
Details

Operation

How Probe Mode works on the P6 is simple. To halt the processor, the engineer asserts the PREQ# pin on the CPU; the CPU replies by asserting PRDY#. The engineer then submits x86 instructions one at a time to the Probe Instruction Register using the WRSUBPIR TAP command. With these instructions he can write registers and memory and access I/O devices.

For instance, to write a register, he can put the following x86 instruction into the Probe Instruction Register:

mov register, value_to_write

Or to write memory:

mov edx, memory_address
mov eax, value_to_write
mov [edx], eax

Or to write I/O:

mov dx, io_address
mov ax, value_to_write
out dx, ax

To read registers and memory, he first moves the data to be read into the EAX register. He then issues an RDMSR targeting the PDR MSR (71h), which latches EAX into the Probe Data Register, and finally executes the READPDR TAP command to shift the PDR out of the JTAG shift register.

For example, to read memory,

mov edx, memory_address
mov eax, [edx]
mov ecx, 71h
rdmsr
Execute READPDR TAP command

Or to read registers,

mov eax, register_to_read
mov ecx, 71h
rdmsr
Execute READPDR TAP command
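The write and read sequences above, composed into host-side helpers against a mocked TAP interface. This is an added example, not code from HardICE or Intel: MockProbeTarget is a constructed stand-in for a halted CPU (WRSUBPIR executes one instruction, RDMSR on MSR 71h latches EAX into the PDR as described above, READPDR returns it), and the opcode encodings are the standard 32-bit x86 ones.

```python
import struct

PDR_MSR = 0x71           # MSR targeted by the "mov ecx, 71h / rdmsr" sequence
EAX, ECX, EDX = 0, 1, 2  # register numbers used in the B8+r encoding

def mov_imm(reg, imm):
    """mov r32, imm32  ->  B8+r imm32 (little-endian)."""
    return bytes([0xB8 + reg]) + struct.pack("<I", imm)

MOV_MEM_EAX = b"\x89\x02"  # mov [edx], eax
MOV_EAX_MEM = b"\x8B\x02"  # mov eax, [edx]
RDMSR = b"\x0F\x32"        # rdmsr

class MockProbeTarget:
    """Constructed model of a halted CPU reached over TAP (hypothetical, not hardware)."""
    def __init__(self):
        self.reg = {EAX: 0, ECX: 0, EDX: 0}
        self.mem = {}      # physical address -> 32-bit value
        self.pdr = 0       # Probe Data Register
    def wrsubpir(self, insn):
        """Execute one instruction placed in the Probe Instruction Register."""
        op = insn[0]
        if 0xB8 <= op <= 0xBF:                       # mov r32, imm32
            self.reg[op - 0xB8] = struct.unpack("<I", insn[1:5])[0]
        elif insn == MOV_MEM_EAX:
            self.mem[self.reg[EDX]] = self.reg[EAX]
        elif insn == MOV_EAX_MEM:
            self.reg[EAX] = self.mem.get(self.reg[EDX], 0)
        elif insn == RDMSR and self.reg[ECX] == PDR_MSR:
            self.pdr = self.reg[EAX]                 # latch EAX into the PDR
        else:
            raise ValueError("unsupported instruction %s" % insn.hex())
    def readpdr(self):
        """READPDR TAP command: shift the PDR out of the JTAG shift register."""
        return self.pdr

def probe_write_mem(target, addr, value):
    """Write sequence from the page: mov edx, addr; mov eax, value; mov [edx], eax."""
    for insn in (mov_imm(EDX, addr), mov_imm(EAX, value), MOV_MEM_EAX):
        target.wrsubpir(insn)

def probe_read_mem(target, addr):
    """Read sequence: mov edx, addr; mov eax, [edx]; mov ecx, 71h; rdmsr; READPDR."""
    for insn in (mov_imm(EDX, addr), MOV_EAX_MEM, mov_imm(ECX, PDR_MSR), RDMSR):
        target.wrsubpir(insn)
    return target.readpdr()

if __name__ == "__main__":
    t = MockProbeTarget()
    probe_write_mem(t, 0x1000, 0xDEADBEEF)
    print(hex(probe_read_mem(t, 0x1000)))
```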

Tracing

For the Pentium M, an ODLAT (on-die logic analyzer trigger) feature has been added. This feature provides 3 triggers that stop the processor when certain values appear on the processor bus. The triggers allow don't-care bits to be set. It is also possible to make trigger C active only after trigger B has been hit, which in turn is active only after trigger A has been hit. When a trigger is hit, the processor toggles the BPM0, BPM1 or BPM2 pin, depending on which trigger fired. American Arium terms this a 3-level bus analyzer breakpoint feature.

Since the Pentium 4 processor, an Extended Execution Trace feature has been added. This makes the processor emit a packet over the BPM0-7 pins when special instructions or events occur, such as WRMSR, RDMSR, interrupts, I/O transactions and MWAIT transitions. To enable Extended Execution Trace, special microcode patches must be applied through the BIOS microcode update feature. Similarly, special microcode patches can be applied so that the BTM messages emitted by the processor include timestamps.

For the Pentium 4 only, there exists a second type of Extended Execution Trace, called microcode Extended Execution Trace. It is suspected that this allows the CPU to emit special packets on the BPM pins when certain microcode instructions are executed.

Control bus

On most processors, it is also possible to access the Control Register Bus present on the CPU. Via the TAP commands CRBGO and CRBNOGO, this allows one to read/write internal registers that are not visible to software. The Control Register Bus in turn gives access to internal arrays and functions on the processor, such as the LLC and the microcode/VFuse PROM.

Fuses

It is also possible to read/write fuses on the CPU. There are two types of fuses: the VFuse and the UFuse. VFuses are bits in a PROM that sits on the CPU package but outside the CPU silicon die. This PROM also contains the microcode that the CPU loads during cold boot. The PROM, and thus the VFuses, can be read or written by manipulating the internal registers on the Control Register Bus. The properties of UFuses are currently unknown, but they are speculated to be fuses on the silicon die itself.

Microcode

There are 2 TAP registers that allow the engineer to set a breakpoint on a 48-bit microcode address. These registers are accessed with the TAP commands BRKPTCTLA and BRKPTCTLB.

The author admits that this article is not comprehensive. If you have anything to add or contribute, please post your contributions in the comments below.