Debug Mode Lurking Inside AMD Chips

Looks like some hardware enthusiasts have worked out a method to enable debug mode within AMD processors. The original site isn’t loading for us, but the text has been mirrored in this comment. Getting the chip into debug mode requires access passwords on four control registers. We’ve read through the writeup, but without pulling out a datasheet to make sense of the registers being manipulated it means very little to us. It shouldn’t be hard to find an old AMD system to try this out on. We’d love to hear about anything you do with this debug system.

[via Slashdot]

50 thoughts on “Debug Mode Lurking Inside AMD Chips”

    1. heh, Ah’ll stick ta mah texan born pc ‘muscle’ thanks, yall kin keep yer yankee intel crap ah’d rather run mah phenom955be an’ be a little slower at multitaskin, than pay out $$$ fer some yankee intel crapbox. all may pc parts’re made in the good ol’ south an’ ah like it that way.

  1. Ok, before we get into a flame war… It all boils down to personal preference.

    Anyway. Interesting article, not sure how a casual computer programmer/tinkerer would use the debug mode. If I had to guess I would say AMD probably included it for checking of the chips at ship time.

  2. I wonder if this will be used to lead to faster cracking on DRM’d things. I could easily imagine this becoming a WILDLY popular method to hack.

    For example:

    I know that some encrypted thing which is deleted from memory ends with 0xdeadbeef. Now all I have to do is set the debug point to trip on 0xdeadbeef, which should let the whole decryption routine run, then grab all the bits I want out of memory!

    And if this is a seeeecret debug mode, does that mean that it won’t look like the processor is in debug mode when it happens? Thus further serving as a function to break DRM?

    This is very cool! Looking forward to where it leads.

  3. @xorpunk Since this is on the CPU die doing an exhaustive test of all possible passwords would be trivial and incredibly fast. The only information which needed to “leak” was the existence of a password and what register it needed to be in and some approximate information about its effects.

    … granted all three of those conditions would require some people in the know to have leaked *some* info, you have to remember they probably have to give this information to people like Microsoft for kernel debugging in addition to any contractor willing to sign a super-strict NDA. Eventually someone was bound to let the little bit needed out.

    But for example, this hack was someone just waiting for what the *name* of the registers he already knew about were. There are a ton of debugging features on this chip which are known, but it’s completely unknown what the names and exact functions of these are. That’ll be up to the CPU hackers!

    Can’t wait to see this implemented in GDB or something similar

  4. say i want a six-core desktop cpu, 3ghz or higher.. i can go the $800 route (Intel)
    real tough decision here. so they have half the L3 cache and are 45nm as opposed to 32nm.
    Thermal design power 125w vs 130w. code name Thuban vs. Gulftown. 6x512kb l2 cache as opposed to 6x256kb or nonexistent l2 cache.
    $200-$229 vs $879-$1K. i could build a decent computer for that price difference. $650, that’s more than i spent on mine, and i bought a spare processor just in case i cooked the first one. AMD all the way.
    if AMD had a slogan, it would be FTW.. like E A sports, “get in the game”
    it would be like: A M D, “For the Win”

  5. Wow, some people are really trying too hard to make this devolve into an all out Intel vs. AMD thread.

    I don’t see why someone finding the ‘debug’ registers is drawing so much attention. I could be missing something or misinterpreting a bunch of stuff, but back in the days of the Pentium Pro, there were debug capabilities built into the processor and Machine Check Architecture. Over the years, I would expect features to grow in both Intel and AMD processors. From my perspective, someone just read a datasheet/whitepaper/appnote/user manual/user guide/etc. and just rediscovered something that was already known. I’ll keep an eye on the original page (when up) to see if my interpretation is way off.

  6. The actual magic value has been known for a long time, he just figured out what one of the coded MSRs is actually useful for. I could see break on access within a page being useful but I can do the same thing with page flags. Stop talking about amd vs intel, kiddies.

  7. What’s this useful for, and why would AMD password-protect it? Would it allow you to re-enable high-end features that were disabled to down-spec a processor, or something? Does AMD even do that? What do they have to gain by hiding debugging features that would presumably allow developers to write better-optimized code for their architectures?

  8. @lan: still though either someone spent a long time brute forcing, or an employee leaked it. I doubt anyone chip-hacked an athlon at this level.

    All these undocumented MSRs (the ones with names) look useless. You can’t use the debug ones for any current RCE or self-debug DRM (even in ring0). They might work for kernel devs to some capacity.

    It’s sad no one has even bothered investigating the unknown ones after all these years. There might be a CPUID that can be mapped ^^

  9. @jeditalian

    Yep, but that 6 Core AMD CPU performs like a low end Intel Quad core… So you really aren’t gaining anything at all…

    Simply put:

    If you want the absolute best performance, go Intel, if you just want to brag about having 6 cores in your PC while barely using 4 of those cores, go AMD.

    You get what you pay for… The same goes with ATI and their video cards.

  10. I love CPU easter eggs. If you have K8, query this:

    mov eax,8FFFFFFFh   ; undocumented CPUID leaf
    cpuid               ; result string is spread across eax, ebx, ecx, edx

    If you’re lucky, registers eax, ebx, ecx and edx should return “IT’S HAMMER TIME”. Some of the earlier families (K6 I believe) might return other strings.
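An added example, not the commenter’s code: a small C program that issues the CPUID leaf above and decodes the four result registers into the 16-byte string they may carry, hexdump style, since on anything but a K8 the bytes are usually not printable. It assumes an x86/x86-64 build with GCC or Clang (the `<cpuid.h>` header).

```c
/* Added example, not the commenter's code: query undocumented CPUID
 * leaf 0x8FFFFFFF and decode the four result registers.
 * Assumes an x86/x86-64 build with GCC or Clang (<cpuid.h>). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* CPUID string leaves pack 4 little-endian bytes per register, in the
 * order EAX, EBX, ECX, EDX (leaf 0's vendor string is the exception,
 * ordered EBX, EDX, ECX). */
static void regs_to_string(uint32_t eax, uint32_t ebx, uint32_t ecx,
                           uint32_t edx, char out[17])
{
    uint32_t regs[4] = { eax, ebx, ecx, edx };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)((regs[i] >> (8 * b)) & 0xffu);
    out[16] = '\0';
}

/* Runs CPUID leaf 0x8FFFFFFF (unprivileged; CPUID never faults in user
 * mode). Returns 1 and fills out[] on x86, 0 with out[] empty elsewhere.
 * Anything but a K8 usually echoes its highest standard leaf or zeros. */
static int query_easter_egg(char out[17])
{
#ifdef HAVE_CPUID
    unsigned int a, b, c, d;
    __cpuid(0x8FFFFFFFu, a, b, c, d);
    regs_to_string(a, b, c, d, out);
    return 1;
#else
    out[0] = '\0';
    return 0;
#endif
}

int main(void)
{
    char s[17];
    if (!query_easter_egg(s)) { puts("not an x86 build"); return 0; }
    for (int i = 0; i < 16; i++) printf("%02x ", (unsigned char)s[i]);
    putchar('|');  /* text column; a K8 is reported to read IT'S HAMMER TIME */
    for (int i = 0; i < 16; i++) putchar(s[i] >= 0x20 && s[i] < 0x7f ? s[i] : '.');
    puts("|");
    return 0;
}
```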

  11. So much trolling :) Those pics were RIGHT after Intel incorporated thermal throttling in their CPUs, while AMD took a while longer. The thing is that the first Intel Pentium 4 CPUs were so bad that they would throttle after 5 minutes into a game, quartering the frame-rate WITH NO WAY TO TURN OFF THERMAL THROTTLING!
    But ah well, trolls will be trolls, investment fallacy and all that…

  12. Chuckt, you do see that the newest CPU in that video was a Pentium 4 Northwood? It’s REALLY old, AMD has long ago fixed the problems they had with their thermal diodes. I had a fan fail once on an Athlon XP T-Bred and the application failed; after a new fan it ran just fine. Also tried running one without a CPU cooler on at all and it just crashed mid-boot and would power up again and crash when it reached a too high temp…

  13. @m1ndtr1p
    so are you saying that if i want a quad-core AMD i should buy a 6 core? i have no use for the extra cores anyway, i would be fine with a dual-core, have a single core from 2005-6 and if i were really going to spend around 200 on a cpu i would get the http://www.newegg.com/Product/Product.aspx?Item=N82E16819103727 because if the extra cores aren’t going to be taken advantage of, why would i go for 6 at 3.2 when i can have 4 at 3.4, which is 1ghz faster than the 1 core i’m currently working with.
    anyway, i choose whatever’s cheapest, because i don’t make over $1k/week like some people. if non-celeron intel chips were more affordable than an equally/lesser rated non-sempron AMD cpu then i would go intel.
    i do prefer the feel of any computer with intel inside, with the exception of celeron, but as far as recent cpu’s my experience has only been sempron, turion, celeron, dual-core pentiums, and i3 370m. sempron/celeron=h8 and the one turion i dealt with= fail. dual-core pentium desktop built the same time as mine=better. the pentium and i3 370m laptops were awesome, sempron laptop blew donkeyballs and celeron just blows no matter what.
    and i still haven’t figured out this debug shit. is this something i do inside or outside of windows/linux? in or out of a motherboard? just skimming over that page i have no idea what’s going on. “If you own a 64-bit AMD processor, please DO check and report any differences.” that’s what i want to do, but there don’t seem to be any instructions for dummies.

  14. I saw this on Slashdot.
    From the comments there, apparently you have to enable it at the OS level, i.e. in-kernel.

    For Linux, that’d be trivial (write and load a kernel module), but I don’t know if you can do that on Windows. (Probably.)

    As for what it’s good for: probably not much. Apparently it’s for debugging the CPU/microcode itself, not what’s running on it.

  15. @jeditalian

    Use whatever you need, I was merely speaking in terms of pure performance… If a dual core is all you need then that’s what you should get. But as it stands, not many applications are able to fully use 6 cores, hell most have a hard time fully using 4, gaming is the same thing, while some games do take advantage of 4 cores, the majority of the time they’re only 25%-50% stressed so you’re really only using 2 cores max even though it shows all 4 cores being used…

    As far as pure speed (IE: Ghz) is concerned, you can’t compare Intel’s clock speed to AMD’s as they’re both different architectures, it would take a 3.4 Ghz AMD CPU to compete with a 2.6 – 2.8 Ghz Intel CPU using the same amount of cores (on average, depending on the processor obviously)… But like I said, if a dual core is more than enough for whatever you use your PC for, a quad core or 6 core CPU would be way overkill.

  16. Can we get back on track?

    Anyways if I understand correctly it is a feature included in their chip but is not part of the standard x86 architecture. Therefore I conclude the reason they have not made it open is that they would be creating a new processor architecture and standard x86 operating systems couldn’t access it, so they put it in thinking one day someone will crack it and use the added function. But I see no use.

  17. That makes sense. Options that are nonstandard are unsupported. If it’s password protected, then they don’t have to worry about people asking questions and trying to support it when its original purpose is in house only that the engineers used.

  18. to add
    there may have been more debug features like this during the prototype stage in developing the chip
    with the final revision with just a few of these features to debug it and make sure that it works correctly before they ship it out.
    It works well, then start mass producing.
    There is no need to debug it any further.
    They are selling you a CPU to use to process software and not to debug the chip.

  19. I saw a (TED talk I think it was) video and it was explained that ALL chips/CPU’s basically have debug stuff, it’s the only way to test them really, but some companies try various ways to disable it before shipping but it’s always there, and yes also in final released versions since it’s in the design and on the die and you can’t wish that away nor do you want to, it’s part of the whole process of making and designing chips.

  20. The question I’d like answered: What is the use to be able to debug the chip?

    Please forgive me, I’m the kind of hacker who makes simple products work like much more expensive ones, not deep hardware as this is.

  21. @Avaviel: I doubt very much these debug facilities will be able to unlock performance features in the chip… although, you never know, as some of the debug features are undocumented. For the moment we can only assume that the feature is most likely used for in-house verification purposes, possibly a way to diagnose design problems, internal monitoring subsystems, and so on.

  22. STFU with the Intel vs AMD stuff, fucking n00bs.

    On-topic: I don’t see how this might be useful to us. I mean, why would I want to debug the silicon/microcode? But it might be really useful for people trying to find vulnerabilities in these CPUs or people reverse-engineering them – say Intel.

  23. @t&p that would make sense but in that case this would be useless and I would think it would cost a significant amount of money to incorporate this in so why would they not just remove this? Unless they left it in to see what would be wrong with a returned chip because it apparently didn’t work. Either way unless it aids in development of new software or hardware we probably should forget about it

  24. This seems like a clear-cut way to defeat personal encryption on a hardware level (as others have suggested). I wonder if there’s any way to tell if it’s being used already?

    Mike

  25. as for the video- i used to have an athlon xp 2600+, one of those fragile, exposed-die deals. i booted it up using my finger as the heat sink once. you really should try it, gives you superpowers!
    actually, i did this AFTER breaking the die and BEFORE making it into a keychain. if the die isn’t chipped, i don’t know if you will get the sparks and burnt flesh effect, the rectangle fingerprint tattoo, or the superpowers. it didn’t cook the mobo though.

  26. @Will
    In the post the dude talks about how the 4th debug option is “dangerous” so I guess it can mess your chip up or brick it in the firmware or something. These commands were left in at the last minute for testing the final version. Programmers do this too in many types of software. It is to debug the chip only. These debug commands would not be great to test software. They are nothing more than just hacks to make sure the product works. It was “passworded” not because it gives info about AMD’s intellectual property, but so that you don’t use it, because that is not really the function of the chip and you could mess it up. It was just a last minute test.

  27. Cool that these things are still being discovered. I think that the value of this will wind up being purely academic, ie: no major value in the real world, but I don’t really know much about processors or debugging. Still, these kinds of articles make interesting reading.

    As far as the debate on which hardware is better, such arguments are purely academic, and childish. Intel chips are better at some things, AMD chips are better at some things. Same with ATI & Nvidia GPU’s.. You can continue that argument with PC vs. Mac, XBOX vs. PS3, iPhone vs. Android vs. Blackberry.. hell, any consumer product will fall into this category. The simple sad fact that almost everyone seems to miss, is that you already know which product is better, but it’s not necessarily better for everyone. Every end user has his or her own specific needs or wants, and the different products fill those different roles.

    Anyone remember the Cyrix line of CPU’s? Enough said.

  28. @Moxion69 If I remember correctly Cyrix was bought (?) by via which continues to produce x86 CPUs.

    Could this possibly be used to change the microcode of the CPU?

    HAD can you guys do a follow up on this once more information becomes available.

    Anyone know of features like this for Intel CPUs?

  29. A CPU debug mode might be needed to debug CPU microcode. So I think it will be possible to execute microcode stepwise and read or change the states of internal calculation units while CPU debug mode is enabled. AMD would not keep those internals secret if there is no possibility to misuse them. I am quite sure you can enter ring 0 in debug mode, even if you are not a privileged user. You could even stop the CPU and change microcode on the fly if you know what you are doing. But don’t expect an easy hack. You will need a lot of knowledge about the internals of the CPU. Without a complete manual hacking the CPU debug mode will be a very complex task. Get a microcode manual first (if there is any in the wild).

  30. @t&p that’s why I said unless it aids in the development it is useless to us. and i missed that the 4th option is dangerous, but it probably will just reset the chip to full factory condition (i wonder what that would do anyways) or, as you said, brick it.

    @Moxion69 i see no academic use even. so the chip has some debug feature. we have absolutely no use for that. well, unless it could aid in hardware problems of the motherboard it is installed on (which is unlikely lol im just coming up with stuff on the go that this could be used for)
