
                                        /-----------------------------\
                                        | Xine - issue #4 - Phile 104 |
                                        \-----------------------------/


I discovered something tonight......

Everybody knows:

Since the 8086, the processor run under what is called real mode.

Since the 286, the processor can also use the protected mode, always in
a 16bits codec, but segments don't more represent translations, they mean
indexes in tables, interrupts are not at the beginning of memory, they are
somewhere, remembered in some CPU register (IDT), etc.

With the 386, the protected mode got some 32Bits functionalities, some
beautyful [eax+ecx*4+imm] possibilities, the old (16Bits) protected mode
is now known as virtual 8086, cuz any program made for real mode, that don't
use segment translation or interrupt redirection by themselves can be used in
virtual 8086.

Here are the 3 modes everybody use: real - virtual - protected

Here is the 4th: System Management Mode, aka SMM.

The SMM is something special, upon all... I mean all, NMI, faults,
even debug traps, only some interrupts could happend if the IF bit is set,
so u cannot debug in SMM, SMM is not multi-task, a HLT in SMM mode with
IF unset hang all....

SMM look like real mode, segments are shifted values, but can be used with
any register. In real mode, 1234:5678 => 12340+5678, in SMM, 1234:56789ABC
=>12340+5678ABC... quite 4gb to specify.

To return from SMM mode, there is one special op-code: RSM aka 0fh, 0aah
that mean... return from SMM mode ;)

SMM mode is like interrupt, the SMM base address is in a special register
of the CPU, SMBASE, and cannot be accessed directly, I'll talk about changing
its value later, but it's 30000h when the computer start up, that is called
SMRAM.

SMM mode is launched externally: a spin of the CPU, no op-code... or perhaps
should I have to look deeper? The spin signal wear the name of SMI.

When SMM is called, control is transfered at its EntryPoint that is at
offset 8000h from the base (at the begining: 38000h), it save all the
processor registers at offset FE00h, where data are saved, and can be
modified before RSM, except only some like DRx, IDT, LDT, etc. But where
the SMBASE register here, can.


So, what do we have: a mode upon even softice, where there is no rings,
no matter on I/Os, you can call interrupts u want that got run in SMM,
ever if it's not advised to do so, you can swap to 32Bit protected mode,
you cannot redirect it, cuz the only way to redirect SMBASE is to be in SMM
mode, you cannot access that memory if the OS is well done enough, i mean
50% fail, like NT an 2000, or unix, and others could success after some
nights of research, like 95/98, but that's not enough. It seem uncallable,
since the only moments the CPU reach this state is when an external pin
is launched (like NMI, but SMM don't refer to an interrupt)

I got that thing in the file 24319201.pdf, certainly foundable on my site,
at chapter 11, and I strongly hope I missed something and that someone
could idscover, one day, how to got that mode for us....

Unreachable power!


n0ph - 13/8/99 - http://n0ph.cjb.net