LOADALL

{{Short description|Undocumented Intel 80286 and 80386 instructions}}

{{Use dmy dates|date=May 2019|cs1-dates=y}}

{{Use list-defined references|date=December 2021}}

LOADALL is the common name for two different undocumented machine instructions of Intel 80286 and Intel 80386 processors, which allow access to areas of the internal processor state that are normally outside of the IA-32 API scope, like descriptor cache registers. The LOADALL for 286 processors is encoded 0Fh 05h, while the LOADALL for 386 processors is 0Fh 07h.

Both variants – as the name implies – load all CPU internal registers in one operation. LOADALL had the unique ability to set up the visible part of the segment registers (selector) independently of their corresponding cached part, allowing the programmer to bring the CPU into states not otherwise allowed by the official programming model.

Usage

As an example of the usefulness of these techniques, LOADALL can set up the CPU to allow access to all memory from real mode, without having to switch it into unreal mode (which requires switching into protected mode, accessing memory and finally switching back to real mode). Programs such as the pre-XMS versions of RAMDRIVE.SYS (1985), SMARTDRV.SYS (1986) as well as HIMEM.SYS (2.03, 1988-08-04; 2.04, 1988-08-17) drivers in MS-DOS, Uniform Software Systems' The Extender (1985) and The Connector (1985) for Lotus 1-2-3, Above Disk (1986) (a LIMulator by Above Software (formerly Tele-Ware West aka Los Angeles Securities Group) that converted hard disk space or extended memory into expanded memory), and OS/2 1.0 and 1.1 used the 286 LOADALL instruction. DOS 3.3 and 4.0 reserved a 102-byte buffer at 0070:0100h (which was normally occupied by DOS BIOS data) so that there was no need to save and restore it for LOADALL. Microsoft's EMM386.EXE special-cases both the 286 and 386 LOADALL instructions in its invalid opcode handler. Examination of the virtual-machine monitor code in Windows/386 2.10 shows that it uses both the 286{{Citation needed|reason=How can the 386 VMM code use the 286 LOADALL instruction?|date=February 2016}} and the even less known 386 variant{{Citation needed|reason=Reliable source needed for documenting 386 LOADALL usage since Windows/386 runs on 486+ CPUs|date=February 2016}}. Microsoft's HIMEM.SYS version 2.06 also used LOADALL to quickly copy to and from extended memory on 286 systems.

Another interesting usage of LOADALL, laid out in the book The Design of OS/2, would have been to allow running former real-mode programs in 16-bit protected mode, as utilized by Digital Research's Concurrent DOS 286 since 1985, as well as FlexOS 286 and IBM 4680 OS since 1986. Marking all the descriptor caches in the GDT and LDTs "not present" would allow the operating system to trap segment-register reloads, as well as attempts at performing real-mode–specific "segment arithmetic" and emulate the desired behavior by updating the segment descriptors (LOADALL again). This "8086 emulation mode" for the 80286 was, however, too slow to be practical. The idea had to be mostly discarded due to errata in some early Intel 80286 processors before the E-2 stepping. As a result, OS/2 1.x – and Windows in "standard" mode as well – had to run DOS programs in real mode. Nevertheless, the idea was not lost; it led Intel to introduce the virtual 8086 mode of the 80386, allowing the implementation of "DOS boxes" at last in a relatively efficient and documented way.

Because LOADALL did not perform any checks on the validity of the data loaded into processor registers, it was possible to load a processor state that could not be normally entered, such as using real mode (PE=0) together with paging (PG=1) on 386-class CPUs.

An in-circuit emulator (ICE) is a tool used for low-level debugging. On Intel 80386, asserting the undocumented pin at location B6 causes the microprocessor to halt execution and enter ICE mode. The microprocessor saves its entire state to an area of memory isolated from normal system memory. The layout of this area is suitable for the LOADALL instruction, and this instruction is used by ICE code to return to normal execution.

In later processors this mechanism evolved into System Management Mode (SMM), where the RSM instruction loads a full CPU state from a memory area whose layout is similar to the one used by LOADALL. The 386-style LOADALL instruction can still be executed on the 486, but only from within SMM; in later processors the RSM instruction, which has a different encoding, took over its role.

Microsoft's Codeview 3.0 and Borland's Turbo Debugger 2.0 correctly decode 286 and 386 LOADALL instructions.

As the two LOADALL instructions were never documented and do not exist on later processors, the opcodes were reused in the AMD64 architecture. The opcode for the 286 LOADALL instruction, 0F05, became the AMD64 instruction SYSCALL; the 386 LOADALL instruction, 0F07, became the SYSRET instruction. These definitions were implemented even on Intel CPUs with the introduction of the Intel 64 implementation of AMD64.

80286

Opcode 0F05. The instruction reads its data from the fixed addresses 0x00800–0x00866, regardless of the contents of the segment registers.

{| class="wikitable"
!Address!!number<br />of bytes!!register!!register!!register!!register
|- align="center"
|00800||6||colspan="4"|not used
|- align="center"
|00806||2||colspan="4"|MSW, machine status word
|- align="center"
|00808||14||colspan="4"|not used
|- align="center"
|00816||2||colspan="4"|TR (task register)
|- align="center"
|00818||2||colspan="4"|flags
|- align="center"
|0081A||2||colspan="4"|IP (instruction pointer)
|- align="center"
|0081C||2||colspan="4"|LDTR, local<br />descriptor table register
|- align="center"
|0081E||4× 2||DS (data segment)||SS (stack segment)||CS (code segment)||ES (extra segment)
|- align="center"
|00826||4× 2||DI (destination index)||SI (source index)||BP (base pointer)||SP (stack pointer)
|- align="center"
|0082E||4× 2||BX||DX||CX||AX
|- align="center"
|00836||4× 6||ES segment descriptor||CS segment descriptor||SS segment descriptor||DS segment descriptor
|- align="center"
|0084E||4× 6||GDT,<br />global descriptor table||LDT,<br />local descriptor table||IDT,<br />interrupt descriptor table||TSS,<br />task state segment
|}

The 80286 LOADALL instruction cannot be used to switch from protected mode back to real mode (it cannot clear the PE bit in the MSW). However, using LOADALL can avoid the need to switch to protected mode altogether.
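As an added example (not code from the article or from any of the software named above), the following Python decodes a 286 LOADALL image laid out as in the table above and reports segments whose cached descriptor no longer matches what a plain real-mode selector load would have produced, which is the state the extended-memory tricks rely on and which LOADALL itself never validates. The 6-byte entry layout (24-bit base, access-rights byte, 16-bit limit) follows Robert R. Collins' published description of the 286 descriptor cache and is an assumption not stated in the table; the sample image is constructed.

```python
import struct

# Offsets of the 286 LOADALL image (the table above), relative to 0x800.
IMAGE_SIZE = 0x66                           # 102 bytes, 0x800..0x865
SEG_ORDER = ("DS", "SS", "CS", "ES")        # selector order at +1E
DESC_ORDER = ("ES", "CS", "SS", "DS")       # descriptor-cache order at +36
TABLE_ORDER = ("GDT", "LDT", "IDT", "TSS")  # system table caches at +4E

def unpack_desc(raw):
    """6-byte cache entry: 24-bit base, access-rights byte, 16-bit limit
    (entry layout assumed from Collins' description, not given in the table)."""
    base = raw[0] | raw[1] << 8 | raw[2] << 16
    return {"base": base, "ar": raw[3], "limit": struct.unpack_from("<H", raw, 4)[0]}

def pack_desc(d):
    b = d["base"]
    return bytes([b & 0xFF, (b >> 8) & 0xFF, (b >> 16) & 0xFF, d["ar"]]) \
        + struct.pack("<H", d["limit"])

def decode_286(img):
    """Decode a 102-byte 286 LOADALL image into named registers."""
    if len(img) != IMAGE_SIZE:
        raise ValueError("286 LOADALL image must be %d bytes" % IMAGE_SIZE)
    st = {"MSW": struct.unpack_from("<H", img, 0x06)[0],
          "TR": struct.unpack_from("<H", img, 0x16)[0],
          "FLAGS": struct.unpack_from("<H", img, 0x18)[0],
          "IP": struct.unpack_from("<H", img, 0x1A)[0],
          "LDTR": struct.unpack_from("<H", img, 0x1C)[0]}
    st.update(zip(SEG_ORDER, struct.unpack_from("<4H", img, 0x1E)))
    st.update(zip(("DI", "SI", "BP", "SP"), struct.unpack_from("<4H", img, 0x26)))
    st.update(zip(("BX", "DX", "CX", "AX"), struct.unpack_from("<4H", img, 0x2E)))
    for i, name in enumerate(DESC_ORDER):
        st[name + "_cache"] = unpack_desc(img[0x36 + 6 * i:0x3C + 6 * i])
    for i, name in enumerate(TABLE_ORDER):
        st[name + "_cache"] = unpack_desc(img[0x4E + 6 * i:0x54 + 6 * i])
    return st

def unreal_segments(st):
    """Segments whose cached descriptor differs from what a real-mode selector
    load would produce (base = selector << 4, limit = 0xFFFF). Only meaningful
    when MSW.PE (bit 0) is clear; LOADALL itself never checks this."""
    if st["MSW"] & 1:
        return []
    return [s for s in SEG_ORDER
            if st[s + "_cache"]["base"] != st[s] << 4
            or st[s + "_cache"]["limit"] != 0xFFFF]

def build_sample():
    """Constructed real-mode image: every cache matches its selector except DS,
    whose base is moved to 1 MiB, the start of extended memory."""
    img = bytearray(IMAGE_SIZE)
    struct.pack_into("<H", img, 0x18, 0x0202)      # FLAGS: IF set, reserved bit 1
    struct.pack_into("<H", img, 0x1A, 0x0100)      # IP
    struct.pack_into("<4H", img, 0x1E, *(0x0070 for _ in SEG_ORDER))
    for i, name in enumerate(DESC_ORDER):
        base = 0x100000 if name == "DS" else 0x0070 << 4
        img[0x36 + 6 * i:0x3C + 6 * i] = pack_desc({"base": base, "ar": 0x93, "limit": 0xFFFF})
    return bytes(img)
```

Running `unreal_segments(decode_286(build_sample()))` on the constructed image reports only DS, the one segment whose cache was set independently of its selector.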

80386

Opcode 0F07. The instruction loads data from address ES:EDI. It actually uses ES, not the ES descriptor.

{| class="wikitable"
!Address!!number<br />of bytes!!register!!register!!register!!register
|- align="center"
|ES:EDI+00||4||colspan="4"|CR0, control register 0
|- align="center"
|ES:EDI+04||4||colspan="4"|EFLAGS
|- align="center"
|ES:EDI+08||4||colspan="4"|EIP, instruction pointer
|- align="center"
|ES:EDI+0C||4× 4||EDI, destination index||ESI, source index||EBP, base pointer||ESP, stack pointer
|- align="center"
|ES:EDI+1C||4× 4||EBX||EDX||ECX||EAX
|- align="center"
|ES:EDI+2C||2× 4||colspan="2"|DR6||colspan="2"|DR7
|- align="center"
|ES:EDI+34||4||colspan="4"|TR, task state selector
|- align="center"
|ES:EDI+38||4||colspan="4"|LDTR,<br />local descriptor table
|- align="center"
|ES:EDI+3C||4× 2||GS, extra segment||not used||FS, extra segment||not used
|- align="center"
|ES:EDI+44||4× 2||DS, data segment||not used||SS, stack segment||not used
|- align="center"
|ES:EDI+4C||4× 2||CS, code segment||not used||ES, extra segment||not used
|- align="center"
|ES:EDI+54||4× 12||TSS descriptor,<br />task state selector||IDT descriptor,<br />interrupt descriptor table||GDT descriptor,<br />global descriptor table||LDT descriptor,<br />local descriptor table
|- align="center"
|ES:EDI+84||4× 12||GS segment descriptor||FS segment descriptor||DS segment descriptor||SS segment descriptor
|- align="center"
|ES:EDI+B4||2× 12||colspan="2"|CS segment descriptor||colspan="2"|ES segment descriptor
|}
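Added example, not from the article: a Python decoder for the 386 image as laid out in the table above, with a check for the inconsistent state mentioned earlier (real mode, PE=0, combined with paging, PG=1) that LOADALL loads without validation and that an emulator or debugger would want to flag. The descriptor entries are kept as raw 12-byte blobs because their internal format is not given here; the sample image is constructed.

```python
import struct

# Offsets relative to ES:EDI, taken from the table above.
IMAGE_SIZE = 0xCC                     # 204 bytes: the ES descriptor ends at +CC
CR0_PE, CR0_PG = 1 << 0, 1 << 31      # documented CR0 bit positions

def decode_386(img):
    """Decode a 386 LOADALL image into named fields. Descriptor entries
    are returned as raw 12-byte blobs (their internal layout is not
    given in the table and is not assumed here)."""
    if len(img) != IMAGE_SIZE:
        raise ValueError("386 LOADALL image must be %d bytes" % IMAGE_SIZE)
    dwords = ("CR0", "EFLAGS", "EIP", "EDI", "ESI", "EBP", "ESP",
              "EBX", "EDX", "ECX", "EAX", "DR6", "DR7", "TR", "LDTR")
    st = dict(zip(dwords, struct.unpack_from("<15I", img, 0x00)))
    # Selector slots at +3C..+53 are 4 bytes each; only the low word is used.
    for off, name in ((0x3C, "GS"), (0x40, "FS"), (0x44, "DS"),
                      (0x48, "SS"), (0x4C, "CS"), (0x50, "ES")):
        st[name] = struct.unpack_from("<H", img, off)[0]
    descs = ("TSS", "IDT", "GDT", "LDT", "GS", "FS", "DS", "SS", "CS", "ES")
    for i, name in enumerate(descs):
        st[name + "_desc"] = bytes(img[0x54 + 12 * i:0x60 + 12 * i])
    return st

def impossible_states(st):
    """Combinations LOADALL will load unchecked but the documented programming
    model cannot reach. Only the PE/PG case described in the text is checked."""
    findings = []
    if st["CR0"] & CR0_PG and not st["CR0"] & CR0_PE:
        findings.append("CR0: PG=1 with PE=0 (paging in real mode)")
    return findings

def build_sample():
    """Constructed image: a real-mode-looking state (PE=0) with paging
    switched on, plus a few register values so the decoding is visible."""
    img = bytearray(IMAGE_SIZE)
    struct.pack_into("<I", img, 0x00, CR0_PG)        # PE=0, PG=1
    struct.pack_into("<I", img, 0x04, 0x00000002)    # EFLAGS, reserved bit 1 set
    struct.pack_into("<I", img, 0x08, 0x00000100)    # EIP
    struct.pack_into("<I", img, 0x18, 0x0000FFFE)    # ESP
    struct.pack_into("<H", img, 0x4C, 0xF000)        # CS selector
    return bytes(img)

if __name__ == "__main__":
    state = decode_386(build_sample())
    print({k: hex(v) for k, v in state.items() if isinstance(v, int)})
    print(impossible_states(state))
```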


Further reading

  • {{cite book |title=IBM Operating System/2 Technical Reference – Programming Family |publisher=IBM |date=September 1987 |orig-year=1986 |volume=1 |edition=1st |url=http://bitsavers.informatik.uni-stuttgart.de/pdf/ibm/pc/os2/84X1434_OS2_Technical_Reference_Volume_1_Sep87.pdf |url-status=live |archive-url=https://web.archive.org/web/20170103220718/http://bitsavers.informatik.uni-stuttgart.de/pdf/ibm/pc/os2/84X1434_OS2_Technical_Reference_Volume_1_Sep87.pdf |archive-date=2017-01-03}}
  • {{cite book |title=DOS Internals |author-first=Geoff |author-last=Chappell |editor-first1=Andrew |editor-last1=Schulman |editor-first2=Amorette |editor-last2=Pedersen |date=January 1994 |edition=1st printing, 1st |series=The Andrew Schulman Programming Series |publisher=Addison Wesley Publishing Company |isbn=978-0-201-60835-9 |pages=4, 21, 100–106, 127–129}} (xxvi+738+iv pages, 3.5"-floppy [https://web.archive.org/web/20190421200111/https://gopher.tildeverse.org/gopher.viste.fr/9/programming/PC/DOS/DOS%2520Internals/DOS_Internals.zip][https://web.archive.org/web/20200222111608/https://www.pcjs.org/pubs/pc/programming/DOS_Internals/]) Errata: [https://web.archive.org/web/20200222111742/http://www.geoffchappell.com/notes/dos/internals/][https://web.archive.org/web/20200222111853/https://gopher.tildeverse.org/gopher.viste.fr/1/programming/PC/DOS/DOS%2520Internals/crtdrvr][https://web.archive.org/web/20200222111945/https://gopher.tildeverse.org/gopher.viste.fr/1/programming/PC/DOS/DOS%2520Internals/xmswatch]
  • {{cite web |title=Strange Things LINK Knows about 80x86 Processors |author-first=Geoff |author-last=Chappell |date=2008-10-03 |orig-year=1997-03-18 |url=http://www.geoffchappell.com/notes/windows/archive/linkcpu.htm |access-date=2019-04-21 |url-status=live |archive-url=https://web.archive.org/web/20190421183333/http://www.geoffchappell.com/notes/windows/archive/linkcpu.htm |archive-date=2019-04-21}}
  • {{cite web |title=Curious Instructions |author-first=Michal |author-last=Necasek |date=2014-12-13 |work=OS/2 Museum |url=http://www.os2museum.com/wp/curious-instructions/ |access-date=2019-04-21 |url-status=live |archive-url=https://web.archive.org/web/20190421182907/http://www.os2museum.com/wp/curious-instructions/ |archive-date=2019-04-21}}
  • {{cite magazine |author-first=Andreas |author-last=Stiller |date=1990 |title=Bitter für 32-Bitter |magazine=c't - magazin für computertechnik |language=de |volume=1990 |number=8 |page=202}}
  • {{cite magazine |author-first1=Norbert |author-last1=Juffa |author-first2=Peter |author-last2=Siering |date=1990 |title=Wege über die Mauer. Loadall - Extended Memory im Real Mode des 80286. |magazine=c't - magazin für computertechnik |language=de |volume=1990 |number=11 |pages=362–366}}

Category:X86 instructions