cmos.lst

A Programmer s Reference to BIOS, DOS, and Third-Party Calls

CMOS-Memory Map			Release 61		Last change 16jul00
Copyright (c) 1989-1999,2000 Ralf Brown

Originally compiled from multiple sources by Padgett Peterson
<padgett@tccslr.dnet.mmc.com>.

No guarantees of any kind.

Copyrights/Trademarks belong to whoever they may belong to.

Found: Algorithm used by IBM in calculating CRC checksums for PS/2
       (see bytes 32h-33h). Complex (recursive part is 12 lines of
       assembly) and not yet validated for every model.
--------!---Note-----------------------------
			Background

The CMOS (complementary metal oxide semiconductor) memory is actually 
a 64 or 128 byte battery-backed RAM memory module that is a part of the 
system clock chip. Some IBM PS/2 models have the capability for a
2k (2048 byte) CMOS ROM Extension.

First used with clock-calender cards for the IBM PC-XT, when the PC/AT
(Advanced Technology) was introduced in 1985, the Motorola MC146818 
became a part of the motherboard. Since the clock only uses fourteen of 
the RAM bytes, the rest are available for storing system configuration data.

Interestingly, the original IBM-PC/AT (Advanced Technology) standard for 
the region 10h-3Fh is nearly universal with one notable exception: The 
IBM PS/2 systems deviate considerably (Note: AMSTRAD 8086 machines were 
among the first to actively use the CMOS memory available and since they 
*predate* the AT, do not follow the AT standard).

This is just another example of how IBM created a standard, lost control 
of it, tried to replace it, failed and lost market share in the process. 

Originally, the IBM PC/AT only made use of a small portion of CMOS memory
and was defined in the IBM PC/AT Technical Reference Manual, specifically 
bytes 10h, 12h, 14h-18h, 2Eh-33h. The balance was left undefined but was 
quickly appropriated by various BIOS manufacturers for such user-selectable 
options such as wait states, clock speeds, initial boot drive selection, and 
password storage.

Later, as CMOS memory requirements grew, newer clock chips with 128
bytes of RAM came into use. However the fact remains that once the AT 
standard was established, only IBM has tried to change the definitions 
of that first description.

			Accessing the CMOS

The CMOS memory exists outside of the normal address space and cannot
contain directly executable code. It is reachable through IN and OUT
commands at port number 70h (112d) and 71h (113d). To read a CMOS byte,
an OUT to port 70h is executed with the address of the byte to be read and
an IN from port 71h will then retrieve the requested information. The 
following BASIC fragment will read 128 CMOS bytes and print them to the 
screen in 8 rows of 16 values.

The CMOS RAM space has an upper limit of 128 bytes because of the structure
of port 70: only bits 0-6 are used for addressing, bit 7 is used to 
enable (0) or disable (1) Non-Maskable Interrupts (NMI) and explains why
IBM uses 80h OR <address> to read/write data & follows with  a "throw-away"
call.

Note that if the CMOS only has 64 bytes available, addressing will 
generally wrap and addresses from 40h-7Fh will mirror 00h-3Fh. Output will 
be hexadecimal.

10 CLS
20 FOR i = 0 TO &H7F 
30 OUT &H70, i
40 PRINT USING "\   \"; HEX$(INP(&H71));
50 NEXT i
60 PRINT " " 

Note: where not otherwise noted, all data points are expressed as BYTES
      these are eight bit values and are read from MSB to LSB e.g.
      0000 0000	    0101 1010 binary would be written as 5Ah
      7654 3210	    where only some bits are used this is represented with
		    Xs e.g bits 5-3 would be shown as 00xx x000

Note: the entries for AMI WinBIOS also apply to AMIBIOS with core dates of 
	12/15/95 or later


Newer BIOSes have two checksums in the CMOS RAM, the second one covering
bytes 40h through 7Ch (or 7Eh).  Unfortunately, the second checksum is at
a different location in different BIOSes.  The following code from 
Agapov Vasiliy Pavlovich <arhfond@online.ru> (28 Aug 1996) is designed to
find the location of the second checksum byte on *any* BIOS (successfully
tested on various versions of AMI and AWARD BIOSes).

Agapov's instructions for use:
> Before starting this code make sure to load the 128 bytes of CMOS data
> to the buffer at CMOS_DATA and assume DS as data area segment register.

START:	CALL	WHAT_CMOS
	JC	NO_SECOND_CHS

; Checksum location is in word at  CHECKS_ADDRESS

NO_SECOND_CHS:

; There's no second checksum in this CMOS

END:

;******************************* SUBS **********************************

WHAT_CMOS:	MOV	SI,OFFSET CMOS_DATA+40H
		MOV	DI,OFFSET CMOS_DATA+7EH
		CALL	FIND_CMOS_CHS
		JNC	END_WCMOS
		MOV	SI,OFFSET CMOS_DATA+41H
		MOV	DI,OFFSET CMOS_DATA+7EH
		CALL	FIND_CMOS_CHS
END_WCMOS:	RET


FIND_CMOS_CHS:	XOR	DX,DX
		MOV	AX,DX
FIND_CMOS_C1:	LODSB			; GET BYTE
		ADD	DX,AX
		CMP	SI,OFFSET CMOS_DATA+7CH	; ADDRESS OF CHECKSUM ?
		JB	FIND_CMOS_C1
		XCHG	DH,DL
		CMP	DX,[SI]		; CHECKSUM FOUND ?
		JZ	END_FCMOS
		XCHG	DH,DL
		CMP	SI,DI
		JB	FIND_CMOS_C1
		STC
		RET
END_FCMOS:	MOV	[CHECKS_ADDRESS],SI	; SAVE CHECKSUM POSITION
		CLC
		RET

******************************** DATA *******************************

CHECKS_ADDRESS	DW	0

CMOS_DATA	DB   128 DUP (?)

--------!---Note-----------------------------
		Organization of CMOS Memory - Clock

00h-0Eh is defined by the clock hardware and all must follow it.  Other 
manufacturers generally follow the same format as specified for the
region 10h - 2Fh. Some also follow the IBM format for 30h-33h but not all 
(Zenith in particular is different).

The first fourteen bytes are dedicated to the MC146818 chip clock functions 
and consist of ten read/write data registers and four status registers, two 
of which are read/write and two of which are read only.

The format of the ten clock data registers (bytes 00h-09h) is:

----------R00--------------------------------
CMOS 00h - RTC - SECONDS
Desc:	(BCD 00-59, Hex 00-3B)
Note: Bit 7 is read only	
SeeAlso: CMOS 01h,CMOS 02h,CMOS 04h
----------R01--------------------------------
CMOS 01h - RTC - SECOND ALARM
Desc:	(BCD 00-59, Hex 00-3B; "don't care" if C0-FF)
SeeAlso: CMOS 00h,CMOS 03h,CMOS 05h,CMOS 7Dh
----------R02--------------------------------
CMOS 02h - RTC - MINUTES
Desc:	(BCD 00-59, Hex 00-3B)
SeeAlso: CMOS 00h,CMOS 03h,CMOS 04h
----------R03--------------------------------
CMOS 03h - RTC - MINUTE ALARM
Desc:	(BCD 00-59, Hex 00-3B; "don't care" if C0-FF))	
SeeAlso: CMOS 00h,CMOS 02h,CMOS 05h,CMOS 7Dh,CMOS 7Eh"AMD-645"
----------R04--------------------------------
CMOS 04h - RTC - HOURS
Desc:	(BCD 00-23, Hex 00-17 if 24 hr mode)
	(BCD 01-12, Hex 01-0C if 12 hr am)
	(BCD 81-92. Hex 81-8C if 12 hr pm)	      
SeeAlso: CMOS 00h,CMOS 02h,CMOS 05h
----------R05--------------------------------
CMOS 05h - RTC - HOUR ALARM
Desc:	(same as hours; "don't care" if C0-FF))	    
SeeAlso: CMOS 01h,CMOS 03h,CMOS 04h
----------R06--------------------------------
CMOS 06h - RTC - DAY OF WEEK
Desc:	(01-07 Sunday=1)    
SeeAlso: CMOS 07h,CMOS 08h,CMOS 09h
----------R07--------------------------------
CMOS 07h - RTC - DATE OF MONTH
Desc:	(BCD 01-31, Hex 01-1F)
SeeAlso: CMOS 06h,CMOS 08h,CMOS 09h
----------R08--------------------------------
CMOS 08h - RTC - MONTH
Desc:	(BCD 01-12, Hex 01-0C)	  
SeeAlso: CMOS 06h,CMOS 07h,CMOS 09h
----------R09--------------------------------
CMOS 09h - RTC - YEAR
Desc:	(BCD 00-99, Hex 00-63)	  
Notes:	BCD/Hex selection depends on Bit 2 of register B (0Bh)
	12/24 Hr selection depends on Bit 1 of register B (0Bh)
	Alarm will trigger when contents of all three Alarm byte registers
	  match their companions.
SeeAlso: CMOS 06h,CMOS 07h,CMOS 08h

The following is the on-chip status register information. 

----------R0A--------------------------------
CMOS 0Ah - RTC - STATUS REGISTER A (read/write) (usu 26h)

Bitfields for Real-Time Clock status register A:
Bit(s)	Description	(Table C0001)
 7	=1 time update cycle in progress, data ouputs undefined 
	(bit 7 is read only)
 6-4	22 stage divider
	010 = 32768 Hz time base (default)
 3-0	rate selection bits for interrupt
	0000 none
	0011 122 microseconds (minimum)
	1111 500 milliseconds	
	0110 976.562 microseconds (default 1024 Hz)
Notes:	some operating systems seem to change the CMOS clock rate to slower
	  values for unknown purposes. Since on older ATs the clock rate does
	  not get restored after a cold boot, this may slow down disk
	  operations for example under PC DOS which depends on the clock rate.
	If IBMBIO.COM finds a model byte FCh (sub-models 00h, 01h, 02h, 03h,
	  or 06h) during init, it resets the clock rate to the default value
	  (00100110b).
SeeAlso: #C0002,#C0003,#C0004
----------R0B--------------------------------
CMOS 0Bh - RTC - STATUS REGISTER B (read/write) 

Bitfields for Real-Time Clock status register B:
Bit(s)	Description	(Table C0002)
 7	enable clock setting by freezing updates
 6	enable periodic interrupt
 5	enable alarm interrupt
 4	enable update-ended interrupt
 3	enable square wave output
 2	Data Mode - 0: BCD, 1: Binary
 1	24/12 hour selection - 1 enables 24 hour mode
 0	Daylight Savings Enable
	=1 enables automatic switching to/from DST in April and October
Notes:	some operating systems seem to change the CMOS clock rate to slower
	  values for unknown purposes. Since on older ATs the clock rate does
	  not get restored after a cold boot, this may slow down disk
	  operations for example under PC DOS which depends on the clock rate.
	If IBMBIO.COM finds a model byte FCh (sub-models 00h, 01h, 02h, 03h,
	  or 06h) during init, it resets the clock rate to the default value
	  (00100110b).
SeeAlso: #C0001,#C0003,#C0004
----------R0C--------------------------------
CMOS 0Ch - RTC - STATUS REGISTER C (Read only)

Bitfields for Real-Time Clock status register C:
Bit(s)	Description	(Table C0003)
 7	Interrupt request flag
	=1 when any or all of bits 6-4 are 1 and appropriate enables
	  (Register B) are set to 1. Generates IRQ 8 when triggered.
 6	Periodic Interrupt flag
 5	Alarm Interrupt flag 
 4	Update-Ended Interrupt Flag
 3-0	unused
SeeAlso: #C0001,#C0002,#C0004
----------R0D--------------------------------
CMOS 0Dh - RTC - STATUS REGISTER D (read only)

Bitfields for Real-Time Clock status register D:
Bit(s)	Description	(Table C0004)
 7	Valid RAM - 1 indicates battery power good, 0 if dead or disconnected.
 6-0	unused (0)
--------!---Note-----------------------------
		Organization of CMOS Memory - non-Clock

The last two bytes in the first hexadecimal decade (hexade ?) were not 
specified in the PC/AT but may have the following use on some systems:
----------R0E--------------------------------
CMOS 0Eh  - IBM PS/2 - DIAGNOSTIC STATUS BYTE 

Bitfields for IBM PS/2 diagnostic status byte:
Bit(s)	Description	(Table C0005)
 7	indicates clock has lost power
 6	incorrect checksum
 5	equipment configuration is incorrect
	  (power-on check requires that at least one floppy be installed)
 4	error in memory size
 3	controller or disk drive failed initialization
 2	time is invalid
 1	installed adaptors do not match configuration
 0	time-out while reading adaptor ID
Note:	Compaq machines with dual hard disk controllers support at least bits
	  7 and 6
----------R0E13------------------------------
CMOS 0Eh-13h - AMSTRAD - TIME AND DATE MACHINE LAST USED
----------R0F--------------------------------
CMOS 0Fh - IBM - RESET CODE (IBM PS/2 "Shutdown Status Byte")

(Table C0006)
Values for Reset Code / Shutdown Status Byte:
 00h-03h perform power-on reset
   00h	software reset or unexpected reset
   01h	reset after memory size check in real/virtual mode
	(or: chip set initialization for real mode reentry)
   02h	reset after successful memory test in real/virtual mode
   03h	reset after failed memory test in real/virtual mode
 04h	INT 19h reboot
 05h	flush keyboard (issue EOI) and jump via 40h:0067h
 06h	reset (after successful test in virtual mode)
	(or: jump via 40h:0067h without EOI)
 07h	reset (after failed test in virtual mode)
 08h	used by POST during protected-mode RAM test (return to POST)
 09h	used for INT 15/87h (block move) support
 0Ah	resume execution by jump via 40h:0067h
 0Bh	resume execution via IRET via 40h:0067h
 0Ch	resume execution via RETF via 40h:0067h
 0Dh-FFh perform power-on reset
--------!---Note-----------------------------

The second group of values extends from address 10h to 2Dh. The word at
2Eh-2Fh is a byte-wise summation of the values in these bytes. Most BIOSes
will generate a CMOS Checksum error if this value is invalid however many 
programs ignore the checksum and report the apparent value. The current
version of MSD reports my XT as having 20+ MB of extended memory. 

Where a definiton appears universal, no identification is made. Where
the definition is thought to be specific to a manufacturer/model (AMI, 
AMSTRAD, IBM AT, IBM PS/2) the identification is enclosed in parens. The
AMSTAD definitions appear to relate to 8088/8086 (PC and PC/XT class)
mchines only. AT class machines appear to adhere to IBM PC/AT fornat.

----------R10--------------------------------
CMOS 10h - IBM - FLOPPY DRIVE TYPE
Note:	a PC having a 5 1/4 1.2 Mb A: drive and a 1.44 Mb B: drive will
	  have a value of 24h in byte 10h. With a single 1.44 drive: 40h.

Bitfields for floppy drives A/B types:
Bit(s)	Description	(Table C0007)
 7-4	first floppy disk drive type (see #C0008)