Hacker News
by duskwuff 3252 days ago
> Could this tool find hardware backdoors?

Only very crude ones. A competently implemented hardware backdoor would probably be data-dependent. For instance, it might trigger when REP CPUID is called with four specific 64-bit values in R8, R9, R10, and R11 -- and if that were the case, there would be absolutely no way to discover it by searching.

2 comments

There's also the fascinating variant where a control line charges a capacitor over time to activate backdoor behavior. Triggering it would look like a bunch of nonsense instructions that just so happen to keep that control line energized long enough for the capacitor to cross some activation voltage.
No way to discover because of the immense search space? And/Or that if the backdoor was triggered, no way to immediately detect its effects?