Enthusiasts successfully extracted and disassembled the microcode of an Intel 80386 processor, which was considered a "black box" due to a lack of documentation. A binary image of the microcode was recreated using AI from high-resolution photographs of the die, and the logic was deciphered using on-die wiring. The micro-ops structure, fields, execution order, and end-of-instruction markers were gradually determined. The project's findings are published on GitHub as public domain.

It was discovered that in the 80386 CPU, every instruction is executed entirely through microcode, while in the 8086 and modern processors, some instructions are processed directly. Furthermore, unlike in the 8086 processors, the microcode in the 80386 does not directly implement algorithms, but primarily configures hardware accelerators (multiplier, divider, fast shifter, PTU (Protection Test Unit)).
The study also uncovered a potential security issue in the handling of the I/O permission bitmap: for 4-byte port accesses, only the permission bits for the first 3 bytes were checked, and the 4th byte was not checked at all, which in theory allowed access to hardware registers that should not have been accessible.
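To make the flaw concrete, here is a small constructed model of the TSS I/O permission bitmap check (added here; it is not the 80386 microcode and not code from the GitHub project). The architectural rule is that every byte of a multi-byte port access must be permitted; `iopb_allows` implements that rule, while `iopb_allows_386_flaw` mirrors the behaviour the article describes, consulting only three bits for a 4-byte access. The port numbers used in the test are constructed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the x86 TSS I/O permission bitmap (IOPB):
 * one bit per port, bit set = access denied. 65536 ports / 8 = 8192 bytes. */
#define IOPB_BYTES 8192

typedef struct {
    uint8_t bits[IOPB_BYTES];
} iopb_t;

/* A byte beyond port 0xFFFF lies outside the map; treat it as denied. */
static bool iopb_bit_denied(const iopb_t *b, uint32_t port) {
    if (port >= IOPB_BYTES * 8u)
        return true;
    return (b->bits[port >> 3] >> (port & 7)) & 1u;
}

/* Correct check: every byte of a 'width'-byte access starting at 'port'
 * must be permitted, otherwise the access must fault. */
bool iopb_allows(const iopb_t *b, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++)
        if (iopb_bit_denied(b, (uint32_t)port + i))
            return false;
    return true;
}

/* Model of the flaw described above: for a 4-byte access only the first
 * three permission bits are consulted, so a denied 4th byte slips through. */
bool iopb_allows_386_flaw(const iopb_t *b, uint16_t port, unsigned width) {
    unsigned checked = (width == 4) ? 3 : width;
    for (unsigned i = 0; i < checked; i++)
        if (iopb_bit_denied(b, (uint32_t)port + i))
            return false;
    return true;
}

/* Build a bitmap that denies exactly the ports in [first, last]. */
void iopb_init_deny_range(iopb_t *b, uint16_t first, uint16_t last) {
    memset(b->bits, 0, sizeof b->bits);
    for (uint32_t p = first; p <= last; p++)
        b->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
}
```

With a bitmap that denies only port 0x3F8, a dword access at 0x3F5 covers bytes 0x3F5..0x3F8: the correct check rejects it, the flawed one accepts it because the 4th byte is never examined.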
Based on the published microcode, an open-source z386 CPU was developed, implemented in SystemVerilog and running on an FPGA. Instead of implementing each instruction as separate RTL (Register-Transfer Level) logic, the z386 implements hardware structures controlled by the original microcode. The performance of the resulting implementation matches that of a fast 386 PC (~70 MHz). The z386 successfully ran DOS 6/7, DOS/4GW, DOS/32A, and games such as Doom and Cannon Fodder.
Source: opennet.ru
