Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement

Hi everybody,

I recently bought a Xilinx Spartan-3E evaluation board, which comes with an
integrated Platform Cable USB. Looking for a Linux compatible solution to
program the FPGA, I found out that Impact requires the binary kernel driver
Jungo and is thus not an option.

As Xilinx decided to classify the cable USB protocol specifications as
"highly confidential", I started to reverse engineer the programmer to see
if I could write an open-source host software.

The programmer is made of a USB microcontroller (Cypress EZ-USB) and a CPLD.
After trying to understand the protocol from USB traces only without
success, I decided to disassemble the microcontroller firmware. The code
gave me more information regarding the protocol, but some USB commands are
forwarded to the CPLD through register read/write operations and/or general
purpose I/Os.

Not being able to understand the protocol, I thought I would write a
replacement firmware which would not require a kernel driver. I'm looking
for people interested in the project (or for people who have managed to
understand the Xilinx USB protocol :-)). I can take care of the Cypress
EZ-USB microcontroller, but need someone with CPLD programming experience
to write a replacement for the Xilinx CPLD firmware.

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
I too had the same thought.  For a while.

A platform USB cable from the Xilinx store costs $150.  Given the time
to reverse engineer the protocol and design a board, and ...

And let's not forget that Xilinx owns the USB Vendor ID for the device,
so one can't re-use it without their permission.

You can't make one that's iMPACT compatible; might as well buy one of
the Digilent $38 versions.


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
I came across the Digilent JTAG-USB programming cable, but haven't been able to
find its protocol specifications. I asked Digilent for more information,
but my e-mail seems to have been discarded. Do you know if the cable
protocol is available somewhere? Or will I have to reverse engineer it as
well?

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
not directly available. RE needed


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Has anyone started working on that ?

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
And you're surprised that they're not giving away their design?

Not to rain on your parade, but the typical FPGA engineer has spent a
hundred bucks or so on the part, a grand or two on the PCB, and 1/2 a
man-year on the code.  $38 for a JTAG dongle is down in the noise.

If it's hobby use you're after, you can stretch the JTAG signals off of
your card to another target.

There is an open-JTAG effort on SourceForge.  You might want to check
it out.


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Hi,

Who's talking about their design ? I'm not trying to create a cheap clone,
but to drive the programmer using free software. I don't mind paying $38
(or even $150) for a good USB JTAG dongle, as long as I can use it.

I've checked that out, but it only supports parallel port bit-banging
adapters.

I want to buy a USB JTAG programmer that I can actually use with free
software. Why is there none available?

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
I reread the thread and didn't see this asked.  Why aren't you just
using our iMPACT software?  Linux is one of the supported OSes after all.

You do have to compile the drivers into your Kernel as explained here:
http://www.xilinx.com/xlnx/xil_ans_display.jsp?iLanguageID=1&getPagePath22%648

and the iMPACT software is included in the free WebPack download.

Ed McGettigan
--
Xilinx Inc.

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Hi Ed,

Because iMPACT requires the Jungo binary driver, which has serious security
issues.

Linux offers a user-space USB library called libusb (available for win32 as
well) which would let iMPACT access the Platform Cable USB without using a
binary kernel driver.

As I can't modify iMPACT to get rid of the Jungo dependency, I went the
other way and tried to write a simple command line software to drive the
cable. Unfortunately, the USB protocol seems to be classified top secret,
and reverse engineering the EZUSB firmware didn't give me enough
information. That's why I asked for more information on here.

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
I've never heard of any Linux security issue with the Jungo drivers
and a quick Google search produced nothing indicating any problems. There
was a single discussion on freshmeat.net in the windriver project, but there
was no conclusive or specific issue mentioned and no other net sources.

Based on the first comment on the freshmeat.net site by "omerz" it appears
that you could put superuser/root permissions on the driver that theoretically
could be misused, but if you don't leave it as root then you get just normal
user permissions.

It seems like you want to go to a whole lot of effort to redo work that
already exists and ships for free.  If so, then I guess everyone needs
a hobby to work on.

If you could cite a single instance of a Linux box being "owned" through a
Jungo USB/Parallel driver exploit I would be interested in seeing the
reference.

Ed McGettigan
--
Xilinx Inc.

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
The security problem is more like : "I don't want foreign closed-source
code running in kernel-mode on my machine".

And linux is "supported" well ... I never managed to make the usb cable
work on linux (not a redhat) ...


    Sylvain

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
That's not the only issue. The main problem is that the Jungo driver is a
security hole by design: it gives applications access to PCI cards from
user space without any security check, making it possible for any user to
read from and write to any memory location. The people who designed such a
piece of crap should be banned from using computers for the rest of their
life. Mind you, Jungo is not the only company who makes money from creating
security holes. Macrovision, with its copy protection systems (SafeDisc for
instance) introduced similar problems: the copy protection system loads a
Windows kernel driver which can be used by any application to read from or
write to kernel memory. I could also mention the recent problems with
the Sony copy protection on audio CDs...

But Sylvain is right: even if the security hole in the Jungo products wasn't
so wide, I don't want closed-source code running in kernel mode. Running
untrusted user-space applications is one thing, running untrusted
kernel-mode code is another.

I've managed to scan the JTAG chain once with iMPACT, but it never worked
again. The CPLD version is misread nearly each time, making iMPACT insist
on updating the CPLD (and that takes a *lot* of time, as each JTAG bit
toggling operation is implemented as a separate USB command).

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Can you please cite a reference that documents this issue in detail? And
as I originally requested is there any known exploit that takes advantage
of this, again I need a cite.   I looked and I can't find anything other
than comments that are 4+ years old at this time.

If there is truly an issue here I will look into it further as my group
is one of the licensees of Jungo drivers, but so far all I've seen is FUD for
"closed source" code.

Ed McGettigan
--
Xilinx Inc.

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Sure.  Give me access to a PCI bus master (say the IDE) device, and I
can splat whatever data it contains (say a binary I compiled) into whatever
portion of memory (say kernel address space) I want it to go.

Oh, you need a "cite"...  Well, if you're in the "know" and understand
the implications, the following should make you cringe:

http://www.cansecwest.com/speakers.html#duflot


If I get userland access to poke into I/O or device memory, I will take
over your machine.

--
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
That's exactly the point. WinDriver gives access to PCI devices from
userspace. Any PCI bus master can then be used to modify system memory.
There are many more ways to gain root privileges once you can access device
and/or system memory. Loïc Duflot published a very interesting paper
describing how to gain root access (and doing much more) using the AGP
aperture and SMM:

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/sstic2006-duflot-papier.pdf

How do you expect people to trust a closed-source driver whose main purpose
is to enable userspace applications to access devices directly? Especially
when there are safe open source multiplatform alternatives (libusb).

Laurent Pinchart


Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
At first I thought that I could take a shot at this, download the WinDriver
SDK and see if I could quickly figure out how the WinDriver API works.
However, I didn't have to do that since they have some nice sample programs
included in the WinDriver distribution:

-----------------------------------------------------------------------------

(This is all run as my normal user, not as root user.)

files.txt  isapnp_scan  pci_diag  pci_dump  pci_scan  usb_diag  wddebug
wddebug_gui  wdreg

PCI diagnostic utility.
Application accesses hardware using WinDriver
and a Kernel PlugIn driver (KP_PCI).

PCI main menu
--------------
1. Scan PCI bus
2. Find and open a PCI device
99. Exit
Enter option: 2
Enter vendor ID (to cancel press 'x'): 0x1002
Enter device ID (to cancel press 'x'): 0x5960

Found 1 matching device [ Vendor ID 0x1002, Device ID 0x5960 ]:

 1. Vendor ID: 0x1002, Device ID: 0x5960
    Location: Bus 0x1, Slot 0x0, Function 0x0
    Memory range [BAR 0]: base 0xE8000000, size 0x8000000
    I/O range [BAR 1]: base 0x2000, size 0x100
    Memory range [BAR 2]: base 0xF8400000, size 0x10000
    Interrupt: IRQ 10


PCI main menu
--------------
1. Scan PCI bus
2. Find and open a PCI device
3. Read/write memory and IO addresses on the device
4. Read/write the PCI configuration space
5. Enable/disable the device's interrupts
6. Register/unregister plug-and-play and power management events
99. Exit
Enter option: 3

Read/write the device's memory and IO ranges
---------------------------------------------
1. Change active address space for read/write (currently: BAR 0)
2. Change active read/write mode (currently: 32 bit)
3. Toggle active transfer type (currently: non-block transfers)
4. Read from active address space
5. Write to active address space
99. Exit menu

Enter option: 5
Enter offset to write to (to cancel press 'x'): 0x0
Enter data to write (max value: 0xFFFFFFFF) or 'x' to cancel: 0xffffffff
Wrote 0xFFFFFFFF to offset 0x0 in BAR 0

-----------------------------------------------------------------------------


At this point my upper left pixel turned white. I also managed to crash the PCI
bus (and the computer of course) by playing around with this program and reading
from the wrong address...

It seems that there are some ways around this according to comments posted at
http://freshmeat.net/projects/windriver/, but I'm not sure how you would go about
implementing that.

I wonder if the same problem will appear on the Windows version of WinDriver?
I don't really have time to test it myself at the moment though.

(And yes, I also think it would be much nicer if the Xilinx tools did not depend
on 3rd party kernel modules if it could be avoided.)

/Andreas
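
One way to audit for the exposure shown in the session above (a normal user writing to device memory through a pass-through driver) is to list which character device nodes non-root users can open for writing. This is an added example, not part of the original thread or of WinDriver; the node name `hwaccess0` and all sample entries are constructed placeholders.

```python
import os
import stat

# Nodes that are world-writable by design on a normal Linux system.
EXPECTED_OPEN = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}


def classify(name, mode):
    """Return 'world', 'group' or 'owner': the widest class allowed to
    write to a character device node, or None if the entry is not a
    character device or is on the expected list."""
    if not stat.S_ISCHR(mode) or name in EXPECTED_OPEN:
        return None
    if mode & stat.S_IWOTH:
        return "world"
    if mode & stat.S_IWGRP:
        return "group"
    return "owner"


def audit(entries):
    """entries: iterable of (name, st_mode, uid, gid).
    Returns findings for nodes writable beyond the owner, widest first."""
    findings = []
    for name, mode, uid, gid in entries:
        who = classify(name, mode)
        if who in ("world", "group"):
            findings.append((who, name, stat.filemode(mode), uid, gid))
    return sorted(findings, key=lambda f: (f[0] != "world", f[1]))


def scan(dev_dir="/dev"):
    """Collect (name, mode, uid, gid) for the entries directly in dev_dir."""
    out = []
    for entry in os.scandir(dev_dir):
        st = entry.stat(follow_symlinks=False)
        out.append((entry.name, st.st_mode, st.st_uid, st.st_gid))
    return out


# Constructed sample: 'hwaccess0' is a placeholder for the node of a
# pass-through driver, not the real WinDriver device name.
SAMPLE = [
    ("null", stat.S_IFCHR | 0o666, 0, 0),
    ("hwaccess0", stat.S_IFCHR | 0o666, 0, 0),
    ("ttyS0", stat.S_IFCHR | 0o660, 0, 20),
    ("mem", stat.S_IFCHR | 0o640, 0, 15),
    ("sda", stat.S_IFBLK | 0o660, 0, 6),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a real system, `audit(scan())` reports the live nodes; a group finding is only as safe as the membership of that group.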

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Hi Ed,

it's good to see that Xilinx monitors this group- and the JTAG topic.

When talking about JTAG and using it to configure FPGAs or CPLDs and
programming PROMs, you are probably right: Impact is your friend. It
will do what you want and there is no need to use any open source
solution or program something on your own.

BUT: Often my world does not look like this. I have setups that are
mixed with chips from other manufacturers. I want to access all of them.
I want to do some tests, toggle a few pins, see what happens. And now
the pain begins, as I cannot. I cannot just write my own JTAG software,
because I cannot access the Xilinx cable.

Of course Xilinx is right from a revenue perspective. All these "odd"
setups do not generate any revenue for Xilinx. So why should Xilinx
support these applications? Because engineers do not want to use two
different cables: One for the Xilinx flow, one for the more advanced
problems. It is obvious from a technical perspective, that everything
that is required is already there.  So why should I buy another cable,
just to be able to talk to the JTAG chain? This just does not make any
sense.

OK, still I understand that Xilinx is not really motivated to do so.
Probably, the documentation of the cable API will lead to a support
nightmare. But again, there are solutions to it. Why not do it the
other way around (and keep your driver dongled with Impact)? This is
what I would really like to see:
- Create a properly documented API to talk to the driver.
- Make Impact use this API.
- Publish this API.
- Allow vendors to integrate their JTAG cables/ solutions with Impact.

This solution would probably make a lot of developers and vendors of
development boards very happy. Including me.


Best regards, Felix

--
Dipl.-Ing. Felix Bertram
http://www.bertram-family.com/felix

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
The iMPACT software works with other devices in the chain by allowing you to
specify a BSDL file for the device when it doesn't recognize it.  The iMPACT
software also allows you to generate arbitrary JTAG sequences in order to do
anything that you want to do.  If you want to generate a program to improve
your ability to do this then run iMPACT in batch/command line mode and have
your program control iMPACT.

I would also suggest using a product like Universal Scan
(http://www.universalscan.com/).
I've not used it personally, but I did have a conversation with the principal
developer a few years ago and it seems like a nice light weight tool to do
exactly what you want to do.  I think that it might be Windows only though.

Or, if the pins that you want to toggle are from a Xilinx device, then I would
suggest using ChipScope Pro with a VIO (Virtual I/O) core attached to the pins
for an even simpler product and it includes FPGA configuration capabilities.
ChipScope Pro does work on Linux.

Ed McGettigan
--
Xilinx Inc.

Re: Xilinx Platform Cable USB protocol specifications and/or open-source firmware replacement
Hi Ed,

thank you for your reply and setup suggestions. Unfortunately this only
partly addresses my wishes. Just two (and a half) examples:

1) Think about a development board, that connects to a host PC via USB
or Ethernet. It would be nice, if a vendor could supply a driver, and
integrate the board with Impact. To do so, Impact would need to be able
to talk to third party JTAG drivers. As board vendors cannot do this,
every vendor is forced to provide his own configuration tool- which is
really not the way things should look like.

2) When talking about pin toggling: I am not talking about a few toggle
events, which I could do with a GUI. I am looking for an environment,
where I can program complex toggle sequences. While I am happy to do the
development of the required JTAG library myself, I would need to be able
to access the JTAG cable easily. It would be nice to use the existing
Xilinx cable- unfortunately the API is not disclosed.

3) Now think about a reason to combine both of the above setups without
switching cable hardware, setting jumpers and changing flying leads...

Ed, I do understand that this kind of application is not your primary
interest. Still, it does not always help here to try and teach the
engineer to do it a different way, as there are probably good reasons,
why the engineer wanted to do so. While a technology leader will
definitely need to do some evangelism, it is sometimes a nice marketing
approach to listen to the customer (even if it is a smaller one).


Best regards, Felix

--
Dipl.-Ing. Felix Bertram
http://www.bertram-family.com/felix
