Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
en:reverse-engineering:jtag:start [2013/02/16 08:41] alex [Netlist Extraction] |
en:reverse-engineering:jtag:start [2013/02/16 09:30] alex [Links] |
||
|---|---|---|---|
| Line 13: | Line 13: | ||
| ===== Netlist Extraction ===== | ===== Netlist Extraction ===== | ||
| - | Once a JTAG access port is located on a board, extracting a netlist is relatively straightforward. Well, with the right tools, anyway. The utility of having the netlist depends on the purpose of the board. For some boards, the netlist is of little use. However, some very good deals on boards with very large FPGAs on them pop up from time to time on eBay and other surplus and auction sites. These boards can be used as very powerful FPGA development boards, but without information about the interconnections between the FPGAs, they are quite difficult to use. The folks over at [[http://nsa.unaligned.org/|NSA@home]] used repurposed HD video transform boards loaded with FPGAs to build an MD5 hash cracking machine, and they developed a JTAG reverse-engineering tool called [[http://nsa.unaligned.org/jrev.php|jrev]] to extract the netlist. | + | Once a JTAG access port is located on a board, extracting a netlist is relatively straightforward. Well, with the right tools, anyway. The utility of having the netlist depends on the purpose of the board. For some boards, the netlist is of little use. However, some very good deals on boards with very large FPGAs on them pop up from time to time on eBay and other surplus and auction sites. These boards can be used as very powerful FPGA development boards, but without information about the interconnections between the FPGAs, they are quite difficult to use. When each FPGA is a BGA package with over 1000 pins and the board has 4 or more layers, the process becomes prohibitively tedious to perform manually. The folks over at [[http://nsa.unaligned.org/|NSA@home]] used repurposed HD video transform boards loaded with FPGAs to build an MD5 hash cracking machine, and they developed a JTAG reverse-engineering tool called [[http://nsa.unaligned.org/jrev.php|jrev]] to expedite the prcess of extracting the netlist. |
| The process of netlist extraction is very simple. Turn all the I/O pins to inputs, turn one on, look at all the pins, turn it off, look at all the pins again, and see what changed. Repeat this for every JTAG accessible pin on the board. The jrev tool does this for a parallel port JTAG cable, and the ftjrev tool does this for FTDI based USB jtag cables. However, these tools can only find connections between JTAG enabled pins. | The process of netlist extraction is very simple. Turn all the I/O pins to inputs, turn one on, look at all the pins, turn it off, look at all the pins again, and see what changed. Repeat this for every JTAG accessible pin on the board. The jrev tool does this for a parallel port JTAG cable, and the ftjrev tool does this for FTDI based USB jtag cables. However, these tools can only find connections between JTAG enabled pins. | ||
| - | As the JTAG boundary scan functionality allows for access to the IO pins of the chips, it is possible to probe pins with external signal sources and sinks as well as other JTAG enabled pins. I created an [[http://github.com/alexforencich/ftjrev|ftjrev github repository]] to store the modified ftjrev code as well as the required device definition files. | + | As the JTAG boundary scan functionality allows for access to the IO pins of the chips, it is possible to probe pins with external signal sources and sinks as well as other JTAG enabled pins. I created a [[http://github.com/alexforencich/ftjrev|github repository for ftjrev]] to store the modified code as well as the required device definition files. |
| ===== ftjrev ===== | ===== ftjrev ===== | ||
| Line 136: | Line 136: | ||
| Total boundary scan chain: 8572 | Total boundary scan chain: 8572 | ||
| Clock pass... | Clock pass... | ||
| - | CLOCK: 0[XC5VLX330-FFG1760]:IO_AN14 | ||
| - | CLOCK: 0[XC5VLX330-FFG1760]:IO_J13 | ||
| - | CLOCK: 0[XC5VLX330-FFG1760]:IO_K13 | ||
| - | CLOCK: 1[XC3S1200E-FT256]:IPAD78 | ||
| - | CLOCK: 1[XC3S1200E-FT256]:K2 | ||
| - | CLOCK: 1[XC3S1200E-FT256]:IPAD258 | ||
| - | CLOCK: 1[XC3S1200E-FT256]:L8 | ||
| - | CLOCK: 2[XC5VLX330-FFG1760]:IO_AM13 | ||
| - | CLOCK: 2[XC5VLX330-FFG1760]:IO_J30 | ||
| - | CLOCK: 2[XC5VLX330-FFG1760]:IO_P37 | ||
| Probing outputs, press ctrl+c to stop... | Probing outputs, press ctrl+c to stop... | ||
| </code> | </code> | ||
| Line 158: | Line 148: | ||
| * [[http://www.ledz.co.kr/arm/USB_JTAG_A1/main_USB_JTAG_A1_en.htm|LedZ.co.kr USB JTAG A1 cable]] | * [[http://www.ledz.co.kr/arm/USB_JTAG_A1/main_USB_JTAG_A1_en.htm|LedZ.co.kr USB JTAG A1 cable]] | ||
| * [[http://www.ledz.co.kr/avr/main_jtagisp_en.htm|LedZ.co.kr JTAG cables]] | * [[http://www.ledz.co.kr/avr/main_jtagisp_en.htm|LedZ.co.kr JTAG cables]] | ||
| + | * [[http://dangerousprototypes.com/docs/Bus_Blaster|Bus Blaster JTAG cable]] | ||