I'm incredibly pleased to announce that the microcode for the Intel 80386 has been decoded.
-
The results were then just laboriously hand-checked by eye over weeks.
electroly, specifically - thank you for your help.
One of my early experiments in OpenCV produced an unintentional piece of Microcode Art I'm still fond of.
This was a result of attempting auto-segmentation using incrementing hue on the various segments. Needless to say, a lovely disaster.
-
There was previously a reference to AI, but don't panic. No rainforests were burned down. What we used were old-fashioned, brainless convolutional neural networks trained on consumer video cards - an idea Smartest Blob came up with and that I re-used for my extraction of the NEC V20 microcode.
@gloriouscow I really wish we could get folks using terms like neural net and regression analysis again to contrast against generative/LLM offal. There are legitimate and powerful tools in this field, but they've been pumped in together with asbestos...
-
@wcbdata i've already suggested he swap out 'AI' for 'neural networks', should see that change here in a bit.
-
@gloriouscow oh is microcode self-similar enough and also abundant enough to be useful for this? (Or is like one guy writing all the microcode for everything?) fascinating
-
@gloriouscow Love it! I miss that stuff - I worked with some brilliant statisticians and mathematicians back in the day...
-
@thomasfuchs The technique for extracting bits (is this a bit or not a bit) is the same, and the same technique of training a CNN to classify "bit" or "not bit" is essentially Hot Dog / Not Hot Dog, something CNNs are very good at, even when things are blurry (in fact, intentionally blurring your training data makes the CNN better)
Silicon Valley: Not Hotdog (Season 4 Episode 4 Clip) | HBO
-
@thomasfuchs Once you have the bits in a two-dimensional bitmap, you have to extract them into words, figure out the fields within each word, a process that on the 80386 was probably actually harder than getting the bits out in the first place.
We used a lot of Python scripts to permute the bits in different ways and see if various patterns emerged that would delineate field lines.
For the 8088 and V20 we were very fortunate as the lawsuits between Intel and NEC ended up with the publication in the public record of the microcode word layout for both chips. No such luck with the 386!
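
An added sketch (not the project's scripts, which the thread does not show) of the kind of permutation experiment described above: it tries column de-interleaving strides on an extracted bit matrix, scores each by the mutual information between neighbouring bit columns, and marks field lines where neighbours look independent. The stride model, the scoring heuristic and the constructed 9-bit sample words are assumptions for illustration.

```python
from itertools import product
from math import log2

def mutual_info(rows, a, b):
    """Mutual information (in bits) between bit columns a and b."""
    n = len(rows)
    joint = {}
    for r in rows:
        joint[(r[a], r[b])] = joint.get((r[a], r[b]), 0) + 1
    pa = {v: sum(c for (x, _), c in joint.items() if x == v) / n for v in (0, 1)}
    pb = {v: sum(c for (_, y), c in joint.items() if y == v) / n for v in (0, 1)}
    return sum(c / n * log2((c / n) / (pa[x] * pb[y]))
               for (x, y), c in joint.items())

def adjacent_mi(rows):
    """MI of every pair of neighbouring columns, left to right."""
    return [mutual_info(rows, i, i + 1) for i in range(len(rows[0]) - 1)]

def deinterleave(rows, stride):
    """Hypothesis: physical columns are interleaved with the given stride."""
    width = len(rows[0])
    order = [c for start in range(stride) for c in range(start, width, stride)]
    return [[r[c] for c in order] for r in rows]

def best_stride(rows, candidates):
    """Stride whose reordering makes neighbouring bits most dependent."""
    return max(candidates, key=lambda s: sum(adjacent_mi(deinterleave(rows, s))))

def field_boundaries(rows, threshold=0.05):
    """Column indices where a new field appears to start."""
    return [i + 1 for i, mi in enumerate(adjacent_mi(rows)) if mi < threshold]

# Constructed sample, not real microcode: three independent 3-bit fields,
# each holding a thermometer code, enumerated over every combination.
CODES = [(0, 0, 0), (0, 0, 1), (0, 1, 1), (1, 1, 1)]
LOGICAL = [list(a + b + c) for a, b, c in product(CODES, repeat=3)]
# Scramble the columns the way an interleaved ROM array might (assumed layout).
# For 9 columns a stride-3 shuffle is a 3x3 transpose, so it is its own inverse.
PHYSICAL = deinterleave(LOGICAL, 3)

if __name__ == "__main__":
    stride = best_stride(PHYSICAL, range(1, 5))
    print("best stride:", stride)
    print("field starts:", field_boundaries(deinterleave(PHYSICAL, stride)))
```

The heuristic only sees pairwise dependence, so a field whose neighbouring bits are pairwise independent (a parity-style encoding, for instance) would show up as a false boundary.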
-
@thomasfuchs The same CNN process was used to extract the multi-level microcode for the 8087 - the process of decoding that is still on-going.
That chip is insane and @kenshirriff is about our only hope for ever decoding how it works. It has microcode, but there is far less separation between discrete logic and the microcode engine than on conventional CPUs. It's like the roots have grown into all the plumbing, and requires laborious circuit-tracing to understand what much of the microcode even does.
You can see the extracted 8087 microcode here. No mistakes were ever found or reported:
oh, i actually see someone's opened two issues. i must have missed the email lol
-
Just an addendum - we'd love to do the same for the 80286, to complete the early Intel trifecta.
The main reason that the 386 was done first is that Intel used an implant ROM on the 286 for some reason we can't fathom.
An implant ROM uses invisible doping to create the microcode bit gates. You can take pictures of it under a microscope all you want, you can't read shit.
-
Here's a high-magnification view of the 286 microcode implant ROM done by the talented @infosecdj , whom you should follow if you love sexy silicon photographs.
He laboriously removed the metal layer above this to hopefully reveal the bits below.
Can you see 0's and 1's here? I can't. I can't even train a neural network because you have to feed it some pre-classified bits and I can't classify anything here.
-
There is a way to extract the contents of an implant ROM. The doping that creates the gates means that you can etch the silicon in a way that the doped areas will stand out.
The acids involved in this process are some of the nastiest chemicals on the planet. Stuff like hydrofluoric acid.
Oh, you spilled it on yourself? no big deal. It's just going to dissolve your bones.
-
There are companies that would do this for us. They would also charge us six figures to do so. We're just hobbyists. We ain't got that sort of money. Nobody's gonna drop that kind of cash just so that future generations can run Commander Keen slightly more accurately.
There are only a handful of people on the planet that are set up to do this as a hobby, and unfortunately most of them are retired from the art.
If you know anyone who can do implant ROM staining and is willing to be compensated for their time, effort, and materials, please get in touch. We have hundreds of 286's (seriously). We are willing to send them anywhere on the globe.
-
@gloriouscow it'll turn any calcium in your cells to calcium fluoride which is insoluble, so all your cells stop working long before your bones start fizzing.
I've worked with it, had a solution of it, nitric and solvent blow up on the other side of a fume hood sash, and now swear off it entirely.
Give me nice safe Hg instead. That I can work with.
-
I do wonder if my technological forte – optical coherence tomography – is in any way sensitive to the implantation doping.
What are the structure sizes?
-
@datenwolf Oh hey, I get OCT done on my retinas yearly.
Structure size - that's a very good question, maybe @infosecdj could answer more confidently.
The original 286 was a 1.5µm process, but this is a later 80C286.
-
The next best bet is that there is some sort of trigger that will cause the chip to dump its microcode out on its address pins. @kenshirriff found that it should be possible to convince an 8087 to do so - something I still need to verify now that FPGAs no longer scare me.
This logic may only be found in bondout versions of the 286. Who knows. It would take someone staring at the high resolution 286 photos for hundreds of hours to determine if such a mechanism even exists.
If you're up for it:
-
@gloriouscow At least HF is not illegal to own, haha! For now.
-
@gloriouscow @kenshirriff is it not possible for the silicon to be probed directly after it's opened up for die photos? Like attach probe wires with a wire bonding machine. Maybe the microcode section could be cut out from the rest of the die if the rest interferes with the signals.
-
Like, theoretically possible with modern technology in a laboratory environment? Yes.
Doable by a hobbyist in their garage? Not so much.
The tiny little gold wires used to bond the die to the package legs look like the trunks of redwood trees at full magnification. The only place to reasonably attach a wire is on one of the pads that were constructed for them.

-
@ask Further complicating matters is that once you've decapped a chip like this, unless you have some sort of professional-grade clean-room filtration setup, you've pretty much destroyed it because of all the microscopic schmutz floating in your average air that will get in and start bridging microscopic traces everywhere.