Difference between revisions of "Ikos Pegasus reverse engineering"

From Tmplab
(CPLD access)
(Connection of the FPGA JTAG chain to the CPLD)
Line 67: Line 67:
  
 
== Connection of the FPGA JTAG chain to the CPLD ==
 
== Connection of the FPGA JTAG chain to the CPLD ==
 +
TCK and TMS are not directly connected to the CPLD, but go through a column of 74xx244 TTL buffers in the middle of the board. TDI and TDO are directly connected to the CPLD.
 +
 
{|border="1"
 
{|border="1"
 
|'''Signal'''
 
|'''Signal'''
Line 79: Line 81:
 
|All
 
|All
 
|92
 
|92
 +
|-
 +
|TCK
 +
|Q1
 +
|TBD
 +
|-
 +
|TCK
 +
|Q2
 +
|TBD
 +
|-
 +
|TCK
 +
|Q3
 +
|TBD
 +
|-
 +
|TCK
 +
|Q4
 +
|TBD
 +
|-
 +
|TMS
 +
|Q1
 +
|TBD
 +
|-
 +
|TMS
 +
|Q2
 +
|TBD
 +
|-
 +
|TMS
 +
|Q3
 +
|TBD
 +
|-
 +
|TMS
 +
|Q4
 +
|TBD
 
|}
 
|}

Revision as of 21:20, 11 August 2010

Device overview

  • The rack with the power supply can hold up to 7 boards connected via a backplane.
  • One main board with:
    • SCSI controller
    • 8051
    • CPLD
    • FPGAs
    • SDRAM
  • 5 auxiliary boards with (each):
    • 1 XC95216 CPLD
    • 64 XC4036XL FPGAs
    • lots of SRAM
  • One auxiliary board was destructively reverse engineered, so only 4 are remaining.

Some device photos are here.

Programming the auxiliary boards

Situation

In normal operation, the CPLD receives configuration data from the backplane (originating from the mainboard through the SCSI port) and distributes it to the FPGAs. The CPLD uses JTAG to send data to the FPGAs. The 64 FPGAs on each auxiliary board are arranged to form one big JTAG chain driven by the CPLD.

Because this mode of operation uses a proprietary protocol which is especially hard to reverse engineer since we do not have the original software and SCSI device driver, we are trying to program the boards with a JTAG probe.

CPLD access

The CPLD's JTAG port is accessible on each board with a HE10 connector following the MultiLINX pinout.

Vref GND NC NC NC NC NC NC NC
NC TDO NC X TDI TCK TMS NC NC

Legend: X = missing pin (key), NC = No Connect

We can use urJTAG to access the CPLD, with the BSDL files released by Xilinx to enable boundary scan. For an unknown reason, the Xilinx iMPACT tool fails to recognize the CPLD.

How to use boundary scan with urJTAG

 cable xpc_ext
 bsdl path [path to BSDL files]
 detect
 instruction EXTEST
 shift ir
 set signal [pin name from BSDL] out 1
 shift dr

FPGA JTAG chain topology

All the 64 FPGAs are arranged in a daisy chain for TDI and TDO.

For TCK and TMS, the board is divided into 4 quadrants and these signals are shared within each quadrant.

Ikos jtag.png

Connection of the FPGA JTAG chain to the CPLD

TCK and TMS are not directly connected to the CPLD, but go through a column of 74xx244 TTL buffers in the middle of the board. TDI and TDO are directly connected to the CPLD.

Signal Quadrant CPLD pin
TDI All 96
TDO All 92
TCK Q1 TBD
TCK Q2 TBD
TCK Q3 TBD
TCK Q4 TBD
TMS Q1 TBD
TMS Q2 TBD
TMS Q3 TBD
TMS Q4 TBD