Many of us think of FPGAs as some new cutting edge technology, but the fact of the matter is that they’ve been around for quite some time. They’ve just traditionally been used in hardware that’s too expensive for us lowly hackers. A case in point is the Cisco HWIC-3G-CDMA WAN card. A decade ago these would have been part of a router valued in the tens of thousands of dollars, but today they can be had for less than $10 USD on eBay. At that price, [Tom Verbeure] thought it would be worth finding out if they could be repurposed as generic FPGA experimentation devices.
So as not to keep you in suspense, the short answer is a resounding yes. In the end, all [Tom] had to do was figure out what voltages the HWIC-3G-CDMA was expecting on the edge connector, and solder a 2×5 connector onto the helpfully labeled JTAG header. Once powered up and connected to the computer, Intel’s Quartus Programmer software immediately picked up the board’s Cyclone II EP2C35F484C8 chip. The blinking LEDs seen in the video after the break serve as proof that these bargain bin gadgets are ripe for hacking.
Unfortunately, there’s a catch. After studying the rest of the components on the board, [Tom] eventually came to the conclusion that the HWIC-3G-CDMA has no means of actually storing the FPGA’s bitstream. Presumably it was provided by the router itself during startup. If you just want to keep the board tethered to your computer for experimenting, that’s not really a big deal. But if you want to use it in some kind of project, you’ll need to include a microcontroller capable of pushing the roughly 1 MB bitstream into the FPGA to kick things off.
By now most of us have used a Raspberry Pi at some level or another. As a headless server it’s a great tool because of its price point, and as an interface to the outside world the GPIO pins are incredibly easy to access with a simple Python script. For anyone looking for guidance on using this device at a higher level, though, [Arun] recently created a how-to for using some of the Pi’s available communications protocols.
Intended to be a do-everything “poor man’s hardware hacking tool” as [Arun] claims, his instruction manual details all the ways that a Raspberry Pi can communicate with other devices using SPI and I2C, two of the most common methods of interacting with other hardware beyond simple relays. If you need to go deeper, the Pi can also be used as a full JTAG interface or SWD programmer for ARM chips. Naturally, UART serial is baked in. What more do you need?
As either a tool to keep in your toolbox for all the times you need to communicate with various pieces of hardware, or as a primer for understanding more intricate ways of using a Raspberry Pi to communicate with things like sensors or other computers, this is a great write-up. We also have more information about SPI if you’re curious as to how the protocol works.
When Pano Logic went out of business in 2012, their line of unique FPGA-based thin clients suddenly became a burden that IT departments didn’t want anything to do with. New and used units flooded the second-hand market, and for a while you could pick these interesting gadgets up for not much more than the cost of shipping. Thanks to considerable interest from the hacking community the prices for these boxes have climbed a bit on eBay, but they’re still a great way to get your feet wet with FPGA hacking.
Especially now, as Pano Logic fanatic [Skip Hansen] has figured out how to flash a new firmware on them without having to crack open the case and break out the JTAG or SPI programmer. For the seasoned hardware hacker that might not seem like a big deal, but if you’re new to the game or just more interested in the software side of the equation, this trick makes things considerably more accessible. Having an external programmer is still a good idea if things go south, but if you’re just looking to flash some demos and see what the hardware is capable of this is a huge quality of life improvement.
Even if you aren’t interested in fiddling with the orphaned products of a defunct Bay Area startup, the write-up is a fascinating look at practical software reverse engineering. As it turns out, [Skip] didn’t create this new firmware update tool from scratch. He actually opened up the official Linux update utility from Pano Logic in Ghidra and was able to figure out where the firmware image actually lived inside the program. He then wrote his own tool in C which will patch the update tool with a user-supplied firmware image.
After patching, all you need to do is follow the official update procedure, which Pano Logic helpfully documented in the YouTube video after the break. [Skip] mentions he didn’t find any clear license information in the official software he was fiddling with, and of course with the company out of business it’s not too likely anyone is going to come knocking down his door anyway. Still, he says the downloads for the Pano Logic updater are still floating around on the tubes out there for you to find, so he’s not distributing anyone’s code but his own in this project.
Got $4,000 to spend? Even if you don’t, keep reading — especially if you develop with FPGAs. Exostiv’s FPGA debugging setup costs around $4K although if you are in need of debugging a complex FPGA design and your time has any value, that might not be very expensive. Then again, most of us have a lot of trouble justifying a $4,000 piece of test gear. But we wanted to think about what Exostiv is doing and why we don’t see more of it. Traditionally, debugging FPGAs meant using JTAG and possibly some custom blocks that act like a logic analyzer and chew up real estate on your device. Exostiv also uses some of your device, but instead of building a JTAG-communicating logic analyzer it… well, here’s what their website says:
EXOSTIV IP uses the MGTs (Multi-Gigabit Transceivers) to flow captured data out of the FPGA to an external memory. EXOSTIV IP supports repeating captures of up to 32,768 internal nodes simultaneously at the FPGA’s speed of operation (16 data sets x 2,048 bits).
EXOSTIV IP provides dynamic multiplexer controls to capture even more data sets without the need to recompile. Dynamic ON/OFF controls of data sets let you select the data set and preserve the MGT’s bandwidth for when deeper captures of a reduced set of data is required.
In a nutshell, this means they use high-speed communications to send raw data to a box that has memory and connects back to a PC. That means they can store more data, have more data come out of the chip over a certain time frame, and do sophisticated processing. You can see a video about the device below, and there are more detailed videos on their channel, as well.
Our own [Brian Benchoff] asked this same question just six months ago in a similar headline. At that time, the answer was no. Or kind of no. Some exploits existed but with some preconditions that limited the impact of the bugs found in Intel Management Engine (IME). But 2017 is an unforgiving year for the blue teams, as lot of serious bugs have been found throughout the year in virtually every fields of computing. Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top of the cake is that they are able to do it via a USB port acting as a JTAG port. Does this mean the zombie apocalypse is coming?
Before the Skylake CPU line, released in 2015, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer’s chassis. Starting with the Skylake CPU, Intel replaced the ITP-XDP interface and allowed developers and engineers to access the debugging utility via common USB 3.0 ports, accessible from the device’s exterior, through a new a new technology called Direct Connect Interface (DCI). Basically the DCI provides access to CPU/PCH JTAG via USB 3.0. So the researchers manage to debug the IME processor itself via USB DCI, which is pretty awesome, but USB DCI is turned off by default, like one of the researchers states, which is pretty good news for the ordinary user. So don’t worry too much just yet.
The Teensy is a powerful ARM-based development board with loads of features that can do fun stuff with USB as well. Like many dev boards, it uses a less powerful processor as an interface. Teensy designer [Paul Stoffregen] added a debug header to allow direct SWD JTAG access to the main chip, but the interface microcontroller has to be silenced for that to work, and the code to do so is still in progress.
Impatient, [Erich Styger] documents the changes he made to add support for the J-Link SWD protocol by removing the offending NXP Kinetis KL02Z that serves as the as the onboard interface and bootloader that helps the Arduino IDE talk to the K64F which is the main chip. After the KL02Z was removed, [Erich] populated the debug headers and then wired up the Segger J-Link to the board and tested it out with Eclipse, GDB, and standard SWD debug tools.
The end result is a Cortex M4F board that can work with standard tools at a third of the price of the Kinetis’ development board. [Paul Stoffregen] confirms that the debugging functionality will be added to the bootloader code soon but until then, a hardware hack is a working, if brutal, approach to debugging on the platform.
Wouldn’t it be great if there were just one standard for attaching to, programming, and debugging hardware? If you could just plug in and everything would just work? Dream on, dreamer! But of course we hobbyists aren’t the only people to suffer from multiple standards. Industry has the same problems, writ large. In response to the proliferation of smart devices — microcontrollers, sensors, and their friends — on any given PCB makes it difficult to test them all, much less their function as a system.
The Joint Test Action Group (JTAG) got together in the mid-80s to make automated testing of circuit boards a standardized process. A JTAG port can be found on almost any piece of consumer electronics with enough brains to warrant it, and it’s also a tremendously useful entry point for debugging your own work and hacking into other’s. You’re going to need to use JTAG someday.
Implemented right, it’s a very cool system that lets you test any compliant IC on the board all from a single connector. It’s mostly used by hackers for its ability to run and halt individual processors, and put them in debugging modes, inspecting their memory states, etc. Essentially every microcontroller responds to JTAG commands, and it’s an incredibly widespread and powerful standard. A victory for rationality and standardization!
The connector pinout was, of course, left up to the manufacturer. The horror!
In principle, JTAG uses five signal lines. They form a chain starting at the debugger, where one device’s output is the next device’s input, until the result is returned back to the debugger.
Test Data In (TDI) is the input from the debugger
Test Data Out (TDO) is the return end of the chain
Test Clock (TCK) clocks this data along synchronously, similarly to SPI
Test Mode Select (TMS) lets the devices know that they’re being debugged — it’s a global chip select
Test Reset (TRST) is an optional signal that resets all devices in the chain