Lattice Semiconductor Targets Bitstream Reverse Engineering In Latest Propel SDK License

The topic of reverse engineering is highly contentious at best when it comes to software and hardware development. Ever since the configuration protocol (bitstream) for Lattice Semiconductor’s iCE40 FPGAs was published in 2015 through reverse engineering efforts, there has been a silent war between proponents of open bitstream protocols and FPGA manufacturers, with the Lattice ECP5’s bitstream format having been largely reverse-engineered at this point.

Update: About eight hours after this article was published, Lattice Semiconductor issued a statement retracting the EULA language that banned bitstream reverse engineering. Please check out Hackaday’s article about this reversal.

Most recently, it appears that Lattice has fired a fresh shot across the bow of the open source projects. A recently discovered addition to the Propel SDK, which contains tools to program and debug Lattice devices, specifically references bitstream reverse engineering. When logged in with an account on the company’s website the user must agree to the Lattice Propel License Agreement for Lattice Propel 1.0 prior to download. That document includes the following language:

In particular, no right is granted hereunder […] (3) for reverse engineering a bitstream format or other signaling protocol of any Lattice Semiconductor Corporation programmable logic device.

For the uninitiated, this ‘bitstream’ is a binary format that is used by an FPGA to configure its logic elements (LEs), telling it what circuits should be formed inside the FPGA. This bitstream is specific to each particular model of FPGA, and contains detailed information about the internal architecture and functionality of the chip. This also explains the secrecy around said bitstream format: by publishing the specifications of it, one reveals a lot of details about the inner workings that competitors of Lattice (Xilinx, Intel, Microchip, etc.) could use to their advantage.

A bitstream is very different from the binary code produced by a compiler for something like a Cortex-M microcontroller. Having a fixed ISA (e.g. ARMv7a, Thumb/Thumb2) hides the microcontroller implementation details. If these ISAs didn’t exist and instead one would directly program this underlying implementation of the processor, it would also reveal many details of the implementation that ARM would be unhappy to share.

Clauses prohibiting reverse engineering can be found in other parts of Lattice’s terms, such as the legal notices section of their website:

You may use any software provided on this website provided that you agree to be bound by the terms and conditions of the software license agreement(s) accompanying such software. You may not modify, reverse engineer, or disassemble any of the software, except as expressly permitted by the terms of the license agreement for such software.

And the Lattice Diamond IDE license (presented when a logged in account attempts to download the software) references underlying algorithms and interface techniques:

2.9. Restrictions: You may not (and may not allow anyone else to): […] (b) decompile, reverse engineer, or otherwise attempt to derive the source code for any Licensed Product or any underlying algorithms, user interface techniques, or other ideas embodied in a Licensed Product;

But it appears that the Propel license is the first time the company has specifically referenced bitstreams.

Legal Matters

This all leads us back to what ultimately matters in a Court of Law: is reverse-engineering legal? The answer to which is muddy at best. In US law, reverse-engineering has a ‘fair use’ exception when it comes to interoperability. This is what enabled the development of non-IBM BIOSes for the first non-IBM PCs, and allowed the Samba project to reimplement the proprietary SMB network sharing protocol.

At issue with FPGAs is that of protocol interoperability: the bitstream is the protocol that the FPGA chip understands. This bitstream can be plain text, or could be encrypted, which would be desirable in the case of high-security applications. Obviously, by having access to the bitstream specification, a user would gain the freedom to create their own tools to interact with the (purchased) hardware.

Essentially, what it comes down to is that this bitstream protocol is not protected by either copyright or patent law. The only part that is truly off-limits is the software and associated documentation as written by the FPGA manufacturers, which are heavily protected by copyright law and NDAs. This means that (clean-room) reverse-engineering is fair game, making it a popular target for universities, as this 2018 paper on reverse-engineering mostly Xilinx FPGAs demonstrates.

A familiar use of the reverse engineered bitstream is the open source community’s efforts to build FPGA tools that do not require the use of proprietary software. This facilitates things like build automation and toolchain portability. The tools are already mature enough to produce valid bitstreams and there are numerous examples of hardware products, such as ICEBreaker, Fomu, OrangeCrab, and even the 2019 Hackaday Superconference Badge, all built around Lattice FPGAs that recommend the use of the open source toolchains.

The Old EULA Issue

The fun thing about an end-user license agreement (EULA) is that one can write anything in it that one desires, and since nobody reads those darn things anyway, you’re practically guaranteed to find someone who violates part of the EULA. The less fun part for the EULA creator is that a EULA carries little weight unless backed up by national (or local) law.

To circle back to the original issue of the new phrasing in the Lattice Propel SDK license (EULA). One may note that it doesn’t say anything about reverse-engineering Lattice products being illegal, just that one is not allowed to use these (Propel) tools for said reverse-engineering. One is still free to use other tools, basically.

The core question here is whether one can outlaw the use of software tools for a specific purpose. That’s a much tougher question to answer. There is some precedent there when one considers that for example certain encryption tools cannot be exported legally from the US to certain countries, though it should be noted there again that this is due to government laws.

Saying that ‘you cannot use these tools we made for reverse-engineering our products’ does to my knowledge not have any precedence at this point in time. It would, however, be fascinating to see whether Lattice Semiconductor is willing to test this new EULA phrasing in a Court of Law.

42 thoughts on “Lattice Semiconductor Targets Bitstream Reverse Engineering In Latest Propel SDK License

  1. I just wonder who here is an IP layer to have the knowledge to comment correctly. It is their product – if you do not like the conditions attached – use other FPGAs. In another post somewhere here it was about breaking into I think Xilinx encrypted bitsteams. So it seems to be legal then to break into your credit card passwords then and make them known to the world???

    1. No, the previous article was about exposing a *flaw* in Xilinx’s encryption scheme. You can’t possibly be suggesting it shouldn’t be legal to tell the world “hey, this encryption scheme isn’t actually secure.” And since there’s no way for Xilinx to actually mitigate it, there’s literally no advantage to hiding the information.

      And as for the “use other FPGAs” comment, the main problem is that none of the FPGA vendors have reasonably-documented bitstreams. It’s fairly ridiculous. It’s not even a “you’re trying to steal their IP” thing. You can’t easily update block RAMs inside Xilinx bitstreams for instance, unless they’re part of a full-on embedded system.

      The problem is that the main FPGA vendors just don’t care about anyone other than their major users, and their major users aren’t trying to do creative stuff with the FPGAs so the tools are just godawful.

    2. These are such bad takes lol. Why are you comparing it to a private person’s credit card info? And why are people so complacent with the old “if you don’t like the EULA, just don’t use the product” cop-out? First, the EULA is never transparent or understandable enough for somebody who isn’t both a whole team of engineers and a team of lawyers. Second, all the other products do the same shenanigans in a cartel-like manner. Third, we should hold these huge vampiric companies more accountable. We can reform intellectual property to be more equitable, make everybody more money, and accelerate new ideas. It’s win-win-win to take away the strange idea-hording rights these companies enjoy. We can do better than this.

  2. This is just so, so dumb.

    Open designs for small cores aren’t theory anymore. The path from “company that makes products that contain MCUs” to “company that makes custom MCUs for its products” is an easy walk for any well-resourced company and getting easier by the day. Lattice has built its whole business on being the halfway point along that path. Every new open IP block and every new fab that opens threatens to shove them further into irrelevance.

    The way to survive is to embrace the future you’re actually getting, not the one you wanted ten years ago. Open up your tools, help the community *that has already done a ton of work to support your products* finish the job, and become the platform of choice for researchers and the parts of industry that demand transparency or the ability to fix deep issues themselves.

    And hey, maybe save a few bucks on development along the way.

    Just a colossal waste of an opportunity.

    1. It seems like this secret squirrel business about proprietary secrets is all kinda backwards anyway. Say what you want about US patent law and its many flaws, but isn’t this what it’s *supposed* to be for? Seems better than just trying to hide everything behind a smoke screen. Unless they are all infringing on each others’ patents and that’s the real reason they want to keep things secret…

    2. What really doesn’t make any sense is, well… it’s Lattice. They’re not exactly ground breaking. I mean, they license synthesis tools from others, their place and route stuff isn’t exactly impressive, and the hardware’s… okay. FPGAs aren’t any easy fab space to break into: if someone’s gonna rip off a company’s IP, it ain’t gonna be Lattice.

  3. I’m not a lawyer. But as far as I know, “no licence is required”… In the EU, reverse engineering is ALWAYS allowed (even when prohibited by an EULA) provided you’re trying to make something compatible, and not a competing product.

    1. IANAL, either, but: That’s not actually universally true. There’s European law that e.g. prohibits circumventing a copy-protection scheme, making reverse-engineering of a HDMI unscrambler illegal, for example, if the manufacturer intends (and that can be as easy as _declaring_) it as a copy-protection scheme.

      1. French ratification of the EUCD directive led to amendments allowing reversing copy protection for interoperability purposes. Otherwise a manufacturer would use copy protection to obtain monopolies over their data format, not allowing competitors to read their format. Same clarification happened in Portugal. I have heard about hackers moving to Portugal for that particular protection of the law.

        1. To where in Portugal can / should / must I send money that makes me actual owner of the silicon that I have?

          Same question again, now with preamble:
          You are being strangled by your supplier[1][2].
          To where in Portugal should you invest money that will make you actual owner of the silicon you have?

          [1] Strangling snakes attract as their prey exhales.
          [2] You made it possible by voting / buying / choosing “cheap”

    1. I agree! It’s important to discuss this as it arises, because it’s as far as I know the first “public” reaction of Lattice to the successful reverse-engineering work on their ECP5 line (the ICE40 is a bit special within Lattice’s portfolio in multiple ways, not the least of which are a low complexity and the fact that it’s an acquired design, and designed to be a least-end device, i.e. with practically no chance of any IP reuse in their other product lines).

      And while my understanding so far has been that Lattice watched the Yosys/arachnePnr/project Icestorm work with a well-intending, but forced-to-hold-still attitude, this is definitely a business decision to draw a line, at least at the programming step. (Notice that the article explains that Propel is not the synthesizer or place’n’route, which people out there are already confusing.)

      Thanks, Maya Posch!

  4. >Saying that ‘you cannot use these tools we made for reverse-engineering our products’ does to my knowledge not have any precedence at this point in time.

    That having no precedence would be surprising to me for multiple reasons:

    1. it’s pretty common that software vendors restrict what you’re allowed to do with a given license of their product – e.g. noncommercial/education licenses of Windows, Matlab, or CAD software. I’m sure we’ve talked about that in the past; and the fact that these seem to hold up in court is an indication that disallowing usage for specific purposes can, at least according to some US / state laws, be implemented by an EULA.
    2. I’d find it very surprising if in the EULAs to things like console game development kits, there was nothing to stop people from legally reverse-engineering e.g. GPUs.

  5. I used to always use Lattice Semiconductor CPLDs and FPGAs, but the move to subscription licensing for ISPlever Classic (rather than a free license) has put me off. Shame as their CPLDs were great little parts. This news just further cements a negative view.

    1. Only just found out about that. Yikes! I don’t own enough of their old parts to pay them close to $600/year.
      Meanwhile everyone else have their older design software free and they don’t require renewing licenses either.

      1. I desgined and built a few Altera designs a while ago. Supported in the free version.

        Then I didn’t work with FPGAs for a while and…. now I can’t reprogram my own designs from a while back because the old chips have been taken out of the free version. Bah.

    2. I’d just renewed my (free)ISPLever license about 6 weeks ago, wasn’t aware there were any plans to go subscription for it.
      I wonder if something as simple as rolling back the clock in 10 months time will keep it running. (Not much of a hassle as I run it in a VM anyway).
      If they want $600 a year they’d better fix that crash happy constraint editor first.

    3. Yup, me too. I have been using these CPLD’s since about 1988 or thereabouts (I forget but it’s a long time ago). Just recently I asked for that free license, again and was asked to pay a $5XX fee. Ha! I’m just a retro-hobbiest. I did get an extension until Sept/2020.

  6. Should be plenty of people here remembering what happened when Blockbuster basically went “Put up with our crappy terms and high fees or go elsewhere”

    1. yeah… not the best comparison. At the same time, Tivo became a thing, Youtube and Netflix did. I’d not paint the demise of Blockbuster as such monocausal thing.

      Also, Blockbuster is an explicitly end-consumer service provider with emphasis on comfort. Lattice sells logic devices and mostly caters towards *really* high-volume customers, where switching over to a different supplier can usually mean a complete redesign of your product.

      So, can’t compare these things at all, in my humble opinion.

      1. Because Lattice has absolutely no competitors and consumers got given tivos, HTPCs etc for free and cashback for their old VCRs/DVD players etc, that make this a total non comparison.

  7. In 2018 the FPGA/CPLD market share was about (I’ve rounded up to keep the numbers simple)
    51% Xilinx
    36% Intel(Altera)
    7% Microchip (Microsemi)
    6% Lattice
    2% others
    In 2017 the FPGA/CPLD market share was about
    50% Xilinx
    37% Intel(Altera)
    6% Microchip (Microsemi)
    5% Lattice
    1% others
    In 2016 the FPGA/CPLD market share was about
    53% Xilinx
    36% Intel(Altera)
    7% Microsemi
    3% Lattice
    1% QuickLogic
    1% others
    In 2015 the FPGA/CPLD market share was about
    53% Xilinx
    36% Intel(Altera)
    8% Microsemi
    3% Lattice
    1% QuickLogic
    1% others

    The question in my mind would be did “Project IceStorm” help increase Lattice’s market share ?
    (2015-03-22: First public release of IceStorm and short YouTube video)
    And if successful will this current strategy of Lattice Semiconductor Corporation backfire and to decrease their market share ? It may take two or three years to see the effect, but it could end up being a really long term bad decision by the company.

      1. As long as its the best open and free toolchain better to use it than the others. All FPGA’s seem to come with pay us subscription to be allowed to program them with our tools, no peeking! rules. All this EULA garbage seems to be denying you the use of their software to create opensource, nothing in there on by purchasing this chip we now own your mind you must use only our tools. So using somebody else’s work to reverse eng the tools should be perfectly fine even in nations this would actually be enforced (but I ain’t no IP lawyer, the scummiest of folk ‘cept maybe the political types – just look at that recent calculator article!).

        If there exists a more open options I’d go for it from now on. But I don’t know of one.

  8. “This also explains the secrecy around said bitstream format: by publishing the specifications of it, one reveals a lot of details about the inner workings that competitors of Lattice (Xilinx, Intel, Microchip, etc.) could use to their advantage.”

    Not really. Company I use to work for had a lab that consisted of buying the competition and taking it apart. All the names mentioned have the resources to reverse-engineer, license or not. Using? Now that’s a different matter.

    1. I don’t think it’s a particularly new or industry specific practice either, I used to know someone who reverse engineered mostly Heinz products in the 1960s, by various empirical and analytical methods. Though I could never figure if their food scientists or marketers were the more interested “Heinz cheap out on X” etc. Even in the 60s though they had some solid NCIS type skills in there, they could tell where they got their flour from etc.

  9. The fun part is that the EULA isn’t worth the bits it was written with. Manufacturers have avoided testing them in court, because they know it’ll be the end of vague threats. The even better part is that the EULA applies to the software and when you’re dealing with reverse engineered bitstreams you do not need them. You only need the hardware.

    I’m not sure what they’re trying to achieve, other than looking like desperate idiots who don’t understand when a ship has sailed, but overlook other propositions. Don’t fight the community at large, embrace them.

  10. There is long history of bitstream reverse engineering. NeoCAD reverse engineered Xilinx FPGAs in the early 90s and was ultimately bought by them. The software became the basis for Xilinx Foundation tools (replacing Xilinx XACT), which later became ISE. NeoCAD targeted other vendor’s FPGAs as well, in particular AT&T’s Orca chips. These were bought by Lattice, became ECP3 / ECP5 / Mach. Anyway, you can still see the NeoCAD copyright notice in Diamond during builds. Diamond and ISE have nearly the same build process.

  11. Brings back a memory of a company that made Logic Analyzers some 20+ years ago.
    They used a fairly simple FPGA (or cpld) back then but still managed to put complex triggering algorithms by calculating a new bitstream on the fly and uploading the new variant into the FPGA each time a trigger setting was changed. This also had better timing compared with putting registers in the FPGA and setting bits in those registers to change triggering.

    I’m not sure what exactly happened, but I think they had to cancel the whole product line after that particular FPGA went out of production. Using another FPGA with closed bitstream format would have forced them to use the “regiser” way, and would have made the product too expensive, or the timing to slow. They may have switched to a simpler triggering scheme for the “next version” of their Logic Analyzer.

  12. Subtleties of language are important.
    Having a right granted (we’re ok with you doing that), or not having a right granted (we haven’t mentioned it so we don’t really care) or having a right explicitly not granted (we’re not ok with you doing this) are all different to being prohibited and again different to whether people choose to do it.
    For example:
    Do you have a right granted by any entity to drive you car faster than the speedlimit?
    Do you not have a right granted to drive faster than the speedlimit by anyone?
    Do you have a right to drive faster than the speedlimit not granted by anyone?
    Are you prohibited from driving faster than the speedlimit?
    Do you choose to drive faster than the speedlimit?

    1. Like politicians, their lawyers will always try to sneak that back in at some point. The only sure way that won’t happen again is when they are bought out by a “better” company and their management are gutted.

      1. Nah! Vice-versa. If the law dept did something, but got overruled by the engineers, that’s a strictly good sign that the right people are wearing the trousers at Lattice.

        They’ve been tacitly approving of the IceStorm work all along, and it’s nice to see them call off their attack dogs so quickly.

  13. I have my doubts about how much they are concerned about community efforts exposing internal architecture to competitors
    Major competitors who already have knowledge of the general architecture of modern FPGAs and CPLDs plus massive resources to decap and even probe these chips know all of the ins and outs within months of getting a pre production sample out of the back door of a factory
    I believe this is to prevent a competing IDE that sells competing cores from cropping up and that would be where the ELUA is really enforceable

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.