How to read contents of a Xilinx ISE bit file

[kody]

Hi,

Is there a way to read contents of a bit file?
Anyway to know what the .bit has been configured for?
Does not work via notepad.


Thanks,
Kody

[langwadt]

what are you trying to do?

if you open a bit file in an edit that can show hex you can see, what part it is for and when it was build that's about it, the rest is just a big blob of binary data only Xilinx understands 

[jancumps]

Dangerous prototypes had a post about this:
http://dangerousprototypes.com/2012/03/12/hacking-the-fpga-bitstream/

I tried to understand the documentation they refer to, but failed

[Hardcorefs]

@Jancumps
You don't want to believe everything you read on  'dangerous prototypes', both of these subject papers  are massive fields in their own rights, it's not a job for a lazy Saturday afternoon…… ( you can see that post was from 2 years ago and I added another reference  to show  'portability'  result in about 9 hours or less!!!!)


Basically one paper outlines a method where you can ' jiggle' and monitor the power-supply of the FPGA to get at the internal  security keys. ( used to protect the FPGA), technically speaking it is NOT hacking the bit file. it is key recovery via power analysis and a massive subject in its own right.


with these keys you can supposedly 'decrypt'  an encrypted 'bit' file  ( there are XILINX encrypted & non-encrypted bit files, easy way to identify if the hardware is using encryption, is to identify if the hardware has the encryption key battery fitted, if not , then it does not house encryption keys in the FPGA RAM area)

*NOTE …. Decryption IS NOT getting access to the schematic or even the gate level data.  Consider it like a password protected ZIP file, all it gives you is access to the unencrypted data of THE bit file.
This allows you to load that BIT file onto  an IDENTICAL clone of the hardware, or even program your clone with the 'stolen' keys, so the CLONE device behaves like the original.
(XILINX encryption keys are meant to prevent CLONERS first and decompilers second)

The second paper
'From the bitstream to the netlist', is a long way from  fully decoding a bitstream, since you would have to model each and every logic cell in the TARGET FPGA to identify what  VHDL produced it.
This would give you a database reference list to compare against the bit file configuration data ( and it would not even cover IP cores).

Disassembly or reverse engineering of the bit file into  schematics/ logic gates is entirely a separate topic and is a closely guarded secret of XILINX.

Since the binary 1:1 mapping of the internal logic switches and routing fabric is a trade secret.

You can actually make a start:

1. Design a SIMPLE gate in XSE
2. compile a bit file
3. compare the bitfile to the SIMPLE gate you designed and its location in the FPGA
4. go back to 1 several hundred thousand (or millions depending on the FPGA )times with different gate designs ( to map each bit/ result to actual results in the file)

try to compare your target bit file with your results by identifying identical bit values to give you the logic gate construction.

HC