Author Topic: Xilinx XC3S1200 Bitstream - Microblaze pack extraction  (Read 1296 times)


Offline Franc (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« on: May 15, 2022, 08:09:30 pm »
Hey all!!
I'm from the MCU world and a beginner in FPGAs. It's really new to me.

I'm doing analysis on one old PCB and got stuck on this task: the Microblaze (or Picoblaze) firmware.
In the embedded WinCE 6.0 of my PCB I can see that the app expects some data replies from the FPGA XC3S1200, and I think there is some CPU inside the bitstream.

My question is (please): does anyone know how to extract the scripts of the Microblaze from this attached bitstream?
Is it possible?

Cheers!!!  :clap:
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #1 on: May 15, 2022, 09:37:27 pm »
My question is (please): does anyone know how to extract the scripts of the Microblaze from this attached bitstream?
Is it possible?


It is not possible to recover the design from the bitstream.
 
The following users thanked this post: Franc

Offline Foxxz

  • Regular Contributor
  • *
  • Posts: 125
  • Country: us
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #2 on: May 15, 2022, 10:25:02 pm »
There are people who have been working to reverse engineer bitstreams, but as for pulling out the compiled code it's running (I assume that's what you mean by "scripts"), I couldn't say if that's been done. That compiled code may live on your main CPU, flash, or filesystem somewhere. It's possible the bitstream and the code that runs on the softcore are separate.

But we're assuming the FPGA is running a softcore. You don't need that to communicate with a CPU. It could be using an AXI, serial, or other interface.
 
The following users thanked this post: Franc

Offline kmike

  • Regular Contributor
  • *
  • Posts: 59
  • Country: de
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #3 on: May 16, 2022, 04:08:24 pm »
Hi,

What is this attached file? How did you get it (dumped from a flash, or ...)?
It does not look like a bitstream or a binary dump from a configuration flash to me (at least this "FPGA" header is strange).

It is possible to recover the contents of the BRAM from a bitstream, but that would require a valid dump.

Regards,
mike
 
The following users thanked this post: Franc
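kmike's point is that a file has to look like a bitstream before anything can be pulled out of it. The script below is an added example, not code from the thread: it checks a file for the standard Xilinx .bit container header (design name, part, date, time, payload length) and for the configuration sync word 0xAA995566 that Spartan-3 bitstreams carry near the start of the payload. The sample file it builds is constructed for demonstration and is not the thread's Fpga.bin; a file that begins with the ASCII text "FPGA" is used to show the failure path.

```python
"""Triage a file that is claimed to be a Xilinx bitstream (added example)."""
import struct

# Xilinx .bit header: 2-byte big-endian length (9), 9 magic bytes, 2-byte 0x0001,
# then tagged fields 'a' (design), 'b' (part), 'c' (date), 'd' (time), each with a
# 2-byte length, and finally 'e' with a 4-byte length followed by the raw payload.
BIT_MAGIC = bytes.fromhex("0ff00ff00ff00ff000")
# Configuration sync word shared by Xilinx FPGA families, Spartan-3 included.
SYNC_WORD = bytes.fromhex("aa995566")
FIELD_NAMES = {b"a": "design", b"b": "part", b"c": "date", b"d": "time"}


def parse_bit_header(data: bytes) -> dict:
    """Return the .bit header fields; raise ValueError if this is not a .bit file."""
    def need(pos: int, n: int) -> None:
        if pos + n > len(data):
            raise ValueError("truncated .bit header")

    need(0, 13)
    (magic_len,) = struct.unpack(">H", data[0:2])
    if magic_len != 9 or data[2:11] != BIT_MAGIC:
        raise ValueError("no Xilinx .bit magic at offset 0")
    if struct.unpack(">H", data[11:13])[0] != 1:
        raise ValueError("unexpected value after .bit magic")
    pos, fields = 13, {}
    while True:
        need(pos, 1)
        tag = data[pos:pos + 1]
        pos += 1
        if tag == b"e":
            need(pos, 4)
            (length,) = struct.unpack(">I", data[pos:pos + 4])
            fields["data_offset"], fields["data_length"] = pos + 4, length
            return fields
        if tag not in FIELD_NAMES:
            raise ValueError(f"unknown .bit header tag {tag!r}")
        need(pos, 2)
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        need(pos, length)
        # Fields are NUL-terminated ASCII strings; strip the terminator.
        text = data[pos:pos + length].rstrip(b"\0").decode("ascii", "replace")
        fields[FIELD_NAMES[tag]] = text
        pos += length


def find_sync_word(data: bytes, start: int = 0) -> int:
    """Offset of the first configuration sync word at or after start, or -1."""
    return data.find(SYNC_WORD, start)


def triage(data: bytes) -> str:
    """One-line verdict on whether data looks like a Xilinx bitstream."""
    try:
        hdr = parse_bit_header(data)
    except ValueError as exc:
        sync = find_sync_word(data)
        if sync >= 0:
            return f"raw bitstream (no .bit header: {exc}); sync word at offset {sync}"
        return f"not a recognised Xilinx bitstream ({exc}); no sync word found"
    sync = find_sync_word(data, hdr["data_offset"])
    if sync < 0:
        return f"Xilinx .bit header for part {hdr['part']} but no sync word in payload"
    return f"Xilinx .bit for part {hdr['part']} ({hdr['design']}), sync word at offset {sync}"


def make_sample_bit() -> bytes:
    """Constructed .bit-style file for demonstration; part and design name are made up."""
    def field(tag: bytes, text: str) -> bytes:
        s = text.encode() + b"\0"
        return tag + struct.pack(">H", len(s)) + s

    # Dummy words, the sync word, then 16 bytes of constructed filler payload.
    body = b"\xff" * 8 + SYNC_WORD + bytes(16)
    return (struct.pack(">H", 9) + BIT_MAGIC + struct.pack(">H", 1)
            + field(b"a", "top.ncd;UserID=0xFFFFFFFF")
            + field(b"b", "3s1200efg320")
            + field(b"c", "2022/05/15")
            + field(b"d", "20:09:30")
            + b"e" + struct.pack(">I", len(body)) + body)


# Constructed stand-in for a file whose first bytes are the text "FPGA".
FAKE_FPGA_BIN = b"FPGA" + bytes(60)

if __name__ == "__main__":
    print(triage(make_sample_bit()))
    print(triage(FAKE_FPGA_BIN))
```

The three outcomes (valid .bit container, headerless raw bitstream with a sync word, unrecognised file) are what you want to know before spending time on BRAM extraction; a vendor update pack may wrap the bitstream in its own container, in which case neither check matches at offset 0 and a sync-word search over the whole file is the next step.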

Offline Franc (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #4 on: May 16, 2022, 05:50:15 pm »
Dear Kmike!

I found this binary in the software update pack of my PCB. In the update pack, I can see this file called fpga.bin.
Also I can see one Coldfire next to it; maybe this Coldfire boots the FPGA bitstream?

BRAM, oh interesting, how can I find it? Can I share the software update with you?  :phew:

Cheers!! :-+
 

Offline laugensalm

  • Regular Contributor
  • *
  • Posts: 129
  • Country: ch
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #5 on: May 18, 2022, 08:42:23 am »
My question is (please): does anyone know how to extract the scripts of the Microblaze from this attached bitstream?
Is it possible?


It is not possible to recover the design from the bitstream.

Depends on what you mean by 'design'; you'll never get out something readable, rather a quite unreadable huge netlist when decompiled into source. I can't comment on the tools though. Also, not sure of the status of the Spartan-3 family these days; Xilinx used to be good at eliminating web sources for reverse engineering.
However, BRAM images are extracted quite easily; there might be a few sources left on the web concerning the reverse of the data2mem process (the BMM file procedure). Figuring out the mapping can be fun; you need to know what to look for (i.e. opcodes of the architecture).

In most cases, decompiling is not worth it, unless there's some scrambling present that prevents you from doing black box analysis (i.e. just seeing what it does). For practising though: good luck :-)
 
The following users thanked this post: Franc

Offline kmike

  • Regular Contributor
  • *
  • Posts: 59
  • Country: de
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #6 on: May 18, 2022, 09:59:39 am »
After some work with your "Fpga.bin" file, I got the BRAM blocks extracted, but they are all empty (0x00).

I do not think there is a Microblaze or a Picoblaze in this design, as both would need BRAM blocks for code.
 
The following users thanked this post: Franc
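kmike's verdict rests on one observation: every extracted BRAM block is all zeros, so there is nowhere for Picoblaze or Microblaze code to live. The helper below is an added example, not from the thread, that makes that check mechanical and goes a step further by sorting extracted images into empty, constant-fill, sparse, structured and high-entropy classes, which is the first question laugensalm's "know what to look for" advice raises. The entropy thresholds are heuristics chosen for this example, the block site names are made up, and the sample images are constructed here rather than taken from the thread's file.

```python
"""Classify BRAM images pulled out of a bitstream (added example)."""
import hashlib
import math
from collections import Counter


def byte_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_bram(image: bytes) -> str:
    """Coarse verdict on what a BRAM image might hold (thresholds are heuristic)."""
    if not image or set(image) == {0}:
        return "empty"
    if len(set(image)) == 1:
        return f"constant fill (0x{image[0]:02x})"
    ent = byte_entropy(image)
    if ent < 2.0:
        # Only a few byte values: padding, small constant tables, flag words.
        return "sparse data"
    if ent > 7.5:
        # Near-uniform bytes: compressed or encrypted payload rather than plain code.
        return "high entropy (compressed or encrypted?)"
    # Many values but a skewed distribution: typical of instruction streams and tables.
    return "structured content (possibly code or lookup tables)"


def summarise(images: dict) -> dict:
    """Map each named BRAM image to its verdict."""
    return {name: classify_bram(img) for name, img in images.items()}


def all_empty(images: dict) -> bool:
    """True when every image is all-zero, i.e. no soft-core code is stored in BRAM."""
    return all(classify_bram(img) == "empty" for img in images.values())


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler from chained SHA-256 (constructed test data)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample images sized like the data half of a Spartan-3 18 Kbit block
# RAM (2 KiB); the site names are placeholders, not from any real extraction.
SAMPLE_IMAGES = {
    "RAMB16_X0Y0": bytes(2048),
    "RAMB16_X0Y1": b"\xff" * 2048,
    "RAMB16_X1Y0": bytes([0, 0, 0, 1] * 512),
    "RAMB16_X1Y1": bytes(range(64)) * 32,
    "RAMB16_X2Y0": pseudo_random(2048),
}

if __name__ == "__main__":
    for name, verdict in summarise(SAMPLE_IMAGES).items():
        print(f"{name}: {verdict}")
    print("all BRAM empty:", all_empty(SAMPLE_IMAGES))
```

Run against the images your extraction tool produced, `all_empty()` answers kmike's question directly; when it is false, the per-block verdicts tell you which blocks deserve a closer look with the instruction encoding of the suspected soft core, which is the mapping work laugensalm describes.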

Offline Franc (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #7 on: May 18, 2022, 01:04:03 pm »
Dear laugensalm... Thanks so much for your help!  :-+
I'm still searching for what happens in the FPGA that decodes some data coming from one encrypted dump (external memory); it's small and looks not very complex, but I have no idea as I'm a beginner.  BMM, let me check what it is. Thanks again.


 

Offline Franc (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #8 on: May 18, 2022, 01:20:21 pm »
Dear kmike, wow! Thanks so much!  8)
So BRAM is blank, interesting!! Is it possible for the BRAM contents to be stored outside of the bitstream?
I can't see this data being decoded without one CPU (as it's encrypted); that was my reason for thinking they were using one Microblaze.
 
Is there a way to debug this bitstream? Any tool?

Cheers!!!
 

Offline kmike

  • Regular Contributor
  • *
  • Posts: 59
  • Country: de
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #9 on: May 18, 2022, 04:31:39 pm »
BRAM is block RAM inside the FPGA.

Picoblaze can only run from BRAM.
Microblaze could theoretically run from an external memory, although I never had to try. It is easier to just use a small bootloader in BRAM, and do everything else from there.

You do not need a CPU inside the FPGA for crypto operations. (You don't need a CPU in an FPGA for a lot of tasks :-) )

Like laugensalm already mentioned, you can only do a black box analysis; there is no way you can get HDL back from the bitstream.
 
The following users thanked this post: Franc

Offline Franc (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Re: Xilinx XC3S1200 Bitstream - Microblaze pack extraction
« Reply #10 on: May 18, 2022, 10:16:32 pm »
I see, kmike!! It was very useful.

What is 'black box' in FPGA? Can I only insert inputs and check the outputs? What tool can I use to do it?

Cheers!!
 

