US007290175B1

(12) United States Patent (10) Patent N0.: US 7,290,175 B1 Kessler et a]. (45) Date of Patent: Oct. 30, 2007

(54) FORCING A MEMORY DUMP FOR 6,543,010 B1* 4/2003 Gaudet et a1...... 714/45 COMPUTER SYSTEM DIAGNOSIS 6,697,973 B1 * 2/2004 Baumeister et a1...... 7l4/55 6,738,932 Bl * 5/2004 Price ...... 7l4/38 (75) lnvemorsi 23mg“? L Kessler, West chisters PA 7,010,724 B1 * 3/2006 Hicok ...... 714/39 US ; Robert J. Ohren, C ester Springs, PA (US) (73) Assignee: glsiiys Corporation, Blue Bell, PA OTHER PUBLICATIONS BIOSihttp://en.wikipedia.0rg/wiki/BIOS.* ( * ) Nonce: subleqw any ((111S(C11a1me5{ the fiermdof ?glg Storage deviceihttp://en.wikipedia.org/wiki/Storagefdevice.* patent 1s exten e or a Juste un er U.S.C. 154(b) by 530 days. * cited by examiner p10‘Z Primary ExamineriYolanda L Wilson (74) Attorney, Agent, or FirmiRlchard J. Gregson (22) Filed: Aug. 25, 2003 (57) ABSTRACT Related US. Application Data (60) 52021830211211 application NO‘ 60/405’951’?1edOnAug' Diagnostic memory images are obtained from a computer ’ ' system when a system freezes or fails to take a memory dump when otherwise needed. A computer system provides (51) Int. Cl. an lmproved. mechamsm. for obtalmng. . a memory dump of G06F 11/00 (2006.01) . . . 52 U 5 Cl 71467 71464 the contents of the memory assoc1ated w1th the part1cular ( ) I...... , ...... , Computing system When a system freeze or Crash Occurs (58) Field of Classi?cation Search ...... 714/23, The Computing System may also correspond to a Software _ _ 714/21’ 24’ 34’ 37’ 242 partition running within a computing system. A software See apphcanon ?le for Complete Search hlstory' partition corresponds to a subset of the hardware under (56) References Cited control of an instance of an operation system executing on a full computer system. US. PATENT DOCUMENTS

6,226,761 Bl* 5/2001 Berstis ...... 714/37 29 Claims, 7 Drawing Sheets

@ .6 é U.S. Patent 0a. 30, 2007 Sheet 1 0f 7 US 7,290,175 B1

( W" > 12 mam bytehffewim 4 / tfesnea'pawm [#7

Witethebdferto thefistSlogjcd md?'e WM

Fig. 1 U.S. Patent 0a. 30, 2007 Sheet 2 0f 7 US 7,290,175 B1

19 \

21

SetupGIobalDescriptorTable

22 > 20

ForceDump

J

U.S. Patent 0a. 30, 2007 Sheet 4 0f 7 US 7,290,175 B1

45A 41 /

For K=0 wbu?er y K 0? KH 42 \ YT Gob Start thewrite yes——> buffer and Protected Nbde wr?nue 43 45 \ "° > ‘

Repeating F|Il the read buffer I 7‘

A 44 45B no yes —\ r ‘ 45C Reunn to / Real-ajdrais NewEntry AddEnh'y Mocb

J

Is the write bufferfml'? "° ’ / Y? 40 WriteToDsk L46 Fig. 4 U.S. Patent 0a. 30, 2007 Sheet 5 0f 7 US 7,290,175 B1

31 242322212019 161514131211 6 7 0 D A Seq. 0 Base 31:24 G .r 0 v Llmit P P 8 Type Base 23:16 4 5 L 19:16 |_

31 1s 15 0

Base Address 15:00 Segment Limit 15:00 0

AVL — Available for use by system software BASE — Segment base address D1’B — Default operation size (0 = 16-bit segment; 1 = 32-bit segment) DPL - Descriptor privilege level G — Granularity LlMiT -- Segment Limit P — Segment present 8 —- Descrlptoa' type (0 = system; 1 = code or data) TYPE -— Segment type Fig. 5 U.S. Patent 0a. 30, 2007 Sheet 6 0f 7 US 7,290,175 B1

IP’s

Caches‘

A

Fig. 6 U.S. Patent Oct. 30, 2007 Sheet 7 0f 7 US 7,290,175 B1

[70

Memory may not be present f"

Code Cloud

Consolidator Reserved Smear Memory BCD

Memory may not be present

Fig. 7 US 7,290,175 B1 1 2 FORCING A MEMORY DUMP FOR SUMMARY OF THE INVENTION COMPUTER SYSTEM DIAGNOSIS This invention provides a system and method for obtain RELATED APPLICATIONS ing diagnostically useful memory image from a computer system When the system freeZes or fails to take a memory This patent is based on and claims priority from the dump. The computer system may be a partition (subset of the Provisional Application Ser. No. 60/405,951, ?led Aug. 26, hardWare under control of an OS) or a full system. 2002. A computer system is considered froZen or hung When it no longer responds to input from the keyboard or mouse, or BACKGROUND raising of an NMI (N on-maskable ), or fails to take a memory dump. This patent relates generally to computer operating sys The folloWing provides a summary of the components tem and BIOS level features for providing enhanced debug that are used by the preferred embodiment to provide the ging capability to users and builders of large-scale computer Boot Crash Dump feature. systems, particularly multiprocessor computer systems. It OS () component or driveriThis com can be applied to such Systems having Service Processors ponent is used on Systems that do not collect information and to those Which do not have Service Processors. about the OS key components until the OS is about to take a crash dump. The purpose of this component is to gather Computer systems that stop running, hang, or freeze, need key information about the System on Which it is running and to be studied to ?nd out What Went Wrong, in order to ?x the problem With some degree of con?dence. Traditionally this 20 store it in memory in a Way that it can be found later (either by storing it at a ?xed location or storing it in non meant dumping the core memory and looking at the data in overlayable memory With tags around the structure (other it to discover What Went Wrong. While there are many other methods may be used for making the structure identi?able)). things one can do, this traditional operation is still valuable. Unfortunately, rebooting the System destroys the memory The information gathered is later used by the OS’s dump image from the failure. Traditional methods relied on debug 25 analysis tool. ging the problem in real-time, looking at the memory live. Storage device (removable, ?xed, or netWorked) for stor ing the memory imageiThis is preferably a disk drive that This approach is impractical from a customer point of vieW is accessible from BIOS boot as one of the ?rst 8 disks Which Where the system needs to be halted for an undetermined the BIOS normally has ready access to. It must be large amount of time. 30 enough to hold the dumped contents of System memory. Unfortunately, many modern systems don’t have a Way to Although, any type of storage that is accessible by the BIOS dump the core memory from such systems Without a process or a BIOS driver can be used. The storage can be comprised or hardWare to prevent the memory image from being of a single storage unit or multiple storage units. This storage corrupted ?rst. For example, When a running an or other unit is identi?ed in the System by a “dump” pattern that is INTEL-architecture operating system, and it “freezes” (that 35 Written by the Smear program. is, it no longer responds to input or raising of an NMI A Smear applicationiThis is an application that can be (Non-maskable Interrupt) or fails to take a memory dump), used to Write a recogniZable “dump” pattern to a storage it is very dif?cult to diagnose the problem Without the ability device. It is used to prepare the storage device (removable to capture the contents of memory for analysis, but there is or ?xed) for use by the Boot Crash Dump feature in our no current facility to obtain the needed uncorrupted memory 40 preferred embodiments. dump. Thus, X86 and other INTEL-architecture operation BIOS or Service Processor support for Boot Crash system computers can bene?t from such a facility and Would DumpiIn order for Boot Crash Dump to capture a true be a valuable contribution to the use of the technology. dump of a System, the ?rst 4 Meg bytes of the System The inventors herein employ the process itself to memory must be preserved immediately folloWing the inci assist in capturing the memory image, Which is unlike the 45 dent that required the System to be dumped. This is prior designs Which used non-reboot processes for looking at explained in further detail later in this document. The BIOS the memory images. Further, We are able to send the memory and platform must also support the partition Without image to long term storage for analysis at a later time and/or reinitialiZing the memory contents. When taking a Boot other location. Crash Dump the BIOS should not do any destructive Appropriate background documentation for understand 50 memory testing. ing the X86 environment include: The Boot Crash Dump (BCD) applicationiThis is a 1. MICROSOFT WINDOWS operating system 2003 BIOS application that is usually available on a bootable DDK (build 3790)4contains the compilers used for the media, such as ?oppy or CDROM. Its purpose is to capture BCD program. the contents of the System memory, compress it and store it 2. The Undocumented PC 2'” edition (for INT informa 55 to the storage device mentioned above. It searches for a tion) ISBN 0-201-47950-8ifor the documentation of storage device, such as one of the ?rst 8 disks visible to the BIOS INT 10h, INT 13b, and INT 15h interfaces. BIOS, With the “dump” pattern and takes a dump of the System memory to that storage device. It is strongly pre 3. IA-32 INTEL microprocessor Architecture SoftWare ferred that it Will ONLY take a dump to a storage device that Developer’s Manual Volumes 1-3 (Order numbers 60 contains the “dump” pattern in order to avoid overWriting 245470, 245471, and 245472). user data. Other methods for setting aside a save area for the 4. Advanced Con?guration and PoWer Interface Speci? dump may also be used if desired. Note: We prefer to begin cation Revision 2.0 Jul. 27, 2000 Chapter 15 for the With a “smear program” to safely prepare storage device System Address Map Interface. (removable or ?xed usually a disk drive, for example). The It should be noted that the concepts taught herein can be 65 method of using a previously prepared storage device applied to IA64, EFI, and possibly other processor computer ensures that user data is not overWritten by the Boot Crash environments With appropriate modi?cation. Dump program. This behavior is optional. US 7,290,175 B1 3 4 A Consolidator applicationiThis is What We call an memory-dumping program (Boot Crash Dump (BCD)) that application that is used to consolidate the dump that Was either resides on bootable media (on a ?oppy/CDROM/etc.) captured and saved to the storage device by the BIOS or is a BIOS extension. application mentioned above. The storage device on Which The memory-dumping program (BCD) captures all usable the dump Was taken must be moved to a running OS system system memory above the loWer portion already preserved Where this application is run. This application decompresses by the Service Processor or BIOS, and transfers it to a the dump, locates the region containing the ?rst 4 Meg bytes storage device. This is done in such a Way that the associa of memory saved by BIOS or Service Processor and formats tion betWeen the contents of the memory and its physical the result into a dump ?le. This application is necessarily OS address is maintained. The memory ranges (E820 informa centric. Each OS has its oWn dump analysis tool and the tion) are also stored to the storage device. format of the dump ?le is speci?c to the tool. Likewise, each OS may have particular information that it uses for essential To make the raW system memory analyZable by a dump features and in applying this invention to such OSs, the user analysis tool, the memory needs to be consolidated and should take care to preserve the information for use by their formatted into the layout expected by the dump analysis Consolidator program. For Systems running Windows, the tool. Each OS has its oWn dump analysis tool and format the application Would create a DMP ?le that can then be tool expects for the dump ?le. For open source systems, it is analyZed by MICROSOFT® WinDbg. The reader of ordi easier to derive the dump ?le layout. HoWever, for a nary skill in this art is expected to be thoroughly familiar proprietary OS this is a dif?cult (if not impossible) task. A With the OS system being catered to in implementing this Consolidator program is used to decompress the dump, invention as Well as the System in Which it Will be used. 20 locate the region containing the ?rst 4 Meg bytes of memory A ?rst part of the method and system generally provides saved by BIOS or Service Processor and format the result a Way to dump the contents of system memory essentially as into a dump ?le. This application is OS centric. it exists at the point of a freeZe of the System, after the One piece of critical information needed for analyZing a System has been rebooted. This is accomplished by either 25 froZen system is the contents of the internal registers of the using a modi?ed BIOS or a Service Processor, and a processor at the time the system stopped responding (reg bootable program to capture the memory image to some isters such as: eax, ebx, ecx, edx, esi, edi, eip, esp, ebp, cs, storage device (removable or ?xed). ss, ds, es, fs, gs, e?, cr0, cr2, cr3, cr4, gdtr, gdtl, idtr, idtl, tr, A second part of the method and system describes a means and ldtr to name a feW). Unfortunately, the information on to make the memory dump image readable by operating 30 hoW to access these registers from a Service Processor system’s memory dump analysis tools. For some Operating (using JTAG or other interfaces) is proprietary to the pro Systems, such as MICROSOFT® WINDOWS, that do not cessor chip manufacturer and not generally available With collect information about the OS key components until the out access to con?dential information. One method to cap OS is about to take a crash dump, an active piece of ture the register information is to use System Management softWare, such as a driver, collects physical addresses of 35 necessary OS speci?c information needed to analyZe the Mode (SMM). This requires support of SMM from the BIOS dump, and stores it into permanent memory before the and the use of a Service Processor to raise the System system freeZes/hangs. This can generally be done When the Management Interrupt (SMI). The particulars of this Will be OS instance that runs the System is ?rst started. The unique to each individual computer system. The ES7000 information collected must be stored in a Way or a place that multiprocessor computer system from Unisys uses the TAP 40 is knoWn or identi?able so that the Consolidator program linker (an IEEE standard interface) to communicate data can later ?nd it. betWeen the System and the Service Processor using JTAG The act of rebooting a System changes the contents of softWare conventions. memory. The ?rst several MB of memory and certain other Even Without the processor register information, the locations are used by the BIOS or other basic operating 45 dump still contains valuable information about What Was system for its code and stack. Also, many Write happening When the system froZe. We are able to locate the memory during the discovery/testing of memory. One stacks the processors are running on, but We Will not be able approach is to access the memory through the use of a to pinpoint the exact location in the stack the processor Was Service Processor associated With the System, in order to executing or the code being executed. preserve the memory about to be overWritten through the 50 subsequent system initialization. A method for preserving Note that the folloWing conditions are not addressed by our the ?rst several MB of memory is to have the Service BCD program: Processor, using an existing hardWare associated mainte Broken hardWare Which cause the integrity of the memory nance interface Which provides access into the froZen sys to be corrupted; systems not bootable; and no accessible tem, capture the contents of the memory and transfer these 55 storage device to preserve the memory contents. contents to a storage device. Another method is to use the Also, it is relevant to note that When We discuss a Service Processor to set a ?ag to signal a modi?ed BIOS to Maintenance Interface, We are talking about one that pro copy the ?rst several MB of memory to a reserved area of vides the interface for the Service Processor to access the memory. The BIOS Was also modi?ed to ensure that it only hardWare state (read/Write) and identi?cation information. In executes and stores data in the preserved memory region 60 the preferred embodiment it may utiliZe the Command (Speci?cally, and most importantly, it does not do memory Management Interface (CMI), Which is based on IEEE testing, Which Would destroy the contents of the main 1149.1, also called JTAG. Also When We talk about the memory Which We are trying to preserve.) The Service Service Processor, in the Unisys ES7000 computer systems Processor also gathers all relevant hardWare state informa this is a separate entity (PC, embedded system) that can tion to be used later during analysis. 65 connect to and can drive the maintenance interface. Other Once the BIOS or other basic operating system has systems can use similar maintenance systems as may be ?nished its function, control is then transferred to the desired. US 7,290,175 B1 5 6 BRIEF DESCRIPTION OF DRAWINGS control of the OS. Pointers to or data from these should be identi?able through information in the header to the ?le that FIG. 1 is a How diagram of a program for preparing a the Consolidator produces in order to alloW the debug storage device (removable or ?xed such as a disk drive) to facility to ?nd them. Such memory areas should clearly be accept a crash dump in accord With a preferred embodiment saved if We Want to have the optimum diagnostic memory of the invention. dump. In the OS, these structures and resources are in FIG. 2 is a high level How diagram of a boot crash dump What is called a MAP ?le. program How in accord With a preferred embodiment of the In systems having multiple partitions With different types invention. of OSs running in them, clearly adaptations for the OS for FIG. 3 is a How diagram of program How for the Force each partition Will be required. Dump procedure of the preferred embodiment of the inven For the BCD to successfully dump the full contents of tion. memory, the region of memory modi?ed by the BIOS needs FIG. 4 is a How diagram of program How for the dumping to be captured before the BIOS changes it during the neW loop of the preferred embodiment of the invention. boot sequence. The most straightforWard approach is to FIG. 5 is a block diagram of the descriptor format used in modify the BIOS to help in the collection and maintaining the preferred embodiment. of the contents of memory. These changes are described in FIG. 6 is a block diagram of a typical computer system for the folloWing section. Which this invention may be employed. If the BIOS does not support our BCD and the ability to FIG. 7 is a limited memory map diagram of a main modify the BIOS code is not available, there are a couple of memory for a computer system such as the computer system 20 rules the BIOS must adhere to, in order for BCD to Work of FIG. 6, employing the invention. properly and assure that the data that needs to be dumped does not get overWritten. This unmodi?able BIOS (or one DETAILED DESCRIPTION OF THE modi?ed to Work With our BCD) must support the ability to PREFERRED EMBODIMENT turn off any destructive POST memory tests. The BIOS 25 should not Write to any memory above 4 MB that is not The preferred embodiment employs a program that We marked reserved in the E820h. The system must be capable call “Boot Crash Dump” (BCD) for obtaining a diagnostic of capturing the ?rst 4 MB of memory to some form of memory image from a non-responding X86 computer sys external storage. Systems such as the Unisys ES7000 con tem (a system that is hung/froZen or fails to take an Oper tain a Service Processor Which can capture the ?rst 4 MB of ating System (OS) initiated memory dump) by collecting the 30 memory, and it is capable of running a TCL (Tool Command memory image after the system is rebooted. Language) script that uses a JTAG interface to capture the Typical computer systems for Which this invention may ?rst 4 MB of memory of a partition and store it on the be used are similar in basic design to that system 60 shoWn Service Processor’s hard drive. This captured memory can in FIG. 6. The Service Processor 65 has access to the bus 64 later be transferred to another system to be combined With (and/or through other means (such as a TAP linker interface 35 the contents of memory captured by the BCD program. (We using JTAG, not shoWn)) to the other components of the use 4 MB because that is the area dedicated to the BIOS computer 61. This system has a single main memory 62 and initial load typically, if using this invention for other systems a number of instruction processors and their caches 63 the 4 MB siZe may be varied.) Which also access the bus 64 for moving data around the The BCD Program is loaded from a bootable media; in the computer 61. Some multiprocessor computer systems Will 40 present system this is either a bootable ?oppy or CDROM by have the main memory divided amongst the processor units a loader program on the bootable media. The BCD’s main as cells, but this invention can Work With such designs as function is to dump the contents of memory above 4 MB to Well. A console or af?liated system 67 Will be available a storage device that has preferably been prepared by a through Which a bootable volume may be provided. Smear program. The easiest storage devices to capture the The memory 62 is redraWn in FIG. 7 as a logical memory 45 contents of memory are ones that are supported by the BIOS, space 70, pointing out the ?rst four megabytes of storage 72, ie one of the ?rst eight enumerated hard drives discovered also knoWn as Lo Mem, Which is copied into the reserved by the BIOS. To use a different storage device, a BIOS region of memory beloW 4 GB also knoWn as Hi Mem space may need to be Written. There are BIOS drivers 73 as indicated elseWhere in this description for the pre that support other types of long term memory devices and ferred embodiment. The three main softWare components 50 these may be easily substituted as the media to capture the illustrated in the code cloud 71 are sWapped into and out of contents of memory if desired and Where appropriate. The the main memory space 70 as needed to run. storage device used can be comprised of multiple storage The act of rebooting the system generally changes the devices. In our preferred embodiment, to ensure that the contents of memory. The BIOS uses the system memory dump does not overWrite storage With valid data on it, the beloW 4 MB for the BIOS (Basic Input Output System) 55 BCD veri?es that the ?rst 3 sectors of a storage device code, stack, local data and so forth. Many BIOS’s test contains a predetermined pattern. Prior to the system ever memory during POST (PoWer On Self Test) including failing, the Smear program is run on a storage device and address line tests, read/Write tests of conventional and overWrites the ?rst feW sectors With a pattern knoW by the extended memory, etc. These tests can change the memory BCD program. This storage device is then set aside. There image that needs to be dumped, thus making the contents 60 are many other Ways to ensure that the storage device used after the BIOS boots unusable for diagnostic purposes. by the BCD program is ok to overWrite. This checking is Some BIOS’s use regions of memory above 4 MB as scratch optional. The BCD program also veri?es that the storage memory for building structures such as the ACPI tables device chosen is at least 1.5 times the siZe of memory to be (such as the MAPIC tables). These tables are required by copied. (1.5 times the siZe of memory Was chosen to alloW PnP (Plug n Play) architecture. Other OSs may have other 65 room for the maximum siZe of a badly compressed ?le and structures and procedures saved to various designated alloW the ability to skip over bad sectors, other siZe multi memory regions to set up the running of the system under pliers can clearly be chosen if desired.) US 7,290,175 B1 7 8 The BCD Program initially runs in Big and The bootable ?oppy/CDROM is removed from the sys then switches back and forth betWeen Big Real Mode and tem and the storage device used by the BCD program may . (These names for modes are documented in or may not be removed publicly available INTEL microprocessor Architecture Later, on the original system or on another system, the manuals). When running in Protected Mode, BCD uses Consolidator Program runs and creates a dump ?le that PSE-36 Page Mode. PSE-36 Page Mode is supported on contains the contents of memory that has been dumped to the INTEL X86 processors of INTEL-type “PENTIUM III” prepared storage device. The exact format of the dump ?le microprocessor and later. created by the Consolidator program is dependent on the OS When in Real Mode, the BCD Program using the BIOS version running on the system at the time of the failure. The interrupt interface to Get System Memory Map E820 (INT resulting dump ?le is then used in the analysis of the cause 15h), Read/Write and get hard drive information (INT 13h), of the system failure (Why the system from or hung). and initialiZe the console screen (INT 10h). When in Pro Compilers used to compile the preferred embodiment tected Mode, the BCD Program copies and compresses the Boot Crash Dump Program are MICROSOFT® C/C++ system memory to a buffer allocated beloW 4 MB. The buffer Compiler Version 8.00c, and MICROSOFT® MASM com is Written out in 127K blocks to the prepared hard drive piler 6.15.8803, and MICROSOFT® Linker version using INT 13h. After all the memory has been compressed 5.60.339 (Which are included in the WindoWs 2003 DDK in and Written to the hard drive, the BCD Program Halts. the bin16 directory). The compiler used to compile the The use of data compression by the BCD Program is preferred embodiment Smear Program, and the preferred optional, but in a large majority of the time, using compres embodiment Consolidator Program is MICROSOFT® sion signi?cantly decreases the amount of time needed to 20 VISUAL STUDIO 2002 C/C++ Compiler Version Write the contents of memory to the hard drive. The type of 13.00.9466. compression used by BCD is a Real Time Compression algorithm although any one of the many compression algo BIOS Modi?cation rithms available could have been used. The BIOS modi?ed and used in the preferred embodiment 25 Was the PHOENIX Desktop BIOS Version 4 release 6, The general How of the process is as folloWs: although other vendor’s BIOS should be able to be modi?ed Prior to failure, a hard drive or other storage device to achieve the same functionality. (removable, ?xed, or remote) that contains at least 1.5 times The BIOS initially is loaded and runs in a reserved 256K the siZe of the memory of the computer system is prepared region of memory, Which in the PHOENIX BIOS is at by the Smear Program Which reserves the storage device by 30 C0000H to F0000H. This region is a shadoW copy of loading it With easily identi?able data. The smeared storage memory at FFFCOOOOH to FFFFOOOOH (System ROM). Part device is preferably of the same type of hard drive (IDE, of the 256K region of memory contains the BIOS Setup SCSI, FIBRE, etc.) as the ?rst eight hard drives enumerated utility. by the BIOS, as mentioned above. Although other BIOS There are tWo preferred methods for triggering the BIOS supported storage media devices can be used. This is accom 35 to copy ?rst 4 MB of memory to the reserved region of plished in the preferred embodiment as per the How chart 10 memory. One method is to add a neW setup option Which of FIG. 1. The folloWing assumes that one of the ?rst eight When set causes the BIOS to copy the ?rst 4 MB of memory. enumerated hard drives is used to take the dump to. The setup option is then reset after the memory has been Later, after the system has froZen or hung: copied. (BIOS setup is usually invoked by hitting the F2 key The prepared storage device is installed into the system as 40 during the booting of the system.) The draW back for using one of the ?rst eight hard drives enumerated by the BIOS (or the setup option is that it causes the system to be rebooted if a different from the preferred form is used, one of the again. The second method is to have a Service Processor set enumerated knoWn storage device (removable or ?xed)). a speci?ed bit in the CMOS (or con?guration data bit) to The bootable ?oppy or CDROM containing the BCD specify coping the ?rst 4 MB of memory. While the BIOS program is inserted into the system by an operator. 45 is running in the reserved 256K region of memory, it checks In the preferred embodiment, the operator indicates to the to see if the bit is set and if so copies the ?rst 4 MB of modi?ed BIOS or the Service Processor to capture the ?rst memory. Once the BIOS has copied the ?rst 4 MB of 4 MB of memory (described in more detail beloW). The memory to a reserved region of memory, the CMOS (or Service Processor may initiate the processes itself, if it con?guration data bit) bit is reset. detects loss of heartbeat from the system. (Many large 50 The region of memory the BIOS reserves to hold the computer systems have a Service Processor that continually contents of the ?rst 4 MB of memory must be locatable by monitors the computer system using a so called “heartbeat” What We call a Consolidator Program (Consolidator Program or “I’m still alive” signal, the loss of Which indicates a is described in a later section). One method is to select a failure of the main computer system.) ?xed address. For the Unisys ES7000 computer system, a When using the a BIOS setup option to capture the ?rst 4 55 reserved region of memory at FFF40000h Was used. MB of memory, in some systems a second boot may be Memory locations for our example Will be those We used to required to load the BCD program, but it is preferred if the run this invention in a Unisys ES7000, but clearly, other BCD program can be loaded on the same boot. suitable memory locations could be used in other computer The BIOS transfers control to the bootable media con systems. Another method is to add a neW memory type to the taining the BCD program, Which is loaded into the lo Mem 60 BIOS Get System Memory Map function (interrupt 15h area. DOS may be used to load the BCD program into function E820h). Currently only address range type values memory. The preferred method is to use a small loader to of 1 to 4 are de?ned. The BIOS interrupt call 15h type E820 pull the BCD program into the lo Mem area and transfer returns a table that describes the memory on the system. This control directly to the BCD program. The BCD program table is used to knoW What memory needs to be dumped. copies and compresses the memory above the ?rst 4 MB and 65 Type 1 memory is available for OS use. Type 2 is reserved Writes it to the prepared storage device. The use of com and should not be touched. One familiar With INTEL pro pression is optional. cessors and BIOS systems for computers Which use them US 7,290,175 B1 9 10 will know what these calls are with a great deal of particu The UINT64 class has two private data members: larity that therefore need not be described here. low:low-order 32 bits highIhigh-order 32 bits Smear Program Constructors provide methods for initializing and copying In the preferred embodiment, the Smear program will UINT64 data objects. The following constructors are imple smear the ?rst 3 sectors of a hard drive with a pattern mented: compatible with the Boot Crash Dump program. Without a Default constructorisets both low and high to 0 valid smeared disk attached to the system, the Boot Crash InitialiZing constructorisets both low and high to an Dump program will not proceed in taking the dump. initial value passed in The easiest hard drive to use is one for the Boot Crash InitialiZing constructorisets low to an initial value Dump program is one of the ?rst eight hard drives enumer passed in, sets high to 0 ated by the BIOS. The siZe of the hard drive should be at Copy constructoriused for temporary UINT64 objects. least 1.5 times the amount of memory on the system that Overloaded operators (with a UINT64 as an argument) may be dumped by the BCD Program. Other storage devices implemented in this class: can be used as log as it is supported by the BIOS or a BIOS driver. Overloaded operators (with a 32-bit unsigned integer as In the preferred embodiment, the Smear Program (FIG. 1, an argument) implemented in this class: ?owchart 10) begins by prompting the user for a physical disk number to smear. Once that has been entered and read Methods for accessing the low-order and high-order 32 (step 12), an attempt is made 13 to open this drive for 20 bits of the UINT64 separately: GENERIC_WRITE access. If successful, the user is LowPartiretums the low-order 32 bits prompted, preferably at least twice 14, to de?nitively verify HighPartireturns the high-order 32 bits they wish to smear the drive. The ?rst 3 sectors are then E820 Descriptor smeared 15 with the ASCII pattern “DISKDUMP”. The BIOS used by our preferred embodiment provides NOTE: Overwriting the ?rst 3 sectors will destroy the 25 support for the Get System Memory Map function (Interrupt and any ?le system that may have been 15h, Function E820h), which returns a series of structures on the drive, therefore only users with an appropriate (E820_Descriptor) describing system memory usage. The privilege level should have access to this program and it is Boot Crash Dump program requires this information to strongly recommended that the double check of step 14 be determine which address ranges to actually dump. Other carried out. 30 BIOS’ may have similar support and could be used if desired We include a check for I/O errors 16 for completeness. and the capacity to return this information is supported. Once the Smear Program has completed its task, the Crash Format of Bios system memory map address range Dump program can be activated without concern about descriptor: overwriting user data. If however, this invention is being used in a system where that is not a concern, it would be 35 advantageous to skip all steps relating to the Smear Program Offset Size Description since there would be no concern for user data. 00h QWORD base address Boot Crash Dump Program 08h QWORD length in bytes 10h DWORD type of address range (see table below) This program performs the dumping of physical memory 40 to a previously prepared hard drive. Classes/Structures The following sections provide a detailed overview into the classes and data structures that are used in the Boot Value Mnemonic Description Crash Dump program. 45 1 AddressRangeMemory This range is available RAM usable by Segment Descriptor the operating system. A segment descriptor is a data structure that provides the 2 AddressRangeReserved This range of addresses is in use or processor with the siZe and location of a segment, as well as reserved by the system and must not access control and status information. FIG. 5 illustrates a be used by the operating system. 3 AddressRangeACPI ACPI Reclaim Memory. This range general descriptor format for all types of segment descrip is available RAM usable by the OS tors in two 32-bit words as used in the preferred embodi after it reads the ACPI tables. ment. The details of the general descriptor format will be 4 AddressRangeNVS ACPI NVS Memory. This range of addresses is in use or reserve by the apparent to one of ordinary skill in this art by a quick system and must not be used by the reference to FIG. 5, but is should be understood that the 55 operating system. This range is required invention is not limited to the exact organiZation or siZe of to be saved and restored across and the segment descriptors, rather that this is the preferred NVS sleep. Other Unde?ned Unde?ned. Reserved for future use. embodiment illustration only. OSPM must treat any range of this UINT64 type as if the type returned was AddressRangeReserved. (Used to make it easier to use a 16-bit compiler to address 60 the memory and disk.) MICROSOFT® C/C++ OptimiZing Compiler Version PMAP Descriptor 8.00c contains no intrinsic data type representing an “PMAP Descriptors” describe the system memory map unsigned 64-bit integer. UINT64 class provides an unsigned address ranges that will actually be dumped. The PMAP_ 64-bit data type and member functions for manipulating 64 65 Descriptors contains a cleaned up version of the memory bit data types. The following is an overview of the func map returned by E820. The format of this 10h-byte structure tionality included in this class: is as follows: US 7,290,175 B1

Olfset Size Description Offset Size Description 00h QWORD base address 08h QWORD length in bytes 00h BYTE low 4 bits = ?rst DWORD count high 4 bits = second DWORD count 01h DWORD ?rst DWORD Sector Pairs 05h DWORD second DWORD “Sector Pairs” are pairs of sectors that represent ranges on 10 the physical disk where data has been dumped. The format of this 10h-byte structure is as follows: Extended_Drive_Information_Table The BIOS provides supports for the Get Extended Drive Parameters function (Interrupt 13h, Function 48h). This function returns the extended drive parameter table infor Offset Size Description mation (Extened_Drive_Information_Table_type) for a 00h QWORD starting sector nurnber speci?ed drive number. Here is the format of that structure: 08h QWORD ending sector nurnber

20 FD_Header Offset Size Description

This 600h-byte (3 sectors) structure is written as a header 00h WORD (call) size of buffer before the dump. It will contain all the information used to (ret) size of returned data perform the dump, as well as information required by the 02h WORD information ?ags 04h DWORD nurnber of physical cylinders on drive Consolidation program to recreate an OS-compatible crash 08h DWORD nurnber of physical heads on drive dump ?le. The format is as follows: OCh DWORD nurnber of physical sectors on drive 10h QWORD total number of sectors on drive 18h WORD bytes per sector

Offset Size Description 30 Boot/Initialization Environment 00h DWORD header tag #1 04h DWORD header tag #2 For completeness some basic information about a boot 08h DWORD major release version able ?oppy format used for the preferred embodiment of the OCh DWORD minor release version 10h QWORD sum of memory regions to be durnped invention has been included. 18h BYTE number of entries in the system Master Boot Record layout is as follows: memory rnap (E820) 19h E820iDescriptior[20h] system memory rnap (E820) 299h BYTE number of entries in the PMAP 29Ah PMAPiDescriptor[20h] durnped memory rnap (PMAP) 49Ah BYTE number of entries describing sector 40 Offset Size Description ranges 49Bh SectoriPairs[10h] array storing ranges of sectors con 0 1F8h BYTES loader code taining the dump 1F8h WORD initial offset of execution (de?ned by the Start 59Bh BYTE[65h] random ?ll characters label lFAh WORD offset of the data segment with respect to the code segment 45 lFCh WORD size of the prograrn (in sectors) Disk_Addres s_Packet lFEh WORD AASSh = closing tags for a valid MBR Hard drives that support Enhanced BIOS functions require a Disk Address Packet to specify the number of sectors to transfer, the starting logical sector for the transfer, The Master Boot Record is written to Track 0, Sector 1, and the memory location for the transfer. The following is Head 0 (the ?rst logical sector on the diskette). the format of a Disk Address Packet for Extended Disk Next, the BCD program is saved to the diskette using the Services: following loop algorithm: 1. Start at Track 1, Sector 1, Head 0. 55 2. Write the maximum number of sectors per track each Offset Size Description time, unless the remainder is less than the maximum. In that 00h BYTE size of packet (10h for our purposes) case, write the remainder. 01h BYTE reserved (0) 02h WORD number of blocks to transfer 3. Each successive time through the loop, increment only 04h DWORD pointer to the transfer buffer 60 the Track number. 08h QWORD starting absolute block number 4. Attempt each write up to 3 times before a failure is con?rmed. Compressed_Entry Below is an example ?gure showing the physical loca For run-time compression, a buffer containing a series of 65 tions of the Master Boot Record and program after having 9-byte structures is used to describe the original data. Here been successfully written to the diskette. In this example, the is the format of that structure: size of the program was 23 sectors. US 7,290,175 B1 13 14

Sector Number

HeadO 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

Track. NumberZXXXXX IXXXXX XXXXXXXXXXXXX OY

Y = Master Boot Record X = Program location

Loader create the appropriate segment descriptor. All other segment During the boot process in the preferred embodiment, the descriptors/attributes can be explicitly de?ned. BIOS attempts to read the ?rst logical sector from the diskette into memory at location 0000:7C00h. The BIOS then determines if this sector is a Master Boot Record by verifying that the ?nal word is AA55h. If the MBR (Master Entry CS DS SS Page Directory Read Buffer Boot Record) is valid, execution of the loader begins at 20 AVL 0 0 0 0 0 location 0000:7C00h. The loader will perform the following BASE i i i 00070000h 00080000h steps: D/B 0 0 0 0 0 DPL 0 0 0 0 0 Read the program from the diskette into memory at G 0 0 0 0 0 location 5000:0000h using a loop similar to that in LIMIT OFFFFh OFFFFh OFFFFh OFFFFh OFFFFh SaveToDisk. The size of the program (in sectors) is 25 P 1 1 1 1 1 S 1 1 1 1 1 stored in the Master Boot Record. See Section 5.4.2.1. TYPE Bh 3 3 3 3 Set the data segment to 5000h plus its offset with respect to the code segment. The Master Boot Record contains this value. See Section 5.4.2.1. ForceDumpi22 30 After setting up the GDT, a call is made to an external C Set the stack segment equal to the data segment. function called _ForceDump. (The C calling convention Set the stack pointer to FFFFh. requires the leading underscore.) See description of FIGS. 3 Push the new code segment of 5000h onto the stack and 4 for detailed description of this ForceDump procedure Push the offset of the Start label onto the stack. The 22. Master Boot Record contains this value. See Section 35 Mode Switching 5.4.2.1. To access memory up to 64 GB, the processor needs to be Perform a RETF instruction (a “retum far” instruction in in protected mode and have paging enabled. The following MASM (MICROSOFT Macro Assembler) code mne sections give the preferred steps to achieve these mode monics) A RETURN could be substituted for the RETF. switches, since they will be needed when this invention is Start 40 used in its preferred target computer systems having large This is the point of execution after the RETF instruction main memory stores running Windows operating system. by the loader. Start is an offset (identi?ed by a label) within Real-Address Mode to Protected Mode with Paging the Main assembly procedure 19. The ?ow chart 20 of FIG. To switch to protected mode, the following steps are 2 describes the overall ?ow of the BCD program. 45 performed: SetupGlobalDescriptorTablei21 1. Disable maskable hardware with a CLI Once the loader has handed olf execution to the program, instruction. the processor is still in real-address mode. Because the Boot 2. Push the current, real-address mode CS on the stack. Crash Dump program will eventually enter protected mode, 3. Backup the SS, DS, ES, FS, and GS registers so they can be restored once we return to real-address mode. each real-address mode segment will need to have a segment 50 descriptor in the Global Descriptor Table (GDT). The ?rst 4. Execute the LGDT instruction to load the GDTR entry in the GDT is called the NULL descriptor. Since the register with the base address of the GDT that was setup in processor never references the NULL descriptor, then this SetupGlobalDescriptorTable. implies that the data stored in its place can be used for any 5. Load the CR3 register with the physical address of the purpose. Therefore you can use the NULL descriptor to store 55 Page Directory. a pointer to the GDT itself. The Load Global Descriptor 6. Set the PSE bit and clear the PAE bit of the CR4 register Table Register (LGDT) instruction needs a six-byte pointer 7. Set the PG and PE bits of the CRO register. to the GDT and the NULL descriptor has 8 bytes that aren’t 8. Execute a far JMP to the next instruction in the accessed by the CPU, making it an ideal candidate for this instruction stream. This will reset the CS register. NOTE: purpose. The lowest 2 bytes of the NULL descriptor are used 60 The code for the MOV CRO instruction and the IMP to store the size of the GDT and the next highest 4 bytes to instruction must come from a page that is identity mapped store the physical address. (that is, the linear address before the jump is the same as the The chart below serves as a guide for the construction of physical address after paging protected mode is enabled). each segment descriptors. Note that the CS, DS, and SS 9. Update the contents of the remaining segment registers registers all have base addresses that are determined at 65 with protected mode selectors. run-time. SetupGlobalDescriptorTable must convert these 10. Execute the STI instruction to enable maskable hard real-address mode addresses to physical addresses, and then ware interrupts. US 7,290,175 B1 15 16 Protected Mode With Paging to Real-Address Mode the Disk Access Packet (DAP) to read the ?rst three sectors To re-enter real-address mode, the following steps are of the disk. Then procedure ExtendedReadSectors (also not performed: shoWn) is called to transfer the contents of the three disk 1. Disable maskable hardware interrupts With a CH sectors to the read buffer in memory. The ExtendedRead instruction. Sectors procedure may call for compression in storing the 2. Clear the PG and PE bits of the CRO register. data to the buffer in memory if desired. The presence or 3. Move 00000000h into the CR3 register to ?ush the absence and status of each present disk drive examined is TLB. preferably displayed on the console screen. 4. Clear the PSE and PAE bits of the CR4 register. For each drive identi?ed by GetExtendedDriveParam 5. Push the offset of the next instruction onto the stack and 10 eters, the capacity of the drive is compared to the total siZe execute a RETF instruction that jumps to that instruction. of the memory to be dumped and procedure VerifySmear (The real-address mode CS Was previously pushed onto the Pattern 36A is called to determine if the ?rst three disk stack during the sWitch to protected mode.) This operation sectors contain the ‘signature’ of the Boot Memory Dump ?ushes the instruction queue and loads the appropriate base disk. If both tests are successful, the Boot Memory Dump and access rights values in the CS register. disk has been identi?ed and the disk identi?er and capacity 6. Restore the SS, DS, ES, FS, and GS registers as needed are displayed on the console screen. If none of the eight by the real-address mode code. drives tested is identi?ed as a dump disk, an error message 7. Execute the STI instruction to enable maskable hard is displayed on the console screen and the program termi Ware interrupts. nates. 20 Procedure ClearPageDirectory 37 is called to initialiZe ForceDump (clear to Zero) the page directory. The ForceDump procedure is the ‘driver’ portion of the Progress ?elds “ of ”, “Compressed SiZe”, and “Percent and dumps it to disk. The process is outlined in a How chart Complete” are initialiZed and preferably displayed on the 22A in FIG. 3. It is called by the Main console screen by ClearPageDirectory procedure 37. procedure, after the console screen has been initialiZed and The (preliminary) contents of the Force Dump Header are the Global Descriptor Table (GDT) has been set up With the Written to the Boot Memory Dump disk 38. Procedure addresses of the memory buffers and tables used by Force PrepareDAP is called to set up the Disk Access Packet Dump. Procedure ForceDump accomplishes the memory (DAP) to Write three sectors of the disk, starting at sector read/Write to disk process through both its oWn internal code 30 three. Procedure ExtendedWriteSectors is called to perform and calls to the assembly and C++ procedures described the Write operation. If the disk Write operation fails, the disk above. It does not process any parameters. address for the Write operation is advanced by three sectors Procedure ForceDump does the folloWing: and ExtendedWriteSectors is called to retry the Write opera A ‘Welcome’ message is displayed on the console screen. tion. When the Write operation succeeds, usable disk sector Procedure VerifyPSE is called to verify 31 that the pro 35 information maintained by the program is initialiZed. If three cessor supports the Page SiZe Extension (PSE-36) feature, Write failures occur, an error message is displayed on the Which is required by ForceDump. If the feature is not console screen and the program terminates. A simpli?ed supported, an error message is displayed on the console description of this test for Whether the Write operation Was screen and the program terminates 31A. performed is indicated at 39 in How chart 22A. Procedure EnableA20Gate is called to enable access to 40 The address and siZe of the ?rst OS-accessible memory extended memory (memory addresses over 1 MB, 10 0000h) segment is obtained from the PMAP (from step 34). A 32. If the ensuing BIOS call fails, an error message is generaliZed form of the Dumping Loop is illustrated in the displayed on the console screen and the program terminates How diagram 40 of FIG. 4. The buffer siZe is checked and 32A. the system is put into protected mode for the remainder of Procedure GetSystemMemoryMap is called to obtain the 45 this procedure. system memory map maintained by the BIOS 33. The A Procedure named SetupPageDirectoryEntries (de memory map obtained by GetSystemMemoryMap is stored scribed in detail later) is called to place the address of the in the Force Dump Header and displayed on the console system memory to be accessed into the proper ?elds of a screen. If the call returns a failure result, an error message Page Directory Entry. is displayed on the console screen and the program termi 50 System memory is accessed in pieces of 64,512 (FCOOh) nates 33A. bytes, ie 126 segments in our preferred computer systems. Procedure CreatePMAP is called to convert the system Accordingly, a procedure called FillBulfer (described later) memory map into a page map (PMAP) 34 that is used is called to transfer 64,512 bytes of memory to a read buffer directly by the Boot Memory Dump program to determine (step 43) for further processing. The system is returned to the total amount of memory needed to store the dump 35. 55 Real-address mode 44. The PMAP is stored in the Force Dump Header and dis Each 32-bit Word in the read buffer is compared to the played on the console screen. 32-bit Word preceding it from the read buffer. This is The siZes of all the OS-accessible memory segments illustrated as beginning With the loop instruction 45A for listed in the PMAP entries are summed to obtain the total KIO to K, Where K is the number of Words in the read buffer siZe of the memory to be dumped. The total siZe of the 60 (FCOOh) 45. If the tWo 32-bit Words match, procedure memory to be dumped is displayed on the console screen as AddEntry 45B is called; if they don’t match, procedure a part of step 35. NeWEntry 45C is called. These tWo procedures, described A series of up to eight calls to procedure GetExtended later, implement the program’s simple compression algo DriveParameters are made to identify the Boot Memory rithm. They store the compressed memory information in the Dump disk and to determine its drive parameters 36. For 65 Write buffer. each drive identi?ed by GetExtendedDriveParameters, a When AddEntry and NeWEntry have ?lled the Write procedure named PrepareDAP (not shoWn) is called to set up buffer, a procedure named WriteToDisk 46 is called to US 7,290,175 B1 17 transfer the contents of the Write buffer to the (preferably prepared by a smear program) dump disk. The usable disk sector information in the Force Dump Header is maintained Called by: ForceDump by the WriteToDisk procedure. Parameters: none Progress ?elds “ of ”, “Compressed Size”, and “Percent AX = 0001b - the PSE feature is supported Complete” are preferably updated and displayed on the console screen While the procedures execute. WriteToVRAM When all of the memory described by the current PMAP WriteToVRAM displays a NULL terminated, ASCII entry has been processed, the address and siZe of the next string at a speci?ed location on the console terminal by OS-accessible memory segment to be processed is obtained Writing it directly to video memory. WriteToVRAM initially from the next PMAP entry, and the above steps are repeated. checks the current processor mode. If the processor is in When all of the memory described by the ?nal PMAP real-address mode, the real-address mode video memory entry has been processed, procedure WriteToDisk is called segment (B800h) is referenced; otherWise the equivalent to transfer any remaining data in the Write buffer to the dump protected mode selector is referenced. The starting roW and disk. column are used to calculate an offset Within video memory The ?nal contents of the Force Dump Header, With the from Which to Write the string. A loop Will Write the ASCII updated usable disk sector information, are Written to the characters and their speci?ed video attribute into video Boot Memory Dump disk. Procedure PrepareDAP is called memory at successive locations until a NULL (00h) char 20 to set up the Disk Access Packet (DAP) to Write three sectors acter is encountered. of the disk, starting at disk address of the original successful Force Dump Header Write operation. Procedure Extended WriteSectors is called to perform the Write operation. If the disk Write operation fails, an error message is displayed on Called by: ForceDump, WriteToDisk the console screen and the program terminates. 25 Parameters: WORD - pointer to the NULL terminated, ASCII string BYTE - starting column Otherwise, a successful termination message is displayed BYTE - starting roW on the console screen, procedure ForceDump returns to BYTE - video attribute byte(bit 7 = blink, bits 6-4 = background, bits 3-0 assembly procedure MAIN Which called it, and the program 3-0 = foreground) Return: nothing terminates. 30 GetSystemMemoryMap Called by: Main This procedure obtains the system memory map main Parameters: none tained by the BIOS. The only parameter passed to this Return: nothing 35 procedure is a pointer to an array of E820_Descriptor type that Will store the system memory map. The BIOS provides a Get System Memory Map function (detailed beloW), Additional Assembly Procedures Which returns a single memory map entry These procedures, mentioned in the description above, are (E820_Descriptor). Using this function in a loop, each entry described in detail in the sections beloW. 40 Will be saved to the array structure. Each successful function MICROSOFT (R) C/C++ OptimiZing Compiler Version call Will increment a counter representing the number of 8.00c is a 16-bit compiler. Therefore, the inline assembler memory map entries. The calls continue until either the Will only alloW use of l6-bit registers. Due to this restriction BIOS indicates the end of the memory map has been and the loW-level nature of the Boot Crash Dump program, reached, the limit of 20 h entries has been reached, or an it is necessary to Write some external procedures in assembly 45 error has occurred. language. EnableA20Gate The processor’s A20 address line controls the accessibil Called by: ForceDump ity of extended memory (memory addressed over 1 MB, Parameters: WORD - pointer to a ZOh-element array of type l00000h). EnableA20Gate calls the BIOS Interrupt 15h 50 E820iDescriptor (See Section 5.4.1.3) Function 240lh to enable access to extended memory. Return: AX = number of entries in the system memory map Get System Memory Map - Interrupt 15h Function E820h AX = E820h EAX = 0000E820h EDX = 534D4l50h (‘SMAP’) Called by: ForceDump 55 EBX = continuation value or OOOOOOOOh to start Parameters: none at beginning of map Return: AX = OOOOh - failure ECX = size of buffer for result, in bytes (should AX = 000lh - success be >= 20 bytes) ES:DI —> buffer for result (See Section 5.4.1.3) Return: CF clear if successful VerifyPSE 60 EAX = 534D4l50h (‘SMAP’) The Boot Crash Dump program utiliZes the Page SiZe ES:DI buffer ?lled EBX = next offset from Which to copy of Extension (PSE) feature of the IA-32 processor to access OOOOOOOOh if all done memory addresses greater than 4 GB (40000000h). Veri ECX = actual length returned in bytes fyPSE issues the CPUID instruction to the processor, Which CF set on error returns processor identi?cation and feature information in 65 AH = error code (86h) the general registers. Bit 17 of the EDX register is tested to determine Whether the processor supports the PSE feature. US 7,290,175 B1 19 Get Extended Drive Parameters This function uses the Get Extended Drive Parameters BIOS function (detailed below) to obtain the extended drive Called by: ForceDump, WriteToDisk information for a speci?ed hard disk. ForceDump needs this Parameters: BYTE - drive number information to compare the disk drive capacity to the total WORD - pointer to a DiskiAddressiPacket (See Section 5.4.1.7) system memory to be dumped. Parameters passed in are the Return: AX = OOOOh - failure speci?c drive number and a pointer to a buffer for the results. AX = OOOIh - success Extended Write Sectors - Interrupt 13h Function 43h GetExtendedDriveParameters Will fail if the drive does not AH = 43h exist. AL = Write ?ags bit 0: verify Write bits 7-1 = reserved (0) DL = drive number Called by: ForceDump DS:SI —> disk address packet (See Section 5.4.1.7) Return: CF clear 1fS1lCC6SSfLl1 Parameters: BYTE - drive number (80h-FFh) AH = 00h WORD - pointer to an ExtendediDriveiInformationiTab1e (See Section 15 CF set on error 5.4.1.9) AH = error code Return: AX = OOOOh - failure disk address packet’s block count ?eld set to number AX = OOOIh - success of block successfully transferred Get Extended Drive Parameters - Interrupt 13h Function 48h AH = 48h DL = drive number (80h-FFh) DS:SI —> buffer for drive parameters (See Section 20 FillBulfer 5.4.1.9) FillBulfer is the assembly procedure used to transfer Return: CF clear if successful memory (address ranges up to 64 GB) to a real-address AH = 00h DS:SI buffer ?lled mode buffer for further processing (compression and trans CF set on error fer to disk). The caller of FillBulfer creates a Page Directory AH = error code 25 Entry (PDE) for access to a speci?c location Within the linear address space (up to 36 bits:64 GB). This PDE is used by the Page SiZe Extension (PSE-36) paging mechanism to ExtendedReadSectors address memory above the 4 GB limit imposed by 32-bit This procedure uses the BIOS function ExtendedRead addressing. Sectors (detailed beloW) to read sectors from the hard disk When called, procedure FillBulfer is passed tWo param into memory. ExtendedReadSectors requires the use of a 30 eters on the stack: a 32-bit count representing the total Disk Address Packet (DAP) structure to specify the number number of bytes of memory to be transferred (up to FCOOh of sectors to transfer, Where on the disk to begin reading, and bytes), and a 32-bit offset Within the current 4 MB page from Where to load the data into memory. The DAP should be Which to begin transfer. FillBulfer ?rst disables maskable con?gured properly before calling ExtendedReadSectors. hardWare interrupts and invokes assembly macro Protected The speci?ed drive number and a pointer to the DAP are 35 Mode (See Section 5.4.3.1) to put the processor into pro passed in as parameters to this procedure. tected mode and enable PSE-36 addressing. The parameters are then retrieved from the stack. Memory is transferred 32 bits at a time from 4 MB page to the destination buffer. After Called by: ForceDump 40 each 32-bit transfer, the source and destination addresses are Parameters: BYTE - drive number incremented by 4 bytes, and the current number of bytes WORD - pointer to a DiskiAddressiPacket (See Section 5.4.1.7) transferred is compared to the transfer count parameter Return: AX = OOOOh - failure provided on the stack. When the transfer is complete, AX = OOOIh - success Extended Read Sectors - Interrupt 13h Function 42h assembly macro RealMode (See Section 5.4.3.2) is invoked AH = 42h 45 to return the processor to real-address mode. Maskable DL = drive number hardWare interrupts are re-enabled and FillBulfer exits. DS:SI —> disk address packet (See Section 5.4.1.7) Return: CF clear if successful AH = 00h CF set on error Called by: ForceDump 50 AH = error code Parameters: DWORD - size of the read buffer to transfer disk address packet’s block count ?eld set DWORD - starting offset into the 4MB page to number of block success?illy transferred Return: nothing

ExtendedWriteSectors Halt 55 This procedure uses the BIOS function ExtendedWrite Halt is an assembly routine that terminates the Boot Crash Sectors (detailed beloW) to Write sectors to the hard disk Dump program by issuing the Clear Interrupt Flag (CLI) and from memory. ExtendedWriteSectors requires the use of a Halt (HLT) instructions. Maskable interrupts are ?rst dis Disk Address Packet (DAP) to specify the number of sectors abled because the possibility exists for an interrupt to resume execution after a HLT instruction. to transfer, Where on the disk to begin Writing, and Where to 60 get the data from memory. The DAP should be con?gured properly before calling ExtendedWriteSectors. The speci?ed drive number and a pointer to the DAP are passed in as Called by: ForceDump, WriteToDisk parameters to this procedure. Parameters: none Return: nothing NOTE: An option is provided to verify the Write. This 65 feature is not available on the ES7000 PHOENIX BIOS implementation. Therefore, you must Write With verify OFF. US 7,290,175 B1 21 22 Additional C++ Procedures Since the ForceDump procedure is Written in C++, any -continued additional procedures that do not require the use of external unsigned long - pointer to the transfer buffer assembly language should be Written in C++. UINT64 - starting absolute block number CreatePMAP 5 Return: nothing Procedure CreatePMAP is passed a single parameter: a pointer to the Force Dump Header structure in memory. CreatePMAP converts the system memory map produced VerifySmearPattern by assembly language procedure GetSystemMemoryMap, This procedure is passed a pointer to a buffer containing into a page map (PMAP) Which is used directly by the Boot the ?rst 3 sectors from the hard disk. VerifySmearPattern Memory Dump program. GetSystemMemoryMap creates an Will loop through this 600h-byte buffer to verify that it is array (E820) of entries of E820_Descriptor_type that is smeared With the ASCII pattern “DISKDUMP”. stored in the Force Dump Header (see FD_Header_type above). Each E820 entry describes a region of main memory: the starting address of the memory region, its Called by: ForceDump length in bytes, and the type of memory (i.e. Whether Parameters: unsigned long far* - pointer to a buffer containing the ?rst accessible to the OS, or not). CreatePMAP uses the infor 3 sectors from the hard disk mation in the E820 array to build a second array (PMAP), Return: - 1 - smear pattern is invalid also stored in the Force Dump Header, Whose entries contain int - 0 - smear pattern is valid the starting address (UINT64) and siZe (UINT64) of only 20 those memory regions that are accessible to the OS. ClearPageDirectory The system BIOS, as part of the system boot process, copies the ?rst 4 MB (40 0000h) of main memory to a ClearPageDirectory does exactly What its’ name implies. memory area (address 0xFF400000) that is reserved for use It clears all page directory entries in the page directory by by the BIOS and is not accessible to the OS. CreatePMAP 25 setting them to 00000000h. places this area’s address and siZe as the starting address and siZe of the ?rst entry in the PMAP array. CreatePMAP then examines those entries in the E820 array that describe Called by: ForceDump regions of memory that are accessible to the OS. E820 Parameters: unsigned long far* - pointer to the Page Directory entries describing regions that are contained Within the ?rst 30 Return: nothing 4 MB of memory are discarded, as they are already included in the ?rst entry of the PMAP array. For an E820 entry that overlaps the 4 MB address boundary, CreatePMAP adjusts SetupPageDirectoryEntries the starting address and siZe so that only the region above the The Boot Memory Dump program uses the paging 4 MB boundary is placed in the next PMAP array entry. The 35 mechanism provided by the IA-32 processor’s protected starting address and siZe of OS-accessible E820 entries are mode to access system memory. The Page SiZe Extension placed in subsequent PMAP array entries. The ?nal number (PSE) facility, Which permits the use of 36-bit addressing, is of entries in the PMAP array is kept in a variable, PMA used to access system memory of up to 64 GB (10 0000 PLength, Which is stored in the Force Dump Header. 0000h bytes). The PSE facility accesses physical memory as The Boot Memory Dump program uses the memory map 40 a series of 4 MB (40 0000h) pages. The addresses of the information provided in the PMAP array to identify the pages are kept in a page directory, an array of page directory memory ranges available to the OS, Which are dumped to entries (PDE) in Which each directory entry contains the disk for analysis by the Windbg tool. 14-bit address of a 4 MB page. The physical address of each

45 memory byte is comprised of the 14-bit page address and a 22-bit offset into the page. Called by: ForceDump Boot Memory Dump Walks through the system memory Parameters: PFDiHeader - pointer to the FDiHeader structure that Will to be dumped (memory accessible to the OS, as determined be Written before the dump (See Section 5.4.1.6) Return: nothing by the entries in the PMAP array described above) by 50 sequentially inserting the 14-bit address of each 4 MB page in a PDE that is an entry in a page directory array stored in PrepareDAP program memory, then reading up to 4 MB of memory PrepareDAP is passed 4 parameters: a pointer to the Disk accessible through that page. The page directory array has Address Packet (DAP) structure, the number of sectors of tWo PDE entries; the ?rst containing the base address of the data to transfer, a pointer to a buffer from/to Which data is 55 4 MB page currently being processed, and the second to be transferred, and the sector address on disk from/to containing the base address of the folloWing 4 MB page Which data is to be transferred. The values of the latter three Which is used for possible address over?oW for the memory parameters are loaded into the appropriate ?elds of the DAP area being processed. structure pointed to by the ?rst parameter. PrepareDAP returns no value. 60 Procedure SetupPageDirectoryEntries is passed tWo parameters: a pointer to the page directory in memory, and a 64-bit linear address of the memory area being accessed. SetupPageDirectoryEntries segregates the upper 14 bits of Called by: ForceDump, WriteToDisk the 36-bit linear address, and places them in the appropriate Parameters: PDiskiAddressiPacket - pointer to a DiskiAddressiPacket (See Section 5.4.1.7) 65 ?elds (bits 13 . . . 16 and 22 . . . 31) of the page directory unsigned short - number of blocks to transfer entry (PDE). Then the Page SiZe (4 MB), Read/Write and Present ?ag bits of the PDE are set. US 7,290,175 B1 23 24 NeWEntry is called. NeWEntry is passed the same ?ve parameters as AddEntry: (1) a 2-element array containing the current counts of each of the tWo dWords being processed Called by: ForceDump Parameters: unsigned long far* - pointer to the Page Directory for the Compressed_Entry_type record, (2) an indicator of UINT64 - physical address of the memory area to be Which dWord of the pair is being processed by this call, (3) accessed a pointer to the buffer Which Will be Written to disk, (4) the Return: nothing Write buffer index of the record being processed, and (5) the value of the dWord being processed. AddEntry NeWEntry moves to the next ?eld available to receive Procedure AddEntry is one of the tWo procedures that data, either the second ?eld in the current record or the ?rst implement the compression algorithm of the Boot memory ?eld in the next record. The value of the dWord being Dump program. The runtime compression algorithm oper processed is entered in that ?eld With a count of 1. ates by identifying repeating sequences of 32-bit double Words (dWords) in memory, eg a memory area that has been zeroed, and reducing each repeating sequence of up to Called by: ForceDuInp ?fteen such dWords to a 4-bit count and the 32-bit value of ParaIneters: unsigned long - the DWORD currently being processed the dWord. The compressed memory dump ?le is a series of unsigned char[ ] - pointer to a 2-element array containing records of structure Compressed_Entry_type, previously the current counts of each of the 2 DWORDS being described. Each 9-byte record contains in the ?rst byte an processed. unsigned char& - an reference to an indicator of Which 8-bit unsigned integer containing in the upper four bits the 20 DWORD of the pair is being processed by this call repetition count, from 1 to 15, of a single or repeated dWord, CompressediEntry far* - pointer to the buffer of type and in the loWer four bits the repetition count, again from 1 CompressediEntry (See Section 5.4.1.8) that is eventually to 15, of the succeeding single or repeated dWord. The Written to disk unsigned short& - a reference to the index into the Write ‘counts’ byte is followed by tWo 4-byte ?elds, each ?eld buffer containing the 32-bit value of a dWord represented by a 25 Returns: nothing count in the ?rst byte. When the main loop in procedure ForceDump of the Boot WriteToDisk Memory Dump program encounters a 32-bit Word in WriteToDisk is the procedure called to transfer com memory that is the same as the preceding 32-bit Word, procedure AddEntry is called. AddEntry is passed ?ve 30 pressed system memory data from the Write buffer to the disk drive. It incorporates softWare mechanisms for identi parameters: (1) a 2-element array containing the current counts of each of the tWo dWords being processed for the fying and reporting the usable disk sectors on Which valid data is Written. WriteToDisk calls assembly procedure Compressed_Entry_type record, (2) an indicator of Which dWord of the pair is being processed by this call, (3) a pointer ExtendedWriteSectors to perform the actual disk Write operation. ExtendedWriteSectors uses the Extended Write to the buffer Which Will be Written to disk, (4) the Write 35 buffer index of the record being processed, and (5) the value capabilities of the BIOS to transfer a speci?ed number of of the dWord being processed. sectors of data from the Write buffer to the disk. The Extended Write function requires used of a Disk Address Procedure AddEntry increments the count value of the dWord being processed, and updates the Compressed_En Packet (DAP), Whose format Was previously discussed. try_type record. If the updated count exceeds ?fteen, 40 Procedure WriteToDisk is passed ?ve parameters: (1) a AddEntry sets the count of the current ?eld to 15 and moves pointer to the Disk Address Packet (DAP) structure in to the next ?eld available to receive data, either the second memory, (2) a pointer to the Force Dump Header structure ?eld in the current record or the ?rst ?eld in the next record. in memory, (3) the BIOS identi?er of the disk drive to Which The value of the dWord being processed is entered in that the dump data is being Written, (4) the sector address of the ?eld With a count of 1. 45 starting sector to Which data is to be Written, and (5) the number of sectors to be Written. WriteToDisk maintains information in the Force Dump Header about the disk sectors on Which the dump data is Written. This information Called by: ForceDump is maintained in an array, each element of the array contains ParaIneters: unsigned long - the DWORD currently being processed 50 the starting and ending sector addresses of a set of contigu unsigned char[ ] - pointer to a 2-element array containing the current counts of each of the 2 DWORDS being ous disk sectors containing dump data. processed. WriteToDisk ?rst calls procedure PrepareDAP, passing unsigned char& - an reference to an indicator of Which the DAP, the number of sectors to be Written, a pointer to the DWORD of the pair is being processed by this call Write buffer from Which data is to be transferred, and the CompressediEntry far* - pointer to the buffer of type CompressediEntry (See Section 5.4.1.8) that is eventually number of sectors to be Written. PrepareDAP places these Written to disk values in the DAP Which Will be used for the Write operation. unsigned short& - a reference to the index into the Write WriteToDisk then calls assembly procedure ExtendedWri buffer teSectors, passing the dump disk drive identi?er and the Returns: nothing pointer to the DAP, to perform the Write operation. If the call 60 to ExtendedWriteSectors returns a Write failure indication a NeWEntry counter of the sets of usable sectors is incremented and Procedure NeWEntry is the other of the tWo procedures compared to a maximum value (10). If this maximum is that implement the compression algorithm of the Boot exceeded, an error message is displayed on the console and memory Dump program (see AddEntry above). When the the Boot Memory Dump program terminates. If the sets of main loop in procedure ForceDump of the Boot Memory 65 usable sectors maximum is not exceeded, the current set of Dump program encounters a 32-bit Word in memory that is usable sectors is terminated and a neW set is started. Then the the not same as the preceding 32-bit Word, procedure starting sector address is incremented and the Write is again