80386 Microcode Disassembled
This post details the arduous reverse engineering of the Intel 80386 microcode, revealing the inner workings of a foundational CPU that powered early PCs. It highlights the collaborative effort to translate raw silicon images into intelligible instructions, uncovering architectural details and even a 40-year-old potential security flaw. This kind of meticulous hardware archaeology is highly valued on HN for its technical depth and historical significance.
The Lowdown
The blog post "80386 Microcode Disassembled" recounts the monumental effort to reverse engineer and understand the internal microcode of the iconic Intel 80386 processor. The project, far more demanding than the earlier 8086 microcode work, involved a collaborative team transforming high-resolution die images into a comprehensive microcode disassembly, shedding light on the CPU's intricate operation.
- The project began with a high-resolution image of the 80386 microcode ROM (94720 bits), provided by Ken Shirriff, presenting a significant challenge due to its size and lack of existing documentation.
- A team, including GloriousCow and Smartest Blob, utilized image processing, AI, and human-aided automation to extract and cross-check the binary microcode blob from the silicon image.
- The disassembly process involved intricate pattern recognition to identify micro-operations (μ-ops), their order, and field divisions, aided by tracing logic on the 80386 die and correlating microcode segments with hardware accelerators.
- Key findings include 215 microcode entry points (compared to 60 for the 8086), confirming that all 80386 instructions are microcoded, unlike the 8086 and modern CPUs.
- A small "unused?" microcode routine was identified, resembling a page fault handler but with a mysterious CR2 register setting.
- A potential security flaw was discovered in the checking of 4-byte I/O accesses against the I/O permission bitmap: an access at the edge of the permitted I/O-port range might partially bypass the check, a bug that may have gone unnoticed for over 40 years.
- The complete microcode disassembly is publicly available on GitHub.
This detailed account underscores the dedication required to demystify complex legacy hardware, offering unprecedented insight into the 80386's architecture. The discovery of potential long-standing bugs further illustrates the value of such deep technical exploration, even decades after a chip's release.