The topic of reverse engineering is highly contentious at best when it comes to software and hardware development. Ever since the configuration protocol (bitstream) for Lattice Semiconductor’s iCE40 FPGAs was published in 2015 through reverse engineering efforts, there has been a silent war between proponents of open bitstream protocols and FPGA manufacturers, with the Lattice ECP5’s bitstream format having been largely reverse-engineered at this point.
Update: About eight hours after this article was published, Lattice Semiconductor issued a statement retracting the EULA language that banned bitstream reverse engineering. Please check out Hackaday’s article about this reversal.
Most recently, it appears that Lattice has fired a fresh shot across the bow of the open source projects. A recently discovered addition to the Propel SDK, which contains tools to program and debug Lattice devices, specifically references bitstream reverse engineering. When logged in with an account on the company’s website, the user must agree to the Lattice Propel License Agreement for Lattice Propel 1.0 prior to download. That document includes the following language:
In particular, no right is granted hereunder […] (3) for reverse engineering a bitstream format or other signaling protocol of any Lattice Semiconductor Corporation programmable logic device.
For the uninitiated, this ‘bitstream’ is a binary format that is used by an FPGA to configure its logic elements (LEs), telling it what circuits should be formed inside the FPGA. This bitstream is specific to each particular model of FPGA, and contains detailed information about the internal architecture and functionality of the chip. This also explains the secrecy around said bitstream format: publishing its specification reveals a lot of details about the inner workings that competitors of Lattice (Xilinx, Intel, Microchip, etc.) could use to their advantage.
A bitstream is very different from the binary code produced by a compiler for something like a Cortex-M microcontroller. Having a fixed ISA (e.g. ARMv7a, Thumb/Thumb2) hides the microcontroller implementation details. If these ISAs didn’t exist and one instead had to program the underlying implementation of the processor directly, it would also reveal many details of the implementation that ARM would be unhappy to share.
Clauses prohibiting reverse engineering can be found in other parts of Lattice’s terms, such as the legal notices section of their website:
You may use any software provided on this website provided that you agree to be bound by the terms and conditions of the software license agreement(s) accompanying such software. You may not modify, reverse engineer, or disassemble any of the software, except as expressly permitted by the terms of the license agreement for such software.
And the Lattice Diamond IDE license (presented when a logged-in account attempts to download the software) references underlying algorithms and interface techniques:
2.9. Restrictions: You may not (and may not allow anyone else to): […] (b) decompile, reverse engineer, or otherwise attempt to derive the source code for any Licensed Product or any underlying algorithms, user interface techniques, or other ideas embodied in a Licensed Product;
But it appears that the Propel license is the first time the company has specifically referenced bitstreams.
This all leads us back to what ultimately matters in a Court of Law: is reverse-engineering legal? The answer is muddy at best. In US law, reverse-engineering has a ‘fair use’ exception when it comes to interoperability. This is what enabled the development of non-IBM BIOSes for the first non-IBM PCs, and allowed the Samba project to reimplement the proprietary SMB network sharing protocol.
At issue with FPGAs is that of protocol interoperability: the bitstream is the protocol that the FPGA chip understands. This bitstream can be plain text or encrypted, the latter being desirable in the case of high-security applications. Obviously, by having access to the bitstream specification, a user would gain the freedom to create their own tools to interact with the (purchased) hardware.
Essentially, what it comes down to is that this bitstream protocol is not protected by either copyright or patent law. The only part that is truly off-limits is the software and associated documentation as written by the FPGA manufacturers, which are heavily protected by copyright law and NDAs. This means that (clean-room) reverse-engineering is fair game, making it a popular target for universities, as this 2018 paper on reverse-engineering mostly Xilinx FPGAs demonstrates.
A familiar use of the reverse engineered bitstream is the open source community’s efforts to build FPGA tools that do not require the use of proprietary software. This facilitates things like build automation and toolchain portability. The tools are already mature enough to produce valid bitstreams and there are numerous examples of hardware products, such as ICEBreaker, Fomu, OrangeCrab, and even the 2019 Hackaday Superconference Badge, all built around Lattice FPGAs that recommend the use of the open source toolchains.
The Old EULA Issue
The fun thing about an end-user license agreement (EULA) is that one can write anything in it that one desires, and since nobody reads those darn things anyway, you’re practically guaranteed to find someone who violates part of the EULA. The less fun part for the EULA creator is that a EULA carries little weight unless backed up by national (or local) law.
To circle back to the original issue of the new phrasing in the Lattice Propel SDK license (EULA): one may note that it doesn’t say anything about reverse-engineering Lattice products being illegal, just that one is not allowed to use these (Propel) tools for said reverse-engineering. One is still free to use other tools, basically.
The core question here is whether one can outlaw the use of software tools for a specific purpose. That’s a much tougher question to answer. There is some precedent there when one considers that, for example, certain encryption tools cannot be exported legally from the US to certain countries, though it should be noted there again that this is due to government laws.
Saying that ‘you cannot use these tools we made for reverse-engineering our products’ does not, to my knowledge, have any precedent at this point in time. It would, however, be fascinating to see whether Lattice Semiconductor is willing to test this new EULA phrasing in a Court of Law.