Difference between revisions of "Ikos Pegasus reverse engineering"
From Tmplab
(→Device overview) |
(→Programming the auxiliary boards) |
||
Line 16: | Line 16: | ||
= Programming the auxiliary boards = | = Programming the auxiliary boards = | ||
+ | == Situation == | ||
In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD. | In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD. | ||
+ | |||
+ | Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the boards with a JTAG probe. | ||
+ | |||
+ | == CPLD access == | ||
+ | The CPLD's JTAG port is accessible on each board with a HE10 connector following the [http://www.xilinx.com/itp/xilinx4/data/docs/pac/cables8.html MultiLINX] pinout. | ||
+ | |||
+ | {| | ||
+ | |Vref | ||
+ | |GND | ||
+ | |NC | ||
+ | |NC | ||
+ | |NC | ||
+ | |NC | ||
+ | |NC | ||
+ | |NC | ||
+ | |NC | ||
+ | |- | ||
+ | |NC | ||
+ | |TDO | ||
+ | |NC | ||
+ | |X | ||
+ | |TDI | ||
+ | |TCK | ||
+ | |TMS | ||
+ | |NC | ||
+ | |NC | ||
+ | |- | ||
+ | |} | ||
+ | Legend: X = missing pin (key), NC = No Connect |
Revision as of 20:56, 11 August 2010
Device overview
- The rack with the power supply can hold up to 7 boards connected via a backplane.
- One main board with:
- SCSI controller
- 8051
- CPLD
- FPGAs
- SDRAM
- 5 auxiliary boards with (each):
- 1 XC95216 CPLD
- 64 XC4036 FPGAs
- lots of SRAM
- One auxiliary board was destructively reverse engineered, so only 4 are remaining.
Some device photos are here.
Programming the auxiliary boards
Situation
In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD.
Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the boards with a JTAG probe.
CPLD access
The CPLD's JTAG port is accessible on each board with a HE10 connector following the MultiLINX pinout.
Vref | GND | NC | NC | NC | NC | NC | NC | NC |
NC | TDO | NC | X | TDI | TCK | TMS | NC | NC |
Legend: X = missing pin (key), NC = No Connect