• Please review our updated Terms and Rules here

Protected mode on 286 machines not designed for it

J

jrd

Member
Joined
Apr 29, 2015
Messages
37
I know that many low-end machines with a 286 processor used it only as fast 8088: the Tandy 1000 TX or TL, or many 286 accelerator cards for XTs. No 16-bit bus, no extended memory, no A20 line. So the usual verdict is they "can't run protected mode."

My question is: does that mean only "no Windows or DOS extender protected mode", or does that mean "protected mode is impossible so you can't even start it" for those machines?

I'm thinking of a simple demonstration program like the one mentioned in the "A toy protected mode program question" thread. If you wrote a custom program in assembly, setting up the GDT and IVT descriptors entirely in conventional memory and switched to protected mode, only touching hardware directly, surely the 286 would execute it? It wouldn't be DOS compatible at all, and you couldn't exit without rebooting, but has any TX owner ever tried it? Or are those machines specifically designed to defeat that, such as instantly rebooting when a switch to protected mode is detected? (Even then, at the very least I would expect LOADALL to work.)

I just wonder if anyone has ever performed the experiment on one of those low-end 286s.
 
As I understand it, and I reserve the right to be wrong, the problem isn't going to be starting protected mode; the problem is going to be switching back out, which requires the CPU to reset and BIOS support for that. It may be possible via triple fault to get the reset, and thus not have to have the AT keyboard controller hack, but unless I'm quite wrong (which is of course possible) you still need BIOS support to do The Right Thing after the reset.

If I were into x86 more it would sound like a cool hack; YMMV.

EDIT: I know you mentioned the boot cycle above, by the way.... There are ways of running protected mode programs in DOS; reference the 286 version of the Phar Lap extender. https://en.m.wikipedia.org/wiki/Phar_Lap_(company). If you could figure out how to save state across the triple fault and bring control back to your extender (maybe via the boot record; deathly slow, but maybe.....) perhaps you could pull it off.
 
Last edited:
It was possible to run OS/2 1.x without a DOS compatibility box and without ever returning to real mode. The software I wrote for OS/2 needed all the memory in protected mode in order to run on the selected hardware.

I did check but I can't find a reference to whether it is possible to switch into protected mode with a megabyte or less installed or what other specific conditions that these limited 286 machines might not meet.
 
I don't believe there's anything magic about protected mode on the 286 (well, maybe in the "cursed by a witch" sense.) Even the A20 hack is only needed to preserve 8086-specific behavior needed by a small handful of programs that rely on Dumb Tricks with it for no particularly compelling reason. A dedicated, non-BIOS, non-DOS protected-mode program shouldn't have any issue running on a non-AT 286 system, but it would of course have to be pretty specifically targeted at the hardware or risk running afoul of any subtle deviations from the PC/XT standard that the BIOS would normally mask.
 
It seems that Xenix 286 can run in protected mode on a system with as little as 512K so minimal protected mode operation should be possible.

I have no idea what will happen when the protected mode software discovers that the top address lines don't exist like with the Tandy 1000TX.
 
What difference would it make? Essentially, any program should be apprised of the amount of memory installed by the boot loader. Indeed, on a couple of non-PC systems, a reference outside of installed memory will cause a trap (each memory card or I/O device is required to acknowledge a valid address).
 
I had to refresh my knowledge before I could give you this comment. The 8088/8086 could only address up to 1 MB using a combination of segment and offset registers. When Intel developed the 80286 one goal was to be able to address more than 1 MB but what to do with backward compatibility? So the 80286 started up in 8086 mode, known as the "real"mode". When the user wanted to address the memory beyond the 1 MB, he had to switch the 80286 in what was called the "protected mode" using an opcode. In this mode the segment registers behave very differently. And that's why you have to turn of all interrupts when running DOS: all vectors are loaded with the "old" segment/offset words and have to be replaced by new ones first before they can be used again.

I have been experimenting with this all in the '80s but dropped that when the 80386 came on the market. What I can remember is:
- the 80286 checked after a reset if it was in protected mode by checking some memory locations. If the right code was found it skipped the POST and continued in real mode at a given address.
- a normal reset worked as well, you didn't need the 8042 to do that for you. I once used one of the pins of a custom I/O card to reset the AT.
- I know that I disconnected the circuit that disabled to use address line A20 and things still worked fine. As said above, maybe this is just needed for some software.

I hope this helps a bit.
 
Well, sort of. LOADALL allows for accessing memory beyond the 1MB boundary on the 80286 without switching to protected mode. It's only a little complicated in switching descriptor tables, but is lots faster than switching to PM and back again.
 
I agree that it's probably *possible* to flip the 286 into protected mode on a machine like a Tandy 1000 TX assuming you were diligent about making sure you've set up all the necessary moving parts, like setting suitable interrupt vectors and whatnot. But I'm also not sure what you'd really get out of it since, unlike protected mode on the 386, the memory model is still essentially the same as real mode (IE, you're not going to get a flat memory model or bigger registers, etc) and you'll also not gain any Extended memory. And, as noted, I don't think you'd be able to exit since so far as I'm aware the TX lacks the BIOS support for the "fast reset". (Per this document the "fast reset" depends on referencing a location in the CMOS RAM area; the 1000 TX or an XT with most 286 accelerator cards simply won't have this.) Also, because of that limitation, if you want to access disk drives or whatever you'll essentially need to write your own protected-mode replacements for the associated DOS and BIOS calls *that includes the raw hardware drivers*.

Not to discourage anyone from writing such a demo, but I'm curious what exactly you'd use to show off the difference of running in Protected Mode verses Real with only 640k to play with.
 
Well, you probably can switch back to real mode without supporting hardware by going through a full-scale reboot, but you'll have to save the previous contents of memory beforehand, as the POST tests wipe the contents of memory out, as well as re-initialize all of the peripherals.

In other words, it's not un-doable, but very slow and clumsy.
 
Chuck(G) said:
Well, you probably can switch back to real mode without supporting hardware by going through a full-scale reboot, but you'll have to save the previous contents of memory beforehand, as the POST tests wipe the contents of memory out, as well as re-initialize all of the peripherals.
Click to expand...

And of course you'll need your protected mode drivers for the bare hardware before you'll be able to save any memory contents to disk, so at that point there's not a lot to be gained in trying to return to real mode for anything because you've essentially already implemented a protected-mode BIOS/OS.
 
Yeah--I think it all goes to the idea that the 286 designers envisioned that once PM was entered, there would be no need to return to real mode. Indeed, I recall that Intel assumed the responsibility of getting the Xenix kernel working on the 286.
 
Tandy had a hand in 286 Xenix for the 3000; the developer of the z80ctl program under the kernel for the 6000 (68K) Xenix took great delight in the 6000 being faster than the 3000 running Xenix.....

As to why you'd want protected mode, well, extended memory is not the only feature. Protect mode is like Saturn; it has a ring system.
 
Ring-type protection systems (there are others) are useful primarily multi-user systems, where one user has a certain degree of protection against the bad actions of another. On a single-user system (which dominated the PC landscape in the 80286 era), not so much. I'd venture that the ability to designate access permissions on memory and I/O operations was far more valuable.

I was a bit surprised when the Cortex-M microcontrollers by STM all had memory management as well as privileged mode functions, which almost no code takes advantage of. Similar situation--if you write bad code, protections on a dedicated single-user system don't really matter.
 
lowen said:
As to why you'd want protected mode, well, extended memory is not the only feature. Protect mode is like Saturn; it has a ring system.
Click to expand...

Sure... but practically speaking I'm not sure where that's going to fit into a demo "interesting" enough to make it worth the trouble. "Hey, look, I intentionally wrote some bad code that tries to stomp on another process space, watch me make a Tandy 1000 TX be able to generate an exception instead!".

*shrug*, I guess 640k is more RAM than a PDP-11 with only the 18 bit address extension hardware had to play with, you could try porting UNIX 6 to it. But I think in the process you'd just start reliving the same agony as the people that struggled to get a decent UNIX-oid working on the 286 in the first place.
 
As far as memory, the Durango Poppy ran Xenix in 256K (80186/80286). The base machine came with 128K, but ISTR that Xenix in 128K wasn't a real possibility (my memory could be faulty). Probably one of the first 80286 boxes with Xenix; 1983.
 
Of course, does anyone actually have the source to Xenix to try to hack it to a new platform? If you had the source to both the 8086 version and a 286 port it might be possible to cobble something together for a 286-upgraded XT, but without it, well, good luck.
 
You must log in or register to reply here.
Back
Top