FPGA

384 Articles

Researchers Break FPGA Encryption Using FPGA Encryption

April 23, 2020 by 18 Comments

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encoded payload as a MultiBoot address, the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]

An FPGA And A Few Components Can Make A Radio

April 18, 2020 by 18 Comments

There was a time when making a radio receiver involved significant work, much winding of coils, and tricky alignment of circuitry. The advent of Software Defined Radio (SDR) has moved a lot of this into the domain of software, but there is of course another field in which a radio can be created via code. [Alberto Garlassi] has created a radio receiver for the AM and HF bands with a Lattice MachXO2 FPGA and minimal external components.

He describes it as an SDR, which given that it’s created from Verilog, is a term that could be applied to it. But instead of using an SDR topology of ADC and digital signal processing, it implements a surprisingly traditional direct conversion receiver.

It has a quadrature AM demodulator which has a passing similarity to an SDR with I and Q phased signals, but that’s where the similarity ends. Frequency selection is via an oscillator controlled from a serial port, and there is even a PWM amplifier on board that can drive a speaker. The result can be seen in the video below, and as you can hear the direct conversion with quadrature demodulator approach makes for a very effective AM receiver.

If this is a little much but you still fancy a radio with minimal components, you should have a look at the Silicon Labs range of receiver chips.

Continue reading “An FPGA And A Few Components Can Make A Radio”

An RF Engineer’s FPGA Learning Journey

March 12, 2020 by 3 Comments

[KF5N] admits he’s not a digital design engineer; he’s more into the analog RF side of things. But he’s recently taken on a project to communicate between a Ubuntu box and an Intel MAX10 FPGA. He did a presentation at a recent ham radio convention about what he’d learned and how you could get started.

The video talks a lot about the Intel (used to be Altera). However, the nearly 40 minute video after the break isn’t a step-by-step tutorial so even if you are interested in other devices, you’ll probably enjoy watching it. If you’ve programmed even one FPGA, this video likely won’t hold your interest — you aren’t the target audience. However, at about 00:31 he does recommend some books and some very inexpensive FPGA boards, so it’s not a total wash.

[KF5N] talks about what an FPGA is and how it’s different from a microcontroller. He also recommends Cornell’s [Bruce Land’s] course materials. He wasn’t a big fan of the online courses he tried. Of course, since he’s using an Intel chip, he also recommended the Intel courses. A lot of the video covers how to save on getting a development board. The Cornell class calls for a $250 board that is pretty powerful. That’s also pretty expensive, so he recommends a lighter version for about $85.

He also talks about the toolchain and his project to interface to his Linux box. He wound up with an SPI interface that ran up to 30 MHz. He also talks about using Julia to build a driver to talk to the interface on the PC side.

We didn’t notice him mentioning our own FPGA bootcamp, although he did mention projects on Hackaday.io. If you want to see a similar video but with open source tools, [David Williams] did a talk at Superconference that gives the same kind of overview but with Yosys and other related tools.

Continue reading “An RF Engineer’s FPGA Learning Journey”

Java On GPUs And FPGAs

March 11, 2020 by 48 Comments

There was a time when running a program on an array of processors meant that you worked in some high-powered lab somewhere. Now your computer probably has plenty of processors hiding in its GPU and if you have an FPGA, you have everything you need to make something custom. The idea behind TornadoVM is to modify OpenJDK and GraalVM to support running some Java code on parallel architectures supported by OpenCL. The system can utilize multi-core CPUs, GPUs (NVIDIA and AMD), Intel integrated GPUs, and Intel FPGAs.

If you want to try your hand at accelerated Java, there are some docker containers to get you started fast. There’ are also quite a few examples, such as a computer vision application.

Continue reading “Java On GPUs And FPGAs”

Mithro Runs Down Open Source FPGA Toolchains

March 6, 2020 by 28 Comments

Tim [Mithro] Ansell has a lot to tell you about the current state of open FPGA tooling: 115 slides in 25 minutes if you’re counting. His SymbiFlow project aims to be the GCC of FPGA toolchains: cross-platform, multi-platform, completely free, and all-encompassing. That means that it’s an umbrella framework for all of the work that everyone else is doing, from work on synthesis and verification tools, to placing and routing, to vendor-specific chip libraries. His talk catches you up with the state of the art at the end of 2019, and it’s embedded below. Spoiler alert: SymbiFlow has the big Xilinx 7-series FPGAs in its crosshairs, and is closing in. SymbiFlow is that close to getting a networked Linux system on the FPGA fabric in a Xilinx 7 today, completely independent of any vendor tools.

But let’s step back a sec for a little background. When you code for an FPGA, words you type get turned into a bitstream of ones and zeroes that flip perhaps a few million switches inside the chip. Going from a higher-level language to a bitstream is a lot like compiling normal programming languages, except with the twist that the resulting computational logic doesn’t map straight into a machine language, but rather into lower-level physical hardware on the FPGA. So “compilation” for FPGAs involves two steps: synthesis and place-and-routing. Synthesis takes the higher-level language that you write and turns it into a set of networks and timing requirements that represent the same logic, and can work across chip families. Yosys is the open-source synthesis tool of choice here.

Continue reading “Mithro Runs Down Open Source FPGA Toolchains”

Watch Linux Boot On Your Hackaday Superconference Badge

February 29, 2020 by 4 Comments

Last year’s Hackaday Superconference badge was an electronic tour de force, packing an ECP5 FPGA shoehorned into a Game Boy-like form factor and shipping with a RISC-V core installed that together gave an almost infinite badge hacking potential. It did not however run Linux, and that’s something [Greg Davill] has addressed, as he’s not only running Linux on his badge, but also a framebuffer that allows him to use the badge screen as the Linux terminal screen. Finally you can watch Linux boot on your Superconference badge itself, rather than over its serial port.

He’s achieved this by changing essentially everything: from the new VexRiscv CPU core, to new video drivers and a VGA terminal courtesy of Frank Buss, now part of the LiteVideo project. It’s not quite a fully fledged Linux powerhouse yet, but you can find it in a GitHub repository should you have a mind to try it yourself. Paging back through his Twitter feed reveals the effort he’s put into this work over the last few months, and shows that it’s been no easy task.

For those keeping score at home, this is an open hardware design, running an open CPU core, with community-designed open-source peripherals, compiled by an open-source toolchain, running an open-source operating system. And it’s simply a fantastic demo for the badge, showing off how flexible the entire system is. One of the best parts of writing for Hackaday is that our community is capable of a huge breadth of amazing pieces of work, and this is an exemplar of that energy. We can’t wait to see what Greg and any other readers tempted to try it will come up with.

If you’d like to refresh your memory over the 2019 Supercon badge, here’s our write-up at the time.

Machine Inside Of A Chip: How Sprite_TM Built The FPGA Game Boy Badge

February 19, 2020 by 12 Comments

Kids of the 1990’s would call you a liar if you told them that within thirty years you’d go to a conference and be handed a Super Nintendo Entertainment System to wear around your neck. But that’s what happened with the badge Jeroen Domburg, aka [Sprite_TM], designed for the 2019 Hackaday Superconference. It’s built in the Game Boy form factor, complete with a cartridge slot, beautiful screen, and the familiar button layout. But there’s so much more here, like the HDMI port on the bottom and the ability to completely reconfigure the device by dropping a binary file onto it over USB.

Of course what makes this possible is the FPGA at the heart of the design. The story of how the badge was developed is shared in great detail during Sprite’s Supercon talk. The timeline, the hardware choices, and the oopses along the way make for a great story. But what you really don’t want to miss is how he built the machine inside of the FPGA — the collection of Verilog code known as “gateware” that brings together the System-on-a-Chip (SoC). From his delight at being able to spawn more processor cores by changing a single variable, to the fascinating SNES-inspired graphics subsystem, the inside story shared below is even more interesting than the physical device itself.

Continue reading “Machine Inside Of A Chip: How Sprite_TM Built The FPGA Game Boy Badge”