
Reverse Engineering the XC2064 FPGA

The document summarizes the reverse engineering of the Xilinx XC2064, one of the first FPGAs. It describes how the author analyzed die photos, documentation, and example bitstreams to understand how the FPGA worked at the transistor level. Key findings include that the FPGA is built from pass transistors, multiplexers, SRAM cells, inverters and a few complex gates. It also maps how the bitstream configures the CLB logic blocks and routing switches laid out in a grid on the die. The author has generated example configuration code and aims to develop a full bitstream parser.


Reverse engineering the first FPGA:

Inside the XC2064

Ken Shirriff
[Link]@[Link]
Field-Programmable Gate Array
● Arbitrary digital logic in a chip
● Can do anything from logic analyzer to HDMI converter to microprocessor
● Programmed in e.g. Verilog
– Bitstream (secret format) generated and loaded into the chip
● Invented by Xilinx in 1985:
– XC2064
● 64 logic blocks vs millions today
– Replace TTL glue logic chips
● Equivalent to 1000-1500 gates
Why reverse engineer an FPGA?
● Figure out undocumented bitstream
– Build open-source tools
– Interpret bitstreams in products

● Curiosity: How is an FPGA implemented?


How does an FPGA work?

Xilinx patent 4,642,487


CLB: Configurable Logic Block

[Link]
LUT: Lookup Table
● Arbitrary logic function
● 8 bit truth table
– Stored in SRAM
Programming an FPGA
● Static RAM cells
● Each cell controls something
XC2064: 8x8 grid of CLBs
XACT
● DOS-based FPGA design tool, $12 000
Reverse engineering with XACT
● Generate configs, changing features incrementally
● Examine bitstream to find meanings of bits

● Not regular. Bits scattered in file. Strange encoding.


● 71x160 bits, 8x18 blocks for CLBs
XC2064 chip layout

● CLB and routing combined
● Layout == bitstream
● Loaded row at a time
● Buffers: extra bits

Power Buffer Row select Bit shift I/O [Link]


NMOS transistors
● Switch
– Closed by gate

[Figure labels: Doped silicon; Gate]
Vias
Routing points

● Controlled by SRAM
● Pass transistors for switch points H
● Can map bits to switches
● Overlapping transistors
20-point matrix switch
Input routing
● Use 5 bits instead of 8
● Two multiplexer levels
● Mux is just pass transistors
[Figure labels: inputs A to H; groups ABCD and EFGH; "selected"; A/E, B/F, C/G, D/H]
Trouble with the metal layers
● Two layers of metal
– Top: mostly horizontal
– Bottom: vertical

● Layers blur together in die photos

[Link]
Sharper die photos
Etch oxide and metal layers
Electron microscope
Tools: GIMP
● Trace out connections
– Trial-and-error
– Not Polychip
● Lots of layers
● Need better system
CMOS inverter
● 0 turns PMOS on: pulls output high
● 1 turns NMOS on: pulls output low

[Figure labels: In; Out; +; Gnd]
LUT multiplexers
● Program truth table into SRAM
● E.g. A xor B xor C
[Figure labels: SRAM bits 0 1 1 0 1 0 0 1; first-level selects B’C’, BC’, B’C, BC; second-level selects A’, A; out]
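The LUT slide above, modelled as an added example (not code from the talk or from the author's repository): 8 SRAM bits read out through two 4:1 pass-transistor muxes selected by B and C, then a final A'/A stage, plus the reverse step of recovering a function from the 8 bits. The bit order follows the figure's labels and is an assumption, since the positions of LUT bits in the real bitstream are not given on this page; all function names are hypothetical.

```python
from itertools import product

# Order of the four first-level select lines as labelled in the figure:
# B'C', BC', B'C, BC, written here as (B, C) pairs. Assumed bit order.
FIRST_LEVEL = [(0, 0), (1, 0), (0, 1), (1, 1)]


def program_lut(func):
    """Return the 8 SRAM bits for a 3-input function, in figure order."""
    return [func(a, b, c) & 1 for a in (0, 1) for (b, c) in FIRST_LEVEL]


def pass_mux(inputs, selects):
    """One-hot pass-transistor mux: exactly one select line closes a switch."""
    if sum(selects) != 1:
        raise ValueError("pass-transistor mux needs exactly one select line high")
    return inputs[selects.index(1)]


def read_lut(sram, a, b, c):
    """Evaluate the LUT as drawn: two 4:1 muxes on B/C, then the A'/A stage."""
    if len(sram) != 8:
        raise ValueError("LUT holds 8 bits")
    first = [int((b, c) == sel) for sel in FIRST_LEVEL]
    low = pass_mux(sram[0:4], first)    # half of the table used when A = 0
    high = pass_mux(sram[4:8], first)   # half of the table used when A = 1
    return pass_mux([low, high], [1 - a, a])


def describe(sram):
    """Recover a sum-of-minterms expression from 8 LUT bits."""
    terms = []
    for a, b, c in product((0, 1), repeat=3):
        if read_lut(sram, a, b, c):
            names = zip("ABC", (a, b, c))
            terms.append("".join(n if v else n + "'" for n, v in names))
    return " + ".join(terms) if terms else "0"


# The slide's example function, A xor B xor C.
XOR3_BITS = program_lut(lambda a, b, c: a ^ b ^ c)

if __name__ == "__main__":
    print(XOR3_BITS)
    print(describe(XOR3_BITS))
```
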
LUT implementation

[Figure labels: SRAM bit; MUX; SRAM bit; Inverter (buffer)]
Complex gates
● Part of input routing
● 7-input NAND gate?
Complex gates
● Inverter + muxes

[Figure labels: GND; Inverter; Mux; Pass transistors]
Latch / Flip Flop
CLB cell
[Figure labels: Routing switches; Matrix switches; LUTs; SRAM; Inverters; Input mux; Flip flop]
Vertical: interconnect, power, SRAM data
Horizontal: interconnect, ground, SRAM row select
Conclusion
● FPGA built from pass transistors, muxes, SRAM, inverters, a few gates
● Bitstream makes sense looking at die layout
– Highly-optimized, dense layout

● Made spreadsheet defining CLB bits


Status
● Program to generate CLB from bitstream

– Annoying file format and special cases


– Almost handles I/O pins (irregularities, more routing)
– Need graph algorithm to process routing
● [Link]/shirriff/xc2064
● Thanks to John!
– [Link]/map/xilinx/xc2064
– [Link]/JohnDMcMaster/project2064
