Hi,

I have an application in which I would like to use a tool similar to data2mem for hacking block ram contents in an FPGA bitstream prior to download into an FPGA. The FPGA could be Virtex 6 or Artix 7 or Kintex 7. The bitstream is not encrypted and not compressed.

The problem is that I want this to run on an embedded system. The CPU is not x86, so there's no chance of getting data2mem to run on it. Even if data2mem was recompiled by Xilinx for my system, I would not be able to run a "binary blob" on it for reasons I don't want to go into here.

The actual creation of the software is trivial - just change some bits in a file, and adjust some CRCs. The hard part is getting the specification for the bitstream format. I understand that the bitstream format is not public.

Some ideas:
- licensing source for data2mem from Xilinx.
- obtaining (under NDA) the bitstream format from Xilinx.
- reverse engineering the bitstream format.

I'm currently favouring the reverse engineering approach since the block rams should be easy to identify.

Any pointers or other ideas?

Thanks,
Allan
7 answers
None of these is likely to happen...

(I don't work for or speak for Xilinx, but...) I doubt Xilinx will release any source code to anyone - the maintenance issue is a nightmare. Similarly, I doubt you will get a lot of support for modifying the bitstream, and reverse engineering it might be more difficult than you think - particularly since there are CRC checks in the bitstream.

Your best bet is to "find another way". Create some communication path between your CPU and your FPGA and modify the BRAM data after the FPGA has been configured. You could probably do this with as little as 2 or 3 pins and a serial protocol. You might also be able to do this through the JTAG port; if your FPGA is already being programmed via JTAG, the connections are already there. In most families of FPGAs you can configure the JTAG chain to have a user register implemented in the fabric of the FPGA - you can then do reads and writes through this JTAG register.

Avrum
Thanks Avrum,

My local FAE is currently looking for scripts that could be used in place of data2mem. If he comes up with something, I'll use it. I'm not too hopeful though.

Why is reverse engineering the bitstream hard? I know it has been done before. Neocad, who were later bought by Xilinx, reverse engineered the entire bitstream (of earlier generation parts) and made their own tools. I only want to alter block ram initialisation, which should be easy in comparison. The block rams should be simple to locate in the bitstream. Data2mem allows a chosen plaintext attack. I can automate a process which uses data2mem to change each bit in each block ram, and compares the before and after bitstreams. A CRC provides no security against an attacker who has a basic understanding of algebra, and should also be easy to locate in the bitstream.

I actually think it's about an order of magnitude less work to hack the bitstream than to modify the FPGA source code to mux in an extra port that can write into the block rams. Some of these work at over 200MHz and already use both ports. I had also considered the use of JTAG (or ICAP), but rejected it on the basis of being more work than bitstream hacking. There are other considerations (that I won't discuss in a public forum) that make me not want to change the existing FPGA source code.

I really do think that bitstream hacking is a good solution for this problem.

Regards,
Allan
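The chosen-plaintext procedure Allan describes, as an added example that is not code from this thread: a Python script run against a constructed toy image layout (a fixed header, an 8-byte init region and a CRC-32 trailer; this is an assumption for illustration, not the Xilinx bitstream format). It sets one init bit per trial, diffs the result against an all-zero baseline, and separates the positions that flip in many trials (the checksum) from the single position that flips only in that trial (the data bit), which is exactly how the diff also shows where the CRC lives.

```python
import zlib
from collections import Counter

# Constructed toy image layout (NOT the Xilinx format): 16-byte header,
# 8-byte block-ram init region, 4-byte CRC-32 trailer over everything before it.
HEADER = b"\xaa\x99\x55\x66" + bytes(12)
BRAM_BYTES = 8
BRAM_OFFSET = len(HEADER)

def make_bitstream(bram_init: bytes) -> bytes:
    """Assemble the toy image and append its CRC-32 trailer (big-endian)."""
    assert len(bram_init) == BRAM_BYTES
    body = HEADER + bram_init
    return body + zlib.crc32(body).to_bytes(4, "big")

def diff_bits(a: bytes, b: bytes) -> set:
    """Absolute bit offsets (byte*8 + bit, LSB first) at which a and b differ."""
    assert len(a) == len(b)
    out = set()
    for off, (x, y) in enumerate(zip(a, b)):
        d = x ^ y
        while d:
            low = d & -d                      # isolate lowest set bit
            out.add(off * 8 + low.bit_length() - 1)
            d ^= low
    return out

def map_bram_bits():
    """Chosen-plaintext mapping: set one init bit per trial and diff against the
    all-zero baseline. A position that flips in only one trial is that trial's
    data bit; positions that flip across many trials belong to the checksum."""
    baseline = make_bitstream(bytes(BRAM_BYTES))
    diffs = {}
    for i in range(BRAM_BYTES * 8):
        init = bytearray(BRAM_BYTES)
        init[i // 8] |= 1 << (i % 8)
        diffs[i] = diff_bits(baseline, make_bitstream(bytes(init)))
    counts = Counter(pos for d in diffs.values() for pos in d)
    shared = {pos for pos, n in counts.items() if n > 1}
    mapping = {}
    for i, d in diffs.items():
        unique = sorted(d - shared)
        mapping[i] = unique[0] if len(unique) == 1 else None   # None: inspect by hand
    crc_region = (min(shared) // 8, max(shared) // 8) if shared else None
    return mapping, crc_region

if __name__ == "__main__":
    mapping, crc_region = map_bram_bits()
    print("checksum occupies bytes", crc_region)
    for i in range(0, BRAM_BYTES * 8, 8):
        print(f"init bit {i:2d} -> image bit {mapping[i]}")
```

Because a CRC is linear, every checksum bit flips in at least two of the 64 trials, so the count-based split is deterministic here; with a real image the same diff makes the point that a CRC is an integrity check, not a tamper protection.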
https://github.com/florianbenz/bil
Thanks for the link!

It only does Virtex 5, but it's a start.
From reading your posts, I cannot tell what your actual problem is. Just your solution is hacking the bitstream?

I completely understand that finding the BRAM in a design is pretty straightforward, as DATA2MEM uses this to modify the bitstream. I published some TCL scripts to do just that for a NON-Embedded design when you have access to the implemented design. I also know Xilinx provides some bitstream dumping tools to give you visibility into the contents of the design including the BRAM contents. They don't provide a way to go the other direction that is publicly available; I could see the factory having access to such tools.

My first thought is you don't have access to the design; you indicated that hacking the bitstream to add the mux for the memory write port is the same level of effort as hacking the bitstream to put in new BRAM data. The key here is "hacking", which tells me you don't have any source for what you are doing? 200MHz is not a problem to add a write port to the BRAM, BTW.

Yes, NeoCAD did some reverse engineering on what I would consider significantly less complex designs (I have worked in Boulder for 30+ years, so I know some of those involved).

I wish you luck, a determined engineer can do a lot of amazing focused work.

TomT...
Hi Tom,

I knew someone would get the wrong idea if I used the word "hacking". I have access to all the source code. I wrote a significant fraction of this project (at least a few hundred kLOC), so I have a good understanding of what it does and what it takes to modify it.

In a typical pipelined > 200MHz design, adding a mux to create an extra write port would be simple. But this design can't be pipelined, for reasons I don't want to go into in a public forum. The block ram address setup to clock is on the critical path.

Can you please provide pointers to your published TCL scripts?

Thanks,
Allan