LoopZ · shidel · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
diff --git a/...4 SERIAL COMMUNICATIONS COM1 CPUgenerated 80286/INT 0C CPUgenerated 80286 STACK FAULT.txt b/...4 SERIAL COMMUNICATIONS COM1 CPUgenerated 80286/INT 0C CPUgenerated 80286 STACK FAULT.txt
@@ -9,8 +9,11 @@ Desc:	this interrupt is generated in protected mode on a stack overflow or
 	  underflow, or if an inter-level transition or task switch references
 	  a stack segment marked "not present"; it is generated in real mode
 	  on accessing a word operand at SS:FFFFh
+	generated on any access that crosses segment limits using SS
+	collides with IRQ #4 default handler. in Real 86 Mode, the two may
+	  be distinguished by checking the In-Service Register of the PIC
 Note:	the 80286 will shut down in real mode if SP=1 before a push.  On the
 	  PC AT and compatibles, external circuitry generates a reset on
 	  shutdown.
 SeeAlso: INT 0B"CPU",INT 0D"CPU"
-
+
diff --git a/...PT2reserved CPUgenerated 80286/INT 0D CPUgenerated 80286 GENERAL PROTECTION VIOLATION.txt b/...PT2reserved CPUgenerated 80286/INT 0D CPUgenerated 80286 GENERAL PROTECTION VIOLATION.txt
@@ -17,6 +17,8 @@ Notes:	called in real mode when
 	    an instruction exceeds the maximum length allowed (10 bytes for
 	      80286, 15 bytes for 80386/80486)
 	    an instruction wraps from offset FFFFh to offset 0000h
+	collides with IRQ #5 default handler. in Real 86 Mode, the two may
+	  be distinguished by checking the In-Service Register of the PIC
 	called in protected mode on protection violations not covered by INT 06
 	  through INT 0C, including
 	    segment limit violations
@@ -26,4 +28,4 @@ Notes:	called in real mode when
 	    wrong descriptor type
 	called on 80486 protected-mode floating-point protection fault
 SeeAlso: INT 09"80486",INT 0C"STACK"
-
+
diff --git a/...OS KERNEL DEALLOCATE HMA MEMORY BLOCK.txt → ... 7 kernel DEALLOCATE HMA MEMORY BLOCK.txt b/...OS KERNEL DEALLOCATE HMA MEMORY BLOCK.txt → ... 7 kernel DEALLOCATE HMA MEMORY BLOCK.txt
@@ -4,7 +4,7 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - DOS KERNEL - (DE)ALLOCATE HMA MEMORY BLOCK
+INT 2F U - MS-DOS 7 kernel - (DE)ALLOCATE HMA MEMORY BLOCK
 	AX = 4A03h
 	CX = segment of block's owner to allocate, if 0 then 1 is used
 	    (MS-DOS v5 AX=4A02h passes INT 2F caller's CS as the owner)

diff --git a/... KERNEL GET START OF HMA MEMORY CHAIN.txt → ... kernel GET START OF HMA MEMORY CHAIN.txt b/... KERNEL GET START OF HMA MEMORY CHAIN.txt → ... kernel GET START OF HMA MEMORY CHAIN.txt
@@ -4,12 +4,12 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - DOS KERNEL - GET START OF HMA MEMORY CHAIN
+INT 2F U - MS-DOS 7 kernel - GET START OF HMA MEMORY CHAIN
 	AX = 4A04h
 Return: AX = 0000h if function supported
 	    ES:DI -> first HMA memory control block (see #02800)
 
-Format of Windows95 HMA memory control block:
+Format of MS-DOS 7 kernel HMA memory control block:
 Offset	Size	Description	(Table 02800)
  00h  2 BYTEs	signature "MS" (4Dh 53h)
  02h	WORD	segment of owner (or segment at which to address block???)

diff --git a/...ws/INT 2F4A16 Windows95 OPEN BOOT LOG.txt → ...T 2F4A16 MSDOS 7 kernel OPEN BOOT LOG.txt b/...ws/INT 2F4A16 Windows95 OPEN BOOT LOG.txt → ...T 2F4A16 MSDOS 7 kernel OPEN BOOT LOG.txt
@@ -4,12 +4,12 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - OPEN BOOT LOG
+INT 2F U - MS-DOS 7 kernel - OPEN BOOT LOG
 	AX = 4A16h
 Return: AX = status
 	    0000h successful
 	    FFFFh boot log file already open
 	    else  DOS error code
 	BX destroyed
 SeeAlso: AX=4A17h,AX=4A18h
-
+
diff --git a/...NT 2F4A17 Windows95 WRITE TO BOOT LOG.txt → ...4A17 MSDOS 7 kernel WRITE TO BOOT LOG.txt b/...NT 2F4A17 Windows95 WRITE TO BOOT LOG.txt → ...4A17 MSDOS 7 kernel WRITE TO BOOT LOG.txt
@@ -4,7 +4,7 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - WRITE TO BOOT LOG
+INT 2F U - MS-DOS 7 kernel - WRITE TO BOOT LOG
 	AX = 4A17h
 	CX = number of bytes to write
 	DS:DX -> message to write (must include CR-LF if it is desired)
@@ -14,4 +14,4 @@ Return: AX = status
 	    else  DOS error code
 Note:	calls the code for INT 2F/AX=4A21h after writing to the file
 SeeAlso: AX=4A17h,AX=4A18h,AX=4A21h
-
+
diff --git a/...s/INT 2F4A18 Windows95 CLOSE BOOT LOG.txt → ... 2F4A18 MSDOS 7 kernel CLOSE BOOT LOG.txt b/...s/INT 2F4A18 Windows95 CLOSE BOOT LOG.txt → ... 2F4A18 MSDOS 7 kernel CLOSE BOOT LOG.txt
@@ -4,12 +4,12 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - CLOSE BOOT LOG
+INT 2F U - MS-DOS 7 kernel - CLOSE BOOT LOG
 	AX = 4A18h
 Return: AX = status
 	    0000h successful
 	    FFFFh boot log file not open
 	    else  DOS error code from closing file
 	BX destroyed
 SeeAlso: AX=4A16h,AX=4A17h
-
+
diff --git a/...ultiplex/Windows/INT 2F4A21 Windows95.txt → ...ex/MS-DOS 7/INT 2F4A21 MSDOS 7 kernel.txt b/...ultiplex/Windows/INT 2F4A21 Windows95.txt → ...ex/MS-DOS 7/INT 2F4A21 MSDOS 7 kernel.txt
@@ -4,9 +4,9 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - ???
+INT 2F U - MS-DOS 7 kernel - ???
 	AX = 4A21h
 Return: AX destroyed
 Note:	calls INT 21/AX=4404h"IOCTL" with a five-byte buffer containing "MDF??"
 SeeAlso: AX=4A17h
-
+
diff --git a/...ultiplex/Windows/INT 2F4A31 Windows95.txt → ...ex/MS-DOS 7/INT 2F4A31 MSDOS 7 kernel.txt b/...ultiplex/Windows/INT 2F4A31 Windows95.txt → ...ex/MS-DOS 7/INT 2F4A31 MSDOS 7 kernel.txt
@@ -4,9 +4,9 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - ???
+INT 2F U - MS-DOS 7 kernel - ???
 	AX = 4A31h
 	CL = new value for ???
 	DS:SI -> BYTE to be set to CL
 Return: nothing
-
+
diff --git a/...ex/Windows/INT 2F4A32 Windows95 PATCH.txt → ...DOS 7/INT 2F4A32 MSDOS 7 kernel PATCH.txt b/...ex/Windows/INT 2F4A32 Windows95 PATCH.txt → ...DOS 7/INT 2F4A32 MSDOS 7 kernel PATCH.txt
@@ -4,7 +4,7 @@
       Flag: U 	undocumented function
 --------------------------------------------------------------------------------
 
-INT 2F U - Windows95 - PATCH ???
+INT 2F U - MS-DOS 7 kernel - PATCH ???
 	AX = 4A32h
 	BL = subfunction
 	    00h get ???
@@ -17,4 +17,4 @@ INT 2F U - Windows95 - PATCH ???
 	    05h unset ???, then do subfunction 02h
 	    else
 		Return: nothing
-
+
diff --git a/...F4A33 Windows95 CHECK MSDOS VERSION 7.txt → ... MSDOS 7 kernel CHECK MSDOS VERSION 7.txt b/...F4A33 Windows95 CHECK MSDOS VERSION 7.txt → ... MSDOS 7 kernel CHECK MSDOS VERSION 7.txt
@@ -4,14 +4,14 @@
       Flag: n/a
 --------------------------------------------------------------------------------
 
-INT 2F - Windows95 - CHECK MS-DOS VERSION 7
+INT 2F - MS-DOS 7 kernel - CHECK MS-DOS VERSION 7
 	AX = 4A33h
 Return: AX = 0000h for MS-DOS 7.00+
 	    (officially) BX,DX,SI,DS may be destroyed
 	    (undoc) DS:DX -> ASCIZ primary shell executable name
 	    (undoc) DS:SI -> CONFIG.SYS SHELL= command line (counted string)
-	    (undoc) BH = ??? (0000h)
-	    (undoc) BL = ??? (0000h)
+	    (undoc) BH = ??? (00h)
+	    (undoc) BL = ??? (00h)
 	AX nonzero (usually 4A33h) if MS-DOS 6- or other DOS
 SeeAlso: AX=1611h,INT 21/AH=30h
-
+
diff --git a/... FAR JMP instruction/INT 30 NOT A VECTOR DOS 1 FAR JMP instruction for CPMstyle calls.txt b/... FAR JMP instruction/INT 30 NOT A VECTOR DOS 1 FAR JMP instruction for CPMstyle calls.txt
@@ -5,8 +5,11 @@
 --------------------------------------------------------------------------------
 
 INT 30 - (NOT A VECTOR!) - DOS 1+ - FAR JMP instruction for CP/M-style calls
-   the CALL 5 entry point does a FAR jump to here
-Note:	under DOS 2+, the instruction at PSP:0005 points two bytes too low in
-	  memory
+   the CALL 5 entry point does a FAR call to here (linear 0_00C0h), or
+     to FFFFh:00D0h (linear 10_00C0h) where DOS has placed an equivalent
+     jump if DOS manages the High Memory Area
+BUGS:	in PSPs created by MS-DOS 2+ Debug, the instruction at PSP:0005h
+	  (see #01378) points two bytes too low in memory. fixed in lDOS
+	  MSDebug (fork based on MS-DOS v2 Debug)
 SeeAlso: INT 21/AH=26h
-
+
diff --git a/source/Memory Map/MEM 0040h 0041h DISKETTE LAST OPERATION STATUS.txt b/source/Memory Map/MEM 0040h 0041h DISKETTE LAST OPERATION STATUS.txt
@@ -6,6 +6,9 @@
 
 MEM 0040h:0041h - DISKETTE - LAST OPERATION STATUS
 Size:	BYTE
+BUGS:	Xi8088 BIOS version 0.9.4 fails to set DS (to 0040h) when it
+	  wants to write to this variable, upon encountering any
+	  unsupported INT 13 function, see INT 13/AH=41h"INT 13 Ext"
 SeeAlso: MEM 0040h:003Eh,MEM 0040h:0042h,INT 13/AH=01h
 
 Bitfields for diskette last operation status:
@@ -30,4 +33,4 @@ Note:	the following values for this byte differ somewhat from the
 	    31h no media in drive
 	    32h drive does not support media type
 	    AAh diskette drive not ready
-
+
diff --git a/source/Memory Map/MEM 0040h 006Ch TIMER TICKS SINCE MIDNIGHT.txt b/source/Memory Map/MEM 0040h 006Ch TIMER TICKS SINCE MIDNIGHT.txt
@@ -7,5 +7,25 @@
 MEM 0040h:006Ch - TIMER TICKS SINCE MIDNIGHT
 Size:	DWORD
 Desc:	updated approximately every 55 milliseconds by the BIOS INT 08 handler
+	after the INT 08 handler has incremented this DWORD, it checks for
+	  a value of 18_00B0h or 18_00B1h and if equal resets the count to 0.
+	  when resetting the count, it also increments or sets to 1 the flag
+	  at MEM 0040h:0070h to indicate midnight passed.
+Notes:	naive time-out loops will read this DWORD (or only the low WORD), add
+	  a delta, and wait until this DWORD equals or exceeeds the result.
+	  this has problems around the midnight wraparound though.
+	a better method is to read this DWORD or low WORD, then wait until
+	  the count has changed, indicating (at least) one tick has passed.
+	  loop until the desired amount of ticks has elapsed.
+	an even better way determines the delta between the prior WORD and
+	  the newly-observed one, if it is > 0 then consider that many ticks
+	  have elapsed, except if the delta exceeds a limit such as 6, which
+	  may happen due to the midnight rollover (or when debugging).
+	time-out loops should idle the machine. after checking that no
+	  inputs occurred (such as using INT 16/AH=01h), and no timer tick
+	  has passed yet, Real/Virtual 86 Mode STI and HLT may be used, or
+	  INT 2F/AX=1680h to allow multitaskers to register the idling.
+	  this allows reducing the CPU time spent on polling to < 5% as
+	  opposed to using 100% of a CPU core.
 SeeAlso: MEM 0040h:0070h,INT 08"IRQ0",INT 1A/AH=00h
-
+
diff --git a/source/Memory Map/MEM 0060h 0000h DOS 1 x IO SYS LOAD ADDRESS.txt b/source/Memory Map/MEM 0060h 0000h DOS 1 x IO SYS LOAD ADDRESS.txt
@@ -5,4 +5,19 @@
 --------------------------------------------------------------------------------
 
 MEM 0060h:0000h - DOS 1.x IO.SYS LOAD ADDRESS
-
+Notes:	lDOS stores its first true MCB at this point, but also addresses
+	  its DOSENTRY section with segment 0060h (sometimes). the MCB
+	  overlaps the first 16 bytes of DOSENTRY. (some lDOS entries
+	  are actually in DOSENTRY but addressed using segment 0026h.
+	  the relocating entry code normalises itself using a far jump.)
+	the lDOS DOSENTRY MCB may be hidden using the ldos.ini directive
+	  COMPAT=HIDEDOSENTRY, or COMPAT=DOSDATAFIRST,HIDEDOSDATAFIRST.
+	  in these cases the DOSENTRY MCB still exists, but it is not
+	  reachable from the MCB chain as the recorded first MCB is one
+	  or two MCBs behind the DOSENTRY MCB.
+	FreeDOS stores its init PSP at segment 0060h eventually.
+	the lDOS boot documentation manual lists some load protocols.
+	  the original FreeDOS load protocol loads the full kernel at
+	  linear 0_0600h and enters it with CS:IP = 0060h:0000h.
+	lDOS's inicomp (compressed payload stage) depacks to segment
+	  0060h and up when loading in kernel mode.
diff --git a/source/Memory Map/MEM 0070h 0000h DOS 2 IO SYS LOAD ADDRESS.txt b/source/Memory Map/MEM 0070h 0000h DOS 2 IO SYS LOAD ADDRESS.txt
@@ -5,4 +5,21 @@
 --------------------------------------------------------------------------------
 
 MEM 0070h:0000h - DOS 2+ IO.SYS LOAD ADDRESS
-
+Notes:	DOS usually addresses the DOSBIOS device headers and entrypoints
+	  using segment 0070h; this is true of lDOS even though its
+	  DOSENTRY section starts at linear 0_0600h. the entries are
+	  normalised by the same far jump that allows to address some
+	  entries using segment 0026h (see MEM 0060h:0000h notes).
+	the lDOS boot documentation manual lists some load protocols.
+	  EDR-DOS (FreeDOS based), IBM-DOS, and MS-DOS v6 load their
+	  full or initial loaders at linear 0_0700h and are entered at
+	  CS:IP = 0070h:0000h. MS-DOS v7 loads its initial loader at
+	  the same address but is entered at CS:IP = 0070h:0200h.
+	  older RxDOS.2 and lDOS would load the initial loader at
+	  linear 0_0700h but enter at 0070h:0400h, but recent RxDOS.3
+	  and lDOS use segment 0200h instead to avoid any possible
+	  64 KiB boundary crossing for sector sizes up to 8 KiB.
+	IBM-DOS and MS-DOS v6/v7 initial loaders (msload, aka the
+	  Non-Contiguous IBMBIO Loader) relocate themselves up to near
+	  the top of the Low Memory Area then load their payload
+	  (ibmbio/msbio) to linear 0_0700h, CS:IP = 0070h:0000h too.
diff --git a/source/Memory Map/MEM FFFFh 0010h HIGH MEMORY AREA HMA.txt b/source/Memory Map/MEM FFFFh 0010h HIGH MEMORY AREA HMA.txt
@@ -6,4 +6,5 @@
 
 MEM FFFFh:0010h - HIGH MEMORY AREA (HMA)
 Size:	65520 BYTEs
-
+SeeAlso: INT 2F/AX=4A01h,INT 2F/AX=4A02h,INT 2F/AX=4A03h,INT 2F/AX=4A04h
+SeeAlso: INT 2F/AX=4310h