Disclaimer

All information is provided for educational purposes only. Follow these instructions at your own risk. Neither the authors nor their employer are responsible for any direct or consequential damage or loss arising from any person or organization acting or failing to act on the basis of information contained in this page.

Content

Description
Usage
Research Team
License

Description

The microcode patch parser for Atom Goldmont is a tool making the textual representation of the microcode patch data. The patch itself represents binary data processed by a special routine in microcode ROM. The address of the routine for Goldmont in MS ROM is U1ea6. We called the routine patch_runs_load_loop. If you study the routine you will see that the microcode patch is simply a sequence of calls to a fixed set of other routines in MS ROM, each identified by its numeric ID. This ID starts each sequence of the calls in the patch and after 4-bytes ID there placed the binary arguments for the called routine. The patch processing routines start from address U226c in MS ROM with step 4 uops (one uops tetrad), so the the routine identified by ID 0 is at U226c, by ID 1 is placed at U2270. The number of arguments varies for each routine. The calls sequence (and the ucode patch itself) ends with special call ID - 0.

We identified the base set of the patch processing routines, reverse engineered the purpose of each those routines and the number of their arguments and in our tool generate the text representation of the calls to routines: write the text description of the routine's operation and its arguments from the patch. For routines processing microoperations patching MS ROM (sent to MS Patch RAM) we perform their disassembling in-place so in the resulted text file you can see the uops in the text form. The parser tool imports our ucode disassembler for Goldmont so it must be accessible from Python import paths. Also, in the verbose mode the tool saves pcode patch data in binary form (firmware for P-unit, a power management controller for CPU) which is also contained in the microcode patch.

Our ucode patch parser script supports special verbose mode which can be specified by "-v" option. In this verbose mode the tool accumulates all the microcode related data (the values for Match/Patch registers, Sequence Words and uops) and forms three text files (ms_array2/3/4) which can be used by ucode disassembler to make the full ucode listing corresponding to the ucode patch (you can simply replace the files read from MS LDAT in runtime and use these new in disassembler).

Please note that you must run the parser for decoded patch data (by our Micrcode Decryptor) and not for original which is encrypted.

Usage

glm_ucode_patch_parser.py
Usage: glm_ucode_patch_parser <decoded_patch_path> [-v]

Example:

glm_ucode_patch_parser.py cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.dec -v
File [cpu506C9_plat03_ver00000038_2019-01-15_PRD_99AA67D7.bin.dec] processed

Research Team

Mark Ermolov (@_markel___)

Maxim Goryachy (@h0t_max)

Dmitry Sklyarov (@_Dmit)

License

Copyright (c) 2021 Mark Ermolov, Dmitry Sklyarov at Positive Technologies and Maxim Goryachy (Independent Researcher)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.