notes.org 12 KB
## Copyright (C) 2016 Jeremiah Orians ## This file is part of stage0. ## ## stage0 is free software: you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by ## the Free Software Foundation, either version 3 of the License, or ## (at your option) any later version. ## ## stage0 is distributed in the hope that it will be useful, ## but WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ## GNU General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with stage0. If not, see .
Purpose
These notes exist for those people who want to independently create their own bootstrap tree. Those wishing to save themselves decades of work, would be wise to use the below information and Plan on making the following tools: Hex Monitor which writes out binaries to external storage medium and Text input into another A Loader (especially on platforms that have a 512byte bootloader limitation) A Line Text editor (because perfect typing is hard) A hex/octal assembler (So that you will not need the Hex Monitor any further) An improved hex/octal assembler that supports labels and calculation of relative and absolute addresses A Cat equivalent (Because definition files are awesome) A Less equivalent (Because you want to be able to just read your written code) A line macro program (Because Hex mnemonics suck and ADD32I are a lot easier to identify) The compiler/interpreter for the higher language of your choice you plan on leveraging
Platform specific information
8086
To obtain a good reference for hex encoding of 8088 instructions, get a copy of Oscar Toledo Gutierrez's book: more boot sector games (If you are experienced in assembly) or programming boot sector games (If you need to learn assembly first)
WARNING encoding is an extremely slow and painful process by hand, BE VERY VERY THANKFUL for those that came before us and made such wonderful things as assemblers and C compilers that hide most of the horrible darkness from our eyes...
Default memory map
| 16-bit mem map (seg:off) | What is there |
|---|---|
| 0x0000:0x0000 -> 0x0000:0x03FF | Interrupt Vectors |
| 0x0000:0x0400 -> 0x0000:0x79FF | Stack space |
| 0x0000:0x7a00 -> 0x0000:0x7BFF | BootstrapOS |
| 0x0000:0x7c00 -> 0x9000:0xFFFF | 640KB of Base RAM |
| 0xa000:0x0000 -> 0xa000:0xFFFF | EGA/VGA graphics modes |
| 0xb000:0x0000 -> 0xb000:0x7FFF | Monochrome text mode |
| 0xb000:0x8000 -> 0xb000:0xFFFF | Color Text mode |
| 0xc000:0x0000 -> 0xd000:0xFFFF | Video card ROM |
| 0xd000:0x0000 -> 0xe000:0xFFFF | Reserved for ROMs |
| 0xf000:0x0000 -> 0xf000:0xFFFF | BIOS ROM |
The MBR is loaded into memory at address 0x0000:0x7C00 and its last 2 bytes must be: 0x55 and 0xAA
Segment registers
| name | function |
|---|---|
| cs | Segment code is in |
| ds | Segment data is in |
| es | Segment strings are in |
| ss | Segment stack is in |
Any instruction can be prefixed by cs, ds, es or ss to change which segment register is used by the instruction at the cost of an additional byte of for the instruction encoding.
Interrupts
Use a 256 entry table of 32bit words with a corresponding index to the interrupt number. Each entry is made of 2 16bit values: Target IP:Target CS (Code segment) Which then pushes the flags register, then the caller's CS register and then the caller's IP Then the IP and CS are loaded into their corresponding registers and the processor jumps to address CS:IP which must be in the first 1MB of memory
After completing its work, the function called must use iret to return to the caller and reset the flags register.
Standard Table
| Number | Description |
|---|---|
| 0 | CPU divide by zero |
| 1 | Debug single step |
| 2 | Non Maskable Interrupt (NMI input on processor) |
| 3 | Debug breakpoints |
| 4 | Arithmetic overflow |
| 5 | BIOS provided Print Screen routine |
| 6 -> 7 | Reserved |
| 8 | IRQ0, Time of day hardware services |
| 9 | IRQ1, Keyboard Interface |
| A | IRQ2, ISA Bus cascade services for second 8259 |
| B | IRQ3, Com 2 hardware |
| C | IRQ4, Com1 hardware |
| D | IRQ5, LPT2, Parallel port hardware (Hard Disk on XT) |
| E | IRQ6, Floppy Disk adaptor |
| F | IRQ7, LPT1, Parallel port hardware |
| 10 | Video services |
| 11 | Equipment check |
| 12 | Memory size determination |
| 13 | Floppy I/O routines |
| 14 | Serial port I/O routines |
| 15 | PC used for Cassette tape services |
| 16 | Keyboard I/O routines |
| 17 | Printer I/O routines |
| 18 | Points to basic interpreter in a "real" IBM PC |
| 19 | Bootstrap loader |
| 1A | Time of day services |
| 1B | Services Ctrl-Break service |
| 1C | Timer tick (provides 18.2 ticks per second) |
| 1D | Video parameters |
| 1E | Disk parameters |
| 1F | Video graphics |
| 20 | Program termination |
| 21 | All DOS services available through this Interrupt |
| 22 | Terminate address |
| 23 | Ctrl-Break exit address |
| 24 | Critical error handler |
| 25 | Read logical sectors |
| 26 | Write logical sectors |
| 27 | Terminate and stay resident routines (obsolete) |
| 28 -> 3F | Reserved for DOS |
| 40 -> 50 | Reserved for BIOS |
| 51 | Mouse functions |
| 52 -> 5F | Reserved for BIOS |
| 60 -> 66 | Reserved for User programs |
| 67 | Used for EMS functions |
| 68 -> 6F | Unused |
| 70 | IRQ8, ISA bus Real time clock |
| 71 | IRQ9, takes the place of IRQ2 |
| 72 | IRQ10 (available hardware interrupt) |
| 73 | IRQ11 (available hardware interrupt) |
| 74 | IRQ12 (available hardware interrupt) |
| 75 | IRQ13, maths co-processor |
| 76 | IRQ14, ISA bus hard disk controller |
| 77 | IRQ15, (available hardware interrupt) |
| 78 -> 7F | Unused |
| 80 -> 85 | Reserved for basic |
| 86 -> F0 | Used by basic |
| F1 -> FF | Unused |
Restart code
| o restart the segment loaded from the bootsector | |
| Hex | Assembly Equivalent |
| 68007C | push 7C00 |
| C3 | ret |
| or an intersegment restart | |
| Hex | Assembly Equivalent |
| 6A00 | push 0 |
| 68007C | push 7C00 |
| CB | retf |
Testing notes
Making blank floppy disk images
dd if=/dev/zero of=$filename.img count=1440 bs=1k
Changing floppies inside of qemu
While qemu is running it is possible to change floppies To achieve this you first must enter the qemu monitor by pressing: Ctrl-Alt-Shift-2
You then may change the floppy by typing: change $drivename $filename
for example to use the file blank_floppy.img in the A drive: change floppy0 blank_floppy.img
Building binaries for testing
stage0_monitor
There are literally hundreds of ways of building the root bootstrap binary.
All that is required is a simply hex compiler written in any language on any system available to the user.
This repository contains a hex compiler written for Linux in hex and assembly as well as a platform independent C implementation.
Then to complete the build process write to the master boot record of a floppy disk. Or should you desire simply use qemu to boot the compiled file directly.
Creation journal
Linux bootstrap
The initial prototyping was done on linux with the goal of not requiring anything other than the linux kernel.
However it was pointed out to me that should a trusting trust attack be in the compiled kernel, there would be no way to even trust the binaries produced by these programs.
That being said they may be of some use to you.
Stage 0
Lacking a good basis for reducing the trusting trust attack, it was decided to reduce the scope down.
By writing the stage 0 code in commented hex, it becomes possible for universal cross compilation and verification.
The only real problem is that the commented hex has to be manually validated [An insanely painful process] and each and every single platform has to perform the exact same tasks.
Since all such projects have to start somewhere, I have chosen to do it myself and with the 8088.
To make my work easier, I first created the working code in 16bit assembly.
Then after testing is validated, I begin the pain staking process of manually converting the code to hex [With usually a dozen bugs along the way].
What I however require is someone with a completely alien platform verify the compiled hex for the stage0_monitor.
Which is listed along with all of the checksums of the validated binaries produced thus far in the file Checksums.org
If your compiled hex is different in any way, please let me know as the process should produce bit identical binaries.
Stage 1
Stage 1 attempts to save myself from a lot of manual typing and the inevitable errors that occur.
It simply provides the functionality required to produce 32KB or smaller binaries from Commented Hex files.
This is a minor stopping point of functionality that provides a stable nub for our much more ambitious stages that come later.
The editors lack the ability to correct mistakes and always writes a 64KB file onto the B: floppy.
The loader is so stupid is only loads 64KB from the A: Floppy and doesn't even prompt the user.
However despite those stupid limitations, they have saved alot of manual work compared to stage0.
Having these binaries are a huge step forward compared to not having them but they assume you don't make mistakes.
Stage 2
Stage 2 will be introducing enhancements to Stage 1 programs that allow you to fix the problems you accidentally introduce.
We will also begin to introduce programs that make software development a lot easier.