The last thing I see it do before triggering the reset in the log, is execute a C5 write multiple command to the hard disk?
The parameters are as follows(it's a 504MB HDD):
1F2=08h(thus a 4KB block being accessed)
1F3=30h
1F4=FFh
1F5=01h
1F6=A0h
1F7=C5h(write multiple).
That's found out by searching for "out " and "in " specifically in the log.
After that, port 1F7(the status register) reads 50h(which should mean that the drive is DSC, ready)?
It verifies that the write succeeded, and reaches 0008:8000312d.
One weird thing I also see, is that just before the reset, it writes 0xFE to CMOS register 15h, which should be the system base memory in KB LSB? So it's setting it to 254KB? That's according to http://bochs.sourceforge.net/techspec/PORTS.LST ?
It looks like it passed all tests, reaching 0008:800031e6.
Edit: Further down, it checks for AL=3, which passes again. It thus reaches 0008:80003440.
Edit: DRQ isn't set, so it reaches 0008:8000344a.
It loads something from a pointer, then loads ECX with it's value, finds it zeroed and jumps to 0008:800035aa.
It then checks some dword being 04h, not finding a match(it's 01h), then jumping to 0008:800035bc.
It then pushes something from the stack(03F6h)? It then calls the function pointer 80004c04, jumping to 0008:80014320.
It reads port 3F6 that was on the stack... It's 50h? So somehow, the drive/head register changed from A0h to 50h? So the top 4 bits somehow changed state after starting the command(without CPU intervention)?
So it looks like it somehow changed between CHS/LBA modes when executing the commands? Weird (bug???)?
It thus reaches 0008:800035c7 with the new drive/head register (50h) in the AL register?
Edit: So, it's changed from the master(boot disk) to the slave(not connected).
Edit: It compares BX with 1Eh(???) and finds it's not 1Eh. So it jumps to 0008:800035f6.
It checks the DRQ bit again, finds it not set. So it jumps to 0008:8000356f.
DI is set to non-zero, so it jumps to 0008:8000357b.
Some byte at [EDI+02] is not 02h, so it reaches to 0008:80003650.
ESI+49h is zero, so it jumps to 0008:800036ed.
EAX=0, so it jumps to 0008:80006614.
It loads EDX from the stack, then reaches 0008:80006617.
Don't have any time left right now. Need to resume checking the log later.
Edit: Resuming...
It loads ECX from EDX+Ch, loads said memory address data into EAX(10180h).
It then checks EAX bit 16. Finds it set and clears it. It then moves it back to said memory address(address 8076d254).
It then checks EDX+10h bit 4, finds it not 10h, thus jumping to 0008:80006658.
It sets up some parameters, then calls function 80008206.
Said function finds AL=FFh, thus reaching to 0008:80008211.
It pushes the equivalent of ECX from the stack(8076D200).
It then pushes said parameters once more and calls function 8000782c.
That function sets up it's stack frame, and loads the last pushed value into EAX.
It checks some parameter against 00h (02h). It finds that it's not lower or equal, thus reaches 0008:8000783c.
It looks said parameter up into a table(using EAX as a base), then finds it non-zero, thus reaching 0008:8000784e.
It does some more checks, thus reaching 0008:80007859.
Then one more check against the EAX memory address dereference itself, finding a match(00h), jumping to 8000786b.
This aborts the function?
It then checks EAX, finding it non-zero, thus reaching 0008:80008226. It then adds 40h to it, jumping to 80008251.
That aborts the function once again, reaching 0008:8000666e.
It loads ECX with ESI+CCh, then loads EDX from said address (807a91b4=>0h).
It then moves EAX(807aa3e8) into that location. So it's entering some kind of stack frame-like process?
It then jumps to 80006707.
That sets bits 2 of ESI+C8h.
It then returns to the caller, after restoring the ESI and EBP registers from the stack. It then reaches 0008:800036f7.
It then checks some byte against AL, reaching 0008:80003701 because it matches.
It saves ESI, then calls some function at [80004c18], at 0008:80003707, with parameter 01h at linear address f750e760.
This reaches the function at 0008:800065c4.
It sets up a stack frame, loads said 01h parameter into EAX, and sets up a stack frame. Thus reaching 0008:800065cb.
It finds EAX=01h(the function number pushes previously), thus setting 807a91B0(ESI+C8) bit 3.
Then it jumps to 0008:80006707, which sets bit 2 of said variable also.
It then returns to the caller, which resumes at 0008:8000370d.
That one cleans up, sets AL to 01h, then cleans up and returns once again. Thus reaching 0008:80006f61.
0008:80006f61 then checks bit 2, moves the result code into BL and because said bit was set reaches 0008:80006f68.
It then loads EAX from [EDI], adds 74h to it and pushes it on the stack(at f750e798). It then calls function pointer [80008778], which should be 0008:80116eae function 00h?
That pushes some more, then calling function pointer [80140bfc], jumping to 0008:80014410.
That loads al from the current thread ID low 8 bits(at 0008:80014412) from address FFDF024. The value of that is 0Dh.
It then changes that to 1Fh(which is the value of CL)? It then returns to 0008:80116ebd.
It stores the result in BL, then loads the process ID into EAX, which is ffdff120.
It the loads ESI, finds it zero, setting ECX to the process ID + 528h.
That's process ID ffdff648?
It then increases dword process ID+4F0 at 0008:80116ee2 by 1.
The same with process ID + 4E8.
It then stores ECX somewhere(807a90c0) at 0008:80116eee.
It then stores EBP somewhere(at 807a90b8).
It then sets EBP to process ID + 4E0.
It then clears EDX+18h by loading EDI there, at 0008:80116efa.
It then checks [EDX+03h] against 02h, which is 01h at 0008:80116efd. Finds it not 02h, thus jumping to 0008:80116f16.
It then loads EDI from the stack, becoming FFDFF600, storing at 807a90ac.
It then stores ECX at FFDFF600(at FS:600) at 0008:80116f21.
It checks [FS:60C] against zero, finds it zero, thus reaching 0008:80116f30.
Thus it sets EDI to ffdff5e0(FS:5E0).
It checks that location against zero, which it finds, ending up at 0008:80116f3a.
It checks 807a90a7 against 00h(CL), finds 01h. Thus jumps to 0008:80116f5b.
It then sets FS:5E0 to 01h. Then calls 0008:800149a4.
It sets FS:28h bit 2 at 0008:800149ad (Active RPC Handle).
The active RPC handle is now 04h. It loads something from address 8001575c+RPL handle low 2 bits into DL at 0008:800149c3.
It finds it's less or equal to 1Fh(CL) thus pops the flags and returns to 0008:80116f6c.
It then calls function 0008:80014440 after loading said limit(?) into EBX.
Thus it loads 0Dh into CX, masks it to 8-bits and switches the thread ID to 0Dh at 0008:80014448.
It then loads the RPC handle(04h) into and masks it using entry 0Dh(ECX), which is 0x3FFF0.
It finds it zero, thus reaching 0008:8001445d.
That returns to 0008:80116f74.
It eventually returns to caller because CL was 0, with AL=01h, reaching 0008:80006f78.
It then returns once again to caller, reaching 0008:8013f12a.
It then calls function pointer 80140c70, reaching 0008:80014494 after disabling interrupts.
It loads the RPC handle into EDX. ands it with ECX(0) entry at 80015680, which is FFFFFFFEh. Thus it stays 04h. Then it finds it non-zero and jumps to 0008:800144b4.
It then checks the Linear address of the thread-local storage array(FS:2C) mask FFFFFFF0 and finds it zeroed, thus reaching 0008:800144c0.
It finds said RPC handle highest bit set being 02h, which is less or equal to 02h, thus jumping to 0008:80014518.
It then jumps to the RPC handle? That's at 0008:8001451b, reaching 0008:80014b3b.
It saves the thread ID on the stack(00h). Then sets it to 02h.
It then clears the RPC handle bit 2, clearing it to 00h.
It then enables interrupts and calls function pointer 80015254 at 0008:80014b50, which is 0008:8013f470.
That loads the Environment Pointer into EBX.
It then adds 600h to it into EAX.
It compares it against that address(which reads 807A90A8), finds it not matching, reaching 0008:8013f481.
Ah well, after running the other thread(which should have been started with a MOV FS,BX(where BX=30h), thus reloading the current TIB?
It eventually calls a routine at 80006F80 at 0008:8013aaea?
And another subroutine is called at 0008:8013efd0, from 0008:80006fae.
So it's in the kernel somewhere now afaik?
Then another subroutine at 0008:80014410.
It then loads the thread ID into EAX again. 0Dh into CL and returns.
The caller stores it in stack address f750e728.
It then calls an address on the stack: 0008:80007722 from 0008:8013efee.
Well, it eventually tests the bitflags that had bit 2 and 3 set at 0008:80007732, reading from address 807a91b0, thus jumping to 0008:8000773e.
It then copies a block of memory (60 bytes) from 807a91b0 to f750e75c.
It then ANDs that flag(which was 0C) with 4180, thus it becoming zeroed.
It eventually calls routine 0008:8000782c.
And another zero check further down, reaching 0008:80007859, reaching 0008:8000785e.
Then once again zero, thus reaching 0008:8000786b.
It then checks CL from EDI+03(=01h) with 01h, which matches, jumping to 0008:800077d7. So something's changed now.
It sets CL to 1 and because EDI+08 was 0xFF, it jumps to 800077F5.
Because CL isn't zero, it reaches 0008:800077f9.
It checks if ECX is 64 ahead of EAX, which it is, reaching 0008:80007803.
It then sets EAX+30h to -1(all 32-bits set).
Then it jumps to 0008:80007818.
Then it loads ESI and finds it's zero, thus reaching 0008:80007823.
That sets AL(the result?) to 01h and returns to the caller at 0008:8013eff1.
It then calls function 0008:80014440.
It then sets the current thread ID to ECX, which is 2h.
Then the Active EPC handle(00h) into EDX?
It finds it's zeroed after masking, popping flags and returning to 0008:8013effc.
It then pops registers back, with EAX becoming EBX and returning to the caller using LEAVE and "RETD 0C".
The caller checks AL and finds it non-zero, reaching 0008:80006fb9.
It checks bit 4 of BP-40h, which isn't set, thus reaching 0008:80006fe9.
It then checks bit 5 as well, thus jumping to 0008:80007064.
It finds BP-3E bit 0 cleared, so jumping to 0008:800070b2.
It finds bit 3 of 0244e75c set, thus reaching 0008:800070b8.
It loads EAX from [ECX] ([807a90fc]) at 0008:800070bb, which is 1001h.
It masks DX with 1001h, and matches it, reaching 0008:800070cd.
It clears bit 0 and moves it back into [ECX].
It then checks bit 7 of said bitflags. It's cleared, reaching 0008:800070d7.
It then moves 0xFFFFFFFF into memory address 807a9104.
It then jumps to 0008:800070e8.
It checks bit 1 of a bitflag, finds it zeroed, jumping to 0008:800070f5.
And got no time left again. Need to resume the checking later.