Overview of Pentium Probe Mode
by
Robert R. Collins


The Pentium is equipped with a debugging mode, known as Probe Mode. Probe mode is used for diagnostic purposes for newly designed motherboards, and In-Circuit Emulator (ICE) support. Probe mode is not an user-accessible operating mode which can be enabled or disabled through software control. Probe mode is only accessible through a combination of Boundary Scan registers and dedicated pins. The probe mode registers lie in the boundary scan register space of the Test Access Port (TAP), and are accessible only through the JTAG support pins[1].

While in probe mode, the Pentium may examine and modify the internal and external state of a system. Memory and I/O space may be examined and modified. All internal CPU registers may also be examined and modified -- including control registers (CRn), debug registers (DRn), and MSR's.

During probe mode, the normal execution of instructions is interrupted, and the Pentium enters a dormant state. While previous x86 processors with embedded ICE support were in ICE mode, unbeknownst to the target system, they were still executing x86 ICE program instructions. In these processors, ICE mode was an alternate operating mode of the CPU, with its own dedicated program and memory space (exactly like System Management Mode (SMM) is to the Pentium). But unlike these previous x86 processors, Pentium probe mode is truly a static state whereby prefetch and decode does not occur at any level, for any purpose. Probe mode instructions to examine or modify registers, memory, or I/O space are fed directly into the Pentium's execution unit(s), thereby bypassing the prefetch and decode stages altogether.

Probe Mode Implementation

Probe mode is implemented via extensions to the boundary scan instruction set, two pins, and three (or possibly more) probe mode registers. The boundary scan extensions which support probe mode include instructions to Begin Probe Mode, End Probe Mode, Build Probe Instruction, Execute Probe Instruction, Access Probe Data Register, and possibly (highly probable) instructions to Flush Data Cache, Flush Code Cache, and Flush Both Caches[4][5]. The probe mode boundary scan instructions are marked as Private Instructions in the Pentium boundary scan instruction set summary[2]. The two pins defined to support probe mode are R/S#, and PRDY. These pins are described (somewhat incompletely) in the Pentium data sheet. The registers used to support probe mode are the Probe Instruction Register (PIR), Probe Data Register (PDR),Probe Mode Control Register (PMCR), and possibly a Probe Status Register (PSR)[3].

When in probe mode, the processor is in a dormant state. Prefetch and decode do not occur. Any exceptions, NMI, or external interrupts which are pending, or may become pending are not serviced until termination of probe mode. Snoops, cache line fills, and writebacks may occur during probe mode, since probe mode may perform memory-based operations with the cache enabled[4].

To Enter and Exit Probe Mode

Probe mode is entered by three possible methods. First the processor may receive an Begin Probe Mode instruction from the boundary scan instruction set. Upon such a receipt, the processor immediately halts execution at the next instruction boundary, and asserts PRDY. Once PRDY is asserted, the processor is ready to receive probe mode instructions, via the boundary scan mechanism. To exit probe mode, execute the boundary scan instruction Exit Probe Mode, or external hardware must force R/S# from high to low, then to high again. It is the low-to-high transition which forces the Pentium to exit probe mode[4].

Secondly, probe mode may be entered when external hardware asserts R/S#. The processor will respond by asserting PRDY when it is ready to accept probe mode instructions. To exit probe mode, external hardware must force R/S# back high. The boundary scan instruction, End Probe Mode, will not work to exit probe mode for this entrance method. Since R/S# was asserted to enter probe mode, forcing it high is not only sufficient, but is the only means to exit[1].

Thirdly, the Pentium itself may enter probe mode whenever a debug exception occurs. For this to occur, the Probe Mode Control Register (PMCR) must be set to allow a debug exception to enter probe mode. When the PMCR is set in such a manner, any debug exception which occurs will cause the Pentium to enter probe mode. These conditions are debug exceptions which occur because a debug register breakpoint is detected, a single-step trap occurs, a task switch occurs into a TSS whose T-bit is set, DR7.GD=1, and there was an attempt to access one of the debug registers, or the debug exception instruction was executed -- ICEBP. When PMCR[0]=1, the occurrence of any of these conditions will cause the Pentium to enter probe mode. Once one of these conditions occurs, the Pentium will immediately enter probe mode, and assert PRDY and is ready to accept probe mode instructions. To exit probe mode, execute the boundary scan instruction End Probe Mode, or external hardware must force R/S# from high to low, then to high again[4].

Probe Mode Instructions

Probe instructions are composed in the Probe Instruction Register. The PIR has full control over the both Pentium execution units (u-pipe, and v-pipe), and the FPU core. The PIR format is logically split between the u-pipe and v-pipe, or the FPU pipe, and v-pipe Therefore two micro-coded instructions may be submitted simultaneously using the PIR. Composing probe mode instructions may require writing the PIR multiple times. If such is the case, the PIR is updated after each Build Probe Instruction boundary scan instruction is executed. Once the micro-instruction for each pipe is completely composed, issuance of Execute Probe Instruction will cause execution of the probe mode instruction[5].

Conclusions

Pentium probe mode is highly dependent on the dual pipe architecture of the Pentium. Probe mode provides a non-intrusive method to read and write any aspect of the microprocessor state, memory space, or I/O space. When in probe mode, the Pentium remains in a dormant state, waiting to accept probe mode instructions, until it is instructed to exit probe mode. Resumption from probe mode is equally non-intrusive -- as no states of the processor have changed, unless instructed to do so by probe mode instructions. Probe mode instructions are composed and fed directly into the u-pipe, v-pipe, and FPU of the Pentium. Instructions exist to examine and modify any internal register, including MSR's. There are no protection checks against probe mode instruction operands, and the results of submitting errant operands is indeterminate at this time. Probe mode provides an ideal means to implement a hardware-based debugger, due to its non-intrusive nature.


References

  1. Pentium Processor® Family Developer's Manual, Volume 1 (Chapter 31)
  2. Pentium Processor® Family Developer's Manual, Volume 1 (Chapter 11)
  3. Microtek In-Circuit Test Probe Manual, and Help files.
  4. Observed behavior using ICE, logic analyzer, or both.
  5. Pure Speculation.


Back to Books and Articles home page