Mark Ermolov (@_markel___)
1.6K posts
I research security of Intel platforms. I don't work for Intel
Moscow, Russia. Joined September 2014
131 Following, 12.2K Followers
Mark Ermolov (@_markel___):
@marcrygamerbr In C-states the CPU doesn't execute anything; in C6 it's even power gated, but C6SRAM is accessible via LDAT. Usb2dbc can debug all IPs until DCI is turned off (Sx/S0ix).
Mark Ermolov (@_markel___):
I found the description of Intel Core CPU hardware straps and the way to override them using JTAG (without any physical rework).
Mark Ermolov (@_markel___):
@marcrygamerbr A Usb2dbc debug cable is enough. I made it myself (removing VCC from a standard USB2 A-to-A cable).
Marco Aurélio (@marcrygamerbr):
@_markel___ How can I get an Intel JTAG debugger? Where can I buy the XDP ITP? Is there a clone of such a complex debug probe?
Mark Ermolov (@_markel___):
Next are the most interesting:
EAR - CPU bringup stall in PCU fw
PHYSICAL_DEBUG_ENABLED - sets CONSET in DFX AGG
CFG_UNLOCK - activates NOA (Node Observation Architecture) bus in DFX Green
SAFE_MODE_BOOT - disables active state power management
Mark Ermolov (@_markel___):
@mayorhardin Until recently, all such NDA-ed info was a real secret, but now AI collects everything (open source code, LinkedIn, doc storages), from everywhere that private info sometimes leaks.
Mark Ermolov (@_markel___):
In the era of AI, Intel will find it very difficult to hide its secrets...
Mark Ermolov (@_markel___):
What a huge field to research: the rdmsr microcode for desktop CPUs speculates that the CREGPLA entry (a data struct describing each MSR, hardcoded in HW and obtained via the MSR2CR uop) is valid! Below is a fragment of a CNL microcode simulation via the Archsim tool for the rdmsr instruction:
Mark Ermolov (@_markel___):
@Sparkys_Adv This is exactly for Rocket Lake (which is a 14nm backport of Tiger Lake)...
Mark Ermolov (@_markel___):
Ha-ha, Intel implemented a super protection😀 in the new CPUs (TGL+): pcode/ucode throws a #MC (Machine Check) exception if DAM (Delayed Authentication Mode) is enabled and UEFI/BIOS signals BIOS Reset Complete...
Mark Ermolov reposted
PT SWARM (@ptswarm):
🔥 Read the new article by our researcher Timofey Duditsky. The write-up dives into the AMD Platform Configuration Blobs mechanism, shows how it works, and reveals the vulnerability CVE-2025-54502. swarm.ptsecurity.com/slowburn-looki…
Mark Ermolov reposted
SKVLLZ. (@xsh3llsh0ck):
AMD has published Security Bulletin AMD-SB-7054 with my vulnerability CVE-2025-54502. There has been no feedback on my research (as well as my mention), so I will publish my work as it is and as soon as possible.
Mark Ermolov (@_markel___):
@Gyzome Yes, all standard JTAG IRs (SAMPLE, PRELOAD and others) are supported at CLTAP. A BSDL also exists for each CPU/PCH/SOC, but unfortunately it's not public.
Gyzome (@Gyzome):
@_markel___ Does a BSDL exist for these chips? I suppose a whole bunch of private instructions are involved? Do they even have boundary-scan or is JTAG only used for debug?
Mark Ermolov (@_markel___):
Metal Unlock JTAG password for one of the very old Atoms...
Mark Ermolov (@_markel___):
@AbeiV No, we use Intel DCI CCA/DbC with Intel System Studio. There's a very limited amount of information publicly available on the subject. All necessary info is under NDA...
Abei V (@AbeiV):
@_markel___ Is this how you tapped into the JTAG? Where's the rest of the info?
Mark Ermolov (@_markel___):
@GabrielKerneis There's also a difference in the key generation: GWK is created by simply XORing 16-byte HW and FW constants, while for FEK a hardware shuffle of 48 bytes embedded in HW and 16 bytes from FW is used.
Mark Ermolov (@_markel___):
@GabrielKerneis As you can see from the Python code, GWK is used to encrypt Fuse Key 0 (hence the "wrapping" in the name), while FEK decrypts Security Fuses for CSME.
Mark Ermolov (@_markel___):
Intel SGX has fallen! Its most important key is in our hands: we extracted the Global Wrapping Key from an instance of the Intel Gemini Lake platform
Mark Ermolov (@_markel___):
@c_sharp_gr Thanks. For SGX it doesn't matter how, only the key matters...
Nik RF (@c_sharp_gr):
@_markel___ Great job! Still I guess this requires red unlocked state and physical access.
samlaf (@samlafer):
@_markel___ Wait, so this is SGX v1? Meaning not the one used by TDX, which we already know is broken via tee.fail?
Mark Ermolov (@_markel___):
Yes, Intel has declared this first SGX implementation as obsolete and unsupported, but its fundamental break means that the HW Root of Trust approach is not unshakable. The full white paper is coming...
Mark Ermolov (@_markel___):
This is made possible by executing arbitrary microcode on the DFX-locked system. And although this was a truly challenging task, we were able to do it after researching in detail the interaction between PMC and PUNIT.