Lattice Drops EULA Clause Forbidding FPGA Bitstream Reverse Engineering

Yesterday we reported that Lattice Semiconductor had inserted a clause that restricted the reverse engineering of bitstreams produced by their FPGA toolchains. Although not explicitly stated, it’s assumed that this was directed toward several projects over the past five years that have created fully open source toolchains by reverse engineering the bitstream protocols of the Lattice ICE40 and ECP5 FPGA architectures. Late yesterday Lattice made an announcement reversing course.

To the open source community, thank-you for pointing out a new bitstream usage restriction in the Lattice Propel license. We are excited about the community’s engagement with Lattice devices and our intent is to not hinder the creation of innovative open source FPGA tools.

It’s refreshing then to see this announcement from Lattice Semiconductor. Even more so is the unexpected turn of speed with which they have done so, within a couple of days of it being discovered by the open-source community. We report depressingly often on boneheaded legal moves from corporations intent on curbing open source uses of their products. This announcement from Lattice removes what was an admonition opposing open source toolchains, can we hope that the company will continue yesterday’s gesture and build a more lasting relationship with the open source community?

The underlying point to this story is that in the world of electronics there has long been an understanding that hardware hackers drive product innovation which will later lead to more sales. Texas Instruments would for years supply samples of exotic semiconductors to impecunious students for one example, and maybe you have a base-model Rigol oscilloscope with a tacitly-approved software hack that gives it an extra 50MHz of bandwidth for another.

We can only congratulate Lattice on their recognition that open source use of their products is beneficial for them, and wish that some of the other companies triggering similar stories would see the world in the same way. Try interacting more with your open source fans; they know and love your hardware more than the average user and embracing that could mean a windfall for you down the road.

Lattice Semiconductor Targets Bitstream Reverse Engineering In Latest Propel SDK License

The topic of reverse engineering is highly contentious at best when it comes to software and hardware development. Ever since the configuration protocol (bitstream) for Lattice Semiconductor’s iCE40 FPGAs was published in 2015 through reverse engineering efforts, there has been a silent war between proponents of open bitstream protocols and FPGA manufacturers, with the Lattice ECP5’s bitstream format having been largely reverse-engineered at this point.

Update: About eight hours after this article was published, Lattice Semiconductor issued a statement retracting the EULA language that banned bitstream reverse engineering.

Most recently, it appears that Lattice has fired a fresh shot across the bow of the open source projects. A recently discovered addition to the Propel SDK, which contains tools to program and debug Lattice devices, specifically references bitstream reverse engineering. When logged in with an account on the company’s website the user must agree to the Lattice Propel License Agreement for Lattice Propel 1.0 prior to download. That document includes the following language:

In particular, no right is granted hereunder […] (3) for reverse engineering a bitstream format or other signaling protocol of any Lattice Semiconductor Corporation programmable logic device.

For the uninitiated, this ‘bitstream’ is a binary format that is used by an FPGA to configure its logic elements (LEs), telling it what circuits should be formed inside the FPGA. This bitstream is specific to each particular model of FPGA, and contains detailed information about the internal architecture and functionality of the chip. This also explains the secrecy around said bitstream format: by publishing the specifications of it, one reveals a lot of details about the inner workings that competitors of Lattice (Xilinx, Intel, Microchip, etc.) could use to their advantage.

A bitstream is very different from the binary code produced by a compiler for something like a Cortex-M microcontroller. Having a fixed ISA (e.g. ARMv7a, Thumb/Thumb2) hides the microcontroller implementation details. If these ISAs didn’t exist and instead one would directly program this underlying implementation of the processor, it would also reveal many details of the implementation that ARM would be unhappy to share.

Clauses prohibiting reverse engineering can be found in other parts of Lattice’s terms, such as the legal notices section of their website:

You may use any software provided on this website provided that you agree to be bound by the terms and conditions of the software license agreement(s) accompanying such software. You may not modify, reverse engineer, or disassemble any of the software, except as expressly permitted by the terms of the license agreement for such software.

And the Lattice Diamond IDE license (presented when a logged in account attempts to download the software) references underlying algorithms and interface techniques:

2.9. Restrictions: You may not (and may not allow anyone else to): […] (b) decompile, reverse engineer, or otherwise attempt to derive the source code for any Licensed Product or any underlying algorithms, user interface techniques, or other ideas embodied in a Licensed Product;

But it appears that the Propel license is the first time the company has specifically referenced bitstreams.

Legal Matters

This all leads us back to what ultimately matters in a Court of Law: is reverse-engineering legal? The answer to which is muddy at best. In US law, reverse-engineering has a ‘fair use’ exception when it comes to interoperability. This is what enabled the development of non-IBM BIOSes for the first non-IBM PCs, and allowed the Samba project to reimplement the proprietary SMB network sharing protocol.

At issue with FPGAs is that of protocol interoperability: the bitstream is the protocol that the FPGA chip understands. This bitstream can be plain text, or could be encrypted, which would be desirable in the case of high-security applications. Obviously, by having access to the bitstream specification, a user would gain the freedom to create their own tools to interact with the (purchased) hardware.

Essentially, what it comes down to is that this bitstream protocol is not protected by either copyright or patent law. The only part that is truly off-limits is the software and associated documentation as written by the FPGA manufacturers, which are heavily protected by copyright law and NDAs. This means that (clean-room) reverse-engineering is fair game, making it a popular target for universities, as this 2018 paper on reverse-engineering mostly Xilinx FPGAs demonstrates.

A familiar use of the reverse engineered bitstream is the open source community’s efforts to build FPGA tools that do not require the use of proprietary software. This facilitates things like build automation and toolchain portability. The tools are already mature enough to produce valid bitstreams and there are numerous examples of hardware products, such as ICEBreaker, Fomu, OrangeCrab, and even the 2019 Hackaday Superconference Badge, all built around Lattice FPGAs that recommend the use of the open source toolchains.

The Old EULA Issue

The fun thing about an end-user license agreement (EULA) is that one can write anything in it that one desires, and since nobody reads those darn things anyway, you’re practically guaranteed to find someone who violates part of the EULA. The less fun part for the EULA creator is that a EULA carries little weight unless backed up by national (or local) law.

To circle back to the original issue of the new phrasing in the Lattice Propel SDK license (EULA). One may note that it doesn’t say anything about reverse-engineering Lattice products being illegal, just that one is not allowed to use these (Propel) tools for said reverse-engineering. One is still free to use other tools, basically.

The core question here is whether one can outlaw the use of software tools for a specific purpose. That’s a much tougher question to answer. There is some precedent there when one considers that for example certain encryption tools cannot be exported legally from the US to certain countries, though it should be noted there again that this is due to government laws.

Saying that ‘you cannot use these tools we made for reverse-engineering our products’ does to my knowledge not have any precedence at this point in time. It would, however, be fascinating to see whether Lattice Semiconductor is willing to test this new EULA phrasing in a Court of Law.

Mithro Runs Down Open Source FPGA Toolchains

Tim [Mithro] Ansell has a lot to tell you about the current state of open FPGA tooling: 115 slides in 25 minutes if you’re counting. His SymbiFlow project aims to be the GCC of FPGA toolchains: cross-platform, multi-platform, completely free, and all-encompassing. That means that it’s an umbrella framework for all of the work that everyone else is doing, from work on synthesis and verification tools, to placing and routing, to vendor-specific chip libraries. His talk catches you up with the state of the art at the end of 2019, and it’s embedded below. Spoiler alert: SymbiFlow has the big Xilinx 7-series FPGAs in its crosshairs, and is closing in. SymbiFlow is that close to getting a networked Linux system on the FPGA fabric in a Xilinx 7 today, completely independent of any vendor tools.

But let’s step back a sec for a little background. When you code for an FPGA, words you type get turned into a bitstream of ones and zeroes that flip perhaps a few million switches inside the chip. Going from a higher-level language to a bitstream is a lot like compiling normal programming languages, except with the twist that the resulting computational logic doesn’t map straight into a machine language, but rather into lower-level physical hardware on the FPGA. So “compilation” for FPGAs involves two steps: synthesis and place-and-routing. Synthesis takes the higher-level language that you write and turns it into a set of networks and timing requirements that represent the same logic, and can work across chip families. Yosys is the open-source synthesis tool of choice here.

Continue reading “Mithro Runs Down Open Source FPGA Toolchains”

A 60 GHz Phased Array

Our friend [Hunter Scott] gave a talk at a past Supercon about phased array antennas. He mentioned he was looking for collaborators to create an antenna with the SiBeam SB9210 chip. This is a specialized chip for WirelessHD, a more or less failed video streaming protocol, and it’s essentially an entire 60 GHz phased array on a chip with both transmit and receive capabilities. For $15, it seems like quite the bargain, and [Hunter] still wants to put the device to work.

The downside is that Lattice bought SiBeam and killed this chip — not surprising considering WirelessHD never really took off. However, [Hunter] says the chip was in some old smart TVs and laptops. If you can find replacement boards for those devices on the surplus market, you can get the chip and the supporting circuitry for a song.

Continue reading “A 60 GHz Phased Array”

A Scratch-built RISC-V CPU In An FPGA

“RISC architecture is going to change everything”, which is why [SHAOS] is building this cool RISC-V DIY retro-style computer.

The project took inspiration from another hacker’s work in building a RISC-V emulator; shared in the Hackaday FPGA chat. He took it a bit further and got it going on an UPDuino v2.0 board which features a iCE40 FPGA from Lattice.

The board passes all the tests for the RISC-V subset he’s aiming for and even run some Zephry RTOS examples. He’s done a really good job of documenting how he got the code to run as well as many of the experiments he’s run so far. All the project files for ICEcube2 software are posted. It’s not the only RISC-V CPU we’ve seen in an FPGA, but the code is actually very clear and worth a read if you’re into such things.

We think anyone interested in duplicating his work could do so somewhat easily and start playing around with this increasingly popular architecture. Or at least get some LED’s blinking in an arcane but meaningful way. Video after the break.

Continue reading “A Scratch-built RISC-V CPU In An FPGA”

Symbiflow Open Source FPGA Toolchain

Anyone who’s ever had the pleasure of programming FPGAs knows that it’s a land of proprietary tools that almost require marriage level commitment to a specific platform to be effective. Symbiflow hopes to solve this by becoming the GCC of FPGAs.

Rather than a tool built around a specific chip or architecture, Symbiflow will provide a more universal interface.  Users can program in Verilog; architecture definitions define how the code will be compiled for the right chip. They are currently targeting the popular Xilinx 7-series, the very affordable iCE40 series from lattice, and the ECP5 FPGAs also from Lattice.

If you’re headed to Hackaday Supercon this year, [Timothy Ansell] will be giving a talk on how Symbiflow is making this process much more approachable and much less proprietary.  Overall we’re very excited about a common interface, especially as the price of FPGAs keep dropping into micro controller territory while also increasing in capability.

(Speaking of Supercon, and maybe this is a spoiler, the badge would not have been possible without Symbiflow, Project Trellis, Yosys, and NextPNR.)

RISC-V CPU Gets A Peripheral

One of the ways people use FPGAs is to have part of the FPGA fabric hold a CPU. That makes sense because CPUs are good at some jobs that are hard to do with an FPGA, and vice versa. Now that the RISC-V architecture is available it makes sense that it can be used as an FPGA-based CPU. [Clifford Wolf] created PicoSOC — a RISC-V CPU made to work as a SOC or System on Chip with a Lattice 8K evaluation board. [Mattvenn] ported that over to a TinyFPGA board that also contains a Lattice FPGA and shows an example of interfacing it with a WS2812 intelligent LED peripheral. You can see a video about the project, below.

True to the open source nature of the RISC-V, the project uses the open source Icestorm toolchain which we’ve talked about many times before. [Matt] thoughtfully provided the firmware precompiled so you don’t have to install gcc for the RISC-V unless you want to write you own software. Which, of course, you will.

Continue reading “RISC-V CPU Gets A Peripheral”