Lee
@endbr64
14 posts
Washington, DC · Joined September 2009
186 Following · 127 Followers
Lee retweeted
Mark Ermolov@_markel___·
Hardware glitching masters have taken on Intel's microarchitecture - very, very cool! I'm so glad our work is contributing to research that was previously unimaginable. Research into hardware attacks on Intel processors has enormous potential... download.vusec.net/papers/microsp…
Lee@endbr64·
@IntelSecurity Your email, project.circuit.breaker@intel.com, is not working. Getting error replies. I was told by the nice lady at the booth to email yall when I finished all 6 challenges since no one at the conference got them all.
Intel Security@IntelSecurity·
Calling all #hackers and hobbyists, #ProjectCircuitBreaker will be at #ShmooCon starting this Friday. Our team has something special planned just for you, and we heard there are goodies for anyone who solves some #hacking challenges. Comment below if you are joining us.
Lee@endbr64·
@pcb_shmoocon24, your email isn't working. I have the Color Challenge answer. Could you verify it please?
Lee@endbr64·
@gerhart_x @standa_t Can you write a blog on how exactly to set this up? I've only gotten it to work for QEMU and 32-bit VMware. The support for 64-bit VMware guest was only committed last week, so I guess you made your own modifications to it?
Lee@endbr64·
@standa_t I've tried, but it doesn't seem to be working 🫤. I added "VMWare" to the ValidateSet for $ExdiTarget (not sure how the dev didn't put that in there..) in the .ps1. I get "Target initialization succeeded" and initial break-in, but lots of registers are 0 and can't step.
Lee@endbr64·
If you have a newer UP2 board (March 2020+), and you cannot boot the open-source firmware, I have a fix for you! github.com/henshaw777/UP2…
Lee@endbr64·
@ivanrouzanov Never mind. Idk why my early experiments showed this. For some reason my new test loop shows that glm_cN maps to thread[N]. Thanks for the idea! I was definitely using glm_module0 beforehand though and that was previously mapping to thread[1]. There somehow was some swapping...
Lee@endbr64·
@ivanrouzanov Experimenting further. "glm_c0" will affect thread[2]. c1 and c2 also affect thread[2]. glm_c3 will affect thread[3]. Seems unintuitive to me. Any good resources on learning this stuff formally?
Lee@endbr64·
Finally figured out why my microcode patch didn't seem to be working at all. On a whim I decided to check the other cores. Turns out it worked, just only on one core? Why?
Lee@endbr64·
@ivanrouzanov Oh true! If I switch glm_module0 for the glm_module1 device, it works on thread 3. I don't know how to get it working on thread 0 or 2 though. Unfortunately, I don't see any explanation about how these scripts work or what some of the hardcoded values mean.
Lee@endbr64·
@ivanrouzanov I should've added more context. I am manually patching custom uCode based on the research and scripts from github.com/chip-red-pill/…. I'm guessing you think I meant a legit uCode update via the normal MSR procedures. I'm not sure how to specify the core # in those scripts.
Lee@endbr64·
Want to unlock undocumented Intel instructions and execute custom microcode? I am starting a tutorial series to delve into some of the work from the uCode Research Team! Unlock your CPU and Execute Arbitrary Microcode! Tutorial Introduction youtu.be/jxU6uwGsO48
Lee@endbr64·
@standa_t Are you able to break on VMEntry/Exit? You mentioned in class that wasn't working (on UP2) and I noticed the same behavior.
Satoshi Tanda@standa_t·
Can confirm this works as advertised. Do not even need to flash BIOS to make DCI DbC3 work. Anyone who wants to debug and reverse engineer firmware from the reset vector, SMM, hypervisor, or any pieces of software that do not work with kernel debuggers, I recommend this
Alan Sguigna@AlanSguigna

Taking a cue from @ilfak, we're offering our JTAG debugger SourcePoint at a new low price of $365 for hobbyists and researchers, to work with the AAEON UP Xtreme i11 Tiger Lake board over DCI: asset-intertech.com/resources/blog…

Lee@endbr64·
@HackingThings Does it work right out of the box? Or do you need additional documentation/files that you would otherwise need to get with an NDA?
Mickey@HackingThings·
✅ Received ✅ Tested ✅ Appropriately labeled