            // then initialize the
        mov ss, ax              // stack pointer
        mov esp, 0x3fe
        // here goes the executable code
        _emit 0xEA              // far jump 0010:00000000 back to the NakedOS
        _emit 0x00              // (if it is still in memory): opcode EA,
        _emit 0x00              // 32-bit offset 0x00000000,
        _emit 0x00
        _emit 0x00
        _emit 0x10              // 16-bit selector 0x0010 (NakedOS code)
        _emit 0x00
    end:
        nop
    }
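Listing 1 loads ES and DS with selector 0x28 and SS with 0x18; those selectors index the descriptors of Table 3, which the start-up code places in a GDT at linear address 0x0 (Table 1) and loads with LGDT through the pseudo-descriptor of Table 2. The following is an added example in C, not the article's or the project's code, that encodes those descriptors and the LGDT pseudo-descriptor and reads them back by selector. Bases, sizes and selectors are from Table 3; the access bytes (ring 0, present, code execute/read or data read/write, 32-bit, byte or 4 KB granularity) are an assumption, since the article does not print the descriptor bytes.

```c
/* Added example (not the article's or the NakedCPU project's code): build the
 * GDT described by Table 3 and the LGDT pseudo-descriptor, then decode by
 * selector.  Access bytes are assumed (the article does not show them). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ACC_CODE_XR 0x9A   /* P=1 DPL=0 S=1 type=1010: execute/read (assumed) */
#define ACC_DATA_RW 0x92   /* P=1 DPL=0 S=1 type=0010: read/write   (assumed) */
#define GDT_BYTES   0x200  /* Table 3: GDT occupies linear 0x0-0x1FF           */

/* Segment descriptor layout (Intel SDM Vol. 3, "Segment Descriptors").  Sizes up
 * to 1 MB use byte granularity; larger sizes must be 4 KB multiples with G=1. */
int gdt_encode(uint32_t base, uint32_t size, uint8_t access, uint8_t out[8])
{
    uint32_t limit; uint8_t gran = 0;
    if (size == 0) return -1;
    if (size <= 0x100000u) {
        limit = size - 1;
    } else {
        if (size & 0xFFFu) return -1;
        limit = (size >> 12) - 1;
        gran = 0x80;
    }
    out[0] = (uint8_t)limit;        out[1] = (uint8_t)(limit >> 8);
    out[2] = (uint8_t)base;         out[3] = (uint8_t)(base >> 8);
    out[4] = (uint8_t)(base >> 16); out[5] = access;
    out[6] = (uint8_t)(gran | 0x40 | ((limit >> 16) & 0x0F)); /* D/B=1: 32-bit */
    out[7] = (uint8_t)(base >> 24);
    return 0;
}

uint32_t gdt_base(const uint8_t d[8])
{
    return d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
}

uint64_t gdt_size(const uint8_t d[8])   /* bytes addressable through the segment */
{
    uint32_t limit = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    return (d[6] & 0x80) ? ((uint64_t)limit + 1) << 12 : (uint64_t)limit + 1;
}

/* LGDT operand (Table 1 at 0x52, Table 2 at 0x1BA): 16-bit limit, 32-bit base. */
void lgdt_pseudo(uint32_t base, uint32_t table_bytes, uint8_t out[6])
{
    uint16_t limit = (uint16_t)(table_bytes - 1);
    out[0] = (uint8_t)limit;        out[1] = (uint8_t)(limit >> 8);
    out[2] = (uint8_t)base;         out[3] = (uint8_t)(base >> 8);
    out[4] = (uint8_t)(base >> 16); out[5] = (uint8_t)(base >> 24);
}

/* Table 3 rows: selector, base, size, assumed access byte. */
static const struct { uint16_t sel; uint32_t base, size; uint8_t acc; } NAKEDOS_SEGS[] = {
    { 0x08, 0x000000, 1024,               ACC_DATA_RW }, /* system data: GDT + IDT   */
    { 0x10, 0x000800, 315,                ACC_CODE_XR }, /* NakedOS                  */
    { 0x18, 0x000400, 1024,               ACC_DATA_RW }, /* stack                    */
    { 0x20, 0x0B8000, 4096,               ACC_DATA_RW }, /* screen, character mode   */
    { 0x28, 0x100000, 128u * 1024 * 1024, ACC_DATA_RW }, /* extended memory          */
    { 0x30, 0x00093B, 65536,              ACC_CODE_XR }, /* target executable, code  */
    { 0x38, 0x00093B, 65536,              ACC_DATA_RW }, /* target executable, data  */
};
#define NSEGS (sizeof NAKEDOS_SEGS / sizeof NAKEDOS_SEGS[0])

/* Null descriptor at index 0, then each row at index selector >> 3.
 * Returns descriptors written (null included), -1 on error. */
int build_nakedos_gdt(uint8_t *gdt, size_t cap)
{
    if (cap < GDT_BYTES) return -1;
    memset(gdt, 0, GDT_BYTES);
    for (size_t i = 0; i < NSEGS; i++)
        if (gdt_encode(NAKEDOS_SEGS[i].base, NAKEDOS_SEGS[i].size,
                       NAKEDOS_SEGS[i].acc, gdt + (NAKEDOS_SEGS[i].sel >> 3) * 8) != 0)
            return -1;
    return (int)NSEGS + 1;
}

static uint8_t g_gdt[GDT_BYTES];
static int g_built;
static const uint8_t *lookup(uint16_t sel)      /* index field only; RPL/TI ignored */
{
    if (!g_built) g_built = build_nakedos_gdt(g_gdt, sizeof g_gdt) > 0;
    return g_gdt + (sel >> 3) * 8;
}
uint32_t demo_base(uint16_t sel)    { return gdt_base(lookup(sel)); }
uint64_t demo_size(uint16_t sel)    { return gdt_size(lookup(sel)); }
int      demo_is_code(uint16_t sel) { return (lookup(sel)[5] & 0x08) != 0; }
uint16_t demo_pseudo_limit(void)    /* GDT copied to linear 0x0 (Table 1) */
{
    uint8_t p[6]; lgdt_pseudo(0x0, GDT_BYTES, p);
    return (uint16_t)(p[0] | (p[1] << 8));
}

int main(void)
{
    for (size_t i = 0; i < NSEGS; i++)
        printf("sel 0x%02X base 0x%06X size %llu %s\n", NAKEDOS_SEGS[i].sel,
               (unsigned)demo_base(NAKEDOS_SEGS[i].sel),
               (unsigned long long)demo_size(NAKEDOS_SEGS[i].sel),
               demo_is_code(NAKEDOS_SEGS[i].sel) ? "code" : "data");
    printf("LGDT limit 0x%X\n", demo_pseudo_limit());
    return 0;
}
```

Reading the table back makes the environment of Listing 1 concrete: with ES = DS = 0x28 the executable addresses extended memory from 0x100000, and with SS = 0x18 and ESP = 0x3FE the stack top sits just under the 1,024-byte limit of the segment based at 0x400. Every descriptor here carries DPL 0, which matches the article's premise that nothing restricts the inquirer's code.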
Since Visual C++ is running on the master PC with an Intel CPU, the compiler translates the assembly code into appropriate opcodes, which are naturally suitable for the NakedCPU. Specifically, this class is derived from another class, NakedCPUcode, which performs preparatory work by extracting the opcodes produced from the code in the __asm brackets and making them available for sending over to the NakedCPU. Note that the NakedCPU only receives the code between the start and end labels. It is important to understand that the master computer will not execute the code in the __asm brackets; it simply jumps over it. The strange keyword _emit enables the direct placement of opcodes by their hexadecimal values. The Visual Studio inline assembler does not accept a far (long) jump, so its seven bytes are emitted directly: EA 00 00 00 00 10 00 is JMP ptr16:32, that is, opcode EA, a 32-bit offset of 0, and the 16-bit selector 0x0010, the NakedOS code segment of Table 3.

The project also defines a class SerialComm and a function SendNakedCPUdataRecvResponse to send and receive data. It is worthwhile to examine the project's straightforward code to understand the details of communication with the NakedCPU. Besides serving as an example, the NakedCPU Explorer sends an executable to the NakedCPU which permits the interactive examination and modification of various chipset and I/O controller registers. The NakedCPU Explorer offers eight commands: write, write32, read, read32, pci, memread, memwrite, and quit. The first four commands will ask for a port address (i.e., an address in the CPU I/O space). With these commands, the NakedCPU will write to and read from a GMCH or ICH register, 1 or 4 bytes. The fifth command will ask for Bus (decimal), Device (decimal), Function (decimal), and Register (hexadecimal) values. Their values will be packed into port 0xCF8 to open a "window" into the PCI configuration space that's accessible via port 0xCFC. Details on addressing PCI devices are provided in the chipset documentation.[3] The memread and memwrite commands enable the reading and writing of double words from and to memory, respectively.

A regular PC, ubiquitous in most homes, is filled with powerful and interesting hardware. Unfortunately, it tends to be difficult to experiment with PCs due to the lack of documentation and overly protective OSes. The first part of this article detailed the path to the hard-to-find documentation. I also described the NakedCPU, which is my OS-free platform for experimenting with a PC's internals.

NEW EXPERIMENTS
The NakedCPU is controlled from another computer, the master, which provides you with an interface. In the next part of this series, I'll describe how to use the NakedCPU Explorer for experiments with the speaker, parallel port, and LAN adapter. In addition, I'll give you a peek at the BIOS, the power-on code in particular. Undoubtedly, the suggested experiments will be stepping stones to help you begin even more interesting research.

Author's note: The NakedCPU Explorer does not use any hidden "helper" drivers or libraries. The code is entirely transparent for the inquirer's perusal.

Dr. Alexander Pozhitkov (pozhit@uw.edu) has an MS degree in Chemistry and a PhD in Genetics from Albertus Magnus University in Cologne, Germany. He has been working for 12 years on interdisciplinary research involving molecular biology, physical chemistry, software, and electrical engineering. Currently, Dr. Pozhitkov is a researcher at the University of Washington, Seattle. His technical interests include hardware programming, vacuum tubes, and high-voltage electronics.

PROJECT FILES
To download the code, go to ftp://ftp.circuitcellar.com/pub/Circuit_Cellar/2012/259.

REFERENCES
[1] Intel Corp., "Intel Core 2 Duo Processor E8000 and E7000 Series Datasheet," 2009, http://download.intel.com/design/processor/datashts/318732.pdf.
[2] Intel Corp., "Intel 64 and IA-32 Architectures Software Developer's Manuals," www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html.
[3] Intel Corp., "Intel 4 Series Chipset Family Datasheet," 2010, www.intel.com/Assets/PDF/datasheet/319970.pdf.
[4] Intel Corp., "Intel I/O Controller Hub 10 (ICH10) Family Datasheet," 2008, www.intel.com/content/www/us/en/io/io-controller-hub-10-family-datasheet.html.
[5] M. Klasson, "HexIt – The Hex Editor," 2011, http://mklasson.com/hexit.php.

RESOURCE
E. Nisley, "Journey to the Protected Land," Circuit Cellar 48–65, 1994–1995.

SOURCES
Intel Core 2 Duo Processor: Intel Corp. | www.intel.com
Visual C++ integrated development environment (IDE): Microsoft Corp. | www.microsoft.com
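The pci command of the NakedCPU Explorer, described above, packs Bus, Device, Function and Register into port 0xCF8 and reads the selected dword through port 0xCFC. As an added example that is not the Explorer's code, here is that packing in C with range checks, plus a read through a simulated 0xCF8/0xCFC pair backed by a constructed configuration space so the program runs on any host without I/O privilege. The bit layout is the CONFIG_ADDRESS format of the PCI Local Bus Specification; the two devices and their ID values are constructed, not taken from the article or from real hardware.

```c
/* Added example (not the article's or the NakedCPU Explorer's code): the
 * CONFIG_ADDRESS word written to port 0xCF8 and a dword read via 0xCFC.
 * Port I/O is simulated against a constructed configuration space. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CONFIG_ADDRESS: bit 31 enable | 30:24 reserved | 23:16 bus | 15:11 device |
 * 10:8 function | 7:2 dword register index | 1:0 zero.  Returns 0, which is
 * never a valid enabled address, when a field is out of range or the
 * register offset is not dword-aligned. */
uint32_t pci_cfg_addr(unsigned bus, unsigned dev, unsigned fn, unsigned reg)
{
    if (bus > 255 || dev > 31 || fn > 7 || reg > 255 || (reg & 3))
        return 0;
    return 0x80000000u | (bus << 16) | (dev << 11) | (fn << 8) | reg;
}

/* ---- simulated hardware: two constructed devices on bus 0 ---- */
struct fake_dev { unsigned bus, dev, fn; uint32_t ids; };
static const struct fake_dev FAKE_BUS[] = {
    { 0,  0, 0, 0x12348086u },  /* constructed: vendor 0x8086, device 0x1234 */
    { 0, 31, 0, 0x5678BEEFu },  /* constructed: vendor 0xBEEF, device 0x5678 */
};
static uint32_t g_cf8;          /* last value written to CONFIG_ADDRESS */

void fake_out_cf8(uint32_t v) { g_cf8 = v; }

/* CONFIG_DATA read.  Only register 0x00 (vendor ID low, device ID high) is
 * modelled; an absent device reads all ones, as real PCI does on a master
 * abort, and so does a disabled (bit 31 clear) address. */
uint32_t fake_in_cfc(void)
{
    if (!(g_cf8 & 0x80000000u)) return 0xFFFFFFFFu;
    unsigned bus = (g_cf8 >> 16) & 0xFF, dev = (g_cf8 >> 11) & 0x1F,
             fn  = (g_cf8 >> 8) & 7,     reg = g_cf8 & 0xFC;
    for (size_t i = 0; i < sizeof FAKE_BUS / sizeof FAKE_BUS[0]; i++)
        if (FAKE_BUS[i].bus == bus && FAKE_BUS[i].dev == dev && FAKE_BUS[i].fn == fn)
            return reg == 0 ? FAKE_BUS[i].ids : 0;
    return 0xFFFFFFFFu;
}

/* What the Explorer's pci command does: pack, write 0xCF8, read 0xCFC.
 * An invalid B/D/F/register yields all ones rather than a stray write. */
uint32_t pci_read32(unsigned bus, unsigned dev, unsigned fn, unsigned reg)
{
    uint32_t addr = pci_cfg_addr(bus, dev, fn, reg);
    if (addr == 0) return 0xFFFFFFFFu;
    fake_out_cf8(addr);
    return fake_in_cfc();
}

uint16_t pci_vendor(uint32_t id_dword) { return (uint16_t)(id_dword & 0xFFFF); }
uint16_t pci_device(uint32_t id_dword) { return (uint16_t)(id_dword >> 16); }

int main(void)
{
    for (unsigned dev = 0; dev < 32; dev++) {
        uint32_t ids = pci_read32(0, dev, 0, 0x00);
        if (ids != 0xFFFFFFFFu)
            printf("00:%02x.0 vendor %04x device %04x (CONFIG_ADDRESS %08x)\n",
                   dev, pci_vendor(ids), pci_device(ids), pci_cfg_addr(0, dev, 0, 0));
    }
    return 0;
}
```

On the NakedCPU the two fake_* calls become out dword to 0xCF8 and in dword from 0xCFC; everything else is unchanged. The range check matters more there than here: the reserved bits 30:24 and the low two bits must be zero, and a misaligned register offset silently reads the containing dword, so the Explorer's hexadecimal Register prompt is best fed aligned values.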
easiest way to supply the NakedCPU with a start-up code isto prepare a bootable floppy disk with your own code Cer-tainly one can also put this code onto a hard driveThe start-up code (up to 512 bytes) was written in
Assembly language and must be stored in sector 0mdashthatis the master boot record (MBR) of the disk The Assem-bly language compilers and linkers such as MASM werenot used to prepare the MBR due to various difficultiesalthough they may be suitable as well There is howevera binary editor called HexIt which among other thingsenables direct conversion of Assembly commands intobinary code[5] Using this editor a binary file of the futureMBR was created The filersquos content is available on theCircuit Cellar FTP site Refer to Table 1 and Table 2 formore details about the contentA small utility Firstsectwriteexe (also available on the
Circuit Cellar FTP site) was written to transfer this fileinto sector 0 of the disk Although the code of this utilityis quite simple it deserves some attention A Windows APIcall to CreateFile(TEXT(ldquoArdquo)) opens rawcommunication with a diskmdasha floppy drive A in thiscasemdashto enable writes into the sector 0 It is important tonote that this call will be only be successful under theadministrator accountI used a Dell Optiplex 760 computer to conduct the
experiments It had a floppy drive attached via a USB BIOSstart-up options enabled me to boot up the computer fromsuch a drive
THE NakedOSIt may sound contradictive to the spirit of the article to be
OS-free however the NakedCPU is booted up with a tiny(262 bytes long) 32-bit ldquooperating systemrdquo the NakedOSwhich enables the NakedCPU to communicate with theoutside world via a serial port In fact I did not compromisemy principle of truly free exploration because the NakedOS
processor is capable of consuming up to 75 A of current[1] Itis not a simple processor Its documentation consists of fivevolumes with the total page count of approximately 3800pages[2] The Intel CPU does not operate alone It is inter-faced to a chipset known as a graphics and memory con-troller hub (GMCH) The chipset on the other side is con-nected to an IO controller hub (ICH) Interestingly thisarrangement is analogous to your nervous system with abrain a brainstem and a spinal cord GMCH and ICH areprocessors themselves containing hundreds of configura-tion and control registers The documentation on GMCHand ICH spans more than 1400 pages[3 4] Itrsquos no wonderOSes hide actual hardware under a thick blanket of inter-mediate codeIt is not easy to experiment with the Intel CPU given
the complexity of surrounding hardware such as thechipset network controller and so forth Another difficul-ty is the fact that the documentation is filled with electri-cal engineering abbreviations and concepts Also pervasivelayers of OS code interfere with truly free explorationThe NakedCPU is an experimental platform exposing
the hardware internals of a PC Experimentation withNakedCPU requires two computers (see Figure 1) One isthe master computer with Windows and Visual Studio soft-ware whose job is interacting with us and the second com-puter The second computermdashthe NakedCPUmdashis connect-ed to the master via an RS-232 interfaceThe NakedCPU computer is booted up with a small
amount of start-up code (available on the Circuit CellarFTP site) which enables it to communicate via RS-232with the master Upon start-up the NakedCPU expectstwo separate packages of bytes one is a stream of IntelCPU opcodes to be executed (ie the executable) and theother one is the data to be processed The executable canmodify any part of memory chipset registers and soforth and even overwrite the start-up code In otherwords the freedom is yours
STARTING THE NakedCPUThe NakedCPU wonrsquot run without some sort of a start-up
code At start-up two tasks must be accomplished switchthe CPU into the Protected mode and begin listening on theserial port for two packets of bytes executable and data The
25
Febr
uary
201
2 ndash
Issue
259
wwwcircuitcellarcom bull CIRCUIT CELLARreg
Table 2mdashCritical data structures
Structure MBR Location
Pseudo-descriptor IDT 0x194
Pseudo-descriptor GDT 0x1BA
Null descriptor 0x1C0
Table 1mdashAnatomy of the MBR
Description MBR Location
Determining the current address while the processor is still in real mode after power on BIOS has loaded the MBR somewhere
into the memory and transferred control to our code The current address is necessary to locate physical address of the pseudo-
descriptor which is in turn defining a physical address and a limit for the Global Descriptor Table (GDT)
0x3Endash0x4D
LGDT instruction (Load GDT register) is loading pseudodescriptor which is pointing to GDT 0x52
GDT and Interrupt Descriptor Table (IDT) are copied into a new memory location beginning from linear address 0x0 GDT
and IDT are defining memory segments for the processor to operate in protected mode
0x57ndash0x64
The MBR contains a very tiny 32-bit protected mode ldquooperating systemrdquo named the NakedOS 0x80ndash0x186
The NakedOS is copied into a new memory location beginning with linear address 0x800 0x65ndash0x71
Switching into protected mode is accomplished by adjusting the machine status word using a LMSW instruction 0x72ndash0x78
Transfer control to the NakedOS 0x7B
Set up 8259 interrupt controller 0xF5ndash0x105
Transfer control to the inquirerrsquos executable 0x106
26 CIRCUIT CELLARreg bull wwwcircuitcellarcom
Febr
uary
201
2 ndash
Issue
259
BIOS they are solely defined by the codeImmediately after start-up the NakedOS expects two
transactions one for the executable code and another fordata Each transaction is a stream of bytes sent via the
is absolutely transparent Its code is available on the CircuitCellar FTP site
The NakedOS defines several memory segments whichare useful as an initial environment for the inquirerrsquos exe-cutable (see Table 3) Intel documentation provides anexplanation for protected mode memory segments globaldescriptor table (GDT) and interrupt descriptor table(IDT)[2] In addition the NakedOS defines two softwareinterrupts and a base vector for hardware interrupts Notethat the IDT interrupts have nothing to do with DOS or
Table 4mdashThe format of NakedOS transactions The first 4 bytesindicate the length of the subsequent byte stream
Byte index 0 1 2 3 0 1 2 hellip N-1
Description Length N Executable code or data
Table 3mdashMemory segments and interrupts defined by the NakedOS
Segment Base Size Descriptors type
Extended memory 0x100000 ~128 Mb 0x28 data
Screen character mode 0x0B8000 4 Kb 0x20 data
Target executable 0x93B 64 Kb
0x30 code 32
0x38 data
NakedOS 0x800 315 bytes 0x10 code 32
Stack 0x400 1024 bytes 0x18 stack 32
System data
IDT 0x3FFndash0x200
GDT 0x1FFndash0
0x0 1024 bytes 0x8 data
Interrupts Info
INT 0x20 Read a packet from serial port destination ES[EDI] mandatory condition DS=ES First 4 bytes of the packet
indicate in bytes the length of the subsequent string Upon return ECX contains the number of bytes received
INT 0x21 Send to serial port a string of ECX bytes located at DS[ESI]
IRQ0 Hardware interrupts base vector is 0x28
Circuit Cellar feature articles are contributed by professional engineers academics and students from
around the globe Each month the editorial staff reviews dozens of article proposals and submissions
Only the best make it into the pages of this internationally respected magazine
Get PUBLISHED Get NOTICED Get PAID
Do you have what it takes
editorcircuitcellarcom
Contact C J Abate Editor-in-Chief
today to discuss the embedded design projects
and programming applications
yoursquove been working on and
your article could be featured
in an upcoming issue
of Circuit Cellar magazine
wwwcircuitcellarcom bull CIRCUIT CELLARreg 27
Febr
uary
201
2 ndash
Issue
259
RS-232 (see Table 4) The first transaction is written into thememory segment ldquotarget executablerdquo while the secondtransaction goes into the ldquoextended memoryrdquo segment After
the second transaction the NakedOStransfers control to the executable by along jump jmp 00030000000000 Fromthat moment in principle any memoryoccupied by the NakedOS can be overwrit-ten by the activities of your executable
The hardware interrupts are normallymasked when the NakedOS is runninghowever the 8259 interrupt controlleris set up (refer to the Circuit Cellar FTPsite) to handle them if you decide tounmask them Detailed instructions onprogramming the interrupt controllerare provided in the documentation forthe ICH[4]
THE NakedCPU EXPLORERAn important issue remains sending
an executable to the NakedCPU to con-duct experiments At the beginning ofthis article I said two computers areinvolved The master has a MicrosoftVisual C++ project the NakedCPUExplorer which acts as a ldquoshellrdquo thatenables the inspection and modification
of chipset registers and memory The code defines a classhaving a constructor which provides __asm brackets foryou to fill with executable code (see Listing 1)
Listing 1mdashA fragment of a constructor for a class derived from NakedCPUcode
DWORD pe ps__asm
mov pe offset end mandatory label endmov ps offset start mandatory label startjmp end master jumps over the codestart mov ax 0x28 loading
mov es ax data andmov ds ax stackmov ax 0x18 segment registersmov ss ax initializingmov esp 0x3fe stack pointerhere goes executable code_emit 0xEA this is_emit 0x00 a long jump to_emit 0x00 finish the executable_emit 0x00 and transfer control_emit 0x00 to NakedOS_emit 0x10 (if it is still_emit 0x00 in the memory)
end nop
Save 30 on all titles when you purchase from wwwnewnespresscomEnter promotional code Newnes30 at checkout
Register for our e-news at newnespresscom Find us on Facebook
By Peter WilsonISBN 9780080971384
By Lucio Di JasioISBN 9781856178709
By Morgan JonesISBN 9780080966403
By Art KayISBN 9780750685252
N e w n e s P r e s s
Education Never Ends Everything you need to know to get started
tiodu tiocaduEE
er Endser Enn Nevn New nw nN e
eed tu nog yerythinvE dsses P re
edtartt seo gw too kneed t
s
ed
avS
tioomorer ptEnen ys whn all title oe 30avave 30
kcebooan Fn Fas od uinFFin
cke cht as30eewnNe al codntiom wwwore fsahcuru poen y
ur e-nr ooer fer fotter fRegis
touckmcosserpsewnenm www
cosserrepsspeewnt news aur e-n
mco
28 CIRCUIT CELLARreg bull wwwcircuitcellarcom
Febr
uary
201
2 ndash
Issue
259
Dr Alexander Pozhitkov (pozhituwedu) has an MS degree inChemistry and a PhD in Genetics from Albertus Magnus Universityin Cologne Germany He has been working for 12 years oninterdisciplinary research involving molecular biology physicalchemistry software and electrical engineering Currently DrPozhitkov is a researcher at the University of WashingtonSeattle His technical interests include hardware programmingvacuum tubes and high-voltage electronics
PROJECT FILESTo download the code go to ftpftpcircuitcellarcompubCircuit_Cellar2012259
REFERENCES[1] Intel Corp ldquoIntel Core 2 Duo Processor E8000 andE7000 Series Datasheetrdquo 2009 httpdownloadintelcomdesignprocessordatashts318732pdf
[2] mdashmdashmdash ldquoIntel 64 and IA-32 Architectures SoftwareDeveloperrsquos Manualsrdquo wwwintelcomcontentwwwusenprocessorsarchitectures-software-developer-manualshtml
[3] mdashmdashmdash ldquoIntel 4 Series Chipset Family Datasheetrdquo2010 wwwintelcomAssetsPDFdatasheet319970pdf
[4] mdashmdashmdash ldquoIntel IO Controller Hub 10 (ICH10) Fami-ly Datasheetrdquo 2008 wwwintelcomcontentwwwusenioio-controller-hub-10-family-datasheethtml
[5] M Klasson ldquoHexIt ndash The Hex Editorrdquo 2011httpmklassoncomhexitphp
RESOURCEE Nisley ldquoJourney to the Protected Landrdquo CircuitCellar 48ndash65 1994ndash1995
SOURCESIntel Core 2 Duo ProcessorIntel Corp | wwwintelcom
Visual C++ Integrated development environment (IDE)Microsoft Corp | wwwmicrosoftcom
Since Visual C++ is running on the master PC with an Intel CPU, the compiler translates the Assembly code into appropriate opcodes, which are naturally suitable for the NakedCPU. Specifically, this class is derived from another class, NakedCPUcode, which performs preparatory work by extracting the opcodes produced from the code in the __asm brackets and making them available for sending over to the NakedCPU. Note that the NakedCPU only receives the code between the start and end labels. It is important to understand that the master computer will not execute the code in the __asm brackets; it simply jumps over it. The strange keyword _emit enables the direct placement of opcodes by their hexadecimal values. For some reason, a long jump is not permitted when using the Visual Studio compiler.

The project also defines a class, SerialComm, and a function, SendNakedCPUdataRecvResponse, to send and receive data. It is worthwhile to examine the project's straightforward code to understand the details of communication with the NakedCPU. Besides serving as an example, the NakedCPU Explorer sends an executable to the NakedCPU which permits the interactive examination and modification of various chipset and I/O controller registers. The NakedCPU Explorer offers eight commands: write, write32, read, read32, pci, memread, memwrite, and quit. The first four commands will ask for a port address (i.e., an address in the CPU I/O space). With these commands, the NakedCPU will write to and read from a GMCH or ICH register, 1 or 4 bytes at a time. The fifth command will ask for Bus (decimal), Device (decimal), Function (decimal), and Register (hexadecimal) values. Their values will be packed into the port 0xCF8 to open a "window" into the PCI configuration space that's accessible via port 0xCFC. Details on addressing PCI devices are provided in the chipset documentation.[3] The memread and memwrite commands enable the reading and writing of double words from and to the memory, respectively.

A regular PC, ubiquitous in most homes, is filled with powerful and interesting hardware. Unfortunately, it tends to be difficult to experiment with PCs due to the lack of documentation and overly protective OSes. The first part of this article detailed the path to the hard-to-find documentation. I also described the NakedCPU, which is my OS-free platform for experimenting with a PC's internals.
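How the Bus, Device, Function, and Register values that the pci command asks for fold into the dword written to port 0xCF8, as an added example (my own code, not from the NakedCPU Explorer project). The bit layout is the standard PCI configuration mechanism #1, which the chipset documentation[3] covers in detail; the function and type names are my own.

```cpp
// Added example (my own code, not from the NakedCPU Explorer project): how the
// Bus, Device, Function and Register values the "pci" command asks for are
// packed into the CONFIG_ADDRESS dword written to port 0xCF8, and where in
// the 0xCFC "window" a 1- or 4-byte access then lands. Standard PCI
// configuration mechanism #1; function and type names are my own.
#include <cstdint>
#include <cstdio>
#include <stdexcept>

constexpr uint16_t kConfigAddressPort = 0xCF8;  // CONFIG_ADDRESS
constexpr uint16_t kConfigDataPort    = 0xCFC;  // CONFIG_DATA

struct PciLocation {
    uint8_t bus;       // 0..255, entered in decimal
    uint8_t device;    // 0..31, entered in decimal
    uint8_t function;  // 0..7, entered in decimal
    uint8_t reg;       // 0..255, byte offset in configuration space, entered in hex
};

// CONFIG_ADDRESS layout: bit 31 enable, bits 23..16 bus, 15..11 device,
// 10..8 function, 7..2 register (dword index). Bits 1..0 are reserved and
// must be 0, so the register offset is rounded down to a dword boundary.
uint32_t packConfigAddress(const PciLocation& loc) {
    if (loc.device > 31) throw std::out_of_range("device must be 0..31");
    if (loc.function > 7) throw std::out_of_range("function must be 0..7");
    return 0x80000000u
         | (static_cast<uint32_t>(loc.bus)      << 16)
         | (static_cast<uint32_t>(loc.device)   << 11)
         | (static_cast<uint32_t>(loc.function) << 8)
         | (static_cast<uint32_t>(loc.reg) & 0xFCu);
}

// Inverse, handy when checking what an executable wrote to 0xCF8. Returns
// false when the enable bit is clear (window closed) or reserved bits are set.
bool unpackConfigAddress(uint32_t addr, PciLocation& out) {
    if ((addr & 0x80000000u) == 0) return false;
    if (addr & 0x7F000003u) return false;  // bits 30..24 and 1..0 are reserved
    out.bus      = static_cast<uint8_t>((addr >> 16) & 0xFFu);
    out.device   = static_cast<uint8_t>((addr >> 11) & 0x1Fu);
    out.function = static_cast<uint8_t>((addr >> 8) & 0x07u);
    out.reg      = static_cast<uint8_t>(addr & 0xFCu);
    return true;
}

// Port for the data access once the window is open: a 4-byte access must be
// dword aligned and goes to 0xCFC; a 1-byte access goes to 0xCFC plus the
// register's offset within its dword.
uint16_t dataPortFor(uint8_t reg, unsigned width) {
    if (width == 4) {
        if (reg & 3u) throw std::invalid_argument("32-bit access must be dword aligned");
        return kConfigDataPort;
    }
    if (width == 1) return static_cast<uint16_t>(kConfigDataPort + (reg & 3u));
    throw std::invalid_argument("width must be 1 or 4");
}

int main() {
    // Constructed sample: bus 0, device 31, function 0, register 0xF0.
    PciLocation loc{0, 31, 0, 0xF0};
    uint32_t addr = packConfigAddress(loc);
    std::printf("out 0x%X, 0x%08X; then read32 at port 0x%X\n",
                static_cast<unsigned>(kConfigAddressPort), addr,
                static_cast<unsigned>(dataPortFor(loc.reg, 4)));
    return 0;
}
```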
NEW EXPERIMENTS
The NakedCPU is controlled from another computer, the master, which provides you with an interface. In the next part of this series, I'll describe how to use the NakedCPU Explorer for experiments with the speaker, parallel port, and LAN adapter. In addition, I'll give you a peek at the BIOS, the power-on code in particular. Undoubtedly, the suggested experiments will be stepping stones to help you begin even more interesting research.
Author's note: The NakedCPU Explorer does not use any hidden "helper" drivers or libraries. The code is entirely transparent for the inquirer's perusal.
26 CIRCUIT CELLAR® • www.circuitcellar.com, February 2012, Issue 259
is absolutely transparent. Its code is available on the Circuit Cellar FTP site.

The NakedOS defines several memory segments, which are useful as an initial environment for the inquirer's executable (see Table 3). Intel documentation provides an explanation for protected mode memory segments, the global descriptor table (GDT), and the interrupt descriptor table (IDT).[2] In addition, the NakedOS defines two software interrupts and a base vector for hardware interrupts. Note that the IDT interrupts have nothing to do with DOS or BIOS; they are solely defined by the code.

Immediately after start-up, the NakedOS expects two transactions: one for the executable code and another for data. Each transaction is a stream of bytes sent via the RS-232 (see Table 4). The first transaction is written into the memory segment "target executable," while the second transaction goes into the "extended memory" segment. After the second transaction, the NakedOS transfers control to the executable by a long jump, jmp 0030:00000000. From that moment, in principle, any memory occupied by the NakedOS can be overwritten by the activities of your executable.

The hardware interrupts are normally masked when the NakedOS is running; however, the 8259 interrupt controller is set up (refer to the Circuit Cellar FTP site) to handle them if you decide to unmask them. Detailed instructions on programming the interrupt controller are provided in the documentation for the ICH.[4]

Table 3—Memory segments and interrupts defined by the NakedOS

Segment                  Base       Size         Descriptor (type)
Extended memory          0x100000   ~128 MB      0x28 data
Screen, character mode   0x0B8000   4 KB         0x20 data
Target executable        0x93B      64 KB        0x30 code 32; 0x38 data
NakedOS                  0x800      315 bytes    0x10 code 32
Stack                    0x400      1024 bytes   0x18 stack 32
System data              0x0        1024 bytes   0x8 data
  (IDT 0x3FF–0x200, GDT 0x1FF–0x0)

Interrupts   Info
INT 0x20     Read a packet from the serial port; destination ES:[EDI]; mandatory condition DS = ES. The first 4 bytes of the packet indicate, in bytes, the length of the subsequent string. Upon return, ECX contains the number of bytes received.
INT 0x21     Send to the serial port a string of ECX bytes located at DS:[ESI].
IRQ0         Hardware interrupts; base vector is 0x28.

Table 4—The format of NakedOS transactions. The first 4 bytes indicate the length of the subsequent byte stream.

Byte index    0 1 2 3     0 1 2 … N-1
Description   Length N    Executable code or data
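The Table 4 transaction format on both ends of the serial link, as an added example (my own code, not the NakedOS or NakedCPU Explorer source): the master frames a payload with its 4-byte length, and the receiver parses the two start-up transactions while refusing a length that would not fit the destination segment from Table 3. A little-endian length field is assumed (the natural choice on x86), and the function names are my own.

```cpp
// Added example (my own code, not the NakedOS or NakedCPU Explorer source):
// the Table 4 transaction format on both ends. The master frames a payload
// with its 4-byte length; the receiver (what INT 0x20 does on the NakedCPU)
// parses the two start-up transactions and refuses a length that would not
// fit the destination segment from Table 3. Assumed: little-endian length.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

constexpr size_t kTargetExecutableSize = 64u * 1024u;          // Table 3: 64 KB
constexpr size_t kExtendedMemorySize   = 128u * 1024u * 1024u; // Table 3: ~128 MB

// Master side: 4-byte little-endian length N followed by the N payload bytes.
std::vector<uint8_t> frameTransaction(const std::vector<uint8_t>& payload) {
    if (payload.size() > 0xFFFFFFFFull) throw std::length_error("payload too long");
    uint32_t n = static_cast<uint32_t>(payload.size());
    std::vector<uint8_t> out;
    out.reserve(4 + payload.size());
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(n >> (8 * i)));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Receiver side: read one length-prefixed packet from `stream` at `pos`.
// The length is checked against `capacity` before any byte is copied; a
// larger N would run past the destination segment (the article notes that
// NakedOS memory can be overwritten once the executable runs).
std::vector<uint8_t> readTransaction(const std::vector<uint8_t>& stream,
                                     size_t& pos, size_t capacity) {
    if (stream.size() - pos < 4) throw std::runtime_error("truncated length field");
    uint32_t n = 0;
    for (int i = 0; i < 4; ++i) n |= static_cast<uint32_t>(stream[pos + i]) << (8 * i);
    pos += 4;
    if (n > capacity) throw std::length_error("packet larger than destination segment");
    if (stream.size() - pos < n) throw std::runtime_error("truncated payload");
    std::vector<uint8_t> payload(stream.begin() + pos, stream.begin() + pos + n);
    pos += n;
    return payload;
}

struct StartupImage {
    std::vector<uint8_t> executable;  // goes to the "target executable" segment
    std::vector<uint8_t> data;        // goes to the "extended memory" segment
};

// The complete start-up stream: executable transaction first, data second.
StartupImage parseStartupStream(const std::vector<uint8_t>& stream) {
    size_t pos = 0;
    StartupImage img;
    img.executable = readTransaction(stream, pos, kTargetExecutableSize);
    img.data       = readTransaction(stream, pos, kExtendedMemorySize);
    if (pos != stream.size()) throw std::runtime_error("trailing bytes after data");
    return img;
}

// Sanity check on an executable: the Listing 1 constructor ends it with a far
// jump back to the NakedOS code segment, bytes EA 00 00 00 00 10 00
// (jmp 0010:00000000).
bool endsWithReturnToNakedOS(const std::vector<uint8_t>& exe) {
    static const uint8_t tail[7] = {0xEA, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00};
    if (exe.size() < 7) return false;
    for (size_t i = 0; i < 7; ++i)
        if (exe[exe.size() - 7 + i] != tail[i]) return false;
    return true;
}

int main() {
    // Constructed sample: a nop followed by the return jump, plus 3 data bytes.
    std::vector<uint8_t> exe = {0x90, 0xEA, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00};
    std::vector<uint8_t> dat = {0x01, 0x02, 0x03};
    std::vector<uint8_t> stream = frameTransaction(exe);
    std::vector<uint8_t> second = frameTransaction(dat);
    stream.insert(stream.end(), second.begin(), second.end());
    StartupImage img = parseStartupStream(stream);
    std::printf("executable %zu bytes, data %zu bytes, return jump %s\n",
                img.executable.size(), img.data.size(),
                endsWithReturnToNakedOS(img.executable) ? "present" : "missing");
    return 0;
}
```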
THE NakedCPU EXPLORER
An important issue remains: sending an executable to the NakedCPU to conduct experiments. At the beginning of this article, I said two computers are involved. The master has a Microsoft Visual C++ project, the NakedCPU Explorer, which acts as a "shell" that enables the inspection and modification of chipset registers and memory. The code defines a class having a constructor which provides __asm brackets for you to fill with executable code (see Listing 1).
Listing 1—A fragment of a constructor for a class derived from NakedCPUcode

    DWORD pe, ps;
    __asm
    {
        mov pe, offset end      ; mandatory label "end"
        mov ps, offset start    ; mandatory label "start"
        jmp end                 ; master jumps over the code
    start:
        mov ax, 0x28            ; loading
        mov es, ax              ; data and
        mov ds, ax              ; stack
        mov ax, 0x18            ; segment registers
        mov ss, ax              ; initializing
        mov esp, 0x3fe          ; stack pointer
        ; here goes executable code
        _emit 0xEA              ; this is
        _emit 0x00              ; a long jump to
        _emit 0x00              ; finish the executable
        _emit 0x00              ; and transfer control
        _emit 0x00              ; to NakedOS
        _emit 0x10              ; (if it is still
        _emit 0x00              ; in the memory)
    end:
        nop
    }
Dr. Alexander Pozhitkov (pozhit@uw.edu) has an MS degree in Chemistry and a PhD in Genetics from Albertus Magnus University in Cologne, Germany. He has been working for 12 years on interdisciplinary research involving molecular biology, physical chemistry, software, and electrical engineering. Currently, Dr. Pozhitkov is a researcher at the University of Washington, Seattle. His technical interests include hardware programming, vacuum tubes, and high-voltage electronics.
PROJECT FILES
To download the code, go to ftp://ftp.circuitcellar.com/pub/Circuit_Cellar/2012/259.
REFERENCES
[1] Intel Corp., "Intel Core 2 Duo Processor E8000 and E7000 Series Datasheet," 2009, http://download.intel.com/design/processor/datashts/318732.pdf.
[2] ———, "Intel 64 and IA-32 Architectures Software Developer's Manuals," www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html.
[3] ———, "Intel 4 Series Chipset Family Datasheet," 2010, www.intel.com/Assets/PDF/datasheet/319970.pdf.
[4] ———, "Intel I/O Controller Hub 10 (ICH10) Family Datasheet," 2008, www.intel.com/content/www/us/en/io/io-controller-hub-10-family-datasheet.html.
[5] M. Klasson, "HexIt – The Hex Editor," 2011, http://mklasson.com/hexit.php.

RESOURCE
E. Nisley, "Journey to the Protected Land," Circuit Cellar 48–65, 1994–1995.
SOURCES
Intel Core 2 Duo Processor, Intel Corp. | www.intel.com
Visual C++ Integrated development environment (IDE), Microsoft Corp. | www.microsoft.com