Monster Media 1996 #15

home *** CD-ROM | disk | FTP | other *** search

/ Monster Media 1996 #15 / Monster Media Number 15 (Monster Media)(July 1996).ISO / prog_gen / ssd40.zip / SSD.DOC < prev next >

Wrap

Text File | 1996-04-19 | 137KB | 2,977 lines

SERVILE SOFTWARE DECODER Version 4.0 Shareware Version Disk Manual 2 DISCLAIMER The Servile Software Decoder is supplied as a tool to assist in the reverse- engineering of IBM PC software, with special attention to computer viruses. Because of the nature of the subject, no guarrantees can be made that a program analysed with SSD will behave in the same manner when executed outside of the SSD environment. Years of development and rigourous testing have gone into SSD, including testing it on hundreds of Shareware, freeware and commercial programs, including computer viruses. Some programs, by their nature, exhibit pecuiliar behaviour when analysed with SSD which they do not exhibit otherwise. Use of SSD is at your own risk. The author accepts no liability in any form and makes no guarrantees as to the suitability of this product for any purpose what so ever. Please note that in particular some software may bypass SSD's safety measures and could damage data or hardware. It is impossible to make a completely safe environment for testing malicious software. 3 INTRODUCTION The Servile Software Decoder (SSD) is a powerful code and program analyser for the IBM PC. SSD is neither a disassembler nor a debugger, although it shares some similarities with both. Unlike a disassembler, SSD activately analyses the code of a program, this allows SSD to analyse encrypted programs, unlike a disassemler. Unlike a debugger, SSD interprets the program under analysis. This has the advantage that SSD is safe to use with computer viruses as dangerous commands are inhibited. It also implies that SSD is not prone to anti-debugger instructions which are often contained in computer viruses. Because SSD interprets programs, rather than passing them straight to DOS for execution, some programs may exhibit slightly different behaviour when analysed than when executed. This is unfortunately unavoidable. When SSD starts execution, or loads a new file, the PC interrupt vector table is copied into memory. All subsequent reads and writes to the first 1024 bytes of RAM (vector table) are then redirected to the SSD copy of the interrupt vector table. This allows programs to think they have changed an interrupt vector, but at the same time retains security by not changing the real vector. Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╔════════════About═════════════╗ ║ ║ ║ Servile Software Decoder ║ ║ ║ ║ ║ ║ ║ ║ Version 4.0 ║ ║ ║ ║ (Shareware Version) ║ ║ ║ ║ ║ ║ ║ ║ Copyright (c)1996 by ║ ║ ║ ║ ║ ║ ║ ║ Servile Software ║ ║ ║ ╚══════════════════════════════╝ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 53C8 DS 53B8 ES 53B8 SS 552C SP 0080 IP 0000 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ 4 DISPLAY SSD uses two display pages. Page 0, the normal default DOS display page is used for output from the program being analysed. Page 1 is used for the SSD main display which is divided into the following component parts: Menu bar, containing drop-down menus of facilities. Code window, which displays the dissasembly of each instruction as it occurs. Analysis window, which displays analysis information about the running program and also data dumps when requested. And the registers window which displays the current contents of the CPU registers as they appear to the program being analysed. Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 4B4B DS 4B4B ES 0000 SS 4C8D SP 0200 IP 0100 0000000 ║ ║ 4B4B:0423 01 A5 12 48 00 E9 ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ 5 FACILITIES This section describes the various facilities available from the drop-down menus. Each menu is tackled in turn, with the menu name shown in CAPITALS, followed by the facilities available from that menu. Execute: The "Execute" menu provides access to the various facilities for "running" the loaded program. In brief, the loaded program may be single stepped, run at maximum speed or traced at three different speeds. A program which is being either traced or run may be stopped by pressing the Esc key. When single stepping a program each instruction is fetched and interpreted and then execution pauses. You may then repeatedly press return whilst the "Step" prompt is highlighted to facilitate single-stepping through the code. Execute Record Utility File Exit ╔════════╗ ║ Step ║══Trace════════════╦════════════════════Analysis═════════════════════╗ ║ Run ║ ║ ║ ║ Slow ║ ║ ║ ║ Medium ║ ║ ║ ║ Fast ║ ║ ║ ╚════════╝ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 53C8 DS 53B8 ES 53B8 SS 552C SP 0080 IP 0000 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ 6 Step: Single step the loaded program. Only the next instruction is interpreted, and then SSD returns to the Execute menu. Run: Run the program at maximum speed. SSD does not display the results of the analysis, but will echo all selected "trace" output analysis to the selected file as normal. This allows a program to be executed at the fastest possible speed and then the analysis may be reviewed later. Slow: Trace the program slowly. As each instruction is fetched and interpreted, it's dissamembly and any resulting analysis are displayed along with the new contents of all the registers. However, should the program be in a loop command, only the effect upon the registers is displayed untill the loop finishes. When looping the "trace" window will appear to pause, but the "registers" window will be animated displaying the changes to the registers during the loop (most commonly CX will increment or decrement by single values). Medium: Trace the program fairly slowly. As each instruction is fetched and interpreted, its dissamembly and analysis are displayed togther with the new contents of all the registers. However, should the program be in a loop command, only the effect upon the registers is displayed untill the loop finishes. Fast: Trace the program quickly. As each instruction is fetched and interpreted, its dissamembly and analysis are displayed togther with the new contents of all the registers. However, should the program be in a loop command, only the effect upon the registers is displayed untill the loop finishes. 7 RECORD: Toggle which trace and analysis details will be echoed to an output file. The details are cumulative. Selecting an option low in the list will result in details higher in the list also being recorded. Selecting the "Code & Regs" option results in all trace and analysis details being recorded. A tick (√) appears next to the currently selected level of recording. SSD requires you to enter a name of a file to which the details will be echoed. If you want the details echoed to the printer directly, rather than to a disk file, then enter the file name PRN. This can be useful for tracing code which destroys the display, such as tracing interrupt 10h for example. Notice that if the printer is switched off, off-line or out-of-paper SSD will continue regardless, but nothing will be echoed to the printer until the problem is resolved. Execute Record Utility File Exit ╔══════════════╗ ╔═══════════Trace══║ √None ║═══════════════Analysis═════════════════════╗ ║ ║ Analysis ║ ║ ║ ║ Code ║ ║ ║ ║ Code & Regs ║ ║ ║ ╚══════════════╝ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 53C8 DS 53B8 ES 53B8 SS 552C SP 0080 IP 0000 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ The Record Menu (no recording selected) 8 UTILITY: Miscellaneous utility facilities. About....: Displays information about SSD. After reading the information displayed, press any key to remove the "about" window from the display. Change Regs: Allows any register value to be changed. Highlight the required register, and press return to enter a new value. Trace Int: Allows an interrupt to be specified instead of a program. To trace the interrupt use the Execute facilities as for a program. (CS and IP are set to the values stored in the appropriate interrupt vector). In effect, the ROM code pointed to by the interrupt vector may be viewed like a COM file, but rather than loading it with the "file" facility, you load it with the "Trace Int." facility. SSD sets execution to commence at the start of the code - just as it does when you load a program. For Example; if you want to trace interrupt 10 you should first select the Trace Int facility from the Utility menu and enter the number, in hexadecimal notation, of the interrup to trace. In this case 10. Then set the registers to any required values. Finally the interrupt may be called and traced with the Execute facilities: Step, Slow etc. Dump: Display the values in RAM at a specified segment:offset address. Registers may be specified for the address, eg: es:di is a valid address. This facility is typically used to view messages within encrypted programs, thus allowing the true identity of encrypted computer viruses to be determined. You may also like to execute an encrypted .COM program until it finishes decrypting and then use the "write" facility to write the memory image to disk where from you may view it using a hex disk editor. Watch: The Watch facility is similar Dump, but displays the six bytes at the specified address. These bytes are reread and displayed as the program is executed - like the register's display. This allows you to watch the values at a specified memory address. The data is displayed as the segment:offset of the address followed by each data byte in hexadecimal format. Output: Display the program's output screen. Press a key to return to the analysis screen. Interrupts: Displays the values recorded in the interrupt vector table (SSD's copy). The listing is displayed onescreen page at a time. To continue the listing press any key except the Esc key, pressing the Esc key will terminate the listing. 9 Execute Record Utility File Exit ╔═════════════╗ ╔═══════════Trace════════════╦════════║ About.... ║lysis═════════════════════╗ ║ ║ ║ Change Regs ║ ║ ║ ║ ║ Trace Int ║ ║ ║ ║ ║ Dump ║ ║ ║ ║ ║ Watch ║ ║ ║ ║ ║ Output ║ ║ ║ ║ ║ Interrupts ║ ║ ║ ║ ╚═════════════╝ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 4B4B DS 4B4B ES 4B4B SS 4C8D SP 0200 IP 0100 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ 10 FILE: The "File" menu provides facilities for opening and writing program files and also for specifying command line arguments to be supplied to the program under analysis. Open: Allows you to specify a program to load and analyse. You may also specify the name of a program on the command line when you start SSD, for example: SSD myprog.exe Write: Writes a memory image of the current .COM program to disk. As EXE files are not binary images (they contain redirection code for example) they cannot be written to disk and an error is reported if the loaded program is a .EXE program and you try to write the memory image to disk. This facility is used for decoding and unencrypting .COM files which may then be written to disk for disassembly with more traditional tools such as "Sourcer" and "The Interactive Disassembler". 11 Arguments: Allows command line arguments to be specified. These are then passed to the program being analysed. For example; if a program normally expects a command line to include parameters, such as the DOS "type" command, as in TYPE myfile.doc Then you may need to supply command line arguments to the program when analysing it with SSD. This facility allows you to do this. Execute Record Utility File Exit ╔═══════════╗ ╔═══════════Trace════════════╦════════════════════Analysis══║ Open ║══════╗ ║ ║ ║ Write ║ ║ ║ ║ ║ Arguments ║ ║ ║ ║ ╚═══════════╝ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 53C8 DS 53B8 ES 53B8 SS 552C SP 0080 IP 0000 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ The File Menu EXIT: Returns to DOS. When you have finished analysing programs select this option to exit SSD and return to the operating system. 12 USING SSD SSD may be started with an optional command line parameter describing a program to be loaded and analysed. This program may include a path statement such as: SSD C:\TEST\MYPROG.EXE Also the program need not be suffixed with the usual .EXE or .COM as required by DOS. SSD will attempt to load and interpret any file specified, for example: SSD C:\MYBOOT.BIN Will cause SSD to start and load the file "myboot.bin" from the root directory of drive C. If this file is a valid binary image, such as a capture of a disk boot sector program, then it may be traced and analysed with SSD. 13 EXAMPLE Tracing a boot sector virus: In order to trace a boot sector virus one must first capture the boot sector into a file, using a tool such as Servile Software's "Getboot" facility. The created file may then be treated like a COM file. For example. Say you have captured the ExeBug virus into a file named "exebug.bin". This may then be traced through SSD as follows. First start SSD with the command line: SSD exebug.bin You may then use the step command to follow each command, as illustrated in the following screen shots: Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║0100 jmp short 011E ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 507A DS 507A ES 507A SS 507A SP FFFE IP 011E 0000000 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ Tracing ExeBug 14 Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║0100 jmp short 011E ║ ║ ║011E xor ax,ax ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 0000 BX 0000 CX 0000 DX 0000 SI 0000 DI 0000 BP 0000 ║ ║ CS 507A DS 507A ES 507A SS 507A SP FFFE IP 0120 1000010 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ Tracing ExeBug Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║0100 jmp short 011E ║ ║ ║011E xor ax,ax ║ ║ ║0120 mov ds,ax ║ ║ ║0122 mov di,ax ║ ║ ║0124 mov ss,ax ║ ║ ║0126 mov sp,7C00 ║ ║ ║0129 mov cl,06 ║ ║ ║012B mov si,sp ║ ║ ║012D mov bx,sp ║ ║ ║012F les ax,[004C] ║ ║ ║0133 mov [7CAD],ax ║ ║ ║0136 mov ax,[0413] ║ ║ ║0139 mov [7CAF],es ║ ║ ║013D dec ax ║ ║ ║013E mov [0413],ax ║ ║ ║0141 shl ax,cl ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 9F80 BX 7C00 CX 0006 DX 0000 SI 7C00 DI 0000 BP 0000 ║ ║ CS 507A DS 0000 ES 08A9 SS 0000 SP 7C00 IP 0143 0011100 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ Tracing ExeBug 15 Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║0122 mov di,ax ║Set vector 13 segment to 0122: ║ ║0124 mov ss,ax ║ ║ ║0126 mov sp,7C00 ║ ║ ║0129 mov cl,06 ║ ║ ║012B mov si,sp ║ ║ ║012D mov bx,sp ║ ║ ║012F les ax,[004C] ║ ║ ║0133 mov [7CAD],ax ║ ║ ║0136 mov ax,[0413] ║ ║ ║0139 mov [7CAF],es ║ ║ ║013D dec ax ║ ║ ║013E mov [0413],ax ║ ║ ║0141 shl ax,cl ║ ║ ║0143 mov es,ax ║ ║ ║0145 push ax ║ ║ ║0146 mov [004C],0122 ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 9F80 BX 7C00 CX 0006 DX 0000 SI 7C00 DI 0000 BP 0000 ║ ║ CS 507A DS 0000 ES 9F80 SS 0000 SP 7BFE IP 014C 0011100 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ Tracing ExeBug - A crafty write to the BIOS disk vector Execute Record Utility File Exit ╔═══════════Trace════════════╦════════════════════Analysis═════════════════════╗ ║0124 mov ss,ax ║Set vector 13 segment to 0122: ║ ║0126 mov sp,7C00 ║Set vector 13 offset to :9F80 ║ ║0129 mov cl,06 ║ ║ ║012B mov si,sp ║ ║ ║012D mov bx,sp ║ ║ ║012F les ax,[004C] ║ ║ ║0133 mov [7CAD],ax ║ ║ ║0136 mov ax,[0413] ║ ║ ║0139 mov [7CAF],es ║ ║ ║013D dec ax ║ ║ ║013E mov [0413],ax ║ ║ ║0141 shl ax,cl ║ ║ ║0143 mov es,ax ║ ║ ║0145 push ax ║ ║ ║0146 mov [004C],0122 ║ ║ ║014C mov [004E],ax ║ ║ ║ ║ ║ ╠════════════════════════════╩═════════════════════════════════════════════════╣ ║ AX 9F80 BX 7C00 CX 0006 DX 0000 SI 7C00 DI 0000 BP 0000 ║ ║ CS 507A DS 0000 ES 9F80 SS 0000 SP 7BFE IP 014F 0011100 ║ ║ ZCSOAPD ║ ╚═════════Registers════════════════════════════════════════════════════════════╝ Tracing ExeBug - A crafty write to the BIOS disk vector 16 INHIBITED COMMANDS SSD inhibits all attempts to disable hardware by writing to I/O ports, generation of audible tones, attempts to create new files, closing of the standard files; stdin, stdout, stderr, stdaux and stdprn, write to disk and disk formatting instructions. Instructions which attempt to write to memory occupied by SSD are also rejected. Inhibiting operations allows a greater degree of safety when analysing computer viruses, but has the disadvantage that subsequent program behaviour may be altered in some circumstances. SSD inhibits attempts to change the following interrupt vectors: 08, 0A, 0B, 0C, 0D, 0E, 0F, 1C, 21, 24, 70 However, subsequent reads of these vectors will return a value as though the change had occured. 17 DOS ERROR CODES DOS error codes are usually returned in the AX register following an abortive DOS interrupt call, usually indicated by a set carry flag. Code Meaning 01 Invalid function 02 File not found 03 Path not found 04 No handles available 05 Access denied 06 Invalid handle 07 Memory control blocks destroyed 08 Insufficient memory 09 Invalid memory block address 0A Invalid environment 0B Invalid format 0C Invalid access code 0D Invalid data 0F Invalid drive 10 Attempt to remove current directory 11 Not the same device 12 No more files 13 Disk write-protected 14 Unknown unit 15 Drive not ready 16 Unknown command 17 CRC error 18 Bad request structure length 19 Seek error 1A Unknown media type 1B Sector not found 1C Out of paper 1D Write fault 1E Read fault 1F General failure 20 Sharing violation 21 Lock violation 22 Invalid disk change 23 FCB unavailable 24 Sharing buffer overflow 18 MEMORY MAP The following table describes the layout of conventional RAM (memory) within the IBM PC and compatibles. Each address is shown in the format segment:offset, as is conventional with Intel's approach to memory addressing with the 8080 family of CPUs. 0000:0000 RAM Vector Table 256 entries stored as segment word offset word 0040:0000 BIOS data area :0000 Base I/O address of 1st serial I/O port, zero if none :0002 Base I/O address of 2nd serial I/O port, zero if none :0004 Base I/O address of 3rd serial I/O port, zero if none :0006 Base I/O address of 4th serial I/O port, zero if none :0008 Base I/O address of 1st parallel I/O port, zero if none :000A Base I/O address of 2nd parallel I/O port, zero if none :000C Base I/O address of 3rd parallel I/O port, zero if none :000E Base I/O address of 4th parallel port, zero if none Segment of Extended BIOS Data Segment (PS/2) :0010 Installed hardware :0012 POST status :0013 Base memory size in kbytes (0-640) :0015 Manufacturing test scratch pad :0016 Manufacturing test scratch pad BIOS control flags (PS/2 mod 30) Keyclick loudness 00h-7Fh (Compaq Deskpro 386K) :0017 Keyboard status flags 1 :0018 Keyboard status flags 2 :0019 Keyboard: Alt-nnn keypad workspace :001A Keyboard: ptr to next character in keyboard buffer :001C Keyboard: ptr to first free slot in keyboard buffer :001E Keyboard circular buffer :003E Diskette recalibrate status :003F Diskette motor status :0040 Diskette motor turn-off time-out count :0041 Diskette last operation status :0042 XT: command byte to hard disk controller AT: write precompensation cylinder number / 4 :0043 XT: bit 5 = drive number, bits 3-0=head number AT: sector count :0044 XT: bits 6,7 = high bits of track, bits 5-0 = start sector-1 AT: starting sector :0045 low byte of track number :0046 XT: sector count AT: high bits of track number :0047 XT: control byte from HD parameters (step rate,...) AT: 101DHHHH, D=drive number, HHHH=head number :0048 XT: INT 13 subfunction number AT: comand byte to hard disk controller :0049 Current video mode :004A Video columns on screen :004C Video page (regen buffer) size in bytes :004E Video current page start address in regen buffer 19 :0050 Video cursor position (col, row) for eight pages :0060 Video cursor type, hi=startline, lo=endline :0062 Video current page number :0063 Video CRT controller base address :0065 Video current setting of mode select register :0066 Video current setting of CGA palette register 03D9h :0067 POST real mode re-entry point after certain resets pointer to reset code upon system reset (PS/2 except mod 25,30) with memory preserved :006B POST last unexpected interrupt :006C Timer ticks since midnight :0070 Timer overflow :0071 Ctrl-Break flag :0072 POST reset flag :0074 Fixed disk last operation status, except ESDI drives :0075 Number of fixed disk drives :0076 Fixed disk control byte :0077 Fixed disk I/O port offset :0078 Parallel devices 1-3 time-out counters :007B parallel device 4 time-out counter (non-PS/2 and PS/2 Mod 25,30) :007C Serial devices 1-4 time-out counters :0080 Keyboard buffer start as offset from segment 40h :0082 Keyboard buffer end+1 as offset from segment 40h :0084 Video EGA/MCGA/VGA rows on screen minus one :0085 Video EGA/MCGA/VGA character height in scan-lines :0087 Video EGA/VGA control :0088 Video EGA/VGA switches :0089 Video MCGA/VGA mode-set option control :008A Video MCGA/VGA index into Display Combination Code table :008B Diskette media control (not XT) :008C Fixed disk controller status (not XT) :008D Fixed disk controller Error Status (not XT) :008E Fixed disk Interrupt Control (not XT) :008F Diskette controller information (not XT) :0090 Diskette drive 0 media state :0091 Diskette drive 1 media state :0092 Diskette drive 0 media state at start of operation :0093 Diskette drive 1 media state at start of operation :0094 Diskette drive 0 current track number :0095 Diskette drive 1 current track number :0096 Keyboard status byte 1 :0097 Keyboard status byte 2 :0098 Timer2 :009C Timer2 :00A0 Timer2 :00A1 LAN Support Program Interrupt Arbitrator present :00A2 Reserved for network adapters :00A4 Saved Fixed Disk Interrupt Vector (PS/2 Mod 30) :00A8 Video: EGA/MCGA/VGA ptr to Video Save Pointer Table :00AC Reserved :00B0 Vendor specific :00CE Count of days since last boot :00D0 Reserved :00F0 Reserved for user :0100 Print Screen Status byte :010E State of BREAK at start of BASICA.COM execution :010F BASICA v2.10 running flag :0116 INT 1B at start of BASICA.COM execution 20 :011A INT 24 at start of BASICA.COM execution 0040:011E DOS kernel ????:???? Device drivers ????:???? Resident part of COMMAND.COM ????:???? FREE SPACE A000:0000 EGA/VGA Video RAM B000:0000 Video RAM C000:0000 EGA/VGA BIOS ROM extension ) DOS C000:8000 Hard drive ROM extension ) HIGH MEMORY E000:0000 Other BIOS ROM extensions ) AREA F000:0000 BIOS ROM :EFC7 Floppy disk parameters :F0A4 Video hardware table :FEF3 Initial interrupt vector table values :FFF5 BIOS version date code :FFFE Model type :FFFF Model sub type 21 XT, AT and PS/2 I/O port addresses This data is provided for the purpose of providing an understanding into the nature of a program being analysed which accesses hardware ports. It is not intended to describe how to program the IBM PC hardware ports since this can lead to damage of the hardware. Note, although SSD has several safeguards inbuilt to prevent programs carrying out harmful port writes, it is not possible to catch all and a determined program may still damage your hardware even when analysed with SSD. "r" indicates port may be read. "w" indicates port may be written to (programmed). "r/w" indicates that the port may be both read and written to. 0000-001F ---- DMA 1 (first Direct Memory Access controller 8237) 0000 r/w DMA channel 0 address byte 0, then byte 1. 0001 r/w DMA channel 0 word count byte 0, then byte 1. 0002 r/w DMA channel 1 address byte 0, then byte 1. 0003 r/w DMA channel 1 word count byte 0, then byte 1. 0004 r/w DMA channel 2 address byte 0, then byte 1. 0005 r/w DMA channel 2 word count byte 0, then byte 1. 0006 r/w DMA channel 3 address byte 0, then byte 1. 0007 r/w DMA channel 3 word count byte 0, then byte 1. 0008 r DMA channel 0-3 status register bit 7 = 1 channel 3 request bit 6 = 1 channel 2 request bit 5 = 1 channel 1 request bit 4 = 1 channel 0 request bit 3 = 1 channel terminal count on channel 3 bit 2 = 1 channel terminal count on channel 2 bit 1 = 1 channel terminal count on channel 1 bit 0 = 1 channel terminal count on channel 0 0008 w DMA channel 0-3 command register bit 7 = 1 DACK sense active high = 0 DACK sense active low bit 6 = 1 DREQ sense active high = 0 DREQ sense active low bit 5 = 1 extended write selection = 0 late write selection bit 4 = 1 rotating priority = 0 fixed priority bit 3 = 1 compressed timing = 0 normal timing bit 2 = 1 enable controller = 0 enable memory-to-memory 0009 w DMA write request register 22 000A r/w DMA channel 0-3 mask register bit 7-3 = 0 reserved bit 2 = 0 clear mask bit = 1 set mask bit bit 1-0 = 00 channel 0 select = 01 channel 1 select = 10 channel 2 select = 11 channel 3 select 000B w DMA channel 0-3 mode register bit 7-6 = 00 demand mode = 01 single mode = 10 block mode = 11 cascade mode bit 5 = 0 address increment select = 1 address decrement select bit 3-2 = 00 verify operation = 01 write to memory = 10 read from memory = 11 reserved bit 1-0 = 00 channel 0 select = 01 channel 1 select = 10 channel 2 select = 11 channel 3 select 000C w DMA clear byte pointer flip-flop 000D r DMA read temporary register 000D w DMA master clear 000E w DMA clear mask register 000F w DMA write mask register 0010-001F ---- DMA controller (8237) on PS/2 model 60 & 80 0018 w PS/2 extended function register 001A PS/2 extended function execute 0020-003F ---- PIC 1 (Programmable Interrupt Controller 8259) 0020 w PIC initialization command word ICW1 bit 7-5 = 0 only used in 80/85 mode bit 4 = 1 ICW1 is being issued bit 3 = 0 edge triggered mode = 1 level triggered mode bit 2 = 0 successive interrupt vectors use 8 bytes = 1 successive interrupt vectors use 4 bytes bit 1 = 0 cascade mode = 1 single mode, no ICW3 needed bit 0 = 0 no ICW4 needed = 1 ICW4 needed 0021 w PIC ICW2,ICW3,ICW4 after ICW1 to 0020 ICW2: bit 7-3 = address lines A0-A3 of base vector address for PIC bit 2-0 = reserved ICW3: bit 7-0 = 0 slave controller not attached to corresponding 23 interrupt pin = 1 slave controller attached to corresponding interrupt pin ICW4: bit 7-5 = 0 reserved bit 4 = 0 no special fully-nested mode = 1 special fully-nested mode bit 3-2 = 0x nonbuffered mode = 10 buffered mode/slave = 11 buffered mode/master bit 1 = 0 normal EOI = 1 Auto EOI bit 0 = 0 8085 mode = 1 8086/8088 mode 0021 r/w PIC master interrupt mask register OCW1: bit 7 = 0 enable parallel printer interrupt bit 6 = 0 enable diskette interrupt bit 5 = 0 enable fixed disk interrupt bit 4 = 0 enable serial port 1 interrupt bit 3 = 0 enable serial port 2 interrupt bit 2 = 0 enable video interrupt bit 1 = 0 enable keyboard, mouse, RTC interrupt bit 0 = 0 enable timer interrupt OCW2: bit 7-5 = 000 rotate in auto EOI mode (clear) = 001 nonspecific EOI = 010 no operation = 011 specific EOI = 100 rotate in auto EOI mode (set) = 101 rotate on nonspecific EOI command = 110 set priority command = 111 rotate on specific EOI command bit 4 = 0 reserved bit 3 = 0 reserved bit 2-0 interrupt request to which the command applies 0020 r PIC interrupt request/in-service registers by OCW3 request register: bit 7-0 = 0 no active request for the corresponding int. line = 1 active request for corresponding interrupt line in-service register: bit 7-0 = 0 corresponding line not currently being serviced = 1 corresponding int. line currently being serviced 24 0020 w PIC OCW3 bit 7 = 0 reserved bit 6-5 = 0x no operation = 10 reset special mask = 11 set special mask bit 4 = 0 reserved bit 3 = 1 reserved bit 2 = 0 no poll command = 1 poll command bit 1-0 = 0x no operation = 10 read int.request register on next read at 0020 = 11 read int.in-service register on next read 0020 0022-002B ---- Intel 82355, part of chipset for 386sx initialisation in POST will disable these addresses, only a hard reset will enable them again. 0022 r/w 82335 MCR memory configuration register 0024 82335 RC1 roll compare register 0026 82335 RC2 roll compare register 0028 82335 CC0 compare register 002A 82335 CC1 compare register values for CC0 and CC1: 00F9,0000 enable range compare CC0 0-512K CC1 disable 00F1,0000 enable range compare CC0 0-1024K CC1 disable 00F1,10F9 enable range compare CC0 0-1M CC1 1M-1M5 00E1,0000 enable range compare CC0 0-2M CC1 disable 00E1,0000 enable range compare CC0 0-2M CC1 disable 00C1,0000 enable range compare CC0 0-4M CC1 disable 00C1,40E1 enable range compare CC0 0-4M CC1 4M-6M 0081,0000 enable range compare CC0 0-8M CC1 disable 0040-005F ---- PIT (Programmable Interrupt Timer 8253, 8254) XT & AT uses 40-43 PS/2 uses 40, 42,43,44, 47 0040 r/w PIT counter 0, counter divisor (XT, AT, PS/2) 0041 r/w PIT counter 1, RAM refresh counter (XT, AT) 0042 r/w PIT counter 2, cassette & speaker (XT, AT, PS/2) 25 0043 r/w PIT mode port, control word register for counters 0-2 bit 7-6 = 00 counter 0 select = 01 counter 1 select (not PS/2) = 10 counter 2 select bit 5-4 = 00 counter latch command = 01 read/write counter bits 0-7 only = 10 read/write counter bits 8-15 only = 11 read/write counter bits 0-7 first, then 8-15 bit 3-1 = 000 mode 0 select = 001 mode 1 select - programmable one shot = x10 mode 2 select - rate generator = x11 mode 3 select - square wave generator = 100 mode 4 select - software triggered strobe = 101 mode 5 select - hardware triggered strobe bit 0 = 0 binary counter 16 bits = 1 BCD counter 0044 r/w PIT counter 3 (PS/2, EISA) used as fail-safe timer. generates an NMI on time out. for user generated NMI see at 0462. 0047 w PIT control word register counter 3 (PS/2, EISA) bit 7-6 = 00 counter 3 select = 01 reserved = 10 reserved = 11 reserved bit 5-4 = 00 counter latch command counter 3 = 01 read/write counter bits 0-7 only = 1x reserved bit 3-0 = 00 0048 EISA 004A EISA 004B EISA 26 0060-006F ---- Keyboard controller (8041, 8042) (or PPI (8255) on XT) XT uses 60-63, AT uses 60-64 AT keyboard controller input port bit definitions bit 7 = 0 keyboard inhibited bit 6 = 0 CGA, else MDA bit 5 = 0 manufacturing jumper installed bit 4 = 0 system RAM 512K, else 640K bit 3-0 reserved AT keyboard controller input port bit definitions by Compaq bit 7 = 0 security lock is locked bit 6 = 0 Compaq dual-scan display = 1 non-Compaq display bit 5 = 0 system board dip switch 5 is ON bit 4 = 0 auto speed selected = 1 high speed selected bit 3 = 0 slow (4MHz) = 1 fast (8MHz) bit 2 = 0 80287 installed = 1 no NDP installed bit 1-0 reserved AT keyboard controller output port bit definitions bit 7 = keyboard data output bit 6 = keyboard clock output bit 5 = 0 input buffer full bit 4 = 0 output buffer empty bit 3 = reserved (see note) bit 2 = reserved (see note) bit 1 = gate A20 bit 0 = system reset Note: bits 2 and 3 are the turbo speed switch or password lock on Award/AMI/Phoenix BIOSes. These bits make use of nonstandard keyboard controller BIOS functionality to manipulate pin 23 (8041 port 22) as turbo switch for AWARD pin 35 (8041 port 15) as turbo switch/pw lock for Phoenix 0060 r/w KB controller data port or keyboard input buffer (ISA, EISA) should only be read from after status port bit0 = 1 should only be written to if status port bit1 = 0 keyboard commands (data goes also to port 0060): ED dbl set/reset mode indicators Caps Num Scrl EE sngl diagnostic echo. returns EE. EF-F2 sngl NOP (No OPeration). reserved for future use F3 dbl set typematic rate/delay F4 sngl enable keyboard F5 sngl disable keyboard. set default parameters F6 sngl set default parameters F7-FD sngl NOP FE sngl resend last scancode FF sngl perform internal power-on reset function 0060 r KeyBoard or KB controller data output buffer (via PPI on XT) 0061 w KB controller port B (ISA, EISA) (PS/2 port A is at 0092) system control port for compatibility with 8255 27 bit 7 (1= IRQ 0 reset ) bit 6-4 reserved bit 3 = 1 channel check enable bit 2 = 1 parity check enable bit 1 = 1 speaker data enable bit 0 = 1 timer 2 gate to speaker enable 0061 r KB controller port B control register (ISA, EISA) system control port for compatibility with 8255 bit 7 parity check occurred bit 6 channel check occurred bit 5 mirrors timer 2 output condition bit 4 toggles with each refresh request bit 3 channel check status bit 2 parity check status bit 1 speaker data status bit 0 timer 2 gate to speaker status 0061 w PPI Programmable Peripheral Interface 8255 (XT only) system control port bit 7 = 1 clear keyboard bit 6 = 0 hold keyboard clock low bit 5 = 0 I/O check enable bit 4 = 0 RAM parity check enable bit 3 = 0 read low switches bit 2 reserved, often used as turbo switch bit 1 = 1 speaker data enable bit 0 = 1 timer 2 gate to speaker enable 0062 r/w PPI (XT only) bit 7 = 1 RAM parity check bit 6 = 1 I/O channel check bit 5 = 1 timer 2 channel out bit 4 reserved bit 3 = 1 system board RAM size type 1 bit 2 = 1 system board RAM size type 2 bit 1 = 1 coprocessor installed bit 0 = 1 loop in POST 28 0063 r/w PPI (XT only) command mode register (read dipswitches) bit 7-6 = 00 1 diskette drive = 01 2 diskette drives = 10 3 diskette drives = 11 4 diskette drives bit 5-4 = 00 reserved = 01 40*25 color (mono mode) = 10 80*25 color (mono mode) = 11 MDA 80*25 bit 3-2 = 00 256K (using 256K chips) = 01 512K (using 256K chips) = 10 576K (using 256K chips) = 11 640K (using 256K chips) bit 3-2 = 00 64K (using 64K chips) = 01 128K (using 64K chips) = 10 192K (using 64K chips) = 11 256K (using 64K chips) bit 1-0 reserved 0064 r KB controller read status (ISA, EISA) bit 7 = 1 parity error on transmission from keyboard bit 6 = 1 receive timeout bit 5 = 1 transmit timeout bit 4 = 0 keyboard inhibit bit 3 = 1 data in input register is command 0 data in input register is data bit 2 = 0 system flag status = 0 power up or reset = 1 selftest OK bit 1 = 1 input buffer full (input 60/64 has data for 8042) bit 0 = 1 output buffer full (output 60 has data for system) 0064 r KB controller read status by Compaq bit 7 = 1 parity error detected (11-bit format only). If an error is detected, a Resend command is sent to the keyboard once only, as an attempt to recover. bit 6 = 1 receive timeout. transmission didn't finish in 2mS. bit 5 = 1 transmission timeout error bit 5,6,7 cause 1 0 0 No clock 1 1 0 Clock OK, no response 1 0 1 Clock OK, parity error bit 4 = 0 security lock engaged bit 3 = 1 data in OUTPUT register is command 0 data in OUTPUT register is data bit 2 = 0 system flag status = 0 power up or reset = 1 soft reset bit 1 = 1 input buffer full (output 60/64 has data) bit 0 = 0 no new data in buffer (input 60 has data) 29 0064 w KB controller input buffer (ISA, EISA) KB controller commands (data goes to port 0060): 20 read read byte zero of internal RAM, this is the last KB command send to 8041 Compaq Put current command byte on port 0060 command structure: bit 7 reserved bit 6 = 1 convert KB codes to 8086 scan codes bit 5 = 0 use 11-bit codes = 1 use 8086 codes bit 4 = 0 enable keyboard = 1 disable keyboard bit 3 = 1 ignore security lock state bit 2 this bit goes into bit2 status reg. bit 1 = 0 reserved bit 0 = 1 generate int. when output buffer full 21-3F read reads the byte specified in the lower 5 bits of the command in the 8041's internal RAM 60-7F dbl writes the data byte to the address specified in the 5 lower bits of the command. Alternate description KB IO command 60 summary: bit7 = 0 reserved bit6 = IBM PC compatibility mode bit5 = IBM PC mode bit4 = disable kb bit3 = inhibit override bit2 = system flag bit1 = 0 reserved bit0 = enableoutput buffer full interrupt 60 Compaq Load new command (60 to [64], command to [60]) A1 Compaq unknown speedfunction A2 Compaq unknown speedfunction A3 Compaq Enable system speed control A4 Compaq Toggle speed A5 Compaq Special reed. the 8042 places the real values of port 2 except for bits 4 and 5 wich are given a new definition in the output buffer. No output buffer full is generated. if bit 5 = 0, a 9-bit keyboard is in use if bit 5 = 1, an 11-bit keyboard is in use if bit 4 = 0, outp-buff-full interrupt disabled if bit 4 = 1, output-buffer-full int. enabled A6 Compaq unknown speedfunction AA sngl initiate self-test. will return 55 to data port Compaq Initializes ports 1 and 2, disables the keyboard and clears the buffer pointers. It then places 55 in the output buffer. AB sngl initiate interface test. result values: 0 = no error 1 = keyboard clock line stuck low 2 = keyboard clock line stuck high 3 = keyboard data line is stuck low 4 = keyboard data line stuck high Compaq 5 = Compaq diagnostic feature AC read diagnostic dump. the contents of the 8041 RAM, output port, input port, status word are send. AD sngl disable keyboard (sets bit 4 of commmand byte) AE sngl enable keyboard (resets bit 4 of commmand byte) 30 AF AWARD Enhanced Command: read keyboard version C0 read read input port Compaq Places status of input port in output buffer. use this command only when the output buffer is empty C1 AWARD Enhanced Command: poll input port Low nibble C2 AWARD Enhanced Command: poll input port High nibble D0 read read output port Compaq Places byte in output port in output buffer. use this command only when the output buffer is empty D1 dbl write output port. next byte written to 0060 will be written to the 8041 output port Compaq The system speed bits are not set by this command use commands A1-A6 (!) for speed functions. D2 AWARD Enhanced Command: write keyboard output buffer D3 AWARD Enhanced Command: write pointing device out.buf. D4 AWARD Enhanced Command: write to auxiliary device DD sngl disable address line A20. default in Real Mode DF sngl enable address line A20 E0 read read test inputs. bit0 = T0 and bit1 = T1 Exx AWARD Enhanced Command: active output port ED Compaq This is a two part command to control the state of the NumLock CpasLock and ScrollLock LEDs The second byte contains the state to set LEDs. bit 7-3 reserved. should be set to 0. bit 2 = 0 Caps Lock LED off bit 1 = 0 Num Lock LED off bit 0 = 0 Scroll Lock LED off F0-FF sngl pulse output port low for 6 microseconds. bits 0-3 contain the mask for the bits to be pulsed. a bit is pulsed if its mask bit is zero. bit0=system reset. Don't set to zero. Pulse only! 0065 r communications port (Olivetti M24) 0068 w HP-Vectra control buffer (HP commands) 0069 r HP-Vectra SVC (keyboard request SerViCe port) 006A w HP-Vectra clear processing, done 006C-006F HP-HIL (Human Interface Link = async. serial inputs 0-7) 0070-007F ---- CMOS RAM/RTC (Real Time Clock MC146818) 31 0070 w CMOS RAM index register port (ISA, EISA) bit 7 = 1 NMI disabled = 0 NMI enabled bit 6-0 CMOS RAM index (64 bytes, sometimes 128 bytes) any write to 0070 should be followed by an action to 0071 or the RTC wil be left in an unknown state. 0071 r/w CMOS RAM data port (ISA, EISA) RTC registers: 00 current second in BCD 01 alarm second in BCD 02 current minute in BCD 03 alarm minute in BCD 04 current hour in BCD 05 alarm hour in BCD 06 day of week in BCD 07 day of month in BCD 08 month in BCD 09 year in BCD (00-99) 0A status register A bit 7 = 1 update in progress bit 6-4 divider that identifies the time-based frequency bit 3-0 rate selection output frequency and int. rate 0B status register B bit 7 = 0 run = 1 halt bit 6 = 1 enable periodic interrupt bit 5 = 1 enable alarm interrupt bit 4 = 1 enable update-ended interrupt bit 3 = 1 enable square wave interrupt bit 2 = 1 calendar is in binary format = 0 calendar is in BCD format bit 1 = 1 24-hour mode = 0 12-hour mode bit 0 = 1 enable daylight savings time. only in USA. useless in Europe. Some DOS versions clear this bit when you use the DAT/TIME command. 0C status register C bit 7 = interrupt request flag bit 6 = peridoc interrupt flag bit 5 = alarm interrupt flag bit 4 = update interrupt flag bit 3-0 reserved 0D status register D bit 7 = 1 Real-Time Clock has power bit 6-0 reserved 0E diagnostics status byte bit 7 = 0 RTC lost power bit 6 = 1 CMOS RAM checksum bad bit 5 = 1 invalid configuration information at POST bit 4 = 1 memory size error at POST bit 3 = 1 fixed disk/adapter failed initialization bit 2 = 1 CMOS RAM time found invalid bit 1 = 1 adapters do not match configuration (EISA) bit 0 = 1 time out reading an adapter ID (EISA) 0F shutdown status byte 00 = normal execution of POST 01 = chip set initialization for real mode reentry 32 04 = jump to bootstrap code 05 = issue an EOI an JMP to Dword ptr at 40:67 06 = JMP to Dword ptrv at 40:67 without EOI 07 = return to INT15/87 (block move) 08 = return to POST memory test 09 = return to INT15/87 (block move) 0A = JMP to Dword ptr at 40:67 without EOI 0B = return IRETS through 40:67 10 diskette drive type for A: and B: bit 7-4 drive type of drive 0 bit 3-0 drive type of drive 1 = 0000 no drive = 0001 360K = 0010 1M2 = 0011 720K = 0100 1M44 = 0101-1111 reserved 11 reserved / AMI Extended CMOS setup (AMI Hi-Flex BIOS) bit 7 = 1 Typematic Rate Programming bit 6-5 = 00 Typematic Rate Delay 250 mSec bit 4-0 = 00011 Typematic Rate 21.8 Chars/Sec 12 fixed disk drive type for drive 0 and drive 1 bit 7-4 drive type of drive 0 bit 3-0 drive type of drive 1 if either of the nibbles equals 0F, then bytes 19 an 1A are valid 13 reserved / AMI Extended CMOS setup (AMI Hi-Flex BIOS) bit 7 = 1 Mouse Support Option bit 6 = 1 Above 1 MB Memory Test disable bit 5 = 1 Memory Test Tick Sound disable bit 4 = 1 Memory Parity Error Check enable bit 3 = 1 Hit <ESC> Message Display disabled bit 2 = 1 Hard Disk Type 47 Data Area at address 0:300 bit 1 = 1 Wait For <F1> If Any Error enabled bit 0 = 1 System Boot Up Num Lock is On 14 equipment byte bit 7-6 diskette drives installed = 00 1 drive installed = 01 2 drives installed = 10 reserved = 11 reserved bit 5-4 primary display = 00 adapter card with option ROM = 01 40*25 color = 10 80*25 color = 11 monochrome bit 3-2 reserved bit 1 = 1 coprocessor installed (non-Weitek) bit 0 diskette drive avaliable for boot 15 LSB of systemn base memory in Kb 16 MSB of systemn base memory in Kb 17 LSB of total extended memory in Kb 18 MSB of total extended memory in Kb 19 drive C extension byte 1A drive D extension byte 1B-27 reserved 1B/1C word to 82335 RC1 roll compare register at [24] (Phoenix) 1D/1E word to 82335 RC2 roll compare register at [26] (Phoenix) 33 28 HP-Vectra checksum over 29-2D 29-2D reserved 29/2A word to Intel 82335 CC0 compare register at [28] (Phoenix) 2B/2C word send to 82335 CC1 compare register at [2A] (Phoenix) 2D AMI Extended CMOS setup (AMI Hi-Flex BIOS) (Phoenix BIOS checks for the values AA or CC) bit 7 = 1 Weitek Processor Absent bit 6 = 1 Floppy Drive Seek At Boot disabled bit 5 = 1 System Boot Up Sequence C:, A: bit 4 = 1 System Boot Up Speed is high bit 3 = 1 Cache Memory enabled bit 2 = 1 Internal Cache Memory <1> bit 1-0 reserved 2E CMOS MSB checksum over 10-2D 2F CMOS LSB checksum over 10-2D 30 LSB of extended memory found above 1Mb at POST 31 MSB of extended memory found above 1Mb at POST 32 date century in BCD 33 information flags bit4 = bit4 from CPU register CR0 (Phoenix) this bit is only known as INTEL RESERVED 34-3F reserved 34 bit4 bit5 (Phoenix BIOS) 3D/3E word to 82335 MCR memory config register at [22] (Phoenix) 3D bit3 base memsize 512/640 (Phoenix) 3E bit7 = 1 relocate enable (Phoenix) bit1 = 1 shadow video enable (Phoenix) bit0 = 1 shadow BIOS enable (Phoenix) User Definable Drive Parameters are also stored in CMOS RAM: AMI (386sx BIOS 1989) first user definable drive (type 47) 1B L cylinders 1C H cylinders 1D heads 1E L Write Precompensation Cylinder 1F H Write Precompensation Cylinder 20 ?? 21 L cylinders parking zone 22 H cylinders parking zone 23 sectors AMI (386sx BIOS 1989) second user definable drive (type 48) 24 L cylinders 25 H cylinders 26 heads 27 L Write Precompensation Cylinder 28 H Write Precompensation Cylinder 29 ?? 2A L cylinders parking zone 2B H cylinders parking zone 2C sectors Phoenix (386BIOS v1.10.03 1988) 1st user definable drv (type48) 20 L cylinders 21 H cylinders 34 22 heads 23 L Write Precompensation Cylinder 24 H Write Precompensation Cylinder 25 L cylinders parking zone 26 H cylinders parking zone 27 sectors Phoenix (386BIOS v1.10.03 1988) 2nd user definable drv (type49) (when PS/2-style password option is not used) 35 L cylinders 36 H cylinders 37 heads 38 L Write Precompensation Cylinder 39 H Write Precompensation Cylinder 3A L cylinders parking zone 3B H cylinders parking zone 3C sectors 0078 HP-Vectra Hard Reset: NMI enable/disable bit 7 = 0 disable & clear hard reset from HP-HIL controller = 1 enable hard reset from HP-HIL controller chip bit 6-0 reserved 007C-007D ---- HP-Vectra PIC 3 (Programmable Interrupt Controller 8259) cascaded to first controller. used for keyboard and input device interface. 007C r/w HP-Vectra PIC 3 see at 0020 PIC 1 007D r/w HP-Vectra PIC 3 see at 0021 PIC 1 0080 w Manufacturing Diagnostics port 35 0080-008F ---- DMA page registers (74612) 0080 r/w extra page register (temporary storage) 0081 r/w DMA channel 2 address byte 2 0082 r/w DMA channel 3 address byte 2 0083 r/w DMA channel 1 address byte 2 0084 r/w extra page register 0085 r/w extra page register 0086 r/w extra page register 0087 r/w DMA channel 0 address byte 2 0088 r/w extra page register 0089 r/w DMA channel 6 address byte 2 0089 r/w DMA channel 7 address byte 2 0089 r/w DMA channel 5 address byte 2 008C r/w extra page register 008D r/w extra page register 008E r/w extra page register 008F r/w DMA refresh page register 0090-009F ---- PS/2 POS (Programmable Option Select) 0090 Central arbitration control port 0091 Card selection feedback 0092 r/w PS/2 system control port A (port B is at 0061) bit 7-6 any bit set to 1 turns activity light on bit 5 reserved bit 4 = 1 watchdog timout occurred bit 3 = 0 RTC/CMOS security lock (on password area) unlocked = 1 CMOS locked (done by POST) bit 2 reserved bit 1 = 1 indicates A20 active bit 0 = 0 system reset or write 1 pulse alternate reset pin (alternate CPU reset) 0094 w system board enable/setup register bit 7 = 1 enable functions = 0 setup functions bit 5 = 1 enables VGA = 0 setup VGA 0095 reserved 0096 w adapter enable /setup register bit 3 = 1 setup adapters = 0 enable registers 0097 reserved 36 00A0-00AF ---- PIC 2 (Programmable Interrupt Controller 8259) 00A0 r/w NMI mask register (XT) 00A0 r/w PIC 2 same as 0020 for PIC 1 00A1 r/w PIC 2 same as 0021 for PIC 1 except for OCW1: bit 7 = 0 reserved bit 6 = 0 enable fixed disk interrupt bit 5 = 0 enable coprocessor exception interrupt bit 4 = 0 enable mouse interrupt bit 3 = 0 reserved bit 2 = 0 reserved bit 1 = 0 enable redirect cascade bit 0 = 0 enable real-time clock interrupt 00C0 ---- TI SN746496 programmable tone/noise generator PCjr 00C0-00DF ---- DMA 2 (second Direct Memory Access controller 8237) 00C0 r/w DMA channel 4 memory address bytes 1 and 0 (low) (ISA, EISA) 00C2 r/w DMA channel 4 transfer count bytes 1 and 0 (low) (ISA, EISA) 00C4 r/w DMA channel 5 memory address bytes 1 and 0 (low) (ISA, EISA) 00C6 r/w DMA channel 5 transfer count bytes 1 and 0 (low) (ISA, EISA) 00C8 r/w DMA channel 6 memory address bytes 1 and 0 (low) (ISA, EISA) 00CA r/w DMA channel 6 transfer count bytes 1 and 0 (low) (ISA, EISA) 00CC r/w DMA channel 7 memory address byte 0 (low), then 1 (ISA, EISA) 00CE r/w DMA channel 7 transfer count byte 0 (low), then 1 (ISA, EISA) 00D0 r DMA channel 4-7 status register (ISA, EISA) bit 7 = 1 channel 7 request bit 6 = 1 channel 6 request bit 5 = 1 channel 5 request bit 4 = 1 channel 4 request bit 3 = 1 terminal count on channel 7 bit 2 = 1 terminal count on channel 6 bit 1 = 1 terminal count on channel 5 bit 0 = 1 terminal count on channel 4 00D0 w DMA channel 4-7 command register (ISA, EISA) bit 7 = 1 DACK sense active high = 0 DACK sense active low bit 6 = 1 DREQ sense active high = 0 DREQ sense active low bit 5 = 1 extended write selection = 0 late write selection bit 4 = 1 rotating priority = 0 fixed priority bit 3 = 1 compressed timing = 0 normal timing bit 2 = 0 enable controller bit 1 = 1 enable memory-to-memory transfer bit 0 ..... 00D2 w DMA channel 4-7 write request register (ISA, EISA) 00D4 w DMA channel 4-7 write single mask register (ISA, EISA) bit 7-3 reserved bit 2 = 0 clear mask bit 37 = 1 set mask bit bit 1-0 = 00 channel 4 select = 01 channel 5 select = 10 channel 6 select = 11 channel 7 select 00D6 w DMA channel 4-7 mode register (ISA, EISA) bit 7-6 = 00 demand mode = 01 single mode = 10 block mode = 11 cascade mode bit 5 = 0 address increment select = 1 address decrement select bit 4 = 0 autoinitialisation disable = 1 autoinitialisation enable bit 3-2 = 00 verify operation = 01 write to memory = 10 read from memory = 11 reserved bit 1-0 = 00 channel 4 select = 01 channel 5 select = 10 channel 6 select = 11 channel 7 select 00D8 w DMA channel 4-7 clear byte pointer flip-flop (ISA, EISA) 00DA r DMA channel 4-7 read temporary register (ISA, EISA) 00DA w DMA channel 4-7 master clear (ISA, EISA) 00DC w DMA channel 4-7 clear mask register (ISA, EISA) 00DE w DMA channel 4-7 write mask register (ISA, EISA) 00E0 split address register, memory encoding registers PS/2m80 only 00F0-00F5 ---- PCjr Disk Controller 00F0 disk controller 00F2 disk controller control port 00F4 disk controller status register 00F5 disk controller data port 00F0-00FF ---- coprocessor (8087..80387) 00F0 math coprocessor clear busy latch 00F1 math coprocessor reset 00F8-00FF math coprocessor 0100-010F ---- CompaQ Tape drive adapter. alternate address at 0300 0100-0107 ---- PS/2 POS (Programmable Option Select) 0100 r POS register 0 Low adapter ID byte 0101 r POS register 1 High adapter ID byte 0102 r/w POS register 2 option select data byte 1 bit 0 is card enable (CDEN) 0103 r/w POS register 3 option select data byte 2 38 0104 r/w POS register 4 option select data byte 3 0105 r/w POS register 5 option select data byte 4 bit 7 channel active (-CHCK) bit 6 channel status 0106 r/w POS register 6 Low subaddress extension 0107 r/w POS register 7 High subaddress extension 0108-010F ---- 8 digit LED info panel on IBM PS/2 010F w leftmost character on display 010E w second character .... w 0108 w eighth character 0130-013F ---- CompaQ SCSI adapter. alternate address at 0330 0130-0133 ---- Adaptec 154xB/154xC SCSI adapter. alternate address at 0134, 0230, 0234 ,0330 and 0334 0134-0137 ---- Adaptec 154xB/154xC SCSI adapter. alternate address at 0130, 0230, 0234 ,0330 and 0334 0140-014F ---- SCSI (alternate Small Computer System Interface) adapter (1st at 0340-034F) 0140-0157 ---- RTC (alternate Real Time Clock for XT) (1st at 0340-0357) 0170-0177 ---- HDC 2 (2nd Fixed Disk Controller) same as 01Fx (ISA, EISA) 01E8-01EF ---- System Control. Laptop chipset: Headland HL21 & Acer M5105 01ED r/w select internal register. Data to/from 01EF 01EE r 01EF r/w reg. 5 = 1000xxxx for low CPU clock speed (4MHz on Morse/Mitac) = 0xxxxxxx for high CPU clock speed (16MHz on Morse/Mitac) 01F0-01F7 ---- HDC 1 (1st Fixed Disk Controller) same as 017x (ISA, EISA) 01F0 r/w data register 01F1 r error register diagnostic mode errors: bit 7-3 reserved bit 2-1 = 001 no error detected = 010 formatter device error = 011 sector buffer error = 100 ECC circuitry error = 101 controlling microprocessor error operation mode: 39 bit 7 = 1 bad block detected = 0 block OK bit 6 = 1 uncorrectable ECC error = 0 no error bit 5 reserved bit 4 = 1 ID found = 0 ID not found bit 3 reserved bit 2 = 1 command completed = 0 command aborted bit 1 = 1 track 000 not found = 0 track 000 found bit 0 = 1 DAM not found = 0 DAM found (CP-3022 always 0) 01F1 w WPC/4 (Write Precompensation Cylinder divided by 4) 01F2 r/w sector count 01F3 r/w sector number 01F4 r/w cylinder low 01F5 r/w cylinder high 01F6 r/w drive/head bit 7 = 1 bit 6 = 0 bit 5 = 1 bit 4 = 0 drive 0 select = 1 drive 1 select bit 3-0 head select bits 01F7 r status register bit 7 = 1 controller is executing a command bit 6 = 1 drive is ready bit 5 = 1 write fault bit 4 = 1 seek complete bit 3 = 1 sector buffer requires servicing bit 2 = 1 disk data read successfully corrected bit 1 = 1 index - set to 1 each disk revolution bit 0 = 1 previous command ended in an error 40 01F7 w command register commands: 98 E5 check power mode (IDE) 90 execute drive diagnostics 50 format track EC identify drive (IDE) 97 E3 idle (IDE) 95 E1 idle immediatete (IDE) 91 initialize drive parameters 1x recalibrate E4 read buffer (IDE) C8 read DMA with retry (IDE) C9 read DMA without retry (IDE) C4 read multiplec (IDE) 20 read sectors with retry 21 read sectors without retry 22 read long with retry 23 read long without retry 40 read verify sectors with retry 41 read verify sectors without retry 7x seek EF set features (IDE) C6 set multiple mode (IDE) 99 E6 set sleep mode (IDE) 96 E2 standby (IDE) 94 E0 standby immediate (IDE) E8 write buffer (IDE) CA write DMA with retry (IDE) CB write DMA with retry (IDE) C5 write multiple (IDE) E9 write same (IDE) 30 write sectors with retry 31 write sectors without retry 32 write long with retry 33 write long without retry 3C write verify (IDE) 9A vendor unique (IDE) C0-C3 vendor unique (IDE) 8x vendor unique (IDE) F0-F4 EATA standard (IDE) F5-FF vendor unique (IDE) 41 0200-020F ---- Game port reserved I/O address space 0200-0207 ---- Game port, eight identical addresses on some boards 0201 r read joystick position and status bit 7 status B joystick button 2 / D paddle button bit 6 status B joystick button 1 / C paddle button bit 5 status A joystick button 2 / B paddle button bit 4 status A joystick button 1 / A paddle button bit 3 B joystick Y coordinate / D paddle coordinate bit 2 B joystick X coordinate / C paddle coordinate bit 1 A joystick Y coordinate / B paddle coordinate bit 0 A joystick X coordinate / A paddle coordinate w fire joysticks four one-shots 0210-0217 ---- Expansion unit (XT) 0210 w latch expansion bus data r verify expansion bus data 0211 w clear wait, test latch r High byte data address 0212 r Low byte data address 0213 w 0=enable, 1=disable expansion unit 0214 w latch data (receiver card port) r read data (receiver card port) 0215 r High byte of address, then Low byte (receiver card port) 0220-0227 ---- Soundblaster PRO and SSB 16 ASP 0220-022F ---- Soundblaster PRO 2.0 0220-022F ---- Soundblaster PRO 4.0 0220 r left FM status port 0220 w left FM music register address port (index) 0221 r/w left FM music data port 0222 r right FM status port 0222 w right FM music register address port (index) 0223 r/w right FM music data port 0224 w mixer register address port (index) 0225 r/w mixer data port 0226 w DSP reset 0228 r FM music status port 0228 w FM music register address port (index) 0229 w FM music data port 022A r DSP read data (voice I/O and Midi) 022C w DSP write data / write command 022C r DSP write buffer status (bit 7) 022E r DSP data available status (bit 7) The FM music is accessible on 0388/0389 for compatibility. 0230-0233 ---- Adaptec 154xB/154xC SCSI adapter. alternate address at 0130, 0134, 0230, 0330 and 0334 42 0234-0237 ---- Adaptec 154xB/154xC SCSI adapter. alternate address at 0130, 0134, 0230 ,0330 and 0334 0240-0257 ---- RTC (alternate Real Time Clock for XT) (1st at 0340-0357) (used by TIMER.COM v1.2 which is the 'standard' timer program) 0258-025F ---- Intel Above Board 0278-027E ---- parallel printer port, same as 0378 and 03BC 0278 w data port 0279 r/w status port 027A r/w control port 02A2-02A3 ---- MSM58321RS clock 02B0-02BF ---- Trantor SCSI adapter 02B0-02DF ---- alternate EGA, primary EGA at 03C0 02C0-02Cx ---- AST-clock 02E0-02EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) (GAB 0 on XT) 02E1 GPIB (adapter 0) 02E2 02E3 02E0-02EF ---- data aquisition (AT) 02E2 data aquisition (adapter 0) 02E3 data aquisition (adapter 0) 02E8-02EF ---- serial port, same as 02F8, 03E8, and 03F8 43 02F8-02FF ---- serial port, same as 02E8, 02F8, and 03F8 02F8 w transmitter holding register 02F8 r receiver buffer register r/w divisor latch, low byte when DLAB=1 02F9 r/w divisor latch, high byte when DLAB=1 r/w interrupt enable register when DLAB=0 02FA r interrupt identification register 02FB r/w line control register 02FC r/w modem control register 02FD r line status register 02FF r/w scratch register 0300-0301 ---- Soundblaster 16 ASP MPU-Midi 0300-031F ---- prototype cards Periscope hardware debugger 0300-030F ---- Philips CD-ROM player CM50 0310-031F ---- Philips CD-ROM player CM50 0320-0323 ---- XT HDC 1 (Hard Disk Controller) 0320 r/w data register 0321 w reset controller r read controller hardware status bit 7-6 = 0 bit 5 logical unit number bit 4-2 = 0 bit 1 = 0 no error bit 0 = 0 0322 r read DIPswitch setting on XT controller card w generate controller-select pulse 0323 w write pattern to DMA and INT mask register 0324-0327 ---- XT HDC 2 (Hard Disk Controller) 0328-032B ---- XT HDC 3 (Hard Disk Controller) 032C-032F ---- XT HDC 4 (Hard Disk Controller) 0330-0331 ---- MIDI interface 0330-0333 ---- Adaptec 154xB/154xC SCSI adapter. default address. alternate address at 0130, 0134, 0230, 0234 and 0334 0330-033F ---- CompaQ SCSI adapter. alternate address at 0130 0330-033F ---- Philips CD-ROM player CM50 0334-0337 ---- Adaptec 154xB/154xC SCSI adapter. 44 alternate address at 0130, 0134, 0230 ,0234 and 0330 0338 ---- AdLib soundblaster card 0340-034F ---- Philips CD-ROM player CM50 0340-034F ---- SCSI (1st Small Computer System Interface) adapter (alternate at 0140-014F) 0340-0357 ---- RTC (1st Real Time Clock for XT), (alternate at 0240-0257) (used by TIMER.COM v1.2 which is the 'standard' timer program) 0340 r/w 0.01 seconds 0-99 0341 r/w 0.1 seconds 0-99 0342 r/w seconds 0-59 0343 r/w minutes 0-59 0343 r/w hours 0-23 0345 r/w day of week 1-7 0346 r/w day of month 1-31 0347 r/w month 1-12 0348 0349 r/w year 0-99 034A 034B 034C 034D 034E 034F 0350 r status? 0351 0352 0353 0354 r status? 0355 0356 0357 0348-0357 ---- DCA 3278 0360-036F ---- PC network (AT) 0360-0367 ---- PC network (XT only) 45 0370-0377 ---- FDC 2 (2nd Floppy Disk Controller 8272) same as 03F0 0372 w diskette controller DOR (Digital Output Register) 0374 r diskette controller status register 0375 r/w diskette controller data register 0376 r/w FIXED disk controller data register 0377 r diskette controller DIR (Digital Input Register) 0377 w select register for diskette data transfer rate 0378-037A ---- parallel printer port, same as 0278 and 03BC 0378 w data port 0379 r/w status port 037A r/w control port 0380-038F ---- 2nd Binary Synchronous Data Link Control adapter (see 03A0) 0380 r/w on board 8255 port A, internal/external sense 0381 r/w on board 8255 port B, external modem interface 0382 r/w on board 8255 port C, internal control and gating 0383 r/w on board 8255 mode register 0384 r/w on board 8253 channel square wave generator 0385 r/w on board 8253 channel 1 inactivity time-out 0386 r/w on board 8253 channel 2 inactivity time-out 0387 r/w on board 8253 mode register 0388 r/w on board 8273 read: status write: command 0389 r/w on board 8273 read: response write: parameter 038A r/w on board 8273 transmit interrupt status 038B r/w on board 8273 receiver interrupt status 038C r/w on board 8273 data 0388-0389 ---- Soundblaster PRO FM-Chip 0388-038B ---- Soundblaster 16 ASP FM-Chip 0390-039F ---- Cluster adapter (AT) 0390-0393 (adapter 0) (XT) 46 03A0-03AF ---- 1st SDLC (Binary Synchronous Data Link Control adapter) 0380 r/w on board 8255 port A, internal/external sense 0381 r/w on board 8255 port B, external modem interface 0382 r/w on board 8255 port C, internal control and gating 0383 r/w on board 8255 mode register 0384 r/w on board 8253 counter 0 unused 0385 r/w on board 8253 channel 1 inactivity time-out 0386 r/w on board 8253 channel 2 inactivity time-out 0387 r/w on board 8253 mode register 0388 r/w on board 8251 data 0389 r/w on board 8251 command/mode/status register 03B0-03BF ---- MDA (Monochrome Display Adapter based on 6845) 03B0 same as 03B4 03B1 same as 03B5 03B2 same as 03B4 03B3 same as 03B5 03B4 w MDA CRT index register (EGA/VGA) selects which register (0-11h) is to be accessed through 3B5 03B5 r/w MDA CRT data register (EGA/VGA) selected by port 3B4. registers C-F may be read 00 horizontal total 01 horizontal displayed 02 horizontal sync position 03 horizontal sync pulse width 04 vertical total 05 vertical displayed 06 vertical sync position 07 vertical sunc pulse width 08 interlace mode 09 maximum scan lines 0A cursor start 0B cursor end 0C start address high 0D start address low 0E cursor location high 0F cursor location low 10 light pen high 11 light pen low 03B6 same as 03B4 03B7 same as 03B5 03B8 r/w MDA mode control register bit 7 not used bit 6 not used bit 5 enable blink bit 4 not used bit 3 video enable bit 2 not used bit 1 not used bit 0 high resolution mode 03B9 reserved for color select register on color adapter 03BA r CRT status register EGA/VGA: input status 1 register bit 7-4 reserved bit 3 black/white video bit 2-1 reserved 47 bit 0 horizontal drive bit 7 (MSD says) if this bit changes within 8000h reads then bit 6-4 = 000 adapter is Hercules or compatible = 001 adapter is Hercules+ = 101 adapter is Hercules InColor else adapter is unknown 03BA w EGA/VGA feature control register 03BB reserved for light pen strobe reset 03BC-03BF ---- parallel printer port, same as 0278 and 0378 03BC w data port 03BD r/w status port bit 7 = 0 busy bit 6 = 0 acknowledge bit 5 = 1 out of paper bit 4 = 1 printer is selected bit 3 = 0 error bit 2 = 0 IRQ has occurred bit 1-0 reserved 03BE r/w control port bit 7-5 reserved bit 4 = 1 enable IRQ bit 3 = 1 select printer bit 2 = 0 initialize printer bit 1 = 1 automatic line feed bit 0 = 1 strobe 03BF r/w Hercules configuration switch register bit 7-2 bit 1 = 0 disables upper 32K of graphics mode buffer 1 enables upper 32K of graphics mode buffer bit 0 = 0 prevents graphics mode 1 allows graphics mode 48 03C0-03CF ---- EGA (1st Enhanced Graphics Adapter) alternate at 02C0 03C0 (r)/w EGA VGA ATC index/data register 03C1 r VGA other attribute register 03C2 r EGA VGA input status 0 register w VGA miscellaneous output register 03C3 r/w VGA video subsystem enable 03C4 w EGA TS index register r/w VGA sequencer index register 03C5 w EGA TS data register r/w VGA other sequencer register 03C6 r/w VGA PEL mask register 03C7 r/w VGA PEL address read mode r VGA DAC state register 03C8 r/w VGA PEL address write mode 03C9 r/w VGA PEL data register 03CA w EGA graphics 2 position register r VGA feature control register 03CC w EGA graphics 1 position register r VGA miscellaneous output register 03CE w EGA GDC index register r/w VGA graphics address register 03CF w EGA GDC data register r/w VGA other graphics register 03D0-03DF ---- CGA (Color Graphics Adapter) 03D0 same as 03D4 03D1 same as 03D5 03D2 same as 03D4 03D3 same as 03D5 03D4 w CRT (6845) index register (EGA/VGA) selects which register (0-11h) is to be accessed through 3B5 03D5 w CRT (6845) data register (EGA/VGA) selected by port 3B4. registers C-F may be read (for registers see at 3B5) 03D6 same as 03D4 03D7 same as 03D5 03D8 r/w CGA mode control register (except PCjr) bit 7-6 not used bit 5 = 1 blink enabled bit 4 = 1 640*200 graphics mode bit 3 = 1 video enabled bit 2 = 1 monochrome signal bit 1 = 0 text mode = 1 320*200 graphics mode bit 0 = 0 40*25 text mode = 1 80*25 text mode 49 03D9 r/w CGA palette register bit 7-6 not used bit 5 = 0 active color set: red, green brown = 1 active color set: cyan, magenta, white bit 4 intense colors in graphics, background colors text bit 3 intense border in 40*25, intense background in 320*200, intense foreground in 640*200 bit 2 red border in 40*25, red background in 320*200, red foreground in 640*200 bit 1 green border in 40*25, green background in 320*200, green foreground in 640*200 bit 0 blue border in 40*25, blue background in 320*200, blue foreground in 640*200 03DA r CGA status register EGA/VGA: input status 1 register bit 7-4 not used bit 3 = 1 in vertical retrace bit 2 = 1 light pen switch is off bit 1 = 1 positive edge from light pen has set trigger bit 0 = 0 do not use memory = 1 memory access without interfering with display 03DA w EGA/VGA feature control register 03DB w clear light pen latch 03DC r/w preset licht pen latch 03DF CRT/CPU page register PCjr only 03E8-03EF ---- serial port, same as 02E8, 02F8, and 03F8 03F0-03F7 ---- FDC 1 (1st Floppy Disk Controller 8272) same as 0370 03F0 diskette controller status A (PS/2) bit 7 interrupt pending bit 6 second drive installed bit 5 step bit 4 track 0 bit 3 head 1 select bit 2 index bit 1 write protect bit 0 direction 03F1 r diskette controller status B (PS/2) bit 7-6 reserved bit 5 drive select (0=A:, 1=B:) bit 4 write data bit 3 read data bit 2 write enable bit 1 motor enable 1 bit 0 motor enable 0 03F2 w diskette controller DOR (Digital Output Register) bit 7-6 reserved PS/2 bit 7 = 1 drive 3 motor enable bit 6 = 1 drive 2 motor enable bit 5 = 1 drive 1 motor enable bit 4 = 1 drive 0 motor enable 50 bit 3 = 1 diskette DMA enable (reserved PS/2) bit 2 = 1 FDC enable (controller reset) = 0 hold FDC at reset bit 1-0 drive select (0=A 1=B ..) 03F4 r diskette controller status register bit 7 = 1 data register is ready bit 6 = 1 transfer is from controller to system 0 transfer is from system to controller bit 5 = 1 non-DMA mode bit 4 = 1 diskette controller busy bit 3 = 1 drive 3 busy (reserved on PS/2) bit 2 = 1 drive 2 busy (reserved on PS/2) bit 1 = 1 drive 1 busy bit 0 = 1 drive 0 busy 03F5 r diskette command status register 0 bit 7-6 last command status = 00 command terminated successfully = 01 command terminated abnormally = 10 invalid command = 11 terminated abnormally by change in ready signal bit 5 = 1 seek completed bit 4 = 1 equipment check occurred after error bit 3 = 1 not ready bit 2 = 1 head number at interrupt bit 1-0 = 1 unit select (0=A 1=B .. ) (on PS/2 01=A 10=B) status register 1 bit 7 end of cylinder; sector# greater then sectors/track bit 6 = 0 bit 5 = 1 CRC error in ID or data field bit 4 = 1 overrun bit 3 = 0 bit 2 = 1 sector ID not found bit 1 = 1 write protect detected during write bit 0 = 1 ID address mark not found status register 2 bit 7 = 0 bit 6 = 1 deleted Data Eddress Mark detected bit 5 = 1 CRC error in data bit 4 = 1 wrong cylinder detected bit 3 = 1 scan command equal condition satisfied bit 2 = 1 scan command failed, sector not found bit 1 = 1 bad cylinder, ID not found bit 0 = 1 missing Data Address Mark status register 3 bit 7 fault status signal bit 6 write protect status bit 5 ready status bit 4 track zero status bit 3 two sided status signal bit 2 side select (head select) bit 1-0 unit select (0=A 1=B .. ) 03F6 r/w FIXED disk controller data register bit 7-4 reserved 51 bit 3 = 0 reduce write current 1 head select 3 enable bit 2 = 1 disk reset enable 0 disk reset disable bit 1 = 0 disk initialization enable 1 disk initialization disable bit 0 reserved 03F7 r diskette controller DIR (Digital Input Register) bit 7 = 1 diskette change bit 6 FIXED DISK write gate bit 5 FIXED DISK head select 3 / reduced write current bit 4 FIXED DISK head select 2 bit 3 FIXED DISK head select 1 bit 2 FIXED DISK head select 0 bit 1 FIXED DISK drive 1 select bit 0 FIXED DISK drive 0 select conflicts with: bit 0 diskette high density select 03F7 w select register for diskette data transfer rate bit 7-2 reserved bit 1-0 = 00 500 Kb/S mode = 01 300 Kb/S mode = 10 250 Kb/S mode = 11 reserved 03F8-03FF ---- serial port (8250,8251,16450,16550), same as 02E8,02F8,and 03F8 03F8 w serial port, transmitter holding register, which contains the character to be sent. Bit 0 is sent first. bit 7-0 data bits when DLAB=0 (Divisor Latch Access Bit) r receiver buffer register, which contains the received character Bit 0 is received first bit 7-0 data bits when DLAB=0 (Divisor Latch Access Bit) r/w divisor latch low byte when DLAB=1 52 03F9 r/w divisor latch high byte when DLAB=1 r/w interrupt enable register when DLAB=0 bits 7-4 reserved bit 3 = 1 modem-status interrupt enable bit 2 = 1 receiver-line-status interrupt enable bit 1 = 1 transmitter-holding-register empty interrupt enable bit 0 = 1 received-data-avail.int. enable (and 16550 timeout) - 16550 will interrupt if data exists in the FIFO and isn't read within the time it takes to receive four bytes or if no data is received within the time it takes to receive four bytes 03FA r interrupt identification register. Information about a pending interrupt is stored here. When the ID register is addressed, the highest priority interrupt is held, and no other interrupts are acknowledged until the CPU services that interrupt. bit 7-6 = 00 reserved on 8250, 8251, 16450 = 11 if FIFO queues are enabled (16550 only) bit 5-4 = 0 reserved bit 3 = 0 reserved 8250, 16450 = 1 16550 timeout int. pending bit 2-1 identify pending interrupt with the highest priority = 11 receiver line status interrupt. priority = highest = 10 received data available register interrupt. priority = second = 01 transmitter holding register empty interrupt. priority = third = 00 modem status interrupt. priority = fourth bit 0 = 0 interrupt pending. Contents of register can be used as a pointer to the appropriate interrupt service routine = 1 no interrupt pending - interrupt pending flag uses reverse logic, 0 = pending, 1 = none - interrupt will occur if any of the line status bits are set - THRE bit is set when THRE register is emptied into the TSR 53 03FA w 16650 FCR (FIFO Control Register) bit 7-6 = 00 1 byte = 01 4 bytes = 10 8 bytes = 11 14 bytes bit 5-4 = 00 reserved bit 3 = 1 change RXRDY TXRDY pins from mode 0 to mode 1 bit 2 = 1 clear XMIT FIFO bit 1 = 1 clear RCVR FIFO bit 0 = 1 enable clear XMIT and RCVR FIFO queues - bit 0 must be set in order to write to other FCR bits - bit 1 when set the RCVR FIFO is cleared and this bit is reset the receiver shift register is not cleared - bit 2 when set the XMIT FIFO is cleared and this bit is reset the transmit shift register is not cleared 03FB r/w line control register bit 7 = 1 divisor latch access bit (DLAB) 0 receiver buffer, transmitter holding, or interrupt enable register access bit 6 = 1 set break enable. serial ouput is forced to spacing state and remains there. bit 5 = stick parity bit 4 = 1 even parity select bit 3 = parity enable 1 even number of ones are sent and checked in the data word bits and parity bit 0 odd number of ones are sent and checked bit 2 = 0 one stop bit 1 zero stop bit bit 1-0 00 word length is 5 bits 01 word length is 6 bits 10 word length is 7 bits 11 word length is 8 bits 03FC r/w modem control register bit 7-5 = 0 reserved bit 4 = 1 loopback mode for diagnostic testing of serial port output of transmitter shift register is looped back to receiver shift register input. In this mode transmitted data is received immediately so that the CPU can verify the transmit data/receive data serial port paths. bit 3 = 1 auxiliary user-designated output 2 bit 2 = 1 auxiliary user-designated output 1 bit 1 = 1 force request-to-send active bit 0 = 1 force data-terminal-ready active 54 03FD r line status register bit 7 = 0 reserved bit 6 = 1 transmitter shift and holding registers empty bit 5 = 1 transmitter holding register empty. Controller is ready toaccept a new character to send. bit 4 = 1 break interrupt. the received data input is held in in the zero bit state longer than the time of start bit + data bits + parity bit + stop bits. bit 3 = 1 framing error. the stop bit that follows the last parity or data bit is a zero bit. bit 2 = 1 parity error. Character has wrong parity bit 1 = 1 overrun error. a character was sent to the receiver buffer before the previous character in the buffer could be read. This destroys the previous character. bit 0 = 1 data ready. a complete incoming character has been received and sent to the receiver buffer register. 03FE r modem status register bit 7 = 1 data carrier detect bit 6 = 1 ring indicator bit 5 = 1 data set ready bit 4 = 1 clear to send bit 3 = 1 delta data carrier detect bit 2 = 1 trailing edge ring indicator bit 1 = 1 delta data set ready bit 0 = 1 delta clear to send - bits 0-3 are reset when the CPU reads the MSR - bit 4 is the Modem Control Register RTS during loopback test - bit 5 is the Modem Control Register DTR during loopback test - bit 6 is the Modem Control Register OUT1 during loopback test - bit 7 is the Modem Control Register OUT2 during loopback test 03FF r/w scratch register Adresses above 03FF apply to EISA machines only 1000-1FFF slot 1 EISA 2000-2FFF slot 2 EISA 3000-3FFF slot 3 EISA 4000-4FFF slot 4 EISA 5000-5FFF slot 5 EISA 6000-6FFF slot 6 EISA 7000-7FFF slot 7 EISA 0401-04D6 ---- used by EISA systems only 0401 r/w DMA channel 0 word count byte 2 (high) 0403 r/w DMA channel 1 word count byte 2 (high) 0405 r/w DMA channel 2 word count byte 2 (high) 0407 r/w DMA channel 3 word count byte 2 (high) 040A w extended DMA chaining mode register, channels 0-3 bit 7-5 reserved bit 4 = 0 generates IRQ13 = 1 generates terminal count bit 3 = 0 do not start chaining = 1 programming complete 55 bit 2 = 0 disable buffer chaining mode (default) = 1 enable buffer chaining mode bit 1-0 DMA channel select 040A r channel interrupt (IRQ13) status register bit 7-5 interrupt on channels 7-5 bit 4 reserved bit 3-0 interrupt on channels 3-0 040B w DMA extended mode register for channels 3-0. bit settings same as 04D6 bit 7 = 0 enable stop register bit 6 = 0 terminal count is an output for this channel (default) bit 5-4 DMA cycle timing = 00 ISA-compatible (default) = 01 type A timing mode = 10 type B timing mode = 11 burst DMA mode bit 3-2 Address mode = 00 8-bit I/O, count by bytes (default) = 01 16-bit I/O, count by words, address shifted = 10 32-bit I/O, count by bytes = 11 16-bit I/O, count by bytes bit 1-0 DMA channel select 0461 r/w Extended NMI status/control register bit 7 = 1 NMI pending from fail-safe timer (read only) bit 6 = 1 NMI pending from bus timeout NMI status (read only) bit 5 = 1 NMI pending (read only) bit 4 reserved bit 3 = 1 bus timeout NMI enable (read/write) bit 2 = 1 fail-safe NMI enable (read/write) bit 1 = 1 NMI I/O port enable (read/write) bit 0 RSTDRV. bus reset (read/write) = 0 normal bus reset operation = 1 reset bus asserted 0462 w Software NMI register. writing to this register causes an NMI if NMI's are enabled bit 7 = 1 generates an NMI 56 0464 r bus master status latch register (slots 1-8). identifies the last bus master that had control of the bus bit 7 = 0 slot 8 had control last bit 6 = 0 slot 7 had control last bit 5 = 0 slot 6 had control last bit 4 = 0 slot 5 had control last bit 3 = 0 slot 4 had control last bit 2 = 0 slot 3 had control last bit 1 = 0 slot 2 had control last bit 0 = 0 slot 1 had control last 0465 r bus master status latch register (slots 9-16) bit 7 = 0 slot 16 had control last bit 6 = 0 slot 15 had control last bit 5 = 0 slot 14 had control last bit 4 = 0 slot 13 had control last bit 3 = 0 slot 12 had control last bit 2 = 0 slot 11 had control last bit 1 = 0 slot 10 had control last bit 0 = 0 slot 9 had control last 0481 r/w DMA channel 2 address byte 3 (high) 0482 r/w DMA channel 3 address byte 3 (high) 0483 r/w DMA channel 1 address byte 3 (high) 0487 r/w DMA channel 0 address byte 3 (high) 0489 r/w DMA channel 6 address byte 3 (high) 048A r/w DMA channel 7 address byte 3 (high) 048B r/w DMA channel 5 address byte 3 (high) 04C6 r/w DMA channel 5 word count byte 2 (high) 04CA r/w DMA channel 6 word count byte 2 (high) 04CE r/w DMA channel 7 word count byte 2 (high) 04D0 w IRQ 0-7 interrupt edge/level registers bit 7 = 1 IRQ 7 is level sensitive bit 6 = 1 IRQ 6 is level sensitive bit 5 = 1 IRQ 5 is level sensitive bit 4 = 1 IRQ 4 is level sensitive bit 3 = 1 IRQ 3 is level sensitive bit 2-0 reserved 04D1 w IRQ 8-15 interrupt edge/level registers bit 7 = 1 IRQ 15 is level sensitive bit 6 = 1 IRQ 14 is level sensitive bit 5 = 1 reserved bit 4 = 1 IRQ 12 is level sensitive bit 3 = 1 IRQ 11 is level sensitive bit 2 = 1 IRQ 10 is level sensitive bit 1 = 1 IRQ 9 is level sensitive bit 0 reserved 57 04D4 w extended DMA chaining mode register, channels 4-7 bit 7-5 = 0 reserved bit 4 = 0 generates IRQ 13 = 1 generates terminal count bit 3 = 0 do not start chaining = 1 programming complete bit 2 = 0 disable buffer chaining mode (default) = 1 enable buffer chaining mode bit 1-0 DMA channel select 04D6 w DMA extended mode register for channels 4-7 bit settings same as 04B bit 7 = 0 enable stop register bit 6 = 0 terminal count is an output for this channel (default) bit 5-4 DMA cycle timing = 00 ISA-compatible (default) = 01 type A timing mode = 10 type B timing mode = 11 burst DMA mode bit 3-2 Address mode = 00 8-bit I/O, count by bytes (default) = 01 16-bit I/O, count by words, address shifted = 10 32-bit I/O, count by bytes = 11 16-bit I/O, count by bytes bit 1-0 DMA channel select 0601 w System control. Laptop chipset: Headland HL21 & Acer M5105 bit 7 = 1 power led on bit 6 = 1 LCD backlight off bit 5 bit 4 bit 3 bit 2 = 1 video chips disabled, screen blanked. bit 1 bit 0 = 1 will lock up your machine! r =04 (always reads back this value) 0620-0627 ---- PC network (adapter 1) 0628-062F ---- PC network (adapter 2) 06E2-06E3 ---- data aquisition (adapter 1) 0790-0793 ---- cluster (adapter 1) 0800-08FF ---- I/O port access registers for extended CMOS RAM or SRAM (256 bytes at a time) Sometimes plain text can be seen here. 0A20-0A23 ---- Token Ring (adapter 1) 0A24-0A27 ---- Token Ring (adapter 2) 58 0AE2-0AE3 ---- cluster (adapter 2) 0B90-0B93 ---- cluster (adapter 2) 0C00 r/w page register to write to SRAM or I/O 0C80-0C83 ---- system board ID registers 1390-1393 ---- cluster (adapter 3) 2100-210F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2110-211F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2120-212F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2130-213F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2140-214F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2150-215F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2160-216F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2170-217F ---- IBM XGA (eXtended Graphics Adapter 8514/A) 2390-2393 ---- cluster (adapter 4) 3220-3227 ---- serial port 3, description same as 03F8 3228-322F ---- serial port 4, description same as 03F8 3540-354F ---- IBM SCSI (Small Computer System Interface) adapter 3550-355F ---- IBM SCSI (Small Computer System Interface) adapter 3560-356F ---- IBM SCSI (Small Computer System Interface) adapter 3570-357F ---- IBM SCSI (Small Computer System Interface) adapter 4220-4227 ---- serial port, description same as 03F8 4228-422F ---- serial port, description same as 03F8 42E0-42EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) 42E1 r/w GPIB (adapter 2) 5220-5227 ---- serial port, description same as 03F8 5228-522F ---- serial port, description same as 03F8 62E0-62EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) 62E1 r/w GPIB (adapter 3) 82E0-82EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) 82E1 r/w GPIB (adapter 4) 82F8-82FF ---- serial port, description same as 03F8 59 83F8-83FF ---- serial port, description same as 03F8 A220 ???? soundblaster support in AMI Hi-Flex BIOS ???? A2E0-A2EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) A2E1 r/w GPIB (adapter 5) AFFF r/w plane 0-3 system latch (video register) B220-B227 ---- serial port, description same as 03F8 B228-B22F ---- serial port, description same as 03F8 C220-C227 ---- serial port, description same as 03F8 C228-C22F ---- serial port, description same as 03F8 D220-D227 ---- serial port, description same as 03F8 D228-D22F ---- serial port, description same as 03F8 C2E0-C2EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) C2E1 r/w GPIB (adapter 6) E2E0-E2EF ---- GPIB (General Purpose Interface Bus, IEEE 488 interface) E2E1 r/w GPIB (adapter 7) MEMORY-MAPPED ADDRESSES 80C00000 Compaq Deskpro 386 system memory board register 60 80C00000 w RAM relocation register bit 7-2 Reserved, always write 1's. bit 1 = 0 Write-protect 128-Kbyte RAM at FE0000. = 1 Do not write-protect RAM at FE0000. bit 0 = 0 Relocate 128-Kbyte block at FE0000 to address 0E0000 = 1 128-Kbyte RAM is addressed only at FE0000. 80C00000 r Diagnostics register bit 7 = 0 memory expansion board is installed bit 6 = 0 second 1 MB of system memory board is installed bit 5-4 = 00 base memory set to 640 KB = 01 invalid = 10 base memory set to 512 KB = 11 base memory set to 256 KB bit 3 = 0 parity error in byte 3 bit 2 = 0 parity error in byte 2 bit 1 = 0 parity error in byte 1 bit 0 = 0 parity error in byte 0 (in 32-bit double word) 61 Program Segment Prefix Data Structure When DOS loads a program for execution it creates a data structure in memory called the "Program Segment Prefix", or PSP for short. This structure occupies the 256 bytes of memory immediately preceeding the memory occupied by the loaded program. The PSP contains useful information which is often accessed by the running program. The following table describes the structure of the PSP. Offset Description 00 INT 20 instruction for CP/M CALL 0 program termination 02 segment of first byte beyond memory allocated to program 04 unused filler 05 CP/M CALL 5 service request (FAR JMP to 000C0h) BUG: (DOS 2+) PSPs created by INT 21/AH=4B point at 000BE 06 CP/M compatibility - size of first segment for .COM files 08 remainder of FAR JMP at 05 0A stored INT 22 termination address 0E stored INT 23 control-Break handler address 12 DOS 1.1+ stored INT 24 critical error handler address 16 segment of parent PSP 18 DOS 2+ Job File Table, one byte per file handle, FFh = closed 2C DOS 2+ segment of environment for process 2E DOS 2+ process's SS:SP on entry to last INT 21 call 32 DOS 3+ number of entries in JFT (default 20) 34 DOS 3+ pointer to JFT (default PSP:0018) 38 DOS 3+ pointer to previous PSP (default FFFFFFFFh in 3.x) used by SHARE in DOS 3.3 3C apparently unused by DOS versions <= 6.00 3D (APPEND) TrueName flag 3E (Novell NetWare) flag: next byte initialized if CEh 3F (Novell NetWare) Novell task number if previous byte is CEh 40 DOS 5+ version to return on INT 21/AH=30 42 (MSWindows3) selector of next PSP (PDB) in linked list Windows keeps a linked list of Windows programs only 44 unused by DOS versions <= 6.00 48 (MSWindows3) bit 0 set if non-Windows application (WINOLDAP) 49 unused by DOS versions <= 6.00 50 DOS 2+ service request (INT 21/RETF instructions) 53 unused in DOS versions <= 6.00 55 unused in DOS versions <= 6.00; can be used to make first FCB into an extended FCB 5C first default FCB, filled in from first command tail argument overwrites second FCB if opened 6C second default FCB, filled in from second command tail argument overwrites beginning of command tail if opened 7C unused 80 Length of command tail 81 Command tail terminated by 0D 62 CREDITS The following publications have proved useful in the production of SSD: 8086/8088 User's Manual, Intel 1989 PC Intern, Michael Tischer, Abacus 1992 DOS Programmer's Reference, Terry R Dettmann, Que 1988 Interrupt List edited by Ralf Brown. Including details of the multiplex interrupt, described by Robin Walker. The author is grateful to the cooperation of the virus writer "Black Baron" (Chris Pile) in supplying copies of his polymorphic computer viruses and supplying information about the SMEG engine. As well as testing early versions of SSD against his own polymorphic viruses. Thanks Chris! 63 Program Design & Coding: Matthew Probert Version 4.0 published by Servile Software April 1996. All rights reserved. With effect from version 2.4, SSD became SHAREWARE and you are required to register your copy or stop using it. Registration costs 29.95 pounds sterling (UK pounds). Please make cheques payable to "M. Probert" ONLY, and send with the enclosed order form (order.doc) to: Matthew Probert 5 Longcroft Close Basinsgtoke Hampshire RG21 8XG Telephone +44 (0)1256 414072