x86-JTAG-Open-Research / x86-JTAG-Information


Document modern HDT #8

Open MatthewTingum opened 9 months ago

MatthewTingum commented 9 months ago

There are some claims that the HDT protocol changed around 2012. A discussion on this board suggests that HDT might have been locked down after 2012. I found a server produced by another company that does HDT similar to that of Sun Microsystems. They do it on a more modern EPYC processor. To me, this suggests that some modern processors are "unlocked". You can still talk HDT without problem. The protocol might have changed though.

Might start here https://patents.justia.com/patent/7665002 I've archived a link of that patent here.

Necrosys commented 9 months ago

I found a server produced by another company that does HDT similar to that of Sun Microsystems. They do it on a more modern EPYC processor.

You may already know this, its server-side source code is recently available on the internet.

MatthewTingum commented 8 months ago

Interesting. I didn't know that.

I'm a little confused about what

server-side source code

means.

To pedantically describe my view:

You're talking about server side source code. I'm making some assumptions and connecting some dots.

If you're suggesting something like that, I don't care to know. I want to avoid leaks as best I can. The device that got me interested in HDT is either locked down by something at the "HDT 2.0" level or disabled by efuse. I'm hoping to use blind voltage glitching or some other method to re-enable it.

Necrosys commented 8 months ago

I'm a little confused about what

server-side source code

means.

Below is a diagram for further clarification: Overview_BMC_HDT. AFAIK, the HDT "Client" is able to check the lock without an internet connection, but unlocking will require an internet connection.

MatthewTingum commented 8 months ago

Interesting. From that diagram, it looks like we just talk some HDT protocol at the end of the day. The only thing that locks one out is the lack of knowledge of the protocol. I've seen JTAG password protection but nothing quite like this. If a password were required, one could just sniff it at the raw JTAG level. Of course, you'd need a contract to get this far. Glitch your way in and you'd at least have a hash of the password or some knowledge of the key. Unless they've implemented some kind of encryption between the target and the network (which I assume to be Web-Service->Desktop->Probe->Target).

I've been working on more profit-motivated projects so I haven't delved very deep yet (into v1 HDT). This is interesting.
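The "sniff it at the raw JTAG level" idea above, as an added example that is not part of the original thread or of the x86-JTAG-Open-Research project: a decoder that takes TMS/TDI/TDO samples recorded on each rising TCK edge (what a logic analyzer clipped onto the debug header would give you), walks the IEEE 1149.1 TAP state machine, and recovers every value shifted through the instruction and data registers. The capture is constructed by a small probe model inside the block; the 8-bit IR opcodes, the 32-bit "password" register and the target's replies are hypothetical and say nothing about what HDT actually sends.

```python
"""Recover IR/DR scans from a raw JTAG capture (added example, constructed data).

The TAP state table is the standard IEEE 1149.1 one. Everything the probe
model sends (opcodes 0x2A / 0x01, the 0xDEADBEEF "password", the replies)
is a hypothetical stand-in for whatever a real HDT probe would shift.
"""
from dataclasses import dataclass
from typing import List, Tuple

# state -> (next state when TMS=0, next state when TMS=1), per IEEE 1149.1
TAP_NEXT = {
    "TLR":   ("RTI",   "TLR"),   # Test-Logic-Reset
    "RTI":   ("RTI",   "SELDR"), # Run-Test/Idle
    "SELDR": ("CAPDR", "SELIR"),
    "CAPDR": ("SHDR",  "EX1DR"),
    "SHDR":  ("SHDR",  "EX1DR"),
    "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"),
    "EX2DR": ("SHDR",  "UPDR"),
    "UPDR":  ("RTI",   "SELDR"),
    "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR",  "EX1IR"),
    "SHIR":  ("SHIR",  "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"),
    "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR",  "UPIR"),
    "UPIR":  ("RTI",   "SELDR"),
}


@dataclass
class Scan:
    kind: str     # "IR" or "DR"
    length: int   # number of bits shifted
    tdi: int      # value the probe shifted in (first bit on the wire = bit 0)
    tdo: int      # value the target shifted out, same bit order


def bits_to_int(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def decode_capture(samples) -> List[Scan]:
    """samples: iterable of (tms, tdi, tdo), one tuple per rising TCK edge."""
    state = "TLR"            # five TMS=1 clocks force TLR from anywhere
    scans: List[Scan] = []
    tdi_bits: List[int] = []
    tdo_bits: List[int] = []
    for tms, tdi, tdo in samples:
        # In Shift-IR/Shift-DR the register shifts on this edge, including
        # the edge whose TMS=1 leaves the state, so record before moving.
        if state in ("SHDR", "SHIR"):
            tdi_bits.append(tdi & 1)
            tdo_bits.append(tdo & 1)
        state = TAP_NEXT[state][tms & 1]
        if state in ("UPDR", "UPIR"):
            kind = "DR" if state == "UPDR" else "IR"
            scans.append(Scan(kind, len(tdi_bits),
                              bits_to_int(tdi_bits), bits_to_int(tdo_bits)))
            tdi_bits, tdo_bits = [], []
        elif state == "TLR":
            tdi_bits, tdo_bits = [], []   # reset discards a half-done shift
    return scans


def probe_scans(scans: List[Tuple[str, int, int, int]]):
    """Model of a probe driving (tms, tdi, tdo) from TLR, returning to RTI
    after every scan. tdo is what the constructed target answers in-scan."""
    out = [(1, 0, 0)] * 5 + [(0, 0, 0)]
    for kind, length, tdi_val, tdo_val in scans:
        assert length > 0
        # RTI -> Select-DR [-> Select-IR] -> Capture -> Shift
        out += [(t, 0, 0) for t in ([1, 1, 0, 0] if kind == "IR" else [1, 0, 0])]
        for i in range(length):
            last = 1 if i == length - 1 else 0       # TMS=1 on the final bit
            out.append((last, (tdi_val >> i) & 1, (tdo_val >> i) & 1))
        out += [(1, 0, 0), (0, 0, 0)]                # Exit1 -> Update -> RTI
    return out


def pair_scans(scans: List[Scan]) -> List[Tuple[int, Scan]]:
    """Attach each DR scan to the IR opcode in force when it happened."""
    pairs, ir = [], None
    for s in scans:
        if s.kind == "IR":
            ir = s.tdi
        else:
            pairs.append((ir, s))
    return pairs


def sniff_demo() -> List[Scan]:
    # Hypothetical session: opcode 0x2A selects an "unlock" register, the
    # probe shifts a 32-bit password and the target answers status 1; then
    # opcode 0x01 reads a 32-bit ID-like register (all values constructed).
    capture = probe_scans([("IR", 8, 0x2A, 0x00),
                           ("DR", 32, 0xDEADBEEF, 0x00000001),
                           ("IR", 8, 0x01, 0x00),
                           ("DR", 32, 0x00000000, 0x1234ABCD)])
    return decode_capture(capture)


if __name__ == "__main__":
    for opcode, dr in pair_scans(sniff_demo()):
        print(f"IR=0x{opcode:02x} DR[{dr.length}] in=0x{dr.tdi:08x} out=0x{dr.tdo:08x}")
```

Every value a probe pushes over TDI, and every reply on TDO, is visible to the decoder; that is the point of the comment above: a plain password would be recovered from the first DR scan. A challenge-response or encrypted exchange between probe and target changes only what the recovered DR contents mean, not whether they can be captured. Real captures also need the idle-clock and Pause-state paths, which the state table already handles.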

Necrosys commented 4 months ago

FYI, recently, someone published a paper about HDT+. Unfortunately, it's paywalled, but its references are freely available.

Undocumented Debug Interface HDT of Modern AMD CPUs (Bulat N. Zagartdinov @vairelt, 2024) https://ieeexplore.ieee.org/document/10468135

MatthewTingum commented 4 months ago

Neato. Haven't read yet. Anything good or just a regurgitation of things we already know?

MatthewTingum commented 4 months ago

I jumped back on this project a few days ago. Would be nice to skip the groundwork.

MatthewTingum commented 4 months ago

Nevermind. I purchased the document. It's interesting but ultimately a big nothing. We're doing more interesting work here...

Vairelt commented 4 months ago

FYI, recently, someone published a paper about HDT+. Unfortunately, it's paywalled, but its references are freely available.

Undocumented Debug Interface HDT of Modern AMD CPUs (Bulat N. Zagartdinov @Vairelt, 2024) https://ieeexplore.ieee.org/document/10468135

HDT+.pdf

What would you like to know about HDT? I learned how to use this processor interface on an Epyc7313 and one of these days I will try to unlock the interface using a glitch attack.

MatthewTingum commented 4 months ago

That's my entire infatuation. Unlock HDT via glitching. I don't think there's anything I want to learn.

MatthewTingum commented 4 months ago

Or rather anything I don't know already. I can load up the instruction cache with a small program I want to execute on the target processor. This is good enough for me and possibly the most significant thing one can do with HDT.

MatthewTingum commented 4 months ago

The question becomes whether or not this can be leveraged on a live system. Can I manipulate a live system such that I can interfere with normal user operations?

MatthewTingum commented 4 months ago

@Vairelt If that was your paper, you completely missed the mark.

Vairelt commented 4 months ago

The question becomes whether or not this can be leveraged on a live system. Can I manipulate a live system such that I can interfere with normal user operations?

If you have an HDT client, you can debug the entire working system in an unlocked HDT state. There is also the possibility of debugging the PSP core. Without a client, it is almost impossible.

MatthewTingum commented 4 months ago

@Vairelt I went off for no good reason. Sorry :(

Some time ago a PSP virtualization utility was leaked. To my knowledge, Zammis dropped it in a small Xbox One hacking community. Word has it that the utility resurfaced with gigaleak. Several media outlets reference it. I refuse to work on leaks but it's probably out there.

MatthewTingum commented 4 months ago

What does debugging entail? If I get HDT access to a machine can I modify registers? Can I manipulate memory? And more importantly, can I do it live?

Vairelt commented 4 months ago

Debugging on a live system is possible. Debugging of the x86/AMD64 core is carried out by the PDM unit. Here are some supported commands: General Purpose Register Read/Write, Special Register Read/Write, MSR read/write, Write byte/word/double word to memory/IO port, read CPUID.