Different Techniques of FPGA Reverse Engineering using the bitstream.

Kartik Dhok
3 min read · Apr 21, 2021


This article on FPGA reverse engineering using the bitstream describes the Xilinx design flow, the tools involved, and the files generated during compilation. It also covers several reverse engineering tools, using Xilinx products as the example.

Block diagram of the Xilinx Virtex FPGA and its external PROM

Xilinx FPGA Design

Xilinx supports two integrated development software packages, ISE and Vivado, for FPGA design, simulation and configuration. The ISE design suite supports the Spartan-6 and Virtex-6 devices. In recent years Xilinx has recommended the Vivado design suite, which was newly designed for the 7 series devices: Virtex-7, Kintex-7 and Artix-7.

The Xilinx ISE design flow is shown in the figure. First, the register transfer level (RTL) design (Verilog or VHDL source files) is converted to the Xilinx internal netlist (NGD file) using 'ngdbuild'. Next, 'map' performs technology mapping of the NGD file onto the device primitives, producing a mapped NCD file. Then 'par' places the circuit primitives on the actual FPGA chip and routes the connections between them, producing the placed-and-routed (P&R'd) NCD file. The fully placed and routed NCD file is then compiled into the bitstream (BIT file) using 'bitgen'. After this the BIT file is converted to an MCS file, which is stored in the PROM. In the final stage, when the FPGA board is powered on, the bitstream stored in the PROM (the MCS file) is downloaded into the FPGA to configure it.

Fig. Conceptual diagram of the Xilinx ISE design flow.
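As an added worked example (not code from the article), here is a small Python parser for the BIT file that bitgen produces: it reads the container header (design name, target part, build date and time), extracts the raw configuration data, and locates the sync word 0xAA995566 that marks the start of the configuration packets. These are the first facts an analyst records before interpreting a bitstream; the sample file is constructed inline and does not correspond to any real design.

```python
import struct

# Xilinx .bit container magic: a 9-byte preamble field, then a length-1 field
# whose single byte is the first key ('a'). Keys a-d carry 16-bit lengths,
# key 'e' carries a 32-bit length followed by the raw configuration stream.
BIT_MAGIC = b"\x00\x09\x0f\xf0\x0f\xf0\x0f\xf0\x0f\xf0\x00\x00\x01"
SYNC_WORD = b"\xaa\x99\x55\x66"  # 0xAA995566, start of the configuration packets
FIELD_NAMES = {b"a": "design", b"b": "part", b"c": "date", b"d": "time"}

def parse_bit(blob):
    """Return the header fields, the raw data and the offset of the sync word."""
    if not blob.startswith(BIT_MAGIC):
        raise ValueError("not a Xilinx .bit file (bad magic)")
    pos, info = len(BIT_MAGIC), {}
    while pos < len(blob):
        key, pos = blob[pos:pos + 1], pos + 1
        if key == b"e":
            (length,) = struct.unpack(">I", blob[pos:pos + 4])
            data = blob[pos + 4:pos + 4 + length]
            if len(data) != length:
                raise ValueError("truncated configuration data")
            info["data"] = data
            info["sync_offset"] = data.find(SYNC_WORD)  # -1 if no sync word
            return info
        if key not in FIELD_NAMES:
            raise ValueError("unknown header key %r" % key)
        (length,) = struct.unpack(">H", blob[pos:pos + 2])
        value = blob[pos + 2:pos + 2 + length]
        info[FIELD_NAMES[key]] = value.rstrip(b"\x00").decode("ascii")
        pos += 2 + length
    raise ValueError("no 'e' data field found")

def build_sample_bit():
    """Construct a minimal .bit container around a synthetic payload (not a real design)."""
    def field(key, text):
        s = text.encode("ascii") + b"\x00"  # header strings are NUL-terminated
        return key + struct.pack(">H", len(s)) + s
    payload = (b"\xff" * 8                              # dummy words
               + b"\x00\x00\x00\xbb\x11\x22\x00\x44"    # bus-width detect words
               + b"\xff" * 4                            # dummy word
               + SYNC_WORD
               + b"\x30\x00\x80\x01\x00\x00\x00\x07")   # constructed packet words
    return (BIT_MAGIC + field(b"a", "top.ncd;UserID=0xFFFFFFFF")
            + field(b"b", "6slx9tqg144") + field(b"c", "2021/04/21")
            + field(b"d", "10:00:00") + b"e" + struct.pack(">I", len(payload)) + payload)

if __name__ == "__main__":
    hdr = parse_bit(build_sample_bit())
    print({k: v for k, v in hdr.items() if k != "data"})
```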

This is how the Xilinx ISE design flow works. Several different tools are used for reverse engineering; some of them are: 1) Bit 2nd, 2) BIL (Bitstream Interpretation Library), 3) Debit, etc.

  1. BIL (Bitstream Interpretation Library)

BIL was developed after the Debit tool, with the aim of improving on Debit's correlation method. BIL uses the XDLRC file (a text document that describes the Xilinx FPGA chip architecture and can be used to interpret the XDL file), which leads to more accurate reverse engineering. BIL separates the configuration data into tiles, the smallest units of the FPGA, and uses them to obtain the PIP (Programmable Interconnect Point) data. Tiles of the same type have similar configurations, which makes them easy to separate safely and quickly. Because no bitstream mapping table is available, the tile structure must be learned from the XDLRC in order to separate the configuration data; since the XDLRC describes the FPGA architecture, the correlation between tiles can be found easily from it. The Debit tool has the drawback that it cannot reverse all of the PIP information of the FPGA, because it uses the XDL file as its reverse source. In contrast, the BIL tool can completely reverse the PIP information, using the XDLRC as its reverse source.

The BIL tool was released to interpret and analyse the FPGA and to reverse the bitstream; the figure below shows the conceptual diagram of the BIL flow. The analysis tool has several functions. The first is basic data generation, which creates an address format for processing the configuration memory of the specific device being structured, and then creates a list describing the name and ID of the device. It also has functions that compress the XDLRC and build a table holding the addresses of all tiles in the compressed XDLRC. The XDLRC compression function deletes redundant data and compresses large amounts of data without loss while converting it into binary form.

Fig. Conceptual diagram of the BIL flow.
