This is a follow-up to How can early BIOS use CALL?, same ROM file, same setting.
Thanks to Brendan I know that upon a cold boot the jump discussed there would be taken and a call instruction would be skipped at that moment. But there are other memory writes soon after that. This is a shortened listing, the full thing with all complete branches (55 lines) can be found at https://pastebin.com/wfT4np5u:
[Beginning is the same as in the first question]
f000:e045 out 0x70, al ; CMOS controller: disable NMI, set index 0xf
f000:e047 out 0xeb, al ; this port is presumably unoccupied: just a delay mechanism
f000:e049 in al, 0x71 ; read 0xf (CMOS Shutdown Status)
f000:e04b out 0xeb, al ; more delay
f000:e04d or al, al
f000:e04f jmp 0xf483
f000:f483 jne 0xf488
[assuming status ≥ 0x0D (cold boot) – jump:]
f000:f488 mov ax, 0x40
f000:f48b mov es, ax
f000:f48d cmp word es:[0x72], 0x1234
f000:f494 je 0xf49b
[Scenario 1: we find word 0x1234 at 0040:0072:]
[some further tests, always jumping to f000:f4c8 if a condition fails; if all passes, the flow reaches that address linearly]
[Scenario 2: 0040:0072 does not return 0x1234:]
f000:f496 jmp 0x3253
f000:3253 jmp 0xf499
f000:f499 jmp 0xf4c8
[All cases now converge HERE] <<< This is the interesting bit
f000:f4c8 mov ax, 0x30
f000:f4cb mov ss, ax
f000:f4cd mov sp, 0x100
f000:f4d0 mov al, 0x8f
f000:f4d2 call 0xe415 ; Hi again, now I'm unconditional
Apparently Scenario 1 requires that some memory remained initialized from earlier (unless it's some kind of ROM mapped to segment 0x40), so in a cold boot scenario I think we can ignore that. But regardless of the branches taken at f000:f494, we arrive at f000:f4c8. This sets up SS:SP to 0030:0100 and proceeds to call something.
Is it possible that the motherboard has a little amount of "safety net" RAM mapped there that's available even if I take out all the memory banks? Or does BIOS expect that the first few kilobytes will be accessible in any possible setup? What happens if they aren't?
