The next speaker is [unclear], and he is talking about how to reverse engineer FPGAs. He did it by himself, and he will tell you how he did it, and especially how he reverse engineered the Xilinx 7 Series and the Lattice iCE40 series. He knows much more about this than me. So please give a warm welcome to [unclear].

Hi. Here is my talk about FPGAs. I'm going to explain to you what an FPGA is, how it works, what it does, what FPGA stands for. And of course I will tell you stories about how I reverse engineered them, and show some pictures and so on. What this talk isn't about: this talk is not about how to use an HDL. I actually cannot use them. I never wrote Verilog or VHDL, and this is not about high-level synthesis. Maybe a quick story on why I decided to reverse engineer the 7 Series. Four years ago I wanted to build a small CPU, and I had the problem that chip design and building chips is far too expensive. The next simplest thing would be an FPGA, but I did not want to learn Verilog or VHDL. So I decided to sit down and document the bitstream format and the internals.

FPGA stands for field programmable gate array. What does field programmable mean? In a sense it means that the device is in-place programmable, so to say: in a live circuit we can just reconfigure the device. The gate part: an FPGA simulates or implements logic gates. And the array: an array of logic gates, programmable logic. I will tell you how an FPGA works and so forth. We have to get down to logic 101. We have four operators. Yeah.
The NOT gate, the AND gate, the OR gate and the exclusive OR gate. On the bottom you can see the truth tables. When we have, for example, the OR gate: we put in zero, we get zero at the output. When we put in one, we get one. And so the next thing: we can combine logic gates into circuits. Here is an example of a one-bit full adder to implement addition. It uses two exclusive OR gates, two AND gates and one OR gate. Okay. There are several implementations of that. We can see that we can generate a truth table depending on the input states and what we get on the output, and we can combine several logic gates into one table. I did the work for the full adder here, and we have three inputs and two outputs. And if we, for example, get a one and a zero on the inputs and we have the carry-in set to one, we know the result will be zero and the carry-out will be one. The nice part about this is that we don't have to trace through the logic; we just kind of implement our logic in a look-up table, and the look-up table is the smallest part in an FPGA. This thing implements the logic gates. However, we need more than one table, of course. So let's zoom out a bit. Here is a slice in the 7 Series. In the Xilinx 7 Series there are look-up tables with six inputs each. They are followed by a special carry unit, because implementing addition with look-up tables would take up too many resources, and because we need it quite often, it is far cheaper for the manufacturer to include a carry chain. And then on the outputs we have flip-flops, because sometimes we need to synchronize the state, we need to store one bit of information. Packed together, one look-up table, one part of the carry chain and, in the case of the 7 Series, two flip-flops, is what's called a logic cell. Logic cells make up a slice, and two slices are then grouped together, combined with a switchbox and interconnect, into a tile. You can see we have two tile types: that's how we implement logic, and that's how we wire the logic. Zooming out a bit more, you can see that several of those tiles are grouped together into columns, and, zooming out a little bit more, one column in the 7 Series contains fifty tiles and one clock tile in the middle. This is rather small. This one only has one hundred and six columns, which [unclear]. The columns are then grouped together into regions; this particular device has six of them. That's the basic FPGA fabric, but we're still missing something. We still can't communicate with the outer world of the chip. For that we need something like a bridge, and at the borders we have the IO tiles. But are there more than those two tile types? Of course. Sometimes logic is not enough. Maybe we need memory. Of course I could implement memory in logic, but that's expensive, so the vendor gave us small units called block RAM. Here are the columns of block RAM in that particular device. Each small rectangle contains kilobits of memory, and there are one hundred and forty blocks of RAM in this device. Sometimes memory is also not enough. Sometimes we need processing power, and implementing arithmetic functions like multiplication would also use lots and lots of resources, lots of logic. So we have DSPs. DSP stands for digital signal processing; in that case it's just a small additional unit combined with a multiplication unit. Okay. Now we know a lot about the basic makeup of FPGAs, but how do we configure it? How does each look-up table know its values, the flip-flops their initial state? And how is everything routed? For that we have the bitstream. The problem with the bitstream: it is undocumented. Yeah. And it configures the switchboxes and the look-up tables, and provides the initial state. This thing decides which switch to turn off and on. The goal of reverse engineering is to get the bitstream documented.

Years ago I started with the iCE40. Quick summary: the Lattice FPGA is a very, very small one, optimized for low power. It only has between three hundred and eighty-four and seven thousand six hundred and eighty look-up tables, with only four inputs. Even the block RAM looks small. This is very beginner friendly. And this is the picture the manufacturer gives us. It shows that programmable logic blocks contain eight look-up tables and that the whole fabric is surrounded with IO tiles, but we don't know anything about the interconnect, and we don't even know how many tiles, how many rows and how many columns there are. Looking at the programmable logic block, or in that case the logic cell, we can see there is only one flip-flop, and it can be bypassed. You can just use the flip-flop or bypass it, and we only have four inputs. Special about the routing in the iCE40: it is directional. So you have more than one source at each wire, and if you put in the right or wrong configuration you can cause shorts in the device itself. Another thing: they provide us with eight global signals. They get routed to every single tile, and we can choose out of those eight. For interconnect between the tiles there are mainly wires that span over four tiles and twelve tiles, horizontally and vertically, and of course every tile is connected with its surrounding neighbours. That's it.

Challenges with reverse engineering the iCE40 FPGA: well, we had no knowledge about the internal layout. I had no schematic. I had no idea how many wires there were, where they go, which switchboxes connect to the programmable logic blocks, and even the bitstream commands for commanding the FPGA, or the CRC of the bitstream, were only partially documented. And a challenge, of course, is mapping the tile location to the bit location, but I will show you more details on that later. So how did I do the FPGA? Well, I took a close look at the tools the vendor gave me, especially the bitstream generator. The bitstream generator seemed to contain several strings with the names used for wiring. You could compare the bit names, but they were behind a debug flag. I could not reach it; they had commented it out, and the compiler didn't optimize it out. That's why it was easy for me to document and reverse engineer this particular FPGA, because I only had to replace one single jump instruction in the vendor tool, and it gave me the name of every bit in use and a short description of its function. Another story about how this tool was written: I looked through some functions in it. You could see where they copy-pasted everything together; you have one function and it's a combination of printf and cout and copy-pasted data. And another thing I noticed: the bitstream contained a cyclic redundancy check, but there was not a single opcode that related to this function, namely XOR, in the whole binary. If you implement a cyclic redundancy check, you normally need an XOR. So I just ran the bitstream generator and took a look, and found out they generated the bitstream in ASCII. So at some point I found a string of ones and zeros in ASCII, and they generated that part only... I don't know what happened in the program. I don't want to know.

Decisions with the Xilinx 7 Series: I decided on the Xilinx 7 Series two years ago. A challenge, because the Xilinx 7 Series is a really, really high-performance device. One look-up table uses up [half the?] memory of one whole tile in the iCE40, and even the smallest 7 Series FPGA has more look-up tables than the biggest iCE40, and the biggest one has more than 1.2 million look-up tables. This maps to around [unclear] thousand tiles. Other resources the 7 Series contains: the block RAM has [unclear] kilobits of data. As I mentioned before, they have a central clock line. By the way, this is just the bottom-most part of the 7020. Later I will tell you more about the Xilinx 7020. This is the particular device I decided to reverse engineer, because it contained an A9 processor core that could reprogram the FPGA and interface with it. I really liked the part about combining an interconnect with the memory system of those processors and using that. But then again, I didn't want to learn Verilog. So I decided to reverse engineer the 7 Series. I had to scale up my whole operation because, for example, as I mentioned for the switchboxes, each switchbox contains two hundred and [unclear] thousand seven hundred and forty connection states. That's a lot. They also connect through one hundred [unclear] wires to neighbouring tiles, and one hundred and seventeen [unclear]. The whole operation surely got very big. And of course the whole device contains more than [unclear] wires, and there are more than [four point two?] million configurations of them. I had to find out what they do. Challenges with the Xilinx 7 Series: yeah, the complex design. But with this one I was not able to get any debug information, and the toolchain was much more complex than the Lattice one. Another thing: it was not decompilable for me. I'm only a C guy, and it was written in Java. Another thing that bothered me, I will show you shortly: there is a small part where the pattern of the bitmap you can extract out of the bitstream doesn't match the rest, and this part, as I later found out, is for the error correction. A small challenge is mapping the tile locations to the bitmap coordinates. Now I will show you a very small section of the bitmap I can generate out of the bitstream. Okay. When I first looked at this, I was like, fuck. This thing seemed like noise to me, but you already can see some patterns in there. We, for example, can see that there are bigger blocks; most probably these are the configuration data for the look-up tables. Nice. Now we only have to find out what the other columns look like. Noise, though, for the switchboxes, and mapping them to the wires was hard. About mapping the tiles to the bitmap I have another picture. So we can see the [unclear] pixels map to one tile: this part, this part, but the middle part...
Of course, the small regular block of pixels we can see here, and here, and here, has to be used for the clock interconnect in the middle. We can see here the clock. We know that went to the first tile, but that's all I got at first to work with. About the interconnect [unclear] that we can see there: that thing was a challenge, but I had an idea, a small script. It counted the number of bits that were set in each row. If this number was one, I got information about the middle part, and I was able to find out that this thing was using Hamming code, single error correction, double error detection, extended Hamming code. I would love to show you more, but right now I have a problem with the hard disk in my notebook, and that's kind of where my talk ends early. I think what kind of... the 7 Series with the vendor toolchain: we get the netlist, and you can extract it programmatically. You get information on the tile coordinates, you get the names of the wires, but we don't get the information about the bitstream. But with the knowledge of where the tile sits in the bitstream, we can correlate the data. I created several automated tools for that. I would have loved to show something about [unclear].
I'm sorry. Implications of my work: because I can create a netlist, I'm able to cross-compile it to different architectures. We can copy, extract and reverse engineer IP cores that are otherwise [unclear]. [unclear] is starting projects; another project has been done together with [unclear] to create a second target file. Open source toolchain. I'm very sorry that my talk got this short. Any questions?
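The speaker describes two things about the middle part of a 7 Series frame row: it holds an extended Hamming code (single error correction, double error detection) whose parity bits sit apart from the data rather than interleaved with it, and he worked out the layout by looking at rows in which exactly one bit is set. Both are general techniques, so here is an editor-added Python illustration of them. This is not the speaker's tooling and not Xilinx's actual ECC: the row width (ROW_BITS), the check-bit ordering and the sample rows are assumptions constructed for the example, because the talk does not give the real frame layout or code. What the code shows is how a separate ECC field next to the data corrects one flipped bit and flags two, and why single-bit probe rows expose the parity-check columns directly.

```python
"""Extended Hamming (SECDED) with the parity kept beside the data, plus the
'rows with a single set bit' trick for recovering the check columns.

Editor-added example; ROW_BITS, the check-bit order and the sample rows are
assumptions, not the 7 Series frame format.
"""
from typing import Dict, List, Tuple

ROW_BITS = 32   # assumed row width for the sample; real frame rows are wider


def _layout(n_data: int) -> Tuple[int, List[int]]:
    """Number of Hamming check bits r needed for n_data data bits, and the
    1-indexed codeword position each data bit would occupy in a textbook
    Hamming code (powers of two are reserved for check bits). The positions
    are only used to compute the checks; the data itself stays contiguous,
    which mirrors parity that is stored apart from the data it protects."""
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    positions: List[int] = []
    pos = 1
    while len(positions) < n_data:
        if pos & (pos - 1):        # not a power of two: a data slot
            positions.append(pos)
        pos += 1
    return r, positions


def encode(data: List[int]) -> List[int]:
    """ECC for one row: r Hamming check bits, then one overall parity bit
    that covers the data and the check bits (the 'extended' part)."""
    r, positions = _layout(len(data))
    check = [0] * r
    for bit, pos in zip(data, positions):
        if bit:
            for i in range(r):
                if (pos >> i) & 1:
                    check[i] ^= 1
    overall = (sum(data) + sum(check)) & 1
    return check + [overall]


def decode(data: List[int], ecc: List[int]) -> Tuple[str, List[int]]:
    """Verify a received (data, ecc) pair. Returns (status, data) where
    status is 'ok', 'corrected' (one flipped bit, repaired in data if it was
    there) or 'uncorrectable' (two flipped bits, detected but not fixed)."""
    r, positions = _layout(len(data))
    fresh = encode(data)
    syndrome = 0
    for i in range(r):
        if fresh[i] != ecc[i]:
            syndrome |= 1 << i
    # Overall parity over everything received; odd means an odd number of flips.
    odd = (sum(data) + sum(ecc)) & 1
    if syndrome == 0 and not odd:
        return "ok", list(data)
    if not odd:
        return "uncorrectable", list(data)   # non-zero syndrome, even count: 2 flips
    fixed = list(data)
    if syndrome in positions:                 # the flip hit a data bit
        fixed[positions.index(syndrome)] ^= 1
    # Otherwise the flip hit a check bit or the overall bit: data is intact.
    return "corrected", fixed


def recover_check_columns(rows: List[Tuple[List[int], List[int]]]) -> Dict[int, int]:
    """The talk's trick: a row in which exactly one data bit is set carries,
    in its check bits, the column of the parity-check matrix for that bit,
    because every other contribution is zero. Returns {data_index: column}."""
    columns: Dict[int, int] = {}
    for data, ecc in rows:
        if sum(data) != 1:
            continue
        column = 0
        for i, bit in enumerate(ecc[:-1]):    # drop the overall parity bit
            column |= bit << i
        columns[data.index(1)] = column
    return columns


def probe_rows(n_data: int = ROW_BITS) -> List[Tuple[List[int], List[int]]]:
    """Constructed sample: one row per data bit, with only that bit set."""
    rows = []
    for i in range(n_data):
        data = [0] * n_data
        data[i] = 1
        rows.append((data, encode(data)))
    return rows


if __name__ == "__main__":
    row = [1, 0, 1, 1, 0, 0, 1, 0] * (ROW_BITS // 8)   # constructed row
    ecc = encode(row)
    hit = list(row)
    hit[10] ^= 1
    print(decode(hit, ecc)[0])          # corrected
    hit[20] ^= 1
    print(decode(hit, ecc)[0])          # uncorrectable
    cols = recover_check_columns(probe_rows())
    print(cols[0], cols[1], cols[2])    # 3 5 6: the textbook positions
```

Run it directly to see the three outcomes. The same decode() is the check a loader would run over every row before trusting a frame; a row that comes back as 'uncorrectable' has at least two flipped bits, which is a sign of a transmission fault, a glitch, or tampering, not something to accept silently.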
Short, and so we have questions for him. Please come to the microphones, they are one, two, three and four, and we can take questions from the IRC or via Twitter as well. Yeah, we have a question here at microphone one.

I loved what you did. What happened to your laptop? What happened? It was something about [unclear], and I'm checking it. I can't... and my Windows wants to try to repair the hard disk. It happened one hour before the whole thing started. My second question: have you worked on the Spartan-6 series? No. I never cared about the Spartan ones. And about the [unclear] series, I only wanted to reverse engineer the 7 Series because of the Cortex processor in it. Okay. Thank you.
Thank you. And you talked about this middle part of the FPGA, because you have this black part there and this white part. Is it the error correction code for half of the bits and the other half of the bits? Or how does that work exactly? With Hamming code you normally mix the parity bits into the data. But of course Xilinx doesn't want that. So they put in the middle the parity bits of the Hamming code for one row. I can show you the details later when I get them out of my hard disk; I have everything in detail, with more data.

Thank you. Microphone three, please.
I was somewhat puzzled by your remarks regarding your inability to decompile the Java that you mentioned earlier, because usually Java bytecode and Java stuff is the easiest prey in that regard. How come? That might be, but I always come from a bit of a different direction, because I taught everything to myself. I had no idea how to decompile. With the Lattice one I created two tools for code elimination. One, for example, patched every single jump instruction in the binary so I could get the program flow; another one replaced everything with a breakpoint. I then hooked the structured exception handling from Windows and replaced every opcode as it was executed. In that way I could reduce that binary by two thirds, which was easy to decompile with [unclear]. There's lots of automated software for that, I guess. Again, I never used... I always write my own software. Maybe that's one of the reasons.
Then we have a question from the IRC chat: what architectures do FPGAs use? You mentioned ARM ones, but that wasn't the FPGA itself. No. FPGAs don't use architectures like CPUs do. The building blocks, like the programmable logic block, like block RAM, DSPs, the IO tiles, that's the architecture, more or less.
I'm wondering whether you have tried to extract some of the device database from Vivado, or some information, or whether you skipped that for legal reasons. I don't know. I thought about doing that, but the databases, I think, are more than ten gigabytes, and I was like, no, fuck it. Okay. I think with [unclear]... so basically they do it the same way also for [unclear] files, which contain some of the device information. I think that's quite similar to what Intel is doing, for those who listened to the Intel talk. I have little need for that information, because I could get it out of [unclear] with the example project I just threw into the tool. Later some more details about that.
[unclear]. Hi, impressive work. Thank you. Okay, so [unclear]. Impressive. My question was almost the same. So you didn't look at the GTX or high-speed IO, because it was too complicated, I guess? No, I didn't have... okay, okay, I have all the hardware in my mind. Okay. Thank you. [unclear].
Microphone one, please. Did you do any work on... did you do any work on the IO tiles? Sure. I know I have some information about the IO drivers, how everything comes together, but that was also part of the slides, which have pictures of the schematics where I zoom in and zoom out. But yeah, a fuck-up happened.
Microphone two. My question is regarding reprogramming the FPGA fabric from the ARM cores. Did you have a look at that? Is it also possible with your work? It is about another thing that interests me more in the 7020, the two cores that can reprogram and, of course, read out. Yeah. [unclear]. One thing about the FPGA: they are isolated. You don't even need to power up the FPGA part, but you need to power up the ARM part, because it's the ARM part that obviously is prioritized and that configures it.

I can just give it a bitstream then that you generated using your tools? I... I have a very, very, very, very proof-of-concept place-and-route for small gates, and with [unclear] placing. Thank you. Microphone [unclear], please.
What about the timing information? Have you reverse engineered that? I started extracting the timing information, but I want to finish up more of the... I started with that, but I have the tool already waiting, and that would be one of the exports of the tool. So sometime in the future we can expect a tool with timing? Would talk to... because I don't have a real motivation; I'm doing it for fun. If I could create something great out of this that interests the community, I would love to do that. But until now, no one.
And microphone two, please. Did you look at some other FPGAs, the UltraScale ones, or maybe... I started looking at the UltraScale. I want to finish up the 7 Series, and I don't have a working UltraScale. I just want to hold it in my hands, then reverse engineer it. You can understand that. And the other part of the question: did you look at other vendors, maybe Microsemi or [unclear]? I first considered that before I decided on the iCE40, but [unclear]. Yes, I really want to reverse engineer the Intel FPGAs next, because then I kind of have all the big three and can do super things.
And... I have a question concerning the place-and-route tool: what is the basic approach you take to reduce all the combinations of block placing? Right now it's just a proof of concept. There is no reducing of anything. And I really want to get into what are called reduced ordered binary decision diagrams. Okay, thank you. Two, please.
Thank you [unclear]. Have you tried to get the bridges between the FPGA and the ARM core working, for memory access from the ARM to the programmable logic? I started working on that and just [unclear]. I can show you more on that later if there is time.

Thank you. Microphone three. How does the FPGA get the bitstream applied? In what way... or something? How does it... There are several ways. With this one, because it has an ARM Cortex processor, it has a small bootloader. You can put the whole thing on an SD card and boot it. Of course you could use JTAG, or you can connect an external SPI device, or many possibilities. Thanks. And we have a question at microphone four.
Hi, thank you for your talk. A request: could you present the whole presentation in the self-organized sessions later, maybe? I would love to. Cool. [unclear].
Yes, I had a question. During your studies, did you discover FPGA backdoors made by the NSA and friends? No. I looked for ways to detect them, but I [unclear] ways to detect them. Okay. I'd love to talk to you about that. And I wanted to say something else about this family, this Xilinx family you've been working with, which integrates an FPGA and a CPU. I think that in terms of cyber security it is absolutely not a good idea to mix in the same chip an FPGA and a CPU, because I can, like, easily upload a few bytes of code and [unclear]. I will tell you later about that, because I'm working on a proof of concept for a provable [unclear]. Okay. I'd be glad to talk about that later. Thank you. We have a question at [unclear].
To get a free and open source FPGA toolchain, with IceStorm for the iCE40... is the place-and-route tool... I gave [unclear] my findings, and together with some other guys they created the place-and-route tool, and I just provided them with the information, with documentation; basically I helped. That answers that question. Microphone two, please.
Yes, you said that you don't do Verilog and VHDL. What do you use as input for your design tools? The example projects of the vendors. Then I drag around the gates to get some different placing and routing. I create a block design. I... I also had [unclear] my presentation. Okay. Microphone one, please.
Hello. Xilinx forces you to use the AXI bus between the programmable logic and the ARM cores. Did you figure out if there's another way to connect these parts? What do you mean, they force me to use the AXI bus? You also have [unclear] for GPIOs. Oh yes, to get outside of the device, but I don't know, between the ARM and... into the fabric. Okay. Also later.
I think there will be a session later. Microphone two, please. Could you explain your way of reverse engineering the FPGA? Did you create a bitstream and observe behaviour, or not run it? I never ran the bitstream I created. I only once tried a small bitstream I created by myself. So what did you do, if you did not run the [unclear]? I tried to recreate the same netlist information that I got out of the tool, only by looking at the bitstream. And microphone two again.
Can you talk about tiles like the [unclear] IO tiles? Is that somehow different from reverse engineering the logic tiles? Certainly, yes. You get... you get almost no information. I have to look at the schematic information, look at which pins, which I used, where they go. Then I have to create another image where the switch is not used, then I can take the difference between the two, and then... okay. One idea: do the vendors provide some sort of schematics of the IO blocks, or is that... With Xilinx, you know almost everything about the device.

And another question in the IRC chat. When and where will the later session take place? Where do you want it to take place? I'm not that good with talks; I guess you noticed. I am more of a conversation guy. Maybe I just come to the front after this talk and we can figure out a bar, or if there is some free space. It's a big space, actually. Are there any more questions? Doesn't seem like that. So give a warm applause to [unclear].