Trying to load GDT into a psycho-Pentium

From: Ignacio G.T. (igtorque.remove_at_evomer.yahoo.es)
Date: 09/30/04


Date: Thu, 30 Sep 2004 13:53:09 GMT

Hello everybody.

I'm having problems trying to start up a new Pentium-based CPU. It has 8 MB of
RAM (lowest addresses) and 8 MB of FLASH memory (highest addresses).

I can load programs with a PC via JTAG into the FLASH (4 chips of 1Mx16,
arranged as 1 Mibi of 64-bit words), and I can control the CPU with a Microtek
JTAG-ICE (with no trace memory).

I can start the programs, step by step or with a 'go forever' command, and all
my real-mode programs work as expected. But when I try to load the GDT before
switching to protected mode, the program seems to jump to a random address,
where it sometimes stops (perhaps after executing a break instruction) and
sometimes not (in which case I can stop the ICE, and CS:EIP is pointing to a
random address, anyway).

I tried to stop the program with a HLT instruction after the LGDT instruction,
to no avail.

This is the reset vector, as disassembled by the ICE:

dasm cs:fff0 cs:fff1
// CS:FFF0 FA CLI
// CS:FFF1 E90CF8 JMP F800

This is the code from the first jump target. Remember, I can execute the code
just up to (and excluding) CS:F810.

dasm cs:f800
// CS:F800 FA CLI
// CS:F801 B001 MOV AL,01
// CS:F803 B200 MOV DL,00
// CS:F805 B602 MOV DH,02
// CS:F807 EE OUT DX,AL
// CS:F808 67668D1D4BF8 LEA EBX,[FFFFF84B]
// CS:F80E FFFF
// CS:F810 67660F011588 LGDT [FFFFF888]
// CS:F816 F8FFFF
// CS:F819 F4 HLT
// CS:F81A 90 NOP
// CS:F81B 90 NOP

This is the GDT length + linear address:

dump fffff888p
// FFFFF888P 17 00 90 F8 FF FF

i.e., length = 0x17 +1 = 24 (3 entries), address = 0xFFFFF890

This is the GDT:

dump fffff890p fffff8a7p word
// FFFFF890P 0000 0000 0000 0000 FFFF 0000 9A00 00CF
// FFFFF8A0P FFFF 0000 9200 00CF

i.e.:
selector 0 (0x00): null descriptor
selector 1 (0x08): code, 32 GB, read-only
selector 2 (0x10): data, 32 GB, read-write

These are the CPU registers before executing the LGDT instruction:

// EIP = 0x0000F810
// ESP = 0x00000000
// EBP = 0x00000000
// EAX = 0x00000001
// EBX = 0xFFFFF84B
// ECX = 0x00000000
// EDX = 0x00000200
// ESI = 0x00000000
// EDI = 0x00000000
// EFLAGS = 0x00000002
// = ivfavrn0oditszapc
// CS = 0xF000
// DS = 0x0000
// ES = 0x0000
// FS = 0x0000
// GS = 0x0000
// SS = 0x0000
// GDTBASE = 0x00000000
// GDTLIMIT = 0xFFFF
// IDTBASE = 0x00000000
// IDTLIMIT = 0xFFFF
// LDTR = 0x0000
// TR = 0x0000
// CR0 = 0x60000010
// CR2 = 0x00000000
// CR3 = 0x00000000
// CR4 = 0x00000008
// LDTBASE = 0x00000000
// LDTLIMIT = 0xFFFF
// CSBASE = 0xFFFF0000
// DSBASE = 0x00000000
// ESBASE = 0x00000000
// FSBASE = 0x00000000
// GSBASE = 0x00000000
// SSBASE = 0x00000000
// CSLIMIT = 0x0000FFFF
// DSLIMIT = 0x0000FFFF
// ESLIMIT = 0x0000FFFF
// FSLIMIT = 0x0000FFFF
// GSLIMIT = 0x0000FFFF
// SSLIMIT = 0x0000FFFF
// CSAR = 0x00009300
// DSAR = 0x00009300
// ESAR = 0x00009300
// FSAR = 0x00009300
// GSAR = 0x00009300
// SSAR = 0x00009300
// GDTAR = 0x00008200
// IDTAR = 0x00008200
// LDTAR = 0x00008200
// TSSBASE = 0x00000000
// TSSLIMIT = 0x0000FFFF
// TSSAR = 0x00008200

And these are the CPU registers after the LGDT instruction + unknown
instructions:

register
// EIP = 0x00007D07
// ESP = 0x0000FFF3
// EBP = 0x00000000
// EAX = 0x00000001
// EBX = 0xFFFFA04B
// ECX = 0x00005FBE
// EDX = 0x000001FF
// ESI = 0x00000000
// EDI = 0x00000000
// EFLAGS = 0x00000016
// = ivfavrn0oditszAPc
// CS = 0x46BB
// DS = 0x0000
// ES = 0x0000
// FS = 0x0000
// GS = 0x0000
// SS = 0x0000
// GDTBASE = 0x00000000
// GDTLIMIT = 0xFFFF
// IDTBASE = 0x00000000
// IDTLIMIT = 0xFFFF
// LDTR = 0x0000
// TR = 0x0000
// CR0 = 0x60000010
// CR2 = 0x00000000
// CR3 = 0x00000000
// CR4 = 0x00000008
// LDTBASE = 0x00000000
// LDTLIMIT = 0xFFFF
// CSBASE = 0x00046BB0
// DSBASE = 0x00000000
// ESBASE = 0x00000000
// FSBASE = 0x00000000
// GSBASE = 0x00000000
// SSBASE = 0x00000000
// CSLIMIT = 0x0000FFFF
// DSLIMIT = 0x0000FFFF
// ESLIMIT = 0x0000FFFF
// FSLIMIT = 0x0000FFFF
// GSLIMIT = 0x0000FFFF
// SSLIMIT = 0x0000FFFF
// CSAR = 0x00009300
// DSAR = 0x00009300
// ESAR = 0x00009300
// FSAR = 0x00009300
// GSAR = 0x00009300
// SSAR = 0x00009300
// GDTAR = 0x00008200
// IDTAR = 0x00008200
// LDTAR = 0x00008200
// TSSBASE = 0x00000000
// TSSLIMIT = 0x0000FFFF
// TSSAR = 0x00008200

Can anybody please throw some light?

--
Ignacio G.T.
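An added decoder (not part of the original post) that reads the dumped 6-byte LGDT operand and the three descriptors exactly as the ICE printed them, and checks a real-mode effective address against the 64 KB segment limit shown in the register dump (DSLIMIT = 0x0000FFFF); the byte arrays are constructed from the post's dumps.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed from the post: operand bytes at FFFFF888 and GDT words at FFFFF890. */
static const uint8_t  GDTR_BYTES[6] = {0x17, 0x00, 0x90, 0xF8, 0xFF, 0xFF};
static const uint16_t GDT_WORDS[12] = {0x0000, 0x0000, 0x0000, 0x0000,
                                       0xFFFF, 0x0000, 0x9A00, 0x00CF,
                                       0xFFFF, 0x0000, 0x9200, 0x00CF};

struct gdtr { uint16_t limit; uint32_t base; unsigned entries; };
struct desc { uint32_t base; uint64_t size; int present, dpl, is_code, rw, gran, db; };

/* LGDT operand: 16-bit limit (bytes in table minus one), then 32-bit linear base. */
struct gdtr decode_gdtr(const uint8_t b[6]) {
    struct gdtr g;
    g.limit = (uint16_t)(b[0] | b[1] << 8);
    g.base = (uint32_t)b[2] | (uint32_t)b[3] << 8 | (uint32_t)b[4] << 16 | (uint32_t)b[5] << 24;
    g.entries = (g.limit + 1u) / 8u;
    return g;
}

/* One 8-byte descriptor as four little-endian words: limit[15:0], base[15:0],
   access<<8 | base[23:16], base[31:24]<<8 | flags<<4 | limit[19:16]. */
struct desc decode_desc(const uint16_t w[4]) {
    struct desc d;
    uint8_t access = (uint8_t)(w[2] >> 8), byte6 = (uint8_t)(w[3] & 0xFF);
    uint32_t limit = w[0] | (uint32_t)(byte6 & 0x0F) << 16;
    d.base = w[1] | (uint32_t)(w[2] & 0xFF) << 16 | (uint32_t)(w[3] >> 8) << 24;
    d.gran = (byte6 >> 7) & 1;           /* G: limit counts 4 KB pages */
    d.db = (byte6 >> 6) & 1;             /* D/B: 32-bit default operand size */
    d.present = (access >> 7) & 1;
    d.dpl = (access >> 5) & 3;
    d.is_code = (access >> 3) & 1;       /* type bit 3: code vs. data */
    d.rw = (access >> 1) & 1;            /* readable (code) / writable (data) */
    d.size = d.gran ? ((uint64_t)limit << 12 | 0xFFF) + 1 : (uint64_t)limit + 1;
    return d;
}

/* Real-address mode still checks an effective address against the segment limit
   (0xFFFF after reset); a 32-bit displacement beyond it raises #GP, and with the
   IDT still at base 0 the vector is fetched from whatever is in low RAM. */
int real_mode_offset_ok(uint32_t offset, uint32_t seg_limit) { return offset <= seg_limit; }

int main(void) {
    struct gdtr g = decode_gdtr(GDTR_BYTES);
    printf("GDTR base=%08X limit=%04X entries=%u\n", (unsigned)g.base, g.limit, g.entries);
    for (unsigned i = 0; i < g.entries && i < 3; i++) {
        struct desc d = decode_desc(&GDT_WORDS[i * 4]);
        printf("sel 0x%02X: base=%08X size=%llu MB %s P=%d DPL=%d RW=%d G=%d D=%d\n", i * 8,
               (unsigned)d.base, (unsigned long long)(d.size >> 20), d.is_code ? "code" : "data",
               d.present, d.dpl, d.rw, d.gran, d.db);
    }
    printf("[FFFFF888] within DS limit 0xFFFF: %s\n", real_mode_offset_ok(0xFFFFF888u, 0xFFFFu) ? "yes" : "no");
    return 0;
}
```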