├── .gitignore ├── LICENSE ├── Makefile ├── Notes.md ├── README.md ├── bios ├── custom-processing-unit.c ├── dumps │ ├── SMM.txt │ ├── imms.txt │ ├── msrs.txt │ └── rom.txt ├── efi-mp.h ├── exceptions.h ├── experiments.h ├── glm-intel-ucode │ ├── 06-5c-09 │ ├── 06-5c-09.h │ ├── 06-5c-0a │ └── 06-5c-0a.h ├── goldmont_core_perf_counters.h ├── goldmont_core_v13.tsv ├── raw_msr.h ├── raw_perf.h ├── traces │ ├── cld_std_cld.txt │ ├── cld_std_cld_trace.txt │ ├── cpuid_80000002.txt │ ├── cpuid_80000002_trace.txt │ ├── denormal_fp.txt │ ├── denormal_fp_trace.txt │ ├── int1.txt │ ├── int1_trace.txt │ ├── int3.txt │ ├── int3_trace.txt │ ├── iretq_trace.txt │ ├── popa.txt │ ├── popa_trace.txt │ ├── rdmsr_0017.txt │ ├── rdmsr_0017_trace.txt │ ├── rdmsr_0x29_trace.txt │ ├── rdmsr_0x2a_trace.txt │ ├── read_dr0.txt │ ├── read_dr0_trace.txt │ ├── syscall.txt │ ├── syscall_trace.txt │ ├── trigger_dr0.txt │ ├── trigger_dr0_trace.txt │ ├── ucode_update.txt │ ├── ucode_update_trace.txt │ ├── ud2.txt │ ├── ud2_trace.txt │ ├── verw.txt │ ├── verw_trace.txt │ ├── write_dr0.txt │ ├── write_dr0_trace.txt │ └── wrmsr_0x1b_trace.txt ├── ucode_dump.h └── ucode_patches │ ├── condhwbp.h │ ├── condhwbp.u │ ├── ctdiv.h │ ├── ctdiv.u │ ├── dump_smm.h │ ├── dump_smm.u │ ├── fastbp.h │ ├── fastbp.u │ ├── get_value_and_resume.h │ ├── get_value_and_resume.u │ ├── ldat_read.h │ ├── ldat_read.u │ ├── match_patch_hook.h │ ├── match_patch_hook.u │ ├── match_patch_init.h │ ├── match_patch_init.u │ ├── match_patch_init_glm_new.h │ ├── match_patch_init_glm_new.u │ ├── msr2cr_dump.h │ ├── msr2cr_dump.u │ ├── pac_sign.h │ ├── pac_sign.u │ ├── pac_sign_weak.h │ ├── pac_sign_weak.u │ ├── pac_verify.h │ ├── pac_verify.u │ ├── pac_verify_weak.h │ ├── pac_verify_weak.u │ ├── time_access_hook.h │ ├── time_access_hook.u │ ├── trace_and_resume.h │ ├── trace_and_resume.u │ ├── ucode_patch.h │ └── ucode_patch.u ├── ghidra-processor-module ├── .gitattributes ├── .gitignore ├── LICENSE ├── Module.manifest ├── README.md 
├── bin │ ├── README.txt │ ├── help │ │ ├── TOC_Source.xml │ │ ├── shared │ │ │ └── Frontpage.css │ │ └── topics │ │ │ └── x86_ucode │ │ │ └── help.html │ └── images │ │ └── README.txt ├── build.gradle ├── data │ ├── README.txt │ ├── buildLanguage.xml │ ├── languages │ │ ├── x86ucode.cspec │ │ ├── x86ucode.ldefs │ │ ├── x86ucode.pspec │ │ └── x86ucode.slaspec │ └── sleighArgs.txt ├── extension.properties ├── ghidra_scripts │ └── README.txt ├── images │ ├── Screenshot1.png │ └── Screenshot2.png ├── lib │ └── txt2ghidra.py ├── os │ ├── linux64 │ │ └── README.txt │ ├── osx64 │ │ └── README.txt │ └── win64 │ │ └── README.txt └── src │ ├── main │ ├── help │ │ └── help │ │ │ ├── TOC_Source.xml │ │ │ ├── shared │ │ │ └── Frontpage.css │ │ │ └── topics │ │ │ └── x86_ucode │ │ │ └── help.html │ └── resources │ │ └── images │ │ └── README.txt │ └── test │ └── java │ └── README.test.txt ├── images └── cpu_logo.svg ├── slides.pdf ├── uasm-lib ├── 0x000506C9 │ ├── ms_array0.txt │ ├── ms_array1.txt │ ├── ms_array2.txt │ ├── ms_array3.txt │ └── ms_array4.txt ├── 0x000506CA │ ├── ms_array0.txt │ ├── ms_array1.txt │ ├── ms_array2.txt │ ├── ms_array3.txt │ └── ms_array4.txt ├── custom_sha.py ├── hard_imm.txt ├── labels.csv ├── opcodes.txt ├── parse_all_ucodes.py ├── uasm.py └── ucode_parser.py └── ucode_collection ├── cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin ├── cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.dec ├── cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.patch_0001.txt ├── cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.patch_026e.txt ├── cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.txt ├── cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin ├── cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.dec ├── cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.patch_0001.txt ├── cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.patch_01ee.txt ├── 
cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.patch_2d0e.txt ├── cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.txt ├── cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin ├── cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.dec ├── cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.patch_0001.txt ├── cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.patch_0276.txt ├── cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.txt ├── cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin ├── cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.dec ├── cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.patch_0001.txt ├── cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.patch_02ae.txt ├── cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.txt ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.dec ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.patch_01ee.txt ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.patch_2e8c.txt ├── cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.txt ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.dec ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.patch_01ee.txt ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.patch_2f34.txt ├── cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.txt ├── cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin ├── cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.dec ├── cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.patch_01ee.txt ├── cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.patch_2f34.txt ├── 
cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.txt ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.dec ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.patch_0001.txt ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.patch_01ee.txt ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.patch_2f34.txt ├── cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.txt ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.dec ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.patch_01ee.txt ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.patch_2f9c.txt ├── cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.txt ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.dec ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.patch_02b1.txt ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.patch_307f.txt ├── cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.txt ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.dec ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.patch_0001.txt ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.patch_041c.txt ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.patch_32f2.txt ├── cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.txt ├── cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin ├── cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.dec ├── cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.patch_0001.txt ├── cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.patch_021b.txt ├── 
cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.txt ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.dec ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.patch_0001.txt ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.patch_01bb.txt ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.patch_2df9.txt ├── cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.txt ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.dec ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.patch_0001.txt ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.patch_01bb.txt ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.patch_2ea1.txt ├── cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.txt ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.dec ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.patch_0001.txt ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.patch_01bb.txt ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.patch_2ef1.txt ├── cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.txt ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.dec ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.patch_0001.txt ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.patch_01bb.txt ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.patch_2ef1.txt ├── cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.txt ├── cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin ├── cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.dec ├── cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.patch_0001.txt ├── cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.patch_01bb.txt ├── 
cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.patch_2ef9.txt ├── cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.txt ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.dec ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.patch_0001.txt ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.patch_01bb.txt ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.patch_2f09.txt ├── cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.txt ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.dec ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.patch_0001.txt ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.patch_027e.txt ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.patch_2fcc.txt ├── cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.txt ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.dec ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.patch_0001.txt ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.patch_0404.txt ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.patch_3252.txt ├── cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.txt ├── cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin ├── cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.dec ├── cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.patch_0018.txt ├── cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.patch_03a1.txt ├── cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.txt ├── cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin ├── cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.dec ├── cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.patch_0001.txt ├── cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.patch_025e.txt ├── 
cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.txt ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.dec ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.patch_0001.txt ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.patch_01be.txt ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.patch_1768.txt ├── cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.txt ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.dec ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.patch_0001.txt ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.patch_01be.txt ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.patch_197f.txt ├── cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.txt ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.dec ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.patch_0001.txt ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.patch_01f1.txt ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.patch_19b2.txt ├── cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.txt ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.dec ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.patch_0001.txt ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.patch_01f1.txt ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.patch_1aba.txt ├── cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.txt ├── cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin ├── cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.dec ├── cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.patch_0001.txt ├── cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.patch_01f1.txt ├── 
cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.patch_1aba.txt ├── cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.txt ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.dec ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.patch_0001.txt ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.patch_026c.txt ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.patch_1c45.txt ├── cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.txt ├── m_03_506ca_00000022.bin ├── m_03_506ca_00000022.bin.dec ├── m_03_506ca_00000022.bin.patch_0001.txt ├── m_03_506ca_00000022.bin.patch_0299.txt ├── m_03_506ca_00000022.bin.patch_2fe7.txt └── m_03_506ca_00000022.bin.txt /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.so 3 | *.pyc 4 | .vscode 5 | cpu.efi 6 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | GNU_EFI_DIR?=/home/user/gnu-efi 2 | 3 | all: build-ucode build-cpu 4 | 5 | build-ucode: 6 | uasm-lib/uasm.py -i bios/ucode_patches/ucode_patch.u --avoid_unk_256 -o ./bios/ucode_patches/ucode_patch.h 7 | uasm-lib/uasm.py -i bios/ucode_patches/dump_smm.u -o ./bios/ucode_patches/dump_smm.h 8 | uasm-lib/uasm.py -i bios/ucode_patches/match_patch_init.u -o ./bios/ucode_patches/match_patch_init.h 9 | uasm-lib/uasm.py -i bios/ucode_patches/match_patch_init_glm_new.u -o ./bios/ucode_patches/match_patch_init_glm_new.h 10 | uasm-lib/uasm.py -i bios/ucode_patches/match_patch_hook.u -o ./bios/ucode_patches/match_patch_hook.h 11 | uasm-lib/uasm.py -i bios/ucode_patches/ldat_read.u -o ./bios/ucode_patches/ldat_read.h 12 | uasm-lib/uasm.py -i bios/ucode_patches/trace_and_resume.u -o ./bios/ucode_patches/trace_and_resume.h 13 | uasm-lib/uasm.py -i bios/ucode_patches/get_value_and_resume.u -o 
./bios/ucode_patches/get_value_and_resume.h 14 | uasm-lib/uasm.py -i bios/ucode_patches/time_access_hook.u -o ./bios/ucode_patches/time_access_hook.h 15 | uasm-lib/uasm.py -i bios/ucode_patches/msr2cr_dump.u -o ./bios/ucode_patches/msr2cr_dump.h 16 | uasm-lib/uasm.py -i bios/ucode_patches/fastbp.u --avoid_unk_256 -o ./bios/ucode_patches/fastbp.h 17 | uasm-lib/uasm.py -i bios/ucode_patches/condhwbp.u --avoid_unk_256 -o ./bios/ucode_patches/condhwbp.h 18 | uasm-lib/uasm.py -i bios/ucode_patches/ctdiv.u -o ./bios/ucode_patches/ctdiv.h 19 | uasm-lib/uasm.py -i bios/ucode_patches/pac_sign.u --avoid_unk_256 -o ./bios/ucode_patches/pac_sign.h 20 | uasm-lib/uasm.py -i bios/ucode_patches/pac_verify.u --avoid_unk_256 -o ./bios/ucode_patches/pac_verify.h 21 | uasm-lib/uasm.py -i bios/ucode_patches/pac_sign_weak.u --avoid_unk_256 -o ./bios/ucode_patches/pac_sign_weak.h 22 | uasm-lib/uasm.py -i bios/ucode_patches/pac_verify_weak.u --avoid_unk_256 -o ./bios/ucode_patches/pac_verify_weak.h 23 | 24 | build-cpu: 25 | xxd -i bios/glm-intel-ucode/06-5c-09 > bios/glm-intel-ucode/06-5c-09.h 26 | xxd -i bios/glm-intel-ucode/06-5c-0a > bios/glm-intel-ucode/06-5c-0a.h 27 | gcc -mno-sse -mno-sse2 -mno-mmx -mno-avx -Ibios -I$(GNU_EFI_DIR)/inc -fpic -ffreestanding -fno-stack-protector -fno-stack-check -fshort-wchar -mno-red-zone -maccumulate-outgoing-args -c bios/custom-processing-unit.c -o bios/custom-processing-unit.o 28 | ld -shared -Bsymbolic -L$(GNU_EFI_DIR)/x86_64/gnuefi -L$(GNU_EFI_DIR)/x86_64/lib -T$(GNU_EFI_DIR)/gnuefi/elf_x86_64_efi.lds $(GNU_EFI_DIR)/x86_64/gnuefi/crt0-efi-x86_64.o bios/custom-processing-unit.o -o bios/custom-processing-unit.so -lgnuefi -lefi 29 | objcopy -j .text -j .sdata -j .data -j .dynamic -j .dynsym -j .rel -j .rela -j .rel.* -j .rela.* -j .reloc --target efi-app-x86_64 --subsystem=10 bios/custom-processing-unit.so bios/cpu.efi 30 | 31 | .PHONY: build-cpu build-ucode -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # Custom Processing Unit 2 | 3 | [![DOI](https://zenodo.org/badge/522085221.svg)](https://zenodo.org/badge/latestdoi/522085221) 4 | 5 | 6 | 7 | Custom Processing Unit is the first dynamic analysis framework able to hook, patch and trace CPU microcode at the software level. 8 | 9 | It works by leveraging [undocumented instructions](https://github.com/chip-red-pill/udbgInstr) in Intel CPUs that allow access to the CRBUS. 10 | Using our [microcode decompiler](https://github.com/pietroborrello/ghidra-atom-microcode) we reverse engineered how the CPU uses the CRBUS and by replicating the interactions we have full control of the CPU. 11 | 12 | Find the static analysis framework as subtree in [this](./ghidra-processor-module) folder, or at https://github.com/pietroborrello/ghidra-atom-microcode. 13 | 14 | Check out our slides describing this work [here](./slides.pdf). 15 | 16 | **Note**: Custom Processing Unit requires a Red-Unlocked CPU: currently, only [Goldmont CPUs](https://en.wikipedia.org/wiki/Goldmont) (GLM) have a [public Red Unlock](https://github.com/ptresearch/IntelTXE-PoC). We tested Gigabyte GB-BPCE-3350C with CPU stepping 0x9 and 0xa (cpuid 0x000506C9 and 0x000506CA). 17 | 18 | Custom Processing Unit is made up of a UEFI application and a few libraries. The UEFI application interacts with the GLM CPU, while the libraries provide different helpers to compile microcode into the UEFI application and analyze its output. 19 | 20 | ## Prerequisites 21 | 22 | 1. Follow the steps to red unlock your Goldmont CPU from https://github.com/ptresearch/IntelTXE-PoC. 23 | 2. Create a bootable USB key with an EFI shell 24 | 3. Install [gnu-efi](https://wiki.osdev.org/GNU-EFI) on your main host 25 | 26 | ## Setup 27 | 28 | ``` 29 | GNU_EFI_DIR= make 30 | ``` 31 | 32 | This will build the source microcode files and the UEFI application into `cpu.efi`. 
33 | Copy `cpu.efi` into the `\EFI\` folder of the USB key, plug it in the GLM and boot into the EFI shell. 34 | 35 | Run `map -r` in the EFI shell to identify the USB key device and `:` to mount it. 36 | 37 | ## Run Custom Processing Unit 38 | 39 | Run `./cpu.efi` to print the help: 40 | 41 | ``` 42 | Usage: 43 | patch: p 44 | patch & exec: x 45 | perf: f 46 | zero out m&p: z 47 | hook: h [m&p idx] [uop addr] [patch addr] 48 | template: m 49 | dump imms: di 50 | dump rom: dr 51 | dump msrs: dm 52 | dump SMM: ds [address] [size] 53 | cpuid: c [rax] [rcx] 54 | rdmsr: rm [msr] 55 | wrmsr: wm [msr] 56 | read: r [cmd] [addr] 57 | write: w [cmd] [addr] [value] 58 | invoke: i [addr] 59 | update ucode: u [size] 60 | ldat read: lr [port] [array] [bank] [idx] [addr] [optional size] 61 | ldat write: lw [port] [array] [bank] [idx] [addr] [value] 62 | ``` 63 | 64 | ### Simple instructions 65 | 66 | `cpu` provides helpers to run simple instructions from the command line: 67 | * cpuid 68 | * rdmsr 69 | * wrmsr 70 | 71 | ### Complex actions 72 | `cpu` provides interfaces to complex CPU routines that are interesting to execute to study CPU behavior: 73 | * `u`: update the CPU ucode with the provided (signed) patch 74 | * `f`: collect performance counters while running microcode 75 | 76 | ### Raw udbgrd and udbgwr 77 | 78 | `cpu` provides raw interfaces to the undocumented instructions `udbgrd` and `udbgwr`. 79 | The most interesting commands they provide are: 80 | * 0x0: access CRBUS 81 | * 0x10: access UROM 82 | * 0x40: access stgbuf 83 | * 0xd8: invoke ucode routine from address 84 | 85 | ### LDAT access 86 | `cpu` exposes LDAT access routines to read and write. Specify the parameters `[port] [array] [bank] [idx] [addr]` to read or write there. 
87 | Interesting ports are: 88 | * 0x6a0: microcode sequencer, which has access to the internal ucode ROM and RAM 89 | * 0x120: load/store buffers 90 | * 0x3c0: instruction cache 91 | * 0x630: ITLB 92 | 93 | Please note that accessing some of these internal components may cause the CPU to freeze. 94 | 95 | ### Patch microcode 96 | 97 | `cpu` provides functionalities to install patches in the microcode. 98 | 1. Write your microcode patch in `bios/ucode_patches/ucode_patch.u` (look at the other patches for examples) 99 | 2. Build the UEFI application 100 | 3. Execute `cpu.efi p` to install the patch at the address provided in `.org`. 101 | 102 | Note that in the microcode, only the addresses between 0x7c00 and 0x7e00 are writable and meaningful to patch. 103 | 104 | Running `cpu.efi x` also executes the patched microcode and prints the `rax, rbx, rcx, rdx` registers as the result. 105 | 106 | ### Match & Patch 107 | 108 | To automatically execute microcode at certain CPU events or microcode points, `cpu` leverages the Match and Patch mechanism. 109 | It defines a microcode address to hook and the microcode address to jump to when the hook is triggered. 110 | 111 | * `z`: resets all the match & patch. 112 | * `h`: installs a hook, given an index (0-0x20), an address to hook (0-0x7c00) and a target address to execute (0x7c00-0x7e00). 113 | 114 | ### Tracing microcode 115 | 116 | By installing multiple hooks and continuously executing an instruction, `cpu` is able to trace the microoperations performed by such an instruction, and dump them. To trace: 117 | 118 | 1. Write the instruction to be traced after the `// [TRACED INSTRUCTION HERE]` in `get_trace_clock_at()`. 119 | 2. Build the UEFI application. 120 | 3. Trace with: `cpu.efi m`. 121 | It will create a `trace.txt` file that contains all the addresses that have been hit. 122 | 4. Execute `uasm-lib/uasm.py -t trace.txt > parsed_trace.txt`. 
123 | It will generate a full trace of the microcode executed during the instruction. 124 | 125 | Note that `uasm.py` will leverage the `ms_arrayX.txt` files in its folder to generate a disassembly of the microinstructions executed. These are for GLM with stepping 0x9 (cpuid 0x000506C9). Please generate the proper arrays in case you have a different stepping. 126 | You can use the LDAT dump functionalities for this purpose. 127 | 128 | ### Secret memory dumpers 129 | 130 | The CPU has several buffers that are not accessible from the architecture, for which we provide dump routines: 131 | * `smm`: SMROM (or any other address while disabling SMM protection) 132 | * `rom`: internal ROM 133 | * `imms`: CPU hardcoded immediates 134 | * `msrs`: internal MSR configurations 135 | 136 | ### Writing microcode patches 137 | 138 | We provide an assembler that generates header files to be compiled into the `cpu.efi` UEFI application. 139 | Look into the provided patches in `bios/ucode_patches` for the syntax. 140 | It supports simple operations and labels. 141 | Assemble a microcode patch with `uasm.py -i ucode_patch.u -o ucode_patch.h`. 142 | `cpu.efi` will be compiled and automatically include the microcode patch that you want to apply. 143 | 144 | #### Example 145 | 146 | file: `ucode_patch.u` 147 | ``` 148 | .org 0x7c00 149 | 150 | rax:= ZEROEXT_DSZ32(0x00001337) 151 | rbx:= ZEROEXT_DSZ32(0x00001337) 152 | rcx:= ZEROEXT_DSZ32(0x00001337) 153 | rdx:= ZEROEXT_DSZ32(0x00001337) 154 | ``` 155 | 156 | Recompile, then run on the GLM: 157 | ``` 158 | cpu.efi z # zero out match & patch 159 | cpu.efi p # apply the patch 160 | cpu.efi h 0 0x0428 0x7c00 # rdrand entry point 161 | ``` 162 | Now every time `rdrand` is executed, it will return `0x1337` in the registers. 
163 | 164 | ### Cite Us 165 | 166 | Our work has been published in a [paper](https://pietroborrello.com/publication/woot23/woot23.pdf) at [WOOT](https://wootconference.org/) 2023: 167 | ``` 168 | @inproceedings{Borrello2023CustomProcessingUnit, 169 | title = {{CustomProcessingUnit}: Reverse Engineering and Customization of Intel Microcode}, 170 | author = {Borrello, Pietro and Easdon, Catherine and Schwarzl, Martin and Czerny, Roland and Schwarz, Michael}, 171 | booktitle = {IEEE Workshop on Offensive Technologies (WOOT 23)}, 172 | year = {2023}, 173 | } 174 | ``` 175 | 176 | ### Experiments 177 | 178 | The experiments described in the paper can be run with: 179 | ``` 180 | cpu.efi e [exp_idx] 181 | ``` 182 | 183 | with `[exp_idx]`: 184 | 185 | 0. Fast ucode breakpoints 186 | 1. Constant-Time ucode division 187 | 2. x86 PAC 188 | 3. Attack x86 PAC with PACMAN 189 | 4. Conditional Hardware Breakpoints 190 | -------------------------------------------------------------------------------- /bios/dumps/SMM.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/bios/dumps/SMM.txt -------------------------------------------------------------------------------- /bios/efi-mp.h: -------------------------------------------------------------------------------- 1 | #ifndef _EFI_MP_ 2 | #include 3 | #include 4 | #include 5 | #endif 6 | 7 | #define EFI_MP_SERVICES_PROTOCOL_GUID \ 8 | { 0x3fdda605, 0xa76e, 0x4f46, {0xad, 0x29, 0x12, 0xf4, 0x53, 0x1b, 0x3d, 0x08} } 9 | 10 | typedef struct _EFI_MP_SERVICES_PROTOCOL EFI_MP_SERVICES_PROTOCOL; 11 | 12 | #define PROCESSOR_AS_BSP_BIT 0x00000001 13 | #define PROCESSOR_ENABLED_BIT 0x00000002 14 | #define PROCESSOR_HEALTH_STATUS_BIT 0x00000004 15 | 16 | typedef struct { 17 | UINT64 ProcessorId; 18 | UINT32 StatusFlag; 19 | } EFI_PROCESSOR_INFORMATION; 20 | 21 | typedef 22 | EFI_STATUS 23 | (EFIAPI 
*EFI_MP_SERVICES_DUMMY)( 24 | IN EFI_MP_SERVICES_PROTOCOL *This 25 | ); 26 | 27 | typedef 28 | VOID 29 | (EFIAPI *EFI_AP_PROCEDURE)( 30 | IN OUT VOID *Buffer 31 | ); 32 | 33 | typedef 34 | EFI_STATUS 35 | (EFIAPI *EFI_MP_SERVICES_GET_NUMBER_OF_PROCESSORS)( 36 | IN EFI_MP_SERVICES_PROTOCOL *This, 37 | OUT UINTN *NumberOfProcessors, 38 | OUT UINTN *NumberOfEnabledProcessors 39 | ); 40 | 41 | typedef 42 | EFI_STATUS 43 | (EFIAPI *EFI_MP_SERVICES_GET_PROCESSOR_INFO)( 44 | IN EFI_MP_SERVICES_PROTOCOL *This, 45 | IN UINTN ProcessorNumber, 46 | OUT EFI_PROCESSOR_INFORMATION *ProcessorInfoBuffer 47 | ); 48 | 49 | typedef 50 | EFI_STATUS 51 | (EFIAPI *EFI_MP_SERVICES_STARTUP_ALL_APS) ( 52 | IN EFI_MP_SERVICES_PROTOCOL *This, 53 | IN EFI_AP_PROCEDURE Procedure, 54 | IN BOOLEAN SingleThread, 55 | IN EFI_EVENT WaitEvent OPTIONAL, 56 | IN UINTN TimeoutInMicroSeconds, 57 | IN VOID *ProcedureArgument OPTIONAL, 58 | OUT UINTN **FailedCpuList OPTIONAL 59 | ); 60 | 61 | typedef 62 | EFI_STATUS 63 | (EFIAPI *EFI_MP_SERVICES_STARTUP_THIS_AP)( 64 | IN EFI_MP_SERVICES_PROTOCOL *This, 65 | IN EFI_AP_PROCEDURE Procedure, 66 | IN UINTN ProcessorNumber, 67 | IN EFI_EVENT WaitEvent OPTIONAL, 68 | IN UINTN TimeoutInMicroseconds, 69 | IN VOID *ProcedureArgument OPTIONAL, 70 | OUT BOOLEAN *Finished OPTIONAL 71 | ); 72 | 73 | typedef 74 | EFI_STATUS 75 | (EFIAPI *EFI_MP_SERVICES_WHOAMI) ( 76 | IN EFI_MP_SERVICES_PROTOCOL *This, 77 | OUT UINTN *ProcessorNumber 78 | ); 79 | 80 | struct _EFI_MP_SERVICES_PROTOCOL { 81 | EFI_MP_SERVICES_GET_NUMBER_OF_PROCESSORS GetNumberOfProcessors; 82 | EFI_MP_SERVICES_GET_PROCESSOR_INFO GetProcessorInfo; 83 | EFI_MP_SERVICES_STARTUP_ALL_APS StartupAllAPs; 84 | EFI_MP_SERVICES_STARTUP_THIS_AP StartupThisAP; 85 | EFI_MP_SERVICES_DUMMY SwitchBSP; 86 | EFI_MP_SERVICES_DUMMY EnableDisableAP; 87 | EFI_MP_SERVICES_WHOAMI WhoAmI; 88 | }; -------------------------------------------------------------------------------- /bios/glm-intel-ucode/06-5c-09: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/bios/glm-intel-ucode/06-5c-09 -------------------------------------------------------------------------------- /bios/glm-intel-ucode/06-5c-0a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/bios/glm-intel-ucode/06-5c-0a -------------------------------------------------------------------------------- /bios/goldmont_core_perf_counters.h: -------------------------------------------------------------------------------- 1 | #define INST_RETIRED_ANY ((0x01 << 8) | 0x00) 2 | #define CPU_CLK_UNHALTED_CORE ((0x02 << 8) | 0x00) 3 | #define CPU_CLK_UNHALTED_REF_TSC ((0x03 << 8) | 0x00) 4 | #define LD_BLOCKS_DATA_UNKNOWN ((0x01 << 8) | 0x03) 5 | #define LD_BLOCKS_STORE_FORWARD ((0x02 << 8) | 0x03) 6 | #define LD_BLOCKS_4K_ALIAS ((0x04 << 8) | 0x03) 7 | #define LD_BLOCKS_UTLB_MISS ((0x08 << 8) | 0x03) 8 | #define LD_BLOCKS_ALL_BLOCK ((0x10 << 8) | 0x03) 9 | #define PAGE_WALKS_D_SIDE_CYCLES ((0x01 << 8) | 0x05) 10 | #define PAGE_WALKS_I_SIDE_CYCLES ((0x02 << 8) | 0x05) 11 | #define PAGE_WALKS_CYCLES ((0x03 << 8) | 0x05) 12 | #define UOPS_ISSUED_ANY ((0x00 << 8) | 0x0E) 13 | #define MISALIGN_MEM_REF_LOAD_PAGE_SPLIT ((0x02 << 8) | 0x13) 14 | #define MISALIGN_MEM_REF_STORE_PAGE_SPLIT ((0x04 << 8) | 0x13) 15 | #define LONGEST_LAT_CACHE_MISS ((0x41 << 8) | 0x2E) 16 | #define LONGEST_LAT_CACHE_REFERENCE ((0x4F << 8) | 0x2E) 17 | #define L2_REJECT_XQ_ALL ((0x00 << 8) | 0x30) 18 | #define CORE_REJECT_L2Q_ALL ((0x00 << 8) | 0x31) 19 | #define CPU_CLK_UNHALTED_CORE_P ((0x00 << 8) | 0x3C) 20 | #define CPU_CLK_UNHALTED_REF ((0x01 << 8) | 0x3C) 21 | #define DL1_DIRTY_EVICTION ((0x01 << 8) | 0x51) 22 | #define ICACHE_HIT ((0x01 << 8) | 0x80) 23 | #define 
ICACHE_MISSES ((0x02 << 8) | 0x80) 24 | #define ICACHE_ACCESSES ((0x03 << 8) | 0x80) 25 | #define ITLB_MISS ((0x04 << 8) | 0x81) 26 | #define FETCH_STALL_ALL ((0x00 << 8) | 0x86) 27 | #define FETCH_STALL_ITLB_FILL_PENDING_CYCLES ((0x01 << 8) | 0x86) 28 | #define FETCH_STALL_ICACHE_FILL_PENDING_CYCLES ((0x02 << 8) | 0x86) 29 | #define UOPS_NOT_DELIVERED_ANY ((0x00 << 8) | 0x9C) 30 | #define INST_RETIRED_ANY_P ((0x00 << 8) | 0xC0) 31 | #define UOPS_RETIRED_ANY ((0x00 << 8) | 0xC2) 32 | #define UOPS_RETIRED_MS ((0x01 << 8) | 0xC2) 33 | #define UOPS_RETIRED_FPDIV ((0x08 << 8) | 0xC2) 34 | #define UOPS_RETIRED_IDIV ((0x10 << 8) | 0xC2) 35 | #define MACHINE_CLEARS_ALL ((0x00 << 8) | 0xC3) 36 | #define MACHINE_CLEARS_SMC ((0x01 << 8) | 0xC3) 37 | #define MACHINE_CLEARS_MEMORY_ORDERING ((0x02 << 8) | 0xC3) 38 | #define MACHINE_CLEARS_FP_ASSIST ((0x04 << 8) | 0xC3) 39 | #define MACHINE_CLEARS_DISAMBIGUATION ((0x08 << 8) | 0xC3) 40 | #define BR_INST_RETIRED_ALL_BRANCHES ((0x00 << 8) | 0xC4) 41 | #define BR_INST_RETIRED_JCC ((0x7E << 8) | 0xC4) 42 | #define BR_INST_RETIRED_ALL_TAKEN_BRANCHES ((0x80 << 8) | 0xC4) 43 | #define BR_INST_RETIRED_FAR_BRANCH ((0xBF << 8) | 0xC4) 44 | #define BR_INST_RETIRED_NON_RETURN_IND ((0xEB << 8) | 0xC4) 45 | #define BR_INST_RETIRED_RETURN ((0xF7 << 8) | 0xC4) 46 | #define BR_INST_RETIRED_CALL ((0xF9 << 8) | 0xC4) 47 | #define BR_INST_RETIRED_IND_CALL ((0xFB << 8) | 0xC4) 48 | #define BR_INST_RETIRED_REL_CALL ((0xFD << 8) | 0xC4) 49 | #define BR_INST_RETIRED_TAKEN_JCC ((0xFE << 8) | 0xC4) 50 | #define BR_MISP_RETIRED_ALL_BRANCHES ((0x00 << 8) | 0xC5) 51 | #define BR_MISP_RETIRED_JCC ((0x7E << 8) | 0xC5) 52 | #define BR_MISP_RETIRED_NON_RETURN_IND ((0xEB << 8) | 0xC5) 53 | #define BR_MISP_RETIRED_RETURN ((0xF7 << 8) | 0xC5) 54 | #define BR_MISP_RETIRED_IND_CALL ((0xFB << 8) | 0xC5) 55 | #define BR_MISP_RETIRED_TAKEN_JCC ((0xFE << 8) | 0xC5) 56 | #define ISSUE_SLOTS_NOT_CONSUMED_ANY ((0x00 << 8) | 0xCA) 57 | #define 
ISSUE_SLOTS_NOT_CONSUMED_RESOURCE_FULL ((0x01 << 8) | 0xCA) 58 | #define ISSUE_SLOTS_NOT_CONSUMED_RECOVERY ((0x02 << 8) | 0xCA) 59 | #define HW_INTERRUPTS_RECEIVED ((0x01 << 8) | 0xCB) 60 | #define HW_INTERRUPTS_MASKED ((0x02 << 8) | 0xCB) 61 | #define HW_INTERRUPTS_PENDING_AND_MASKED ((0x04 << 8) | 0xCB) 62 | #define CYCLES_DIV_BUSY_ALL ((0x00 << 8) | 0xCD) 63 | #define CYCLES_DIV_BUSY_IDIV ((0x01 << 8) | 0xCD) 64 | #define CYCLES_DIV_BUSY_FPDIV ((0x02 << 8) | 0xCD) 65 | #define MEM_UOPS_RETIRED_DTLB_MISS_LOADS ((0x11 << 8) | 0xD0) 66 | #define MEM_UOPS_RETIRED_DTLB_MISS_STORES ((0x12 << 8) | 0xD0) 67 | #define MEM_UOPS_RETIRED_DTLB_MISS ((0x13 << 8) | 0xD0) 68 | #define MEM_UOPS_RETIRED_LOCK_LOADS ((0x21 << 8) | 0xD0) 69 | #define MEM_UOPS_RETIRED_SPLIT_LOADS ((0x41 << 8) | 0xD0) 70 | #define MEM_UOPS_RETIRED_SPLIT_STORES ((0x42 << 8) | 0xD0) 71 | #define MEM_UOPS_RETIRED_SPLIT ((0x43 << 8) | 0xD0) 72 | #define MEM_UOPS_RETIRED_ALL_LOADS ((0x81 << 8) | 0xD0) 73 | #define MEM_UOPS_RETIRED_ALL_STORES ((0x82 << 8) | 0xD0) 74 | #define MEM_UOPS_RETIRED_ALL ((0x83 << 8) | 0xD0) 75 | #define MEM_LOAD_UOPS_RETIRED_L1_HIT ((0x01 << 8) | 0xD1) 76 | #define MEM_LOAD_UOPS_RETIRED_L2_HIT ((0x02 << 8) | 0xD1) 77 | #define MEM_LOAD_UOPS_RETIRED_L1_MISS ((0x08 << 8) | 0xD1) 78 | #define MEM_LOAD_UOPS_RETIRED_L2_MISS ((0x10 << 8) | 0xD1) 79 | #define MEM_LOAD_UOPS_RETIRED_HITM ((0x20 << 8) | 0xD1) 80 | #define MEM_LOAD_UOPS_RETIRED_WCB_HIT ((0x40 << 8) | 0xD1) 81 | #define MEM_LOAD_UOPS_RETIRED_DRAM_HIT ((0x80 << 8) | 0xD1) 82 | #define BACLEARS_ALL ((0x01 << 8) | 0xE6) 83 | #define BACLEARS_RETURN ((0x08 << 8) | 0xE6) 84 | #define BACLEARS_COND ((0x10 << 8) | 0xE6) 85 | #define MS_DECODED_MS_ENTRY ((0x01 << 8) | 0xE7) 86 | #define DECODE_RESTRICTION_PREDECODE_WRONG ((0x01 << 8) | 0xE9) 87 | -------------------------------------------------------------------------------- /bios/raw_msr.h: -------------------------------------------------------------------------------- 1 | 
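#include <stdint.h> /* NOTE(review): the header name was lost in extraction; <stdint.h> is assumed from the uint32_t/uint64_t use below -- confirm */

#ifndef __RAW_MSR__
#define __RAW_MSR__

/*
 * wrmsr(msr, val): write the 64-bit value `val` to the model-specific
 * register whose index is `msr`. The low half goes in EAX, the high half in
 * EDX and the index in ECX, as the constraints below show.
 *
 * - The macro expands to a complete statement, trailing ';' included, so it
 *   cannot be used as an expression or as the unbraced body of an if/else.
 * - `val` is evaluated twice; pass an expression without side effects.
 * - `val` is widened to uint64_t before the shift. Without the cast a 32-bit
 *   argument (a plain 0, or an unsigned long on an LLP64 toolchain) would be
 *   shifted by its full width, which is undefined behaviour in C.
 * - WRMSR is a privileged instruction and the index is not validated here;
 *   every caller must pass an MSR index and value it knows to be valid.
 */
#define wrmsr(msr, val) asm volatile("wrmsr\n" : : "a"((uint32_t) (val)), "d"((uint32_t) (((uint64_t) (val)) >> 32)), "c"(msr));

/*
 * rdmsr(msr): read the model-specific register `msr` and return its 64-bit
 * value, assembled from EDX (high half) and EAX (low half).
 * RDMSR is privileged and the index is not validated here.
 */
static uint64_t rdmsr(uint32_t msr)
{
    /* 32-bit halves, so the result does not depend on the upper register bits. */
    uint32_t lo, hi;
    asm volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(msr));
    return (((uint64_t) hi << 32) | lo);
}

#endif
--------------------------------------------------------------------------------
/bios/raw_perf.h:
--------------------------------------------------------------------------------
#include <stdint.h> /* NOTE(review): header name lost in extraction; <stdint.h> assumed -- confirm */
#include "raw_msr.h"

/* NOTE(review): no include guard is visible in this header, and it defines
   (not just declares) the pmc* globals below, so including it from a second
   translation unit would produce duplicate definitions. */

/* PERF EVENT DEFS */
/* Event-select MSRs, one per general-purpose counter. */
#define IA32_PERFEVTSEL0 0x186
#define IA32_PERFEVTSEL1 0x187
#define IA32_PERFEVTSEL2 0x188
#define IA32_PERFEVTSEL3 0x189

/* General-purpose counter MSRs, indexed the same way as the selectors above. */
#define IA32_PMC0 0xc1
#define IA32_PMC1 0xc2
#define IA32_PMC2 0xc3
#define IA32_PMC3 0xc4

#define IA32_FIXED_CTR0 0x309 // Counts number of retired instructions
#define IA32_FIXED_CTR1 0x30a // Counts number of core cycles while the processor is not halted
#define IA32_FIXED_CTR2 0x30b // Counts number of timestamp counts (TSC) while the processor is not halted

#define IA32_FIXED_CTR_CTRL 0x38d
#define IA32_PERF_GLOBAL_STATUS 0x38e
#define IA32_PERF_GLOBAL_CTRL 0x38f
#define IA32_PERF_GLOBAL_STATUS_RESET 0x390
#define IA32_DEBUGCTL 0x1d9

/* Flag bits OR-ed into an event-select value by perf_program_event(). */
#define PERF_USER_MODE (1<<16)
#define PERF_OS_MODE (1<<17)
#define PERF_ANY_THREAD (1<<21)
#define PERF_ENABLE (1<<22)

/* Event code and per-port unit masks for the "uops dispatched" event. */
#define PERF_UOPS_DISPATCHED 0xa1
#define PERF_UOPS_PORT0 1
#define PERF_UOPS_PORT1 2
#define PERF_UOPS_PORT2 4
#define PERF_UOPS_PORT3 8
#define PERF_UOPS_PORT4 0x10
#define PERF_UOPS_PORT5 0x20
#define PERF_UOPS_PORT6 0x40
#define PERF_UOPS_PORT7 0x80

/* Last-sampled counter values; -1 converts to all-ones and presumably marks "not read yet" -- confirm against the users of these globals. */
uint64_t pmc0 = -1, pmc1 = -1, pmc2 = -1, pmc3 = -1, pmc_fixed_1 = -1;

#define APIC_LVTPC 0x340
#define APIC_DM_NMI 0x00400

/*END PERF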
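EVENT DEFS*/

/*
 * All helpers below execute RDMSR/WRMSR directly. Those instructions are
 * privileged, and none of the helpers saves or restores the previous counter
 * configuration, so whatever was programmed before is overwritten.
 */

/* Stop every counter by writing 0 to IA32_PERF_GLOBAL_CTRL. */
static inline __attribute__((always_inline)) void perf_disable_globally(void){
    // wrmsr(IA32_PERF_GLOBAL_CTRL, 0);
    asm volatile("wrmsr" : : "a"(0), "d"(0), "c"(IA32_PERF_GLOBAL_CTRL));
}

/* Start the counters: EDX:EAX = 0x2:0xf, i.e. bits 0-3 plus bit 33. */
static inline __attribute__((always_inline)) void perf_enable_globally(void){
    /* enable IA32_PMC0 to IA32_PMC3 and fixed PMC#1 to count cycles*/
    // wrmsr(IA32_PERF_GLOBAL_CTRL, 0x20000000f);
    asm volatile("wrmsr" : : "a"(0xf), "d"(0x2), "c"(IA32_PERF_GLOBAL_CTRL));
}

/*
 * Program general-purpose counter `pmc_idx` (0..3) to count `event` with unit
 * mask `umask` in both OS and user mode, then clear the counter.
 *
 * `event` and `umask` are OR-ed into the selector as given, without masking,
 * so any extra bits a caller passes end up in the event-select register.
 */
static inline __attribute__((always_inline)) void perf_program_event(uint32_t pmc_idx, uint32_t event, uint32_t umask) {
    uint64_t event_mask = (umask << 8) | event | PERF_ENABLE | PERF_OS_MODE | PERF_USER_MODE;
    /* Only IA32_PERFEVTSEL0..3 and IA32_PMC0..3 exist in this header; a larger
       index would make the additions below address unrelated MSRs. */
    if (pmc_idx > 3)
        return;
    /* program the counter*/
    wrmsr(IA32_PERFEVTSEL0 + pmc_idx, event_mask);
    /* reset the counter; the 64-bit zero keeps the macro's >>32 well defined */
    wrmsr(IA32_PMC0 + pmc_idx, (uint64_t) 0);
}

/*
 * Configure fixed counter 1 (core cycles) and preload it with `initial_value`.
 * The constants are built as uint64_t so that the shifts by 33 and 59 stay
 * defined on toolchains where unsigned long is 32 bits wide.
 */
static inline __attribute__((always_inline)) void perf_program_fixed_1(uint64_t initial_value) {
    /* program the counter: enable OS + PMI */
    wrmsr(IA32_FIXED_CTR_CTRL, (uint64_t) 0x90);
    /* load the counter with the caller's start value */
    wrmsr(IA32_FIXED_CTR1, initial_value);
    /* clear status bit 33 (same bit position that enables fixed counter 1 above)
       and bit 59 (presumably the counters-frozen flag -- confirm against the SDM) */
    wrmsr(IA32_PERF_GLOBAL_STATUS_RESET, ((uint64_t) 1 << 33) | ((uint64_t) 1 << 59));
}

/* Return the current value of fixed counter 1. */
static inline __attribute__((always_inline)) uint64_t perf_read_fixed_1(void) {
    return rdmsr(IA32_FIXED_CTR1);
}

/*
 * Return the current value of general-purpose counter `pmc_idx`.
 * The index is not range-checked here because there is no value to return for
 * a rejected index; callers must pass 0..3.
 */
static inline __attribute__((always_inline)) uint64_t perf_read(uint32_t pmc_idx) {
    return rdmsr(IA32_PMC0 + pmc_idx);
}

/* Set bit 12 of IA32_DEBUGCTL with a read-modify-write that keeps the other bits. */
static inline __attribute__((always_inline)) void perf_freeze_pmc_on_pmi(void) {
    wrmsr(IA32_DEBUGCTL, rdmsr(IA32_DEBUGCTL) | ((uint64_t) 1 << 12));
}
-------------------------------------------------------------------------------- /bios/traces/cld_std_cld.txt: -------------------------------------------------------------------------------- 1 | 0488 144 2 | 048A 155 3 | 06D0 141 4 | 06D2 205 5 | 06D4 204 6 | 21FE 205 7 | 221E 142 8 |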
-------------------------------------------------------------------------------- /bios/traces/cld_std_cld_trace.txt: -------------------------------------------------------------------------------- 1 | [ 141] U06d0: tmp1:= unk_109(0x00000001) 2 | [ 0] U06d1: UJMPCC_DIRECT_NOTTAKEN_CONDB(tmp1, U06d2) SEQW GOTO U221e 3 | [ 0] U221d: TESTUSTATE( , UCODE, UST_MSLOOPCTR_NONZERO) ? SEQW GOTO U2218 4 | [ 142] U221e: NOP SEQW UEND0 5 | [ 144] U0488: tmp5:= MOVEFROMCREG_DSZ64( , 0x7fe) !m2 6 | [ 0] U0489: tmp5:= OR_DSZ32(0x00000400, tmp5) 7 | [ 155] U048a: SYNCFULL-> MOVETOCREG_BTR_DSZ64(tmp5, 0x00000010, 0x7fe) !m2 SEQW GOTO U221e 8 | [ 204] U06d4: MOVETOCREG_BTR_DSZ64(tmp5, 0x0000000a, 0x7fe) !m0 SEQW GOTO U21fe 9 | [ 0] U06d5: tmp4:= LDZX_DSZN_ASZ32_SC1(tmp2, mode=0x18, tmp1) !m1 10 | [ 205] U06d2: tmp5:= MOVEFROMCREG_DSZ64( , 0x7fe) 11 | [ 0] U21fd: MOVETOCREG_DSZ64(tmp9, 0x48c) !m2 12 | [ 205] U21fe: SYNCFULL-> NOP SEQW GOTO U1bd0 13 | -------------------------------------------------------------------------------- /bios/traces/cpuid_80000002.txt: -------------------------------------------------------------------------------- 1 | 0BE0 142 2 | 1BCE 192 3 | 1BD0 191 4 | 1BD2 193 5 | 1BD4 193 6 | 1BD6 194 7 | 1BD8 194 8 | 21B4 211 9 | 21B6 3474 10 | 21C8 3477 11 | 21CA 3484 12 | 4760 145 13 | 4762 160 14 | 4764 161 15 | 4776 161 16 | 4778 161 17 | 477A 168 18 | 477C 163 19 | 477E 164 20 | 4780 164 21 | 4782 165 22 | 4784 165 23 | 4786 166 24 | 4788 166 25 | -------------------------------------------------------------------------------- /bios/traces/cpuid_80000002_trace.txt: -------------------------------------------------------------------------------- 1 | [ 142] U0be0: tmp0:= MOVE_DSZ32(0x0000000a) 2 | [ 0] U0be1: LFNCEMARK-> TESTUSTATE( , SYS, !UST_USER_MODE) ? SEQW GOTO U4760 3 | [ 145] U4760: tmp11:= SUB_DSZ32(0x00000000, rax) 4 | [ 0] U4761: LFNCEMARK-> LBSYNC(0x00000002) 5 | [ 160] U4762: TESTUSTATE( , SYS, UST_VMX_GUEST) ? 
SEQW GOTO U4e80 6 | [ 161] U4764: TESTUSTATE( , SYS, !UST_VMX_DUAL_MON) ? SEQW GOTO U4776 7 | [ 0] U4765: tmp1:= READURAM( , 0x0011, 64) 8 | [ 0] U4775: CMPUJNZ_DIRECT_NOTTAKEN(tmp2, 0x00000000, U1f90) 9 | [ 161] U4776: tmp0:= READURAM( , 0x0006, 64) 10 | [ 161] U4778: WRITEURAM(tmp0, 0x0171, 64) 11 | [ 0] U4779: tmp8:= ADD_DSZ32(rcx) 12 | [ 163] U477c: tmp6:= READURAM( , 0x0035, 64) 13 | [ 0] U477d: tmp7:= READURAM( , 0x0077, 64) 14 | [ 164] U477e: rax:= ZEROEXT_DSZ32(0x00000000) 15 | [ 164] U4780: rbx:= ZEROEXT_DSZ32(0x00000000) 16 | [ 0] U4781: rcx:= ZEROEXT_DSZ32(0x00000000) 17 | [ 165] U4782: rdx:= ZEROEXT_DSZ32(0x00000000) 18 | [ 165] U4784: tmp10:= READURAM( , 0x0041, 64) 19 | [ 0] U4785: tmp10:= BT_DSZ64(tmp10, 0x00000016) 20 | [ 166] U4786: tmp2:= MOVEMERGEFLGS_DSZ32(0x00000015, tmp10) 21 | [ 166] U4788: tmp2:= CMOVCC_DSZ32_CONDNB(tmp2, 0x00000002) 22 | [ 0] U4789: UJMPCC_DIRECT_NOTTAKEN_CONDS(tmp11, U1bce) 23 | [ 168] U477a: tmp9:= SUB_DSZ32(0x00000002, tmp8) 24 | [ 191] U1bd0: tmp0:= SUB_DSZ32(0x00000008, tmp0) 25 | [ 0] U1bd1: tmp2:= MOVEMERGEFLGS_DSZ32(tmp2, tmp0) 26 | [ 0] U1bcd: SAVEUIP( , 0x01, U008e) SEQW GOTO U5f31 27 | [ 192] U1bce: tmp0:= BTR_DSZ32(tmp11, 0x0000001f) 28 | [ 193] U1bd2: tmp11:= CMOVCC_DSZ32_CONDNBE(tmp2, tmp11) 29 | [ 193] U1bd4: UJMPCC_DIRECT_NOTTAKEN_CONDNBE(tmp0, U478e) 30 | [ 0] U1bd5: LFNCEMARK-> tmp0:= SHL_DSZ32(tmp11, 0x00000003) 31 | [ 194] U1bd6: tmp1:= ADD_DSZ32(tmp0, 0x000021a4) 32 | [ 194] U1bd8: LFNCEMARK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp0, tmp1) 33 | [ 0] U1bd9: rax:= ZEROEXT_DSZ16(0x00000008, tmp11) SEQW GOTO U17ec 34 | [ 211] U21b4: tmp0:= PORTIN_DSZ64_ASZ16_SC1(0x4840) 35 | [ 0] U21b5: tmp1:= PORTIN_DSZ64_ASZ16_SC1(0x4848) 36 | [ 3474] U21b6: rax:= ZEROEXT_DSZ32(tmp0) SEQW GOTO U21c8 37 | [ 3477] U21c8: rbx:= SHR_DSZ64(tmp0, 0x00000020) 38 | [ 0] U21c9: rcx:= ZEROEXT_DSZ32(tmp1) 39 | [ 3484] U21ca: rdx:= SHR_DSZ64(tmp1, 0x00000020) SEQW GOTO U17ec 
-------------------------------------------------------------------------------- /bios/traces/denormal_fp.txt: -------------------------------------------------------------------------------- 1 | 08CE 399 2 | 0CA2 356 3 | 0CA4 356 4 | 0CA6 357 5 | 1000 384 6 | 1002 384 7 | 1004 384 8 | 1006 385 9 | 1008 386 10 | 100A 386 11 | 100C 387 12 | 1546 341 13 | 1548 345 14 | 154A 347 15 | 154C 352 16 | 2188 208 17 | 220E 382 18 | 2362 271 19 | 2364 272 20 | 2366 271 21 | 2BDE 272 22 | 368E 209 23 | 3690 210 24 | 3692 211 25 | 3694 216 26 | 3696 217 27 | 3698 217 28 | 369A 218 29 | 369C 218 30 | 369E 219 31 | 36A0 220 32 | 36A2 225 33 | 36A4 224 34 | 36A6 226 35 | 36A8 228 36 | 36AA 229 37 | 36AC 232 38 | 36AE 230 39 | 36B0 234 40 | 36B2 237 41 | 36B4 238 42 | 36B6 236 43 | 36B8 236 44 | 36BA 236 45 | 36BC 237 46 | 36BE 238 47 | 36C0 238 48 | 4250 267 49 | 42FA 269 50 | 42FC 269 51 | 4332 264 52 | 43DC 313 53 | 6006 273 54 | 6008 277 55 | 600A 276 56 | 600C 282 57 | 600E 281 58 | 6010 287 59 | 6012 288 60 | 6014 289 61 | -------------------------------------------------------------------------------- /bios/traces/denormal_fp_trace.txt: -------------------------------------------------------------------------------- 1 | [ 208] U2188: tmp4:= MOVEFROMCREG_DSZ64( , 0x48f) 2 | [ 0] U2189: tmp5:= MOVEFROMCREG_DSZ64( , 0x013) SEQW GOTO U368d 3 | [ 0] U368d: LFNCEMARK-> tmm7:= unk_698( , xmm0) 4 | [ 209] U368e: tmp0:= MOVEFROMCREG_DSZ64( , 0x01b) 5 | [ 210] U3690: tmp6:= SHR_DSZ64(tmp0, 0x00000016) 6 | [ 0] U3691: tmp11:= SHR_DSZ32(tmp4, 0x00000012) 7 | [ 211] U3692: MOVETOCREG_DSZ64( , 0x00000000, 0x48f) !m2 8 | [ 216] U3694: tmp6:= AND_DSZ32(0x00001000, tmp6) 9 | [ 0] U3695: tmp7:= AND_DSZ32(0x00002000, tmp5) 10 | [ 217] U3696: tmp12:= AND_DSZ32(0x00000007, tmp11) 11 | [ 217] U3698: tmp12:= SUB_DSZ32(0x00000003, tmp12) 12 | [ 0] U3699: tmp12:= MOVEMERGEFLGS_DSZ32(0x0000000d, tmp12) 13 | [ 218] U369a: tmp12:= CMOVCC_DSZ32_CONDNL(tmp12, 0x00000008) 14 | [ 218] U369c: tmp12:= 
SHL_DSZ64(tmp12, 0x0000000b) 15 | [ 0] U369d: tmp11:= OR_DSZ32(tmp6, tmp11) 16 | [ 219] U369e: tmp8:= ZEROEXT_DSZ32(0x00000005) 17 | [ 220] U36a0: tmp11:= OR_DSZ32(tmp7, tmp11) 18 | [ 0] U36a1: LFNCEWAIT-> tmm5:= unk_704(tmm0) 19 | [ 224] U36a4: tmm5:= unk_694(tmm5, tmm2) 20 | [ 0] U36a5: tmp15:= MOVEFROMCREG_DSZ64( , 0x480) 21 | [ 225] U36a2: tmm2:= unk_704(tmm3) 22 | [ 226] U36a6: tmp3:= PINTMOVDTMM2I_DSZ32(tmm5) 23 | [ 228] U36a8: tmp9:= ZEROEXT_DSZ64() 24 | [ 0] U36a9: tmp6:= AND_DSZ32(0x00000003, tmp3) 25 | [ 229] U36aa: tmp6:= SHL_DSZ64(tmp6, 0x00000023) 26 | [ 230] U36ae: tmp0:= MOVEMERGEFLGS_DSZ64(tmp0, tmp7) 27 | [ 232] U36ac: tmp7:= BT_DSZ32(tmp3, 0x00000007) 28 | [ 0] U36ad: tmp5:= NOTAND_DSZ32(0x00002000, tmp5) 29 | [ 234] U36b0: tmp7:= CMOVCC_DSZ32_CONDNB(tmp0, tmp5) 30 | [ 0] U36b1: tmp7:= NOTAND_DSZ64(0x00007800, tmp7) 31 | [ 236] U36b6: tmm5:= unk_620(tmm2) 32 | [ 236] U36b8: tmp5:= PINTMOVDTMM2I_DSZ32(tmm5) 33 | [ 0] U36b9: SYNCMARK-> UFLOWCTRL( , tmp5, URET0) 34 | [ 236] U36ba: tmp11:= AND_DSZ32(0x00000020, tmp4) 35 | [ 237] U36b2: tmp7:= OR_DSZ64(tmp7, tmp12) 36 | [ 237] U36bc: tmp6:= MOVEFROMCREG_DSZ64( , 0x7fe) 37 | [ 0] U36bd: tmp7:= AND_DSZ32(0x00000007, tmp4) 38 | [ 238] U36b4: MOVETOCREG_OR_DSZ64(tmp7, 0x752, tmp6) 39 | [ 0] U36b5: MOVETOCREG_AND_DSZ64(tmp3, 0x0000000c, 0x6c5) 40 | [ 238] U36be: tmp4:= AND_DSZ32(0x0000003f, tmp4) 41 | [ 238] U36c0: tmp10:= NOTAND_DSZ32(0x0000003f, tmp15) 42 | [ 0] U36c1: MOVETOCREG_BTR_DSZ64(tmp6, 0x00000010, 0x7fe) 43 | [ 0] U4331: tmp3:= AND_DSZ16(0x00000040, tmp3) SEQW URET0 44 | [ 264] U4332: tmm7:= unk_5b9(xmmsrc) SEQW GOTO U4250 45 | [ 267] U4250: tmp13:= ZEROEXT_DSZ64(0x000043dc) SEQW GOTO U42fa 46 | [ 0] U4251: LFNCEMARK-> tmm6:= unk_743(mm0) !m2 47 | [ 0] U42f9: tmp13:= ZEROEXT_DSZ64(0x000043c4) 48 | [ 269] U42fa: tmm4:= unk_5b9(xmmdst) 49 | [ 269] U42fc: TESTUSTATE( , UCODE, !0x0010) !m0 ? 
SEQW GOTO U2362 50 | [ 0] U42fd: tmp11:= ZEROEXT_DSZ32(0x0000220e) 51 | [ 0] U2361: SAVEUIP( , 0x01, U6868) !m0 SEQW GOTO U59b5 52 | [ 271] U2362: tmp14:= SAVEUIP(0x01, U0ca2) !m0 53 | [ 271] U2366: tmp8:= ZEROEXT_DSZ16(0x0000fc01) SEQW GOTO U2bde 54 | [ 272] U2364: tmp12:= ZEROEXT_DSZ8() 55 | [ 0] U2365: tmp11:= ZEROEXT_DSZ32(0x0000220e) 56 | [ 0] U2bdd: STADSTGBUF_DSZ64_ASZ16_SC1(0x00000100, , tmp0) SEQW URET0 57 | patch_handle_0x07_write_uram: 58 | [ 272] U2bde: TESTUSTATE( , UCODE, !0x0010) !m0 ? SEQW GOTO U6005 59 | [ 0] U6005: tmm0:= unk_574(tmm4) 60 | [ 273] U6006: tmm1:= unk_574(tmm7) 61 | [ 276] U600a: tmp6:= PINTMOVDTMM2I_DSZ32(tmm5) 62 | [ 277] U6008: tmm5:= unk_664(tmm1, tmm0) 63 | [ 0] U6009: tmm5:= unk_694(tmm5, tmm2) 64 | [ 281] U600e: tmp6:= BT_DSZ32(tmp6, 0x00000010) 65 | [ 282] U600c: tmp4:= SHR_DSZ32(tmp6, 0x00000008) 66 | [ 0] U600d: tmp6:= NOTAND_DSZ32(0x00000f00, tmp6) 67 | [ 287] U6010: tmp6:= CMOVCC_DSZ64_CONDB(tmp6, tmp13) 68 | [ 0] U6011: SYNCMARK-> tmp6:= UFLOWCTRL( , tmp6, URET0) 69 | [ 288] U6012: tmp4:= AND_DSZ32(0x0000000f, tmp4) 70 | [ 289] U6014: tmm0:= unk_69d( , tmm0) 71 | [ 0] U6015: tmm1:= unk_69d( , tmm1) 72 | [ 313] U43dc: tmm3:= unk_626(tmm1, tmm0) SEQW GOTO U1545 73 | [ 0] U43dd: NOP 74 | [ 0] U1545: tmm5:= unk_7c2(tmm0) 75 | [ 341] U1546: tmm1:= unk_6aa(tmm3, tmm5) 76 | [ 345] U1548: tmm3:= unk_62f(tmm3) !m1 77 | [ 0] U1549: tmm1:= unk_62f(tmm1) !m1 78 | [ 347] U154a: tmm5:= unk_637(tmm1, tmm3) !m1 79 | [ 352] U154c: tmp4:= PINTMOVDTMM2I_DSZ32(tmm5) 80 | [ 0] U154d: tmp10:= OR_DSZ32(tmp4, tmp10) SEQW GOTO U2281 81 | [ 0] U0ca1: tmp12:= SUBR_DSZ64(tmp12, 0x00000001) SEQW GOTO U2e3d 82 | [ 356] U0ca2: tmp14:= SAVEUIP(0x01, U1000) !m0 83 | [ 356] U0ca4: NOP 84 | [ 0] U0ca5: NOP 85 | [ 357] U0ca6: UJMP( , tmp11) 86 | [ 0] U220d: tmp13:= SAVEUIP(0x00, U576d) SEQW GOTO U01c2 87 | [ 382] U220e: tmp13:= SAVEUIP(0x00, U08ce) SEQW URET1 88 | [ 384] U1000: unk_256() !m1 89 | [ 0] U1001: tmp3:= NOTAND_DSZ32(tmp10, 0x00001f80) 90 | [ 
384] U1002: tmp3:= SHR_DSZ32(tmp3, 0x00000007) 91 | [ 384] U1004: tmp3:= AND_DSZ32(tmp3, tmp10) 92 | [ 0] U1005: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp3, U5ec9) 93 | [ 385] U1006: tmp0:= OR_DSZ32(tmp10, tmp15) 94 | [ 386] U1008: tmm5:= unk_707(mm0) 95 | [ 0] U1009: LFNCEMARK-> tmm6:= unk_691(tmm5) 96 | [ 386] U100a: NOP 97 | [ 387] U100c: LFNCEWAIT-> NOP SEQW URET0 98 | [ 0] U100d: tmp1:= TESTUSTATE( , SYS, !UST_VMX_GUEST) !m0,m1 ? SEQW GOTO U1010 99 | [ 0] U08cd: LFNCEWAIT-> tmp5:= READURAM( , 0x001f, 64) SEQW GOTO U18d6 100 | [ 399] U08ce: xmm2:= unk_430(tmm7, xmmdst) !m1 SEQW UEND0 101 | -------------------------------------------------------------------------------- /bios/traces/int1.txt: -------------------------------------------------------------------------------- 1 | 068E 326 2 | 07C8 452 3 | 07CA 458 4 | 07CC 455 5 | 0816 222 6 | 081E 383 7 | 09B0 382 8 | 09B2 385 9 | 09B4 384 10 | 09B6 385 11 | 0C40 149 12 | 0C42 151 13 | 0C44 150 14 | 0C46 153 15 | 0C48 163 16 | 0C4A 166 17 | 195C 568 18 | 195E 573 19 | 1960 576 20 | 19D8 573 21 | 19DA 577 22 | 19DC 581 23 | 19DE 582 24 | 19E0 581 25 | 1DD6 341 26 | 1DD8 346 27 | 1DDA 344 28 | 1DDC 348 29 | 1DE2 345 30 | 1DE4 349 31 | 1DE8 347 32 | 1DEA 349 33 | 1DEC 350 34 | 1DEE 358 35 | 1DF0 357 36 | 1DF2 359 37 | 1DF4 357 38 | 2178 226 39 | 2782 580 40 | 2784 357 41 | 2786 366 42 | 2788 366 43 | 278A 366 44 | 278C 366 45 | 278E 371 46 | 2790 373 47 | 2794 371 48 | 2C00 301 49 | 2C02 304 50 | 2C04 306 51 | 2E5C 340 52 | 2E5E 343 53 | 2E60 343 54 | 3006 571 55 | 33E6 539 56 | 33E8 544 57 | 33EA 551 58 | 33EC 554 59 | 356E 497 60 | 3570 499 61 | 3572 502 62 | 3574 501 63 | 3AA4 334 64 | 3AA6 336 65 | 3AA8 338 66 | 3AB0 339 67 | 3BC6 532 68 | 3BC8 531 69 | 3BCA 538 70 | 3BCC 541 71 | 3BCE 541 72 | 3BD0 538 73 | 3C00 307 74 | 3C02 311 75 | 3C04 310 76 | 3C06 311 77 | 3C08 311 78 | 3C0C 310 79 | 3C0E 322 80 | 3C10 325 81 | 3D36 476 82 | 3D38 479 83 | 3D3A 480 84 | 3D3C 478 85 | 3D40 480 86 | 3D4E 476 87 | 3D50 484 88 | 3D52 
482 89 | 3D54 487 90 | 3D56 484 91 | 3D58 496 92 | 3E56 505 93 | 3E58 505 94 | 3E5A 507 95 | 3E5C 509 96 | 3E72 236 97 | 3E74 236 98 | 3E76 238 99 | 3E78 239 100 | 3E7A 240 101 | 3E7C 238 102 | 3E7E 239 103 | 3E80 239 104 | 3E82 241 105 | 3E84 244 106 | 3E86 254 107 | 3E88 254 108 | 3E96 255 109 | 3E98 254 110 | 3E9A 257 111 | 3E9C 256 112 | 3EA0 257 113 | 3EA2 256 114 | 3EA4 257 115 | 3EA6 258 116 | 3EA8 259 117 | 3EAA 260 118 | 3EAC 262 119 | 3EAE 266 120 | 3EB0 267 121 | 3EB2 268 122 | 3EB4 273 123 | 3EB6 274 124 | 3EB8 275 125 | 408C 452 126 | 4736 457 127 | 4738 459 128 | 4DC8 303 129 | 4DCA 307 130 | 4DCC 307 131 | 4DCE 308 132 | 4DD0 308 133 | 4DD2 311 134 | 59C4 223 135 | 59C6 228 136 | 59C8 229 137 | 59CA 233 138 | 59CC 234 139 | 59D0 234 140 | 5B2E 296 141 | 5B30 297 142 | 5B32 299 143 | 6404 462 144 | 6406 474 145 | 6408 469 146 | 640A 478 147 | 640C 476 148 | 640E 476 149 | 64F4 282 150 | 64F6 284 151 | 64F8 284 152 | 64FA 280 153 | 64FC 280 154 | 64FE 282 155 | 6500 282 156 | 6502 283 157 | 6504 282 158 | 6560 297 159 | 6562 299 160 | 6564 304 161 | 6678 165 162 | 667A 174 163 | 667C 174 164 | 667E 175 165 | 6680 175 166 | 6684 175 167 | 6686 183 168 | 6688 188 169 | 668A 195 170 | 668C 195 171 | 668E 196 172 | 6690 196 173 | -------------------------------------------------------------------------------- /bios/traces/int3.txt: -------------------------------------------------------------------------------- 1 | 068E 273 2 | 07C8 396 3 | 07CA 427 4 | 07CC 397 5 | 081E 329 6 | 09B0 333 7 | 09B2 331 8 | 09B4 330 9 | 09B6 331 10 | 0A78 149 11 | 0A7A 151 12 | 0A7C 150 13 | 0A7E 153 14 | 0DC6 173 15 | 0DC8 172 16 | 0DCA 179 17 | 195C 511 18 | 195E 518 19 | 1960 519 20 | 19D8 518 21 | 19DA 523 22 | 19DC 524 23 | 19DE 523 24 | 19E0 524 25 | 1A00 171 26 | 1DB2 172 27 | 1DD6 288 28 | 1DD8 291 29 | 1DDA 291 30 | 1DDC 294 31 | 1DE2 292 32 | 1DE4 295 33 | 1DE8 293 34 | 1DEA 295 35 | 1DEC 296 36 | 1DEE 304 37 | 1DF0 303 38 | 1DF2 305 39 | 1DF4 303 40 | 2414 153 41 | 
241A 152 42 | 2782 523 43 | 2784 303 44 | 2786 311 45 | 2788 311 46 | 278A 312 47 | 278C 314 48 | 278E 317 49 | 2790 319 50 | 2792 320 51 | 2794 319 52 | 27CA 153 53 | 27CC 168 54 | 27CE 169 55 | 27D0 169 56 | 27D2 170 57 | 27D4 172 58 | 2C00 248 59 | 2C02 250 60 | 2C04 252 61 | 2E5C 287 62 | 2E5E 289 63 | 2E60 289 64 | 3006 517 65 | 33E6 482 66 | 33E8 490 67 | 33EA 493 68 | 33EC 500 69 | 356E 439 70 | 3570 454 71 | 3572 443 72 | 3574 467 73 | 3722 170 74 | 3724 171 75 | 3AA4 280 76 | 3AA6 281 77 | 3AA8 284 78 | 3AB0 285 79 | 3BC6 473 80 | 3BC8 476 81 | 3BCA 494 82 | 3BCC 481 83 | 3BCE 483 84 | 3BD0 485 85 | 3C00 254 86 | 3C02 256 87 | 3C04 256 88 | 3C06 257 89 | 3C08 256 90 | 3C0C 256 91 | 3C0E 268 92 | 3C10 272 93 | 3D36 420 94 | 3D38 423 95 | 3D3A 423 96 | 3D3C 423 97 | 3D40 421 98 | 3D4E 421 99 | 3D50 425 100 | 3D52 425 101 | 3D54 425 102 | 3D56 427 103 | 3D58 439 104 | 3E56 448 105 | 3E58 452 106 | 3E5A 467 107 | 3E5C 453 108 | 3E72 188 109 | 3E74 187 110 | 3E76 187 111 | 3E78 186 112 | 3E7A 190 113 | 3E7C 188 114 | 3E7E 189 115 | 3E80 189 116 | 3E82 193 117 | 3E84 193 118 | 3E86 197 119 | 3E88 196 120 | 3E94 197 121 | 3E96 199 122 | 3E98 199 123 | 3E9A 199 124 | 3E9C 203 125 | 3EA0 204 126 | 3EA2 203 127 | 3EA4 204 128 | 3EA6 204 129 | 3EA8 206 130 | 3EAA 207 131 | 3EAC 207 132 | 3EAE 211 133 | 3EB0 213 134 | 3EB2 218 135 | 3EB4 219 136 | 3EB6 216 137 | 3EB8 221 138 | 408C 398 139 | 4736 401 140 | 4738 404 141 | 4DC8 250 142 | 4DCA 253 143 | 4DCC 252 144 | 4DCE 254 145 | 4DD0 254 146 | 4DD2 256 147 | 5B2E 242 148 | 5B30 243 149 | 5B32 245 150 | 6404 408 151 | 6406 414 152 | 6408 414 153 | 640A 420 154 | 640C 421 155 | 640E 422 156 | 64F4 228 157 | 64F6 230 158 | 64F8 229 159 | 64FA 231 160 | 64FC 231 161 | 64FE 232 162 | 6500 228 163 | 6502 229 164 | 6504 229 165 | 6560 244 166 | 6562 245 167 | 6564 250 168 | -------------------------------------------------------------------------------- /bios/traces/iretq_trace.txt: 
-------------------------------------------------------------------------------- 1 | 2 | [ 452] U07c8: tmp4:= MOVE_DSZ32(IMM_MACRO_ALIAS_RIP) !m0 3 | [ 0] U07c9: LFNCEMARK-> AETTRACE( , 0x08, IMM_MACRO_ALIAS_INSTRUCTION) !m0 4 | [ 452] U408c: NOP SEQW GOTO U3a2d 5 | [ 0] U408d: NOP 6 | [ 455] U07cc: tmp1:= ZEROEXT_DSZ32(0x00000301) SEQW GOTO U605d 7 | [ 0] U07cd: rax:= ZEROEXT_DSZ32() 8 | [ 0] U4735: tmp6:= SUB_DSZ32(0x00000008, tmp6) SEQW GOTO U4731 9 | [ 457] U4736: tmp9:= ZEROEXT_DSZ8N(IMM_MACRO_1b) !m0,m1 10 | [ 458] U07ca: tmp10:= READAFLAGS() !m2 11 | [ 459] U4738: LFNCEWAIT-> tmp0:= READURAM( , 0x0070, 64) 12 | [ 0] U4739: tmp7:= TESTUSTATE( , SYS, !UST_VMX_DUAL_MON | UST_VMX_GUEST) !m0,m1 ? SEQW GOTO U6404 13 | [ 462] U6404: TESTUSTATE( , VMX, !0x0002) !m0,m2 ? SEQW GOTO U6408 14 | [ 0] U6405: LFNCEWAIT-> tmp1:= MOVETOCREG_BTR_DSZ64(tmp0, 0x0000000a, 0x2c4) !m0,m1 15 | [ 469] U6408: WRITEURAM(tmp0, 0x000a, 32) !m2 16 | [ 0] U6409: LFNCEWAIT-> tmp0:= MOVEFROMCREG_DSZ64( , 0x7fe) 17 | [ 474] U6406: WRITEURAM(tmp1, 0x0070, 64) !m2 18 | [ 0] U3d35: LFNCEMARK-> BTUJB_DIRECT_NOTTAKEN(tmp0, 0x0000000e, U60c9) !m0,m1 19 | ldat_read_arr6: 20 | [ 476] U3d36: tmp7:= LDZX_DSZN_ASZ32_SC1(rsp, SS, IMM_MACRO_13, mode=0x0a) !m0,m1 21 | [ 0] U3d4d: tmp7:= OR_DSZ32(tmp7, tmp0) 22 | [ 476] U3d4e: unk_13f(tmp7) !m2 23 | [ 476] U640c: tmp10:= OR_DSZ32(tmp0, tmp10) 24 | [ 0] U640d: MOVETOCREG_DSZ64(0x00000016, 0x000) 25 | [ 476] U640e: TESTUSTATE( , SYS, !UST_8086_MODE) !m0,m1 ? SEQW GOTO U3d35 26 | [ 478] U3d3c: TESTUSTATE( , SYS, !UST_USER_MODE) !m0,m1 ? SEQW GOTO U3d40 27 | [ 0] U3d3d: tmp5:= unk_20d(0x00000200) 28 | [ 478] U640a: MOVETOCREG_OR_DSZ64( , 0x00000002, 0x6c5) !m0 29 | [ 479] U3d38: tmp2:= LDZX_DSZ16_ASZ32_SC1(rsp, SS, IMM_MACRO_ALIAS_DATASIZE, mode=0x0a) !m0 30 | [ 0] U3d39: LFNCEMARK-> tmp3:= LDZX_DSZN_ASZ32_SC1(rsp, SS, mode=0x0a) !m1 31 | [ 480] U3d3a: tmp5:= ZEROEXT_DSZ32N(0x003f7700) !m1 32 | [ 480] U3d40: TESTUSTATE( , SYS, !UST_8086_MODE) !m0,m1 ? 
SEQW GOTO U3d4e 33 | [ 0] U3d41: tmp5:= unk_203(0x00257700, tmp5) 34 | patch_handle_0x10_mailboxes: 35 | [ 482] U3d52: tmp7:= OR_DSZ32(tmp5, tmp7) 36 | [ 484] U3d50: tmp7:= AND_DSZ32(tmp5, tmp7) 37 | [ 0] U3d51: tmp5:= NOTAND_DSZ32(tmp5, tmp10) 38 | [ 484] U3d56: LFNCEWAIT-> MOVETOCREG_BTR_DSZ64(tmp7, 0x00000011, 0x7fe) 39 | [ 487] U3d54: tmp13:= SAVEUIP(0x00, U33e5) 40 | [ 0] U3d55: TESTUSTATE( , SYS, UST_OP_SIZE_32BIT) !m1 ? SEQW GOTO U5fc4 41 | [ 496] U3d58: tmp14:= SAVEUIP(0x01, U356e) !m0 SEQW GOTO U2c01 42 | [ 0] U3d59: tmp9:= ZEROEXT_DSZ32(0x0000010a) 43 | [ 0] U356d: MSLOOP-> UJMPCC_DIRECT_NOTTAKEN_CONDZ(tmp4, U0465) SEQW GOTO U3568 44 | [ 497] U356e: LFNCEMARK-> tmp1:= unk_e6b(tmp0, tmp2) !m1,m2 45 | [ 499] U3570: LFNCEMARK-> UJMPCC_DIRECT_NOTTAKEN_CONDO(tmp1, tmp1) 46 | [ 0] U3571: TESTUSTATE( , SYS, UST_ADDR_SIZE_64BIT) !m1 ? SEQW GOTO U0095 47 | [ 501] U3574: tmp6:= MOVETOCREG_DSZ64(0x00000017, 0x000) !m2 SEQW GOTO U3e56 48 | [ 0] U3575: rsp:= ZEROEXT_DSZ8N(rsp, tmp5) !m1 49 | [ 502] U3572: tmp11:= MOVEFROMCREG_DSZ64( , 0x79e) 50 | [ 0] U3e55: TESTUSTATE( , UCODE, !0x0008) !m0 ? SEQW GOTO U3574 51 | [ 505] U3e56: tmp5:= MOVE_DSZ64(rsp, rsp) !m1 52 | [ 505] U3e58: rsp:= ADD_DSZN(tmp9, rsp) !m1 53 | [ 0] U3e59: tmp2:= LDZX_DSZ16_ASZ32_SC1(rsp, SS, IMM_MACRO_ALIAS_DATASIZE, mode=0x0a) !m0 54 | [ 507] U3e5a: LFNCEMARK-> rsp:= LDZX_DSZN_ASZ32_SC1(rsp, SS, mode=0x0a) !m1 55 | [ 509] U3e5c: LFNCEMARK-> MOVETOCREG_DSZ64(tmp11, 0x79e) !m2 56 | [ 0] U3e5d: tmp14:= SAVEUIP(0x01, U3bc6) !m0 SEQW GOTO U2c01 57 | [ 531] U3bc8: LFNCEWAIT-> MOVETOCREG_DSZ64(tmp1, 0x7f5) !m2 58 | [ 0] U3bc9: TESTUSTATE( , SYS, UST_OP_SIZE_32BIT) !m1 ? 
SEQW GOTO U33e6 59 | [ 0] U3bc5: MOVETOCREG_BTS_DSZ64(tmp1, 0x0000001f, 0x29d) !m0,m1 SEQW GOTO U2ba1 60 | [ 532] U3bc6: LFNCEWAIT-> tmp1:= RDSEGFLD(UNK_SEG_09, FLGS) 61 | [ 538] U3bca: tmp14:= SAVEUIP(0x01, U33e6) !m0 62 | [ 538] U3bd0: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp11, tmp14) SEQW URET1 63 | [ 0] U3bd1: TESTUSTATE( , SYS, !UST_OP_SIZE_32BIT) !m0,m1 ? SEQW GOTO U0092 64 | [ 0] U33e5: SAVEUIP( , 0x01, U2782) !m0 SEQW GOTO U19d9 65 | [ 539] U33e6: MOVETOCREG_DSZ64(tmp6, 0x000) !m2 66 | [ 541] U3bcc: tmp11:= RDSEGFLD(CS, FLGS) 67 | [ 0] U3bcd: tmp11:= XOR_DSZ32(tmp1, tmp11) 68 | [ 541] U3bce: tmp11:= AND_DSZ32(0x00002000, tmp11) 69 | [ 544] U33e8: tmp14:= SAVEUIP(0x01, U3006) !m0 70 | [ 0] U33e9: TESTUSTATE( , SYS, UST_OP_SIZE_32BIT) !m1 ? SEQW GOTO U1959 71 | [ 551] U33ea: LFNCEWTMRK-> unk_e7b(tmp0, tmp2) !m1,m2 72 | [ 554] U33ec: LFNCEWAIT-> tmp1:= RDSEGFLD(SS_USERM, FLGS) SEQW GOTO U195c 73 | [ 0] U33ed: tmp2:= READURAM( , 0x005c, 64) 74 | [ 568] U195c: LEA_DSZ8_ASZ32_SC1(tmp3) 75 | [ 0] U195d: MOVETOCREG_DSZ64(tmp1, 0x73c) !m2 76 | [ 0] U3005: tmp5:= ZEROEXT_DSZ32N(tmp5) !m1 SEQW GOTO U189a 77 | [ 571] U3006: rsp:= ZEROEXT_DSZ8N(rsp, tmp5) !m1 SEQW URET0 78 | [ 573] U195e: tmp11:= RDSEGFLD(SS, FLGS) 79 | [ 573] U19d8: TESTUSTATE( , UCODE, !0x0008) !m0 ? 
SEQW GOTO U33e5 80 | [ 0] U19d9: LFNCEWAIT-> tmp11:= RDSEGFLD(UNK_SEG_09, LIMIT) 81 | [ 576] U1960: tmp11:= XOR_DSZ32(tmp11, tmp1) 82 | [ 0] U1961: tmp11:= AND_DSZ32(0x00004000, tmp11) SEQW GOTO U3bd0 83 | [ 577] U19da: MOVETOCREG_DSZ64(tmp11, 0x410) 84 | [ 0] U2781: unk_d68(tmp15, , tmp0) !m2 SEQW GOTO U2db0 85 | [ 580] U2782: LFNCEMARK-> LBSYNC(0x00000002) 86 | [ 581] U19dc: tmp11:= ADD_DSZ32(0x00000001, tmp11) 87 | [ 0] U19dd: MOVETOCREG_DSZ64(tmp11, 0x700) 88 | [ 581] U19e0: LFNCEMARK-> MOVETOCREG_DSZ64(tmp11, 0x78e) SEQW URET1 89 | [ 0] U19e1: tmp5:= ZEROEXT_DSZ32(0x000019e4) 90 | [ 582] U19de: tmp11:= RDSEGFLD(UNK_SEG_09, UNK_FLD_0c) -------------------------------------------------------------------------------- /bios/traces/popa.txt: -------------------------------------------------------------------------------- 1 | 040C 181 2 | 040E 182 3 | 068E 331 4 | 07C8 461 5 | 07CA 462 6 | 07CC 461 7 | 081E 388 8 | 09B0 387 9 | 09B2 390 10 | 09B4 390 11 | 09B6 390 12 | 0DC2 232 13 | 0DC4 232 14 | 0DC6 233 15 | 0DC8 232 16 | 0DCA 239 17 | 1894 213 18 | 195C 574 19 | 195E 585 20 | 1960 587 21 | 19D8 581 22 | 19DA 586 23 | 19DC 586 24 | 19DE 587 25 | 19E0 588 26 | 19FE 214 27 | 1A00 214 28 | 1DB2 215 29 | 1DD6 346 30 | 1DD8 351 31 | 1DDA 350 32 | 1DDC 353 33 | 1DE2 350 34 | 1DE4 355 35 | 1DE8 352 36 | 1DEA 355 37 | 1DEC 355 38 | 1DEE 363 39 | 1DF0 363 40 | 1DF2 364 41 | 1DF4 363 42 | 1E38 193 43 | 1E3A 191 44 | 1E3C 192 45 | 1E3E 201 46 | 1E40 204 47 | 1E42 213 48 | 1E44 214 49 | 1E46 215 50 | 1E48 216 51 | 1E4A 216 52 | 1E4C 219 53 | 1E4E 219 54 | 1E50 221 55 | 1E52 219 56 | 1E54 220 57 | 1E56 221 58 | 1E58 222 59 | 1E5A 231 60 | 2018 179 61 | 201A 177 62 | 201C 181 63 | 201E 179 64 | 2768 149 65 | 2782 589 66 | 2784 363 67 | 2786 371 68 | 2788 371 69 | 278A 372 70 | 278C 372 71 | 278E 375 72 | 2790 378 73 | 2792 379 74 | 2794 379 75 | 2C00 306 76 | 2C02 309 77 | 2C04 311 78 | 2E5C 346 79 | 2E5E 348 80 | 2E60 347 81 | 3006 581 82 | 3136 183 83 | 3138 186 84 | 313A 185 
85 | 313C 186 86 | 313E 185 87 | 33E6 545 88 | 33E8 557 89 | 33EA 562 90 | 33EC 566 91 | 356E 506 92 | 3570 506 93 | 3572 512 94 | 3574 511 95 | 3AA4 338 96 | 3AA6 340 97 | 3AA8 344 98 | 3AB0 343 99 | 3BC6 536 100 | 3BC8 542 101 | 3BCA 545 102 | 3BCC 545 103 | 3BCE 549 104 | 3BD0 548 105 | 3C00 312 106 | 3C02 316 107 | 3C04 315 108 | 3C06 316 109 | 3C08 316 110 | 3C0C 314 111 | 3C0E 328 112 | 3C10 331 113 | 3D36 482 114 | 3D38 489 115 | 3D3A 494 116 | 3D3C 487 117 | 3D40 487 118 | 3D4E 488 119 | 3D50 491 120 | 3D52 495 121 | 3D54 490 122 | 3D56 490 123 | 3D58 503 124 | 3E56 512 125 | 3E58 515 126 | 3E5A 516 127 | 3E5C 518 128 | 3E72 243 129 | 3E74 242 130 | 3E76 245 131 | 3E78 244 132 | 3E7A 245 133 | 3E7C 244 134 | 3E7E 246 135 | 3E80 245 136 | 3E82 249 137 | 3E84 249 138 | 3E86 259 139 | 3E88 258 140 | 3E96 258 141 | 3E98 259 142 | 3E9A 260 143 | 3E9C 259 144 | 3EA0 260 145 | 3EA2 262 146 | 3EA4 264 147 | 3EA6 263 148 | 3EA8 265 149 | 3EAA 263 150 | 3EAC 265 151 | 3EAE 270 152 | 3EB0 272 153 | 3EB2 277 154 | 3EB4 278 155 | 3EB6 279 156 | 3EB8 281 157 | 408C 464 158 | 4736 465 159 | 4738 469 160 | 4DC8 308 161 | 4DCA 311 162 | 4DCC 312 163 | 4DCE 313 164 | 4DD0 313 165 | 4DD2 315 166 | 5B2E 300 167 | 5B30 302 168 | 5B32 304 169 | 608C 180 170 | 6404 470 171 | 6406 478 172 | 6408 481 173 | 640A 484 174 | 640C 483 175 | 640E 488 176 | 64F4 286 177 | 64F6 289 178 | 64F8 289 179 | 64FA 290 180 | 64FC 286 181 | 64FE 287 182 | 6500 287 183 | 6502 288 184 | 6504 288 185 | 6560 302 186 | 6562 307 187 | 6564 308 188 | 6A56 207 189 | 6A58 208 190 | 6A5A 208 191 | 6A5C 209 192 | 6A5E 209 193 | 6A60 210 194 | 6A62 211 195 | 6A64 211 196 | 6A66 211 197 | 6A68 212 198 | 6A6A 212 199 | 6A6C 213 200 | -------------------------------------------------------------------------------- /bios/traces/rdmsr_0017.txt: -------------------------------------------------------------------------------- 1 | 0686 172 2 | 0906 2062 3 | 0AE0 142 4 | 0AE2 145 5 | 0AE4 144 6 | 0AE6 147 7 | 2E2A 2061 
8 | 2E2C 2057 9 | 3198 197 10 | 3700 175 11 | 3720 174 12 | 3CE2 145 13 | 3CE4 146 14 | 3CE6 146 15 | 3CE8 147 16 | 3CEA 148 17 | 3CEC 149 18 | 3CEE 149 19 | 3CF0 150 20 | 3CF2 157 21 | 3CF4 158 22 | 3CF6 157 23 | 3CF8 158 24 | 3CFA 158 25 | 3CFC 159 26 | 3CFE 159 27 | 3D00 161 28 | 3D02 160 29 | 3D04 164 30 | 3D06 163 31 | 3D08 164 32 | 3D0A 164 33 | 3D0C 165 34 | 3D0E 164 35 | 3D10 165 36 | 3D12 165 37 | 3D14 166 38 | 3D16 165 39 | 3D18 166 40 | 3D1A 166 41 | -------------------------------------------------------------------------------- /bios/traces/rdmsr_0017_trace.txt: -------------------------------------------------------------------------------- 1 | [ 142] U0ae0: tmp8:= MOVEINSERTFLGS_DSZ64(0x00000031, rcx) 2 | [ 0] U0ae1: LFNCEMARK-> tmp1:= ZEROEXT_DSZ32(0x00000000) 3 | [ 144] U0ae4: tmp10:= NOTAND_DSZ32(0x0001c000, tmp8) 4 | [ 0] U0ae5: tmp10:= MSR2CR( , tmp10) 5 | [ 145] U0ae2: tmp5:= TESTUSTATE(tmp1, SYS, UST_USER_MODE | UST_VMX_DUAL_MON | UST_VMX_GUEST) ? SEQW SAVEUIP0 U0ae4? 
SEQW GOTO U677d 6 | [ 0] U3ce1: tmp13:= SHR_DSZ32(tmp10, 0x00000003) 7 | [ 145] U3ce2: tmp13:= AND_DSZ32(0x00000078, tmp13) 8 | [ 146] U3ce4: tmp13:= OR_DSZ32(0x00523700, tmp13) 9 | [ 0] U3ce5: tmp14:= SELECTCC_DSZ32_CONDB(tmp8, 0x00000080) 10 | [ 146] U3ce6: tmp13:= OR_DSZ32(tmp13, tmp14) 11 | [ 147] U0ae6: SAVEUIP( , 0x00, U0686) SEQW GOTO U3ce1 12 | [ 147] U3ce8: tmp2:= AND_DSZ32(0x0000003f, tmp10) 13 | [ 0] U3ce9: tmp2:= OR_DSZ32(tmp1, tmp2) 14 | [ 148] U3cea: tmp2:= UFLOWCTRL(tmp2, tmp2, USTATE) 15 | [ 149] U3cec: UFLOWCTRL(tmp2, tmp13, URET0) 16 | [ 0] U3ced: tmp1:= AND_DSZ32(0x00000004, tmp10) 17 | [ 149] U3cee: tmp1:= SHL_DSZ64(tmp1, 0x00000021) 18 | [ 150] U3cf0: LFNCEWTMRK-> MOVETOCREG_DSZ64(tmp1, 0x752) 19 | [ 0] U3cf1: tmp14:= SHR_DSZ32(tmp10, 0x00000016) 20 | [ 157] U3cf2: tmp14:= AND_DSZ32(0x000003fc, tmp14) 21 | [ 157] U3cf6: tmp2:= AND_DSZ32(0x3ffff000, tmp8) 22 | [ 158] U3cf4: tmp14:= OR_DSZ32(0x00523000, tmp14) 23 | [ 0] U3cf5: SYNCWTMRK-> UFLOWCTRL(tmp2, tmp14, URET1) 24 | [ 158] U3cf8: LFNCEMARK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp2, U2711) 25 | [ 0] U3cf9: tmp10:= SHR_DSZ32(tmp10, 0x0000000a) 26 | [ 158] U3cfa: tmp12:= OR_DSZ32(0x0000c000, tmp8) 27 | [ 159] U3cfc: tmp12:= MSR2CR( , tmp12) 28 | [ 0] U3cfd: tmp2:= OR_DSZ32(0x00014000, tmp8) 29 | [ 159] U3cfe: tmp2:= MSR2CR( , tmp2) 30 | [ 160] U3d02: tmp1:= CONCAT_DSZ32(0x90810200, tmp1) 31 | [ 161] U3d00: tmp12:= CONCAT_DSZ32(tmp2, tmp12) 32 | [ 0] U3d01: tmp1:= ZEROEXT_DSZ32(0x00100408) 33 | [ 163] U3d06: tmp1:= ZEROEXT_DSZ32(0x020b8000) 34 | [ 164] U3d04: tmp3:= READURAM( , 0x0035, 64) 35 | [ 0] U3d05: tmp3:= AND_DSZ64(tmp1, tmp3) 36 | [ 164] U3d08: tmp1:= CONCAT_DSZ32(0x003c491c, tmp1) 37 | [ 0] U3d09: tmp2:= READURAM( , 0x0077, 64) 38 | [ 164] U3d0a: tmp1:= AND_DSZ64(tmp1, tmp2) 39 | [ 164] U3d0e: tmp2:= BTC_DSZ64(tmp1, 0x00000023) 40 | [ 165] U3d0c: tmp2:= BTR_DSZ64(tmp1, 0x00000023) 41 | [ 0] U3d0d: TESTUSTATE( , SYS, UST_SMM) ? 
SEQW GOTO U3d16 42 | [ 165] U3d10: tmp1:= READURAM( , 0x0023, 64) 43 | [ 0] U3d11: tmp1:= AND_DSZ32(0x00000040, tmp1) 44 | [ 165] U3d12: tmp3:= OR_DSZ64(tmp1, tmp3) 45 | [ 165] U3d16: tmp3:= OR_DSZ64(tmp2, tmp3) 46 | [ 166] U3d14: TESTUSTATE( , UCODE, 0x0800) ? SEQW GOTO U3d16 47 | [ 0] U3d15: tmp3:= BTS_DSZ64(tmp3, 0x0000003d) 48 | [ 166] U3d18: tmp3:= XOR_DSZ64(0x00020008, tmp3) 49 | [ 0] U3d19: tmp2:= AND_DSZ32(0x00003fff, tmp10) 50 | [ 166] U3d1a: tmp2:= SHL_DSZ32(tmp2, 0x00000002) SEQW URET0 51 | [ 0] U0685: NOP 52 | [ 172] U0686: URET(0x00) 53 | [ 174] U3720: tmp1:= READURAM( , 0x005c, 64) 54 | [ 0] U3721: SYNCMARK-> BTUJB_DIRECT_NOTTAKEN(tmp1, 0x0000001d, U4e75) SEQW GOTO U3700 55 | [ 175] U3700: SAVEUIP( , 0x00, U2e2a) 56 | [ 0] U3701: SYNCWAIT-> TESTUSTATE( , UCODE, !0x00e4) ? SEQW URET1 57 | [ 197] U3198: tmp5:= PORTIN_DSZ32_ASZ16_SC1(0x0000, tmp2) SEQW GOTO U2e2a 58 | [ 0] U3199: NOP 59 | [ 2057] U2e2c: LFNCEWAIT-> rax:= TESTUSTATE(tmp5, UCODE, 0x3000) ? SEQW GOTO U0906 60 | [ 0] U2e2d: tmp2:= ZEROEXT_DSZ32(0x00000523) 61 | [ 0] U2e29: SYNCFULL-> MOVETOCREG_DSZ64(tmp15, 0x518) SEQW URET1 62 | [ 2061] U2e2a: TESTUSTATE( , SYS, !0x8000) ? SEQW GOTO U5da8 63 | [ 0] U0905: UJMPCC_DIRECT_NOTTAKEN_CONDNB(tmp0, U2769) SEQW GOTO U54f2 64 | [ 2062] U0906: SYNCWAIT-> rdx:= SHR_DSZ64(tmp5, 0x00000020) SEQW UEND0 -------------------------------------------------------------------------------- /bios/traces/rdmsr_0x2a_trace.txt: -------------------------------------------------------------------------------- 1 | rdmsr_xlat: 2 | [ 155] U0ae0: tmp8:= MOVEINSERTFLGS_DSZ64(0x00000031, rcx) !m1 3 | [ 0] U0ae1: LFNCEMARK-> tmp1:= ZEROEXT_DSZ32() 4 | [ 158] U0ae2: tmp5:= TESTUSTATE(tmp1, SYS, UST_USER_MODE | UST_VMX_DUAL_MON | UST_VMX_GUEST) !m1 ? SEQW SAVEUIP0 U0ae4? 
SEQW GOTO U677d 5 | [ 159] U0ae4: tmp10:= NOTAND_DSZ32(0x0001c000, tmp8) 6 | [ 0] U0ae5: tmp10:= MSR2CR( , tmp10) 7 | [ 0] U3ce1: tmp13:= SHR_DSZ32(tmp10, 0x00000003) 8 | [ 159] U3ce2: tmp13:= AND_DSZ32(0x00000078, tmp13) 9 | [ 162] U0ae6: SAVEUIP( , 0x00, U0686) SEQW GOTO U3ce1 10 | [ 162] U3ce4: tmp13:= OR_DSZ32(0x00523700, tmp13) 11 | [ 0] U3ce5: tmp14:= SELECTCC_DSZ32_CONDB(tmp8, 0x00000080) 12 | [ 165] U3ce8: tmp2:= AND_DSZ32(0x0000003f, tmp10) 13 | [ 0] U3ce9: tmp2:= OR_DSZ32(tmp1, tmp2) 14 | [ 166] U3cea: tmp2:= UFLOWCTRL(tmp2, tmp2, USTATE) 15 | [ 166] U3cec: UFLOWCTRL(tmp2, tmp13, URET0) 16 | [ 0] U3ced: tmp1:= AND_DSZ32(0x00000004, tmp10) 17 | [ 167] U3ce6: tmp13:= OR_DSZ32(tmp13, tmp14) 18 | [ 167] U3cee: tmp1:= SHL_DSZ64(tmp1, 0x00000021) 19 | [ 170] U3cf0: LFNCEWTMRK-> MOVETOCREG_DSZ64(tmp1, 0x752) 20 | [ 0] U3cf1: tmp14:= SHR_DSZ32(tmp10, 0x00000016) 21 | [ 174] U3cf2: tmp14:= AND_DSZ32(0x000003fc, tmp14) 22 | [ 175] U3cf8: LFNCEMARK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp2, U2711) 23 | [ 0] U3cf9: tmp10:= SHR_DSZ32(tmp10, 0x0000000a) 24 | [ 175] U3cfa: tmp12:= OR_DSZ32(0x0000c000, tmp8) 25 | [ 176] U3cf4: tmp14:= OR_DSZ32(0x00523000, tmp14) 26 | [ 0] U3cf5: SYNCWTMRK-> UFLOWCTRL(tmp2, tmp14, URET1) 27 | [ 176] U3cf6: tmp2:= AND_DSZ32(0x3ffff000, tmp8) 28 | [ 176] U3cfe: tmp2:= MSR2CR( , tmp2) 29 | [ 177] U3d02: tmp1:= CONCAT_DSZ32(0x90810200, tmp1) 30 | [ 178] U3cfc: tmp12:= MSR2CR( , tmp12) 31 | [ 0] U3cfd: tmp2:= OR_DSZ32(0x00014000, tmp8) 32 | [ 178] U3d0a: tmp1:= AND_DSZ64(tmp1, tmp2) 33 | [ 179] U3d00: tmp12:= CONCAT_DSZ32(tmp2, tmp12) 34 | [ 0] U3d01: tmp1:= ZEROEXT_DSZ32(0x00100408) 35 | [ 179] U3d06: tmp1:= ZEROEXT_DSZ32(0x020b8000) 36 | [ 180] U3d04: tmp3:= READURAM( , 0x0035, 64) 37 | [ 0] U3d05: tmp3:= AND_DSZ64(tmp1, tmp3) 38 | [ 180] U3d08: tmp1:= CONCAT_DSZ32(0x003c491c, tmp1) 39 | [ 0] U3d09: tmp2:= READURAM( , 0x0077, 64) 40 | [ 180] U3d0e: tmp2:= BTC_DSZ64(tmp1, 0x00000023) 41 | [ 0] U0685: NOP 42 | [ 181] U0686: URET(0x00) 43 | [ 181] 
U3d10: tmp1:= READURAM( , 0x0023, 64) 44 | [ 0] U3d11: tmp1:= AND_DSZ32(0x00000040, tmp1) 45 | [ 182] U3d12: tmp3:= OR_DSZ64(tmp1, tmp3) 46 | [ 182] U3d14: TESTUSTATE( , UCODE, 0x0800) ? SEQW GOTO U3d16 47 | [ 0] U3d15: tmp3:= BTS_DSZ64(tmp3, 0x0000003d) 48 | [ 182] U3d18: tmp3:= XOR_DSZ64(0x00020008, tmp3) 49 | [ 0] U3d19: tmp2:= AND_DSZ32(0x00003fff, tmp10) 50 | [ 183] U3d0c: tmp2:= BTR_DSZ64(tmp1, 0x00000023) 51 | [ 0] U3d0d: TESTUSTATE( , SYS, UST_SMM) !m1 ? SEQW GOTO U3d16 52 | [ 183] U3d1a: tmp2:= SHL_DSZ32(tmp2, 0x00000002) SEQW URET0 53 | [ 184] U3d16: tmp3:= OR_DSZ64(tmp2, tmp3) 54 | [ 189] U3700: SAVEUIP( , 0x00, U2e2a) 55 | [ 0] U3701: SYNCWAIT-> TESTUSTATE( , UCODE, !0x00e4) !m0 ? SEQW URET1 56 | [ 193] U3184: tmp5:= ZEROEXT_DSZ32() SEQW GOTO U2e2a 57 | [ 0] U3185: NOP 58 | [ 0] U2e29: SYNCFULL-> MOVETOCREG_DSZ64(tmp15, 0x518) !m2 SEQW URET1 59 | [ 195] U2e2a: TESTUSTATE( , SYS, !0x8000) !m0,m1 ? SEQW GOTO U5da8 60 | [ 0] U0905: UJMPCC_DIRECT_NOTTAKEN_CONDNB(tmp0, U2769) SEQW GOTO U54f2 61 | [ 197] U0906: SYNCWAIT-> rdx:= SHR_DSZ64(tmp5, 0x00000020) SEQW UEND0 62 | [ 200] U2e2c: LFNCEWAIT-> rax:= TESTUSTATE(tmp5, UCODE, 0x3000) ? 
SEQW GOTO U0906 63 | [ 0] U2e2d: tmp2:= ZEROEXT_DSZ32(0x00000523) 64 | -------------------------------------------------------------------------------- /bios/traces/read_dr0.txt: -------------------------------------------------------------------------------- 1 | 0454 186 2 | 0456 188 3 | 05F8 149 4 | 05FA 152 5 | 05FC 151 6 | 05FE 154 7 | 29EC 153 8 | 29EE 175 9 | 29F4 177 10 | 29F6 179 11 | 29F8 182 12 | 29FA 185 13 | 29FC 188 14 | -------------------------------------------------------------------------------- /bios/traces/read_dr0_trace.txt: -------------------------------------------------------------------------------- 1 | [ 149] U05f8: tmp1:= UPDATEUSTATE(!0x40) !m0 2 | [ 0] U05f9: LFNCEMARK-> tmp15:= ZEROEXT_DSZ64(IMM_MACRO_ALIAS_INSTRUCTION) !m0 3 | [ 151] U05fc: tmp12:= ZEROEXT_DSZ64N(IMM_MACRO_ALIAS_RIP) !m0,m1 4 | [ 0] U05fd: tmp0:= SHR_DSZ32(tmp15, 0x0000001c) 5 | [ 152] U05fa: TESTUSTATE( , SYS, UST_VMX_DUAL_MON | UST_VMX_GUEST) !m1 ? SEQW GOTO U603e 6 | [ 153] U29ec: WRITEURAM(tmpv0, 0x015c, 64) !m2 SEQW URET1 7 | [ 0] U29ed: SYNCFULL-> UFLOWCTRL( , tmp13, USTATE) 8 | [ 154] U05fe: tmp13:= OR_DSZ32(tmp1, tmp0) SEQW GOTO U29ed 9 | [ 175] U29ee: TESTUSTATE( , UCODE, 0x0010) ? SEQW GOTO U29f4 10 | [ 177] U29f4: TESTUSTATE( , UCODE, 0x1000) ? SEQW GOTO U29f9 11 | [ 0] U29f5: tmp2:= MOVEFROMCREG_DSZ64( , 0x7f8) 12 | [ 179] U29f6: tmp2:= BTR_DSZ32(tmp2, 0x0000000d) 13 | [ 182] U29f8: UJMPCC_DIRECT_NOTTAKEN_CONDB(tmp2, U24c1) 14 | [ 0] U29f9: TESTUSTATE( , SYS, UST_USER_MODE) !m1 ? SEQW GOTO U2711 15 | [ 185] U29fa: tmp1:= ADD_DSZ32(tmp0, 0x0000007b) 16 | [ 186] U0454: TESTUSTATE( , UCODE, !0x0010) !m0 ? SEQW GOTO U05b4 17 | [ 0] U0455: tmp7:= READURAM( , tmp1) 18 | [ 188] U29fc: TESTUSTATE( , UCODE, !0x0040) !m0 ? 
SEQW GOTO U0454 19 | [ 0] U29fd: tmp4:= MOVEFROMCREG_DSZ64( , 0x2df, 32) !m1 20 | [ 188] U0456: rax:= ZEROEXT_DSZ64N(tmp7) !m1 SEQW UEND0 21 | -------------------------------------------------------------------------------- /bios/traces/syscall.txt: -------------------------------------------------------------------------------- 1 | 02E0 149 2 | 02E2 150 3 | 040C 200 4 | 040E 200 5 | 068E 350 6 | 07C8 476 7 | 07CA 482 8 | 07CC 482 9 | 081E 407 10 | 09B0 409 11 | 09B2 409 12 | 09B4 409 13 | 09B6 412 14 | 0BB2 150 15 | 0BB4 153 16 | 0DC2 251 17 | 0DC4 251 18 | 0DC6 252 19 | 0DC8 252 20 | 0DCA 259 21 | 1894 231 22 | 195C 592 23 | 195E 602 24 | 1960 602 25 | 19D8 599 26 | 19DA 604 27 | 19DC 607 28 | 19DE 605 29 | 19E0 608 30 | 19FE 233 31 | 1A00 234 32 | 1DB2 234 33 | 1DD6 365 34 | 1DD8 370 35 | 1DDA 369 36 | 1DDC 372 37 | 1DE2 369 38 | 1DE4 374 39 | 1DE8 370 40 | 1DEA 374 41 | 1DEC 374 42 | 1DEE 382 43 | 1DF0 382 44 | 1DF2 382 45 | 1DF4 382 46 | 1E38 212 47 | 1E3A 211 48 | 1E3C 211 49 | 1E3E 221 50 | 1E40 224 51 | 1E42 233 52 | 1E44 233 53 | 1E46 235 54 | 1E48 236 55 | 1E4A 236 56 | 1E4C 237 57 | 1E4E 239 58 | 1E50 240 59 | 1E52 238 60 | 1E54 240 61 | 1E56 239 62 | 1E58 241 63 | 1E5A 251 64 | 2018 198 65 | 201A 196 66 | 201C 200 67 | 201E 199 68 | 2768 178 69 | 2782 603 70 | 2784 382 71 | 2786 390 72 | 278A 388 73 | 278C 391 74 | 278E 396 75 | 2790 397 76 | 2C00 325 77 | 2C02 328 78 | 2C04 329 79 | 2E5C 364 80 | 2E5E 366 81 | 2E60 366 82 | 3006 597 83 | 3136 202 84 | 33E6 563 85 | 33E8 573 86 | 33EA 577 87 | 33EC 583 88 | 356E 519 89 | 3570 524 90 | 3572 525 91 | 3574 526 92 | 3AA4 357 93 | 3AA6 360 94 | 3AA8 363 95 | 3AB0 362 96 | 3BC6 553 97 | 3BC8 561 98 | 3BCA 565 99 | 3BCC 565 100 | 3BCE 565 101 | 3BD0 567 102 | 3C00 332 103 | 3C02 335 104 | 3C04 334 105 | 3C06 335 106 | 3C08 334 107 | 3C0C 333 108 | 3C0E 348 109 | 3C10 351 110 | 3D36 500 111 | 3D38 506 112 | 3D3A 505 113 | 3D3C 504 114 | 3D40 505 115 | 3D4E 502 116 | 3D50 507 117 | 3D52 506 118 | 3D54 509 119 | 
3D56 507 120 | 3D58 522 121 | 3E56 531 122 | 3E58 534 123 | 3E5A 534 124 | 3E5C 533 125 | 3E72 261 126 | 3E74 261 127 | 3E76 265 128 | 3E78 264 129 | 3E7A 265 130 | 3E7C 263 131 | 3E7E 266 132 | 3E80 265 133 | 3E82 268 134 | 3E84 269 135 | 3E86 278 136 | 3E88 278 137 | 3E96 277 138 | 3E98 277 139 | 3E9A 279 140 | 3E9C 279 141 | 3EA0 278 142 | 3EA2 282 143 | 3EA4 282 144 | 3EA6 282 145 | 3EA8 284 146 | 3EAA 282 147 | 3EAC 285 148 | 3EAE 290 149 | 3EB0 292 150 | 3EB2 297 151 | 3EB4 297 152 | 3EB6 299 153 | 3EB8 299 154 | 408C 478 155 | 4736 483 156 | 4738 487 157 | 4DC8 327 158 | 4DCA 331 159 | 4DCC 332 160 | 4DCE 333 161 | 4DD0 333 162 | 4DD2 334 163 | 5B2E 319 164 | 5B30 321 165 | 5B32 322 166 | 608C 199 167 | 6404 490 168 | 6406 495 169 | 6408 495 170 | 640A 501 171 | 640C 505 172 | 640E 501 173 | 64F4 304 174 | 64F6 307 175 | 64F8 308 176 | 64FA 310 177 | 64FC 304 178 | 64FE 306 179 | 6500 306 180 | 6502 306 181 | 6504 307 182 | 6560 321 183 | 6562 323 184 | 6564 327 185 | 6A56 225 186 | 6A58 228 187 | 6A5A 228 188 | 6A5C 228 189 | 6A5E 228 190 | 6A60 230 191 | 6A62 229 192 | 6A64 231 193 | 6A66 231 194 | 6A68 232 195 | 6A6A 232 196 | 6A6C 233 197 | -------------------------------------------------------------------------------- /bios/traces/trigger_dr0.txt: -------------------------------------------------------------------------------- 1 | 040C 378 2 | 040E 383 3 | 067C 305 4 | 067E 305 5 | 068E 529 6 | 07C8 660 7 | 07CA 663 8 | 07CC 667 9 | 081E 586 10 | 0826 372 11 | 09B0 587 12 | 09B2 588 13 | 09B4 599 14 | 09B6 591 15 | 0DC2 427 16 | 0DC4 433 17 | 0DC6 429 18 | 0DC8 431 19 | 0DCA 435 20 | 1894 409 21 | 195C 781 22 | 195E 782 23 | 1960 786 24 | 19D8 790 25 | 19DA 788 26 | 19DC 796 27 | 19DE 784 28 | 19E0 793 29 | 19FE 410 30 | 1A00 412 31 | 1DB2 412 32 | 1DD6 544 33 | 1DD8 549 34 | 1DDA 548 35 | 1DDC 553 36 | 1DE2 548 37 | 1DE4 554 38 | 1DE8 548 39 | 1DEA 554 40 | 1DEC 566 41 | 1DEE 564 42 | 1DF0 561 43 | 1DF2 562 44 | 1DF4 294 45 | 1E38 390 46 | 1E3A 392 47 
| 1E3C 389 48 | 1E3E 398 49 | 1E40 400 50 | 1E42 410 51 | 1E44 410 52 | 1E46 414 53 | 1E48 412 54 | 1E4A 413 55 | 1E4C 415 56 | 1E4E 420 57 | 1E50 418 58 | 1E52 417 59 | 1E54 417 60 | 1E56 418 61 | 1E58 421 62 | 1E5A 429 63 | 1ECC 207 64 | 1ECE 204 65 | 1ED0 206 66 | 1ED2 208 67 | 1ED4 209 68 | 1ED6 223 69 | 1ED8 227 70 | 1EDA 225 71 | 1EDC 226 72 | 1EDE 229 73 | 1EE0 228 74 | 1EE2 230 75 | 1EE4 232 76 | 1EE6 233 77 | 1EE8 242 78 | 1EEA 240 79 | 1EEC 241 80 | 1EEE 238 81 | 1EF0 239 82 | 1EF2 285 83 | 2018 374 84 | 201A 378 85 | 201C 376 86 | 201E 378 87 | 2708 149 88 | 270A 165 89 | 270C 181 90 | 2782 788 91 | 2784 561 92 | 2786 571 93 | 2788 571 94 | 278A 570 95 | 278C 570 96 | 278E 574 97 | 2790 580 98 | 2792 577 99 | 2794 578 100 | 2B36 304 101 | 2B38 307 102 | 2B3A 309 103 | 2B3C 311 104 | 2C00 506 105 | 2C02 507 106 | 2C04 510 107 | 2E5C 545 108 | 2E5E 546 109 | 2E60 546 110 | 3006 782 111 | 3138 380 112 | 313C 382 113 | 313E 383 114 | 33E6 742 115 | 33E8 760 116 | 33EA 751 117 | 33EC 760 118 | 356E 698 119 | 3570 700 120 | 3572 708 121 | 3574 707 122 | 37FC 293 123 | 37FE 298 124 | 3800 299 125 | 3AA4 536 126 | 3AA6 540 127 | 3AA8 542 128 | 3AB0 541 129 | 3BC6 730 130 | 3BC8 739 131 | 3BCA 744 132 | 3BCC 741 133 | 3BCE 741 134 | 3BD0 744 135 | 3C00 510 136 | 3C02 517 137 | 3C04 514 138 | 3C06 514 139 | 3C08 515 140 | 3C0C 512 141 | 3C0E 527 142 | 3C10 529 143 | 3D36 679 144 | 3D38 687 145 | 3D3A 686 146 | 3D3C 686 147 | 3D40 682 148 | 3D4E 681 149 | 3D50 684 150 | 3D52 683 151 | 3D54 685 152 | 3D56 684 153 | 3D58 702 154 | 3E56 706 155 | 3E58 714 156 | 3E5A 712 157 | 3E5C 715 158 | 3E72 440 159 | 3E74 441 160 | 3E76 443 161 | 3E78 442 162 | 3E7A 441 163 | 3E7C 442 164 | 3E7E 444 165 | 3E80 443 166 | 3E82 445 167 | 3E84 448 168 | 3E86 455 169 | 3E88 456 170 | 3E96 454 171 | 3E98 457 172 | 3E9A 456 173 | 3E9C 457 174 | 3EA0 457 175 | 3EA2 459 176 | 3EA4 460 177 | 3EA6 460 178 | 3EA8 462 179 | 3EAA 461 180 | 3EAC 461 181 | 3EAE 470 182 | 3EB0 468 183 | 3EB2 474 
184 | 3EB4 474 185 | 3EB6 480 186 | 3EB8 477 187 | 408C 656 188 | 4736 657 189 | 4738 671 190 | 4DC8 506 191 | 4DCA 510 192 | 4DCC 511 193 | 4DCE 514 194 | 4DD0 511 195 | 4DD2 515 196 | 5A24 291 197 | 5B2E 499 198 | 5B30 503 199 | 5B32 502 200 | 608C 376 201 | 6404 663 202 | 6406 679 203 | 6408 676 204 | 640A 681 205 | 640C 681 206 | 640E 685 207 | 64F4 485 208 | 64F6 486 209 | 64F8 488 210 | 64FA 489 211 | 64FC 484 212 | 64FE 485 213 | 6500 485 214 | 6502 485 215 | 6504 489 216 | 6560 499 217 | 6562 504 218 | 6564 511 219 | 6676 318 220 | 6678 318 221 | 667A 325 222 | 667C 326 223 | 667E 326 224 | 6680 328 225 | 6684 326 226 | 6686 335 227 | 6688 341 228 | 668A 347 229 | 668C 348 230 | 668E 348 231 | 6690 349 232 | 6A56 403 233 | 6A58 404 234 | 6A5A 407 235 | 6A5C 405 236 | 6A5E 406 237 | 6A60 406 238 | 6A62 407 239 | 6A64 407 240 | 6A66 408 241 | 6A68 408 242 | 6A6A 412 243 | 6A6C 410 244 | -------------------------------------------------------------------------------- /bios/traces/ud2.txt: -------------------------------------------------------------------------------- 1 | 040C 181 2 | 040E 182 3 | 068E 331 4 | 07C8 454 5 | 07CA 458 6 | 07CC 461 7 | 081E 388 8 | 09B0 387 9 | 09B2 392 10 | 09B4 390 11 | 09B6 393 12 | 0DC2 232 13 | 0DC4 233 14 | 0DC6 233 15 | 0DC8 233 16 | 0DCA 240 17 | 1894 213 18 | 195C 573 19 | 195E 580 20 | 1960 583 21 | 19D8 577 22 | 19DA 580 23 | 19DC 586 24 | 19DE 584 25 | 19E0 588 26 | 19FE 214 27 | 1A00 216 28 | 1DB2 215 29 | 1DD6 346 30 | 1DD8 352 31 | 1DDA 350 32 | 1DDC 353 33 | 1DE2 350 34 | 1DE4 355 35 | 1DE8 351 36 | 1DEA 356 37 | 1DEC 356 38 | 1DEE 364 39 | 1DF0 364 40 | 1DF2 364 41 | 1DF4 366 42 | 1E38 193 43 | 1E3A 192 44 | 1E3C 193 45 | 1E3E 202 46 | 1E40 205 47 | 1E42 214 48 | 1E44 215 49 | 1E46 216 50 | 1E48 217 51 | 1E4A 217 52 | 1E4C 220 53 | 1E4E 220 54 | 1E50 221 55 | 1E52 220 56 | 1E54 221 57 | 1E56 221 58 | 1E58 222 59 | 1E5A 232 60 | 2018 179 61 | 201A 178 62 | 201C 181 63 | 201E 180 64 | 2768 149 65 | 2782 585 66 | 
2784 363 67 | 2786 371 68 | 2788 371 69 | 278A 373 70 | 278C 372 71 | 278E 378 72 | 2790 378 73 | 2792 382 74 | 2C00 306 75 | 2C02 309 76 | 2C04 312 77 | 2E5C 345 78 | 2E5E 349 79 | 2E60 348 80 | 3006 576 81 | 3138 186 82 | 33E6 544 83 | 33E8 554 84 | 33EA 553 85 | 33EC 569 86 | 356E 497 87 | 3570 505 88 | 3572 509 89 | 3574 505 90 | 3AA4 338 91 | 3AA6 341 92 | 3AA8 344 93 | 3AB0 344 94 | 3BC6 534 95 | 3BC8 539 96 | 3BCA 540 97 | 3BCC 545 98 | 3BCE 544 99 | 3BD0 543 100 | 3C00 313 101 | 3C02 317 102 | 3C04 316 103 | 3C06 317 104 | 3C08 317 105 | 3C0C 315 106 | 3C0E 329 107 | 3C10 331 108 | 3D36 483 109 | 3D38 483 110 | 3D3A 491 111 | 3D3C 484 112 | 3D40 480 113 | 3D4E 480 114 | 3D50 489 115 | 3D52 490 116 | 3D54 487 117 | 3D56 494 118 | 3D58 499 119 | 3E56 508 120 | 3E58 516 121 | 3E5A 515 122 | 3E5C 515 123 | 3E72 243 124 | 3E74 242 125 | 3E76 246 126 | 3E78 245 127 | 3E7A 246 128 | 3E7C 245 129 | 3E7E 247 130 | 3E80 246 131 | 3E82 250 132 | 3E84 250 133 | 3E86 259 134 | 3E88 259 135 | 3E96 259 136 | 3E98 260 137 | 3E9A 261 138 | 3E9C 259 139 | 3EA0 259 140 | 3EA2 263 141 | 3EA4 265 142 | 3EA6 264 143 | 3EA8 266 144 | 3EAA 266 145 | 3EAC 266 146 | 3EAE 271 147 | 3EB0 273 148 | 3EB2 278 149 | 3EB4 279 150 | 3EB6 279 151 | 3EB8 281 152 | 408C 456 153 | 4736 459 154 | 4738 464 155 | 4DC8 308 156 | 4DCA 313 157 | 4DCC 313 158 | 4DCE 313 159 | 4DD0 314 160 | 4DD2 316 161 | 5B2E 301 162 | 5B30 303 163 | 5B32 305 164 | 608C 180 165 | 6404 474 166 | 6406 477 167 | 6408 474 168 | 640A 480 169 | 640C 479 170 | 640E 484 171 | 64F4 286 172 | 64F6 290 173 | 64F8 289 174 | 64FA 291 175 | 64FC 287 176 | 64FE 288 177 | 6500 288 178 | 6502 289 179 | 6504 288 180 | 6560 303 181 | 6562 305 182 | 6564 310 183 | 6A56 207 184 | 6A58 209 185 | 6A5A 209 186 | 6A5C 210 187 | 6A5E 210 188 | 6A60 211 189 | 6A62 211 190 | 6A64 212 191 | 6A66 212 192 | 6A68 213 193 | 6A6A 213 194 | 6A6C 214 195 | -------------------------------------------------------------------------------- 
/bios/traces/verw.txt: -------------------------------------------------------------------------------- 1 | 0118 143 2 | 038A 149 3 | 07F6 145 4 | 0860 142 5 | 0862 144 6 | 0864 142 7 | 2220 171 8 | 2222 170 9 | 2BFE 144 10 | 2C00 143 11 | 2C02 145 12 | 2C04 147 13 | -------------------------------------------------------------------------------- /bios/traces/verw_trace.txt: -------------------------------------------------------------------------------- 1 | [ 143] U0118: tmp14:= SAVEUIP(0x01, U07f6) !m0 SEQW GOTO U0861 2 | [ 0] U0119: tmp1:= READURAM( , 0x0042, 64) 3 | [ 142] U0860: tmp14:= SAVEUIP(0x01, U3a92) !m0 4 | [ 0] U0861: tmp2:= SAVEUIP(r64src, 0x00, U2bfe) 5 | [ 142] U0864: TESTUSTATE( , SYS, UST_8086_MODE) !m1 ? SEQW GOTO U2769 6 | [ 0] U0865: tmp9:= ZEROEXT_DSZ64N(IMM_MACRO_ALIAS_RIP) !m0,m1 SEQW URET0 7 | [ 143] U2c00: AETTRACE( , 0x08, IMM_MACRO_ALIAS_INSTRUCTION) !m0 8 | [ 0] U2c01: tmp14:= READUIP_REGOVR(0x01) !m0 9 | [ 144] U0862: AETTRACE( , 0x08, IMM_MACRO_ALIAS_INSTRUCTION) !m0 10 | [ 0] U2bfd: tmp2:= LDZX_DSZ16_ASZ32_SC1(tmp2, mode=0x18) 11 | [ 144] U2bfe: SIGEVENT( , 0x00000017) 12 | [ 0] U07f5: rdx:= ZEROEXT_DSZ16(tmp1, rdx) SEQW UEND0 13 | [ 145] U07f6: tmp11:= unk_e6b(tmp0, tmp2) !m2 SEQW GOTO U038a 14 | [ 145] U2c02: LFNCEWAIT-> tmp0:= unk_d61(tmp2) 15 | [ 147] U2c04: tmp1:= unk_d61(tmp2) 16 | [ 0] U2c05: tmp0:= CMOVCC_DSZ64_CONDNB(tmp1, tmp0) SEQW URET1 17 | [ 0] U0389: NOP SEQW GOTO U2769 18 | [ 149] U038a: UJMPCC_DIRECT_NOTTAKEN_CONDO(tmp11, tmp11) 19 | [ 170] U2222: GENARITHFLAGS(tmp13) !m2 SEQW UEND0 20 | [ 171] U2220: FETCHFROMEIP1_ASZ64( , tmp9) !m1 21 | [ 0] U2221: tmp13:= MOVEMERGEFLGS_DSZ32(0x00000008) !m2 22 | -------------------------------------------------------------------------------- /bios/traces/write_dr0.txt: -------------------------------------------------------------------------------- 1 | 05F8 171 2 | 05FA 169 3 | 05FC 168 4 | 05FE 171 5 | 0780 149 6 | 0782 169 7 | 29EC 164 8 | 29EE 190 9 | 29F4 192 10 | 29F6 194 11 
| 29F8 197 12 | 29FA 198 13 | 29FC 203 14 | 29FE 205 15 | 2A00 208 16 | 2A02 213 17 | 2A04 215 18 | 2A06 214 19 | 2A08 216 20 | 2A0A 215 21 | 2A0C 216 22 | 2A0E 216 23 | 2A10 217 24 | -------------------------------------------------------------------------------- /bios/traces/write_dr0_trace.txt: -------------------------------------------------------------------------------- 1 | [ 149] U0780: tmp7:= MOVE_DSZ64(r64src, r64src) !m1 2 | [ 0] U0781: LFNCEMARK-> LBSYNC(0x00000002) 3 | [ 164] U29ec: WRITEURAM(tmpv0, 0x015c, 64) !m2 SEQW URET1 4 | [ 0] U29ed: SYNCFULL-> UFLOWCTRL( , tmp13, USTATE) 5 | [ 168] U05fc: tmp12:= ZEROEXT_DSZ64N(IMM_MACRO_ALIAS_RIP) !m0,m1 6 | [ 0] U05fd: tmp0:= SHR_DSZ32(tmp15, 0x0000001c) 7 | [ 169] U05fa: TESTUSTATE( , SYS, UST_VMX_DUAL_MON | UST_VMX_GUEST) !m1 ? SEQW GOTO U603e 8 | [ 169] U0782: tmp1:= UPDATEUSTATE( , 0xfc) SEQW GOTO U05f9 9 | [ 171] U05f8: tmp1:= UPDATEUSTATE(!0x40) !m0 10 | [ 0] U05f9: LFNCEMARK-> tmp15:= ZEROEXT_DSZ64(IMM_MACRO_ALIAS_INSTRUCTION) !m0 11 | [ 171] U05fe: tmp13:= OR_DSZ32(tmp1, tmp0) SEQW GOTO U29ed 12 | [ 190] U29ee: TESTUSTATE( , UCODE, 0x0010) ? SEQW GOTO U29f4 13 | [ 192] U29f4: TESTUSTATE( , UCODE, 0x1000) ? SEQW GOTO U29f9 14 | [ 0] U29f5: tmp2:= MOVEFROMCREG_DSZ64( , 0x7f8) 15 | [ 194] U29f6: tmp2:= BTR_DSZ32(tmp2, 0x0000000d) 16 | [ 197] U29f8: UJMPCC_DIRECT_NOTTAKEN_CONDB(tmp2, U24c1) 17 | [ 0] U29f9: TESTUSTATE( , SYS, UST_USER_MODE) !m1 ? SEQW GOTO U2711 18 | [ 198] U29fa: tmp1:= ADD_DSZ32(tmp0, 0x0000007b) 19 | [ 203] U29fc: TESTUSTATE( , UCODE, !0x0040) !m0 ? SEQW GOTO U0454 20 | [ 0] U29fd: tmp4:= MOVEFROMCREG_DSZ64( , 0x2df, 32) !m1 21 | [ 205] U29fe: BTUJB_DIRECT_NOTTAKEN(tmp4, 0x0000000e, U1bd0) !m0,m2 22 | [ 208] U2a00: TESTUSTATE( , UCODE, !0x0010) !m0 ? 
SEQW GOTO U3a58 23 | [ 0] U2a01: WRITEURAM(tmp7, tmp1) !m2 24 | [ 213] U2a02: tmp1:= ADD_DSZ32(tmp0, 0x000007a8) 25 | [ 214] U2a06: tmp2:= AND_DSZ32(0xffff0000, tmp4) 26 | [ 215] U2a04: tmp1:= ADD_DSZ32(tmp0, tmp1) 27 | [ 0] U2a05: tmp4:= SHR_DSZ64(tmp7, 0x00000020) 28 | [ 215] U2a0a: tmp3:= SELECTCC_DSZ32_CONDNZ(tmp3, 0x80000000) 29 | [ 216] U2a08: tmp2:= SELECTCC_DSZ32_CONDNZ(tmp2, 0x80000000) 30 | [ 0] U2a09: tmp3:= NOTAND_DSZ32(tmp4, 0xffff0000) 31 | [ 216] U2a0c: tmp2:= OR_DSZ32(tmp3, tmp2) 32 | [ 0] U2a0d: tmp4:= NOTAND_DSZ32(0x80000000, tmp4) 33 | [ 216] U2a0e: tmp4:= OR_DSZ32(tmp2, tmp4) 34 | [ 217] U2a10: tmp7:= CONCAT_DSZ32(tmp4, tmp7) 35 | [ 0] U2a11: LFNCEMARK-> MOVETOCREG_DSZ64(tmp7, tmp1) !m2 SEQW GOTO U1bd0 36 | -------------------------------------------------------------------------------- /bios/traces/wrmsr_0x1b_trace.txt: -------------------------------------------------------------------------------- 1 | wrmsr_xlat: 2 | [ 145] U0c80: MOVE_DSZ32() 3 | [ 0] U0c81: LFNCEMARK-> tmp8:= MOVEINSERTFLGS_DSZ64(0x00000030, rcx) !m1 4 | [ 145] U0c82: tmp5:= CONCAT_DSZ32(rdx, rax) 5 | [ 146] U0c84: NOP 6 | [ 0] U0c85: NOP 7 | [ 146] U0c86: tmp1:= TESTUSTATE( , SYS, UST_USER_MODE | UST_VMX_DUAL_MON | UST_VMX_GUEST) !m1 ? SEQW SAVEUIP0 U0c88? 
SEQW GOTO U677d 8 | [ 146] U0c88: tmp2:= AND_DSZ32(0xc0000f80, rcx) 9 | [ 0] U0c89: tmp2:= SUB_DSZ32(0x00000800, tmp2) 10 | [ 147] U00f8: tmp14:= SAVEUIP(0x01, U4055) !m0 SEQW GOTO U0861 11 | [ 0] U00f9: tmp2:= SUB_DSZN(0x000006e0, rcx) !m1 12 | [ 148] U00fa: UJMPCC_DIRECT_NOTTAKEN_CONDZ(tmp2, U00fd) 13 | [ 148] U0c8a: UJMPCC_DIRECT_NOTTAKEN_CONDZ(tmp2, U00fd) SEQW GOTO U00f9 14 | [ 162] U3ce8: tmp2:= AND_DSZ32(0x0000003f, tmp10) 15 | [ 0] U3ce9: tmp2:= OR_DSZ32(tmp1, tmp2) 16 | [ 163] U3cec: UFLOWCTRL(tmp2, tmp13, URET0) 17 | [ 0] U3ced: tmp1:= AND_DSZ32(0x00000004, tmp10) 18 | [ 164] U3cee: tmp1:= SHL_DSZ64(tmp1, 0x00000021) 19 | [ 164] U3cf0: LFNCEWTMRK-> MOVETOCREG_DSZ64(tmp1, 0x752) 20 | [ 0] U3cf1: tmp14:= SHR_DSZ32(tmp10, 0x00000016) 21 | [ 0] U00fd: tmp10:= OR_DSZ32(0x00004000, tmp8) 22 | [ 165] U00fe: tmp10:= NOTAND_DSZ32(0x00018000, tmp10) SEQW GOTO U0ae5 23 | [ 165] U0ae4: tmp10:= NOTAND_DSZ32(0x0001c000, tmp8) 24 | [ 0] U0ae5: tmp10:= MSR2CR( , tmp10) 25 | [ 165] U0ae6: SAVEUIP( , 0x00, U0686) SEQW GOTO U3ce1 26 | [ 165] U3cf2: tmp14:= AND_DSZ32(0x000003fc, tmp14) 27 | [ 165] U3cf4: tmp14:= OR_DSZ32(0x00523000, tmp14) 28 | [ 0] U3cf5: SYNCWTMRK-> UFLOWCTRL(tmp2, tmp14, URET1) 29 | [ 0] U3ce1: tmp13:= SHR_DSZ32(tmp10, 0x00000003) 30 | [ 166] U3ce2: tmp13:= AND_DSZ32(0x00000078, tmp13) 31 | [ 166] U3ce4: tmp13:= OR_DSZ32(0x00523700, tmp13) 32 | [ 0] U3ce5: tmp14:= SELECTCC_DSZ32_CONDB(tmp8, 0x00000080) 33 | [ 166] U3cf6: tmp2:= AND_DSZ32(0x3ffff000, tmp8) 34 | [ 166] U3cf8: LFNCEMARK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp2, U2711) 35 | [ 0] U3cf9: tmp10:= SHR_DSZ32(tmp10, 0x0000000a) 36 | [ 167] U3ce6: tmp13:= OR_DSZ32(tmp13, tmp14) 37 | [ 167] U3cfa: tmp12:= OR_DSZ32(0x0000c000, tmp8) 38 | [ 167] U3cfc: tmp12:= MSR2CR( , tmp12) 39 | [ 0] U3cfd: tmp2:= OR_DSZ32(0x00014000, tmp8) 40 | [ 168] U3cea: tmp2:= UFLOWCTRL(tmp2, tmp2, USTATE) 41 | [ 168] U3cfe: tmp2:= MSR2CR( , tmp2) 42 | [ 168] U3d00: tmp12:= CONCAT_DSZ32(tmp2, tmp12) 43 | [ 0] U3d01: tmp1:= 
ZEROEXT_DSZ32(0x00100408) 44 | [ 169] U3d02: tmp1:= CONCAT_DSZ32(0x90810200, tmp1) 45 | [ 169] U3d04: tmp3:= READURAM( , 0x0035, 64) 46 | [ 0] U3d05: tmp3:= AND_DSZ64(tmp1, tmp3) 47 | [ 170] U3d06: tmp1:= ZEROEXT_DSZ32(0x020b8000) 48 | [ 170] U3d08: tmp1:= CONCAT_DSZ32(0x003c491c, tmp1) 49 | [ 0] U3d09: tmp2:= READURAM( , 0x0077, 64) 50 | [ 171] U3d0a: tmp1:= AND_DSZ64(tmp1, tmp2) 51 | [ 171] U3d0c: tmp2:= BTR_DSZ64(tmp1, 0x00000023) 52 | [ 0] U3d0d: TESTUSTATE( , SYS, UST_SMM) !m1 ? SEQW GOTO U3d16 53 | [ 172] U3d0e: tmp2:= BTC_DSZ64(tmp1, 0x00000023) 54 | [ 172] U3d10: tmp1:= READURAM( , 0x0023, 64) 55 | [ 0] U3d11: tmp1:= AND_DSZ32(0x00000040, tmp1) 56 | [ 173] U3d12: tmp3:= OR_DSZ64(tmp1, tmp3) 57 | [ 173] U3d14: TESTUSTATE( , UCODE, 0x0800) ? SEQW GOTO U3d16 58 | [ 0] U3d15: tmp3:= BTS_DSZ64(tmp3, 0x0000003d) 59 | [ 174] U3d16: tmp3:= OR_DSZ64(tmp2, tmp3) 60 | [ 174] U3d18: tmp3:= XOR_DSZ64(0x00020008, tmp3) 61 | [ 0] U3d19: tmp2:= AND_DSZ32(0x00003fff, tmp10) 62 | [ 0] U0685: NOP 63 | [ 175] U0686: URET(0x00) 64 | [ 175] U3d1a: tmp2:= SHL_DSZ32(tmp2, 0x00000002) SEQW URET0 65 | [ 179] U37b8: tmp2:= SAVEUIP( , 0x00, U3780) 66 | [ 0] U37b9: tmp1:= READURAM( , 0x0010, 64) 67 | [ 180] U37ba: tmp1:= NOTAND_DSZ64(0xffffffff, tmp1) 68 | [ 180] U37bc: tmp1:= NOTAND_DSZ64(tmp2, tmp1) 69 | [ 0] U37bd: tmp1:= AND_DSZ64(tmp5, tmp1) 70 | [ 180] U37be: LFNCEWTMRK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, U2711) SEQW URET0 71 | [ 184] U3780: SAVEUIP( , 0x00, U60d2) 72 | [ 0] U3781: TESTUSTATE( , UCODE, 0x000c) ? SEQW GOTO U3701 73 | [ 186] U3782: SYNCWAIT-> tmp12:= ZEROEXT_DSZ32N(tmp12) !m1 74 | [ 192] U3784: TESTUSTATE( , SYS, 0x4000) !m1 ? SEQW GOTO U3786 75 | [ 0] U3785: tmp12:= PORTIN_DSZ32_ASZ16_SC1(0x0078) !m1,m2 76 | [ 194] U3700: SAVEUIP( , 0x00, U2e2a) 77 | [ 0] U3701: SYNCWAIT-> TESTUSTATE( , UCODE, !0x00e4) !m0 ? 
SEQW URET1 78 | [ 194] U3786: tmp1:= NOTAND_DSZ64(tmp12, tmp5) 79 | [ 194] U3788: LFNCEWTMRK-> UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, U0009) SEQW GOTO U3701 80 | [ 0] U3789: NOP 81 | [ 198] U3246: BTUJB_DIRECT_NOTTAKEN(tmp2, 0x0000000a, U2711) !m0,m1 SEQW GOTO U69d1 82 | [ 199] U3244: tmp2:= SHR_DSZ64(tmp3, 0x0000000f) 83 | [ 0] U3245: tmp2:= NOTAND_DSZ32(tmp2, tmp5) 84 | [ 0] U69d1: tmp1:= SHR_DSZ64(tmp5, 0x00000020) 85 | [ 199] U69d2: tmp3:= MOVEFROMCREG_DSZ64( , 0x573) 86 | [ 201] U69d4: tmp2:= NOTAND_DSZ32(tmp3, 0x00000800) 87 | [ 0] U69d5: tmp1:= OR_DSZ32(tmp2, tmp1) 88 | [ 201] U69d6: TESTUSTATE( , UCODE, 0x0800) ? SEQW GOTO U69e0 89 | [ 205] U69d8: tmp3:= AND_DSZ32(tmp3, tmp5) 90 | [ 0] U69d9: tmp2:= MOVEFROMCREG_DSZ64( , 0x572) 91 | [ 205] U69da: tmp3:= XOR_DSZ32(tmp2, tmp3) 92 | [ 205] U69dc: tmp3:= NOTAND_DSZ32(0x00000fff, tmp3) 93 | [ 0] U69dd: tmp1:= OR_DSZ32(tmp3, tmp1) 94 | [ 205] U69de: UJMPCC_DIRECT_NOTTAKEN_CONDZ(tmp1, U2711) 95 | [ 205] U69e0: tmp1:= MOVEFROMCREG_DSZ64( , 0x575) 96 | [ 0] U69e1: tmp2:= SAVEUIP(tmp5, 0x01, U5919) !m0 SEQW SAVEUIP0 U69e2SEQW GOTO U5918 97 | FUN_ucode_0005918: 98 | [ 207] U5918: tmp3:= SUB_DSZ64(0x00000001) 99 | FUN_ucode_0005919: 100 | [ 0] U5919: SYNCMARK-> BTUJNB_DIRECT_NOTTAKEN(tmp1, 0x0000000a, U304e) !m0,m1,m2 101 | [ 0] U304d: NOP 102 | uret: 103 | [ 231] U304e: URET(0x00) 104 | [ 233] U69e2: tmp1:= AND_DSZ32(0x00000c00, tmp5) 105 | [ 233] U69e6: tmp3:= MOVEFROMCREG_DSZ64( , 0x7bb) 106 | [ 234] U69e4: tmp1:= SHR_DSZ32(tmp1, 0x0000000a) 107 | [ 0] U69e5: CMPUJZ_DIRECT_NOTTAKEN(tmp1, 0x00000001, U2711) !m1 108 | [ 234] U69ea: tmp3:= OR_DSZ32(tmp1, tmp3) 109 | [ 235] U69e8: tmp3:= AND_DSZ32(0x00000c00, tmp3) 110 | [ 0] U69e9: tmp3:= SHR_DSZ32(tmp3, 0x00000008) 111 | [ 236] U69ec: CMPUJZ_DIRECT_NOTTAKEN(tmp3, 0x00000003, U2711) !m0,m1 112 | [ 0] U69ed: CMPUJZ_DIRECT_NOTTAKEN(tmp3, 0x0000000e, U2711) !m0,m1 113 | [ 239] U69ee: MOVETOCREG_DSZ64(tmp5, 0x7bb) !m2 114 | [ 246] U69f0: tmp3:= AND_DSZ32(0x00000800, tmp5) 115 
| [ 0] U69f1: tmp3:= SELECTCC_DSZ32_CONDNZ(tmp3, 0x00020003) 116 | [ 247] U69f2: LFNCEMARK-> MOVETOCREG_DSZ64(tmp3, 0x2d6, 32) !m1,m2 SEQW GOTO U60d2 117 | [ 0] U60d1: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, tmpv2) SEQW URET1 118 | [ 253] U60d2: LFNCEWAIT-> TESTUSTATE( , SYS, 0x8000) !m1 ? SEQW GOTO U320c 119 | [ 268] U320c: unk_256() 120 | [ 0] U320d: tmp2:= ZEROEXT_DSZ32(0x00000503) 121 | [ 269] U320e: LFNCEWAIT-> TESTUSTATE( , UCODE, !0x3000) !m0 ? SEQW GOTO U2e30 122 | uend: 123 | [ 269] U3210: SYNCWAIT-> NOP SEQW UEND0 124 | [ 0] U3211: tmp13:= MOVEFROMCREG_DSZ64( , 0x000) 125 | -------------------------------------------------------------------------------- /bios/ucode_patches/condhwbp.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7c00; 2 | unsigned long hook_address = 0x1ee4; 3 | unsigned long hook_entry = 0x00; 4 | unsigned long ucode_patch[][4] = { 5 | // U7c00: tmp10:= SUB_DSZ64(0x1337, rdi); UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp10, U7c08); tmp10:= SHL_DSZ32(0x00000000, tmp8) 6 | {0xc045374fa9c8, 0x8151087002fa, 0xc0240003ae08, 0x300000c0}, 7 | // U7c04: tmp10:= SELECTCC_DSZ32_CONDNZ(tmp5, tmp10); tmp10:= SELECTCC_DSZ32_CONDNB(tmp12, tmp10); UJMP(, 0x1ee8) 8 | {0x1310003aeb5, 0x330003aebc, 0x815de8780200, 0x300000c0}, 9 | // U7c08: UJMP(, 0x270d); NOP; NOP SEQW LFNCEWAIT, UEND0 10 | {0x15d0d1c0240, 0x0, 0x0, 0x130000f2}, 11 | }; 12 | -------------------------------------------------------------------------------- /bios/ucode_patches/condhwbp.u: -------------------------------------------------------------------------------- 1 | .org 0x7c00 2 | .patch 0x1ee4 3 | .entry 0 4 | 5 | # we can reuse tmp10 since it will be overwritten anyways 6 | tmp10:= SUB_DSZ64(0x1337, rdi) # trigger only if rdi==0x1337 7 | UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp10, ) 8 | 9 | 10 | tmp10:= SHL_DSZ32(0x00000000, tmp8) 11 | tmp10:= SELECTCC_DSZ32_CONDNZ(tmp5, tmp10) 12 | tmp10:= SELECTCC_DSZ32_CONDNB(tmp12, tmp10) 13 | UJMP(, 
0x1ee8) # continue
14 |
15 |
16 | UJMP(, 0x270d) # goto uend
17 | NOP
18 |
--------------------------------------------------------------------------------
/bios/ucode_patches/ctdiv.h:
--------------------------------------------------------------------------------
1 | unsigned long addr = 0x7c00; // matches ".org 0x7c00" in ctdiv.u
2 | unsigned long hook_address = 0x0c40; // matches ".patch 0xc40" in ctdiv.u
3 | unsigned long hook_entry = 0x00; // matches ".entry 0" in ctdiv.u
4 | unsigned long ucode_patch[][4] = { // each row: three micro-op words, then a fourth word that changes only on rows whose comment carries a SEQW (presumably the sequence word)
5 | // U7c00: tmp0 := ZEROEXT_DSZ64(0x0); tmp1 := ZEROEXT_DSZ64(0x0); tmp2 := ZEROEXT_DSZ64(0x3f)
6 | {0x804800030008, 0xc04800031008, 0xc0483f032008, 0x300000c0},
7 | // U7c04: UJMPCC_DIRECT_NOTTAKEN_CONDB(tmp2, U7c14); tmp3:= SHL_DSZ64(tmp1, 0x1); tmp4:= SHR_DSZ64(rax, tmp2)
8 | {0x52147002f2, 0xc06401033231, 0x806500034ca0, 0x300000c0},
9 | // U7c08: tmp4:= AND_DSZ64(tmp4, 0x1); tmp1 := OR_DSZ64(tmp3, tmp4); tmp6 := SUB_DSZ64(rcx, tmp1)
10 | {0xc04401034234, 0x4100031d33, 0x4500036c61, 0x300000c0},
11 | // U7c0c: tmp5:= SELECTCC_DSZ64_CONDB(tmp6, rcx); tmp1 := SUB_DSZ64(tmp5, tmp1); tmp7:= SHL_DSZ64(0x1, tmp2)
12 | {0x7200035876, 0x804500031c75, 0x406401037c88, 0x300000c0},
13 | // U7c10: tmp8:= SELECTCC_DSZ64_CONDB(tmp6, tmp7); tmp0 := OR_DSZ64(tmp0, tmp8); tmp2 := SUB_DSZ64(0x1, tmp2) SEQW GOTO 0x7c04
14 | {0x7200038df6, 0x404100030e30, 0x804501032c88, 0x11fc0480},
15 | // U7c14: rax := ZEROEXT_DSZ64(tmp0); rdx := ZEROEXT_DSZ64(0x0); unk_256() !m1 SEQW LFNCEWAIT, UEND0 (unk_256 and the SEQW are not written in ctdiv.u; presumably appended by the assembler)
16 | {0x804800020030, 0x404800022008, 0x125600000000, 0x130000f2},
17 | };
18 |
--------------------------------------------------------------------------------
/bios/ucode_patches/ctdiv.u:
--------------------------------------------------------------------------------
1 | .org 0x7c00
2 | .patch 0xc40
3 | .entry 0
4 | # NOTE(review): [size] below is the constant 0x3f (63), the index of the top dividend bit, not the byte count named in the prototype; no check for [divisor] == 0 is visible in this patch.
5 | # unsigned long long ctudiv(unsigned long long dividend, unsigned long long divisor, size_t size)
6 | let [dividend] := rax
7 | let [divisor] := rcx
8 | let [size] := 0x3f
9 | # unsigned long long quotient = 0, temp = 0;
10 | let [quotient] := tmp0
11 | let [temp] := 
tmp1
12 | [quotient] := ZEROEXT_DSZ64(0x0)
13 | [temp] := ZEROEXT_DSZ64(0x0)
14 |
15 | let [temp1] := tmp3
16 | let [temp2] := tmp4
17 | let [temp3] := tmp5
18 | let [temp4] := tmp7
19 | let [temp5] := tmp8
20 |
21 | let [cmp] := tmp6
22 |
23 | let [i] := tmp2
24 | [i] := ZEROEXT_DSZ64([size]) # i = [size] = 0x3f (63), the top bit index; the C prototype would compute it as size*8-1
25 | # Loop, one pass per dividend bit from i = 63 down: the only conditional jump tests the counter [i]; operand-dependent choices below use SELECTCC rather than a jump. Whether each micro-op's latency is operand-independent is not shown by this file.
26 |
27 |
28 | UJMPCC_DIRECT_NOTTAKEN_CONDB([i], ) # if (i < 0 ) goto end; -- the jump target is blank in this listing; ctdiv.h shows it as U7c14
29 | [temp1]:= SHL_DSZ64([temp], 0x1) # temp1 = (temp << 1uLL);
30 | [temp2]:= SHR_DSZ64([dividend], [i]) # temp2 = (dividend >> i);
31 | [temp2]:= AND_DSZ64([temp2], 0x1) # temp2 = (temp2 & 1)
32 | [temp] := OR_DSZ64([temp1], [temp2]) # temp = temp1 | temp2;
33 | [cmp] := SUB_DSZ64([divisor], [temp]) # bool cmp = (temp - divisor);
34 | [temp3]:= SELECTCC_DSZ64_CONDB([cmp], [divisor]) # temp3 = (cmp>=0)? divisor : 0;
35 | [temp] := SUB_DSZ64([temp3], [temp]) # temp -= temp3;
36 | [temp4]:= SHL_DSZ64(0x1, [i]) # temp4 = 1uLL << i;
37 | [temp5]:= SELECTCC_DSZ64_CONDB([cmp], [temp4]) # temp5 = (cmp>=0) ? 
temp4 : 0;
38 | [quotient] := OR_DSZ64([quotient], [temp5]) # quotient |= temp5;
39 |
40 | [i] := SUB_DSZ64(0x1, [i]) SEQW GOTO # i-- -- the GOTO target is blank in this listing; ctdiv.h shows it as 0x7c04
41 | # Result: rax receives the quotient; rdx is set to 0 rather than loaded from [temp].
42 |
43 | rax := ZEROEXT_DSZ64([quotient])
44 | rdx := ZEROEXT_DSZ64(0x0)
45 |
--------------------------------------------------------------------------------
/bios/ucode_patches/dump_smm.h:
--------------------------------------------------------------------------------
1 | unsigned long addr = 0x7da0; // matches ".org 0x7da0" in dump_smm.u; no hook_address or hook_entry is defined in this header
2 | unsigned long ucode_patch[][4] = {
3 | // U7da0: tmp1:= MOVEFROMCREG_DSZ64( , 0x573) !m2; tmp2:= ZEROEXT_DSZ64(0x0); MOVETOCREG_DSZ64(tmp2, 0x573) !m2
4 | {0xa06273171200, 0x4800032008, 0xe04273140232, 0x300000c0},
5 | // U7da4: rax:= LDPPHYSTICKLE_DSZ64_ASZ64_SC1(tmp0); rbx:= ZEROEXT_DSZ64(tmp0); rcx:= MOVEFROMCREG_DSZ64( , 0x573) !m2
6 | {0xce6500020030, 0x404800023030, 0xe06273161200, 0x300000c0},
7 | // U7da8: rdx:= ZEROEXT_DSZ64(0x1337); MOVETOCREG_DSZ64(tmp1, 0x573) !m2; unk_256() !m1 SEQW LFNCEWAIT, UEND0 (unk_256 and the SEQW are not written in dump_smm.u; presumably appended by the assembler)
8 | {0x8048374e2008, 0x204273140231, 0x125600000000, 0x130000f2},
9 | };
10 |
--------------------------------------------------------------------------------
/bios/ucode_patches/dump_smm.u:
--------------------------------------------------------------------------------
1 | .org 0x7da0
2 | # Save control register 0x573 in tmp1, then write 0 to it.
3 | tmp1:= MOVEFROMCREG_DSZ64( , 0x573) !m2
4 | tmp2:= ZEROEXT_DSZ64(0x0)
5 | MOVETOCREG_DSZ64(tmp2, 0x573) !m2
6 | # While 0x573 holds 0: rax = 64-bit load addressed by tmp0 (presumably a physical-address load, judging by the mnemonic), rbx = tmp0, rcx = 0x573 read back, rdx = constant 0x1337. NOTE(review): the file name suggests 0x573 gates reads of SMM memory; this listing does not document the register.
7 | rax:= LDPPHYSTICKLE_DSZ64_ASZ64_SC1(tmp0)
8 | rbx:= ZEROEXT_DSZ64(tmp0)
9 | rcx:= MOVEFROMCREG_DSZ64( , 0x573) !m2
10 | rdx:= ZEROEXT_DSZ64(0x1337)
11 | # Write the value saved in tmp1 back to 0x573, so the zeroed setting lasts only for the duration of this patch.
12 | MOVETOCREG_DSZ64(tmp1, 0x573) !m2
--------------------------------------------------------------------------------
/bios/ucode_patches/fastbp.h:
--------------------------------------------------------------------------------
1 | unsigned long addr = 0x7c00;
2 | unsigned long hook_address = 0x0c40;
3 | unsigned long hook_entry = 0x00;
4 | unsigned long ucode_patch[][4] = {
5 | // U7c00: tmp1:= LDSTGBUF_DSZ64_ASZ16_SC1(0xba00); tmp2:= ZEROEXT_DSZ64(0x1); 
tmp0:= ZEROEXT_DSZ64(IMM_MACRO_ALIAS_RIP) !m0 6 | {0x8e75006b100d, 0x404801032008, 0x404804830008, 0x300000c0}, 7 | // U7c04: tmp0:= AND_DSZ64(0xffff, tmp0); tmp2:= LDPPHYS_DSZ8_ASZ64_SC1(tmp1, tmp0); tmp2:= ADD_DSZ64(0x1, tmp2) 8 | {0x4044ff7f0c0f, 0xeea00032c31, 0x804001032c88, 0x300000c0}, 9 | // U7c08: STADPPHYS_DSZ8_ASZ64_SC1(tmp1, tmp0, tmp2); NOP; NOP SEQW LFNCEWAIT, UEND0 10 | {0x8ee800032c31, 0x0, 0x0, 0x130000f2}, 11 | }; 12 | -------------------------------------------------------------------------------- /bios/ucode_patches/fastbp.u: -------------------------------------------------------------------------------- 1 | .org 0x7c00 2 | .patch 0xc40 3 | .entry 0 4 | 5 | tmp1:= LDSTGBUF_DSZ64_ASZ16_SC1(0xba00) 6 | tmp2:= ZEROEXT_DSZ64(0x1) 7 | tmp0:= ZEROEXT_DSZ64(IMM_MACRO_ALIAS_RIP) !m0 8 | tmp0:= AND_DSZ64(0xffff, tmp0) 9 | tmp2:= LDPPHYS_DSZ8_ASZ64_SC1(tmp1, tmp0) 10 | tmp2:= ADD_DSZ64(0x1, tmp2) 11 | STADPPHYS_DSZ8_ASZ64_SC1(tmp1, tmp0, tmp2) 12 | -------------------------------------------------------------------------------- /bios/ucode_patches/get_value_and_resume.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7dd0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7dd0: STADSTGBUF_DSZ64_ASZ16_SC1(0xba40, , r10) !m2; STADSTGBUF_DSZ64_ASZ16_SC1(0xba80, , r11) !m2; STADSTGBUF_DSZ64_ASZ16_SC1(0xbac0, , r12) !m2 4 | {0xee7d406aa00d, 0x6e7d806ab00d, 0xae7dc06ac00d, 0x300000c0}, 5 | // U7dd4: STADSTGBUF_DSZ64_ASZ16_SC1(0xbb00, , r13) !m2; r10:= ZEROEXT_DSZ32(0x00000000); r12:= MOVEFROMCREG_DSZ64( , 0x38c) 6 | {0x6e7d006ed00d, 0x80080002a008, 0x628c0ec200, 0x300000c0}, 7 | // U7dd8: MOVETOCREG_DSZ64(r10, 0x38c) !m2; r13:= ZEROEXT_DSZ32(0x00000303); r13:= SHL_DSZ32(r13, 0x00000008) 8 | {0xe0428c0c022a, 0x8030ed008, 0xc0240802d22d, 0x300000c0}, 9 | // U7ddc: MOVETOCREG_DSZ64(r13, 0x6a1) !m2; MOVETOCREG_DSZ64(r10, 0x6a0) !m2; MOVETOCREG_DSZ64(r10, 0x6a4) !m2 10 | {0x6042a118022d, 0xa042a018022a, 
0xe042a418022a, 0x300000c0}, 11 | // U7de0: MOVETOCREG_DSZ64(r10, 0x6a4) !m2; MOVETOCREG_DSZ64(r10, 0x6a1) !m2; MOVETOCREG_DSZ64(r12, 0x38c) !m2 12 | {0xe042a418022a, 0xe042a118022a, 0x20428c0c022c, 0x300000c0}, 13 | // U7de4: r10:= MOVE_DSZ64(tmp0); STADSTGBUF_DSZ64_ASZ16_SC1(0xba00, , r10) !m2; r10:= MOVE_DSZ64(tmp1) 14 | {0xc0490002a030, 0xae7d006aa00d, 0x80490002a031, 0x300000c0}, 15 | // U7de8: STADSTGBUF_DSZ64_ASZ16_SC1(0xbb40, , r10) !m2; r10:= MOVE_DSZ64(tmp2); STADSTGBUF_DSZ64_ASZ16_SC1(0xbb80, , r10) !m2 16 | {0xae7d406ea00d, 0x40490002a032, 0x6e7d806ea00d, 0x300000c0}, 17 | // U7dec: r10:= MOVE_DSZ64(tmp3); STADSTGBUF_DSZ64_ASZ16_SC1(0xbbc0, , r10) !m2; r10 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba40) !m2 18 | {0x490002a033, 0x2e7dc06ea00d, 0x6e75406aa00d, 0x300000c0}, 19 | // U7df0: r11 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba80) !m2; r12 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbac0) !m2; r13 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbb00) !m2 20 | {0xee75806ab00d, 0x2e75c06ac00d, 0xee75006ed00d, 0x300000c0}, 21 | // U7df4: NOP; unk_256() !m1; NOP SEQW LFNCEWAIT, UEND0 22 | {0x0, 0x125600000000, 0x0, 0x130000f2}, 23 | }; 24 | -------------------------------------------------------------------------------- /bios/ucode_patches/get_value_and_resume.u: -------------------------------------------------------------------------------- 1 | .org 0x7dd0 2 | 3 | # 1) save all the registers to restore them 4 | # NOTICE: assume no one else uses [0xba00, 0xbb00] in the staging buffer (the dump stores in this patch also write 0xbb40, 0xbb80 and 0xbbc0, so the range actually touched extends to 0xbbc0) 5 | 6 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba40, , r10) !m2 7 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba80, , r11) !m2 8 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbac0, , r12) !m2 9 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbb00, , r13) !m2 10 | 11 | # 2) remove the hook in the match&patch assuming it is at 0 12 | 13 | r10:= ZEROEXT_DSZ32(0x00000000) 14 | 15 | # pause frontend 16 | r12:= MOVEFROMCREG_DSZ64( , 0x38c) 17 | MOVETOCREG_DSZ64(r10, 0x38c) !m2 18 | 19 | # write match&patch at location 0 with the value of 0 20 | 21 | r13:= ZEROEXT_DSZ32(0x00000303) 22 | 
r13:= SHL_DSZ32(r13, 0x00000008) 23 | 24 | MOVETOCREG_DSZ64(r13, 0x6a1) !m2 25 | MOVETOCREG_DSZ64(r10, 0x6a0) !m2 26 | 27 | MOVETOCREG_DSZ64(r10, 0x6a4) !m2 28 | MOVETOCREG_DSZ64(r10, 0x6a4) !m2 29 | 30 | MOVETOCREG_DSZ64(r10, 0x6a1) !m2 31 | 32 | # restore frontend 33 | MOVETOCREG_DSZ64(r12, 0x38c) !m2 34 | 35 | #### INSERT HERE THE DUMPING LOGIC TO 0xba00, 0xbb40, 0xbb80, 0xbbc0 ####### 36 | 37 | r10:= MOVE_DSZ64(tmp0) 38 | # # r10:= LDPPHYSTICKLE_DSZ64_ASZ64_SC1(r10) 39 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba00, , r10) !m2 40 | 41 | r10:= MOVE_DSZ64(tmp1) 42 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbb40, , r10) !m2 43 | 44 | r10:= MOVE_DSZ64(tmp2) 45 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbb80, , r10) !m2 46 | 47 | r10:= MOVE_DSZ64(tmp3) 48 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbbc0, , r10) !m2 49 | 50 | ############################################################################ 51 | 52 | 53 | # 3) restore r1 regs 54 | r10 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba40) !m2 55 | r11 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba80) !m2 56 | r12 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbac0) !m2 57 | r13 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbb00) !m2 58 | # 4) finally continue execution, this will have the GOTO addr injected from the C code 59 | NOP -------------------------------------------------------------------------------- /bios/ucode_patches/ldat_read.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp10:= ZEROEXT_DSZ32(0x00000000); tmp11:= ADD_DSZ32(tmp0, 0x00000001); tmp12:= ADD_DSZ32(tmp0, 0x00000002) 4 | {0xc0080003a008, 0x80000103b230, 0xc0000203c230, 0x300000c0}, 5 | // U7da4: tmp9:= MOVEFROMCREG_DSZ64( , 0x38c); MOVETOCREG_DSZ64(tmp10, 0x38c) !m2; tmp13:= MOVEFROMCREG_DSZ64( , tmp11) !m2 6 | {0x40628c0f9200, 0xa0428c0c023a, 0x20620003dec0, 0x300000c0}, 7 | // U7da8: MOVETOCREG_DSZ64(tmp1, tmp11) !m2; MOVETOCREG_DSZ64(tmp2, tmp0) !m2; rax:= MOVEFROMCREG_DSZ64( , tmp12) !m2 8 | {0x604200000ef1, 
0xe04200000c32, 0x606200020f00, 0x300000c0}, 9 | // U7dac: MOVETOCREG_DSZ64(tmp10, tmp11) !m2; MOVETOCREG_DSZ64(tmp9, 0x38c) !m2; unk_256() !m1 SEQW LFNCEWAIT, UEND0 10 | {0x204200000efa, 0x60428c0c0239, 0x125600000000, 0x130000f2}, 11 | }; 12 | -------------------------------------------------------------------------------- /bios/ucode_patches/ldat_read.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | # def ldat_read(tmp0: pdat_reg, tmp1: array_bank_sel, tmp2: addr) 3 | tmp10:= ZEROEXT_DSZ32(0x00000000) 4 | 5 | tmp11:= ADD_DSZ32(tmp0, 0x00000001) 6 | tmp12:= ADD_DSZ32(tmp0, 0x00000002) 7 | 8 | # pause frontend 9 | tmp9:= MOVEFROMCREG_DSZ64( , 0x38c) 10 | MOVETOCREG_DSZ64(tmp10, 0x38c) !m2 11 | 12 | # program the LDAT to read from memory 13 | 14 | # it sometimes hangs, if not reading from PDAT before writing to it 15 | tmp13:= MOVEFROMCREG_DSZ64( , tmp11) !m2 16 | 17 | MOVETOCREG_DSZ64(tmp1, tmp11) !m2 18 | MOVETOCREG_DSZ64(tmp2, tmp0) !m2 19 | 20 | rax:= MOVEFROMCREG_DSZ64( , tmp12) !m2 21 | 22 | MOVETOCREG_DSZ64(tmp10, tmp11) !m2 23 | 24 | # restore frontend 25 | MOVETOCREG_DSZ64(tmp9, 0x38c) !m2 -------------------------------------------------------------------------------- /bios/ucode_patches/match_patch_hook.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp10:= ZEROEXT_DSZ32(0x00000000); tmp12:= MOVEFROMCREG_DSZ64( , 0x38c); MOVETOCREG_DSZ64(tmp10, 0x38c) !m2 4 | {0xc0080003a008, 0x40628c0fc200, 0xa0428c0c023a, 0x300000c0}, 5 | // U7da4: tmp9:= ZEROEXT_DSZ32(0x00000303); tmp9:= SHL_DSZ32(tmp9, 0x00000008); MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 6 | {0x8030f9008, 0xc02408039239, 0x6042a1180239, 0x300000c0}, 7 | // U7da8: MOVETOCREG_DSZ64(tmp1, 0x6a0) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2; MOVETOCREG_DSZ64(tmp10, 0x6a4) !m2 8 | {0xa042a0180231, 0xa042a4180230, 0xa042a418023a, 0x300000c0}, 
9 | // U7dac: MOVETOCREG_DSZ64(tmp10, 0x6a1) !m2; MOVETOCREG_DSZ64(tmp12, 0x38c) !m2; rax:= ZEROEXT_DSZ32(0x00001337) 10 | {0xa042a118023a, 0x60428c0c023c, 0x4008374e0008, 0x300000c0}, 11 | // U7db0: rax:= CONCAT_DSZ32(rax, 0x00001337); unk_256() !m1; NOP SEQW LFNCEWAIT, UEND0 12 | {0x8021374e0220, 0x125600000000, 0x0, 0x130000f2}, 13 | }; 14 | -------------------------------------------------------------------------------- /bios/ucode_patches/match_patch_hook.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | # def hook(tmp0: value, tmp1: addr) 3 | tmp10:= ZEROEXT_DSZ32(0x00000000) 4 | # pause frontend 5 | tmp12:= MOVEFROMCREG_DSZ64( , 0x38c) 6 | MOVETOCREG_DSZ64(tmp10, 0x38c) !m2 7 | 8 | # write match&patch at location tmp1 with the value of tmp0 9 | 10 | tmp9:= ZEROEXT_DSZ32(0x00000303) 11 | tmp9:= SHL_DSZ32(tmp9, 0x00000008) 12 | 13 | MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 14 | MOVETOCREG_DSZ64(tmp1, 0x6a0) !m2 15 | 16 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 17 | MOVETOCREG_DSZ64(tmp10, 0x6a4) !m2 18 | 19 | MOVETOCREG_DSZ64(tmp10, 0x6a1) !m2 20 | 21 | # restore frontend 22 | MOVETOCREG_DSZ64(tmp12, 0x38c) !m2 23 | 24 | rax:= ZEROEXT_DSZ32(0x00001337) 25 | rax:= CONCAT_DSZ32(rax, 0x00001337) -------------------------------------------------------------------------------- /bios/ucode_patches/match_patch_init.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp0:= ZEROEXT_DSZ32(0x00000000); tmp2:= MOVEFROMCREG_DSZ64( , 0x38c); MOVETOCREG_DSZ64(tmp0, 0x38c) !m2 4 | {0xc00800030008, 0x628c0f2200, 0xa0428c0c0230, 0x300000c0}, 5 | // U7da4: tmp3:= ZEROEXT_DSZ32(0x0000003e); tmp4:= ZEROEXT_DSZ32(0x00004589); tmp4:= CONCAT_DSZ16(0x00003efe, tmp4) 6 | {0x80083e033008, 0x40088917400a, 0xc0a1fe7b4d09, 0x300000c0}, 7 | // U7da8: tmp9:= ZEROEXT_DSZ32(0x00000303); tmp9:= SHL_DSZ32(tmp9, 0x00000008); 
MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 8 | {0x8030f9008, 0xc02408039239, 0x6042a1180239, 0x300000c0}, 9 | // U7dac: MOVETOCREG_DSZ64(tmp3, 0x6a0) !m2; MOVETOCREG_DSZ64(tmp4, 0x6a4) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 10 | {0x2042a0180233, 0xe042a4180234, 0xa042a4180230, 0x300000c0}, 11 | // U7db0: MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2; tmp1:= ZEROEXT_DSZ32(0x0000001f); tmp9:= ZEROEXT_DSZ32(0x00000303) 12 | {0xa042a1180230, 0xc0081f031008, 0x8030f9008, 0x300000c0}, 13 | // U7db4: tmp9:= SHL_DSZ32(tmp9, 0x00000008); MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a0) !m2 14 | {0xc02408039239, 0x6042a1180239, 0xe042a0180230, 0x300000c0}, 15 | // U7db8: MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2; tmp1:= SUB_DSZ32(0x00000001, tmp1) 16 | {0xa042a4180230, 0xa042a4180230, 0xc00501031c48, 0x300000c0}, 17 | // U7dbc: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, U7db8); MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2; MOVETOCREG_DSZ64(tmp2, 0x38c) !m2 18 | {0xc151b87402f1, 0xa042a1180230, 0x20428c0c0232, 0x300000c0}, 19 | // U7dc0: rax:= ZEROEXT_DSZ32(0x00001337); rax:= CONCAT_DSZ32(rax, 0x00001337); unk_256() !m1 SEQW LFNCEWAIT, UEND0 20 | {0x4008374e0008, 0x8021374e0220, 0x125600000000, 0x130000f2}, 21 | }; 22 | -------------------------------------------------------------------------------- /bios/ucode_patches/match_patch_init.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | tmp0:= ZEROEXT_DSZ32(0x00000000) 3 | # pause frontend 4 | tmp2:= MOVEFROMCREG_DSZ64( , 0x38c) 5 | MOVETOCREG_DSZ64(tmp0, 0x38c) !m2 6 | 7 | # write match&patch 0x1f, but rewire it to jump to 0x7dfc (0xfe target) 8 | tmp3:= ZEROEXT_DSZ32(0x0000003e) # 0x1f*2 9 | tmp4:= ZEROEXT_DSZ32(0x00004589) 10 | tmp4:= CONCAT_DSZ16(0x00003efe, tmp4) # 0x3efe4589 11 | 12 | tmp9:= ZEROEXT_DSZ32(0x00000303) 13 | tmp9:= SHL_DSZ32(tmp9, 0x00000008) 14 | 15 | MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 16 | MOVETOCREG_DSZ64(tmp3, 0x6a0) !m2 17 | 18 | 
MOVETOCREG_DSZ64(tmp4, 0x6a4) !m2 19 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 20 | 21 | MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2 22 | 23 | # write match&patch [0, 0x1f] 24 | tmp1:= ZEROEXT_DSZ32(0x0000001f) 25 | 26 | tmp9:= ZEROEXT_DSZ32(0x00000303) 27 | tmp9:= SHL_DSZ32(tmp9, 0x00000008) 28 | 29 | 30 | MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 31 | MOVETOCREG_DSZ64(tmp0, 0x6a0) !m2 32 | 33 | 34 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 35 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 36 | tmp1:= SUB_DSZ32(0x00000001, tmp1) 37 | UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, ) 38 | 39 | MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2 40 | 41 | # restore frontend 42 | MOVETOCREG_DSZ64(tmp2, 0x38c) !m2 43 | 44 | rax:= ZEROEXT_DSZ32(0x00001337) 45 | rax:= CONCAT_DSZ32(rax, 0x00001337) -------------------------------------------------------------------------------- /bios/ucode_patches/match_patch_init_glm_new.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp0:= ZEROEXT_DSZ32(0x00000000); tmp1:= ZEROEXT_DSZ32(0x00000020); tmp9:= ZEROEXT_DSZ32(0x00000303) 4 | {0xc00800030008, 0x820031008, 0x8030f9008, 0x300000c0}, 5 | // U7da4: tmp9:= SHL_DSZ32(tmp9, 0x00000008); MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a0) !m2 6 | {0xc02408039239, 0x6042a1180239, 0xe042a0180230, 0x300000c0}, 7 | // U7da8: MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2; MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2; tmp1:= SUB_DSZ32(0x00000001, tmp1) 8 | {0xa042a4180230, 0xa042a4180230, 0xc00501031c48, 0x300000c0}, 9 | // U7dac: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, U7da8); MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2; rax:= ZEROEXT_DSZ32(0x00001337) 10 | {0x8151a87402f1, 0xa042a1180230, 0x4008374e0008, 0x300000c0}, 11 | // U7db0: rax:= CONCAT_DSZ32(rax, 0x00001337); unk_256() !m1; NOP SEQW LFNCEWAIT, UEND0 12 | {0x8021374e0220, 0x125600000000, 0x0, 0x130000f2}, 13 | }; 14 | -------------------------------------------------------------------------------- 
/bios/ucode_patches/match_patch_init_glm_new.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | tmp0:= ZEROEXT_DSZ32(0x00000000) 3 | 4 | # write match&patch [0, 0x20] 5 | tmp1:= ZEROEXT_DSZ32(0x00000020) 6 | 7 | tmp9:= ZEROEXT_DSZ32(0x00000303) 8 | tmp9:= SHL_DSZ32(tmp9, 0x00000008) 9 | 10 | 11 | MOVETOCREG_DSZ64(tmp9, 0x6a1) !m2 12 | MOVETOCREG_DSZ64(tmp0, 0x6a0) !m2 13 | 14 | 15 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 16 | MOVETOCREG_DSZ64(tmp0, 0x6a4) !m2 17 | tmp1:= SUB_DSZ32(0x00000001, tmp1) 18 | UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp1, ) 19 | 20 | MOVETOCREG_DSZ64(tmp0, 0x6a1) !m2 21 | 22 | rax:= ZEROEXT_DSZ32(0x00001337) 23 | rax:= CONCAT_DSZ32(rax, 0x00001337) -------------------------------------------------------------------------------- /bios/ucode_patches/msr2cr_dump.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp1:= ZEROEXT_DSZ64(tmp0); tmp1:= OR_DSZ32(0x00004000, tmp1); tmp2:= ZEROEXT_DSZ64(0x8000) 4 | {0x804800031030, 0x400100031c4a, 0x40480003200c, 0x300000c0}, 5 | // U7da4: tmp2:= CONCAT_DSZ16(0x0001, tmp2); tmp1:= NOTAND_DSZ32(tmp2, tmp1); rax:= MSR2CR( , tmp1) 6 | {0x80a101032c88, 0xc00700031c72, 0x822800020c40, 0x300000c0}, 7 | // U7da8: tmp1:= ZEROEXT_DSZ64(tmp0); tmp2:= ZEROEXT_DSZ64(0xc000); tmp2:= CONCAT_DSZ16(0x0001, tmp2) 8 | {0x804800031030, 0xc0480003200e, 0x80a101032c88, 0x300000c0}, 9 | // U7dac: tmp1:= NOTAND_DSZ32(tmp2, tmp1); rbx:= MSR2CR( , tmp1); tmp1:= ZEROEXT_DSZ64(tmp0) 10 | {0xc00700031c72, 0x422800023c40, 0x804800031030, 0x300000c0}, 11 | // U7db0: tmp1:= OR_DSZ32(0x0000c000, tmp1); rcx:= MSR2CR( , tmp1); tmp1:= ZEROEXT_DSZ64(tmp0) 12 | {0x100031c4e, 0xc22800021c40, 0x804800031030, 0x300000c0}, 13 | // U7db4: tmp2:= ZEROEXT_DSZ64(0x4000); tmp2:= CONCAT_DSZ16(0x0001, tmp2); tmp1:= OR_DSZ32(tmp2, tmp1) 14 | {0x80480003200a, 0x80a101032c88, 0x100031c72, 
0x300000c0}, 15 | // U7db8: rdx:= MSR2CR( , tmp1); unk_256() !m1; NOP SEQW LFNCEWAIT, UEND0 16 | {0x22800022c40, 0x125600000000, 0x0, 0x130000f2}, 17 | }; 18 | -------------------------------------------------------------------------------- /bios/ucode_patches/msr2cr_dump.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | 3 | # def dump(tmp0: msr) 4 | 5 | # get the WR descriptor 6 | tmp1:= ZEROEXT_DSZ64(tmp0) 7 | tmp1:= OR_DSZ32(0x00004000, tmp1) 8 | tmp2:= ZEROEXT_DSZ64(0x8000) 9 | tmp2:= CONCAT_DSZ16(0x0001, tmp2) 10 | tmp1:= NOTAND_DSZ32(tmp2, tmp1) 11 | rax:= MSR2CR( , tmp1) 12 | 13 | # get the RD descriptor 14 | tmp1:= ZEROEXT_DSZ64(tmp0) 15 | tmp2:= ZEROEXT_DSZ64(0xc000) 16 | tmp2:= CONCAT_DSZ16(0x0001, tmp2) 17 | tmp1:= NOTAND_DSZ32(tmp2, tmp1) 18 | rbx:= MSR2CR( , tmp1) 19 | 20 | # get the first param 21 | tmp1:= ZEROEXT_DSZ64(tmp0) 22 | tmp1:= OR_DSZ32(0x0000c000, tmp1) 23 | rcx:= MSR2CR( , tmp1) 24 | 25 | # get the second param 26 | tmp1:= ZEROEXT_DSZ64(tmp0) 27 | tmp2:= ZEROEXT_DSZ64(0x4000) 28 | tmp2:= CONCAT_DSZ16(0x0001, tmp2) 29 | tmp1:= OR_DSZ32(tmp2, tmp1) 30 | rdx:= MSR2CR( , tmp1) -------------------------------------------------------------------------------- /bios/ucode_patches/pac_sign.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7c00; 2 | unsigned long hook_address = 0x0c40; 3 | unsigned long hook_entry = 0x01; 4 | unsigned long ucode_patch[][4] = { 5 | // U7c00: tmp0:= ZEROEXT_DSZ64(0x1122); tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x3344) 6 | {0x804822470008, 0x406410030230, 0x4041444f0270, 0x300000c0}, 7 | // U7c04: tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x5566); tmp0:= SHL_DSZ64(tmp0, 0x10) 8 | {0x406410030230, 0x4041665702b0, 0x406410030230, 0x300000c0}, 9 | // U7c08: tmp0:= OR_DSZ64(tmp0, 0x7788); tmp1 := ZEROEXT_DSZ64(0x6575); tmp1 := XOR_DSZ64(tmp1, tmp0) 10 | {0x8041885f02f0, 0x80487517100b, 
0x404600031c31, 0x300000c0}, 11 | // U7c0c: tmp2 := ZEROEXT_DSZ64(0x6f6d); tmp2 := XOR_DSZ64(tmp2, rcx); tmp3 := ZEROEXT_DSZ64(0x7261) 12 | {0x80486d3f200b, 0x404600032872, 0xc048614b300b, 0x300000c0}, 13 | // U7c10: tmp3 := XOR_DSZ64(tmp3, tmp0); tmp4 := ZEROEXT_DSZ64(0x6573); tmp4 := XOR_DSZ64(tmp4, rcx) 14 | {0x404600033c33, 0x40487317400b, 0x404600034874, 0x300000c0}, 15 | // U7c14: tmp4 := XOR_DSZ64(tmp4, rax); tmp1 := ADD_DSZ64(tmp1, tmp2); tmp3 := ADD_DSZ64(tmp3, tmp4) 16 | {0x4600034834, 0x4000031cb1, 0xc04000033d33, 0x300000c0}, 17 | // U7c18: tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10); tmp2 := XOR_DSZ64(tmp2, tmp1) 18 | {0x6c0d032232, 0xc06c10034234, 0x4600032c72, 0x300000c0}, 19 | // U7c1c: tmp4 := XOR_DSZ64(tmp4, tmp3); tmp1 := ROL_DSZ64(tmp1, 0x20); tmp3 := ADD_DSZ64(tmp3, tmp2) 20 | {0x804600034cf4, 0x6c20031231, 0x4000033cb3, 0x300000c0}, 21 | // U7c20: tmp1 := ADD_DSZ64(tmp1, tmp4); tmp2 := ROL_DSZ64(tmp2, 0x11); tmp4 := ROL_DSZ64(tmp4, 0x15) 22 | {0xc04000031d31, 0x806c11032232, 0xc06c15034234, 0x300000c0}, 23 | // U7c24: tmp2 := XOR_DSZ64(tmp2, tmp3); tmp4 := XOR_DSZ64(tmp4, tmp1); tmp3 := ROL_DSZ64(tmp3, 0x20) 24 | {0x804600032cf2, 0x4600034c74, 0x6c20033233, 0x300000c0}, 25 | // U7c28: tmp1 := XOR_DSZ64(tmp1, rax); tmp3 := XOR_DSZ64(tmp3, 0xff); tmp1 := ADD_DSZ64(tmp1, tmp2) 26 | {0x4600031831, 0x46ff033233, 0x4000031cb1, 0x300000c0}, 27 | // U7c2c: tmp3 := ADD_DSZ64(tmp3, tmp4); tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10) 28 | {0xc04000033d33, 0x6c0d032232, 0xc06c10034234, 0x300000c0}, 29 | // U7c30: tmp2 := XOR_DSZ64(tmp2, tmp1); tmp4 := XOR_DSZ64(tmp4, tmp3); tmp1 := ROL_DSZ64(tmp1, 0x20) 30 | {0x4600032c72, 0x804600034cf4, 0x6c20031231, 0x300000c0}, 31 | // U7c34: tmp3 := ADD_DSZ64(tmp3, tmp2); tmp1 := ADD_DSZ64(tmp1, tmp4); tmp2 := ROL_DSZ64(tmp2, 0x11) 32 | {0x4000033cb3, 0xc04000031d31, 0x806c11032232, 0x300000c0}, 33 | // U7c38: tmp4 := ROL_DSZ64(tmp4, 0x15); tmp2 := XOR_DSZ64(tmp2, tmp3); tmp4 := 
XOR_DSZ64(tmp4, tmp1) 34 | {0xc06c15034234, 0x804600032cf2, 0x4600034c74, 0x300000c0}, 35 | // U7c3c: tmp3 := ROL_DSZ64(tmp3, 0x20); tmp5 := XOR_DSZ64(tmp1, tmp2); tmp5 := XOR_DSZ64(tmp5, tmp3) 36 | {0x6c20033233, 0x804600035cb1, 0x804600035cf5, 0x300000c0}, 37 | // U7c40: tmp5 := XOR_DSZ64(tmp5, tmp4); tmp5 := SHL_DSZ64(tmp5, 0x30); rax := XOR_DSZ64(tmp5, rax) SEQW LFNCEWAIT, UEND0 38 | {0x4600035d35, 0xc06430035235, 0x404600020835, 0x130000f2}, 39 | }; 40 | -------------------------------------------------------------------------------- /bios/ucode_patches/pac_sign.u: -------------------------------------------------------------------------------- 1 | .org 0x7c00 2 | .patch 0xc40 3 | .entry 1 4 | 5 | # pac_sign(ptr: rax, ctx: rcx) -> signed_ptr: rax 6 | # Compute the PAC signature using a single round SipHash algorithm and embed it in the high 16 bits of a ptr 7 | # declare variables 8 | let [key] := tmp0 9 | let [ptr] := rax 10 | let [ctx] := rcx 11 | 12 | let [v0] := tmp1 13 | let [v1] := tmp2 14 | let [v2] := tmp3 15 | let [v3] := tmp4 16 | 17 | let [pac] := tmp5 18 | 19 | # --- initialize --- 20 | # static key for now: a constant embedded in the patch, so it is not secret from anyone who can read the patch 21 | [key] := ZEROEXT_MACRO(0x1122334455667788) 22 | 23 | # v0 = 0x736f6d6570736575 ^ key; NOTE(review): only the low 16 bits of this constant (0x6575) are loaded below, and likewise for v1..v3, so the state differs from the 64-bit values shown in these comments 24 | [v0] := ZEROEXT_DSZ64(0x6575) 25 | [v0] := XOR_DSZ64([v0], [key]) 26 | # v1 = 0x646f72616e646f6d ^ ctx; 27 | [v1] := ZEROEXT_DSZ64(0x6f6d) 28 | [v1] := XOR_DSZ64([v1], [ctx]) 29 | # v2 = 0x6c7967656e657261 ^ key; 30 | [v2] := ZEROEXT_DSZ64(0x7261) 31 | [v2] := XOR_DSZ64([v2], [key]) 32 | # v3 = 0x7465646279746573 ^ ctx; 33 | [v3] := ZEROEXT_DSZ64(0x6573) 34 | [v3] := XOR_DSZ64([v3], [ctx]) 35 | 36 | # --- update --- 37 | # v3 ^= ptr; 38 | [v3] := XOR_DSZ64([v3], [ptr]) 39 | 40 | # v0 += v1; 41 | [v0] := ADD_DSZ64([v0], [v1]) 42 | # v2 += v3; 43 | [v2] := ADD_DSZ64([v2], [v3]) 44 | # v1 = RotateLeft<13>(v1); 45 | [v1] := ROL_DSZ64([v1], 0xd) 46 | # v3 = RotateLeft<16>(v3); 47 | [v3] := ROL_DSZ64([v3], 0x10) 48 | # v1 ^= v0; 49 | [v1] := XOR_DSZ64([v1], 
[v0]) 50 | # v3 ^= v2; 51 | [v3] := XOR_DSZ64([v3], [v2]) 52 | 53 | # v0 = RotateLeft<32>(v0); 54 | [v0] := ROL_DSZ64([v0], 0x20) 55 | 56 | # v2 += v1; 57 | [v2] := ADD_DSZ64([v2], [v1]) 58 | # v0 += v3; 59 | [v0] := ADD_DSZ64([v0], [v3]) 60 | # v1 = RotateLeft<17>(v1); 61 | [v1] := ROL_DSZ64([v1], 0x11) 62 | # v3 = RotateLeft<21>(v3); 63 | [v3] := ROL_DSZ64([v3], 0x15) 64 | # v1 ^= v2; 65 | [v1] := XOR_DSZ64([v1], [v2]) 66 | # v3 ^= v0; 67 | [v3] := XOR_DSZ64([v3], [v0]) 68 | 69 | # v2 = RotateLeft<32>(v2); 70 | [v2] := ROL_DSZ64([v2], 0x20) 71 | 72 | # v0 ^= ptr; 73 | [v0] := XOR_DSZ64([v0], [ptr]) 74 | 75 | # --- finalize --- 76 | # v2 ^= 0xFF; 77 | [v2] := XOR_DSZ64([v2], 0xff) 78 | 79 | # v0 += v1; 80 | [v0] := ADD_DSZ64([v0], [v1]) 81 | # v2 += v3; 82 | [v2] := ADD_DSZ64([v2], [v3]) 83 | # v1 = RotateLeft<13>(v1); 84 | [v1] := ROL_DSZ64([v1], 0xd) 85 | # v3 = RotateLeft<16>(v3); 86 | [v3] := ROL_DSZ64([v3], 0x10) 87 | # v1 ^= v0; 88 | [v1] := XOR_DSZ64([v1], [v0]) 89 | # v3 ^= v2; 90 | [v3] := XOR_DSZ64([v3], [v2]) 91 | 92 | # v0 = RotateLeft<32>(v0); 93 | [v0] := ROL_DSZ64([v0], 0x20) 94 | 95 | # v2 += v1; 96 | [v2] := ADD_DSZ64([v2], [v1]) 97 | # v0 += v3; 98 | [v0] := ADD_DSZ64([v0], [v3]) 99 | # v1 = RotateLeft<17>(v1); 100 | [v1] := ROL_DSZ64([v1], 0x11) 101 | # v3 = RotateLeft<21>(v3); 102 | [v3] := ROL_DSZ64([v3], 0x15) 103 | # v1 ^= v2; 104 | [v1] := XOR_DSZ64([v1], [v2]) 105 | # v3 ^= v0; 106 | [v3] := XOR_DSZ64([v3], [v0]) 107 | 108 | # v2 = RotateLeft<32>(v2); 109 | [v2] := ROL_DSZ64([v2], 0x20) 110 | 111 | [pac] := XOR_DSZ64([v0], [v1]) 112 | [pac] := XOR_DSZ64([pac], [v2]) 113 | [pac] := XOR_DSZ64([pac], [v3]) 114 | 115 | # pac = ((v0 ^ v1) ^ (v2 ^ v3)) << 48; 116 | [pac] := SHL_DSZ64([pac], 0x30) 117 | 118 | # sign ptr 119 | [ptr] := XOR_DSZ64([pac], [ptr]) 120 | -------------------------------------------------------------------------------- /bios/ucode_patches/pac_sign_weak.h: 
-------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7c00; 2 | unsigned long hook_address = 0x0c40; 3 | unsigned long hook_entry = 0x01; 4 | unsigned long ucode_patch[][4] = { 5 | // U7c00: tmp0:= ZEROEXT_DSZ64(0x1122); tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x3344) 6 | {0x804822470008, 0x406410030230, 0x4041444f0270, 0x300000c0}, 7 | // U7c04: tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x5566); tmp0:= SHL_DSZ64(tmp0, 0x10) 8 | {0x406410030230, 0x4041665702b0, 0x406410030230, 0x300000c0}, 9 | // U7c08: tmp0:= OR_DSZ64(tmp0, 0x7788); tmp1 := ZEROEXT_DSZ64(0x6575); tmp1 := XOR_DSZ64(tmp1, tmp0) 10 | {0x8041885f02f0, 0x80487517100b, 0x404600031c31, 0x300000c0}, 11 | // U7c0c: tmp2 := ZEROEXT_DSZ64(0x6f6d); tmp2 := XOR_DSZ64(tmp2, rcx); tmp3 := ZEROEXT_DSZ64(0x7261) 12 | {0x80486d3f200b, 0x404600032872, 0xc048614b300b, 0x300000c0}, 13 | // U7c10: tmp3 := XOR_DSZ64(tmp3, tmp0); tmp4 := ZEROEXT_DSZ64(0x6573); tmp4 := XOR_DSZ64(tmp4, rcx) 14 | {0x404600033c33, 0x40487317400b, 0x404600034874, 0x300000c0}, 15 | // U7c14: tmp4 := XOR_DSZ64(tmp4, rax); tmp1 := ADD_DSZ64(tmp1, tmp2); tmp3 := ADD_DSZ64(tmp3, tmp4) 16 | {0x4600034834, 0x4000031cb1, 0xc04000033d33, 0x300000c0}, 17 | // U7c18: tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10); tmp2 := XOR_DSZ64(tmp2, tmp1) 18 | {0x6c0d032232, 0xc06c10034234, 0x4600032c72, 0x300000c0}, 19 | // U7c1c: tmp4 := XOR_DSZ64(tmp4, tmp3); tmp3 := ROL_DSZ64(tmp3, 0x20); tmp5 := XOR_DSZ64(tmp1, tmp2) 20 | {0x804600034cf4, 0x6c20033233, 0x804600035cb1, 0x300000c0}, 21 | // U7c20: tmp5 := XOR_DSZ64(tmp5, tmp3); tmp5 := XOR_DSZ64(tmp5, tmp4); tmp5 := SHL_DSZ64(tmp5, 0x30) 22 | {0x804600035cf5, 0x4600035d35, 0xc06430035235, 0x300000c0}, 23 | // U7c24: rax := XOR_DSZ64(tmp5, rax); NOP; NOP SEQW LFNCEWAIT, UEND0 24 | {0x404600020835, 0x0, 0x0, 0x130000f2}, 25 | }; 26 | -------------------------------------------------------------------------------- 
/bios/ucode_patches/pac_sign_weak.u: -------------------------------------------------------------------------------- 1 | .org 0x7c00 2 | .patch 0xc40 3 | .entry 1 4 | 5 | # pac_sign(ptr: rax, ctx: rcx) -> signed_ptr: rax 6 | # Compute the PAC signature using a single round SipHash algorithm and embed it in the high 16 bits of a ptr 7 | # --> weaker version with a reduced number of uops to demonstrate PACMAN gadget 1 exploitability: compared with pac_sign.u it stops after the first add/rotate/xor half of the round (plus the v2 rotate) and skips the v0 rotate, the second half, the 'v0 ^= ptr' step and the whole finalization 8 | # declare variables 9 | let [key] := tmp0 10 | let [ptr] := rax 11 | let [ctx] := rcx 12 | 13 | let [v0] := tmp1 14 | let [v1] := tmp2 15 | let [v2] := tmp3 16 | let [v3] := tmp4 17 | 18 | let [pac] := tmp5 19 | 20 | # --- initialize --- 21 | # static key for now: a constant embedded in the patch, so it is not secret from anyone who can read the patch 22 | [key] := ZEROEXT_MACRO(0x1122334455667788) 23 | 24 | # v0 = 0x736f6d6570736575 ^ key; NOTE(review): only the low 16 bits of this constant (0x6575) are loaded below, and likewise for v1..v3, so the state differs from the 64-bit values shown in these comments 25 | [v0] := ZEROEXT_DSZ64(0x6575) 26 | [v0] := XOR_DSZ64([v0], [key]) 27 | # v1 = 0x646f72616e646f6d ^ ctx; 28 | [v1] := ZEROEXT_DSZ64(0x6f6d) 29 | [v1] := XOR_DSZ64([v1], [ctx]) 30 | # v2 = 0x6c7967656e657261 ^ key; 31 | [v2] := ZEROEXT_DSZ64(0x7261) 32 | [v2] := XOR_DSZ64([v2], [key]) 33 | # v3 = 0x7465646279746573 ^ ctx; 34 | [v3] := ZEROEXT_DSZ64(0x6573) 35 | [v3] := XOR_DSZ64([v3], [ctx]) 36 | 37 | # --- update --- 38 | # v3 ^= ptr; 39 | [v3] := XOR_DSZ64([v3], [ptr]) 40 | 41 | # v0 += v1; 42 | [v0] := ADD_DSZ64([v0], [v1]) 43 | # v2 += v3; 44 | [v2] := ADD_DSZ64([v2], [v3]) 45 | # v1 = RotateLeft<13>(v1); 46 | [v1] := ROL_DSZ64([v1], 0xd) 47 | # v3 = RotateLeft<16>(v3); 48 | [v3] := ROL_DSZ64([v3], 0x10) 49 | # v1 ^= v0; 50 | [v1] := XOR_DSZ64([v1], [v0]) 51 | # v3 ^= v2; 52 | [v3] := XOR_DSZ64([v3], [v2]) 53 | 54 | # v2 = RotateLeft<32>(v2); 55 | [v2] := ROL_DSZ64([v2], 0x20) 56 | 57 | [pac] := XOR_DSZ64([v0], [v1]) 58 | [pac] := XOR_DSZ64([pac], [v2]) 59 | [pac] := XOR_DSZ64([pac], [v3]) 60 | 61 | # pac = ((v0 ^ v1) ^ (v2 ^ v3)) << 48; 62 | [pac] := SHL_DSZ64([pac], 0x30) 63 | 64 | # sign ptr: XOR the PAC into rax. NOTE(review): the hash above takes rax as passed in, while pac_verify_weak.h hashes rax with bits 63:48 masked off (tmp7), so sign/verify presumably only round-trip for pointers whose top 16 bits are zero -- TODO confirm 65 | [ptr] := XOR_DSZ64([pac], [ptr]) 66 | 
-------------------------------------------------------------------------------- /bios/ucode_patches/pac_verify.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7d00; 2 | unsigned long hook_address = 0x0a78; 3 | unsigned long hook_entry = 0x02; 4 | unsigned long ucode_patch[][4] = { 5 | // U7d00: tmp0:= ZEROEXT_DSZ64(0x1122); tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x3344) 6 | {0x804822470008, 0x406410030230, 0x4041444f0270, 0x300000c0}, 7 | // U7d04: tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x5566); tmp0:= SHL_DSZ64(tmp0, 0x10) 8 | {0x406410030230, 0x4041665702b0, 0x406410030230, 0x300000c0}, 9 | // U7d08: tmp0:= OR_DSZ64(tmp0, 0x7788); tmp6 := ZEROEXT_DSZ64(0xffff); tmp6 := SHL_DSZ64(tmp6, 0x30) 10 | {0x8041885f02f0, 0x8048ff7f600f, 0xc06430036236, 0x300000c0}, 11 | // U7d0c: tmp7 := NOTAND_DSZ64(tmp6, rax); tmp1 := ZEROEXT_DSZ64(0x6575); tmp1 := XOR_DSZ64(tmp1, tmp0) 12 | {0x4700037836, 0x80487517100b, 0x404600031c31, 0x300000c0}, 13 | // U7d10: tmp2 := ZEROEXT_DSZ64(0x6f6d); tmp2 := XOR_DSZ64(tmp2, rcx); tmp3 := ZEROEXT_DSZ64(0x7261) 14 | {0x80486d3f200b, 0x404600032872, 0xc048614b300b, 0x300000c0}, 15 | // U7d14: tmp3 := XOR_DSZ64(tmp3, tmp0); tmp4 := ZEROEXT_DSZ64(0x6573); tmp4 := XOR_DSZ64(tmp4, rcx) 16 | {0x404600033c33, 0x40487317400b, 0x404600034874, 0x300000c0}, 17 | // U7d18: tmp4 := XOR_DSZ64(tmp4, tmp7); tmp1 := ADD_DSZ64(tmp1, tmp2); tmp3 := ADD_DSZ64(tmp3, tmp4) 18 | {0xc04600034df4, 0x4000031cb1, 0xc04000033d33, 0x300000c0}, 19 | // U7d1c: tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10); tmp2 := XOR_DSZ64(tmp2, tmp1) 20 | {0x6c0d032232, 0xc06c10034234, 0x4600032c72, 0x300000c0}, 21 | // U7d20: tmp4 := XOR_DSZ64(tmp4, tmp3); tmp1 := ROL_DSZ64(tmp1, 0x20); tmp3 := ADD_DSZ64(tmp3, tmp2) 22 | {0x804600034cf4, 0x6c20031231, 0x4000033cb3, 0x300000c0}, 23 | // U7d24: tmp1 := ADD_DSZ64(tmp1, tmp4); tmp2 := ROL_DSZ64(tmp2, 0x11); tmp4 := ROL_DSZ64(tmp4, 0x15) 24 
| {0xc04000031d31, 0x806c11032232, 0xc06c15034234, 0x300000c0}, 25 | // U7d28: tmp2 := XOR_DSZ64(tmp2, tmp3); tmp4 := XOR_DSZ64(tmp4, tmp1); tmp3 := ROL_DSZ64(tmp3, 0x20) 26 | {0x804600032cf2, 0x4600034c74, 0x6c20033233, 0x300000c0}, 27 | // U7d2c: tmp1 := XOR_DSZ64(tmp1, tmp7); tmp3 := XOR_DSZ64(tmp3, 0xff); tmp1 := ADD_DSZ64(tmp1, tmp2) 28 | {0xc04600031df1, 0x46ff033233, 0x4000031cb1, 0x300000c0}, 29 | // U7d30: tmp3 := ADD_DSZ64(tmp3, tmp4); tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10) 30 | {0xc04000033d33, 0x6c0d032232, 0xc06c10034234, 0x300000c0}, 31 | // U7d34: tmp2 := XOR_DSZ64(tmp2, tmp1); tmp4 := XOR_DSZ64(tmp4, tmp3); tmp1 := ROL_DSZ64(tmp1, 0x20) 32 | {0x4600032c72, 0x804600034cf4, 0x6c20031231, 0x300000c0}, 33 | // U7d38: tmp3 := ADD_DSZ64(tmp3, tmp2); tmp1 := ADD_DSZ64(tmp1, tmp4); tmp2 := ROL_DSZ64(tmp2, 0x11) 34 | {0x4000033cb3, 0xc04000031d31, 0x806c11032232, 0x300000c0}, 35 | // U7d3c: tmp4 := ROL_DSZ64(tmp4, 0x15); tmp2 := XOR_DSZ64(tmp2, tmp3); tmp4 := XOR_DSZ64(tmp4, tmp1) 36 | {0xc06c15034234, 0x804600032cf2, 0x4600034c74, 0x300000c0}, 37 | // U7d40: tmp3 := ROL_DSZ64(tmp3, 0x20); tmp5 := XOR_DSZ64(tmp1, tmp2); tmp5 := XOR_DSZ64(tmp5, tmp3) 38 | {0x6c20033233, 0x804600035cb1, 0x804600035cf5, 0x300000c0}, 39 | // U7d44: tmp5 := XOR_DSZ64(tmp5, tmp4); tmp5 := SHL_DSZ64(tmp5, 0x30); rax := XOR_DSZ64(tmp5, rax) SEQW LFNCEWAIT, UEND0 40 | {0x4600035d35, 0xc06430035235, 0x404600020835, 0x130000f2}, 41 | }; 42 | -------------------------------------------------------------------------------- /bios/ucode_patches/pac_verify.u: -------------------------------------------------------------------------------- 1 | .org 0x7d00 2 | .patch 0xa78 3 | .entry 2 4 | 5 | # pac_auth(signed_ptr: rax, ctx: rcx) -> ptr: rax 6 | # Verify the PAC signature matches given a signed pointer and a context. There is no explicit compare or fault in this patch: the PAC is recomputed over the pointer with bits 63:48 masked off and XORed back into rax, so the top 16 bits come out zero only when the signature matches (NOTE(review): rejection of a mismatch presumably relies on the result being a non-canonical address -- confirm) 7 | # declare variables 8 | let [key] := tmp0 9 | let [ptr] := rax 10 | let [ctx] := rcx 11 | 12 | let [v0] := tmp1 13 | let [v1] := tmp2 14 | let [v2] := 
tmp3 15 | let [v3] := tmp4 16 | let [mask] := tmp6 17 | let [low_ptr] := tmp7 18 | 19 | let [pac] := tmp5 20 | 21 | # --- initialize --- 22 | # static key for now 23 | [key] := ZEROEXT_MACRO(0x1122334455667788) 24 | 25 | [mask] := ZEROEXT_DSZ64(0xffff) 26 | [mask] := SHL_DSZ64([mask], 0x30) 27 | [low_ptr] := NOTAND_DSZ64([mask], [ptr]) 28 | 29 | # v0 = 0x736f6d6570736575 ^ key; 30 | [v0] := ZEROEXT_DSZ64(0x6575) 31 | [v0] := XOR_DSZ64([v0], [key]) 32 | # v1 = 0x646f72616e646f6d ^ ctx; 33 | [v1] := ZEROEXT_DSZ64(0x6f6d) 34 | [v1] := XOR_DSZ64([v1], [ctx]) 35 | # v2 = 0x6c7967656e657261 ^ key; 36 | [v2] := ZEROEXT_DSZ64(0x7261) 37 | [v2] := XOR_DSZ64([v2], [key]) 38 | # v3 = 0x7465646279746573 ^ ctx; 39 | [v3] := ZEROEXT_DSZ64(0x6573) 40 | [v3] := XOR_DSZ64([v3], [ctx]) 41 | 42 | # --- update --- 43 | # v3 ^= ptr; 44 | [v3] := XOR_DSZ64([v3], [low_ptr]) 45 | 46 | # v0 += v1; 47 | [v0] := ADD_DSZ64([v0], [v1]) 48 | # v2 += v3; 49 | [v2] := ADD_DSZ64([v2], [v3]) 50 | # v1 = RotateLeft<13>(v1); 51 | [v1] := ROL_DSZ64([v1], 0xd) 52 | # v3 = RotateLeft<16>(v3); 53 | [v3] := ROL_DSZ64([v3], 0x10) 54 | # v1 ^= v0; 55 | [v1] := XOR_DSZ64([v1], [v0]) 56 | # v3 ^= v2; 57 | [v3] := XOR_DSZ64([v3], [v2]) 58 | 59 | # v0 = RotateLeft<32>(v0); 60 | [v0] := ROL_DSZ64([v0], 0x20) 61 | 62 | # v2 += v1; 63 | [v2] := ADD_DSZ64([v2], [v1]) 64 | # v0 += v3; 65 | [v0] := ADD_DSZ64([v0], [v3]) 66 | # v1 = RotateLeft<17>(v1); 67 | [v1] := ROL_DSZ64([v1], 0x11) 68 | # v3 = RotateLeft<21>(v3); 69 | [v3] := ROL_DSZ64([v3], 0x15) 70 | # v1 ^= v2; 71 | [v1] := XOR_DSZ64([v1], [v2]) 72 | # v3 ^= v0; 73 | [v3] := XOR_DSZ64([v3], [v0]) 74 | 75 | # v2 = RotateLeft<32>(v2); 76 | [v2] := ROL_DSZ64([v2], 0x20) 77 | 78 | # v0 ^= ptr; 79 | [v0] := XOR_DSZ64([v0], [low_ptr]) 80 | 81 | # --- finalize --- 82 | # v2 ^= 0xFF; 83 | [v2] := XOR_DSZ64([v2], 0xff) 84 | 85 | # v0 += v1; 86 | [v0] := ADD_DSZ64([v0], [v1]) 87 | # v2 += v3; 88 | [v2] := ADD_DSZ64([v2], [v3]) 89 | # v1 = RotateLeft<13>(v1); 90 | [v1] 
:= ROL_DSZ64([v1], 0xd) 91 | # v3 = RotateLeft<16>(v3); 92 | [v3] := ROL_DSZ64([v3], 0x10) 93 | # v1 ^= v0; 94 | [v1] := XOR_DSZ64([v1], [v0]) 95 | # v3 ^= v2; 96 | [v3] := XOR_DSZ64([v3], [v2]) 97 | 98 | # v0 = RotateLeft<32>(v0); 99 | [v0] := ROL_DSZ64([v0], 0x20) 100 | 101 | # v2 += v1; 102 | [v2] := ADD_DSZ64([v2], [v1]) 103 | # v0 += v3; 104 | [v0] := ADD_DSZ64([v0], [v3]) 105 | # v1 = RotateLeft<17>(v1); 106 | [v1] := ROL_DSZ64([v1], 0x11) 107 | # v3 = RotateLeft<21>(v3); 108 | [v3] := ROL_DSZ64([v3], 0x15) 109 | # v1 ^= v2; 110 | [v1] := XOR_DSZ64([v1], [v2]) 111 | # v3 ^= v0; 112 | [v3] := XOR_DSZ64([v3], [v0]) 113 | 114 | # v2 = RotateLeft<32>(v2); 115 | [v2] := ROL_DSZ64([v2], 0x20) 116 | 117 | [pac] := XOR_DSZ64([v0], [v1]) 118 | [pac] := XOR_DSZ64([pac], [v2]) 119 | [pac] := XOR_DSZ64([pac], [v3]) 120 | 121 | # return ((v0 ^ v1) ^ (v2 ^ v3)) << 48; 122 | [pac] := SHL_DSZ64([pac], 0x30) 123 | 124 | # auth ptr 125 | [ptr] := XOR_DSZ64([pac], [ptr]) 126 | -------------------------------------------------------------------------------- /bios/ucode_patches/pac_verify_weak.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7d00; 2 | unsigned long hook_address = 0x0a78; 3 | unsigned long hook_entry = 0x02; 4 | unsigned long ucode_patch[][4] = { 5 | // U7d00: tmp0:= ZEROEXT_DSZ64(0x1122); tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x3344) 6 | {0x804822470008, 0x406410030230, 0x4041444f0270, 0x300000c0}, 7 | // U7d04: tmp0:= SHL_DSZ64(tmp0, 0x10); tmp0:= OR_DSZ64(tmp0, 0x5566); tmp0:= SHL_DSZ64(tmp0, 0x10) 8 | {0x406410030230, 0x4041665702b0, 0x406410030230, 0x300000c0}, 9 | // U7d08: tmp0:= OR_DSZ64(tmp0, 0x7788); tmp6 := ZEROEXT_DSZ64(0xffff); tmp6 := SHL_DSZ64(tmp6, 0x30) 10 | {0x8041885f02f0, 0x8048ff7f600f, 0xc06430036236, 0x300000c0}, 11 | // U7d0c: tmp7 := NOTAND_DSZ64(tmp6, rax); tmp1 := ZEROEXT_DSZ64(0x6575); tmp1 := XOR_DSZ64(tmp1, tmp0) 12 | {0x4700037836, 0x80487517100b, 
0x404600031c31, 0x300000c0}, 13 | // U7d10: tmp2 := ZEROEXT_DSZ64(0x6f6d); tmp2 := XOR_DSZ64(tmp2, rcx); tmp3 := ZEROEXT_DSZ64(0x7261) 14 | {0x80486d3f200b, 0x404600032872, 0xc048614b300b, 0x300000c0}, 15 | // U7d14: tmp3 := XOR_DSZ64(tmp3, tmp0); tmp4 := ZEROEXT_DSZ64(0x6573); tmp4 := XOR_DSZ64(tmp4, rcx) 16 | {0x404600033c33, 0x40487317400b, 0x404600034874, 0x300000c0}, 17 | // U7d18: tmp4 := XOR_DSZ64(tmp4, tmp7); tmp1 := ADD_DSZ64(tmp1, tmp2); tmp3 := ADD_DSZ64(tmp3, tmp4) 18 | {0xc04600034df4, 0x4000031cb1, 0xc04000033d33, 0x300000c0}, 19 | // U7d1c: tmp2 := ROL_DSZ64(tmp2, 0xd); tmp4 := ROL_DSZ64(tmp4, 0x10); tmp2 := XOR_DSZ64(tmp2, tmp1) 20 | {0x6c0d032232, 0xc06c10034234, 0x4600032c72, 0x300000c0}, 21 | // U7d20: tmp4 := XOR_DSZ64(tmp4, tmp3); tmp3 := ROL_DSZ64(tmp3, 0x20); tmp5 := XOR_DSZ64(tmp1, tmp2) 22 | {0x804600034cf4, 0x6c20033233, 0x804600035cb1, 0x300000c0}, 23 | // U7d24: tmp5 := XOR_DSZ64(tmp5, tmp3); tmp5 := XOR_DSZ64(tmp5, tmp4); tmp5 := SHL_DSZ64(tmp5, 0x30) 24 | {0x804600035cf5, 0x4600035d35, 0xc06430035235, 0x300000c0}, 25 | // U7d28: rax := XOR_DSZ64(tmp5, rax); NOP; NOP SEQW LFNCEWAIT, UEND0 26 | {0x404600020835, 0x0, 0x0, 0x130000f2}, 27 | }; 28 | -------------------------------------------------------------------------------- /bios/ucode_patches/pac_verify_weak.u: -------------------------------------------------------------------------------- 1 | .org 0x7d00 2 | .patch 0xa78 3 | .entry 2 4 | 5 | # pac_auth(signed_ptr: rax, ctx: rcx) -> ptr: rax 6 | # Verify the PAC signature matches given a signed pointer and a context 7 | # --> weaker version with a reduced number of uops to demonstrate PACMAN gadget 1 exploitability: the update round is cut short and the finalize step is dropped, so this variant is for the demonstration only and is not a usable MAC 8 | # declare variables 9 | let [key] := tmp0 10 | let [ptr] := rax 11 | let [ctx] := rcx 12 | 13 | let [v0] := tmp1 14 | let [v1] := tmp2 15 | let [v2] := tmp3 16 | let [v3] := tmp4 17 | let [mask] := tmp6 18 | let [low_ptr] := tmp7 19 | 20 | let [pac] := tmp5 21 | 22 | # --- initialize --- 23 | # static key for now; NOTE(review): the key is a constant embedded in the patch, so it gives no secrecy against anyone who can read the patch -- demo only 24 | 
[key] := ZEROEXT_MACRO(0x1122334455667788) 25 | 26 | [mask] := ZEROEXT_DSZ64(0xffff) 27 | [mask] := SHL_DSZ64([mask], 0x30) 28 | [low_ptr] := NOTAND_DSZ64([mask], [ptr]) 29 | 30 | # v0 = 0x736f6d6570736575 ^ key; (NOTE(review): the code below loads only the low 16 bits, 0x6575, of this constant; likewise for v1-v3 -- confirm the truncation is intended) 31 | [v0] := ZEROEXT_DSZ64(0x6575) 32 | [v0] := XOR_DSZ64([v0], [key]) 33 | # v1 = 0x646f72616e646f6d ^ ctx; 34 | [v1] := ZEROEXT_DSZ64(0x6f6d) 35 | [v1] := XOR_DSZ64([v1], [ctx]) 36 | # v2 = 0x6c7967656e657261 ^ key; 37 | [v2] := ZEROEXT_DSZ64(0x7261) 38 | [v2] := XOR_DSZ64([v2], [key]) 39 | # v3 = 0x7465646279746573 ^ ctx; 40 | [v3] := ZEROEXT_DSZ64(0x6573) 41 | [v3] := XOR_DSZ64([v3], [ctx]) 42 | 43 | # --- update --- 44 | # v3 ^= ptr; (the code uses low_ptr, i.e. the pointer without its top 16 bits) 45 | [v3] := XOR_DSZ64([v3], [low_ptr]) 46 | 47 | # v0 += v1; 48 | [v0] := ADD_DSZ64([v0], [v1]) 49 | # v2 += v3; 50 | [v2] := ADD_DSZ64([v2], [v3]) 51 | # v1 = RotateLeft<13>(v1); 52 | [v1] := ROL_DSZ64([v1], 0xd) 53 | # v3 = RotateLeft<16>(v3); 54 | [v3] := ROL_DSZ64([v3], 0x10) 55 | # v1 ^= v0; 56 | [v1] := XOR_DSZ64([v1], [v0]) 57 | # v3 ^= v2; 58 | [v3] := XOR_DSZ64([v3], [v2]) 59 | 60 | # v2 = RotateLeft<32>(v2); 61 | [v2] := ROL_DSZ64([v2], 0x20) 62 | 63 | [pac] := XOR_DSZ64([v0], [v1]) 64 | [pac] := XOR_DSZ64([pac], [v2]) 65 | [pac] := XOR_DSZ64([pac], [v3]) 66 | 67 | # return ((v0 ^ v1) ^ (v2 ^ v3)) << 48; (only the low 16 bits of the XOR survive the shift and form the PAC) 68 | [pac] := SHL_DSZ64([pac], 0x30) 69 | 70 | # auth ptr: XOR the recomputed PAC into the top 16 bits of rax 71 | [ptr] := XOR_DSZ64([pac], [ptr]) 72 | -------------------------------------------------------------------------------- /bios/ucode_patches/time_access_hook.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7da0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7da0: tmp2:= ZEROEXT_DSZ64(0x40); LBSYNC(0x0); rax:= MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2 4 | {0x404840032008, 0xcfef00000008, 0x3062d70a0200, 0x300000c0}, 5 | // U7da4: tmp1:= LDPPHYSTICKLE_DSZ64_ASZ64_SC1(tmp0); tmp0:= ADD_DSZ64(tmp0, 0x40); tmp2:= SUB_DSZ64(0x1, tmp2) 6 | {0xce6500031030, 0x804040030230, 0x804501032c88, 0x300000c0}, 
7 | // U7da8: UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp2, U7da4); rbx:= MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2; unk_256() !m1 SEQW LFNCEWAIT, UEND0 8 | {0x8151a47402f2, 0xf062d70a3200, 0x125600000000, 0x130000f2}, 9 | }; 10 | -------------------------------------------------------------------------------- /bios/ucode_patches/time_access_hook.u: -------------------------------------------------------------------------------- 1 | .org 0x7da0 2 | # def time_access(tmp0: addr) -> rax, rbx: values of creg 0x2d7 read before and after the load loop (presumably a clock -- NOTE(review): confirm); the loop issues LDPPHYSTICKLE loads from tmp0 in 0x40-byte steps, with tmp2 initialised to 0x40 as the loop counter 3 | 4 | tmp2:= ZEROEXT_DSZ64(0x40) 5 | LBSYNC(0x0) 6 | rax:= MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2 7 | 8 | 9 | tmp1:= LDPPHYSTICKLE_DSZ64_ASZ64_SC1(tmp0) 10 | tmp0:= ADD_DSZ64(tmp0, 0x40) 11 | tmp2:= SUB_DSZ64(0x1, tmp2) 12 | UJMPCC_DIRECT_NOTTAKEN_CONDNZ(tmp2, ) 13 | 14 | rbx:= MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2 -------------------------------------------------------------------------------- /bios/ucode_patches/trace_and_resume.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7dd0; 2 | unsigned long ucode_patch[][4] = { 3 | // U7dd0: STADSTGBUF_DSZ64_ASZ16_SC1(0xba40, , r10) !m2; STADSTGBUF_DSZ64_ASZ16_SC1(0xba80, , r11) !m2; STADSTGBUF_DSZ64_ASZ16_SC1(0xbac0, , r12) !m2 4 | {0xee7d406aa00d, 0x6e7d806ab00d, 0xae7dc06ac00d, 0x300000c0}, 5 | // U7dd4: STADSTGBUF_DSZ64_ASZ16_SC1(0xbb00, , r13) !m2; r10:= ZEROEXT_DSZ32(0x00000000); r12:= MOVEFROMCREG_DSZ64( , 0x38c) 6 | {0x6e7d006ed00d, 0x80080002a008, 0x628c0ec200, 0x300000c0}, 7 | // U7dd8: MOVETOCREG_DSZ64(r10, 0x38c) !m2; r13:= ZEROEXT_DSZ32(0x00000303); r13:= SHL_DSZ32(r13, 0x00000008) 8 | {0xe0428c0c022a, 0x8030ed008, 0xc0240802d22d, 0x300000c0}, 9 | // U7ddc: MOVETOCREG_DSZ64(r13, 0x6a1) !m2; MOVETOCREG_DSZ64(r10, 0x6a0) !m2; MOVETOCREG_DSZ64(r10, 0x6a4) !m2 10 | {0x6042a118022d, 0xa042a018022a, 0xe042a418022a, 0x300000c0}, 11 | // U7de0: MOVETOCREG_DSZ64(r10, 0x6a4) !m2; MOVETOCREG_DSZ64(r10, 0x6a1) !m2; MOVETOCREG_DSZ64(r12, 0x38c) !m2 12 | {0xe042a418022a, 0xe042a118022a, 0x20428c0c022c, 
0x300000c0}, 13 | // U7de4: r10:= MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2; STADSTGBUF_DSZ64_ASZ16_SC1(0xba00, , r10) !m2; r10 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba40) !m2 14 | {0x3062d70aa200, 0xae7d006aa00d, 0x6e75406aa00d, 0x300000c0}, 15 | // U7de8: r11 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba80) !m2; r12 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbac0) !m2; r13 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbb00) !m2 16 | {0xee75806ab00d, 0x2e75c06ac00d, 0xee75006ed00d, 0x300000c0}, 17 | // U7dec: NOP; unk_256() !m1; NOP SEQW LFNCEWAIT, UEND0 18 | {0x0, 0x125600000000, 0x0, 0x130000f2}, 19 | }; 20 | -------------------------------------------------------------------------------- /bios/ucode_patches/trace_and_resume.u: -------------------------------------------------------------------------------- 1 | .org 0x7dd0 2 | 3 | # 1) save r10-r13 to the staging buffer so they can be restored in step 3 4 | # NOTICE: assume no one else uses [0xba00, 0xbb00] in the staging buffer 5 | 6 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba40, , r10) !m2 7 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba80, , r11) !m2 8 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbac0, , r12) !m2 9 | STADSTGBUF_DSZ64_ASZ16_SC1(0xbb00, , r13) !m2 10 | 11 | # 2) remove the hook in the match&patch assuming it is at 0 12 | 13 | r10:= ZEROEXT_DSZ32(0x00000000) 14 | 15 | # pause frontend 16 | r12:= MOVEFROMCREG_DSZ64( , 0x38c) 17 | MOVETOCREG_DSZ64(r10, 0x38c) !m2 18 | 19 | # write match&patch at location 0 with the value of 0 20 | 21 | r13:= ZEROEXT_DSZ32(0x00000303) 22 | r13:= SHL_DSZ32(r13, 0x00000008) 23 | 24 | MOVETOCREG_DSZ64(r13, 0x6a1) !m2 25 | MOVETOCREG_DSZ64(r10, 0x6a0) !m2 26 | 27 | MOVETOCREG_DSZ64(r10, 0x6a4) !m2 28 | MOVETOCREG_DSZ64(r10, 0x6a4) !m2 29 | 30 | MOVETOCREG_DSZ64(r10, 0x6a1) !m2 31 | 32 | # restore frontend 33 | MOVETOCREG_DSZ64(r12, 0x38c) !m2 34 | 35 | # # increment tracing location 36 | # r10 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba00) !m2 37 | # r10 := ADD_DSZ64(r10, 0x1) 38 | # STADSTGBUF_DSZ64_ASZ16_SC1(0xba00, , r10) !m2 39 | 40 | # write clock value to tracing location 41 | r10:= 
MOVEFROMCREG_DSZ64( , 0x2d7) !m1,m2 42 | STADSTGBUF_DSZ64_ASZ16_SC1(0xba00, , r10) !m2 43 | 44 | # 3) restore r10-r13 from the staging buffer slots written in step 1 45 | r10 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba40) !m2 46 | r11 := LDSTGBUF_DSZ64_ASZ16_SC1(0xba80) !m2 47 | r12 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbac0) !m2 48 | r13 := LDSTGBUF_DSZ64_ASZ16_SC1(0xbb00) !m2 49 | # 4) finally continue execution, this will have the GOTO addr injected from the C code 50 | NOP -------------------------------------------------------------------------------- /bios/ucode_patches/ucode_patch.h: -------------------------------------------------------------------------------- 1 | unsigned long addr = 0x7c00; 2 | unsigned long ucode_patch[][4] = { 3 | // U7c00: rax:= ZEROEXT_DSZ32(0x00001337), rbx:= ZEROEXT_DSZ32(0x00001337), rcx:= ZEROEXT_DSZ32(0x00001337), SEQ_NOP 4 | {0x4008374e0008, 0x8008374e3008, 0x8374e1008, 0x300000c0}, 5 | // U7c04: rdx:= ZEROEXT_DSZ32(0x00001337), unk_256() !m1, NOP, SEQ_END 6 | {0xc008374e2008, 0x125600000000, 0x0, 0x130000f2}, 7 | }; 8 | -------------------------------------------------------------------------------- /bios/ucode_patches/ucode_patch.u: -------------------------------------------------------------------------------- 1 | .org 0x7c00 2 | 3 | rax:= ZEROEXT_DSZ32(0x00001337) 4 | rbx:= ZEROEXT_DSZ32(0x00001337) 5 | rcx:= ZEROEXT_DSZ32(0x00001337) 6 | rdx:= ZEROEXT_DSZ32(0x00001337) 7 | -------------------------------------------------------------------------------- /ghidra-processor-module/.gitattributes: -------------------------------------------------------------------------------- 1 | * linguist-vendored 2 | *.xml linguist-vendored=false -------------------------------------------------------------------------------- /ghidra-processor-module/.gitignore: -------------------------------------------------------------------------------- 1 | ### Eclipse ### 2 | 3 | .metadata 4 | bin/ 5 | tmp/ 6 | *.tmp 7 | *.bak 8 | *.swp 9 | *~.nib 10 | local.properties 11 | .settings/ 12 | .loadpath 13 | 
.recommenders 14 | 15 | # External tool builders 16 | .externalToolBuilders/ 17 | 18 | # Locally stored "Eclipse launch configurations" 19 | *.launch 20 | 21 | # PyDev specific (Python IDE for Eclipse) 22 | *.pydevproject 23 | 24 | # CDT-specific (C/C++ Development Tooling) 25 | .cproject 26 | 27 | # CDT- autotools 28 | .autotools 29 | 30 | # Java annotation processor (APT) 31 | .factorypath 32 | 33 | # PDT-specific (PHP Development Tools) 34 | .buildpath 35 | 36 | # sbteclipse plugin 37 | .target 38 | 39 | # Tern plugin 40 | .tern-project 41 | 42 | # TeXlipse plugin 43 | .texlipse 44 | 45 | # STS (Spring Tool Suite) 46 | .springBeans 47 | 48 | # Code Recommenders 49 | .recommenders/ 50 | 51 | # Annotation Processing 52 | .apt_generated/ 53 | 54 | # Scala IDE specific (Scala & Java development for Eclipse) 55 | .cache-main 56 | .scala_dependencies 57 | .worksheet 58 | 59 | ### Eclipse Patch ### 60 | # Eclipse Core 61 | .project 62 | 63 | # JDT-specific (Eclipse Java Development Tools) 64 | .classpath 65 | 66 | # Annotation Processing 67 | .apt_generated 68 | 69 | .sts4-cache/ 70 | 71 | ### Java ### 72 | # Compiled class file 73 | *.class 74 | 75 | # Log file 76 | *.log 77 | 78 | # BlueJ files 79 | *.ctxt 80 | 81 | # Mobile Tools for Java (J2ME) 82 | .mtj.tmp/ 83 | 84 | # Package Files # 85 | *.jar 86 | *.war 87 | *.nar 88 | *.ear 89 | *.zip 90 | *.tar.gz 91 | *.rar 92 | 93 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 94 | hs_err_pid* 95 | 96 | ### Linux ### 97 | *~ 98 | 99 | # temporary files which can be created if a process still has a handle open of a deleted file 100 | .fuse_hidden* 101 | 102 | # KDE directory preferences 103 | .directory 104 | 105 | # Linux trash folder which might appear on any partition or disk 106 | .Trash-* 107 | 108 | # .nfs files are created when an open file is removed but is still being accessed 109 | .nfs* 110 | 111 | ### OSX ### 112 | # General 113 | .DS_Store 114 | .AppleDouble 115 | 
.LSOverride 116 | 117 | # Icon must end with two \r 118 | Icon 119 | 120 | # Thumbnails 121 | ._* 122 | 123 | # Files that might appear in the root of a volume 124 | .DocumentRevisions-V100 125 | .fseventsd 126 | .Spotlight-V100 127 | .TemporaryItems 128 | .Trashes 129 | .VolumeIcon.icns 130 | .com.apple.timemachine.donotpresent 131 | 132 | # Directories potentially created on remote AFP share 133 | .AppleDB 134 | .AppleDesktop 135 | Network Trash Folder 136 | Temporary Items 137 | .apdisk 138 | 139 | ### Windows ### 140 | # Windows thumbnail cache files 141 | Thumbs.db 142 | ehthumbs.db 143 | ehthumbs_vista.db 144 | 145 | # Dump file 146 | *.stackdump 147 | 148 | # Folder config file 149 | [Dd]esktop.ini 150 | 151 | # Recycle Bin used on file shares 152 | $RECYCLE.BIN/ 153 | 154 | # Windows Installer files 155 | *.cab 156 | *.msi 157 | *.msix 158 | *.msm 159 | *.msp 160 | 161 | # Windows shortcuts 162 | *.lnk 163 | 164 | ### Gradle ### 165 | .gradle 166 | build/ 167 | 168 | # Ignore Gradle GUI config 169 | gradle-app.setting 170 | 171 | # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored) 172 | !gradle-wrapper.jar 173 | 174 | # Cache of project 175 | .gradletasknamecache 176 | 177 | # # Work around https://youtrack.jetbrains.com/issue/IDEA-116898 178 | # gradle/wrapper/gradle-wrapper.properties 179 | 180 | ### Gradle Patch ### 181 | **/build/ 182 | 183 | # Ghidra stuffs 184 | .antProperties.xml 185 | *.sla 186 | 187 | data/testing/*_fw.bin 188 | data/testing/*_fw.h -------------------------------------------------------------------------------- /ghidra-processor-module/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Pietro Borrello 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without 
limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /ghidra-processor-module/Module.manifest: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ghidra-processor-module/Module.manifest -------------------------------------------------------------------------------- /ghidra-processor-module/README.md: -------------------------------------------------------------------------------- 1 | # Intel Atom Microcode - Ghidra Processor Module 2 | 3 | [![DOI](https://zenodo.org/badge/376316556.svg)](https://zenodo.org/badge/latestdoi/376316556) 4 | 5 | Ghidra Processor Module to disassemble and decompile the x86 Intel Atom microcode provided in [chip-red-pill/uCodeDisasm](https://github.com/chip-red-pill/uCodeDisasm). 6 | 7 | 8 | 9 | ## Install and Run 10 | This module has been tested on Ghidra from `9.2` to `10.1.5`. 11 | 12 | 1. Clone this repo in `/Ghidra/Processors/` 13 | 2. 
`git clone https://github.com/chip-red-pill/uCodeDisasm` and copy `lib/txt2ghidra.py` from this repo to the `uCodeDisasm` folder. 14 | 3. Run `./txt2ghidra.py ../ucode/`, which will produce a `glm.ucode` binary file (or whatever is specified by the `-o ` option). `../ucode/` must be the folder that contains the dumps `ms_array0.txt, ms_array1.txt, ms_array0.txt` 15 | 4. Run Ghidra and load `glm.ucode` selecting `x86ucode` as Language for the binary as shown in the screenshot: 16 | 17 | 18 | 19 | 20 | 21 | ## Details 22 | 23 | From [chip-red-pill/uCodeDisasm](https://github.com/chip-red-pill/uCodeDisasm): 24 | > The microcode of the Intel Atom CPUs consists from two large chunks of data – Microcode Triads and Sequence Words. These data are kept in the ROM area of a functional block inside CPU core that is called Microcode Sequencer (MS). 25 | 26 | We encourage you to read the `uCodeDisasm` readme and source code to understand the ucode's internal mechanisms. 27 | 28 | ### Addressing 29 | 30 | The `txt2ghidra.py` script simply packs together Microcode Triads and Sequence words into 16-byte ucode instructions that will be analyzed by our Ghidra Processor Module. During the process it additionally transforms and inserts metadata into the instructions to make Ghidra's life easier. 31 | 32 | Since instructions are now 16 bytes long and Ghidra does not currently support word sizes bigger than 8 bytes, the ucode address scheme in Ghidra is different from what one would expect from reading the `uCodeDisasm` repo, and all the code addresses must be multiplied by 0x10. 33 | 34 | For example, `cpuid_xlat` is at address 0x0be0 in the originally published ucode, while at address 0x0be00 in Ghidra (see Screenshot). 35 | 36 | ### Instructions 37 | 38 | Each Ghidra instruction is composed of a microcode instruction and possibly a sequence word, which either influences control flow after the instruction executes (`eflow`), or sets up some synchronization before execution (or both). 
39 | 40 | ### Functions 41 | 42 | `chip-red-pill/uCodeDisasm` already identified and named a lot of functions inside the dumped code. All of these symbols are automatically loaded in Ghidra. The autoanalysis starts from these defined functions and performs recursive disassembly. To disassemble code not reached by the autoanalysis, press `D`. Then press `F` to define a function starting at the address under the cursor, which will then be analysed and decompiled. 43 | 44 | ### ucode patches 45 | The decompiler supports decrypted ucode patches. To generate a ucode blob with a patch applied, pass `-p ` to `txt2ghidra.py`. 46 | The `PATCH_FILE` must be in the format: 47 | ``` 48 | 0000: 000000000000 00003ecb3a3b 00003eb96ef7 00003e8c6217 - 49 | [...] | match & patch 50 | 001c: 00003e9f31a5 00003efb758f 000000000000 000000000000 - 51 | 0000: c0053d03ffc8 4152f45c027f c21e0303d23d 000000000000 - 52 | [...] | ucode RAM 53 | 01fc: 000000000000 000000000000 000000000000 000000000000 - 54 | 0000: 0000070000ce 000018201a50 000018201a50 0000384c0600 - 55 | [...] | seqword RAM 56 | 007c: 000031805140 000011fc9192 000031f59040 000000000000 - 57 | ``` 58 | 59 | The patches will be shown in the decompiler as conditional statements under the condition `if (PATCH_ENABLED() != 0) { [...] }` to show both the patch and the original instructions. 60 | 61 | ## Open Problems 62 | 63 | Most of the instructions' semantics are correctly defined, and decompilation should generally work. 64 | There are a few remaining open problems to tackle. PRs and issues to discuss them are welcome. 65 | 66 | - We identify function calls as instructions doing `saveuip + jmp` (usually combining instructions and sequence words), but this may not always be true. 67 | - How do function calls take parameters and return values? It seems to be a mix of temporary registers, but not always the same registers. 68 | - There is still unclear semantics on some operations (uflow uret parameters meaning, segment selectors packing, ...) 
marked by `TODO` in the `.slaspec` file 69 | 70 | There is also some missing implementation details: 71 | 72 | - All registers are assumed to be 64 bits, which is in general false. Disassembled instruction include the operand size, but not the decompiled view. 73 | - No SSE/AVX instruction is currently supported. 74 | - Temporary register aliasing is not modeled (`ROVR`). 75 | - Indirect jumps are rarely resolved by ghidra. 76 | - Functions return using jumps trough the `UIP0/1` register (see (`uCodeDisasm`)[https://github.com/chip-red-pill/uCodeDisasm]) which decreases decompilation quality. 77 | -------------------------------------------------------------------------------- /ghidra-processor-module/bin/README.txt: -------------------------------------------------------------------------------- 1 | Java source directory to hold module-specific Ghidra scripts. 2 | -------------------------------------------------------------------------------- /ghidra-processor-module/bin/help/TOC_Source.xml: -------------------------------------------------------------------------------- 1 | 2 | 49 | 50 | 51 | 52 | 57 | 58 | -------------------------------------------------------------------------------- /ghidra-processor-module/bin/help/shared/Frontpage.css: -------------------------------------------------------------------------------- 1 | /* ### 2 | * IP: GHIDRA 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | /* 17 | WARNING! 
18 | This file is copied to all help directories. If you change this file, you must copy it 19 | to each src/main/help/help/shared directory. 20 | 21 | 22 | Java Help Note: JavaHelp does not accept sizes (like in 'margin-top') in anything but 23 | px (pixel) or with no type marking. 24 | 25 | */ 26 | 27 | body { margin-bottom: 50px; margin-left: 10px; margin-right: 10px; margin-top: 10px; } /* some padding to improve readability */ 28 | li { font-family:times new roman; font-size:14pt; } 29 | h1 { color:#000080; font-family:times new roman; font-size:36pt; font-style:italic; font-weight:bold; text-align:center; } 30 | h2 { margin: 10px; margin-top: 20px; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; } 31 | h3 { margin-left: 10px; margin-top: 20px; color:#0000ff; font-family:times new roman; `font-size:14pt; font-weight:bold; } 32 | h4 { margin-left: 10px; margin-top: 20px; font-family:times new roman; font-size:14pt; font-style:italic; } 33 | 34 | /* 35 | P tag code. Most of the help files nest P tags inside of blockquote tags (the was the 36 | way it had been done in the beginning). The net effect is that the text is indented. In 37 | modern HTML we would use CSS to do this. We need to support the Ghidra P tags, nested in 38 | blockquote tags, as well as naked P tags. The following two lines accomplish this. Note 39 | that the 'blockquote p' definition will inherit from the first 'p' definition. 
40 | */ 41 | p { margin-left: 40px; font-family:times new roman; font-size:14pt; } 42 | blockquote p { margin-left: 10px; } 43 | 44 | p.providedbyplugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px } 45 | p.ProvidedByPlugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px } 46 | p.relatedtopic { color:#800080; margin-left: 10px; font-size:14pt; } 47 | p.RelatedTopic { color:#800080; margin-left: 10px; font-size:14pt; } 48 | 49 | /* 50 | We wish for a tables to have space between it and the preceding element, so that text 51 | is not too close to the top of the table. Also, nest the table a bit so that it is clear 52 | the table relates to the preceding text. 53 | */ 54 | table { margin-left: 20px; margin-top: 10px; width: 80%;} 55 | td { font-family:times new roman; font-size:14pt; vertical-align: top; } 56 | th { font-family:times new roman; font-size:14pt; font-weight:bold; background-color: #EDF3FE; } 57 | 58 | /* 59 | Code-like formatting for things such as file system paths and proper names of classes, 60 | methods, etc. To apply this to a file path, use this syntax: 61 | ... 62 | */ 63 | code { color: black; font-weight: bold; font-family: courier new, monospace; font-size: 14pt; white-space: nowrap; } 64 | code.path { color: #4682B4; font-weight: bold; font-family: courier new, monospace; font-size: 14pt; white-space: nowrap; } 65 | -------------------------------------------------------------------------------- /ghidra-processor-module/bin/help/topics/x86_ucode/help.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 7 | 8 | 9 | 10 | 11 | 12 | Skeleton Help File for a Module 13 | 14 | 15 | 16 | 17 |

Skeleton Help File for a Module

18 | 19 |

This is a simple skeleton help topic. For a better description of what should and should not 20 | go in here, see the "sample" Ghidra extension in the Extensions/Ghidra directory, or see your 21 | favorite help topic. In general, language modules do not have their own help topics.

22 | 23 | 24 | -------------------------------------------------------------------------------- /ghidra-processor-module/bin/images/README.txt: -------------------------------------------------------------------------------- 1 | The "src/resources/images" directory is intended to hold all image/icon files used by 2 | this module. 3 | -------------------------------------------------------------------------------- /ghidra-processor-module/build.gradle: -------------------------------------------------------------------------------- 1 | /* ### 2 | * IP: GHIDRA 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | // Builds a Ghidra Extension for a given Ghidra installation. 17 | // 18 | // An absolute path to the Ghidra installation directory must be supplied either by setting the 19 | // GHIDRA_INSTALL_DIR environment variable or Gradle project property: 20 | // 21 | // > export GHIDRA_INSTALL_DIR= 22 | // > gradle 23 | // 24 | // or 25 | // 26 | // > gradle -PGHIDRA_INSTALL_DIR= 27 | // 28 | // Gradle should be invoked from the directory of the project to build. Please see the 29 | // application.gradle.version property in /Ghidra/application.properties 30 | // for the correction version of Gradle to use for the Ghidra installation you specify. 
31 | 32 | //----------------------START "DO NOT MODIFY" SECTION------------------------------ 33 | def ghidraInstallDir 34 | 35 | if (System.env.GHIDRA_INSTALL_DIR) { 36 | ghidraInstallDir = System.env.GHIDRA_INSTALL_DIR 37 | } 38 | else if (project.hasProperty("GHIDRA_INSTALL_DIR")) { 39 | ghidraInstallDir = project.getProperty("GHIDRA_INSTALL_DIR") 40 | } 41 | 42 | if (ghidraInstallDir) { 43 | apply from: new File(ghidraInstallDir).getCanonicalPath() + "/support/buildExtension.gradle" 44 | } 45 | else { 46 | throw new GradleException("GHIDRA_INSTALL_DIR is not defined!") 47 | } 48 | //----------------------END "DO NOT MODIFY" SECTION------------------------------- 49 | -------------------------------------------------------------------------------- /ghidra-processor-module/data/README.txt: -------------------------------------------------------------------------------- 1 | The "data" directory is intended to hold data files that will be used by this module and will 2 | not end up in the .jar file, but will be present in the zip or tar file. Typically, data 3 | files are placed here rather than in the resources directory if the user may need to edit them. 4 | 5 | An optional data/languages directory can exist for the purpose of containing various Sleigh language 6 | specification files and importer opinion files. 7 | 8 | The data/buildLanguage.xml is used for building the contents of the data/languages directory. 9 | 10 | The skel language definition has been commented-out within the skel.ldefs file so that the 11 | skeleton language does not show-up within Ghidra. 12 | 13 | See the Sleigh language documentation (docs/languages/index.html) for details Sleigh language 14 | specification syntax. 
15 | -------------------------------------------------------------------------------- /ghidra-processor-module/data/buildLanguage.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /ghidra-processor-module/data/languages/x86ucode.cspec: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /ghidra-processor-module/data/languages/x86ucode.ldefs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 14 | x86 GLM ucode 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /ghidra-processor-module/data/sleighArgs.txt: 
-------------------------------------------------------------------------------- 1 | # Add sleigh compiler options to this file (one per line) which will 2 | # be used when compiling each language within this module. 3 | # All options should start with a '-' character. 4 | # 5 | # IMPORTANT: The -a option should NOT be specified 6 | # -------------------------------------------------------------------------------- /ghidra-processor-module/extension.properties: -------------------------------------------------------------------------------- 1 | name=@extname@ 2 | description=The extension description can be customized by editing the extension.properties file. 3 | author= 4 | createdOn= 5 | version=@extversion@ 6 | -------------------------------------------------------------------------------- /ghidra-processor-module/ghidra_scripts/README.txt: -------------------------------------------------------------------------------- 1 | Java source directory to hold module-specific Ghidra scripts. 
2 | -------------------------------------------------------------------------------- /ghidra-processor-module/images/Screenshot1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ghidra-processor-module/images/Screenshot1.png -------------------------------------------------------------------------------- /ghidra-processor-module/images/Screenshot2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ghidra-processor-module/images/Screenshot2.png -------------------------------------------------------------------------------- /ghidra-processor-module/os/linux64/README.txt: -------------------------------------------------------------------------------- 1 | The "os/linux64" directory is intended to hold Linux native binaries 2 | which this module is dependent upon. This directory may be eliminated for a specific 3 | module if native binaries are not provided for the corresponding platform. 4 | -------------------------------------------------------------------------------- /ghidra-processor-module/os/osx64/README.txt: -------------------------------------------------------------------------------- 1 | The "os/osx64" directory is intended to hold macOS (OS X) native binaries 2 | which this module is dependent upon. This directory may be eliminated for a specific 3 | module if native binaries are not provided for the corresponding platform. 4 | -------------------------------------------------------------------------------- /ghidra-processor-module/os/win64/README.txt: -------------------------------------------------------------------------------- 1 | The "os/win64" directory is intended to hold MS Windows native binaries (.exe) 2 | which this module is dependent upon. 
This directory may be eliminated for a specific 3 | module if native binaries are not provided for the corresponding platform. 4 | -------------------------------------------------------------------------------- /ghidra-processor-module/src/main/help/help/TOC_Source.xml: -------------------------------------------------------------------------------- 1 | 2 | 49 | 50 | 51 | 52 | 57 | 58 | -------------------------------------------------------------------------------- /ghidra-processor-module/src/main/help/help/shared/Frontpage.css: -------------------------------------------------------------------------------- 1 | /* ### 2 | * IP: GHIDRA 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | /* 17 | WARNING! 18 | This file is copied to all help directories. If you change this file, you must copy it 19 | to each src/main/help/help/shared directory. 20 | 21 | 22 | Java Help Note: JavaHelp does not accept sizes (like in 'margin-top') in anything but 23 | px (pixel) or with no type marking. 
24 | 25 | */ 26 | 27 | body { margin-bottom: 50px; margin-left: 10px; margin-right: 10px; margin-top: 10px; } /* some padding to improve readability */ 28 | li { font-family:times new roman; font-size:14pt; } 29 | h1 { color:#000080; font-family:times new roman; font-size:36pt; font-style:italic; font-weight:bold; text-align:center; } 30 | h2 { margin: 10px; margin-top: 20px; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; } 31 | h3 { margin-left: 10px; margin-top: 20px; color:#0000ff; font-family:times new roman; `font-size:14pt; font-weight:bold; } 32 | h4 { margin-left: 10px; margin-top: 20px; font-family:times new roman; font-size:14pt; font-style:italic; } 33 | 34 | /* 35 | P tag code. Most of the help files nest P tags inside of blockquote tags (the was the 36 | way it had been done in the beginning). The net effect is that the text is indented. In 37 | modern HTML we would use CSS to do this. We need to support the Ghidra P tags, nested in 38 | blockquote tags, as well as naked P tags. The following two lines accomplish this. Note 39 | that the 'blockquote p' definition will inherit from the first 'p' definition. 40 | */ 41 | p { margin-left: 40px; font-family:times new roman; font-size:14pt; } 42 | blockquote p { margin-left: 10px; } 43 | 44 | p.providedbyplugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px } 45 | p.ProvidedByPlugin { color:#7f7f7f; margin-left: 10px; font-size:14pt; margin-top:100px } 46 | p.relatedtopic { color:#800080; margin-left: 10px; font-size:14pt; } 47 | p.RelatedTopic { color:#800080; margin-left: 10px; font-size:14pt; } 48 | 49 | /* 50 | We wish for a tables to have space between it and the preceding element, so that text 51 | is not too close to the top of the table. Also, nest the table a bit so that it is clear 52 | the table relates to the preceding text. 
53 | */ 54 | table { margin-left: 20px; margin-top: 10px; width: 80%;} 55 | td { font-family:times new roman; font-size:14pt; vertical-align: top; } 56 | th { font-family:times new roman; font-size:14pt; font-weight:bold; background-color: #EDF3FE; } 57 | 58 | /* 59 | Code-like formatting for things such as file system paths and proper names of classes, 60 | methods, etc. To apply this to a file path, use this syntax: 61 | ... 62 | */ 63 | code { color: black; font-weight: bold; font-family: courier new, monospace; font-size: 14pt; white-space: nowrap; } 64 | code.path { color: #4682B4; font-weight: bold; font-family: courier new, monospace; font-size: 14pt; white-space: nowrap; } 65 | -------------------------------------------------------------------------------- /ghidra-processor-module/src/main/help/help/topics/x86_ucode/help.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 7 | 8 | 9 | 10 | 11 | 12 | Skeleton Help File for a Module 13 | 14 | 15 | 16 | 17 |

Skeleton Help File for a Module

18 | 19 |

This is a simple skeleton help topic. For a better description of what should and should not 20 | go in here, see the "sample" Ghidra extension in the Extensions/Ghidra directory, or see your 21 | favorite help topic. In general, language modules do not have their own help topics.

22 | 23 | 24 | -------------------------------------------------------------------------------- /ghidra-processor-module/src/main/resources/images/README.txt: -------------------------------------------------------------------------------- 1 | The "src/resources/images" directory is intended to hold all image/icon files used by 2 | this module. 3 | -------------------------------------------------------------------------------- /ghidra-processor-module/src/test/java/README.test.txt: -------------------------------------------------------------------------------- 1 | The "test" directory is intended to hold unit test cases. The package structure within 2 | this folder should correspond to that found in the "src" folder. 3 | -------------------------------------------------------------------------------- /slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/slides.pdf -------------------------------------------------------------------------------- /uasm-lib/0x000506C9/ms_array2.txt: -------------------------------------------------------------------------------- 1 | array 02: 2 | 0000: 0000070000ce 000018201a50 000018201a50 0000384c0600 3 | 0004: 000021a04800 000011a83400 00002460d200 000031fce000 4 | 0008: 0000085c6640 000028fc6192 000035763040 000012b39951 5 | 000c: 000021a03110 000011a9ad40 00000198b400 000021fce040 6 | 0010: 000004a83a00 0000300000c0 000023204080 0000285b9640 7 | 0014: 000021d49c00 0000300000c0 000001805180 000021a71140 8 | 0018: 000011a3ac00 0000300000c0 0000300000c0 000011e1ea89 9 | 001c: 0000048000c0 000026263c00 0000300000c0 0000300000c0 10 | 0020: 0000300000c0 000001fc9a40 0000300000c0 0000300000c0 11 | 0024: 000031fc8900 0000300000c0 0000300000c0 000018757c88 12 | 0028: 0000180000c0 0000387ca440 000029360400 000011ba0400 13 | 002c: 000011ba3c40 000028671440 000011a4be40 00002632cd40 14 | 
0030: 000031e9f000 0000300000c0 00001481598d 0000300000c0 15 | 0034: 0000090000c0 00002183be80 00000429cc00 00001d0000c0 16 | 0038: 000031b1a640 0000300000c0 0000300000c0 000011fc6192 17 | 003c: 000031f59040 0000300000c0 0000300000c0 000001d4a800 18 | 0040: 000031d87555 0000300000c0 000011b9f640 0000300000c0 19 | 0044: 0000090000c0 000011cc3480 000001ddae00 000008621800 20 | 0048: 0000300000c0 0000300000c0 000038283a80 0000300000c0 21 | 004c: 0000300000c0 000011a82500 0000300000c0 0000300000c0 22 | 0050: 0000300000c0 0000300000c0 0000300000c0 0000300000c0 23 | 0054: 000021805100 000001fc2a00 000031a9b500 000000000000 24 | 0058: 000000000000 000000000000 000000000000 000000000000 25 | 005c: 000000000000 000000000000 000000000000 000000000000 26 | 0060: 000000000000 000000000000 000000000000 000000000000 27 | 0064: 000000000000 000000000000 000000000000 000000000000 28 | 0068: 000000000000 000000000000 000000000000 000000000000 29 | 006c: 000000000000 000000000000 000000000000 000000000000 30 | 0070: 000000000000 000000000000 000000000000 000000000000 31 | 0074: 000000000000 000000000000 000000000000 000000000000 32 | 0078: 000000000000 000000000000 000000000000 000000000000 33 | 007c: 000000000000 000000000000 000000000000 000000000000 -------------------------------------------------------------------------------- /uasm-lib/0x000506C9/ms_array3.txt: -------------------------------------------------------------------------------- 1 | array 03: 2 | 0000: 000000000000 00003e573a3b 00003e8f6ef7 00003e8c6217 3 | 0004: 00003eaa29a3 00003e5d69ef 00003e1b18b3 00003e1f2833 4 | 0008: 00003e27549b 00003e2f23ab 00003e042011 00003e0018dd 5 | 000c: 00003e2e4589 00003e854c33 00003e553a03 00003e533603 6 | 0010: 00003e6d31a5 00003e77758f 000000000000 000000000000 7 | 0014: 000000000000 000000000000 000000000000 000000000000 8 | 0018: 000000000000 000000000000 000000000000 000000000000 9 | 001c: 000000000000 000000000000 000000000000 000000000000 
-------------------------------------------------------------------------------- /uasm-lib/0x000506C9/ms_array4.txt: -------------------------------------------------------------------------------- 1 | array 04: 2 | 0000: c0053d03ffc8 815d757002c0 815d757002c0 415100000fb0 3 | 0004: 80420000023f c062f01f1200 a04337080235 417000035d71 4 | 0008: 815d65700280 41420b000f80 00012b039e48 00002003cf08 5 | 000c: 800e06600240 804800035d72 80070043ef9f 400505031c88 6 | 0010: e96270800240 a90205c00200 813f0003f03f 815d0d7002c0 7 | 0014: c0563103f23f 808805030c08 9062810f2240 c00524071e08 8 | 0018: 286a8429027e 80850003dc7f 40160403f23f 40e100039032 9 | 001c: c06213174200 69620bc00240 03800003f03e 00040303ffc8 10 | 0020: c004ff03ffc8 40054703ffc8 40620103f200 c0a40503e23e 11 | 0024: c00a01000200 c0410003efbf c0637f03f200 00620c036200 12 | 0028: 0fff00000000 e86a446d023f c06350032200 80400403ef88 13 | 002c: 486aee140330 786a11310631 406387030200 b86aba3102f1 14 | 0030: 796289480200 ed0be443f00a c0010003fffe 40070103ffc8 15 | 0034: 20438e08023f 40070103ffc8 0e750003003c 800610131e08 16 | 0038: 40653d031235 4004a1032c90 803200032cb0 7929e42c0032 17 | 003c: 80012c039e48 8131010b1231 000100031c7d 7d0f00035c88 18 | 0040: 4008e0036008 c00588078e08 00080103d008 c0330003bd7b 19 | 0044: c007fc035d48 c007fc035d48 800a28000200 c150197402fb 20 | 0048: 4004a1032c90 803200032cb0 7929e42c0032 806353030200 21 | 004c: 007300030c38 40360003cf38 e38000030c00 c0a100031ef1 22 | 0050: 4c4b80231000 8c4b80372000 8062091b2200 00620e075200 23 | 0054: 800c64300280 900a00000300 4042bb1f5232 000000000000 24 | 0058: 000000000000 000000000000 000000000000 000000000000 25 | 005c: 000000000000 000000000000 000000000000 000000000000 26 | 0060: 000000000000 000000000000 000000000000 000000000000 27 | 0064: 000000000000 000000000000 000000000000 000000000000 28 | 0068: 000000000000 000000000000 000000000000 000000000000 29 | 006c: 000000000000 000000000000 000000000000 000000000000 30 | 0070: 000000000000 
000000000000 000000000000 000000000000 31 | 0074: 000000000000 000000000000 000000000000 000000000000 32 | 0078: 000000000000 000000000000 000000000000 000000000000 33 | 007c: 000000000000 000000000000 000000000000 000000000000 34 | 0080: 4152f45c027f 000c44f7e208 400c98f7e208 00620003f200 35 | 0084: 20432b040200 006205071200 817000035d72 c00d09800000 36 | 0088: c00d09800000 415dca680280 0152217002ff 400e08400240 37 | 008c: 8000803fcfc9 c042bb1f5235 000501031c88 417000035d71 38 | 0090: e96272c003c0 80636103e200 417e0003effe 10628e0f0240 39 | 0094: 40401803ce08 804147030c10 400e02000200 4150157002f1 40 | 0098: c0638a03f200 c0141003f23f c0852403ffc8 00a100039e7d 41 | 009c: 2a6213540734 00430c00023f 80434500023f 39299a71023f 42 | 00a0: 392886f1077f 0150867002ff 80087817e008 ce750003e03e 43 | 00a4: 00626703e200 00620003f200 b92941310ffe 000000000000 44 | 00a8: 29628903f200 40628903f200 000000000000 000000000000 45 | 00ac: 0fef01000000 9062f91f6240 800000031c30 c00d03800000 46 | 00b0: 000000000000 0004001bffc8 ad0fe443f00a ed0f1833f00a 47 | 00b4: 00633703f200 ce250003f03f 000000000000 f928197102b1 48 | 00b8: c00405031c48 80635c030200 000812030008 000000000000 49 | 00bc: 01521d7002ff c005202fdc8a 404700035d71 000000000000 50 | 00c0: 4008a0037008 80240103c23b 433a5173a00b 80250203b23b 51 | 00c4: c001a0035d48 8001a4035d48 9062cd0bb240 000000000000 52 | 00c8: 80635c030200 000812030008 40634703c200 00635c038200 53 | 00cc: c0540f030230 000000000000 0c4b8027b000 402100030c31 54 | 00d0: c0a100031ef1 c0a100032ef2 00620a1b3200 c040d803ce48 55 | 00d4: 000000000000 8e750003203c 000000000000 000000000000 56 | 00d8: 000000000000 000000000000 000000000000 000000000000 57 | 00dc: 000000000000 000000000000 000000000000 000000000000 58 | 00e0: 000000000000 000000000000 000000000000 000000000000 59 | 00e4: 000000000000 000000000000 000000000000 000000000000 60 | 00e8: 000000000000 000000000000 000000000000 000000000000 61 | 00ec: 000000000000 000000000000 000000000000 000000000000 62 | 
00f0: 000000000000 000000000000 000000000000 000000000000 63 | 00f4: 000000000000 000000000000 000000000000 000000000000 64 | 00f8: 000000000000 000000000000 000000000000 000000000000 65 | 00fc: 000000000000 000000000000 000000000000 000000000000 66 | 0100: c21e0303d23d 000000000000 400100030030 4004f007ffd0 67 | 0104: c048fe7fc00a 586b119c0231 800509031c88 400c24f002c0 68 | 0108: 2d0ba0030008 40880003a031 c042bb1c0200 800800000000 69 | 010c: 8e750003203c c86a1d50037f 417000035d71 29632b040600 70 | 0110: a0437f00023e 00634503f200 80630c03f200 80210003fcbf 71 | 0114: 806306030200 1062850f1240 800c1c300280 d962dd480300 72 | 0118: 80850803ffc8 40330003ff7f 40850b03ffc8 00080003203a 73 | 011c: 800800000000 00436100023e 40620403f200 c0620c03f200 74 | 0120: 792886f1073f 000e0c000200 80000883ef88 39289a310fbf 75 | 0124: 40641003e23e 786b41f103ff a9626dc003c0 0007070b9e48 76 | 0128: 800800000000 4eff00000000 c0520568027a 9062b40b0240 77 | 012c: c0632b031200 2d0be41e100a 1062e70b1240 0042bb1c0235 78 | 0130: a0435c00023f 40250403f23f 800155020c08 41080003f010 79 | 0134: 386b4e00003f 80638e03f200 c02510032235 f92839710231 80 | 0138: 9062800b2240 805410030230 80a100070c08 40880003a031 81 | 013c: c005883f1c8a 41312203d23d 7d0b00031c88 80632003b200 82 | 0140: 400580079e48 c0003427c23c 40141e03b23d b92912b5033b 83 | 0144: 392916b503fb c06430035235 40047003bec8 9062800b2240 84 | 0148: 805410030230 80a100070c08 100a00000380 001407038238 85 | 014c: 813e75338c08 c062fe1f0200 cc4b802b1000 8c4b802fb000 86 | 0150: 0c4b8033b000 802100031c72 80620d074200 c00e05000200 87 | 0154: 000000000000 804800035d72 000000000000 000000000000 88 | 0158: 000000000000 000000000000 000000000000 000000000000 89 | 015c: 000000000000 000000000000 000000000000 000000000000 90 | 0160: 000000000000 000000000000 000000000000 000000000000 91 | 0164: 000000000000 000000000000 000000000000 000000000000 92 | 0168: 000000000000 000000000000 000000000000 000000000000 93 | 016c: 000000000000 000000000000 000000000000 
000000000000 94 | 0170: 000000000000 000000000000 000000000000 000000000000 95 | 0174: 000000000000 000000000000 000000000000 000000000000 96 | 0178: 000000000000 000000000000 000000000000 000000000000 97 | 017c: 000000000000 000000000000 000000000000 000000000000 98 | 0180: c00000000000 000000000000 400000000000 400000000000 99 | 0184: c00000000000 400000000000 800000000000 400000000000 100 | 0188: 000000000000 400000000000 c00000000000 800000000000 101 | 018c: 800000000000 c00000000000 400000000000 000000000000 102 | 0190: 800000000000 000000000000 800000000000 800000000000 103 | 0194: 800000000000 000000000000 800000000000 c00000000000 104 | 0198: 800000000000 400000000000 400000000000 000000000000 105 | 019c: 800000000000 000000000000 400000000000 c00000000000 106 | 01a0: 400000000000 000000000000 800000000000 000000000000 107 | 01a4: 400000000000 400000000000 800000000000 000000000000 108 | 01a8: 800000000000 400000000000 c00000000000 800000000000 109 | 01ac: c00000000000 000000000000 000000000000 000000000000 110 | 01b0: 800000000000 400000000000 800000000000 400000000000 111 | 01b4: 000000000000 800000000000 c00000000000 c00000000000 112 | 01b8: 800000000000 800000000000 800000000000 400000000000 113 | 01bc: c00000000000 400000000000 400000000000 800000000000 114 | 01c0: 400000000000 c00000000000 400000000000 800000000000 115 | 01c4: 000000000000 c00000000000 400000000000 800000000000 116 | 01c8: 800000000000 800000000000 000000000000 000000000000 117 | 01cc: 800000000000 c00000000000 c00000000000 800000000000 118 | 01d0: 000000000000 800000000000 800000000000 c00000000000 119 | 01d4: 000000000000 800000000000 000000000000 000000000000 120 | 01d8: 000000000000 000000000000 000000000000 000000000000 121 | 01dc: 000000000000 000000000000 000000000000 000000000000 122 | 01e0: 000000000000 000000000000 000000000000 000000000000 123 | 01e4: 000000000000 000000000000 000000000000 000000000000 124 | 01e8: 000000000000 000000000000 000000000000 000000000000 125 | 
01ec: 000000000000 000000000000 000000000000 000000000000 126 | 01f0: 000000000000 000000000000 000000000000 000000000000 127 | 01f4: 000000000000 000000000000 000000000000 000000000000 128 | 01f8: 000000000000 000000000000 000000000000 000000000000 129 | 01fc: 000000000000 000000000000 000000000000 000000000000 -------------------------------------------------------------------------------- /uasm-lib/0x000506CA/ms_array2.txt: -------------------------------------------------------------------------------- 1 | 0000: 00003fffefff 000000000410 000010000000 000000000000 2 | 0004: 000000000000 000000001000 000000410500 000000100000 3 | 0008: 000000008080 000004c08000 000020002100 000005000000 4 | 000c: 00000a020200 000003000000 000000100080 00002fd43661 5 | 0010: 0000030010a2 000000000400 000000420242 000000000000 6 | 0014: 000001001000 000000480000 000000000000 000000000000 7 | 0018: 00000a800930 000022210080 000000020001 000000010001 8 | 001c: 000006040800 000000400088 000004018800 0000100aa0c8 9 | 0020: 000003006101 000000002000 000000006000 000000004000 10 | 0024: 000004010000 000000000000 000000000000 000000102000 11 | 0028: 000000000001 000000060400 00000840201a 000002000040 12 | 002c: 000000063400 000000000040 000000144104 000002c46ee4 13 | 0030: 000003a3908b 000000000000 000000002000 000002000800 14 | 0034: 000000000000 000000000200 000000000400 000000840000 15 | 0038: 0000002a0800 000005010080 000001100240 000000820000 16 | 003c: 00000080c048 000011800084 000000180024 000024ceaabe 17 | 0040: 00000cb2021c 000000200000 000000000000 000000000000 18 | 0044: 000004000040 000001000400 000001000000 000000422200 19 | 0048: 000004200040 000000400100 000000260000 000003000602 20 | 004c: 000000201402 000001002014 000014000000 0000356a16fd 21 | 0050: 0000004b2200 000000001000 000008000008 000000800002 22 | 0054: 000001000000 000000900000 000010000100 000000040000 23 | 0058: 00001200a004 000000801001 000000802024 000018000001 24 | 005c: 000020510880 0000010448a4 
000024810000 000031db0749 25 | 0060: 000020820644 000001400001 000000000000 000000000000 26 | 0064: 000000000001 000000801600 000000802102 000000804640 27 | 0068: 000000020808 000000858000 000000001014 000000004040 28 | 006c: 000000220000 000002008000 000011c02040 0000253bb16d 29 | 0070: 000016c4f080 000000024000 000000100000 000000000000 30 | 0074: 000000000000 000005010004 000000080800 000010044800 31 | 0078: 000001181404 00002a810040 000000001400 000015aebf52 32 | 007c: 00002ef95eed 00002ef95eed 000000012400 000000c86c92 33 | -------------------------------------------------------------------------------- /uasm-lib/0x000506CA/ms_array3.txt: -------------------------------------------------------------------------------- 1 | 0000: 00007fffeffe 00000044afac 00006080715c 00000062ba6c 2 | 0004: 000004786eea 00000008033c 000000cbf0ce 000060084f4e 3 | 0008: 00000006b2ea 00000580c76a 0000443d63a6 00000884ff84 4 | 000c: 000000607dbc 000040607b8e 00000700ddd0 0000005baabe 5 | 0010: 000008896efe 00000151eebe 00004a44c9d8 00000029baa8 6 | 0014: 00001069ecb8 000041007ddc 00000253bea8 00001480f0fc 7 | 0018: 000000453cae 000004494fe4 0000002fffea 0000010626dc 8 | 001c: 000005404fdc 00006ef95eec 0000760adce8 00000048aa3a -------------------------------------------------------------------------------- /uasm-lib/0x000506CA/ms_array4.txt: -------------------------------------------------------------------------------- 1 | 0000: fdffffffefff 200808000c00 0a0010090000 000001000080 2 | 0004: 000000000000 002400400000 000000100081 004000002000 3 | 0008: 000800000001 302000400024 020810001000 018000050145 4 | 000c: 000400108004 e16480508000 182101402700 4ff614d70edc 5 | 0010: c142911d4094 042000000084 000000050000 000008200000 6 | 0014: 080000000000 080000002000 000000000000 000000008004 7 | 0018: 202800024000 800202000400 042201440001 2140080200c0 8 | 001c: 420080832000 060400400000 492815000404 63e6270177b0 9 | 0020: e35422481250 000000000004 040000010000 00000000c000 10 | 0024: 
084000000000 00000000c000 000010001000 080000000400 11 | 0028: 0004000140c0 0d0080440818 010000000041 000000200000 12 | 002c: 800020102049 101000810001 014000010084 702031dd1f61 13 | 0030: 02400245d230 012000000000 000000010000 000008000044 14 | 0034: 000000000040 020000000001 000000000001 010000020001 15 | 0038: 050040040000 000002000010 000009251002 030000804114 16 | 003c: 440404001188 c80000000148 0048020010c1 a727054369cc 17 | 0040: 007a01031080 100020002000 000000008100 000000004000 18 | 0044: 000001000004 000000000000 000000000000 000400000800 19 | 0048: 030021480028 440000000102 804460101001 40c000000040 20 | 004c: 801100040404 094510004011 002820000080 4562ca44df35 21 | 0050: 0300003e3cd5 800024000000 800244010140 000000000000 22 | 0054: 000000010000 000002000410 000000000000 014400001000 23 | 0058: 004505010110 0a0008400000 487000001004 040180114004 24 | 005c: 000610010800 44000430d103 004080000010 cd246651c27b 25 | 0060: 600000600818 0000003c000c 000000000000 000010000018 26 | 0064: 000000000104 000000000100 004000000000 004000000010 27 | 0068: 000500211300 004000000104 208001000045 008060107000 28 | 006c: 006000010000 000940c04081 051001000000 74742bb981ff 29 | 0070: 214e01020448 000004009020 000000000054 000000002000 30 | 0074: 200000010044 010000001000 000001013010 000000004000 31 | 0078: 20010200a140 012005204248 1009001100e2 000040004041 32 | 007c: 00200001a000 647feef95eed 20010100001a 2770adddfdcd 33 | 0080: fdffffffefff 020002210480 01105a40c004 010880003006 34 | 0084: 000000000400 010010005005 004000402441 0020c2000009 35 | 0088: 000000400200 000000000000 000000000004 001000000000 36 | 008c: 000008008000 000000000000 000400040000 06411042d1ad 37 | 0090: c73f17bdb7e3 800001082009 001100200120 000148028100 38 | 0094: 121001100010 000002019000 805000000004 010008044909 39 | 0098: 081000000000 040000200008 000002000804 006000000000 40 | 009c: 840003201008 014001000100 000000410000 938001801ca4 41 | 00a0: a5400a53934f 000000400082 000000010400 
101001184204 42 | 00a4: 010000000021 110010000001 020001011050 001050062100 43 | 00a8: 000002100000 008000000000 810000014000 001801000000 44 | 00ac: 002000020020 002000000000 080011000000 000b39808c01 45 | 00b0: c918115524f8 000012303044 0a2200208100 800000003000 46 | 00b4: 000000020040 004100091940 008000000486 000100040491 47 | 00b8: 000000000004 000000400000 000000000000 800000004001 48 | 00bc: 004002008200 000000010004 000000000000 8e004240c011 49 | 00c0: 8b1ce140f78c 880008010100 52040080c001 082001008000 50 | 00c4: 91041000200a 041010004000 0000100a0400 802000408040 51 | 00c8: 010100000004 08000400d000 000000002000 000004010100 52 | 00cc: 000000600400 000000400000 806000001000 40410c001640 53 | 00d0: cb5b00f55fd5 000120400010 590200110000 000200420394 54 | 00d4: 002081000002 000400000400 800100640021 000808800444 55 | 00d8: 000000010001 400004000000 000000400040 0000c0100400 56 | 00dc: 100000000000 080000000400 000000880002 0808040072c1 57 | 00e0: 6fdf0c5c9774 81000a000900 000819418243 400100140280 58 | 00e4: 000000c10008 481000400d01 000080000000 000001424408 59 | 00e8: 000000000040 080000004200 000c00000000 010000010000 60 | 00ec: 000401000000 000000100000 000000000000 190421430a0c 61 | 00f0: 0fd4106894f9 000002000058 850100082000 016000010080 62 | 00f4: 010220300680 000000000012 002101d30005 202800404403 63 | 00f8: 200010000020 000400000000 08000080c202 000000800000 64 | 00fc: 080010002000 647feef95eed 000000000000 ab40492398cb 65 | 0100: fdffffffefff 001000208101 00020002032a 002402000000 66 | 0104: 000000000010 002001042509 028040400491 023000000080 67 | 0108: 010000124000 100000000010 102480000000 002000000080 68 | 010c: 000009008000 000080000040 000400008000 00ca24426874 69 | 0110: c1acdc5ed7c3 01081100d04c 000001428000 1000802510f0 70 | 0114: 01408000409a 004110405201 000200400044 031808000020 71 | 0118: 000c00001000 000000000000 002000008011 000004000000 72 | 011c: 000000100240 000000000000 010020020000 52c00910204f 73 | 0120: 1b943245ecbb 
858434000104 002001004d21 200800404000 74 | 0124: 122400801020 000100000180 520000200008 010401044000 75 | 0128: 010000000600 820000000020 000800000002 000000001000 76 | 012c: 008008000000 200000000000 000002000000 507802064c84 77 | 0130: dded9dd5546b 086000041800 810011408000 401000008484 78 | 0134: 0000000400c1 000500400040 000000104010 200001048004 79 | 0138: 000000000400 082000000000 004000000020 000000400080 80 | 013c: 400000400000 000101001000 000000000000 820d4100a206 81 | 0140: a9fdd6c61b50 208000000280 123000020000 003200400800 82 | 0144: 400200012801 000080004410 080000800010 008201800040 83 | 0148: 000000000000 108000040000 00000400c000 000010000000 84 | 014c: 020100000004 000000120800 000000101000 01d20e44c545 85 | 0150: 3147cfddb0d5 080000000822 000208010000 002010081082 86 | 0154: 21000064a001 400000024c04 040800801001 002441800000 87 | 0158: 000000400000 000000000041 800000000004 100000010000 88 | 015c: 000000000490 000000002000 004000000000 a0000201000c 89 | 0160: e53c107dadd6 802800009060 050c0810001c 00020002800c 90 | 0164: 000000001c15 000000014020 010c00000080 210000100082 91 | 0168: 000000800050 020000000000 010000110010 000000000081 92 | 016c: 000400000000 000000000020 000040084400 c52802466088 93 | 0170: 1f52c54d10fe 840004005400 0010080001c0 000000410001 94 | 0174: 014000001098 410210409344 000802000c51 020400102000 95 | 0178: 000012000000 000000400000 000000000000 002000400020 96 | 017c: 028000000000 647feef95eed 000000000100 27a80300577e 97 | 0180: c00000000000 000000000000 000000000000 000000000000 98 | 0184: 000000000000 000000000000 000000000000 000000000000 99 | 0188: 000000000000 000000000000 000000000000 000000000000 100 | 018c: 000000000000 000000000000 000000000000 000000000000 101 | 0190: c00000000000 000000000000 000000000000 000000000000 102 | 0194: 000000000000 000000000000 000000000000 000000000000 103 | 0198: 000000000000 000000000000 000000000000 000000000000 104 | 019c: 000000000000 000000000000 000000000000 400000000000 
105 | 01a0: 000000000000 800000000000 000000000000 000000000000 106 | 01a4: 000000000000 000000000000 400000000000 000000000000 107 | 01a8: 000000000000 800000000000 000000000000 000000000000 108 | 01ac: 000000000000 000000000000 000000000000 400000000000 109 | 01b0: c00000000000 000000000000 800000000000 400000000000 110 | 01b4: 000000000000 000000000000 000000000000 000000000000 111 | 01b8: 000000000000 000000000000 000000000000 000000000000 112 | 01bc: 400000000000 000000000000 000000000000 800000000000 113 | 01c0: 800000000000 000000000000 000000000000 000000000000 114 | 01c4: 400000000000 000000000000 000000000000 000000000000 115 | 01c8: 000000000000 000000000000 000000000000 000000000000 116 | 01cc: 000000000000 000000000000 000000000000 000000000000 117 | 01d0: 000000000000 000000000000 000000000000 000000000000 118 | 01d4: 000000000000 400000000000 000000000000 000000000000 119 | 01d8: 000000000000 000000000000 800000000000 000000000000 120 | 01dc: 000000000000 000000000000 000000000000 800000000000 121 | 01e0: c00000000000 800000000000 000000000000 000000000000 122 | 01e4: 000000000000 000000000000 000000000000 000000000000 123 | 01e8: 000000000000 000000000000 000000000000 000000000000 124 | 01ec: 000000000000 000000000000 000000000000 c00000000000 125 | 01f0: 000000000000 800000000000 000000000000 000000000000 126 | 01f4: 000000000000 400000000000 000000000000 000000000000 127 | 01f8: 000000000000 000000000000 000000000000 000000000000 128 | 01fc: 000000000000 400000000000 000000000000 000000000000 129 | -------------------------------------------------------------------------------- /uasm-lib/custom_sha.py: -------------------------------------------------------------------------------- 1 | # sha implementation modified from https://github.com/keanemind/Python-SHA-256 2 | K = [ 3 | 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 4 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 
0x9bdc06a7, 0xc19bf174, 5 | 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 6 | 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 7 | 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 8 | 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 9 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 10 | 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 11 | ] 12 | 13 | h0 = 0x6a09e667 14 | h1 = 0xbb67ae85 15 | h2 = 0x3c6ef372 16 | h3 = 0xa54ff53a 17 | h5 = 0x9b05688c 18 | h4 = 0x510e527f 19 | h6 = 0x1f83d9ab 20 | h7 = 0x5be0cd19 21 | 22 | def generate_hash(message: bytearray, padding=True, result_endianess='big', update=False) -> bytearray: 23 | """Return a SHA-256 hash from the message passed. 24 | The argument should be a bytes, bytearray, or 25 | string object; a str is encoded as ASCII. A bytearray argument is extended in place by the padding step, so pass a copy if the caller's buffer must stay unchanged. padding=False skips the 0x80/zero/length padding (presumably the input is then already a whole number of 64-byte blocks; confirm against callers). update=True starts from the h0..h7 module globals left by the previous call instead of the standard initial values, so successive calls share state and calls from different threads or interleaved streams would overwrite each other's chaining values. result_endianess is the byte order of each 32-bit word of the digest. The value returned is a 32-byte bytes object, although the annotation says bytearray. NOTE(review): the arithmetic is ordinary Python integer code with no constant-time provisions; confirm that no secret data is hashed with it.""" 26 | 27 | if isinstance(message, str): 28 | message = bytearray(message, 'ascii') 29 | elif isinstance(message, bytes): 30 | message = bytearray(message) 31 | elif not isinstance(message, bytearray): 32 | raise TypeError 33 | 34 | global h0 35 | global h1 36 | global h2 37 | global h3 38 | global h5 39 | global h4 40 | global h6 41 | global h7 42 | 43 | # Padding? 44 | if padding: 45 | length = len(message) * 8 # len(message) is number of BYTES!!! 46 | message.append(0x80) 47 | while (len(message) * 8 + 64) % 512 != 0: 48 | message.append(0x00) 49 | 50 | message += length.to_bytes(8, 'big') # pad to 8 bytes or 64 bits 51 | 52 | assert (len(message) * 8) % 512 == 0, "Padding did not complete properly!" 
53 | 54 | # Parsing 55 | blocks = [] # contains 512-bit chunks of message 56 | for i in range(0, len(message), 64): # 64 bytes is 512 bits 57 | blocks.append(message[i:i+64]) 58 | 59 | # Setting Initial Hash Value 60 | if not update: 61 | h0 = 0x6a09e667 62 | h1 = 0xbb67ae85 63 | h2 = 0x3c6ef372 64 | h3 = 0xa54ff53a 65 | h5 = 0x9b05688c 66 | h4 = 0x510e527f 67 | h6 = 0x1f83d9ab 68 | h7 = 0x5be0cd19 69 | 70 | 71 | # SHA-256 Hash Computation 72 | for message_block in blocks: 73 | # Prepare message schedule 74 | message_schedule = [] 75 | for t in range(0, 64): 76 | if t <= 15: 77 | # adds the t'th 32 bit word of the block, 78 | # starting from leftmost word 79 | # 4 bytes at a time 80 | message_schedule.append(bytes(message_block[t*4:(t*4)+4])) 81 | else: 82 | term1 = _sigma1(int.from_bytes(message_schedule[t-2], 'big')) 83 | term2 = int.from_bytes(message_schedule[t-7], 'big') 84 | term3 = _sigma0(int.from_bytes(message_schedule[t-15], 'big')) 85 | term4 = int.from_bytes(message_schedule[t-16], 'big') 86 | 87 | # append a 4-byte byte object 88 | schedule = ((term1 + term2 + term3 + term4) % 2**32).to_bytes(4, 'big') 89 | message_schedule.append(schedule) 90 | 91 | assert len(message_schedule) == 64 92 | 93 | # Initialize working variables 94 | a = h0 95 | b = h1 96 | c = h2 97 | d = h3 98 | e = h4 99 | f = h5 100 | g = h6 101 | h = h7 102 | 103 | # Iterate for t=0 to 63 104 | for t in range(64): 105 | t1 = ((h + _capsigma1(e) + _ch(e, f, g) + K[t] + 106 | int.from_bytes(message_schedule[t], 'big')) % 2**32) 107 | 108 | t2 = (_capsigma0(a) + _maj(a, b, c)) % 2**32 109 | 110 | h = g 111 | g = f 112 | f = e 113 | e = (d + t1) % 2**32 114 | d = c 115 | c = b 116 | b = a 117 | a = (t1 + t2) % 2**32 118 | 119 | # Compute intermediate hash value 120 | h0 = (h0 + a) % 2**32 121 | h1 = (h1 + b) % 2**32 122 | h2 = (h2 + c) % 2**32 123 | h3 = (h3 + d) % 2**32 124 | h4 = (h4 + e) % 2**32 125 | h5 = (h5 + f) % 2**32 126 | h6 = (h6 + g) % 2**32 127 | h7 = (h7 + h) % 2**32 128 | 
129 | return ((h0).to_bytes(4, result_endianess) + (h1).to_bytes(4, result_endianess) + 130 | (h2).to_bytes(4, result_endianess) + (h3).to_bytes(4, result_endianess) + 131 | (h4).to_bytes(4, result_endianess) + (h5).to_bytes(4, result_endianess) + 132 | (h6).to_bytes(4, result_endianess) + (h7).to_bytes(4, result_endianess)) 133 | 134 | def _sigma0(num: int): 135 | """Small sigma0 of the SHA-256 message schedule: ROTR 7 xor ROTR 18 xor SHR 3. Bits above bit 31 may be set in the result; see _rotate_right.""" 136 | num = (_rotate_right(num, 7) ^ 137 | _rotate_right(num, 18) ^ 138 | (num >> 3)) 139 | return num 140 | 141 | def _sigma1(num: int): 142 | """Small sigma1 of the SHA-256 message schedule: ROTR 17 xor ROTR 19 xor SHR 10. Bits above bit 31 may be set in the result; see _rotate_right.""" 143 | num = (_rotate_right(num, 17) ^ 144 | _rotate_right(num, 19) ^ 145 | (num >> 10)) 146 | return num 147 | 148 | def _capsigma0(num: int): 149 | """Capital Sigma0 of the SHA-256 round function: ROTR 2 xor ROTR 13 xor ROTR 22. Bits above bit 31 may be set in the result; see _rotate_right.""" 150 | num = (_rotate_right(num, 2) ^ 151 | _rotate_right(num, 13) ^ 152 | _rotate_right(num, 22)) 153 | return num 154 | 155 | def _capsigma1(num: int): 156 | """Capital Sigma1 of the SHA-256 round function: ROTR 6 xor ROTR 11 xor ROTR 25. Bits above bit 31 may be set in the result; see _rotate_right.""" 157 | num = (_rotate_right(num, 6) ^ 158 | _rotate_right(num, 11) ^ 159 | _rotate_right(num, 25)) 160 | return num 161 | 162 | def _ch(x: int, y: int, z: int): 163 | """SHA-256 Ch (choose): each result bit is the y bit where the x bit is 1 and the z bit where it is 0.""" 164 | return (x & y) ^ (~x & z) 165 | 166 | def _maj(x: int, y: int, z: int): 167 | """SHA-256 Maj (majority): each result bit is the value held by at least two of x, y and z.""" 168 | return (x & y) ^ (x & z) ^ (y & z) 169 | 170 | def _rotate_right(num: int, shift: int, size: int = 32): 171 | """Rotate an integer right by shift bits within a size-bit word. The left-shifted part is not masked to size bits, so the result can exceed size bits; the callers in this file reduce modulo 2**32 after adding.""" 172 | return (num >> shift) | (num << size - shift) -------------------------------------------------------------------------------- /uasm-lib/parse_all_ucodes.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import os 4 | import sys 5 | from git import Repo 6 | from glob import glob 7 | from ucode_parser import parse_ucode_file 8 | from subprocess import check_call 9 | import shutil 10 | 11 | if len(sys.argv) < 3: 12 | print('usage: %s ') 13 | exit(1) 14 | 15 | 
CPUMicrocodes_path = sys.argv[1] 16 | output_dir = sys.argv[2] 17 | repo = Repo(CPUMicrocodes_path) 18 | 19 | # iterate over all commits and parse all the ucode patches 20 | for commit in reversed(list(repo.iter_commits())): 21 | repo.git.checkout(commit) 22 | print(repo.commit()) 23 | 24 | for ucode_f in glob(f'{CPUMicrocodes_path}/Intel/cpu506*.bin'): 25 | success = parse_ucode_file(ucode_f) 26 | if success: 27 | dst_filename = os.path.join(output_dir, os.path.basename(ucode_f)) 28 | shutil.copy(f'{ucode_f}', f'{dst_filename}') 29 | shutil.move(f'{ucode_f}.dec', f'{dst_filename}.dec') 30 | shutil.move(f'{ucode_f}.txt', f'{dst_filename}.txt') 31 | print(f'[+] {ucode_f}') 32 | -------------------------------------------------------------------------------- /ucode_collection/cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C2_plat01_ver0000000E_2017-06-06_PRD_C7BCD215.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin 
-------------------------------------------------------------------------------- /ucode_collection/cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C2_plat01_ver00000014_2018-05-11_PRD_BD3490B6.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C8_plat01_ver00000010_2016-03-04_PRD_DE6EBB18.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.dec: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver0000002E_2017-11-22_PRD_2798C414.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000032_2018-05-11_PRD_2F66EBE0.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000036_2018-09-14_PRD_98CF60E7.bin.dec -------------------------------------------------------------------------------- 
/ucode_collection/cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver0000003C_2019-07-22_PRD_5BBF33D5.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000040_2020-02-27_PRD_2FC3D618.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000044_2020-10-23_PRD_4682D493.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin -------------------------------------------------------------------------------- 
/ucode_collection/cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506C9_plat03_ver00000046_2021-05-10_PRD_EF971B58.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000008_2017-11-22_PRD_32F41375.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.dec: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000000C_2018-05-11_PRD_ACEA9DD5.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000010_2018-09-20_PRD_C2DD4FDC.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000016_2019-03-01_PRD_A1AC5A6B.bin.dec -------------------------------------------------------------------------------- 
/ucode_collection/cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001A_2019-07-22_PRD_71479BDE.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001C_2019-08-12_PRD_D83D9090.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver0000001E_2020-02-27_PRD_F8A4D999.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000020_2020-10-23_PRD_C4E546D7.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin -------------------------------------------------------------------------------- 
/ucode_collection/cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506CA_plat03_ver00000024_2021-05-10_PRD_AB75708E.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F0_plat01_ver00000010_2016-06-07_PRD_4ED9573A.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.dec: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000020_2017-11-22_PRD_1B275D2A.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000024_2018-05-11_PRD_A1B0E19C.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver0000002A_2019-02-11_PRD_40664937.bin.dec -------------------------------------------------------------------------------- 
/ucode_collection/cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver0000002E_2019-03-21_PRD_4F7008D6.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000032_2020-03-07_PRD_6538E5EA.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000034_2020-10-23_PRD_1E364CDF.bin.dec -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin -------------------------------------------------------------------------------- /ucode_collection/cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.dec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/cpu506F1_plat01_ver00000036_2021-05-10_PRD_60ADB6C8.bin.dec -------------------------------------------------------------------------------- /ucode_collection/m_03_506ca_00000022.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/m_03_506ca_00000022.bin -------------------------------------------------------------------------------- /ucode_collection/m_03_506ca_00000022.bin.dec: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pietroborrello/CustomProcessingUnit/4237524fe7545c66e42dd986113f220662c06f6a/ucode_collection/m_03_506ca_00000022.bin.dec --------------------------------------------------------------------------------