Open MatthewTingum opened 9 months ago
I found a server produced by another company that does HDT similar to that of SUN Microsystems. They do it on a more modern EPYC processor.
You may already know this, its server-side source code is recently available on the internet.
Interesting. I didn't know that.
I'm a little confused about what "server-side source code" means.
To pedantically describe my view:
You're talking about server-side source code. I'm making some assumptions and connecting some dots.
If you're suggesting something like that, I don't care to know. I want to avoid leaks as best I can. The device that got me interested in HDT is either locked down by something at the "HDT 2.0" level or disabled by efuse. I'm hoping to use blind voltage glitching or some other method to re-enable it.
I'm a little confused about what "server-side source code" means.
Below is a diagram for further clarification: AFAIK, the HDT "Client" is able to check the lock without an internet connection. But unlocking will require an internet connection.
Interesting. From that diagram, it looks like we just talk some HDT protocol at the end of the day. The only thing that locks one out is the lack of knowledge of the protocol. I've seen JTAG password protection but nothing quite like this. If a password were required, one could just sniff it at the raw JTAG level. Of course, you'd need a contract to get this far. Glitch your way in and you'd at least have a hash of the password or some knowledge of the key. Unless they've implemented some kind of encryption between the target and the network (which I assume to be Web-Service->Desktop->Probe->Target).
I've been working on more profit-motivated projects so I haven't delved very deep yet (into v1 HDT). This is interesting.
FYI, recently, someone published a paper about HDT+. Unfortunately, it's paywalled, but its references are freely available.
Undocumented Debug Interface HDT of Modern AMD CPUs (Bulat N. Zagartdinov @vairelt, 2024) https://ieeexplore.ieee.org/document/10468135
Neato. Haven't read yet. Anything good or just a regurgitation of things we already know?
I jumped back on this project a few days ago. Would be nice to skip the groundwork.
Nevermind. I purchased the document. It's interesting but ultimately a big nothing. We're doing more interesting work here...
FYI, recently, someone published a paper about HDT+. Unfortunately, it's paywalled, but its references are freely available.
Undocumented Debug Interface HDT of Modern AMD CPUs (Bulat N. Zagartdinov @Vairelt, 2024) https://ieeexplore.ieee.org/document/10468135
What would you like to know about HDT? I learned how to use this processor interface on an Epyc7313 and one of these days I will try to unlock the interface using a glitch attack.
That's my entire infatuation. Unlock HDT via glitching. I don't think there's anything I want to learn.
Or rather anything I don't know already. I can load up the instruction cache with a small program I want to execute on the target processor. This is good enough for me and possibly the most significant thing one can do with HDT.
The question becomes whether or not this can be leveraged on a live system. Can I manipulate a live system such that I can interfere with normal user operations?
@Vairelt If that was your paper, you completely missed the mark.
The question becomes whether or not this can be leveraged on a live system. Can I manipulate a live system such that I can interfere with normal user operations?
If you have an HDT client, you can debug the entire working system in an unlocked HDT state. There is also the possibility of debugging the PSP core. Without a client, it is almost impossible.
@Vairelt I went off for no good reason. Sorry :(
Some time ago a PSP virtualization utility was leaked. To my knowledge, Zammis dropped it in a small Xbox One hacking community. Word has it that the utility resurfaced with gigaleak. Several media outlets reference it. I refuse to work on leaks but it's probably out there.
What does debugging entail? If I get HDT access to a machine can I modify registers? Can I manipulate memory? And more importantly, can I do it live?
Debugging on a live system is possible. Debugging of the x86/AMD64 core is carried out by the PDM unit. Here are some supported commands: General Purpose Register Read/Write, Special Register Read/Write, MSR read/write, Write byte/word/double word to memory/IO port, read CPUID.
There are some claims that HDT protocol changed around 2012. A discussion on this board suggests that HDT might have been locked down after 2012. I found a server produced by another company that does HDT similar to that of SUN Microsystems. They do it on a more modern EPYC processor. To me, this suggests that some modern processors are "unlocked". You can still talk HDT without problem. The protocol might have changed though.
Might start here https://patents.justia.com/patent/7665002 I've archived a link of that patent here.