Reset Vector: The First Order After Power
Yesterday we watched the Xbox One fall below software, where voltage attacked the first security path before the polite operating systems existed.
Today we go deeper.
Not to the kernel.
Not to the bootloader.
We go to the first order the CPU receives after reset:
the reset vector.
The reset vector is where the processor starts fetching instructions after reset.
It is the machine’s first political address.
I. The First Instruction Is Not At The Beginning
Civilian intuition says:
“The CPU starts at address zero.”
Sometimes, on some architectures, that instinct is close enough.
On x86 PC systems, it is wrong in a historically beautiful way.
Modern Intel 64 and IA-32 documentation describes the reset state with:
| Register state after reset | Value |
|---|---|
| CS selector | 0xf000 |
| CS base | 0xffff0000 |
| EIP | 0x0000fff0 |
| resulting physical address | 0xfffffff0 |
The arithmetic is the whole ritual:
CS base 0xffff0000
EIP 0x0000fff0
----------------------
physical 0xfffffff0That address is 16 bytes below 4 GiB.
The CPU wakes up at the edge of the address space like a dictator entering through the roof.
There is not enough room there for a full operating system.
There is barely enough room for a jump.
II. The Palace Has A Trapdoor
The reset vector usually does not contain the real firmware body.
It contains a tiny instruction sequence, commonly a jump into firmware code elsewhere in the ROM image.
Conceptually:
.code16
reset_vector:
ljmp $0xf000, $firmware_entryThis is not a literal universal listing from every firmware image.
It is the shape of the idea:
the reset vector is a doorway,
not the whole palace.
The first instruction says:
“Go over there. The bureaucracy is larger than sixteen bytes.”
III. But The Firmware Is In SPI Flash
The CPU does not contain your motherboard firmware.
On modern PC systems, firmware commonly lives in SPI flash, the same physical archive discussed in flashrom.
So how does a CPU fetch from 0xfffffff0 if the code is sitting in a serial flash chip near the chipset?
The platform maps it.
The chipset / PCH decodes the CPU’s early memory fetch and routes it to the firmware flash.
flowchart LR
RESET["CPU reset"]
VECTOR["fetch at 0xfffffff0"]
PCH["chipset / PCH<br/>address decode"]
SPI["SPI flash<br/>firmware image"]
JUMP["reset stub<br/>jump into firmware"]
RESET --> VECTOR --> PCH --> SPI --> JUMP
This is why flashrom matters.
The first visible software instruction can live in the same chip you later dump with:
flashrom -p internal -r firmware.romIf permissions allow.
If the descriptor allows.
If the platform ministry permits the citizen to read the archive.
IV. The Reset Vector Is A Map, Not A Bootloader
The reset vector is not:
- the bootloader
- the kernel
- the UEFI shell
- GRUB
- systemd
- the login prompt
- your desktop environment’s opinion about rounded corners
It is earlier.
It is the first architectural fetch after reset.
The rough x86 PC chain looks like this:
flowchart TB
POWER["power rails stabilize"]
RESET["reset released"]
CPU["CPU architectural reset state"]
VECTOR["reset vector<br/>0xfffffff0"]
FW["firmware entry<br/>UEFI or coreboot path"]
MEMORY["memory initialization"]
DEVICES["chipset and device discovery"]
BOOT["boot manager / payload"]
OS["operating system kernel"]
POWER --> RESET --> CPU --> VECTOR --> FW --> MEMORY --> DEVICES --> BOOT --> OS
This diagram is polite.
Real platforms are not polite.
There may be an embedded controller awake earlier.
There may be a management engine or security processor running before the host CPU is released.
There may be board straps, power sequencing, microcode, fuses, measured boot, Boot Guard, TPM measurements, and firmware volumes.
The reset vector is where the host CPU enters the public record.
It is not necessarily the first thing on the board with a pulse.
V. Real Mode: The Antique Costume
On x86, the CPU begins in a legacy-compatible state often described as real-address mode.
This is why firmware begins life with one foot in 1978 and one foot in a machine that can virtualize Kubernetes for people who hate themselves.
At reset:
- paging is not enabled
- protected mode is not enabled
- long mode is not enabled
- normal DRAM may not be initialized
- caches and chipset state need careful setup
- the stack is not your friend yet
Firmware must build civilization in stages.
UEFI has phases.
coreboot has stages.
Everyone has rituals.
| Stage idea | What must happen |
|---|---|
| reset stub | get out of the tiny reset-vector doorway |
| early firmware | establish a minimal execution environment |
| memory init | make DRAM usable |
| chipset setup | configure platform plumbing |
| payload / boot manager | choose what loads next |
| OS handoff | transfer control to the kernel path |
Before memory initialization, the machine is not a computer.
It is a rumor with registers.
VI. Multiprocessor Reality
Modern systems have many cores.
They do not all wake up and immediately start writing manifestos.
On x86 PC systems, one logical processor becomes the bootstrap processor. The others are application processors that are brought up later through defined startup mechanisms.
The first firmware path is therefore not democracy.
It is monarchy.
One core starts.
The others wait.
Later, the operating system pretends this was consensus.
reset:
one bootstrap processor begins firmware execution
later:
firmware and OS arrange startup of the other processorsThis is why boot code is so careful.
Early boot has no room for committee behavior.
VII. Architecture Differences
The reset-vector idea exists across architectures, but the exact address and mechanism vary.
| Architecture family | Reset entry idea |
|---|---|
| x86 / x86-64 PC | architectural fetch near top of 32-bit address space at 0xfffffff0 |
| 8086 | reset fetch near top of 1 MiB at 0xffff0 |
| ARM microcontrollers | vector table often starts with initial stack pointer and reset handler address |
| RISC-V systems | reset vector is platform / implementation specific |
| PowerPC / Power ISA systems | fixed reset exception vectors defined by architecture/platform |
This is why portable operating systems do not begin at “main.”
They begin with architecture-specific entry code, linker scripts, memory maps, exception tables, firmware contracts, and profanity.
main() is a privilege earned later.
VIII. Why Attackers Care
Attackers love early boot because every later layer depends on it.
If you control the path before the OS:
- the kernel may never know
- disk encryption may be measured into a lie
- hypervisors can be placed under the real OS
- secure boot policy can be bypassed if the root is compromised
- persistence can survive normal reinstall rituals
This is why we spent days on Intel ME, AMD PSP, TPM, Pluton, and console boot chains.
They all orbit the same political truth:
whoever speaks first writes the law.
IX. The Real Story (Suppressed)
Officially, reset vector means the fixed address where execution begins after reset.
Suppressed expansion:
Regime Entry Signal To Establish Tyranny.
Intel chose 0xfffffff0 because it is sixteen bytes before the end of the old 32-bit map, which is exactly enough space for firmware to say:
“Not here. Go to the real office.”
The first firmware engineer proposed starting at zero.
The Ministry rejected this.
Zero is for peasants, null pointers, and C programmers discovering humility.
The Supreme Leader begins at the top.
X. The Lesson
The reset vector is small.
That is why it matters.
It proves that every huge system begins with an absurdly tiny command:
fetch here,
jump there,
build the world.
Before your kernel scheduler,
before your filesystem,
before your login prompt,
before the browser tab consuming six gigabytes to show a newsletter popup,
there is a fixed address and a first instruction.
The decree:
- the OS does not start the machine
- firmware begins before the bootloader
- the reset vector is the host CPU’s first public instruction address
- modern platforms may have other controllers alive even earlier
- the first code path defines the trust chain for everything after it
Tomorrow we give memory a dictator:
the MMU.
— Kim Jong Rails, Supreme Leader of the Republic of Derails