LOADALL
LOADALL is the common name for two different, undocumented machine instructions of the Intel 80286 and Intel 80386 processors. Both give access to processor state that lies outside the documented IA-32 programming interface, most notably the descriptor cache registers. The LOADALL for 286 processors is encoded 0Fh 05h, while the LOADALL for 386 processors is encoded 0Fh 07h.

Both variants, as the name implies, load all CPU internal registers in one operation. LOADALL had the unique ability to set up the visible part of a segment register (the selector) independently of its corresponding cached part (base, limit and access rights), allowing the programmer to bring the CPU into states not otherwise reachable through the official programming model.

As an example of the usefulness of this technique, LOADALL can set up the CPU to allow access to all memory from real mode, without having to switch it into protected mode (the so-called 'unreal mode'). Programs such as the RAMDRIVE and HIMEM drivers in MS-DOS, AboveDisk (a commercial package by Above Software which converted hard disk or extended memory into expanded memory), and OS/2 used LOADALL. Examination of the virtual machine monitor code in Windows/386 2.1 shows it uses both the 286 variant and the even less known 386 variant. Microsoft's HIMEM.SYS version 2.06 also used LOADALL to quickly copy to and from extended memory on 286 systems.

Another interesting usage of LOADALL, laid out in the book The Design of OS/2, would have been to allow running former real mode programs in 16-bit protected mode, as utilized by Digital Research's Concurrent DOS 286 since 1985 as well as FlexOS 286 and IBM 4680 OS since 1986/1987. Marking all the descriptors in the GDT and LDTs "not present" would allow the operating system to trap segment register reloads as well as attempts at performing real-mode specific "segment arithmetic", and to emulate the desired behavior by updating the segment descriptors (LOADALL again). This "virtual 8086 mode" for the 80286 was, however, too slow to be practical. Furthermore, the idea had to be mostly discarded because of errata in some early Intel 80286 processors before the E-2 stepping. As a result, OS/2 1.x, and Windows in "standard" mode as well, had to run DOS programs in real mode. Nevertheless the idea was not lost; it led Intel to introduce the virtual 8086 mode of the 80386, which at last allowed "DOS boxes" to be implemented in a relatively efficient and documented way.

Because LOADALL did not perform any checks on the validity of the data loaded into the processor registers, it was possible to load a processor state which could not normally be entered, such as real mode (PE=0) combined with paging (PG=1) on 386 class CPUs. Whatever is written into the table becomes architectural state; nothing in the CPU verifies that the descriptor caches agree with the selectors, the descriptor tables, or each other.
80286
Opcode 0F05. The instruction reads its 102-byte register image from physical addresses 00800h-00865h, regardless of the content of the segment registers; the table cannot be relocated. Because that region lies inside low memory that DOS itself occupies (IO.SYS is loaded at 0070:0000), a caller has to save those 102 bytes, write the table, execute LOADALL, and restore the original contents afterwards.

| Address | Bytes | Register | Register | Register | Register |
|---|---|---|---|---|---|
| 00800 | 6 | not used | | | |
| 00806 | 2 | MSW, machine status word | | | |
| 00808 | 14 | not used | | | |
| 00816 | 2 | TR, task register | | | |
| 00818 | 2 | FLAGS | | | |
| 0081A | 2 | IP, instruction pointer | | | |
| 0081C | 2 | LDTR, local descriptor table register | | | |
| 0081E | 4x2 | DS, data segment | SS, stack segment | CS, code segment | ES, extra segment |
| 00826 | 4x2 | DI, destination index | SI, source index | BP, base pointer | SP, stack pointer |
| 0082E | 4x2 | BX | DX | CX | AX |
| 00836 | 4x6 | ES segment descriptor cache | CS segment descriptor cache | SS segment descriptor cache | DS segment descriptor cache |
| 0084E | 4x6 | GDT, global descriptor table | LDT, local descriptor table | IDT, interrupt descriptor table | TSS, task state segment |

The four selectors at 0081E and the four descriptor caches at 00836 are listed in opposite order (DS, SS, CS, ES versus ES, CS, SS, DS); getting this wrong is not detected by the CPU.
Note that the 80286 LOADALL instruction cannot be used to switch from protected mode back to real mode: like LMSW, it cannot clear the PE bit in the MSW. However, using LOADALL can avoid the need to switch to protected mode altogether, since a descriptor cache loaded with a base above 1 MB works in real mode as well.
80386
Opcode 0F07. The instruction loads its 204-byte (0CCh) register image from ES:EDI. The address is formed from the ES register as it is before the instruction executes, not from the ES descriptor cache entry contained in the table.

| Address | Bytes | Register | Register | Register | Register |
|---|---|---|---|---|---|
| ES:EDI+00 | 4 | CR0, control register 0 | | | |
| ES:EDI+04 | 4 | EFLAGS | | | |
| ES:EDI+08 | 4 | EIP, instruction pointer | | | |
| ES:EDI+0C | 4x4 | EDI, destination index | ESI, source index | EBP, base pointer | ESP, stack pointer |
| ES:EDI+1C | 4x4 | EBX | EDX | ECX | EAX |
| ES:EDI+2C | 2x4 | DR6 | DR7 | | |
| ES:EDI+34 | 4 | TR, task register (TSS selector) | | | |
| ES:EDI+38 | 4 | LDTR, local descriptor table register | | | |
| ES:EDI+3C | 4x2 | GS, extra segment | not used | FS, extra segment | not used |
| ES:EDI+44 | 4x2 | DS, data segment | not used | SS, stack segment | not used |
| ES:EDI+4C | 4x2 | CS, code segment | not used | ES, extra segment | not used |
| ES:EDI+54 | 4x12 | TSS descriptor cache | IDT descriptor (IDTR) | GDT descriptor (GDTR) | LDT descriptor cache |
| ES:EDI+84 | 4x12 | GS segment descriptor cache | FS segment descriptor cache | DS segment descriptor cache | SS segment descriptor cache |
| ES:EDI+B4 | 2x12 | CS segment descriptor cache | ES segment descriptor cache | | |

CR0 is loaded from the first doubleword as-is, which is how the PE=0/PG=1 combination mentioned in the introduction can be produced.
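The following C program is an added example, not code from the article or from HIMEM.SYS, Windows/386 or any other program named above. It serves both the "unreal mode" paragraph in the introduction and the two register-image tables: it lays the 80286 and 80386 images out as structs at exactly the offsets given, checks those offsets at compile time (the CPU itself checks nothing), builds a real-mode 286 image whose ES descriptor cache points above 1 MB while the visible ES selector stays 0, and flags the CR0 combination the 386 variant accepts but the documented model cannot reach. It never executes LOADALL. Assumptions not stated on the page: a 286 descriptor cache entry is a 3-byte little-endian base, one access-rights byte and a 2-byte limit; a 386 entry is a 4-byte base, 4-byte limit and 4-byte access/flags word; the access values 0x93 and 0x9B and every function name are illustrative.

```c
/* Added example (not from the article). Builder/checker for the LOADALL
 * register images described in the 80286 and 80386 tables. Assumed, not
 * stated on the page: 286 descriptor cache entry = base[3], access, limit;
 * 386 entry = base, limit, access (32-bit each). Access bytes 0x93/0x9B
 * and all identifiers are illustrative. The code never runs LOADALL. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CR0_PE 0x00000001u
#define CR0_PG 0x80000000u

typedef struct { uint8_t base[3]; uint8_t access; uint16_t limit; }
    __attribute__((packed)) desc286_t;              /* assumed 6-byte layout */

typedef struct {                      /* offsets as in the 80286 table */
    uint8_t  unused0[6];              /* 00800 */
    uint16_t msw;                     /* 00806 */
    uint8_t  unused1[14];             /* 00808 */
    uint16_t tr, flags, ip, ldtr;     /* 00816 .. 0081C */
    uint16_t ds, ss, cs, es;          /* 0081E: visible selectors */
    uint16_t di, si, bp, sp;          /* 00826 */
    uint16_t bx, dx, cx, ax;          /* 0082E */
    desc286_t es_d, cs_d, ss_d, ds_d; /* 00836: descriptor caches */
    desc286_t gdt, ldt, idt, tss;     /* 0084E */
} __attribute__((packed)) loadall286_t;

typedef struct { uint32_t base, limit, access; } desc386_t; /* assumed */

typedef struct {                      /* offsets as in the 80386 table */
    uint32_t cr0, eflags, eip;        /* +00 */
    uint32_t edi, esi, ebp, esp;      /* +0C */
    uint32_t ebx, edx, ecx, eax;      /* +1C */
    uint32_t dr6, dr7;                /* +2C */
    uint32_t tr, ldtr;                /* +34 */
    uint16_t gs, gs_pad, fs, fs_pad;  /* +3C */
    uint16_t ds, ds_pad, ss, ss_pad;  /* +44 */
    uint16_t cs, cs_pad, ss_d_pad_unused_dummy_removed; /* placeholder removed below */
} loadall386_probe_t;

/* Real 386 layout (the probe above is not used; kept out of the asserts). */
typedef struct {
    uint32_t cr0, eflags, eip;        /* +00 */
    uint32_t edi, esi, ebp, esp;      /* +0C */
    uint32_t ebx, edx, ecx, eax;      /* +1C */
    uint32_t dr6, dr7;                /* +2C */
    uint32_t tr, ldtr;                /* +34 */
    uint16_t gs, gs_pad, fs, fs_pad;  /* +3C */
    uint16_t ds, ds_pad, ss, ss_pad;  /* +44 */
    uint16_t cs, cs_pad, es, es_pad;  /* +4C */
    desc386_t tss_d, idt, gdt, ldt_d; /* +54 */
    desc386_t gs_d, fs_d, ds_d, ss_d; /* +84 */
    desc386_t cs_d, es_d;             /* +B4 */
} loadall386_t;                       /* naturally aligned, no padding */

/* The CPU validates nothing, so the layout is checked at compile time:
 * a wrong offset would silently load garbage into a descriptor cache. */
_Static_assert(sizeof(loadall286_t) == 102, "286 image is 102 bytes");
_Static_assert(offsetof(loadall286_t, msw) == 0x06, "MSW at 00806");
_Static_assert(offsetof(loadall286_t, es_d) == 0x36, "ES cache at 00836");
_Static_assert(sizeof(loadall386_t) == 204, "386 image is 204 bytes");
_Static_assert(offsetof(loadall386_t, tss_d) == 0x54, "TSS cache at +54");
_Static_assert(offsetof(loadall386_t, cs_d) == 0xB4, "CS cache at +B4");

static void set_desc286(desc286_t *d, uint32_t base, uint16_t limit, uint8_t access)
{
    d->base[0] = (uint8_t)base;
    d->base[1] = (uint8_t)(base >> 8);
    d->base[2] = (uint8_t)(base >> 16);  /* 24-bit base: 16 MB on the 286 */
    d->access = access;
    d->limit = limit;
}

/* Real-mode image (MSW.PE = 0) whose ES cache points at an arbitrary 24-bit
 * base while the visible ES selector stays 0: the 286 "unreal mode" set-up.
 * The other caches stay consistent with real mode (base = selector << 4). */
void build286_unreal(loadall286_t *img, uint16_t cs, uint16_t ip,
                     uint16_t ss, uint16_t sp, uint32_t es_base)
{
    memset(img, 0, sizeof *img);
    img->msw = 0;                          /* PE=0: remain in real mode */
    img->flags = 0x0002;                   /* bit 1 is reserved-set; IF=0 */
    img->cs = cs; img->ip = ip; img->ss = ss; img->sp = sp;
    set_desc286(&img->cs_d, (uint32_t)cs << 4, 0xFFFF, 0x9B);
    set_desc286(&img->ss_d, (uint32_t)ss << 4, 0xFFFF, 0x93);
    set_desc286(&img->ds_d, 0, 0xFFFF, 0x93);
    set_desc286(&img->es_d, es_base & 0xFFFFFFu, 0xFFFF, 0x93);
    set_desc286(&img->idt, 0, 0x03FF, 0);  /* real-mode IVT at 0 */
}

/* Physical address an ES-relative access hits once the image is loaded:
 * the cached base decides, not the visible selector. UINT32_MAX = fault. */
uint32_t es_linear286(const loadall286_t *img, uint16_t off)
{
    const desc286_t *d = &img->es_d;
    uint32_t base = d->base[0] | ((uint32_t)d->base[1] << 8) | ((uint32_t)d->base[2] << 16);
    return off > d->limit ? UINT32_MAX : base + off;
}

/* CR0 value the 386 LOADALL accepts but the documented model cannot reach:
 * paging enabled (PG=1) without protected mode (PE=0). */
int cr0_is_unreachable(uint32_t cr0)
{
    return (cr0 & CR0_PG) != 0 && (cr0 & CR0_PE) == 0;
}
```

The `_Static_assert` lines are the check worth keeping: a single misplaced field moves every later one, and since the processor performs no validation the result is a descriptor cache loaded with whatever happened to be at that offset. `es_linear286` makes the selector/cache decoupling concrete: with `es_base` of 100000h the image leaves ES = 0 yet an access to ES:0010 resolves to 100010h.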