11:46 <braincode> Hello folks, I'm recently minted in CPLD adventures, so please bear that in mind, not an expert ;)

11:46 <braincode> I'm currently on a trip to reading out a Xilinx XC95288XL CPLD (https://github.com/GlasgowEmbedded/glasgow/pull/285) I bought on Aliexpress: https://www.aliexpress.com/item/1005001502267945.html... this board comes pre-loaded with a simple binary counting example on the external LEDs of the board.

11:46 <braincode> We managed to dump the bitstream via JTAG with my Glasgow, here's a hexdump of the contents:

11:46 <braincode> https://hardbin.com/ipfs/QmXgR7ATaofiz2JSpthEDxuLWsqsfGuyEFwhdL6HKdwVQi/#EbgNPNpwGzN2NpRamjAra9ur5p1VS58VBMjnrwkTwUxy

11:46 <braincode> So given that .bit file, how hard it is nowadays to elucidate the individual gates/blocks from it and/or overall functionality?

11:56 <whitequark> note that this .bit file is a Glasgow-specific format

11:56 <whitequark> you probably want to convert it to JED if you want anyone else to be able to make sense of it

11:56 <whitequark> (it's just a dump of data from the internal flash the way it's laid out there)

12:02 <whitequark> `glasgow tool program-xc9500xl`

12:02 <whitequark> except... it doesn't currently do bit-to-jed conversion, oops

12:03 <braincode> Hehehe

12:05 <vup> braincode: anuejn and I played around with fuzzing ISE for the xc95{x,}xxXL a bit, I think most of the macrocell configuration would be pretty easy to figure out, but we got a bit stuck with the switch matrix, as we did not figure out a nice way to fuzz it yet

12:05 <vup> https://github.com/anuejn/XC9500

12:08 <vup> This contains some basics about the format: https://github.com/anuejn/XC9500/blob/new_fuzzers/bitstream/CURRENT_IDEAS.md

12:08 <vup> but reading this back now it could be rewritten to be a lot easier to understand :)

12:12 <braincode> Oh, wow, so much to read/learn, thanks! … that's fuzzing though, which I presume it's very useful when there's IP readout security, but if the CPLD allows reading, is fuzzing still needed to reconstruct and understand the logic implemented?

12:12 <vup> well the fuzzing is to understand the bitstream format

12:14 <vup> it does not fuzz a specific bitstream to figure out its operation, but rather generates a big number of bitstreams and tries to figure out the meaning of the single bits by comparing them

12:16 <braincode> Fascinating, thanks for explaining!

12:22 <braincode> I thought that fuzzing on CPLDs was just to bruteforce the I/O of an application so that one explores all the combinatorial space given a set of input/output pins… which I always thought it could be intractable in almost all cases.

12:28 <vup> yeah fuzzing the IOs of a CPLD to reverse engineer the bitstream / configuration sounds very tricky indeed

12:52 <whitequark> vup: check out how i fuzz the matrix in prjbureau

12:53 <whitequark> except for the devices where the matrix is sparse, i generally get every single bit

13:33 <vup> whitequark: interesting, I think I had a similar idea previously (atleast the first two stages), but I never actually implemented it fully