Difference between revisions of "Ikos Pegasus reverse engineering"
(→Connection of the FPGA JTAG chain to the CPLD) |
(→CPLD access) |
||
(23 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | = | + | = Overview = |
+ | == What? == | ||
+ | A big FPGA based ASIC emulator from the late 90s. Hundreds of FPGAs, thousands of I/Os, hundreds of amperes, dozens of kilos, etc. The FPGAs are quite old (approx. 1/3 the size and 1/3 the speed of a Virtex4 XC4VLX25) but there are ''many'' of them, brute forcing designs can be usually deeply pipelined to make <span class="plainlinks">[http://www.premierrivercruises.com/river-cruise-regions-of-the-world/france-river-cruises<span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">river cruises in france</span>] <span class="plainlinks">[http://www.andrewflusche.com/services/spotsylvania-reckless-driving-defense/<span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">Spotsylvania reckless driving</span>] them fast even on slow FPGAs, and it is a great <span class="plainlinks">[http://www.culinarydepotinc.com<span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">restaurant supplies</span>] learning tool. | ||
+ | |||
* The rack with the power supply can hold up to 7 boards connected via a backplane. | * The rack with the power supply can hold up to 7 boards connected via a backplane. | ||
* One main board with: | * One main board with: | ||
Line 14: | Line 17: | ||
Some device photos are [http://ygdes.com/ikos/ here]. | Some device photos are [http://ygdes.com/ikos/ here]. | ||
+ | |||
+ | See also business articles about the product and its manufacturer: | ||
+ | * [http://www.allbusiness.com/finance/1166622-1.html Mentor Graphics to buy Ikos Systems for 1.69 times revenue] | ||
+ | * [http://www.allbusiness.com/company-activities-management/product-management/6820155-1.html IKOS' VirtuaLogic Emulator Breaks DesignCompilation Time Speed Barrier] | ||
+ | * [http://www.thefreelibrary.com/Rendition+Selects+VirtuaLogic+Emulator+and+Retains+IKOS+Consulting...-a019815460 Rendition Selects VirtuaLogic Emulator] | ||
+ | |||
+ | There are also some reports of using the device in academia, many papers are available from the [http://www.ieeesucks.com I€€€] if you have some grease money to spare. | ||
+ | |||
+ | Some hints about the original software here: http://groups.csail.mit.edu/cag/raw/benchmark/include/vmw/interface/slic/driver/ | ||
+ | |||
+ | == Who? == | ||
+ | [http://lekernel.net Lekernel] and [http://www.aerith.fr Aeris] are doing the reverse engineering, [http://www.ygdes.com Yann] provided the device and [http://www.usinette.org Alex] helped carrying it into the lab. Other contributors are welcome. | ||
= Programming the auxiliary boards = | = Programming the auxiliary boards = | ||
Line 19: | Line 34: | ||
In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD. | In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD. | ||
− | Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the boards with a JTAG probe. | + | Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the <span class="plainlinks">[http://540seo.com/<span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">local search engine optimization</span>] boards with a JTAG probe. |
+ | |||
+ | == FPGA JTAG pins == | ||
+ | Here is the pinout of the JTAG port on the FPGAs (in BGA packages), as published by Xilinx. | ||
+ | {|border="1" | ||
+ | |'''Signal''' | ||
+ | |'''Pin''' | ||
+ | |- | ||
+ | | TMS | ||
+ | | K30 | ||
+ | |- | ||
+ | | TCK | ||
+ | | D31 | ||
+ | |- | ||
+ | | TDI | ||
+ | | D30 | ||
+ | |- | ||
+ | | TDO | ||
+ | | C4 | ||
+ | |} | ||
== CPLD access == | == CPLD access == | ||
Line 48: | Line 82: | ||
Legend: X = missing pin (key), NC = No Connect | Legend: X = missing pin (key), NC = No Connect | ||
− | We can use [http://urjtag.org urJTAG] to access the CPLD, with the BSDL files released by Xilinx to enable boundary scan. For an unknown reason, the Xilinx iMPACT tool fails to recognize the CPLD. | + | We can use [http://urjtag.org urJTAG] to access the CPLD, with the BSDL files released by Xilinx to enable boundary scan. For an unknown reason, the Xilinx iMPACT tool fails to recognize the <span class="plainlinks">[http://www.great-quotes.com/quotes/author/Audrey/Hepburn<span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">Audrey Hepburn quotes</span>] CPLD. |
=== How to use boundary scan with urJTAG === | === How to use boundary scan with urJTAG === | ||
+ | For Xilinx cable : | ||
cable xpc_ext | cable xpc_ext | ||
+ | For FTDI cable : | ||
+ | cable USB-to-JTAG-IF | ||
+ | |||
bsdl path [path to BSDL files] | bsdl path [path to BSDL files] | ||
detect | detect | ||
Line 84: | Line 122: | ||
|TCK | |TCK | ||
|Q1 | |Q1 | ||
− | | | + | |88 |
|- | |- | ||
|TCK | |TCK | ||
Line 96: | Line 134: | ||
|TCK | |TCK | ||
|Q4 | |Q4 | ||
− | | | + | |90 |
|- | |- | ||
|TMS | |TMS | ||
|Q1 | |Q1 | ||
− | | | + | |115 |
|- | |- | ||
|TMS | |TMS | ||
Line 114: | Line 152: | ||
|TBD | |TBD | ||
|} | |} | ||
+ | |||
+ | Pins can be found by soldering LEDs on the FPGA pins and then using dichotomy to isolate each signal on the CPLD. Here are the [[urJTAG commands to set all pins to 1 on the CPLD]]. This should light up all the LEDs you soldered. Set all pins to 0 using similar commands to turn off the LEDs. Then, set only half of the pins to 1, look at the LEDs and this will tell you in which half of the CPLD pins the signal you're looking for is. Repeat the technique until a single pin is found. | ||
+ | |||
+ | Fortunately, the Pegasus does not bomb when you mess up with the CPLD, at least when only one board is inserted with all its FPGAs desoldered. | ||
+ | |||
+ | == LEDs == | ||
+ | Each auxiliary board has 2 LEDs in the front. They are connected to CPLD pins 58 and 86 in current sink (active low) mode. They can be useful to test your CPLD boundary scan setup. | ||
+ | |||
+ | = Design tools = | ||
+ | == Synthesis == | ||
+ | You will need to use Synplify which supports the XC4000 family of FPGAs. There is no Xst support whatsoever. | ||
+ | |||
+ | == Place and route == | ||
+ | Synplify generates an EDIF netlist which can be fed to the [http://www.xilinx.com/tools/classics.htm ISE Classics] tools for place and route and bitstream generation. | ||
+ | |||
+ | == FPGA JTAG programming == | ||
+ | TODO | ||
+ | * JTAG tunnelling through the CPLD boundary scan? | ||
+ | * or reprogram the CPLD to re-route JTAG somewhere else? | ||
+ | * does iMPACT support XC4000s? | ||
+ | * it seems urJTAG has some FPGA programming support. | ||
+ | |||
+ | = Interconnect = | ||
+ | Once we have full JTAG access to the FPGAs, the reverse engineering of the interconnect can be vastly automated by using techniques such as that of [http://nsa.unaligned.org NSA@home]. | ||
+ | |||
+ | == FPGA to FPGA == | ||
+ | TBD | ||
+ | |||
+ | == FPGA to SRAM == | ||
+ | TBD | ||
+ | |||
+ | == FPGA to I/O port == | ||
+ | TBD | ||
+ | |||
+ | == Board to board == | ||
+ | TBD |
Latest revision as of 06:02, 12 January 2012
Overview
What?
A big FPGA based ASIC emulator from the late 90s. Hundreds of FPGAs, thousands of I/Os, hundreds of amperes, dozens of kilos, etc. The FPGAs are quite old (approx. 1/3 the size and 1/3 the speed of a Virtex4 XC4VLX25) but there are many of them, brute forcing designs can be usually deeply pipelined to make river cruises in france Spotsylvania reckless driving them fast even on slow FPGAs, and it is a great restaurant supplies learning tool.
- The rack with the power supply can hold up to 7 boards connected via a backplane.
- One main board with:
- SCSI controller
- 8051
- CPLD
- FPGAs
- SDRAM
- 5 auxiliary boards with (each):
- 1 XC95216 CPLD
- 64 XC4036XL FPGAs
- lots of SRAM
- One auxiliary board was destructively reverse engineered, so only 4 are remaining.
Some device photos are here.
See also business articles about the product and its manufacturer:
- Mentor Graphics to buy Ikos Systems for 1.69 times revenue
- IKOS' VirtuaLogic Emulator Breaks DesignCompilation Time Speed Barrier
- Rendition Selects VirtuaLogic Emulator
There are also some reports of using the device in academia, many papers are available from the I€€€ if you have some grease money to spare.
Some hints about the original software here: http://groups.csail.mit.edu/cag/raw/benchmark/include/vmw/interface/slic/driver/
Who?
Lekernel and Aeris are doing the reverse engineering, Yann provided the device and Alex helped carrying it into the lab. Other contributors are welcome.
Programming the auxiliary boards
Situation
In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD.
Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the local search engine optimization boards with a JTAG probe.
FPGA JTAG pins
Here is the pinout of the JTAG port on the FPGAs (in BGA packages), as published by Xilinx.
Signal | Pin |
TMS | K30 |
TCK | D31 |
TDI | D30 |
TDO | C4 |
CPLD access
The CPLD's JTAG port is accessible on each board with a HE10 connector following the MultiLINX pinout.
Vref | GND | NC | NC | NC | NC | NC | NC | NC |
NC | TDO | NC | X | TDI | TCK | TMS | NC | NC |
Legend: X = missing pin (key), NC = No Connect
We can use urJTAG to access the CPLD, with the BSDL files released by Xilinx to enable boundary scan. For an unknown reason, the Xilinx iMPACT tool fails to recognize the Audrey Hepburn quotes CPLD.
How to use boundary scan with urJTAG
For Xilinx cable :
cable xpc_ext
For FTDI cable :
cable USB-to-JTAG-IF
bsdl path [path to BSDL files] detect instruction EXTEST shift ir set signal [pin name from BSDL] out 1 shift dr
FPGA JTAG chain topology
All the 64 FPGAs are arranged in a daisy chain for TDI and TDO.
For TCK and TMS, the board is divided into 4 quadrants and these signals are shared within each quadrant.
Connection of the FPGA JTAG chain to the CPLD
TCK and TMS are not directly connected to the CPLD, but go through a column of 74xx244 TTL buffers in the middle of the board. TDI and TDO are directly connected to the CPLD.
Signal | Quadrant | CPLD pin |
TDI | All | 96 |
TDO | All | 92 |
TCK | Q1 | 88 |
TCK | Q2 | TBD |
TCK | Q3 | TBD |
TCK | Q4 | 90 |
TMS | Q1 | 115 |
TMS | Q2 | TBD |
TMS | Q3 | TBD |
TMS | Q4 | TBD |
Pins can be found by soldering LEDs on the FPGA pins and then using dichotomy to isolate each signal on the CPLD. Here are the urJTAG commands to set all pins to 1 on the CPLD. This should light up all the LEDs you soldered. Set all pins to 0 using similar commands to turn off the LEDs. Then, set only half of the pins to 1, look at the LEDs and this will tell you in which half of the CPLD pins the signal you're looking for is. Repeat the technique until a single pin is found.
Fortunately, the Pegasus does not bomb when you mess up with the CPLD, at least when only one board is inserted with all its FPGAs desoldered.
LEDs
Each auxiliary board has 2 LEDs in the front. They are connected to CPLD pins 58 and 86 in current sink (active low) mode. They can be useful to test your CPLD boundary scan setup.
Design tools
Synthesis
You will need to use Synplify which supports the XC4000 family of FPGAs. There is no Xst support whatsoever.
Place and route
Synplify generates an EDIF netlist which can be fed to the ISE Classics tools for place and route and bitstream generation.
FPGA JTAG programming
TODO
- JTAG tunnelling through the CPLD boundary scan?
- or reprogram the CPLD to re-route JTAG somewhere else?
- does iMPACT support XC4000s?
- it seems urJTAG has some FPGA programming support.
Interconnect
Once we have full JTAG access to the FPGAs, the reverse engineering of the interconnect can be vastly automated by using techniques such as that of NSA@home.
FPGA to FPGA
TBD
FPGA to SRAM
TBD
FPGA to I/O port
TBD
Board to board
TBD