NakedCPU which provides full access to hardware and aCPU without any restrictions imposed by the OS Impor-tantly the processor isnrsquot obscured by Linux DOS orWindows and is operating in its most interesting andpowerful modemdashthe protected mode In this article theusers are referred to as inquirers because the NakedCPUis made for researchers (ie devoted geeks) rather thanregular users

My aim is to provide you inquirers with some help navi-gating hardware documentation which is confusing andotherwise difficult to find I wonrsquot restate the documenta-tion because many computer concepts and technologiesquickly become obsolete With this article howeveryoursquoll find it easier to follow the newer technologies anddocumentation

PROCESSORS amp PLATFORMSThink for a moment about one of the modern Intel CPU

varieties the Intel Core 2 Duo processor This impressive

lectronic projects involving microcontrollers arepopular among design enthusiasts and profession-

als alike Many interesting applications have been madewith microcontrollers and programming them can be alot of fun At the same time the powerful central pro-cessing unit (CPU) found in the personal computer(PC)mdashwhich serves every electronics designer on a dailybasis (including microcontroller programming)mdashis lack-ing such attention Most experimentation with a PC islimited to developing high-level code software with theaid of numerous libraries and technologies hiding thehardware beneath layers and layers of code Unlimitedexperimentation with PC hardware is rarely possibleHowever you have to install drivers enabling someaccess to hardware because the operating system (OS)naturally does not permit us to do any low-level activi-ties The sad part is that such drivers are mysteriousthemselves It is safe to say hardware programming waswell known to many computer professionals and enthusi-asts in the 1980s Later many people forgot about itwhile the technology tremendously leapt ahead In thisarticle I try to bridge the gap in time and revive interestin hardware programming based on state-of-the-art tech-nologies and concepts There is a Russian saying ldquoEvery-thing new is actually well-forgotten oldrdquo

WHAT IS THE NakedCPUThis article is a result of my interest in the Intel CPU

chipset IO controller and other essential PC devicesfrom the perspective of low-level hardware programmingunobstructed by an OS and drivers My motivation wasto reach out to people with inquisitive minds who wouldappreciate the possibility to directly experiment with theCPU chipset and other hardware Here Irsquoll present the

24 CIRCUIT CELLARreg bull wwwcircuitcellarcom

Febr

uary

201

2 ndash

Issue

259

The first part of this two-part series provides an overview of the NakedCPU This platformis designed to provide full access to hardware and a CPU without any operating systemrestrictions while working in the protected mode

The NakedCPU (Part 1)

E

FEAT

URE

ARTICLEby Alexander Pozhitkov (USA)

Hardware Experiments and a Roadmap forNavigating Documentation

Figure 1mdashThe NakedCPU and master computers are connected via aserial interface The NakedCPU does not need a keyboard or a monitor

NakedCPU Master

RS-232

easiest way to supply the NakedCPU with a start-up code isto prepare a bootable floppy disk with your own code Cer-tainly one can also put this code onto a hard driveThe start-up code (up to 512 bytes) was written in

Assembly language and must be stored in sector 0mdashthatis the master boot record (MBR) of the disk The Assem-bly language compilers and linkers such as MASM werenot used to prepare the MBR due to various difficultiesalthough they may be suitable as well There is howevera binary editor called HexIt which among other thingsenables direct conversion of Assembly commands intobinary code[5] Using this editor a binary file of the futureMBR was created The filersquos content is available on theCircuit Cellar FTP site Refer to Table 1 and Table 2 formore details about the contentA small utility Firstsectwriteexe (also available on the

Circuit Cellar FTP site) was written to transfer this fileinto sector 0 of the disk Although the code of this utilityis quite simple it deserves some attention A Windows APIcall to CreateFile(TEXT(ldquoArdquo)) opens rawcommunication with a diskmdasha floppy drive A in thiscasemdashto enable writes into the sector 0 It is important tonote that this call will be only be successful under theadministrator accountI used a Dell Optiplex 760 computer to conduct the

experiments It had a floppy drive attached via a USB BIOSstart-up options enabled me to boot up the computer fromsuch a drive

THE NakedOSIt may sound contradictive to the spirit of the article to be

OS-free however the NakedCPU is booted up with a tiny(262 bytes long) 32-bit ldquooperating systemrdquo the NakedOSwhich enables the NakedCPU to communicate with theoutside world via a serial port In fact I did not compromisemy principle of truly free exploration because the NakedOS

processor is capable of consuming up to 75 A of current[1] Itis not a simple processor Its documentation consists of fivevolumes with the total page count of approximately 3800pages[2] The Intel CPU does not operate alone It is inter-faced to a chipset known as a graphics and memory con-troller hub (GMCH) The chipset on the other side is con-nected to an IO controller hub (ICH) Interestingly thisarrangement is analogous to your nervous system with abrain a brainstem and a spinal cord GMCH and ICH areprocessors themselves containing hundreds of configura-tion and control registers The documentation on GMCHand ICH spans more than 1400 pages[3 4] Itrsquos no wonderOSes hide actual hardware under a thick blanket of inter-mediate codeIt is not easy to experiment with the Intel CPU given

the complexity of surrounding hardware such as thechipset network controller and so forth Another difficul-ty is the fact that the documentation is filled with electri-cal engineering abbreviations and concepts Also pervasivelayers of OS code interfere with truly free explorationThe NakedCPU is an experimental platform exposing

the hardware internals of a PC Experimentation withNakedCPU requires two computers (see Figure 1) One isthe master computer with Windows and Visual Studio soft-ware whose job is interacting with us and the second com-puter The second computermdashthe NakedCPUmdashis connect-ed to the master via an RS-232 interfaceThe NakedCPU computer is booted up with a small

amount of start-up code (available on the Circuit CellarFTP site) which enables it to communicate via RS-232with the master Upon start-up the NakedCPU expectstwo separate packages of bytes one is a stream of IntelCPU opcodes to be executed (ie the executable) and theother one is the data to be processed The executable canmodify any part of memory chipset registers and soforth and even overwrite the start-up code In otherwords the freedom is yours

STARTING THE NakedCPUThe NakedCPU wonrsquot run without some sort of a start-up

code At start-up two tasks must be accomplished switchthe CPU into the Protected mode and begin listening on theserial port for two packets of bytes executable and data The

25

Febr

uary

201

2 ndash

Issue

259

wwwcircuitcellarcom bull CIRCUIT CELLARreg

Table 2mdashCritical data structures

Structure MBR Location

Pseudo-descriptor IDT 0x194

Pseudo-descriptor GDT 0x1BA

Null descriptor 0x1C0

Table 1mdashAnatomy of the MBR

Description MBR Location

Determining the current address while the processor is still in real mode after power on BIOS has loaded the MBR somewhere

into the memory and transferred control to our code The current address is necessary to locate physical address of the pseudo-

descriptor which is in turn defining a physical address and a limit for the Global Descriptor Table (GDT)

0x3Endash0x4D

LGDT instruction (Load GDT register) is loading pseudodescriptor which is pointing to GDT 0x52

GDT and Interrupt Descriptor Table (IDT) are copied into a new memory location beginning from linear address 0x0 GDT

and IDT are defining memory segments for the processor to operate in protected mode

0x57ndash0x64

The MBR contains a very tiny 32-bit protected mode ldquooperating systemrdquo named the NakedOS 0x80ndash0x186

The NakedOS is copied into a new memory location beginning with linear address 0x800 0x65ndash0x71

Switching into protected mode is accomplished by adjusting the machine status word using a LMSW instruction 0x72ndash0x78

Transfer control to the NakedOS 0x7B

Set up 8259 interrupt controller 0xF5ndash0x105

Transfer control to the inquirerrsquos executable 0x106

26 CIRCUIT CELLARreg bull wwwcircuitcellarcom

Febr

uary

201

2 ndash

Issue

259

BIOS they are solely defined by the codeImmediately after start-up the NakedOS expects two

transactions one for the executable code and another fordata Each transaction is a stream of bytes sent via the

is absolutely transparent Its code is available on the CircuitCellar FTP site

The NakedOS defines several memory segments whichare useful as an initial environment for the inquirerrsquos exe-cutable (see Table 3) Intel documentation provides anexplanation for protected mode memory segments globaldescriptor table (GDT) and interrupt descriptor table(IDT)[2] In addition the NakedOS defines two softwareinterrupts and a base vector for hardware interrupts Notethat the IDT interrupts have nothing to do with DOS or

Table 4mdashThe format of NakedOS transactions The first 4 bytesindicate the length of the subsequent byte stream

Byte index 0 1 2 3 0 1 2 hellip N-1

Description Length N Executable code or data

Table 3mdashMemory segments and interrupts defined by the NakedOS

Segment Base Size Descriptors type

Extended memory 0x100000 ~128 Mb 0x28 data

Screen character mode 0x0B8000 4 Kb 0x20 data

Target executable 0x93B 64 Kb

0x30 code 32

0x38 data

NakedOS 0x800 315 bytes 0x10 code 32

Stack 0x400 1024 bytes 0x18 stack 32

System data

IDT 0x3FFndash0x200

GDT 0x1FFndash0

0x0 1024 bytes 0x8 data

Interrupts Info

INT 0x20 Read a packet from serial port destination ES[EDI] mandatory condition DS=ES First 4 bytes of the packet

indicate in bytes the length of the subsequent string Upon return ECX contains the number of bytes received

INT 0x21 Send to serial port a string of ECX bytes located at DS[ESI]

IRQ0 Hardware interrupts base vector is 0x28

Circuit Cellar feature articles are contributed by professional engineers academics and students from

around the globe Each month the editorial staff reviews dozens of article proposals and submissions

Only the best make it into the pages of this internationally respected magazine

Get PUBLISHED Get NOTICED Get PAID

Do you have what it takes

editorcircuitcellarcom

Contact C J Abate Editor-in-Chief

today to discuss the embedded design projects

and programming applications

yoursquove been working on and

your article could be featured

in an upcoming issue

of Circuit Cellar magazine

wwwcircuitcellarcom bull CIRCUIT CELLARreg 27

Febr

uary

201

2 ndash

Issue

259

RS-232 (see Table 4) The first transaction is written into thememory segment ldquotarget executablerdquo while the secondtransaction goes into the ldquoextended memoryrdquo segment After

the second transaction the NakedOStransfers control to the executable by along jump jmp 00030000000000 Fromthat moment in principle any memoryoccupied by the NakedOS can be overwrit-ten by the activities of your executable

The hardware interrupts are normallymasked when the NakedOS is runninghowever the 8259 interrupt controlleris set up (refer to the Circuit Cellar FTPsite) to handle them if you decide tounmask them Detailed instructions onprogramming the interrupt controllerare provided in the documentation forthe ICH[4]

THE NakedCPU EXPLORERAn important issue remains sending

an executable to the NakedCPU to con-duct experiments At the beginning ofthis article I said two computers areinvolved The master has a MicrosoftVisual C++ project the NakedCPUExplorer which acts as a ldquoshellrdquo thatenables the inspection and modification

of chipset registers and memory The code defines a classhaving a constructor which provides __asm brackets foryou to fill with executable code (see Listing 1)

Listing 1mdashA fragment of a constructor for a class derived from NakedCPUcode

DWORD pe ps__asm

mov pe offset end mandatory label endmov ps offset start mandatory label startjmp end master jumps over the codestart mov ax 0x28 loading

mov es ax data andmov ds ax stackmov ax 0x18 segment registersmov ss ax initializingmov esp 0x3fe stack pointerhere goes executable code_emit 0xEA this is_emit 0x00 a long jump to_emit 0x00 finish the executable_emit 0x00 and transfer control_emit 0x00 to NakedOS_emit 0x10 (if it is still_emit 0x00 in the memory)

end nop

Save 30 on all titles when you purchase from wwwnewnespresscomEnter promotional code Newnes30 at checkout

Register for our e-news at newnespresscom Find us on Facebook

By Peter WilsonISBN 9780080971384

By Lucio Di JasioISBN 9781856178709

By Morgan JonesISBN 9780080966403

By Art KayISBN 9780750685252

N e w n e s P r e s s

Education Never Ends Everything you need to know to get started

tiodu tiocaduEE

er Endser Enn Nevn New nw nN e

eed tu nog yerythinvE dsses P re

edtartt seo gw too kneed t

s

ed

avS

tioomorer ptEnen ys whn all title oe 30avave 30

kcebooan Fn Fas od uinFFin

cke cht as30eewnNe al codntiom wwwore fsahcuru poen y

ur e-nr ooer fer fotter fRegis

touckmcosserpsewnenm www

cosserrepsspeewnt news aur e-n

mco

28 CIRCUIT CELLARreg bull wwwcircuitcellarcom

Febr

uary

201

2 ndash

Issue

259

Dr Alexander Pozhitkov (pozhituwedu) has an MS degree inChemistry and a PhD in Genetics from Albertus Magnus Universityin Cologne Germany He has been working for 12 years oninterdisciplinary research involving molecular biology physicalchemistry software and electrical engineering Currently DrPozhitkov is a researcher at the University of WashingtonSeattle His technical interests include hardware programmingvacuum tubes and high-voltage electronics

PROJECT FILESTo download the code go to ftpftpcircuitcellarcompubCircuit_Cellar2012259

REFERENCES[1] Intel Corp ldquoIntel Core 2 Duo Processor E8000 andE7000 Series Datasheetrdquo 2009 httpdownloadintelcomdesignprocessordatashts318732pdf

[2] mdashmdashmdash ldquoIntel 64 and IA-32 Architectures SoftwareDeveloperrsquos Manualsrdquo wwwintelcomcontentwwwusenprocessorsarchitectures-software-developer-manualshtml

[3] mdashmdashmdash ldquoIntel 4 Series Chipset Family Datasheetrdquo2010 wwwintelcomAssetsPDFdatasheet319970pdf

[4] mdashmdashmdash ldquoIntel IO Controller Hub 10 (ICH10) Fami-ly Datasheetrdquo 2008 wwwintelcomcontentwwwusenioio-controller-hub-10-family-datasheethtml

[5] M Klasson ldquoHexIt ndash The Hex Editorrdquo 2011httpmklassoncomhexitphp

RESOURCEE Nisley ldquoJourney to the Protected Landrdquo CircuitCellar 48ndash65 1994ndash1995

SOURCESIntel Core 2 Duo ProcessorIntel Corp | wwwintelcom

Visual C++ Integrated development environment (IDE)Microsoft Corp | wwwmicrosoftcom

Since Visual C++ is running on the master PC with anIntel CPU the compiler translates the Assembly codeinto appropriate opcodes which are naturally suitable forthe NakedCPU Specifically this class is derived fromanother class NakedCPUcode which performs preparato-ry work by extracting the opcodes produced from thecode in the __asm brackets and making them availablefor sending over to the NakedCPU Note that the Naked-CPU only receives the code between start and endlabels It is important to understand that the mastercomputer will not execute the code in the __asmbrackets it simply jumps over it The strange keyword_emit enables the direct placement of opcodes by theirhexadecimal values For some reason a long jump is notpermitted when using the Visual Studio compilerThe project also defines a class SerialComm and a

function SendNakedCPUdataRecvResponse to send andreceive data It is worthwhile to examine the projectrsquosstraightforward code to understand the details of communica-tion with the NakedCPU Besides serving as an example theNakedCPU Explorer sends an executable to the NakedCPUwhich permits the interactive examination and modificationof various chipset and IO controller registers The Naked-CPU Explorer offers eight commands write write32read read32 pci memread memwrite and quit The firstfour commands will ask for a port address (ie an address inthe CPU IO space) With these commands the NakedCPUwill write to and read from a GMCH or ICH register 1 or 4bytes The fifth command will ask for Bus (decimal) Device(decimal) Function (decimal) and Register (hexadecimal) val-ues Their values will be packed into the port 0xCF8 to opena ldquowindowrdquo into the PCI configuration space thatrsquos accessiblevia port 0xCFC Details on addressing PCI devices are provid-ed in the chipset documentation[3] The memread andmemwrite commands enable the reading and writing of dou-ble words from and to the memory respectively A regular PC ubiquitous in most homes is filled with

powerful and interesting hardware Unfortunately it tends tobe difficult to experiment with PCs due to the lack of docu-mentation and overly protective OSes The first part of thisarticle detailed at the path to the hard-to-find documentation

I also described the NakedCPU which is my OS-freeplatform for experimenting with a PCrsquos internals

NEW EXPERIMENTSThe NakedCPU is controlled from another computer the

master which provides you with an interface In the nextpart of this series Irsquoll describe how to use the NakedCPUExplorer for experiments with the speaker parallel portand LAN adapter In addition Irsquoll give you a peek at theBIOSmdashthe power-on code in particular Undoubtedly thesuggested experiments will be stepping stones to help youbegin even more interesting research I

Authorrsquos note The NakedCPU Explorer does not use anyhidden ldquohelperrdquo drivers or libraries The code is entirelytransparent for the inquirerrsquos perusal

ldquoImmediately after start-up the NakedOSexpects two transactions one for theexecutable code and another for dataEach transaction is a stream of bytessent via the RS-232 The first transactionis written into the memory segmentlsquotarget executablersquo while the secondtransaction goes into the lsquoextendedmemoryrsquo segment After the secondtransaction the NakedOS transferscontrol to the executable by a longjump jmp 00030000000000rdquo