A20 gate

The A20-Gate is an electronic circuit in a PC which enables or blocks the 21st address line of a CPU compatible with the 80286 processor .

A20 means “address line 20”. This is the 21st address line, since the counting starts from A0. The English term gate refers to a logic gate . One also speaks of the "A20-line" or the "A20 line".

If the gate is "set", the A20 line output by the CPU is forwarded to the address bus of the system (and thus ultimately to the main memory) ; if the gate is "deleted", the CPU will do this on the A20 line output signal suppressed, and always a logical 0 applied to the system bus.

The A20 gate allows a 286 (and larger) processor with more than 20 address lines to emulate an older 8086 with only 20 address lines (A0 to A19).

Architecture of the 8086

The Intel 8086 CPU addresses the memory according to a segmentation model. The available main memory is divided into 64 KiB units (so-called segments, in certain contexts also called paragraphs). Each of these segments can be used to address 64 KiB of memory by adding an offset. Both the segment and the offset are 16-bit values. The 20-bit address of the addressed memory area is then calculated using the formula

Segment 16 + offset,

which results in an address space of a little more than 1 MiB .

The 8086 has a physical 20-bit address bus, with which exactly 1 MiB of memory can be addressed, with the addresses 0 ₁₆ to FFFFF ₁₆ . If you now use the maximum segment value of FFFF ₁₆ and an offset of 0 ₁₆ to F _{16 as a} basis, the address range can be from

FFFF ₁₆ · 10 ₁₆ + 0 ₁₆ = FFFF0 ₁₆

to

FFFF ₁₆ · 10 ₁₆ + F ₁₆ = FFFFF ₁₆

can be achieved. However, if the offset is greater, a carry over to the 21st bit takes place. In total, 65520 bytes more can be addressed than the 20 address lines can address. The 8086 ignores this carry, so that there is an overflow to the first 65520 bytes of the main memory. Since the segments overlap, all addresses can be represented with exactly 4096 combinations of segment and offset. The address 12345 ₁₆ can e.g. B. with segment 1234 ₁₆ and offset 5 ₁₆ , but also with segment 1200 ₁₆ and offset 345 ₁₆ . If the limit of 1 MiB is exceeded, there are further combinations that access the same memory cell. The resulting ambiguity complicates the use of the memory u. U. considerably.

Architecture of the 80286

With the introduction of protection mode (protected mode), the address was 80286 CPU increases over their predecessors to 24 bits. As a result, this CPU can now address 16 MiB instead of just 1 MiB. However, the address calculation logic of the CPU can no longer simply ignore transfers (like the one to the 21st address line). The calculation FFFF ₁₆ · 10 ₁₆ + FFFF ₁₆ on an 80286 CPU no longer results in the address FFEF ₁₆ , but rather 10FFEF ₁₆ .

MS-DOS 1.25 and some application programs, however, assume that the transfer to the 21st address line will be cut off and will otherwise not work properly. The problem arose that the new PC / AT would not be sufficiently compatible with the PC / XT . But you couldn't simply disconnect the A20 line either, otherwise you would still have been limited to a maximum of 1 MiB memory - a key selling point for the PC / AT would have been invalid. The A20 gate was invented as a solution.

How the A20 gate works

To maintain backward compatibility, IBM built a logic gate into the A20 address line to make this address line switchable. In order to save chip, the gate on the already existing will Keyboard - Controller controlled, the one previously unused bit of the control register for it provides.

Problems with the A20 gate

The first problem is that the keyboard controller is a slow and complicated detour by PC standards. The second, by far more serious problem, however, is that the state of the gate was nowhere to be found. Only later was a possibility for querying via a BIOS function implemented by IBM. When the first caches external to the processor appeared, further problems arose: The cache must be able to differentiate between the two states in order to not deliver obsolete data from the wrong memory area. Another problem arises from the switch between protected mode and real mode. Since the 80286 does not plan to switch from Protected Mode back to Real Mode, but this functionality is required in the PC / AT, IBM used another interconnection that ensures that the CPU receives a reset signal, and so that it falls back into real mode as soon as it goes into shutdown mode (with triple fault ). It was possible to switch back to real mode by specifically provoking a triple fault. If, however, the A20 line is masked, the CPU searches for its first command to be executed after the reset instead of the address FFFFF0 ₁₆ at EFFFF0 ₁₆ - a memory area that was rarely equipped with RAM or ROM at the time. When the HMA is used by MS-DOS (version 4 and higher), the state of the masking often has to be changed, which requires a complex control of the state of the gate.

From the i486 onwards, a pin A20M was made available on the processor. The AT keyboard controller (or its compatible, but faster equivalent) can use this to report the need for masking directly to the CPU, which then carries out the masking itself. The state of the pin is only queried and implemented in real mode of the CPU. There is no masking in Protected Mode and Virtual 8086 Mode. The emulated masking of the A20 in virtual 8086 mode can be solved via paging.

Hack possibilities on systems with A20 masking

Xbox

The A20-Gate can be used to bypass the secret ROM and to run programs in the flash memory . To do this, the address line A20 # of the CPU is connected to GND. The Xbox then does not start from the address FFFFFFF0 ₁₆ in the secret ROM, but from the address FFEFFFF0 ₁₆ , which is in the flash. A program can be stored there, for example, which reads the secret ROM via the I²C bus.

Future of the A20 gate

Since the Intel Haswell micro-architecture , the A20-Gate is no longer supported by Intel desktop CPUs. Until then, all current (Intel-compatible) computers had an A20 gate. In fact, it is rarely used. To be precise, it is needed every time the computer is started because it is switched over by the operating system. It would be easier, however, to deactivate the memory circulation from the beginning, only then DOS would no longer run (correctly) on current computers. B. would prevent the use of many startup disks.

Individual evidence

↑ Michael Steil, 17 Mistakes Microsoft Made in the Xbox Security System (PDF; 246 kB).
↑ Intel® 64 and IA-32 Architectures Developer's Manual: Vol. 3A. In: Intel. Retrieved November 1, 2016 .

Web links

A20 gate in the electronics compendium

[1] Michael Steil, 17 Mistakes Microsoft Made in the Xbox Security System (PDF; 246 kB).

[2] Intel® 64 and IA-32 Architectures Developer's Manual: Vol. 3A. In: Intel. Retrieved November 1, 2016 .