ISA Bus Sniffer update

Several years ago, I designed the ISA bus sniffer, a sort of special-purpose logic analyzer for capturing the signals from the CPU and ISA bus in an XT-class system. Well, I finally got around to finishing it: writing the three pieces of software needed to make it work (the microcontroller program, the 8088 test harness and the decoder), as well as making the changes to the XT Server to retrieve traces.

Here is what the contraption looks like:

ISA Bus Sniffer, completed

In this picture you can also see the board that goes into the 8087 FPU socket to probe the CPU pins. The yellow wires go to a switch so that I can remotely reset the microcontroller for reflashing.

Here is how it fits into the machine:

ISA Bus Sniffer in situ

Here is what the XT Server currently looks like:

ISA Bus Sniffer in situ

And here is an example of what the output from the sniffer looks like after decoding:

20FFF .p...  00F24 FF 00 FC .......
20FFF Ip...  00F24 FF 01 FC .......                          I
20FF1 SC...  00F24 FF 01 FC .......  T1                      S F6E1         MUL CL
00F25 .C...  00F25 FF 01 FC .....D.  T2 S0
20F25 .C...  00F25 FF 01 FC .....D.  T3 S1
20F25 .C...  0020B FF 10 FC .....D.  Tw S2
20F25 .C...  0020B FF 10 FC ..r..D.  Tw S3
20F25 .C...  0020B FF 10 FC .Wr..D.  Tw S4 FF <-d [   0020B]
20F25 .C...  0020B FF 00 FC .....D.  Tw
20FFF .C...  00F25 FF 00 FC ..r....  Tw
20FF6 .C...  00F25 F6 00 FC ..r....  Tw
20FF6 .p...  00F25 F6 00 FC ..r....  T4    F6 <-f [   00F25]
20FF6 .C...  00F25 F6 00 FC .......  T1
00F26 .C...  00F26 F6 00 FC .......  T2
20F26 .C...  00F26 FF 00 FC ..r....  T3
20FE1 .p...  00F26 E1 00 FC ..r....  T4    E1 <-f [   00F26]
20FE1 .p...  00F26 E1 00 FC .......

From left to right the columns are: CPU address/data, CPU flags, bus address, bus data, DMA requests and acks, interrupt requests, bus flags, bus states for CPU and DMA accesses, transfers, prefetch queue status, instruction data and decoded instruction.
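To make the column description concrete, here is a small parser for the decoded trace lines above. It is an added example, not the sniffer's own decoder (that lives in the repository linked below). The seven leading columns are taken exactly as the post lists them; the labels for the optional trailing fields (T-state, DMA S-state, transfer, queue-status letter, instruction bytes, mnemonic) and the meaning of the transfer letters ('f' for fetch, 'd' for data) are my reading of the sample lines and are assumptions. The sample trace is the one quoted above, embedded so the script runs offline.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the decoded trace lines quoted in the post, embedded so the example runs offline.
SAMPLE_TRACE = """\
20FFF .p...  00F24 FF 00 FC .......
20FFF Ip...  00F24 FF 01 FC .......                          I
20FF1 SC...  00F24 FF 01 FC .......  T1                      S F6E1         MUL CL
00F25 .C...  00F25 FF 01 FC .....D.  T2 S0
20F25 .C...  00F25 FF 01 FC .....D.  T3 S1
20F25 .C...  0020B FF 10 FC .....D.  Tw S2
20F25 .C...  0020B FF 10 FC ..r..D.  Tw S3
20F25 .C...  0020B FF 10 FC .Wr..D.  Tw S4 FF <-d [   0020B]
20F25 .C...  0020B FF 00 FC .....D.  Tw
20FFF .C...  00F25 FF 00 FC ..r....  Tw
20FF6 .C...  00F25 F6 00 FC ..r....  Tw
20FF6 .p...  00F25 F6 00 FC ..r....  T4    F6 <-f [   00F25]
20FF6 .C...  00F25 F6 00 FC .......  T1
00F26 .C...  00F26 F6 00 FC .......  T2
20F26 .C...  00F26 FF 00 FC ..r....  T3
20FE1 .p...  00F26 E1 00 FC ..r....  T4    E1 <-f [   00F26]
20FE1 .p...  00F26 E1 00 FC .......
"""
# The seven leading columns appear on every line.
HEAD_RE = re.compile(
    r"^(?P<cpu>[0-9A-F]{5})\s+(?P<cpu_flags>\S{5})\s+(?P<bus_addr>[0-9A-F]{5})\s+"
    r"(?P<bus_data>[0-9A-F]{2})\s+(?P<dma>[0-9A-F]{2})\s+(?P<irq>[0-9A-F]{2})\s+"
    r"(?P<bus_flags>\S{7})(?P<rest>.*)$"
)
# The rest only appears on some lines: CPU T-state, DMA S-state, a transfer like "FF <-d [   0020B]",
# a queue-status letter, instruction bytes, decoded mnemonic.  Letter meanings are assumed from the sample.
REST_RE = re.compile(
    r"^(?:\s*(?P<t_state>T[1-4w]))?(?:\s*(?P<s_state>S[0-4]))?"
    r"(?:\s*(?P<xfer_data>[0-9A-F]{2}) <-(?P<xfer_kind>[a-z]) \[\s*(?P<xfer_addr>[0-9A-F]{5})\])?"
    r"(?:\s*(?P<queue>[A-Z])(?=\s|$))?(?:\s*(?P<ibytes>(?:[0-9A-F]{2})+)(?=\s|$))?"
    r"\s*(?P<decoded>.*?)\s*$"
)

@dataclass
class TraceEntry:
    cpu: str                  # CPU address/data lines, kept raw (their encoding is not spelled out on the page)
    cpu_flags: str
    bus_addr: int
    bus_data: int
    dma: int                  # DMA request/acknowledge bits
    irq: int                  # interrupt request bits
    bus_flags: str
    t_state: Optional[str]    # T1..T4, or Tw for a wait state
    s_state: Optional[str]    # DMA controller state S0..S4
    transfer: Optional[Tuple[str, int, int]]  # (kind, address, data); 'f' = fetch, 'd' = data (assumed)
    queue: Optional[str]      # prefetch queue status letter
    ibytes: Optional[bytes]   # bytes of the instruction decoded on this line
    decoded: str              # decoded instruction text, empty if none

def parse_line(line: str) -> TraceEntry:
    head = HEAD_RE.match(line)
    if head is None:
        raise ValueError(f"unrecognised trace line: {line!r}")
    rest = REST_RE.match(head.group("rest"))
    if rest is None:
        raise ValueError(f"unrecognised trailing fields: {head.group('rest')!r}")
    kind = rest.group("xfer_kind")
    transfer = (kind, int(rest.group("xfer_addr"), 16), int(rest.group("xfer_data"), 16)) if kind else None
    ibytes = rest.group("ibytes")
    return TraceEntry(
        cpu=head.group("cpu"), cpu_flags=head.group("cpu_flags"),
        bus_addr=int(head.group("bus_addr"), 16), bus_data=int(head.group("bus_data"), 16),
        dma=int(head.group("dma"), 16), irq=int(head.group("irq"), 16), bus_flags=head.group("bus_flags"),
        t_state=rest.group("t_state"), s_state=rest.group("s_state"), transfer=transfer,
        queue=rest.group("queue"), ibytes=bytes.fromhex(ibytes) if ibytes else None,
        decoded=rest.group("decoded"),
    )

def parse_trace(text: str) -> List[TraceEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def transfers(entries: List[TraceEntry]) -> List[Tuple[str, int, int]]:
    return [e.transfer for e in entries if e.transfer]

def decoded_instructions(entries: List[TraceEntry]) -> List[Tuple[bytes, str]]:
    return [(e.ibytes, e.decoded) for e in entries if e.decoded]

def bus_state_counts(entries: List[TraceEntry]) -> Counter:
    """Samples spent in each CPU T-state; the Tw count shows how long the CPU waited (here while the DMA cycle ran)."""
    return Counter(e.t_state for e in entries if e.t_state)

def transfer_mismatches(entries: List[TraceEntry]) -> List[Tuple[int, Tuple[str, int, int], int, int]]:
    """Sanity check: a transfer's address/data must agree with the bus columns sampled on the same line."""
    return [(i, e.transfer, e.bus_addr, e.bus_data) for i, e in enumerate(entries)
            if e.transfer and (e.transfer[1] != e.bus_addr or e.transfer[2] != e.bus_data)]

if __name__ == "__main__":
    entries = parse_trace(SAMPLE_TRACE)
    print("bus states:", dict(bus_state_counts(entries)))
    for kind, addr, data in transfers(entries):
        print(f"{'fetch' if kind == 'f' else 'data'} [{addr:05X}] = {data:02X}")
    print("decoded:", decoded_instructions(entries))
    print("transfer/bus mismatches:", transfer_mismatches(entries))
```

The parser matches on whitespace-separated fields rather than fixed column positions, because trace text that has been through a web page or a copy-and-paste rarely keeps its alignment. The `transfer_mismatches` check is the kind of cross-check worth running on any decoded trace: the decoder's transfer annotation and the raw bus columns come from different stages of the pipeline, so a disagreement between them points at a decoder bug or a bad capture.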

You can try this out! Grab these files:
https://github.com/reenigne/reenigne/blob/master/8088/defaults_bin.asm
https://github.com/reenigne/reenigne/blob/master/8088/defaults_common.asm
https://github.com/reenigne/reenigne/blob/master/8088/trace/trace.asm
http://yasm.tortall.net/Download.html (NASM should work too with minor modifications).

Replace the code under "testRoutine:" with the code that you'd like to get a trace of (it needs to run exactly the same each time it's run, so be sure to initialize all registers and memory you use - I made that mistake and it had me scratching my head for a bit). Build trace.bin and upload it to http://www.reenigne.org/xtserver - within seconds you should get a link to a trace like the one above.

6 Responses to “ISA Bus Sniffer update”

  1. anormal says:

    Man, this is CRAZY... this is one of the coolest things I've seen in aeons.

    Can I run a shellcode exploit, do some privilege escalation thing and format your C:? xD xDD

    No seriously, downloading right now. I remember the old times when I wanted to know the exact length of the prefetch queues of different CPUs :D

    Ummm... just thinking, what happens if I run no valid code?

    thanks!

    • Andrew says:

      Code that you upload to the XT Server only runs on the XT. There's no hard drive in there to reformat, and (unless I've made a mistake) it should not be possible to escalate privileges and run code on the webserver machine (if you do find such a mistake, please do let me know!)

      If you run a trace.bin with no code, the sniffer will just sniff what happens on the XT after that (the harness code that waits for the sniffer to complete before starting the next iteration). The result will be a relatively boring trace I'm afraid!

      If you sniff code that is invalid - well, the 8088 does something with every opcode (it's not like later CPUs which trigger an interrupt on invalid instructions). So maybe you will find a useful new undocumented instruction! (Most of the ones that I have tried so far are just aliases of real opcodes that differ by a bit from the invalid opcode).

  2. anormal says:

    I read the article, I was joking :D I've never seen anything like that!

    I didn't know that about the 8088, ummm... I think I started right with the 8086 (my old Amstrad 1640), and never read a technical manual for the 8088.

    Of course this has many serious uses, as you guys did with the last demo, or timing all opcodes exactly, etc.

    Do you think this is extrapolable to, for example, an 8086? Or a 286? Without much work, I mean.

    • Andrew says:

      The 8086 doesn't trap on invalid opcodes either. Off the top of my head, I think the first x86 CPU that did that was the 286.

      The bus sniffer hardware and microcontroller software should work unmodified with an 8086 (and in fact I have an Amstrad PC1512 here that I intend to try it on at some point). The decoder will need some changes to recognize 16 bits of CPU data lines instead of 8. The trickier problem will be to get code running on it with exact repeatability as the CPU in that machine runs at 8MHz (but the PIT and hence the DRAM refresh are still driven from a 14.318MHz crystal). Perhaps I'll underclock it to 4.77MHz in order to measure 8086 timings.

      Bus-sniffing a 286 would require a whole new board, as there are a lot more connections on a 16-bit ISA bus, and a lot more connections on the 286 chip than on the 8088/8086 (so it'd need a more sophisticated way to tap the CPU lines as well). And there's a repeatability problem there too. If I can get hold of an IBM AT I might have a go at it once I'm done with the 8088 and 8086 though.
