Engineer Documents Undisclosed Features in Microchip VSC8512 Ethernet PHY

Author: Ze Research Writer

Hardware engineer Andrew Zonenberg published detailed documentation of undisclosed register interfaces and configuration options in Microchip's VSC8512 12-port Gigabit Ethernet PHY, revealing capabilities hidden behind NDA-restricted documentation.

## Executive Brief

Hardware engineer Andrew Zonenberg published extensive documentation on July 4, 2025, detailing undisclosed features and register interfaces in Microchip's VSC8512 12-port Gigabit Ethernet PHY. The findings emerged from Zonenberg's LATENTRED project, an effort to build an open source 1U managed Ethernet switch from scratch.

The VSC8512 is marketed with publicly available documentation, but Zonenberg discovered that critical configuration capabilities, particularly for SERDES transmit equalization, require access to a "confidential reference manual" protected by non-disclosure agreement. Rather than sign an NDA, Zonenberg reverse-engineered the undocumented interfaces by analyzing Microchip's MIT-licensed MESA driver code and correlating it with IBIS-AMI simulation models.

The research revealed an internal 8051 microcontroller with a command interface accessible through MDIO registers, undocumented register pages for test and configuration functions, and a 36-byte Macro Configuration Bus structure for SERDES tuning. Zonenberg documented specific memory addresses, command opcodes, and bitfield layouts that enable configuration of transmit equalizer taps, slew rate control, and other signal integrity parameters.

The work has immediate practical applications for engineers designing with the VSC8512 who need to optimize signal integrity without vendor support. The documented equalizer settings allowed Zonenberg to achieve fully open eye diagrams on QSGMII links, meeting transmit mask specifications through a combination of cables, connectors, and PCB traces.

Microchip's practice of restricting documentation while publishing open source drivers creates an unusual situation where determined engineers can reconstruct proprietary information through code analysis.

## What Happened

Zonenberg selected the VSC8512 for his open source switch project based on its QSGMII interface and what appeared to be complete public documentation. The 139-page datasheet (VMDS-10396) includes register descriptions and configuration procedures for standard operation.

When attempting to optimize SERDES transmit equalization for the QSGMII interface, Zonenberg discovered the public documentation lacked necessary details. He opened a support case with Microchip, which responded that additional information was available only in a confidential reference manual requiring an NDA.

Unwilling to accept NDA restrictions for an open source project, Zonenberg began analyzing available resources. The Microchip Ethernet Switch API (MESA), published under MIT license on GitHub, contains driver code for the VSC8512 and related devices. The VSC8504 IBIS-AMI model, linked from the product page, provided parameter names and ranges for SERDES configuration.

Cross-referencing the driver code with the IBIS model and public datasheets, Zonenberg identified the internal architecture. The VSC8512 appears to be a derivative of the VSC742x switch ASIC with disabled features, sharing register layouts and silicon bugs. An internal 8051 microcontroller handles configuration through a mailbox interface in the GPIO register page.

The research culminated in documented procedures for reading and writing SERDES configuration through the MCU interface, including the specific memory addresses and command formats required to adjust transmit equalization.

## Key Claims and Evidence

Zonenberg's analysis identified several undocumented register pages beyond the five described in the public datasheet. Page 0x2a30 contains test registers with unknown functions. Page 0x52b5, referred to as "Token Ring" in some code comments, appears to contain additional configuration options accessed through a triplet write sequence.

The MCU interface at register 0x12 in the GPIO page (page 0x0010) supports multiple command formats. Bit 15 initiates command execution and must be polled until clear. Bit 14 selects between indirect pointer mode and command mode. Documented commands include MAC mode selection (0x0, 0x1), MCB read/write operations (0x3, 0x0), microcode patch control (0x4), and memory peek/poke operations (0x6, 0x7).

The SERDES6G configuration buffer resides at MCU address 0x47cf and spans 36 bytes. Specific bitfields control transmit equalizer parameters including ob_post0 (post-cursor tap 0) at addresses 0x47d8-0x47d9, with the value split across byte boundaries. The IBIS model documents parameter ranges: OB_LEV (0-63), OB_PREC (-15 to +15), OB_POST0 (-31 to +31), OB_POST1 (-15 to +15), and slew rate controls.

Testing confirmed the documented procedures work correctly. With the default ob_post0 value of approximately 0x02, the QSGMII eye showed slight closure. Setting ob_post0 to 0x0f produced gross overequalization. A value of 0x04 achieved fully open eyes meeting transmit mask specifications.

## Pros / Opportunities

Engineers working with the VSC8512 can use the documented procedures to optimize signal integrity without vendor support or NDA access. The ability to tune transmit equalization enables designs with longer trace lengths or lower-quality interconnects than default settings support.

The research methodology demonstrates how open source driver code can serve as de facto documentation. Microchip's decision to publish MESA under MIT license, while restricting formal documentation, creates an accessible path for determined engineers.

The documented MCU interface enables capabilities beyond equalization tuning. Memory peek and poke commands provide access to internal state. The microcode patch mechanism allows firmware modifications. These capabilities support debugging, validation, and potentially custom functionality.

Open source hardware projects benefit from reduced barriers to using commercial components. The LATENTRED project can proceed without NDA encumbrances, and other projects can leverage the documented interfaces.

## Cons / Risks / Limitations

The reverse-engineered documentation lacks the completeness and accuracy guarantees of official vendor materials. Undocumented registers may have undisclosed side effects or interact with other chip functions in unexpected ways. Silicon revisions could change register layouts without notice.

Microchip's support channels may decline assistance for configurations using undocumented features. Warranty coverage and technical support typically require adherence to documented operating parameters.

The research focused on the D stepping (revision 0x3) of the VSC8512, the only version currently available. Earlier steppings may have different register layouts or require the microcode patches that Zonenberg omitted.

Some documented features remain incompletely understood. The Token Ring page functions are unknown. Several MCU command opcodes have no observed usage in the driver code. The full extent of the 8051's capabilities and memory map remains unexplored.

## How the Technology Works

The VSC8512 integrates 12 Gigabit Ethernet PHY ports with QSGMII or SGMII MAC interfaces. Each PHY handles the physical layer conversion between twisted pair copper (1000BASE-T) and the serial interface to the MAC device. The QSGMII interface multiplexes four ports onto a single 5 Gbps serial link.

Internal SERDES macros handle serialization and clock recovery for the MAC interface. The SERDES6G macros support the higher-speed QSGMII links, while SERDES1G macros handle individual SGMII connections. Each SERDES includes configurable transmit equalization to compensate for channel losses.

The Macro Configuration Bus (MCB) provides access to SERDES registers. Direct MCB access is not available externally. Instead, an internal 8051 microcontroller mediates access through a command interface. Commands read MCB contents into a shadow buffer, allow modification through peek/poke operations, then write the buffer back to one or more SERDES instances.
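The mailbox handshake and the 36-byte buffer bounds described above can be sketched as follows. This is an added example, not code from Zonenberg's post or from MESA: the simulated MDIO bus, the use of register 31 for page selection, and the opaque command word (its layout below bit 15 is not given on this page) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define REG_PAGE_SEL 31      /* assumption: page-select register, not stated on this page */
#define PAGE_GPIO    0x0010  /* GPIO page holding the MCU mailbox */
#define REG_MCU_CMD  0x12    /* mailbox register */
#define MCU_BUSY     0x8000  /* bit 15: written as 1 to start, polled until clear */
#define MCB_BUF_BASE 0x47cf  /* SERDES6G configuration buffer in MCU memory */
#define MCB_BUF_LEN  36

/* Constructed stand-in for the PHY behind an MDIO bus (hypothetical model). */
struct sim_phy { uint16_t page, cmd; int busy_reads; };

static uint16_t mdio_read(struct sim_phy *p, int reg) {
    if (reg == REG_PAGE_SEL) return p->page;
    if (reg != REG_MCU_CMD || p->page != PAGE_GPIO) return 0;
    if (p->busy_reads > 0) p->busy_reads--; else p->cmd &= (uint16_t)~MCU_BUSY;
    return p->cmd;
}

static void mdio_write(struct sim_phy *p, int reg, uint16_t v) {
    if (reg == REG_PAGE_SEL) p->page = v;
    else if (reg == REG_MCU_CMD && p->page == PAGE_GPIO) p->cmd = v;
}

/* Issue one command: 0 when bit 15 clears, -1 on timeout; page restored on both paths. */
static int mcu_command(struct sim_phy *p, uint16_t word, int max_polls) {
    uint16_t saved = mdio_read(p, REG_PAGE_SEL);
    int rc = -1;
    mdio_write(p, REG_PAGE_SEL, PAGE_GPIO);
    mdio_write(p, REG_MCU_CMD, (uint16_t)(word | MCU_BUSY));
    for (int i = 0; i < max_polls && rc != 0; i++)
        if (!(mdio_read(p, REG_MCU_CMD) & MCU_BUSY)) rc = 0;
    mdio_write(p, REG_PAGE_SEL, saved);
    return rc;
}

/* True only if [addr, addr+len) lies inside the 36-byte SERDES6G buffer. */
static bool mcb_range_ok(uint32_t addr, uint32_t len) {
    return len > 0 && len <= MCB_BUF_LEN && addr >= MCB_BUF_BASE &&
           addr - MCB_BUF_BASE <= MCB_BUF_LEN - len;
}

int main(void) {
    struct sim_phy phy = { 0x0000, 0, 3 };   /* busy for 3 polls */
    int rc = mcu_command(&phy, 0x0000, 16);  /* placeholder command word */
    printf("rc=%d page=0x%04x ob_post0_ok=%d\n", rc, phy.page, mcb_range_ok(0x47d8, 2));
    return 0;
}
```

A tuning tool that gates every peek or poke address through a range check like `mcb_range_ok` cannot be steered into touching 8051 memory outside the configuration buffer.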

Technical context (optional): Transmit equalization uses finite impulse response (FIR) filtering to pre-distort the signal, compensating for frequency-dependent losses in the channel. The ob_post0 parameter controls the first post-cursor tap, which adds a delayed inverted copy of the signal to reduce inter-symbol interference. Higher values increase de-emphasis, opening the eye at the receiver but reducing signal amplitude.

## Why This Matters Beyond the Company or Product

The VSC8512 documentation gap illustrates a broader tension in the semiconductor industry between intellectual property protection and customer enablement. Vendors restrict documentation to protect competitive advantages and limit liability, while customers need complete information to optimize designs.

Microchip's approach of publishing open source drivers while restricting formal documentation creates an unusual middle ground. The driver code effectively documents chip behavior for those willing to analyze it, while maintaining formal restrictions that satisfy legal and business requirements.

The reverse engineering methodology applies to other components with incomplete documentation. IBIS models, driver code, reference designs, and related product documentation often contain information not present in primary datasheets. Engineers facing documentation gaps can systematically extract needed details from these secondary sources.

The work contributes to the broader open source hardware ecosystem. Documented interfaces enable community development of drivers, tools, and designs without vendor dependency. The LATENTRED project demonstrates that complex networking hardware can be developed openly despite vendor documentation restrictions.

## What's Confirmed vs. What Remains Unclear

Confirmed:

  • MCU command interface at GPIO page register 0x12
  • Command formats for MCB read/write, peek/poke, and mode selection
  • SERDES6G configuration buffer at address 0x47cf
  • ob_post0 bitfield locations and functional effect on equalization
  • Successful signal integrity optimization using documented procedures

Unclear:

  • Complete function of test page 0x2a30 registers
  • Purpose and operation of Token Ring page 0x52b5
  • Full MCU memory map and available commands
  • Behavior differences across silicon revisions
  • Whether other undocumented capabilities exist

## What to Watch Next

Zonenberg indicated plans to continue documenting the VSC8512 as the LATENTRED project progresses. Additional register functions may be identified through continued driver code analysis and experimentation.

The open source networking hardware community may build on this documentation. Other projects using VSC8512 or related Microchip PHYs could contribute additional findings or corrections.

Microchip's response to the publication remains to be seen. The company could choose to release additional documentation publicly, modify future products to prevent similar analysis, or take no action.

Engineers designing with the VSC8512 should monitor the LATENTRED project blog for updates. The documented procedures provide immediate utility for signal integrity optimization, with potential for expanded capabilities as research continues.

## Sources

  1. Andrew Zonenberg - "Switch project, part 3 - what Microchip doesn't (officially) tell you about the VSC8512" - July 4, 2025 https://serd.es/2025/07/04/Switch-project-pt3.html

  2. Microchip VSC8512 Product Page and Datasheet (VMDS-10396) https://www.microchip.com/en-us/product/VSC8512

  3. Microchip MESA (Microchip Ethernet Switch API) - GitHub Repository https://github.com/microchip-oss/mesa
