
Reverse engineering Anlogic AL3_10 FPGA


pcprogrammer:
Getting the trigger signals right is a bit of a pain in the bum. |O

By the looks of it I have the rising edge part working as intended, but the falling edge is wrong. As written before the way it is done is not how I would do it, and that makes it more difficult to grasp the logic behind it.

It involves quite a bit of signals that are combined together making up detects and enables for the rising and the falling edge, and with the aid of simulation I was able to determine that it uses "less than or equal to" against the set level for both the current and the previous sample, and based on the trigger edge setting it uses one of the signals to decide on being triggered.

So a bit more investigating is needed to find why the falling edge is not working as expected.
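Added example, not part of the thread or of the linked repository: a behavioural model of an edge trigger built from the two "less than or equal to" comparisons described in the post above, usable as a reference when checking a simulated design for both edge settings. How the two comparison results are combined into rising and falling detects is an assumption, as are the function name, the sample values and the level.

```python
# Behavioural model of an edge trigger derived from two "<= level" comparisons.
# The way the comparison results are combined is an assumption for illustration,
# not the netlist recovered from the bit stream.

RISING, FALLING = "rising", "falling"


def trigger_positions(samples, level, edge):
    """Return the indexes of the samples at which the selected edge fires."""
    hits = []
    for i in range(1, len(samples)):
        prev_le = samples[i - 1] <= level  # comparison on the previous sample
        cur_le = samples[i] <= level       # comparison on the current sample
        rising = prev_le and not cur_le    # was at or below the level, now above
        falling = cur_le and not prev_le   # was above the level, now at or below
        if (rising if edge == RISING else falling):
            hits.append(i)
    return hits


# Constructed sample stream that touches the level exactly several times.
# A sample equal to the level counts as "below" for both edges, so moving
# from 60 to 128 or from 127 to 128 does not fire a rising trigger.
SAMPLES = [10, 50, 128, 200, 128, 60, 128, 129, 127, 128]
LEVEL = 128

if __name__ == "__main__":
    print("rising :", trigger_positions(SAMPLES, LEVEL, RISING))
    print("falling:", trigger_positions(SAMPLES, LEVEL, FALLING))
```
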

pcprogrammer:
Not exactly like the original but in simulation it looks like it works for both the rising and the falling edge.

Next up is the part to read the samples with the MCU, and then run a test on the actual scope.

Not sure if I'm going to tackle the I2C part in the making it more readable. The journey was to see if it was possible to reverse engineer an FPGA and that has been confirmed.

pcprogrammer:
Bit of a downer :-//

I finished off the translation and compiled it with the Tang Dynasty IDE. Had to fix a small issue with loading a register from two sources, but that was easy to solve. Without the I2C part in it the number of used bits is about 55% of the original :)

But dammit it did not work on the scope.

Tried using timing constraints and it failed to reach the 200MHz timing :palm: The crude reverse engineered code did though, so a bit of a mystery as to why this one fails.

Will play a bit more with the simulator to see if it reacts as expected and if so try to improve the code a bit.

I did find another missing thing. The software writes to command 0x28 to select between sampling via memory or direct reading the samples, but there is nothing in the FPGA for supporting command 0x28 :-DD

pcprogrammer:
Decided it is time to move on to other projects. 8)

The more readable version I distilled from the crude version compiles with timing problems and does not work on the scope, but in simulation the response seems to be correct. Since it is a crap design I don't feel the urge to continue on it.

With the crude version of the design, generated with the tool I wrote for it, it is proven that it is possible to get a somewhat working design from a given bit stream. Renamed most of the nets, and the ones left are for reading the data with the MCU and for the I2C part of the design.

Granted it is not perfect, and there are still issues when compiling it back into a bit stream due to compiler version, timing constraints and differences in place and route.

Conclusion is that it requires a lot of patience, skill and persistence to get a thing like this done. It was fun and I learned a lot from it about the working of FPGAs and simulation.

I uploaded the latest results to the repository https://github.com/pecostm32/Anlogic_AL3-10_Analyzing

tv84:

--- Quote from: pcprogrammer on November 19, 2022, 12:08:06 pm ---Decided it is time to move on to other projects. 8)

The more readable version I distilled from the crude version compiles with timing problems and does not work on the scope, but in simulation the response seems to be correct. Since it is a crap design I don't feel the urge to continue on it.

With the crude version of the design, generated with the tool I wrote for it, it is proven that it is possible to get a somewhat working design from a given bit stream. Renamed most of the nets, and the ones left are for reading the data with the MCU and for the I2C part of the design.

Granted it is not perfect, and there are still issues when compiling it back into a bit stream due to compiler version, timing constraints and differences in place and route.

Conclusion is that it requires a lot of patience, skill and persistence to get a thing like this done. It was fun and I learned a lot from it about the working of FPGAs and simulation.

I uploaded the latest results to the repository https://github.com/pecostm32/Anlogic_AL3-10_Analyzing

--- End quote ---

First of all: my deepest RESPECT for what you accomplished here.  :clap: :clap:

It's mind-blowing the level of knowledge, wit and resilience you showed! Doing all this quest alone is quite a feat.  :palm:

I had surfed your MCU software investigations but I had never seen this FPGA reversing thread, until today. Just to be able to follow your descriptions requires a unique amount of knowledge (that I unfortunately only have a small part of) but, nonetheless, provides a perfect sense of how a reverse process goes along and how a reverser's mind works.

Love the iteration, bug catching, optimization, head banging, adaptation, accomplishment satisfaction, return to start...

Very well done. This is pure reversing and looks amazing in one's curriculum!  :popcorn: 

I hope to see (one day) you finish the work with the official HYPER-CRAP design and tools... (I know, from experience, that such an endeavour is never finished, in one's mind, if we don't properly close it...  :D)
