Deriving an NCD file from an FPGA bitstream: Methodology, architecture and evaluation

https://doi.org/10.1016/j.micpro.2012.12.003

Abstract

This paper demonstrates a reverse engineering method that takes a bitstream as input and produces an NCD (Native Circuit Description) file for a Xilinx FPGA chip. The work can be divided into two parts: mapping table generation and NCD generation. The mapping tables include the mapping relation among configurable points, configurable options, control bits and control values. An automatic distributed high performance analysis architecture and offset formula theory are developed to quickly generate the test cases, work out the mapping tables and verify their correctness. Based on the tables, we generate an XDL (Xilinx Design Language) file which is equivalent to the NCD file. Our work is the first which can rebuild the NCD file for a bitstream. We also evaluate our method with respect to time consumption and accuracy rate. Benchmarks using real circuits indicate that the accuracy rate on XC5VLX50T is above 88% even in the worst case. Our method is applicable to all series of Xilinx FPGA chips and the accuracy can be guaranteed if the scale of the chip is increased.

Introduction

Reconfigurable computing [1] is playing a more and more important role in various application scenarios. Undoubtedly, as the supporting technology [2], the reconfigurable feature of FPGAs will always be an essential part of reconfigurable computing research. Although FPGAs have been used in many critical fields [3] — such as aerospace, network flow control, image and video processing, and molecular dynamics — the reconfigurable feature of FPGAs is still mainly embodied in the form of modules (such as IP cores [4]) or used for circuit level reconfiguration. The configuration bitstream of an FPGA needs to be regenerated through a synthesizing, translating, mapping, placing and routing process, even if its function has only a tiny change. Because of this constraint, much research about real-time or partial reconfiguration [5], [6] is only theoretical [7].

If there were a tool which allowed researchers to modify the bitstream at bit-level directly without needing EDA tools like ISE, it would significantly reduce the reconfiguration time and make small modifications on the original FPGA circuit much easier. That means we can have more autonomy in FPGA reconfiguration. To the best of our knowledge, although there has already been some good work on how to get the relationship between a bitstream file and actual FPGA fabric configuration, such as FAT [8], Debit [9], and JBits [10], all current systems have some disadvantages and none can be considered a complete solution of the problem. Ref. [8] presents the FAT, which is a tool for low-level analysis of FPGA architecture and verification of FPGA function design. Ref. [8] builds its own GUI tool called “Pip2BitMapping” to show the placement of FPGA fabric by analysis of the bitstream file. It also develops a method to discover the mapping relation between the bitstream and the actual FPGA circuit configuration. Work [9] mainly focuses on providing third-party bitstream generation tools and pays very little attention to the bitstream decompilation work. There are some common problems which lead to performance bottlenecks and inaccurate results in both [8], [9]:

  1. The architecture of the “Pip2BitMapping” or Debit is not distributed or multi-processed, so it is unsuitable for a large modern chip, such as a Virtex-5/6 series chip. The single-threaded structure makes processing time increase exponentially.

  2. Through experiments, we find that there is a lot of redundant data in the bitstream file. Besides, several associated programmable interconnect points (PIPs) and programmable logic points (PLPs) share the same control bit. If these are not considered, the analysis results are wrong or incomplete. Testing the Debit tools (we cannot get the FAT tool), the result is far from perfect.

  3. Designing a new GUI tool to show the circuit analysis result of the FPGA fabric placement and configuration details might be a cool thing. But it is more sensible and efficient if the analysis result can be translated to an NCD format file and the mature Xilinx FPGA Editor [11] used to display the cracked circuit. After testing the Debit tool, we find that the circuit image from the analysis may be similar to the original circuit image in FPGA Editor, but never the same.

  4. None of the papers give a quantified index of carefully designed benchmarks to demonstrate the correctness and validity of their bitstream analysis methods.

As for the JBits SDK, it is a low-level tool helping to modify the bitstream file at bit-level. JBits is supplied by Xilinx only for the Virtex-II chip and it is no longer updated.

In this work, we settle two problems:

  1. How to get the mapping relation between the bits in a bitstream file and the actual FPGA configurable point configuration.

  2. How to convert the bitstream back to an NCD file after the mapping relation has been set up.

For the first problem, we build a distributed architecture with heartbeat packets (HBP) and pipeline technology to accelerate the bitstream mapping table generation process. We have set up a suitable mathematical model and offset formula to ensure the completeness and correctness of the mapping table.

A tool named “Bit2NCD” is built to solve the second problem. The NCD files derived from the bitstream based on our bitstream mapping table and Bit2NCD tool are exactly the same as the original NCD file for some chips. Even in the worst case, the accuracy rate of the result is still above 88%. In the worst case, the result can be improved by refining the mapping table.

Note that our work does not involve encrypted bitstreams. Though modern FPGA chips support strong cryptographic options to protect the bitstream, the encryption mechanism has not been widely used due to two reasons: First, the encryption mechanism provided by Xilinx FPGA on all chips can be completely broken with moderate effort [12], [13]. Second, the encrypted bitstreams need external storage for the key [14] and its energy overhead is unacceptable in many real systems [15].

It is generally considered that the reverse engineering of an FPGA is non-trivial [16]. The significance of our work is:

  1. In academic research, our work can propel the development of dynamic reconfigurable computing and evolvable hardware [17].

  2. In engineering, our work gives a way to analyze the bitstream from an FPGA low-level fabric and helps to give the alternate design to improve the corresponding circuit.

  3. In national defence, our work can help to crack the secrets of an enemy state’s top chip [18].

The rest of our paper is organized as: Section 2 reviews the Xilinx files which are closely related to our work. The details of the mapping table generation process are given in Section 3. Section 4 introduces the process of creating an NCD file after the mapping table is generated. Section 5 evaluates our tools for time consumption and the accuracy of the derived NCD files. A real demo is also used to evaluate our work in Section 5. Section 6 concludes the paper and proposes future work.


Xilinx files overview

The Xilinx tools used to generate a bitstream from a source file (verilog file for example) are xst, ngdbuild, map, par and bitgen in that order. The corresponding file format transition order is .v file, .ngc file, .ngd file, .ncd file and .bit file. In this paper, we focus on NCD, XDL, Xdlrc and Bitstream files. The transition graph between these files is shown in Fig. 1.

Control bit mapping table database construction

In this section, we first introduce the mathematical model for analyzing the mapping table among control bits, control values and configurable options for each configurable point. Then we describe the analysis method in detail for both PIP and PLP type configurable points. After that, we present the offset formula which is used for accelerating and verifying the mapping table. Finally, the distributed architecture for implementing the mapping table generation tools is described.
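An added example, not code from the paper or the Bit2NCD tool, sketching the mapping-table workflow in Python on constructed toy bitstreams: each test case changes one configurable option, the bits that differ from the baseline become the table entry, control bits shared by several points are flagged (the problem noted in the introduction), an assumed linear offset formula translates an entry to a neighbouring tile, and a decode step shows how a shared bit yields multiple candidate options for one point. The 8-byte frame layout, the offset rule, and the point and option names are assumptions, not Xilinx's format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class MappingEntry:
    point: str              # configurable point (PIP or PLP name)
    option: str             # configurable option selected in the test case
    bits: Dict[int, int]    # control bit index -> control value

def diff_bits(base: bytes, variant: bytes) -> Dict[int, int]:
    """Bits that differ between two equal-length bitstreams, with the variant's value."""
    assert len(base) == len(variant)
    changed = {}
    for i, (a, b) in enumerate(zip(base, variant)):
        for k in range(8):
            if (a ^ b) >> k & 1:
                changed[i * 8 + k] = (b >> k) & 1
    return changed

def build_mapping(base: bytes, cases: List[Tuple[str, str, bytes]]) -> List[MappingEntry]:
    """Each test case changes exactly one option relative to the baseline design."""
    return [MappingEntry(p, o, diff_bits(base, bs)) for p, o, bs in cases]

def shared_bits(table: List[MappingEntry]) -> Dict[int, set]:
    """Control bits claimed by more than one point; ignoring them gives wrong tables."""
    owners: Dict[int, set] = {}
    for e in table:
        for b in e.bits:
            owners.setdefault(b, set()).add(e.point)
    return {b: p for b, p in owners.items() if len(p) > 1}

def translate(e: MappingEntry, frame_bits: int, tile_delta: int) -> MappingEntry:
    """Assumed linear offset formula: same point, tile_delta frames away -> bits shifted."""
    shift = tile_delta * frame_bits
    return MappingEntry(e.point, e.option, {b + shift: v for b, v in e.bits.items()})

def decode(bitstream: bytes, table: List[MappingEntry]) -> Dict[str, List[str]]:
    """Reverse step (what an LCG does): every option whose control bits all match."""
    out: Dict[str, List[str]] = {}
    for e in table:
        if all((bitstream[b // 8] >> (b % 8)) & 1 == v for b, v in e.bits.items()):
            out.setdefault(e.point, []).append(e.option)
    return out

# Constructed toy bitstreams (8 bytes, all-zero baseline); not a real Xilinx frame layout.
BASE = bytes(8)
CASE_A = bytes([0x08, 0x00, 0, 0, 0, 0, 0, 0])   # PIP_A option in1 -> bit 3
CASE_B = bytes([0x08, 0x10, 0, 0, 0, 0, 0, 0])   # PIP_B option in2 -> bits 3 and 12
TABLE = build_mapping(BASE, [("PIP_A", "in1", CASE_A), ("PIP_B", "in2", CASE_B)])
```

Decoding CASE_B against TABLE returns both PIP_A and PIP_B because bit 3 is shared, which is the ambiguity the LCG output must carry forward for later stages to resolve.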

Bit2NCD construction

In this section, we introduce the Bit2NCD tool which is used to generate an NCD file based on the circuit bitstream. The workflow of the tool is shown in Fig. 11. The major components are:

  1. Logic Configuration Generator (LCG). The inputs include the bitstream file, mapping tables and offset formula. The output of LCG is the configuration of the corresponding logic configurable point. The results may include multiple values for one element, a problem which later parts of the system must manage.

  2.

Performance and evaluation

We evaluate our reverse engineering method using mapping table generation time and overall accuracy rate in this section. The comparison between the Bit2NCD and Debit tools is also given in this section. At the end of this section, we give a contrast between the original NCD and result NCD for a real circuit.

Conclusion

We have demonstrated a complete method for decompiling a bitstream back to an NCD file. The methodology in this paper is suitable for all Xilinx FPGAs, including Spartan-3, Spartan-3E, Virtex-II, Virtex-4, Virtex-5 and later series. Compared with other existing work, our method is more efficient and more accurate. With the help of a distributed mapping table generation mechanism and offset formula, we are able to solve large problems which previous methods cannot handle in acceptable time.

With

Acknowledgments

The initial work of this paper won the first prize of the “Challenge Cup” National Science and Technology Academic Competition in China, and it was further supported by Shanghai Jiao Tong University Innovation Fund for Postgraduates. Special thanks to Sandy Harris for improving the English technical writing.

Zheng Ding (S’09) received the B.S. degree in Harbin Institute of Technology, Harbin, China, in 2007, and the M.S. degree in Computer Science from Shanghai Institute of Computing Technology, Shanghai, China, in 2009. Since 2009, he has been working towards the Ph.D. degree in Computer Science at Shanghai Jiao Tong University, Shanghai, China. His research lies in the fields of high performance computing, especially of FPGA based HPC.

References (22)

  1. K. Compton et al., Reconfigurable computing: a survey of systems and software, ACM Computing Surveys (2002).
  2. S. Donthi, R.L. Haggard, A survey of dynamically reconfigurable fpga devices, in: Proceedings of the 35th Southeastern...
  3. T. Todman et al., Reconfigurable computing: architectures and design methods, IEE Proceedings – Computers and Digital Techniques (2005).
  4. L. Sekanina, Towards evolvable ip cores for fpgas.
  5. C. Steiger et al., Operating systems for reconfigurable embedded platforms: online scheduling of real-time tasks, IEEE Transactions on Computers (2004).
  6. M. Huebner, T. Becker, J. Becker, Real-time lut-based network topologies for dynamic and partial fpga...
  7. L. Sekanina et al., Evolvable components – from theory to hardware implementations, Genetic Programming and Evolvable Machines (2005).
  8. K. Kepa et al., Fpga analysis tool: high-level flows for low-level design analysis in reconfigurable computing, in: Reconfigurable Computing: Architectures, Tools and Applications.
  9. J.-B. Note et al., From the bitstream to the netlist.
  10. Xilinx, Jbits 3.0 sdk for virtex-ii....
  11. Xilinx, Fpga editor guide, 1999....
Cited by (45)

  • Towards bidirectional LUT-level detection of hardware Trojans, Computers and Security, 2021. Citation excerpt: “Therefore, previous HT detection methods employed at the gate-level may not be applicable to the LUT-level (Section 2.2). This highlights the need for an analytical method at the LUT-level because the circuit design can be provided as a form of a bitstream, not in an HDL or a gate-level netlist, and currently, a tool for gate-level netlist generation from the bitstream does not exist (LUT-level netlist generation from bitstream is possible (Ding et al., 2013)). Generally, an HT is composed of two parts: trigger and payload (Alkabani and Koushanfar, 2008).”
  • Learning Malicious Circuits in FPGA Bitstreams, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2023.
  • Fast FPGA Reverse Engineering for Hardware Metering and Fingerprinting, Proceedings of the IEEE National Aerospace Electronics Conference, NAECON, 2023.

Qiang Wu received the B.S. degree in East China Normal University, Shanghai, in 2009. Since 2009, he has been working towards the M.S. degree in Computer Science Engineering Department at Shanghai Jiao Tong University, Shanghai, China. His research lies in the fields of High Performance Computing and Mobile Internet.

Yizhong Zhang (S’05-M’09) received the B.S. degree in Computer Science and Technology Department from East China Normal University, Shanghai, in 2010. Since 2010, he has been working towards the Ph.D. degree in Software Engineering Institute at East China Normal University, Shanghai, China. His research lies in the fields of Hardware and Software Co-Design, Distributed Systems and HPC.

Linjie Zhu received the B.S. degree in Computer Science and Technology Department of East China Normal University in 2010. He has served as Software Application Engineer in PDF Solutions since 2010.
