Mark Ermolov

1.6K posts

@_markel___

I research security of Intel platforms. I don't work for Intel

Moscow, Russia. Joined September 2014
131 Following, 11.7K Followers
Mark Ermolov @_markel___
Using this vulnerability for the rdpmc instruction, we were able to read the SGX SVN Key - the first derived key from the Root Provisioning Key and Global Wrapping Key for Gemini Lake platform that's stored at 0x2205 and 0x2206 of the internal control registers
Mark Ermolov @_markel___
I'm amazed at Intel's ability to downplay the severity of published vulnerabilities. They described CVE-2018-3640 (Rogue System Register Read) as simply an ASLR bypass, but this vulnerability in fact allows the CPU internal CRBUS to be read (at least for Goldmont/Plus uarch)
Mark Ermolov @_markel___
The reason why Intel will continue to dominate on the server market is that server power efficiency is not determined by compute efficiency, but rather by the balance between idle power consumption and wake-up speed, which is something Intel excels at...
Mark Ermolov @_markel___
It confirms our previous assumptions (speculative micro-instruction execution), introduces a whole new class of spectre attacks (uspectre) and shows that a number of recent TE vulnerabilities (such as Rogue System Register Read) actually originate in the microcode...
Mark Ermolov @_markel___
Hardware glitching masters have taken on Intel's microarchitecture - very, very cool! I'm so glad our work is contributing to research that was previously unimaginable. Research into hardware attacks on Intel processors has enormous potential... download.vusec.net/papers/microsp…
Mark Ermolov @_markel___
In the screen below, after shutting down L2 via PCU (reducing its voltage to 0), the L2 Machine Check bank (CR 0x385) immediately shows an error, but C6SRAM (Staging Buffer in our paper for udbgrd/wr) is still working...
Mark Ermolov @_markel___
Finally, I was able to reliably answer the question of whether C6SRAM (holds CPU core context in C6 power state) is connected in any way to L2: no, it is an independent SRAM
Mark Ermolov @_markel___
There's nothing more interesting than reverse engineering undocumented (partially documented) Intel firmware commands...
Mark Ermolov @_markel___
Now, all the secrets of the hardware initialization/power management for CPU IPs can be studied. How many interesting things await us ahead...
Mark Ermolov @_markel___
However, using its internal ROM patching mechanism, which allows controlling the execution of each ROM instruction and post-execution analysis of the output register context, we reconstructed the whole 96kb PCU ROM!
Mark Ermolov @_markel___
Intel p-unit microcontroller (Foxton) has Harvard architecture (independent addr spaces for code and data) and only a part of its firmware's (pcode) ROM is accessible for load instructions.
Mark Ermolov reposted
Alexander Popov @a13xp0p0v
My new article: "Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel"⚡️ I tell a bug collision story and introduce my pet project kernel-hack-drill, which helped me to exploit the hard bug that received @PwnieAwards 2025 a13xp0p0v.github.io/2025/09/02/ker…
Mark Ermolov reposted
Nikolaj Schlej @NikolajSchlej
The embargo (12:00 UTC 2025-06-10) is over, let's start a thread on Hydroph0bia (CVE-2025-4275), a trivial SecureBoot and FW updater signature bypass in almost any Insyde H2O-based UEFI firmware used since 2012 and still in use today. English writeup: coderush.me/hydroph0bia-pa…
Mark Ermolov reposted
Alexander Popov @a13xp0p0v
Looks like this @Timesys Corporation did an amazing job [SARCASM] selling their Timesys Kernel Hardening Analysis Tool that simply provides the recommendations from my open source project kernel-hardening-checker. They don't even mention kernel-hardening-checker. Shame on them👎
Mark Ermolov @_markel___
BCLK – Base Clock, 100 MHz clock from PCH to CPU in desktops
FCLK – system agent's clock in desktop CPUs
ICLK – clock of i-unit (Imaging Unit)
Mark Ermolov @_markel___
ROSC – Ring Oscillator, a predecessor of CRO used in desktop platforms together with RTC clock
PCLK – PCS clock, 1600 MHz SSC clock generated by LJPLL0 and used as a base for other clocks of PCS PLLs for CPU cores, memory controller, display engine and so on
Mark Ermolov @_markel___
Intel chips have very complex clocking architectures (clock domains, controllers, generators), and almost all their tech details are NDA-ed. However, studying JTAG/VISA you always encounter abbreviations/entities relating to clocks. Here are the most important of them: