I research the security of Intel platforms. I don't work for Intel.

Joined September 2014
Pinned Tweet
Finally, the casket is opened: we (@h0t_max and @_Dmit) have extracted Intel x86 microcode! One more piece of Intel "top secret" information gets revealed... github.com/chip-red-pill/glm…
Mark Ermolov retweeted
BTW, I still keep updating the VMX capabilities table at pulsedbg.com/vmx.html. Check out the new features for Panther Lake CPUs.
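A practitioner who wants to check a CPU against a VMX capabilities table needs to decode the control MSRs correctly: per the Intel SDM, each IA32_VMX_*_CTLS MSR carries the "allowed 0-settings" in bits 31:0 (a 1 bit means the control must be 1) and the "allowed 1-settings" in bits 63:32 (a 1 bit means the control may be 1), while bit 55 of IA32_VMX_BASIC says whether the TRUE_* variants exist. The following C program is an added example (not code from the pulsedbg table or from the original post); the MSR values it decodes are constructed, and the optional live read assumes Linux's /dev/cpu/N/msr device with root privileges.

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

/* MSR indices from the Intel SDM (Vol. 4). */
#define IA32_VMX_BASIC               0x480u
#define IA32_VMX_PROCBASED_CTLS      0x482u
#define IA32_VMX_PROCBASED_CTLS2     0x48Bu
#define IA32_VMX_TRUE_PROCBASED_CTLS 0x48Eu

/* Constructed sample values (not measured on any CPU, not from the page). */
static const uint64_t SAMPLE_VMX_BASIC     = 0x00DA040000000011ULL;
static const uint64_t SAMPLE_PROCBASED_CTLS = 0xFFF9FFFE0401E172ULL;

enum vmx_ctl_state { VMX_CTL_UNSUPPORTED = 0, VMX_CTL_OPTIONAL = 1, VMX_CTL_FORCED_ON = 2 };

/* Low half: bits that must be 1; high half: bits that may be 1. */
uint32_t vmx_allowed0(uint64_t ctl_msr) { return (uint32_t)(ctl_msr & 0xFFFFFFFFu); }
uint32_t vmx_allowed1(uint64_t ctl_msr) { return (uint32_t)(ctl_msr >> 32); }

/* Classify one control bit of a VMX control MSR. */
int vmx_ctl_state(uint64_t ctl_msr, unsigned bit)
{
    unsigned a0 = (vmx_allowed0(ctl_msr) >> bit) & 1u;
    unsigned a1 = (vmx_allowed1(ctl_msr) >> bit) & 1u;
    if (!a1) return VMX_CTL_UNSUPPORTED;   /* may never be set */
    if (a0)  return VMX_CTL_FORCED_ON;     /* must always be set */
    return VMX_CTL_OPTIONAL;
}

/* A requested control word is valid iff it sets no unsupported bit and
 * clears no forced-on bit; VMX entry fails otherwise. */
int vmx_ctls_valid(uint64_t ctl_msr, uint32_t want)
{
    return (want & ~vmx_allowed1(ctl_msr)) == 0 &&
           (vmx_allowed0(ctl_msr) & ~want) == 0;
}

uint32_t vmx_basic_revision(uint64_t basic)    { return (uint32_t)(basic & 0x7FFFFFFFu); }
uint32_t vmx_basic_vmcs_size(uint64_t basic)   { return (uint32_t)((basic >> 32) & 0x1FFFu); }
int      vmx_basic_has_true_ctls(uint64_t basic) { return (int)((basic >> 55) & 1u); }

/* Live read through the Linux msr driver (needs root; offset = MSR index).
 * Returns 0 on success, -1 if the device is unavailable. */
int read_msr(unsigned cpu, uint32_t index, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%u/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, (off_t)index, SEEK_SET) == (off_t)index &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

static const char *state_name(int s)
{
    return s == VMX_CTL_FORCED_ON ? "forced on" : s == VMX_CTL_OPTIONAL ? "optional" : "unsupported";
}

int main(void)
{
    uint64_t basic = SAMPLE_VMX_BASIC, proc = SAMPLE_PROCBASED_CTLS;
    const char *src = "constructed sample";
    if (read_msr(0, IA32_VMX_BASIC, &basic) == 0 &&
        read_msr(0, IA32_VMX_PROCBASED_CTLS, &proc) == 0)
        src = "live /dev/cpu/0/msr";

    printf("source: %s\n", src);
    printf("VMCS revision 0x%x, VMCS size %u bytes, TRUE_* ctls: %s\n",
           vmx_basic_revision(basic), vmx_basic_vmcs_size(basic),
           vmx_basic_has_true_ctls(basic) ? "yes" : "no");
    /* Bit names per the SDM's primary processor-based VM-execution controls. */
    printf("HLT exiting (bit 7):          %s\n", state_name(vmx_ctl_state(proc, 7)));
    printf("use TSC offsetting (bit 3):   %s\n", state_name(vmx_ctl_state(proc, 3)));
    printf("use MSR bitmaps (bit 28):     %s\n", state_name(vmx_ctl_state(proc, 28)));
    printf("activate secondary (bit 31):  %s\n", state_name(vmx_ctl_state(proc, 31)));
    return 0;
}
```

Note that the "forced on" bits differ between a CTLS MSR and its TRUE_* variant, which is exactly why a table that tracks them per CPU generation is useful: a VMM that hardcodes a control word from an older core can fail VM entry on a newer one.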
It seems Intel moved from the Foxton microcontroller to Tensilica Xtensa for P-unit firmware (pcode) in the newest server CPUs (Sapphire Rapids and Emerald Rapids, used in the Eagle Stream platform)...
I found the description of Intel Core CPU hardware straps and the way to override them using JTAG (without any physical rework).
Next are the most interesting:
EAR - CPU bringup stall in PCU fw
PHYSICAL_DEBUG_ENABLED - sets CONSET in DFX AGG
CFG_UNLOCK - activates NOA (Node Observation Architecture) bus in DFX Green
SAFE_MODE_BOOT - disables active state power management
In the era of AI, Intel will find it very difficult to hide its secrets...
What a huge field to research: the rdmsr microcode for desktop CPUs speculates that the CREGPLA entry (a data structure describing each MSR, hardcoded in HW and obtained via the MSR2CR uop) is valid! Below is a fragment of a CNL microcode simulation via the Archsim tool for the rdmsr instruction:
Mark Ermolov retweeted
🔥 Read the new article by our researcher Timofey Duditsky. The write-up dives into the AMD Platform Configuration Blobs mechanism, shows how it works, and reveals the vulnerability CVE-2025-54502. swarm.ptsecurity.com/slowbur…
Mark Ermolov retweeted
AMD has published Security Bulletin AMD-SB-7054 with my vulnerability CVE-2025-54502. There has been no feedback on my research (nor any mention of me), so I will publish my work as it is and as soon as possible.
Metal Unlock JTAG password for one of the very old Atoms...
Intel SGX has fallen! Its most important key is in our hands: we extracted the Global Wrapping Key from an instance of the Intel Gemini Lake platform.
This is made possible by executing arbitrary microcode on the DFX-locked system. And although this was a truly challenging task, we were able to do it after researching in detail the interaction between the PMC and the PUNIT.
Yes, Intel has declared this first SGX implementation obsolete and unsupported, but its fundamental break means that the HW Root of Trust approach is not unshakable. The full white paper is coming...
Mark Ermolov retweeted
Since I completely forgot to post on X this thing I did last year, I might as well quote someone else's post that mentions it :) Thanks @_markel___, your work actually helped a ton!
Hardware glitching masters have taken on Intel's microarchitecture - very, very cool! I'm so glad our work is contributing to research that was previously unimaginable. Research into hardware attacks on Intel processors has enormous potential... download.vusec.net/papers/mi…
I'm amazed at Intel's ability to downplay the severity of published vulnerabilities. They described CVE-2018-3640 (Rogue System Register Read) as simply an ASLR bypass, but this vulnerability in fact allows the CPU's internal CRBUS to be read (at least for the Goldmont/Plus uarch).
Using this vulnerability for the rdpmc instruction, we were able to read the SGX SVN Key - the first key derived from the Root Provisioning Key and Global Wrapping Key for the Gemini Lake platform, which is stored at internal control registers 0x2205 and 0x2206.
The reason why Intel will continue to dominate the server market is that server power efficiency is not determined by compute efficiency, but rather by the balance between idle power consumption and wake-up speed, which is something Intel excels at...
It confirms our previous assumptions (speculative micro-instruction execution), introduces a whole new class of Spectre attacks (uSpectre), and shows that a number of recent TE vulnerabilities (such as Rogue System Register Read) actually originate in the microcode...
Hardware glitching masters have taken on Intel's microarchitecture - very, very cool! I'm so glad our work is contributing to research that was previously unimaginable. Research into hardware attacks on Intel processors has enormous potential... download.vusec.net/papers/mi…
Finally, I was able to reliably answer the question of whether C6SRAM (which holds the CPU core context in the C6 power state) is connected in any way to L2: no, it is an independent SRAM.
In the screenshot below, after shutting down L2 via the PCU (reducing its voltage to 0), the L2 Machine Check bank (CR 0x385) immediately shows an error, but C6SRAM (the Staging Buffer in our paper for udbgrd/wr) is still working...