All of the boys and all of the girls want to FPGA-me
August 18, 2011 12:10 AM Subscribe
Is there a way to directly download a coded configuration from an FPGA board to a computer?
I need to modify some code on an FPGA (Altera Nios II, Stratix II; I believe the code was written in C?) The only problem is...I don't have the code. Or the knowledge to reverse-engineer it.
I have some idea of how it works now and what I need to change: right now, it downloads three parameters over a UART connection, uses those parameters to solve an equation to generate a frequency and phase table, and gradually feeds the table into a pair of DDS chips. I want to generate the frequency and phase table on a computer, pass that over the UART connection, and then proceed as normal. I don't have any real training in programming or electrical engineering, but I imagine (hope? wish?) that this isn't too big of a change.
The problem is, I don't have the configuration code on the FPGA. As tends to happen in science, it was written by someone (I'm not even really sure who?) years ago, and has gotten passed around until it became part of my project. And I'm not comfortable enough with FPGA programming to try rebuild the configuration from scratch. What would really be helpful for me is to be able to somehow download the configuration program from the FPGA to a computer, mess around with it a bit in the FPGA design software, and then download it back with modifications. I can find plenty on Google about downloading to FPGAs, but nothing about trying to get a configuration off of a chip. Is this even possible? How?
I need to modify some code on an FPGA (Altera Nios II, Stratix II; I believe the code was written in C?) The only problem is...I don't have the code. Or the knowledge to reverse-engineer it.
I have some idea of how it works now and what I need to change: right now, it downloads three parameters over a UART connection, uses those parameters to solve an equation to generate a frequency and phase table, and gradually feeds the table into a pair of DDS chips. I want to generate the frequency and phase table on a computer, pass that over the UART connection, and then proceed as normal. I don't have any real training in programming or electrical engineering, but I imagine (hope? wish?) that this isn't too big of a change.
The problem is, I don't have the configuration code on the FPGA. As tends to happen in science, it was written by someone (I'm not even really sure who?) years ago, and has gotten passed around until it became part of my project. And I'm not comfortable enough with FPGA programming to try rebuild the configuration from scratch. What would really be helpful for me is to be able to somehow download the configuration program from the FPGA to a computer, mess around with it a bit in the FPGA design software, and then download it back with modifications. I can find plenty on Google about downloading to FPGAs, but nothing about trying to get a configuration off of a chip. Is this even possible? How?
yeah, there's 2 (conceptually) distinct things being loaded onto the FPGA. the FPGA configuration itself, which is for all practical purposes not reverse engineerable. then there's the program executed by the FPGA as configured, which is far more amenable to reverse engineering, but that's not saying a lot.
if all you want to do is read data from a UART, perhaps buffer it, and then write it out to the DDS hardware, it'll almost certainly be simpler in the end to just redo (or get someone to redo) the FPGA bitstream to carry out that function and drop the Nios II soft-CPU entirely.
posted by russm at 4:08 AM on August 18, 2011
if all you want to do is read data from a UART, perhaps buffer it, and then write it out to the DDS hardware, it'll almost certainly be simpler in the end to just redo (or get someone to redo) the FPGA bitstream to carry out that function and drop the Nios II soft-CPU entirely.
posted by russm at 4:08 AM on August 18, 2011
Response by poster: Thanks for the clarification, hattifattener and russm--I've really only started on the FPGA stuff about a week ago, so the configuration/program distinction and explanations are very helpful. I sort of suspected this might not be possible, but I have a few other options to look at. Thank you!
posted by kagredon at 8:46 AM on August 18, 2011
posted by kagredon at 8:46 AM on August 18, 2011
FWIW, if you've got a lot of talented engineers and equipment, it could be possible to reverse engineer the FPGA.
posted by pwnguin at 10:27 PM on August 18, 2011
posted by pwnguin at 10:27 PM on August 18, 2011
that recent attack only lets you extract an encrypted config bitstream from a "protected" FPGA, but doesn't help you understand or modify the bitstream's functionality. this potentially allows you to buy a hardware device and clone it (by extracting/decrypting the bitstream and loading it onto another board) but doesn't help kagredon modify the functionality of the board she has.
posted by russm at 2:15 AM on August 19, 2011 [1 favorite]
posted by russm at 2:15 AM on August 19, 2011 [1 favorite]
This thread is closed to new comments.
The data loaded into the FPGA (the "configuration bitstream") is like compiled code, only more so. Its format and meaning are kept secret by the FPGA manufacturer, and its non-reverse-engineerability is actually a selling point to some customers (who are worried that their competitors will reverse-engineer their FPGAs). If this is what you need to do, I think the path of least resistance is to reimplement everything from scratch (or, perhaps, stick another FPGA in between your existing FPGA and the DDSs, and just reimplement the DDS control).
Because you mention Nios and C-language source, it's possible that you don't actually need to change the FPGA configuration bitstream, but only the program that the soft-cpu is executing. That would be possible to do— Nios's instruction format is probably documented somewhere— but it would be fairly difficult. Reverse-engineering and patching machine code, especially on an unfamiliar cpu in an unknown embedded environment, is a pain.
In either case, any useful highlevel parts of the program, like variable names or comments, are long gone.
posted by hattifattener at 1:08 AM on August 18, 2011