Dietmar
Content Type
Profiles
Forums
Events
Posts posted by Dietmar
-
-
For the 486 cpu, this AMD64 opcode will look something like this
Dietmar
8B 01 ; mov eax, [ecx] 25 00 00 00 FE ; and eax, 0fe000000H #ifdef NTOS_KERNEL_RUNTIME 80 38 01 ; cmp byte ptr [eax], 1 F6 D1 ; not cl D1 C2 ; ror eax, 1 C1 F8 2B ; sar eax, 43 #else C1 F8 2A ; sar eax, 42 #endif C3 ; ret0 -
I think, this is a crazy nice way to overcome this problem, that works on all cpu.
Problem is only the translate from AMD64 with 64bit registers this opcode to x86 (486 cpu) with 32 bit registers.
I think, it can be done
Dietmar
For bit64 mov rax, [rcx] ; get address, sequence, and depth and rax, 0fe000000H ; isolate packed address ; ; The following code takes advantage of the fact that the high order bit ; for user mode addresses is zero and for system addresses is one. ; ifdef NTOS_KERNEL_RUNTIME cmp rax, 1 ; set carry if address is zero cmc ; set carry if address is not zero rcr rax, 1 ; rotate carry into high bit sar rax, 63 - 43 ; extract first entry address else shr rax, 63 - 42 ; extract first entry address endif ret ; return0 -
Hi, until now not.
But when I take a look at the Source Code from XP SP1 or even XP bit64, there is in each a file with name slist.asm.
The 64bit version is from 2000, same author. But 64bit slist.asm takes another way, not using cmpxchg8b.
If this opcodes from 64bit can be translated into x86 code, this would be also a possibility.
But I have no idea, how to reach this in Hex code.
It is unchanged since 1996 for NT4. "Only" the opcode cmpxchg8b has to be simulated with opcode from 486 cpu.
Cutler in 1996 and so also for XP SP1 solved this problem, just "jump" over this opcode during
assembly for .386 (and not .586). I make a try with 90 90 90 90 for all apearance of this opcode in XP SP3 in ntoskrnl.exe.
But Bsod. Strange, because also in XP SP3 there is exact the same code from Cutler used from 1996,
as you can see in ntoskrnl.exe via Ida Pro.
It is a heavy memory operation and with more than 1 cpu there can be problems with this "jump".
But the 486 cpu has only 1 processor, so it may be possible
Dietmar
EDIT: With Windbg, starting with bu ExInterlockedFlushSList I come to its driver entry point of my modded driver.
And via trace (t, F8) I can see, that the code in my modded driver was fully entered and left with retn, no Bsod.
slist.asm XP SP1
title "Interlocked Support" ;++ ; ; Copyright (c) 1996 Microsoft Corporation ; ; Module Name: ; ; slist.asm ; ; Abstract: ; ; This module implements functions to support interlocked S-List ; operations. ; ; Author: ; ; David N. Cutler (davec) 13-Mar-1996 ; ; Environment: ; ; Any mode. ; ; Revision History: ; ;-- .386p .xlist include ks386.inc include callconv.inc ; calling convention macros include mac386.inc .list _TEXT$00 SEGMENT DWORD PUBLIC 'CODE' ASSUME DS:FLAT, ES:FLAT, SS:NOTHING, FS:NOTHING, GS:NOTHING page , 132 subttl "Interlocked Flush Sequenced List" ;++ ; ; PSINGLE_LIST_ENTRY ; FASTCALL ; RtlpInterlockedFlushSList ( ; IN PSINGLE_LIST_ENTRY ListHead ; ) ; ; Routine Description: ; ; This function removes the entire list from a sequenced singly ; linked list so that access to the list is synchronized in an MP system. ; If there are no entries in the list, then a value of NULL is returned. ; Otherwise, the address of the entry at the top of the list is removed ; and returned as the function value and the list header is set to point ; to NULL. ; ; Arguments: ; ; (ecx) = ListHead - Supplies a pointer to the sequenced listhead from ; which the list is to be flushed. ; ; Return Value: ; ; The address of the entire current list, or NULL if the list is ; empty. ; ;-- ; ; These old interfaces just fall into the new ones ; cPublicFastCall ExInterlockedFlushSList, 1 fstENDP ExInterlockedFlushSList cPublicFastCall RtlpInterlockedFlushSList, 1 cPublicFpo 0,1 ; ; Save nonvolatile registers and read the listhead sequence number followed ; by the listhead next link. ; ; N.B. These two dwords MUST be read exactly in this order. ; push ebx ; save nonvolatile registers push ebp ; xor ebx, ebx ; zero out new pointer mov ebp, ecx ; save listhead address mov edx, [ebp] + 4 ; get current sequence number mov eax, [ebp] + 0 ; get current next link ; ; N.B. The following code is the retry code should the compare ; part of the compare exchange operation fail ; ; If the list is empty, then there is nothing that can be removed. ; Efls10: or eax, eax ; check if list is empty jz short Efls20 ; if z set, list is empty mov ecx, edx ; copy sequence number mov cx, bx ; clear depth leaving sequence number .586 ifndef NT_UP lock cmpxchg8b qword ptr [ebp] ; compare and exchange else cmpxchg8b qword ptr [ebp] ; compare and exchange endif .386 jnz short Efls10 ; if z clear, exchange failed ; ; Restore nonvolatile registers and return result. ; cPublicFpo 0,0 Efls20: pop ebp ; restore nonvolatile registers pop ebx ; fstRET RtlpInterlockedFlushSList fstENDP RtlpInterlockedFlushSList page , 132 subttl "Interlocked Pop Entry Sequenced List" ;++ ; ; PVOID ; FASTCALL ; RtlpInterlockedPopEntrySList ( ; IN PSLIST_HEADER ListHead ; ) ; ; Routine Description: ; ; This function removes an entry from the front of a sequenced singly ; linked list so that access to the list is synchronized in an MP system. ; If there are no entries in the list, then a value of NULL is returned. ; Otherwise, the address of the entry that is removed is returned as the ; function value. ; ; Arguments: ; ; (ecx) = ListHead - Supplies a pointer to the sequenced listhead from ; which an entry is to be removed. ; ; Return Value: ; ; The address of the entry removed from the list, or NULL if the list is ; empty. ; ;-- ; ; These older interfaces just fall into the new code below ; cPublicFastCall InterlockedPopEntrySList, 1 fstENDP InterlockedPopEntrySList cPublicFastCall ExInterlockedPopEntrySList, 2 fstENDP ExInterlockedPopEntrySList cPublicFastCall RtlpInterlockedPopEntrySList, 1 cPublicFpo 0,2 ; ; Save nonvolatile registers and read the listhead sequence number followed ; by the listhead next link. ; ; N.B. These two dwords MUST be read exactly in this order. ; push ebx ; save nonvolatile registers push ebp ; mov ebp, ecx ; save listhead address ; ; N.B. The following code is the continuation address should a fault ; occur in the rare case described below. ; public ExpInterlockedPopEntrySListResume public _ExpInterlockedPopEntrySListResume@0 ExpInterlockedPopEntrySListResume: ; _ExpInterlockedPopEntrySListResume@0: ; mov edx,[ebp] + 4 ; get current sequence number mov eax,[ebp] + 0 ; get current next link ; ; If the list is empty, then there is nothing that can be removed. ; Epop10: or eax, eax ; check if list is empty jz short Epop20 ; if z set, list is empty lea ecx, [edx-1] ; Adjust depth only ; ; N.B. It is possible for the following instruction to fault in the rare ; case where the first entry in the list is allocated on another ; processor and free between the time the free pointer is read above ; and the following instruction. When this happens, the access fault ; code continues execution by skipping the following instruction. ; This results in the compare failing and the entire operation is ; retried. ; public ExpInterlockedPopEntrySListFault ExpInterlockedPopEntrySListFault: ; mov ebx, [eax] ; get address of successor entry public _ExpInterlockedPopEntrySListEnd@0 _ExpInterlockedPopEntrySListEnd@0: ; .586 ifndef NT_UP lock cmpxchg8b qword ptr [ebp] ; compare and exchange else cmpxchg8b qword ptr [ebp] ; compare and exchange endif .386 jnz short Epop10 ; if z clear, exchange failed ; ; Restore nonvolatile registers and return result. ; cPublicFpo 0,0 Epop20: pop ebp ; restore nonvolatile registers pop ebx ; fstRET RtlpInterlockedPopEntrySList fstENDP RtlpInterlockedPopEntrySList page , 132 subttl "Interlocked Push Entry Sequenced List" ;++ ; ; PVOID ; FASTCALL ; RtlpInterlockedPushEntrySList ( ; IN PSLIST_HEADER ListHead, ; IN PVOID ListEntry ; ) ; ; Routine Description: ; ; This function inserts an entry at the head of a sequenced singly linked ; list so that access to the list is synchronized in an MP system. ; ; Arguments: ; ; (ecx) ListHead - Supplies a pointer to the sequenced listhead into which ; an entry is to be inserted. ; ; (edx) ListEntry - Supplies a pointer to the entry to be inserted at the ; head of the list. ; ; Return Value: ; ; Previous contents of ListHead. NULL implies list went from empty ; to not empty. ; ;-- ; ; This old interface just fall into the new code below. ; cPublicFastCall ExInterlockedPushEntrySList, 3 pop [esp] ; Drop the lock argument fstENDP ExInterlockedPushEntrySList cPublicFastCall InterlockedPushEntrySList, 2 fstENDP InterlockedPushEntrySList cPublicFastCall RtlpInterlockedPushEntrySList, 2 cPublicFpo 0,2 ; ; Save nonvolatile registers and read the listhead sequence number followed ; by the listhead next link. ; ; N.B. These two dwords MUST be read exactly in this order. ; push ebx ; save nonvolatile registers push ebp ; mov ebp, ecx ; save listhead address mov ebx, edx ; save list entry address mov edx,[ebp] + 4 ; get current sequence number mov eax,[ebp] + 0 ; get current next link Epsh10: mov [ebx], eax ; set next link in new first entry lea ecx, [edx+010001H] ; increment sequence number and depth .586 ifndef NT_UP lock cmpxchg8b qword ptr [ebp] ; compare and exchange else cmpxchg8b qword ptr[ebp] ; compare and exchange endif .386 jnz short Epsh10 ; if z clear, exchange failed ; ; Restore nonvolatile registers and return result. ; cPublicFpo 0,0 pop ebp ; restore nonvolatile registers pop ebx ; fstRET RtlpInterlockedPushEntrySList fstENDP RtlpInterlockedPushEntrySList ;++ ; ; SINGLE_LIST_ENTRY ; FASTCALL ; InterlockedPushListSList ( ; IN PSLIST_HEADER ListHead, ; IN PSINGLE_LIST_ENTRY List, ; IN PSINGLE_LIST_ENTRY ListEnd, ; IN ULONG Count ; ) ; ; Routine Description: ; ; This function will push multiple entries onto an SList at once ; ; Arguments: ; ; ListHead - List head to push the list to. ; ; List - The list to add to the front of the SList ; ListEnd - The last element in the chain ; Count - The number of items in the chain ; ; Return Value: ; ; PSINGLE_LIST_ENTRY - The old header pointer is returned ; ;-- cPublicFastCall InterlockedPushListSList, 4 cPublicFpo 0,4 push ebx ; save nonvolatile registers push ebp ; mov ebp, ecx ; save listhead address mov ebx, edx ; save list entry address mov edx,[ebp] + 4 ; get current sequence number mov eax,[ebp] + 0 ; get current next link Epshl10: mov ecx, [esp+4*3] ; Fetch address of list tail mov [ecx], eax ; Store new forward pointer in tail entry lea ecx, [edx+010000H] ; increment sequence number add ecx, [esp+4*4] ; Add in new count to create correct depth .586 ifndef NT_UP lock cmpxchg8b qword ptr [ebp] ; compare and exchange else cmpxchg8b qword ptr[ebp] ; compare and exchange endif .386 jnz short Epshl10 ; if z clear, exchange failed cPublicFpo 0,0 pop ebp ; restore nonvolatile registers pop ebx ; fstRET InterlockedPushListSList fstENDP InterlockedPushListSList ;++ ; ; PSINGLE_LIST_ENTRY ; FirstEntrySList ( ; IN PSLIST_HEADER SListHead ; ) ; ; Routine Description: ; ; This function returns the address of the fisrt entry in the SLIST or ; NULL. ; ; Arguments: ; ; ListHead (rcx) - Supplies a pointer to the sequenced listhead from ; which the first entry address is to be computed. ; ; Return Value: ; ; The address of the first entry is the specified, or NULL if the list is ; empty. ; ;-- cPublicProc _FirstEntrySList, 1 cPublicFpo 1,0 mov eax, [esp+4] mov eax, [eax] stdRET _FirstEntrySList stdENDP _FirstEntrySList ;++ ; ; LONGLONG ; FASTCALL ; RtlInterlockedCompareExchange64 ( ; IN OUT PLONGLONG Destination, ; IN PLONGLONG Exchange, ; IN PLONGLONG Comperand ; ) ; ; Routine Description: ; ; This function performs a compare and exchange of 64-bits. ; ; Arguments: ; ; (ecx) Destination - Supplies a pointer to the destination variable. ; ; (edx) Exchange - Supplies a pointer to the exchange value. ; ; (esp+4) Comperand - Supplies a pointer to the comperand value. ; ; Return Value: ; ; The current destination value is returned as the function value. ; ;-- cPublicFastCall RtlInterlockedCompareExchange64, 3 cPublicFpo 0,2 ; ; Save nonvolatile registers and read the exchange and comperand values. ; push ebx ; save nonvolatile registers push ebp ; mov ebp, ecx ; set destination address mov ebx, [edx] ; get exchange value mov ecx, [edx] + 4 ; mov edx, [esp] + 12 ; get comperand address mov eax, [edx] ; get comperand value mov edx, [edx] + 4 ; .586 ifndef NT_UP lock cmpxchg8b qword ptr [ebp] ; compare and exchange else cmpxchg8b qword ptr[ebp] ; compare and exchange endif .386 ; ; Restore nonvolatile registers and return result in edx:eax. ; cPublicFpo 0,0 pop ebp ; restore nonvolatile registers pop ebx ; fstRET RtlInterlockedCompareExchange64 fstENDP RtlInterlockedCompareExchange64 _TEXT$00 ends end0 -
Hi,
I found also this but have no idea how to make a simulation for 486 cpu from it, because it has an retn, a second retn is not good in a function
Dietmar
the single instruction lock cmpxchg8b qword ptr [ebp] is replaceable with the following sequence pushfd try: cli lock bts dword ptr [edi],0 jnb acquired popfd pushfd wait: test dword ptr [edi],1 je try pause ; if available jmp wait acquired: cmp eax,[ebp] jne keep cmp edx,[ebp+4] je exchange keep: mov eax,[ebp] mov edx,[ebp+4] jmp done exchange: mov [ebp],ebx mov [ebp+4],ecx done: mov byte ptr [edi],0 popfdand this
lock cmpxchg8b qword ptr [esi] is replaceable with the following sequence pushfd try: cli lock bts dword ptr [edi],0 jnb acquired popfd pushfd wait: test dword ptr [edi],1 je try pause ; if available jmp wait acquired: cmp eax,[esi] jne keep cmp edx,[esi+4] je exchange keep: mov eax,[esi] mov edx,[esi+4] jmp done exchange: mov [esi],ebx mov [esi+4],ecx done: mov byte ptr [edi],0 popfd0 -
Hi,
I try to install XP SP3 on the Shuttle Hot 433 board with 486 cpu.
But very early in Setup comes a message, that the 486 cpu does not support the hex opcode cmpxchg8b and so XP cant be installed.
I also try an XP SP3 from another compi in IDE mode, crash at once.
Now I look at the hex wíth Ida pro for this cmpxchg8b on an ready XP SP3 install.
On a first try I find it in ntoskrnl.exe (one cpu) and in ntdll.dll.
There may be other PE files in XP also with this opcode.
The use is always the same. This opcode does a atomic search in a register.
So, when a working solution is found, the replacement in other files is easy!
I try to replace it with a series of opcodes, that the 486 cpu understands.
This is not easy.
I found this (Edit: This is wrong).
push ebx ; save nonvolatile registers push ebp xor ebx, ebx ; zero out new pointer mov ebp, ecx ; save listhead address mov edx, [ebp] + 4 ; get current sequence number mov eax, [ebp] + 0 ; get current next link Efls10: or eax, eax ; check if list is empty jz short Efls20 ; if z set, list is empty mov ecx, edx ; copy sequence number mov cx, bx ; clear depth leaving sequence number jnz short Efls10 ; if z clear, exchange failed Efls20: pop ebp ; restore nonvolatile registers pop ebx retThis I try as a replacement for this function ExInterlockedFlushSList in ntoskrnl.exe in XP SP3.
The funny thing in this is, that simple the opcode cmpxchg8b qword ptr [ebp+0] is deleted. May be it works on NT4 but for me it crashes XP.
EDIT: May be, that this version for i368 cpu of ExInterlockedFlushSList works really only on a compi with 1 cpu and 1 core. Like in 1992 486 cpu.
Then, my test on modern compi will fail.
Also can be, that now I use a mix of cmpxchg8b, nothing from this, cmpxchg on one compi, because I simulated only one appearence of this function in ntoskrnl.exe. Funny, this is from Cutler, 13. March 1996, now also identic in XP SP3,
THis is the original ExInterlockedFlushSList in XP SP3, first introduced in NT4 Servicepack4,
Hex code 53 55 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 0B 8B CA 66 8B CB 0F C7 4D 00 75 F1 5D 5B C3
.text:0040B0B2 ; Exported entry 7. ExInterlockedFlushSList .text:0040B0B2 .text:0040B0B2 ; =============== S U B R O U T I N E ======================================= .text:0040B0B2 .text:0040B0B2 .text:0040B0B2 public ExInterlockedFlushSList .text:0040B0B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p .text:0040B0B2 push ebx .text:0040B0B3 push ebp .text:0040B0B4 xor ebx, ebx .text:0040B0B6 mov ebp, ecx .text:0040B0B8 mov edx, [ebp+4] .text:0040B0BB mov eax, [ebp+0] .text:0040B0BE .text:0040B0BE loc_40B0BE: ; CODE XREF: ExInterlockedFlushSList+19j .text:0040B0BE or eax, eax .text:0040B0C0 jz short loc_40B0CD .text:0040B0C2 mov ecx, edx .text:0040B0C4 mov cx, bx .text:0040B0C7 cmpxchg8b qword ptr [ebp+0] .text:0040B0CB jnz short loc_40B0BE .text:0040B0CD .text:0040B0CD loc_40B0CD: ; CODE XREF: ExInterlockedFlushSList+Ej .text:0040B0CD pop ebp .text:0040B0CE pop ebx .text:0040B0CF retn .text:0040B0CF ExInterlockedFlushSList endp .text:0040B0CF .text:0040B0CF ; ---------------------------------------------------------------------------With PE Maker I make a relocate of this function in ntoskrnl.exe.
This works(!).
The relocation I do, because the following replacement is bigger than the original Hex code.
I split the cmpxchg8b opcode in 2 parts with lock cmpxchg,
because the 486 cpu understands this. But Bsod. I use Windbg, cant fetch the reason.
I check my hex code several times, find no error. The only thing in my eyes that can happen, is a missing syncronic between the 2 cmpxchg.
This does not happen on cmpxchg8b, because all memory is blocked during this operation.
Here is my last try for the replacement of the ExInterlockedFlushSList
.data:004762B2 ; --------------------------------------------------------------------------- .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList .data:004762B2 .data:004762B2 public ExInterlockedFlushSList .data:004762B2 ExInterlockedFlushSList: ; CODE XREF: sub_45F0DF:loc_45F0F7p .data:004762B2 ; DATA XREF: .edata:off_5AC2A8o .data:004762B2 push ebx .data:004762B3 push ebp .data:004762B4 xor ebx, ebx .data:004762B6 mov ebp, ecx .data:004762B8 mov edx, [ebp+4] .data:004762BB mov eax, [ebp+0] .data:004762BE .data:004762BE loc_4762BE: ; CODE XREF: .data:004762D5j .data:004762BE or eax, eax .data:004762C0 jz short loc_4762DA .data:004762C2 mov ecx, edx .data:004762C4 mov cx, bx .data:004762C7 lock cmpxchg [ebp+4], eax .data:004762CC mov ecx, edx .data:004762CE mov edx, ecx .data:004762D0 lock cmpxchg [ebp+0], eax .data:004762D5 jnz short near ptr loc_4762BE+1 .data:004762D7 nop .data:004762D8 nop .data:004762D9 nop .data:004762DA .data:004762DA loc_4762DA: ; CODE XREF: .data:004762C0j .data:004762DA pop ebp .data:004762DB pop ebx .data:004762DC nop .data:004762DD nop .data:004762DE nop .data:004762DF retn .data:004762DF ; ---------------------------------------------------------------------------I put this via relocation to the new address 4762B2. This is in .data section and not in .text section. But this does not matter, because when I put the original Hex code to this new place, it works. The original place at 40B0B2 I fill with 00 00 00.. for to make sure, that now my function at this new place is used.
I want to get better in Assembler. No free KI for Assembler in Internet. Do you have an idea @Mov AX, 0xDEAD?
Chatgpt, Bard AI and Bing behave like crazy, when it comes to Hex code
Dietmar
1 -
Hi,
I get for few Euro an 486 board with empty Bios battery, Shuttle Hot 433 v1.
Oh crazy, I cant boot this compi without this Dallas battery.
I come to the idea, to modd the Bios, so that it does not longer wait for CMOS error.
From another old compi I put out its Bios chips, because only that chip is an EEprom, can be flashed without crazy UV light.
With EEpromer TL 866 Plus I read the Bios out and modd.
Now the fresh modded Bios recognices also my oldest 8.4 Gbyte harddisk, before it was not recogniced.
For full XP SP3 I need about 1 Gbyte harddisk at minimum.
Next problem was, that this board does not recognice my memory, PCI-graphik , mouse.
The Isa card now is recogniced with name Trident Super VGA from an i386 compi.
Still no mouse. The cache on this board is 256kB.
Just now I work with 4 Mb, which was the only stick, that was recogniced until now, brrr..
Win98SE boots, not slow. I add an AMD AM486 DX4-100 SV8T.
Oh..crazy to set that millions of jumpers. Something must be wrong in the head of those manufakturers, because for example 6 positions for one Jumper, but sometimes they are counted vertical, sometimes horizontal and sometimes mix. About 40 jumpers.
This cpu wants 3 Volt, the board offers ony 3.3 Volt, I choose this.
Voila, Win98SE works!
XP SP3 will be tomorrow;))..
Dietmar
EDIT: The 100MHZ cpu runs hot without any cooler, heatsink or fan.
The DX-33 MHZ cpu before does not need a cooler at all.
EDIT2: I succeed to install 256 MB of ram on this 486 board.
But still no mouse, no working PCI Graphik card.
EDIT3: The PCI GT610 graphik card is not recogniced, may be because it offers also HDMI and not only VGA(?!).
0 -
Off topic:
Soon I make a try to install XP on a i386 cpu, because with real i486 I already succeed.
I got an 386 dx-25 board Octek Jaguar II with 32 MB and will report soon
Dietmar
0 -
I just get my Vobis Highscreen Tower from May 1992 back
.
New Dallas batterie chip, 486 cpu DX 33 MHZ.
With 2x CD-rom, that I bought in 1993.
Oh..soso much fun to install XP SP3 there
Dietmar
1 -
3
-
Break instruction exception - code 80000003 (first chance) nt!KiDispatchInterrupt+0x38d: 804dcbdf f390 pause 1: kd> g Break instruction exception - code 80000003 (first chance) ******************************************************************************* * * * You are seeing this message because you pressed either * * CTRL+C (if you run console kernel debugger) or, * * CTRL+BREAK (if you run GUI kernel debugger), * * on your debugger machine's keyboard. * * * * THIS IS NOT A BUG OR A SYSTEM CRASH * * * * If you did not intend to break into the debugger, press the "g" key, then * * press the "Enter" key now. This message might immediately reappear. If it * * does, press "g" and "Enter" again. * * * ******************************************************************************* nt!DbgBreakPointWithStatus+0x4: 804e2a42 cc int 3 0: kd> g *** Fatal System Error: 0x0000007e (0xC0000005,0x00000000,0xF789E168,0xF789DE64) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Thu Feb 29 19:05:36.031 2024 (UTC + 1:00)), ptr64 FALSE Loading Kernel Symbols .............................. Loading User Symbols ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7E, {c0000005, 0, f789e168, f789de64} Probably caused by : NDIS.sys ( NDIS!ndisMQueryNetworkAddress+23 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 804e2a42 cc int 3 11: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 00000000, The address that the exception occurred at Arg3: f789e168, Exception Record Address Arg4: f789de64, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher bertragen. FAULTING_IP: +1f451c801f451e8 00000000 ?? ??? EXCEPTION_RECORD: f789e168 -- (.exr 0xfffffffff789e168) ExceptionAddress: 00000000 ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000000 Attempt to read from address 00000000 CONTEXT: f789de64 -- (.cxr 0xfffffffff789de64;r) eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0 eip=00000000 esp=f789e230 ebp=f789e250 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 00000000 ?? ??? Last set context: eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0 eip=00000000 esp=f789e230 ebp=f789e250 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 00000000 ?? ??? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher bertragen. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000000 READ_ADDRESS: 00000000 FOLLOWUP_IP: NDIS!ndisMQueryNetworkAddress+23 bac63a56 e6ff out 0FFh,al FAILED_INSTRUCTION_ADDRESS: +23 00000000 ?? ??? BUGCHECK_STR: 0x7E ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to 00000000 SYMBOL_ON_RAW_STACK: 1 STACK_ADDR_RAW_STACK_SYMBOL: fffffffff789d9e0 STACK_COMMAND: dps fffffffff789d9e0-0x20 ; kb STACK_TEXT: f789d9c0 6c674a6f f789d9c4 6e666e67 f789d9c8 ee776a67 f789d9cc 6a676a67 f789d9d0 7e647a66 f789d9d4 7b667866 f789d9d8 38063a0e f789d9dc bac63a56 NDIS!ndisMQueryNetworkAddress+0x23 f789d9e0 3a063a06 f789d9e4 3a063206 f789d9e8 91ea67db f789d9ec c37cf2f2 f789d9f0 f1ea779b f789d9f4 e3ff5070 f789d9f8 b1eb67d3 f789d9fc e3fed2f2 f789da00 00008070 f789da04 00000000 f789da08 8071e0fe hal!HalpGetFeatureBits+0x52 [e:\xpsp1\nt\base\hals\halmps\i386\mphal.c @ 1097] f789da0c 00000001 f789da10 f78feb3c f789da14 f78feb38 f789da18 f78feb38 f789da1c 00008070 f789da20 00000000 f789da24 00000000 f789da28 756e6547 f789da2c 49656e69 f789da30 6c65746e f789da34 00d1e300 f789da38 00000000 f789da3c 00000000 SYMBOL_NAME: NDIS!ndisMQueryNetworkAddress+23 FOLLOWUP_NAME: MachineOwner MODULE_NAME: NDIS IMAGE_NAME: NDIS.sys DEBUG_FLR_IMAGE_TIMESTAMP: 48025d03 IMAGE_VERSION: 5.1.2600.5512 FAILURE_BUCKET_ID: 0x7E_NULL_IP_NDIS!ndisMQueryNetworkAddress+23 BUCKET_ID: 0x7E_NULL_IP_NDIS!ndisMQueryNetworkAddress+23 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7e_null_ip_ndis!ndismquerynetworkaddress+23 FAILURE_ID_HASH: {6cac7e57-f19c-4081-7e29-9f6a6f30cf6b} Followup: MachineOwner ---------1 -
nt!KiDispatchInterrupt+0x393: 804dcbe5 3b6d00 cmp ebp,dword ptr [ebp] 11: kd> p nt!KiDispatchInterrupt+0x396: 804dcbe8 740d je nt!KiDispatchInterrupt+0x3a5 (804dcbf7) 11: kd> p nt!KiDispatchInterrupt+0x3a5: 804dcbf7 83bb2801000000 cmp dword ptr [ebx+128h],0 11: kd> p nt!KiDispatchInterrupt+0x3ac: 804dcbfe 74d7 je nt!KiDispatchInterrupt+0x385 (804dcbd7) 11: kd> p Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host. Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name. Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host. Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name. Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host. Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name. nt!KiDispatchInterrupt+0x38d: 804dcbdf f390 pause 10: kd> p2 -
This is Bsod surrounding without any breakpoint, Windbg continous with "p", F10,
Dietmar
2 -
I have your hal.pdb integrated.
Now I get this,
looks like kind of loop, or if something cant be found
Dietmar
2 -
1
-
A first run shows only the same error as you have, that someone tries to write in forbidden memory
Dietmar
*** Fatal System Error: 0x0000007e (0xC0000005,0x00000000,0xF789E168,0xF789DE64) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Wed Feb 28 18:25:27.820 2024 (UTC + 1:00)), ptr64 FALSE Loading Kernel Symbols .............................. Loading User Symbols ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7E, {c0000005, 0, f789e168, f789de64} Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 804e2a42 cc int 3 11: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 00000000, The address that the exception occurred at Arg3: f789e168, Exception Record Address Arg4: f789de64, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher bertragen. FAULTING_IP: +150b5800150b78 00000000 ?? ??? EXCEPTION_RECORD: f789e168 -- (.exr 0xfffffffff789e168) ExceptionAddress: 00000000 ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000000 Attempt to read from address 00000000 CONTEXT: f789de64 -- (.cxr 0xfffffffff789de64;r) eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0 eip=00000000 esp=f789e230 ebp=f789e250 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 00000000 ?? ??? Last set context: eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0 eip=00000000 esp=f789e230 ebp=f789e250 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 00000000 ?? ??? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher bertragen. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000000 READ_ADDRESS: 00000000 FOLLOWUP_IP: +150b5800150b78 00000000 ?? ??? FAILED_INSTRUCTION_ADDRESS: +150b5800150b78 00000000 ?? ??? BUGCHECK_STR: 0x7E ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to 00000000 STACK_TEXT: f789e22c 00000000 00000000 00000000 f74774fc 0x0 STACK_COMMAND: kb SYMBOL_NAME: ANALYSIS_INCONCLUSIVE FOLLOWUP_NAME: MachineOwner MODULE_NAME: Unknown_Module IMAGE_NAME: Unknown_Image DEBUG_FLR_IMAGE_TIMESTAMP: 0 IMAGE_VERSION: FAILURE_BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7e_null_ip_analysis_inconclusive FAILURE_ID_HASH: {dfedf0b5-2624-ece8-95fa-645295e3260a} Followup: MachineOwner ---------1 -
First I make small joke, just replace acpi.sys, halmacpi.dll and ntoskrn8.sys with your version on the XP SP3
Setup xp.iso.
But during the "Setup is inspecting your hardware configuration" comes message, that "acpi.sys is damaged".
Now I setup with the original files and debug
Dietmar
1 -
Yes, I fixed everything that is possible on the HP 255 g6 board. Now, there is ACPI-Multprocessor with mostly all drivers.
A lot of other notebooks boot with the same idea XP SP3 now, which show before Bsod, not direct related to acpi.sys.
All those Bsods happen because of their VGA settings in DSDT and their internal VGA cant be disabled via Bios.
Now I am just setting up a new XP SP3 on my Asrock z370 k6 board.
Without any extra driver, just naked and ready for debug.
This is possible, because it can use PS/2 for mouse and keyboard. Then I add your acpi.sys, hal.dll and ntoskrn8.sys.
Soon I report
Dietmar
2 -
Hi,
if somebody has interest for the whole ACPI Multiprocessor XP SP3 for the HP 255 g6,
just mail me
Dietmar
EDIT: This image works also for the HP 15-bw000ng.
But the Paragon 17 tool has problems with different sizes of harddisks.
1.) Unzip with 7zip all files. 2.) With Rufus 2.18 put the Paragon.iso to an empty USB stick. 3.) After this, copy the Job-202402251402635 (contains the XP SP3 image) to the same USB stick. 4.) Put the USB stick to the HP 255 g6 notebook. Be sure, that the harddisk from the HP 255 g6 is empty or can be formatted with NTFS and MBR. 5.) Boot the HP 255 g6 from this USB stick (F9). 6.) Extract the full ACPI-Multiprocessor XP SP3 image in Job-202402251402635 to this harddisk in the HP 255 g6 via Paragon. Good luck Dietmar1 -
And waaoh
,
now the HP 255 g6 is soso much faster than before. All videos at youtube in HD without any stopping.
Much faster XP SP3 than with win7 SP1 bit 32 or Win10 bit64.
Geekbench 2.4 (bit32) shows 2521 points with XP,
2200 with win7 sp1 bit 32
1800 with win10 bit 64
Dietmar
0 -
Yesssa, I got it
. Now I have 2 entries for processor in Device Manager
It belongs to DSDT.
In modmodmod DSDT I write now for the shortest possible way for the processor definition
Dietmar
Scope (_PR) { Processor (C000, 0x00, 0x00000410, 0x06){} Processor (C001, 0x01, 0x00000410, 0x06){} Processor (C002, 0x02, 0x00000410, 0x06){} Processor (C003, 0x03, 0x00000410, 0x06){} }
0 -
I get everything to work under Acpi Multiprocessor on the HP 255 g6 board.
Only one thing I do not understand.
Why is only one processor shown in Device Manager.
For sure, I make all correct in registry for the other processor also. This AMD E2-9000e is strange, because on Win7 it shows 2 processors
but also only 2 threads. The same is true for the Lenovo board with the same XP SP3 as for the HP, with the same AMD E2-9000e cpu. There also 2 processors are shown but also only 2 threads all together via Task Manager.
I tried a lot, only one processor is shown, when I start from Standard PC.
It seems, that when I use in first place "Standard PC", that at an unknown place is written,
that this means only one processor
Dietmar
0 -
I also succeed with next DSDT mod to setup XP SP3 on the
HP 15-bw000ng.
Without DSDT mod, XP SP3 shows Bsod
Dietmar
1 -
Yepp,
both devices are in the DSDT from the HP but NOT in the DSDT of the Lenovo.
EDIT: Yes, I succeed to integrate the HP PS/2 keyboard and PS/2 mouse into the modded DSDT from Lenovo.
There is a driver from HP for XP(!) for this keyboard. And the PS/2 mouse is simply the touchpad.
So, still it seems that the reason for Bsod with original HP DSDT is the settings for VGA in its DSDT.
Device (KBC0) { Name (_HID, EisaId ("HPQ8001")) // _HID: Hardware ID Name (_CID, EisaId ("PNP0303") /* IBM Enhanced Keyboard (101/102-key, PS/2 Mouse) */) // _CID: Compatible ID Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings { IO (Decode16, 0x0060, // Range Minimum 0x0060, // Range Maximum 0x01, // Alignment 0x01, // Length ) IO (Decode16, 0x0064, // Range Minimum 0x0064, // Range Maximum 0x01, // Alignment 0x01, // Length ) IRQNoFlags () {1} }) } Device (PS2M) { Name (_HID, EisaId ("SYN3254")) // _HID: Hardware ID Name (_CID, EisaId ("PNP0F13") /* PS/2 Mouse */) // _CID: Compatible ID Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings { IO (Decode16, 0x0060, // Range Minimum 0x0060, // Range Maximum 0x01, // Alignment 0x01, // Length ) IO (Decode16, 0x0064, // Range Minimum 0x0064, // Range Maximum 0x01, // Alignment 0x01, // Length ) IRQNoFlags () {12} }) }1 -
I take a look via Task Manager.
There are 2 Threads. So, this cpu from AMD E2-9000e has one (2?) core with all together 2 threads
Dietmar
EDIT: Under win7 SP1, there are 2 entries in processor in Device Manager.
The same 2 entries for XP SP3 on the Lenovo board with the same E2-9000e cpu.
But always only 2 entries for cpu in Taskmanager can be seen.
So, my modd of the Registry miss something. I think it happens, because with "Standard PC" you have only always one cpu with one core and one thread. The numbers of processors should be 2 here always, each with one Thread.
PS: Still I do not find the reason, why the HP 255 g6 crashes under XP SP3 with its orignial DSDT from HP.
Mostly all of the notebooks from HP around 2017-2018 have this problem under XP.
Now I think, the reason for this may be the PS/2 keyboard, because I do not find any device for this keyboard,
no HID, no USB no PS/2 device under XP. EDIT: The Bsod is not because of this PS/2 keyboard or PS/2 mouse.
I edit the Registry of the HP and modd the DSDT from Lenovo as careful as this is possible.
On win7 SP1 bit 7 on this HP notebook,
the Device Manager tells about the keyboard: PS/2 device: Acpi\HPQ8001
But tells also about an PS/2 mouse with: Acpi\Syn3254 , it is the Touchpad.
1
Compiling ACPI v2.0 driver for Windows XP SP3 and Windows 2003 SP2 (x32/x64)
in Windows XP
Posted · Edited by Dietmar
@PPeti66x
A nice solution for this would be,
when at the moment, when opcode for cmpxchg8b is asked from a file for the 486 cpu,
that there is something like a tender between the opcode and the cpu,
that makes exact the same operations on all the registers, that cmpxchg8b is doing.
It would be like a software simulation for cmpxchg8b direct before the cpu.
The program for this can be done in C language.
I will call it 486.dll .
At once, such an XP would work on 386, 486 586 686 cpu with all functionality.
And once it has been done one time, crazy work,
other unknown opcodes for other cpu can be done the same way.
Dietmar
PS: @Mov AX, 0xDEAD I remember, that you have a tool, that can check, if 2 binaries are doing the same.