├── README.md
├── ms_irom.txt
├── ms_match_patch.txt
├── ms_patch_imm.txt
├── ms_patch_ram.txt
├── ms_rom.txt
└── pic
    ├── 1.jpg
    └── 2.jpg

/README.md:
--------------------------------------------------------------------------------
# **Disclaimer**

**All information is provided for educational purposes only. Follow these instructions at your own risk. Neither the authors nor their employer are responsible for any direct or consequential damage or loss arising from any person or organization acting or failing to act on the basis of information contained in this page.**

# Description
Five arrays of the [Intel Microcode](https://en.wikipedia.org/wiki/Intel_Microcode) (uCode) Sequencer for the Atom Goldmont core, named according to our guesses:

**ms_rom.txt** - the first array of the Microcode Sequencer, with triads of 48-bit micro-operations of the Intel Small Core

**ms_irom.txt** - the second read-only array, which we think contains the immediates used in msrom

**ms_patch_imm.txt** - immediates for the ucode patch from patch RAM

**ms_match_patch.txt** - dump of 31-bit match/patch register pairs. They refer directly to msrom, with bits 0-15 for the match register and bits 16-30 for the patch register, shifted right by one bit

**ms_patch_ram.txt** - extracted content of the MS Patch RAM. It contains uops divided into four groups (the 1st is all first uops from each triad, the 2nd is all second uops, and so on). This data, combined into triads, can be found in msrom at UIP 0x7c00

[IPC Scripts](https://github.com/chip-red-pill/crbus_scripts)

[RED Unlock PoC](https://github.com/chip-red-pill/IntelTXE-PoC)

![screenshot](pic/1.jpg)
![screenshot](pic/2.jpg)

# Research Team

Mark Ermolov ([@\_markel___][1])

Maxim Goryachy ([@h0t_max][2])

Dmitry Sklyarov ([@_Dmit][3])


[1]: https://twitter.com/_markel___
[2]: https://twitter.com/h0t_max
[3]: https://twitter.com/_Dmit

--------------------------------------------------------------------------------
/ms_match_patch.txt:
--------------------------------------------------------------------------------
array 03:
--------------------------------------------------------------------------------
/ms_patch_imm.txt:
--------------------------------------------------------------------------------
array 02:
--------------------------------------------------------------------------------
/ms_patch_ram.txt:
--------------------------------------------------------------------------------
array 04:
--------------------------------------------------------------------------------
/pic/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chip-red-pill/glm-ucode/59f3b0a116807171862a25a163098b4c25a5c65e/pic/1.jpg
--------------------------------------------------------------------------------
/pic/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chip-red-pill/glm-ucode/59f3b0a116807171862a25a163098b4c25a5c65e/pic/2.jpg
--------------------------------------------------------------------------------
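The README describes ms_patch_ram.txt as uops stored in four groups that have to be recombined into triads. The following is an added example, not code from the repository or its authors, that parses the dumps' `array NN:` / `OFFS: word word word word` text layout and does that regrouping. The function names are hypothetical, the sample data is constructed, and it assumes the four groups are equal-sized and consecutive; the README does not say what the fourth group holds, so that word is carried along unchanged.

```python
import re

# Constructed sample in the dump's text layout ("array NN:" header, then
# "OFFS: w w w w" rows of 48-bit hex words). Values are made up, not repo data.
SAMPLE = """\
array 04:
0000: 0000000000a0 0000000000a1 000000000000 0000000000b0
0004: 0000000000b1 000000000000 0000000000c0 0000000000c1
0008: 000000000000 400000000000 800000000000 000000000000
"""

ROW = re.compile(r"([0-9a-f]{4}):((?:\s+[0-9a-f]{12})+)")

def parse_dump(text):
    """Return (array_id, words); reject malformed rows and offset gaps."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.fullmatch(r"array ([0-9a-f]{2}):", lines[0]) if lines else None
    if not head:
        raise ValueError("missing 'array NN:' header")
    words = []
    for ln in lines[1:]:
        m = ROW.fullmatch(ln)
        if not m:
            raise ValueError(f"malformed row: {ln!r}")
        if int(m.group(1), 16) != len(words):
            raise ValueError(f"offset gap at {m.group(1)}")
        words += [int(w, 16) for w in m.group(2).split()]
    return head.group(1), words

def regroup_triads(words):
    """Triad i = (g0[i], g1[i], g2[i]) over four groups.

    Assumption: the four groups are equal-sized and consecutive. The README
    does not say what the fourth group holds, so its word is returned as-is.
    """
    if not words or len(words) % 4:
        raise ValueError("word count must be a non-zero multiple of four")
    n = len(words) // 4
    g = [words[k * n:(k + 1) * n] for k in range(4)]
    return [((g[0][i], g[1][i], g[2][i]), g[3][i]) for i in range(n)]

def used_triads(triads):
    """Drop empty (all-zero) slots but keep each triad's original index."""
    return [(i, t, x) for i, (t, x) in enumerate(triads) if any(t) or x]

if __name__ == "__main__":
    _, words = parse_dump(SAMPLE)
    for i, triad, extra in used_triads(regroup_triads(words)):
        print(i, " ".join(f"{u:012x}" for u in triad), f"{extra:012x}")
```

The sample deliberately places one triad's uops on different text rows, which shows that the file's four-per-row layout is unrelated to triad boundaries.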