FPGAs Reverse Engineering

Kartik Dhok
Feb 21, 2021

Reverse engineering is used to analyse an existing system; it also helps in designing and creating copies by identifying the components and the interrelationships between them.

Reverse engineering of an FPGA aims to recover and re-configure the netlist inside the FPGA in different ways. The relevant components of FPGA programming are the Xilinx FPGA itself, the XDL (Xilinx Design Language) description and the bitstream. There are also different tools that can be used for reverse engineering, such as Debit, BIL and Bit2ncd; these tools extract the bitstream on its way from the external memory to the FPGA and then use it to recover the netlist.

Reverse engineering methods help improve vendor and user awareness of security issues and also help protect FPGAs from being reverse engineered. There are various approaches to FPGA reverse engineering; one is to capture the bitstream as it is loaded from an external memory into the FPGA. FPGAs use a variety of memory schemes: PROM (programmable ROM), anti-fuse, static RAM (SRAM) and flash. Most FPGAs use SRAM because of its low price and re-programmability, but since SRAM is volatile, such FPGAs need an external non-volatile memory component to store the programming code. For reverse engineering, the bitstream can be captured on this download path. Extracting the bitstream from the external memory is non-invasive and does not damage the FPGA, which is why this method is used in criminal investigation, the military and the security industry, where the targeted hardware must not be damaged.

To reverse engineer a bitstream into a gate-level netlist, the first step is to understand the bitstream file structure, which is usually provided by the FPGA vendor. The bitstream file is divided into four parts: the command header, the configuration load, the command footnote (footer) and the boot-up order. Looking at Xilinx FPGAs, the configuration load determines the configuration points, which consist of lookup tables, memories, registers, multiplexers and so on, and the programmable interconnection points, i.e. the switch boxes. To reverse a bitstream, we aim to find the mapping between the configuration load and the configuration points and programmable interconnection points.
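The first step above, understanding the file structure, is concrete enough to show in code. The following parser is an added example written for this post and is not code from the author or from any of the tools named here. It assumes the Xilinx .bit container layout as understood by community tools (a short magic prefix, then length-prefixed text fields 'a' to 'd' for design name, part, date and time, then an 'e' field carrying the raw configuration stream) and the Virtex-class packet encoding from the Xilinx configuration user guides (sync word 0xAA995566, Type 1 headers naming a register, Type 2 headers carrying the large FDRI payload that is the configuration load). The sample bitstream it parses is constructed in the block, not taken from a real device.

```python
import struct

# Sync word that opens the configuration data in Xilinx Virtex-class bitstreams;
# everything before it in the .bit container is a vendor header.
SYNC_WORD = 0xAA995566

# Type 1 packet register addresses as given in Xilinx configuration user guides.
REGISTERS = {0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL",
             6: "MASK", 7: "STAT", 8: "LOUT", 9: "COR", 10: "MFWR",
             11: "CBC", 12: "IDCODE", 13: "AXSS"}
OPCODES = {0: "NOP", 1: "READ", 2: "WRITE"}


def parse_bit_header(data):
    """Split a .bit container into its text fields and the raw config stream.
    Layout (assumed): 0x0009 + 9 magic bytes + 0x0001, then 'a'..'d' fields
    (2-byte big-endian length + NUL-terminated text), then 'e' (4-byte length + data)."""
    pos = 0
    magic_len = struct.unpack_from(">H", data, pos)[0]
    pos += 2 + magic_len + 2            # skip the magic bytes and the 0x0001 separator
    fields = {}
    while pos < len(data):
        key = chr(data[pos])
        pos += 1
        if key == "e":
            length = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            fields["data"] = data[pos:pos + length]
            return fields
        length = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        fields[key] = data[pos:pos + length].rstrip(b"\0").decode("ascii")
        pos += length
    raise ValueError("no 'e' field: not a .bit container")


def parse_packets(stream):
    """Decode the packet headers that follow the sync word.
    Type 1 header: [31:29]=001, [28:27]=opcode, [26:13]=register, [10:0]=word count.
    Type 2 header: [31:29]=010, [28:27]=opcode, [26:0]=word count; the register is
    the one named by the preceding Type 1 packet (the big FDRI write that carries
    the configuration load is expressed this way)."""
    n = len(stream) // 4
    words = struct.unpack(">%dI" % n, stream[:n * 4])
    i = words.index(SYNC_WORD) + 1      # ValueError if the stream never syncs
    packets, last_reg = [], None
    while i < len(words):
        hdr = words[i]
        i += 1
        ptype = hdr >> 29
        opcode = OPCODES.get((hdr >> 27) & 0x3, "?")
        if ptype == 1:
            last_reg = (hdr >> 13) & 0x3FFF
            count = hdr & 0x7FF
        elif ptype == 2:
            count = hdr & 0x07FFFFFF
        else:
            continue                    # dummy / padding word, carries no payload
        reg = None if opcode == "NOP" else REGISTERS.get(last_reg, "R%s" % last_reg)
        packets.append((opcode, reg, list(words[i:i + count])))
        i += count
    return packets


def build_sample():
    """Constructed .bit container (not a real device image) holding a tiny config
    stream: NOP, write CMD=RCRC, write FAR=0, then a Type 2 FDRI write of 3 words."""
    def field(key, text):
        s = text.encode() + b"\0"
        return key.encode() + struct.pack(">H", len(s)) + s
    cfg = struct.pack(">II", 0xFFFFFFFF, SYNC_WORD)            # dummy word + sync word
    cfg += struct.pack(">I", 0x20000000)                         # Type 1 NOP
    cfg += struct.pack(">II", 0x30008001, 0x00000007)            # Type 1 WRITE CMD (7 = RCRC)
    cfg += struct.pack(">II", 0x30002001, 0x00000000)            # Type 1 WRITE FAR = 0
    cfg += struct.pack(">I", 0x30004000)                         # Type 1 WRITE FDRI, 0 words
    cfg += struct.pack(">IIII", 0x50000003, 0xDEADBEEF, 0x0000FFFF, 0x12345678)  # Type 2, 3 words
    hdr = struct.pack(">H", 9) + bytes.fromhex("0ff00ff00ff00ff000") + struct.pack(">H", 1)
    hdr += field("a", "demo.ncd;UserID=0xFFFFFFFF") + field("b", "5vlx50tff1136")
    hdr += field("c", "2021/02/21") + field("d", "12:00:00")
    return hdr + b"e" + struct.pack(">I", len(cfg)) + cfg


def demo():
    """Parse the constructed sample and return (header fields, decoded packets)."""
    fields = parse_bit_header(build_sample())
    packets = parse_packets(fields["data"])
    return fields, packets


if __name__ == "__main__":
    fields, packets = demo()
    print("part:", fields["b"], "design:", fields["a"])
    for op, reg, payload in packets:
        print(op, reg, ["0x%08X" % w for w in payload])
```

The header fields (part name, design name, build date) are the cheap first check when a captured bitstream is being analysed, and the decoded packet list shows where the command header ends and the FDRI payload, the configuration load that the rest of this post is about, begins.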

However, this relationship is not disclosed by FPGA vendors, so the undocumented structure of the bitstream file itself serves to protect IP. Looking at the past decade, some reported works state that a bitstream cannot be fully reverse engineered, though it can be reversed partially.

Partial bitstream reversal is useful for extracting the content of some configuration blocks, such as lookup tables and configurable logic blocks. One proposed approach recognizes whether an FPGA system embeds illegal IPs by partially reverse engineering the content of the LUTs of a Xilinx Virtex-II FPGA.

Algorithms, including a correlation algorithm, are used to build a link database between the bitstream and the FPGA contents. The database is based on a few given bitstreams for devices such as the Xilinx Virtex-II, Virtex-4 LXT and Virtex-5 LXT and is used to produce the required gate-level netlist. But this approach cannot build a complete gate-level netlist, because it depends only on the active configurable resource information provided by the Xilinx Design Language (XDL) report generated by the Xilinx EDA tool. The static and unused resource information in the FPGA is lost, so the result is quite different from fully reversed information. A more detailed XDL report can enhance the creation of the mapping database; in particular, the XDL and XDLRC files can provide all active and static configurable resource information. Still, during reversal the cross-correlation algorithm cannot correlate all FPGA resources with the bitstream file well. Nevertheless, different approaches and tools have been developed to reverse engineer FPGA bitstream configurations.
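The correlation approach and its limitation (active LUT bits can be linked, static and unrelated bits cannot) can be demonstrated on a toy model. The block below is an added example written for this post, not code from the author or from any published tool. It assumes a constructed 64-bit configuration frame in which a hidden stand-in for the vendor flow (`ToyBitgen`) stores the 16 INIT bits of one 4-input LUT at secret positions, some inverted, alongside constant bits and bits of unrelated resources; the generated (INIT value, frame) pairs play the role of the XDL report plus bitstream for each generated design. `correlate` builds the link database by agreement counting, and `classify_positions` reports what remains static or unresolved.

```python
import random

FRAME_BITS = 64   # constructed frame size (assumption, not a real device frame)
LUT_BITS = 16     # a 4-input LUT holds a 16-bit INIT truth table


class ToyBitgen:
    """Stand-in for the vendor flow. It stores each LUT INIT bit at a secret frame
    position, some of them inverted, surrounded by static (constant) bits and bits
    belonging to unrelated resources. The reverse engineer only sees (INIT, frame) pairs."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.pos = self.rng.sample(range(FRAME_BITS), LUT_BITS)   # INIT bit k -> frame bit
        self.inv = [k % 3 == 0 for k in range(LUT_BITS)]            # every third bit stored inverted
        others = [p for p in range(FRAME_BITS) if p not in self.pos]
        self.const_pos = others[:len(others) // 2]                   # static resource bits
        self.vary_pos = others[len(others) // 2:]                    # unrelated, design-dependent bits
        self.const_val = {p: self.rng.getrandbits(1) for p in self.const_pos}

    def frame_for(self, init):
        """Emit the frame the tool would produce for a LUT with this INIT value."""
        frame = [0] * FRAME_BITS
        for p in self.const_pos:
            frame[p] = self.const_val[p]
        for p in self.vary_pos:
            frame[p] = self.rng.getrandbits(1)
        for k in range(LUT_BITS):
            frame[self.pos[k]] = ((init >> k) & 1) ^ int(self.inv[k])
        return frame


def correlate(samples):
    """Build the link database: for each INIT bit k, find the frame position whose
    value agrees with bit k in every sample (direct) or in none (inverted).
    samples is a list of (init, frame) pairs. Returns {k: (pos, inverted) or None}."""
    n = len(samples)
    mapping = {}
    for k in range(LUT_BITS):
        cands = []
        for p in range(FRAME_BITS):
            agree = sum(((init >> k) & 1) == frame[p] for init, frame in samples)
            if agree == n:
                cands.append((p, False))
            elif agree == 0:
                cands.append((p, True))
        mapping[k] = cands[0] if len(cands) == 1 else None   # ambiguous -> unresolved
    return mapping


def classify_positions(samples, mapping):
    """Frame bits not claimed by any INIT bit: those constant across all samples are
    static resources; the rest vary without correlating to the LUT and stay unresolved."""
    claimed = {v[0] for v in mapping.values() if v is not None}
    static, unresolved = [], []
    for p in range(FRAME_BITS):
        if p in claimed:
            continue
        (static if len({f[p] for _, f in samples}) == 1 else unresolved).append(p)
    return static, unresolved


def demo(seed=2021, n_designs=32):
    """Generate n_designs LUT configurations with known INIT values (what the XDL
    report would show), correlate them against their frames, and check the recovered
    mapping against the tool's secret placement."""
    tool = ToyBitgen(seed)
    rng = random.Random(seed + 1)
    samples = []
    for _ in range(n_designs):
        init = rng.getrandbits(LUT_BITS)
        samples.append((init, tool.frame_for(init)))
    mapping = correlate(samples)
    static, unresolved = classify_positions(samples, mapping)
    correct = all(mapping[k] == (tool.pos[k], tool.inv[k]) for k in range(LUT_BITS))
    return mapping, static, unresolved, correct


if __name__ == "__main__":
    mapping, static, unresolved, correct = demo()
    print("mapping correct:", correct)
    for k, v in mapping.items():
        print("INIT bit %2d -> frame bit %2d%s" % (k, v[0], " (inverted)" if v[1] else ""))
    print("static bits:", len(static), "unresolved bits:", len(unresolved))
```

With enough generated designs the active LUT bits are linked exactly, including the inverted ones, but the static bits never change across designs and the unrelated bits never correlate with the LUT, so they stay outside the database. That is the gap the post describes: a mapping built only from active resources reported in XDL cannot account for the static and unused configuration, so the recovered netlist is incomplete.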
