VGA System Services How to use Linux s vm86 system call to access the video ROM BIOS functions The SVGA firmware VESA compliant graphics systems provide built in service functions in adapter ROM Services normally execute during startup before processor enters protected mode But cpu can still emulate 8086 behavior after system has entered protected mode although kernel privileges are required Linux provides the system call vm86 8086 At startup the Pentium operates like 8086 Physical memory is directly addressable But memory addresses are only 20 bits CPU builds address from a pair of values Segment address 16 bits in special register Offset address 16 bits in register or memory Formula address segment 4 offset Address range 220 1 048 576 bytes 8086 real mode addresses logical address software 16 bits 16 bits segment address offset address x 16 physical address hardware 20 bit bus address Effect in the Pentium 4 Gigabyte address range 1 Megabyte address range Protected Mode At startup the Pentium essentially IS an 8086 processor operates in real mode It addresses physical memory like an 8086 It operates without any privilege restrictions But after building essential data structures the Pentium switches to protected mode and turns on virtual memory addressing To supports the execution of multiple tasks To impose restrictions on memory access Pentium can emulate 8086 Even after it enters protected mode the Pentium can still emulate 8086 behavior This works by creating a virtual 8086 cpu represented by a special data structure in memory and triggered by a special opcode But a few 8086 instructions aren t allowed if they could perhaps interfere with other tasks Device i o IN and OUT Interrupts CLI STI PUSHF POPF INT n IRET Execution HLT Entering virtual 8086 mode GS FS DS ES SS SP EFLAGS CS IP V M 1 N T 0 EFLAGS register image SS ESP Kernel s instruction stream CS EIP Kernel s stack iret Leaving virtual 8086 mode Once Pentium enters virtual 8086 mode it leaves only when an interrupt or exception occurs interrupts are caused by electrical signals from external devices such as the keyboard or mouse or by the timer and exceptions are caused by any attempts to execute privileged instructions to violate the system s protection restrictions or to perform some kind of illegal operation Handling exceptions If an exception occurs while the Pentium is executing in virtual 8086 mode registers are saved on the kernel stack and a kernel exception handler is executed The exception handler might decide to go ahead and perform an operation such as device i o that the virtual 8086 was not allowed to do on its own and then resume executing the suspended virtual 8086 task Linux s vm86 system call Linux allows privileged user programs to invoke the Pentium s capability to execute real mode 8086 code in virtual 8086 mode The user program submits the required data structure to the kernel and the kernel enters virtual 8086 mode If any restricted instruction is encountered the kernel returns to the user program the data structure storing the saved task state Recall the LRMI We used a software package called LRMI to assist us in executing real mode code The mode3 utility is built on this package Now we shall see how LRMI really works We propose to write a standalone demoprogram that executes a useful real mode video ROM BIOS routine using vm86 Linux Device Drivers We will need a way to map certain special memory regions into the user address space These regions must be mapped to addresses that an 8086 processor could access i e must be in bottom one megabyte of virtual memory Linux normally maps nothing else there We ll need device drivers to perform mappings dev zero This is a standard part of Linux dev dos This is a custom driver we built How dev zero works This device lets a user map some unused pages of physical memory into user space As the name zero suggests the memory that is provided is initialized to all zeros This region will be used for the real mode code s stack area and data structures it could also be loaded with executable code How dev dos works This device lets a user map conventional areas of initialized system memory into a user s virtual address space such as the real mode Interrupt Vector Table and the ROM BIOS Data Area and also the VGA system firmware There s a similar device dev mem that is a standard part of Linux but it requires root privileges for writing so we substitute our own device driver to avoid that hassle The 8086 memory map ROM BIOS 0xF0000 0xFFFFF VGA ROM 0xC0000 0xCFFFF VRAM 0xA0000 0xBFFFF Standard parts of the PC design that much code does rely upon one megabyte Real Mode Stack Area Data and Text BIOS DATA IVT This arena s location and size can be adjusted to suit our particular purpose 0x00400 0x00502 0x00000 0x003FF Standard parts of the PC design that much code does rely upon System preparation Your system needs a device node for the dev dos device special file normally it s created by a Linux System Administrator But you can use sudo to do it like this sudo mknod dev dos c 86 0 sudo chmod a rwx dev dos The actual program code Use header file include sys vm86 h Declare object struct vm86 struct vm Map in the necessary memory regions Initialize memory areas as appropriate Initialize register images in vm86 struct Call kernel int result vm86 vm Emulate any input and output instructions Specific SVGA ROM function We show how to execute VESA function 0 Get VESA BIOS Extensions Information It fills in the values of a data structure that gives information about our SVGA system Name of that data structure is VbeInfoBlk Structure size is 512 bytes documented in VESA white paper vbe3 pdf on website The calling convention VESA functions are designed to be called from an 8086 assembly language program that is executing in real mode i e startup Register AX is loaded with value 0x0F00 Registers ES DI are loaded with address segment offset of the memory block that is to be filled in 512 bytes initialized with 4 character string VBE2 Then software interrupt 0x10 is executed Software interrupt instruction The effect of executing int 0x10 is to transfer control to a function in ROM The entry point to that function was stored in the real mode Interrupt Vector Table by the ROM BIOS startup code We can extract that entry point address and use its pair of values as initial values for registers CS and IP in our virtual 8086 Emulating in and out Whenever an in or out instruction is