the /dev/realmode interface was not documented, but it is very simple. /dev/realmodemem is just an image of the first megabyte of physical memory that is addressable from 16 bit realmode. plan9 reserves a 4k page at 0x9000 (defined as RMBUF) that can be referred to in the bios call as data buffer. previously, this was the only offset range that could be written with /dev/realmodemem.

in /dev/realmode, you write a struct Ureg (from /386/include/ureg.h) (in x86 machine byte order?) containing the register contents and the interrupt number of the bios call you want to make. the write returns when the BIOS call returns and the machine state can be read back from /dev/realmode.

realemu did a little extension to the interface: it allows reading and writing the whole address space and in case the trap is zero in the Ureg, it will copy ss, sp, cs, and pc in the virtual cpu state too and not make a BIOS interrupt. this is used by loadcom.c to run dos .com files in the emulator.

8i was never in a working or finished state... it was able to execute the modeinfo vbe calls on my t23 (after changing the KZERO offset) but that was about it. there are not many similarities with 8i anymore. i worked on 8i for a while... debugging 8i gave me a good overview of what's needed for 80x86 interpretation so after some time i started over from scratch as i had to look in the intel docs for every instruction anyway to figure out what's wrong, so why not just look at opcode details of opcodes being actually in use...

i borrowed optab decode tables and the general structure from 8i but the rest is different. realemu implements the opcodes in a generic way without all these switch(opsize){} cases in order to minimize code size. and it doesn't dereference pointers in the decode phase, but passes the opcode handler an Iarg * that will be read or written with ar() or aw() in the handler.

-- cinap
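The request described in the post, as an added example in portable C (not code from the post, realemu, or the Plan 9 tree): it fills the register image that would be written to /dev/realmode for the VBE mode info call (int 0x10, ax=0x4F01) and checks that the data buffer lies inside the RMBUF page. The Ureg field order is an assumption to be checked against /386/include/ureg.h, and `inrmbuf` and `vbemodeinfo` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

enum {
	RMBUF   = 0x9000,	/* from the post: reserved buffer page */
	RMBUFSZ = 0x1000,	/* 4k */
	MODEINFOSZ = 256,	/* size of the VBE ModeInfoBlock */
};

/* Assumed 386 Ureg layout (all fields 32 bit); verify against ureg.h. */
typedef struct Ureg Ureg;
struct Ureg {
	uint32_t di, si, bp, nsp, bx, dx, cx, ax;
	uint32_t gs, fs, es, ds;
	uint32_t trap, ecode, pc, cs, flags, sp, ss;
};

/*
 * 1 if [off, off+n) lies inside the RMBUF page. This is the range the
 * post says was the only writable part of /dev/realmodemem. Written so
 * that off+n cannot wrap around.
 */
int
inrmbuf(uint32_t off, uint32_t n)
{
	return off >= RMBUF && n <= RMBUFSZ && off - RMBUF <= RMBUFSZ - n;
}

/*
 * Fill u for VBE "return mode information": ax=0x4F01, cx=mode,
 * es:di = real-mode pointer to the result buffer, trap = interrupt
 * number. Returns -1 if buf is not a valid buffer inside RMBUF.
 */
int
vbemodeinfo(Ureg *u, uint16_t mode, uint32_t buf)
{
	if(!inrmbuf(buf, MODEINFOSZ))
		return -1;
	memset(u, 0, sizeof *u);
	u->ax = 0x4F01;
	u->cx = mode;
	u->es = buf >> 4;	/* segment: linear address / 16 */
	u->di = buf & 0xF;	/* offset: remainder within the paragraph */
	u->trap = 0x10;		/* video BIOS interrupt */
	return 0;
}
```

A caller would write the filled Ureg to /dev/realmode, read the returned state back from the same file, and then read the 256-byte result from /dev/realmodemem at offset RMBUF.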