Ikos Pegasus reverse engineering
Device overview
- The rack with the power supply can hold up to 7 boards connected via a backplane.
- One main board with:
- SCSI controller
- 8051
- CPLD
- FPGAs
- SDRAM
- 5 auxiliary boards with (each):
- 1 XC95216 CPLD
- 64 XC4036XL FPGAs
- lots of SRAM
- One auxiliary board was destructively reverse engineered, so only 4 are remaining.
Some device photos are here.
Programming the auxiliary boards
Situation
In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD.
Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the boards with a JTAG probe.
CPLD access
The CPLD's JTAG port is accessible on each board with a HE10 connector following the MultiLINX pinout.
Vref | GND | NC | NC | NC | NC | NC | NC | NC |
NC | TDO | NC | X | TDI | TCK | TMS | NC | NC |
Legend: X = missing pin (key), NC = No Connect
We can use urJTAG to access the CPLD, with the BSDL files released by Xilinx to enable boundary scan. For an unknown reason, the Xilinx iMPACT tool fails to recognize the CPLD.
How to use boundary scan with urJTAG
cable xpc_ext bsdl path [path to BSDL files] detect instruction EXTEST shift ir set signal [pin name from BSDL] out 1 shift dr
FPGA JTAG chain topology
All the 64 FPGAs are arranged in a daisy chain for TDI and TDO.
For TCK and TMS, the board is divided into 4 quadrants and these signals are shared within each quadrant.
Connection of the FPGA JTAG chain to the CPLD
TCK and TMS are not directly connected to the CPLD, but go through a column of 74xx244 TTL buffers in the middle of the board. TDI and TDO are directly connected to the CPLD.
Signal | Quadrant | CPLD pin |
TDI | All | 96 |
TDO | All | 92 |
TCK | Q1 | 88 |
TCK | Q2 | TBD |
TCK | Q3 | TBD |
TCK | Q4 | 90 |
TMS | Q1 | 115 |
TMS | Q2 | TBD |
TMS | Q3 | TBD |
TMS | Q4 | TBD |
LEDs
Each auxiliary board has 2 LEDs in the front. They are connected to CPLD pins 58 and 86 in current sink (active low) mode. They can be useful to test your CPLD boundary scan setup.
Design tools
Synthesis
You will need to use Synplify which supports the XC4000 family of FPGAs. There is no Xst support whatsoever.
Place and route
Synplify generates an EDIF netlist which can be fed to the ISE Classics tools for place and route and bitstream generation.
FPGA JTAG programming
TODO
- JTAG tunnelling through the CPLD boundary scan?
- or reprogram the CPLD to re-route JTAG somewhere else?
- does iMPACT support XC4000s?
Interconnect
The reverse engineering of the interconnect can be vastly automated by using techniques such as that of NSA@home.
FPGA to FPGA
TBD
FPGA to SRAM
TBD
FPGA to I/O port
TBD
Board to board
TBD