In this post I will cover:

Configuring an ASRock H370M-ITX/ac to allow DCI DbC debugging

Using Intel System Studio and System Debugger to single-step a Coffee Lake-S i7-8700 CPU

Debugging an example exploitable UEFI application on hardware

USB DCI DbC Debugging (JTAG over USB3)

TL;DR: if you have a newer CPU and chipset you can purchase a $15 off-the-shelf cable and single-step your hardware threads. The cable is a USB 3.0 debugging cable; it is similar to an Ethernet crossover cable in that its internal wiring is crossed. Be careful with this cable: plugging it into unsupported machines will result in undefined behavior due to the electronics of USB.

Newer Intel CPUs support debugging over USB3 via a proprietary Direct Connection Interface (DCI) using off-the-shelf hardware. This applies to some 6th-generation CPU and chipset combinations, and to most 7th-generation and newer setups. I have not found the specific CPU/chipset combinations, but my educated guess for the Core series is as follows:

Kaby Lake / Intel 100 or 200 series SunrisePoint

Coffee Lake-S / Intel Z370, H370, H310, or B360

Kaby Lake R / 6th-gen Intel Core

Whiskey Lake-U (8565U, 8265U, 8145U)

Coffee Lake-S / H370, H310, B360

These combinations should support "DCI USB 3.x Debug Class" debugging, which means you only need the inexpensive debug cable linked above. Note that if debug-cable debugging is not supported, a proprietary interposing device must be purchased from Intel.

From the documentation I've read, the USB3 hardware on a supported machine decodes DCI commands and forwards them to a hardware module on the target CPU that translates them into JTAG sequences. Intel provides the free-to-use, renewably-licensed Intel System Studio and System Debugger software along with a DCI implementation called OpenDCI. This debugging environment is built on Eclipse and supported on macOS, Linux, and Windows. I've only found OpenDCI support for DbC-compatible targets in the Windows version.

You will need a Windows 10 install and Intel System Studio if you are following along.

Enable DCI on the ASRock H370M-ITX/ac

TL;DR: you will need to enable and disable undocumented settings within UEFI by flipping several bits in a UEFI variable.

If you do casual research on DCI you will find several references to using a BIOS version with DCI enabled or to using a UEFI debug build. I am sure these would be very helpful, but they are not generally obtainable. However, we can still follow guidance on "modding" our UEFI to enable DCI. I found eiselekd’s DCI-enable guidance extremely helpful.

Use chipsec to dump your SPI contents to disk, e.g.:

chipsec_util spi dump rom.bin

Open rom.bin with UEFITool and extract GUID 899407D7-99FE-43D8-9A21-79EC328CAC21 (the Setup UEFI variable). Use IFRExtractor to print a textual representation of the variable options.

The variable settings required for the H370M-ITX/ac are as follows, tested on the 3.10 and 4.00 UEFI releases:

Enable/Disable IED (Intel Enhanced Debug): offset 0x960, set to enabled 0x1

CPU Run Control: offset 0x663, set to enabled 0x1

CPU Run Control Lock: offset 0x664, set to disabled 0x0

Platform Debug Connect: offset 0x114F, set to 0x03 to enable DCI DbC

xDCI Support: offset 0xABD, set to enabled 0x1

To modify and save these offsets follow the guidance above to use the UEFI Shell and RU.efi application by James Wang.
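The following script is an added example, not code from the post or from any of the tools it names (chipsec, UEFITool, IFRExtractor, RU.efi). It reads the raw data of the extracted Setup variable and reports the state of the five offsets listed above, so you can audit a dump for the debug-enabling configuration before (or after) touching it with RU.efi. It assumes, as I read the post, that the offsets are byte indexes into the variable data and that each setting is one byte; the "closed" values used for the non-DCI state, the `Setting` type, and the constructed sample blob are my own assumptions.

```python
"""Audit a dumped UEFI 'Setup' variable for the DCI/DbC-related settings.

Added example, not from the post or its tools.  Assumptions:
  * the listed offsets are byte indexes into the raw data of the Setup
    variable (GUID 899407D7-99FE-43D8-9A21-79EC328CAC21),
  * each setting occupies a single byte,
  * the values that leave the debug path closed (closed_value) are the
    obvious opposites of the enabling values; the post does not state them.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Setting:
    name: str
    offset: int        # byte offset inside the Setup variable data
    dci_value: int     # value the post sets to expose DCI DbC
    closed_value: int  # assumed value that leaves the debug path closed


# Offsets and DCI-enabling values as listed in the post for UEFI 3.10 / 4.00.
DCI_SETTINGS = (
    Setting("IED (Intel Enhanced Debug)", 0x960, 0x1, 0x0),
    Setting("CPU Run Control", 0x663, 0x1, 0x0),
    Setting("CPU Run Control Lock", 0x664, 0x0, 0x1),
    Setting("Platform Debug Connect", 0x114F, 0x03, 0x00),
    Setting("xDCI Support", 0xABD, 0x1, 0x0),
)

MIN_SIZE = max(s.offset for s in DCI_SETTINGS) + 1


def read_settings(blob: bytes) -> dict[str, int]:
    """Return {setting name: current byte value} for every DCI-related offset."""
    if len(blob) < MIN_SIZE:
        raise ValueError(f"Setup variable too short: {len(blob)} < {MIN_SIZE} bytes")
    return {s.name: blob[s.offset] for s in DCI_SETTINGS}


def dci_dbc_enabled(blob: bytes) -> bool:
    """True only when every setting holds the value the post uses to enable DCI DbC."""
    current = read_settings(blob)
    return all(current[s.name] == s.dci_value for s in DCI_SETTINGS)


def audit(blob: bytes) -> list[str]:
    """One line per setting, flagging values that open the debug path, plus a verdict."""
    current = read_settings(blob)
    report = []
    for s in DCI_SETTINGS:
        value = current[s.name]
        flag = "DEBUG-ENABLING" if value == s.dci_value else "ok"
        report.append(f"{s.name:<28} @0x{s.offset:04X} = 0x{value:02X}  [{flag}]")
    report.append("DCI DbC EXPOSED" if dci_dbc_enabled(blob) else "DCI DbC not fully enabled")
    return report


def apply_settings(blob: bytes, enable: bool) -> bytes:
    """Return a copy of the blob with all five offsets set to the DCI (enable=True)
    or assumed-closed (enable=False) values.  The input is left untouched."""
    read_settings(blob)  # reuse the length check
    patched = bytearray(blob)
    for s in DCI_SETTINGS:
        patched[s.offset] = s.dci_value if enable else s.closed_value
    return bytes(patched)


def sample_setup_variable() -> bytes:
    """Constructed sample, not a real dump: zero-filled, with only CPU Run Control
    Lock set, which is the state I assume a shipping board to be in."""
    blob = bytearray(0x1200)
    blob[0x664] = 0x1
    return bytes(blob)


if __name__ == "__main__":
    stock = sample_setup_variable()
    print("\n".join(audit(stock)))
    print()
    print("\n".join(audit(apply_settings(stock, enable=True))))
```

Point `read_settings` at the bytes UEFITool extracts for the Setup variable to check a real dump; the script never writes to flash or NVRAM, it only reports and produces a modified copy in memory, so the actual change still goes through RU.efi as the post describes.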

You can confirm that DCI is enabled by reading the USB3 device class label when you connect the debug cable between your host and target machines. The host should have Intel System Studio installed and the target is the H370M-ITX/ac. The host USB driver will report "Intel USB Native Debug Class Devices" if DCI is enabled. If there is an error you will see "Port Reset Failed". An easy way to view detailed USB device information is with USB Tree View. Chipsec will also report whether DCI is enabled, but I found that DbC-specific availability is not reported, so use the USB device driver selection in Windows to confirm the UEFI options are set correctly.

Single-stepping the i7-8700

To recap the requirements and setup:

You have a host machine running Windows 10 with Intel System Studio installed

The host machine and target i7-8700/H370M-ITX/ac are connected via a USB3 DbC cable

The host machine shows a connected "Intel USB Native Debug Class Device" USB device

Interrupt the target machine's boot so that you enter UEFI Setup (press F2). This is not required, but it helps when following along with the address space and other layout details. I have not figured out how to halt the CPU on reset with DCI and DbC.

In Intel System Studio, open System Debugger and configure your target connection to use "8th Gen Intel Core Processors (Coffee Lake-S) _ Intel H370 Chipset Intel H310 Chipset Intel B360 Chipset for Consumer (Cannon Lake PCH)" with the connection method "Intel(R) DCI USB 3.x Debug Class".

Upon success you will see status output similar to the following:

22:02:20 [INFO ] TCA - IPConnection: Open Connection, configuration: CFL_CNP_OpenDCI_DBC_Only_ReferenceSettings.
22:02:57 [INFO ] Starting DAL ...
22:02:57 [DAL ] The system cannot find the batch label specified - SetScriptPath
22:02:58 [DAL ] Registering MasterFrame...
22:03:00 [DAL ] Using Intel DAL 1.1905.602.100
22:03:00 [DAL ] Using python.exe 2.7.15 (64bit), .NET 2.0.50727.8940, Python.NET 2.0.19, pyreadline 2.1.1
22:03:02 [DAL ] Note: The 'coregroupsactive' control variable has been set to 'GPC'
22:03:10 [DAL ] Using CFL_CNP_OpenDCI_DBC_Only_ReferenceSettings
22:03:10 [DAL ] >>? DAL startup completed
22:03:10 [INFO ] Connection Manager: Status change: CONNECTED Connection: 8th Gen Intel Core Processors (Coffee Lake-S) _ Intel H370 Chipset Intel H310 Chipset Intel B360 Chipset for Consumer (Cannon Lake PCH) Target: 8th Gen Intel Core Processors (Coffee Lake-S) / Intel H370 Chipset, Intel H310 Chipset, Intel B360 Chipset for Consumer (Cannon Lake PCH) Connection Method: Intel(R) DCI USB 3.x Debug Class

And output similar to the following screen captures: