04:09 <Wanda[cis]> have fully reverse engineered XC5200 bitstream again, this time using XACT; the two databases are a perfect match except for two pieces of test functionality (one is only exposed in XACT, the other only in ISE)

04:10 <Wanda[cis]> I was going to do XC4000* as first XACT target, but changed my mind midway because XC5200 has much less annoying interconnect structure; will resume XC4000 work next

04:56 <whitequark[cis]> nice

10:01 <mupuf> Wanda[cis] just couldn't take the risk of leaving any bitstream feature left un-reversed, could she? So she had to make sure the legacy legacy synthesis tool agreed with the legacy synthesis tool :D

10:01 <whitequark[cis]> xact is less of a legacy tool and more of a heirloom tool

10:02 <whitequark[cis]> national monument synthesis tool

10:02 <mupuf> ha ha

10:02 <Wanda[cis]> mupuf: I do take verification seriously

10:02 <mupuf> More seriously, I get it: you want to cross-validate the two reverse engineering workflows

10:03 <Wanda[cis]> which... well, I suppose you've seen already

10:03 <mupuf> but still... some may say that reversing one bitstream was already mission impossible and you decided to do it twice :D

10:04 <whitequark[cis]> reversing bitstreams is relatively easy

10:04 <Wanda[cis]> the cross-validation is useful, yes

10:04 <whitequark[cis]> i thought it was hard and then i just did it (Project Bureau)

10:04 <mupuf> Ha ha, I seem to remember Wanda[cis] telling me more than a decade ago that it was extremely tricky. That's why it seems a little funny to me

10:04 <whitequark[cis]> i think the hardest part was that the placer was buggy and didn't expose some features correctly, probably because someone forgot a pair of {}

10:05 <Wanda[cis]> though tbh I did this mainly because I knew there were extra test bits in XACT that I wanted to get

10:05 <Wanda[cis]> mupuf: a decade ago?

10:05 <Wanda[cis]> I have absolutely no memory of this conversation

10:05 <whitequark[cis]> see, the key part that was missing a decade ago is not being quite dead inside yet

10:05 <whitequark[cis]> i find that this really helps with reverse engineering anything

10:06 <Wanda[cis]> I mean

10:06 <whitequark[cis]> the less of a soul you have remaining, the easier it is to replace it with the soul of some other engineer you temporarily borrow from the void

10:06 <Wanda[cis]> tbh a decade ago I didn't find reversing bitstreams all that hard

10:06 <Wanda[cis]> I did get a fair bit into cyclone II reversing, even

10:06 <Wanda[cis]> (it just happened to be what I had on hand)

10:06 <mupuf> whitequark[cis]: Yeah, pretty sure it was before you started working on security stuff

10:07 <whitequark[cis]> i worked on security stuff?

10:07 <whitequark[cis]> that's news to me

10:07 <Wanda[cis]> the reason I gave up was because of "ok, I reverse the whole bitstream, what then"

10:07 <mupuf> err, sorry, I meant Wanda[cis]

10:07 <mupuf> the other w lady ;)

10:07 <Wanda[cis]> the perspective of having to write a whole-ass open source toolchain after a big reversing project was too much for me back then

10:07 <mupuf> right, without a P&R toolchain, it is indeed a little useless

10:07 <Wanda[cis]> of course

10:08 <whitequark[cis]> i've tried manually constructing SOP terms with Project Bureau, there is even a tool to do that

10:08 <whitequark[cis]> it is tedious

10:08 <mupuf> I may be misquoting you then, that might have been what you meant

10:08 <Wanda[cis]> as Catherine pointed out, these days I am dead enough to no longer be intimidated by that

10:08 <whitequark[cis]> simply develop the rest of the toolchain

10:09 <Wanda[cis]> and also, well, we actually have an open source toolchain these days

10:09 <mupuf> Says the lady who was making bit-perfect C models of NV01 and NV03 :D

10:12 <mupuf> Wanda[cis]: I think what has always been fascinating me with your work was always your resolution and complete lack of fear of failure or wasting time. And you've prevailed over and over and over again. It's been sooooooo inspiring

10:13 <mupuf> I wish I had been following whitequark[cis] earlier too, for the same reasons!

10:15 <whitequark[cis]> heh. i'm glad it's inspiring

10:16 <Wanda[cis]> me too

10:16 <Wanda[cis]> I don't really hear that often

10:16 <mupuf> That is sad...

10:17 <Wanda[cis]> as for fear of failure

10:17 <Wanda[cis]> there are actually bits I am and have been concerned about

10:18 <Wanda[cis]> I just... don't really let that stop me

10:18 <mupuf> Who knows, maybe one day I'll be back in Warsaw for one reason or another and we could meet up again. I have a big hug in reserve for you :D

10:18 <Wanda[cis]> timing info, for one

10:18 <Wanda[cis]> though I'm much less concerned about that now after spending a night with Cat looking into this

10:19 <Wanda[cis]> but fundamentally. ISE can generate bitstreams and do timing analysis for FPGAs I'm interested in.

10:20 <mupuf> Sounds like a good starting point!

10:20 <Wanda[cis]> this means I can, at the very least, replicate whatever it's doing given enough RE violence applied to it

10:20 <mupuf> Do you know how the binning process works at the factory?

10:20 <Wanda[cis]> it's just a matter of effort

10:20 <Wanda[cis]> not really

10:21 <Wanda[cis]> I've been wondering about the details a lot

10:21 <Wanda[cis]> in the end, I came to a simple conclusion

10:22 <mupuf> It could just be a static allocation based on the location on the wafer... or they may have some carefully-crafted gateware to do the binning for them. I would vote for the later, of course

10:22 <Wanda[cis]> we cannot know the exact details of binning process, and measuring actual devices cannot possibly cover a large enough sample

10:22 <Wanda[cis]> so the only way is to basically replicate ISE's timing data and algorithms

10:23 <mupuf> yeah, the best you could achieve is akin to overclocking for a single chip... but this time with a toolchain making sure timings are actually proper and not just "happen to work"

10:24 <mupuf> In other words, that's pretty niche and with real chances of getting it very wrong

10:25 <Wanda[cis]> not worth the effort

10:25 <Wanda[cis]> (effort of devloping a methodology of characterizing a chip of given FPGA family)

10:25 <mupuf> +1

13:14 <micko> Hi. Understand that focus is on Xilinx devices, but there is part of code for Lattice, is it a plan to try to do full RE and replace prjtrellis and icestorm ?

13:14 <micko> Also what is the plan for chipdb integration with nextpnr, making a new crate for exporting bba data and making sure it is up to date with nexpnr or using some python-rust bridge on nextpnr import script side ?

13:19 <Wanda[cis]> prjcombine was never meant to be xilinx-specific, correct

13:20 <Wanda[cis]> I consider one of its main goals to be exploration of highly automated and widely applicable techniques for FPGA reversing

13:22 <Wanda[cis]> I looked at Lattice at one point and some bits ended up in the repo (there's also some half-finished code on a branch that extracts p&r database in the prjcombine format, but I ended up not really liking the approach I chose there and kinda abandoned it; I'll probably rewrite it to something more like the XACT extractor at some point)

13:24 <micko> Got it. Thanks a lot. No hurry there. Had look to other series of Lattice FPGA when I was doing XO2 and XO3 and there are certain patterns that could be reused.

13:25 <Wanda[cis]> I don't have any immediate plans for further targets beyond Xilinx at this point; Lattice would be easy to support because of toolchain similarities to ISE, but if anything I'd like to test out some approaches on targets that are not very Xilinx/ISE-like

13:25 <Wanda[cis]> either quartus or icecube comes to mind

13:26 <Wanda[cis]> as for nextpnr

13:26 <Wanda[cis]> there are no plans of any sort

13:27 <Wanda[cis]> there's a story here, which you have actually been witness to

13:28 <Wanda[cis]> of a previous xilinx reversing project of mine a few years ago, where Edmund demanded a demo for some rich asshole who'll definitely give us lots of money if he sees Spartan 6 with DDR2 or whatever

13:29 <Wanda[cis]> the rush job I did back then to get all this working, and the complete failure afterwards, has basically completely destroyed all my desire to reverse FPGAs.

13:30 <Wanda[cis]> took a few years until I could look at xilinx again

13:31 <micko> Yeah, remember that. Anyway I just made a PR for one arch and soon starting on work on another (all in public this time), so at least there are some things that would be cleaned up and improved in himbaechel API extensions as needed by more strange architectures

13:32 <Wanda[cis]> so no. I am not going to do anything about writing a production toolchain until I consider this project actually mature enough to support it.

13:32 <Wanda[cis]> and given exactly how the last attempt failed

13:32 <micko> Understand

13:32 <Wanda[cis]> the main part of "mature enough" is having timing information

13:33 <Wanda[cis]> (the other part is some in-hardware verification, but that part I'd actually compromise on)

13:35 <Wanda[cis]> basically prjcombine is going slow and not looking for a quick blinky, by design

13:36 <micko> That is perfectly fine, I am happy there is work going on there. I have multiple arch projects RE that are pending due to lack of time mostly

13:37 <Wanda[cis]> (if anything, the first actual bitstreams I emit will be testcases for manual verification of some messy I/O and clock bits; I'll either do manual P&R or write some quick debug-grade P&R tool)