Well, we broke down the FBIN file into some sections and validated that the section identifiers were correct by locating the size following the section identifiers. I’m assuming at this point that the section sizes are part of section headers, and I don’t know how long the headers are. Thats all about to change.

I’ve found the FPGA code that is executed on the Xilinx chip on the SD14 and it is possible to reverse engineer it to both a layout and an Verilog file. Let me explain this first milestone in my hack of the Sigma SD14

First off, we’ll examine the largest BINS section in the FBIN file. I’ll work again with the broken down s14v101.fbin file as generated in my previous post. This is the section that we want:

13:	0×001e4508		1983752	0×00076e40	486976

Lets look at the first few bytes as hex and text, and then I’ll explain some things. the first few bytes are:

42 49 4E 53 24 00 00 00 00 FF 30 00 00 00 00 00 BINS$....ÿ0.....
20 00 00 00 04 00 00 00 00 00 00 00 76 B7 80 AC  ...........v·.-
00 00 00 00 00 09 0F F0 0F F0 0F F0 0F F0 00 00 .....   .ð.ð.ð.ð..
01 61 00 08 73 64 37 2E 6E 63 64 00 62 00 0B 33 .a..sd7.ncd.b..3
73 32 30 30 74 71 31 34 34 00 63 00 0B 32 30 30 s200tq144.c..200
36 2F 31 31 2F 30 32 00 64 00 09 31 38 3A 30 35 6/11/02.d.      18:05
3A 30 37 00 65 00 01 FF 88 FF FF FF FF AA 99 55 :07.e..ÿ.ÿÿÿÿª.U
66 30 00 80 01 00 00 00 07 30 01 60 01 00 00 00 f0.......0.`.... 

The green values are the hexadecimal, and the blue values are the strings. Now, we can see the BINS tag starts things off, and checking the size…wait a minute! the size is wrong! What? Well, then, what comes next? To find out, we had better figure out whatever sd7.ncd is. SD7?? Yup. there is more than one reference to the SD7 in the overall firmware file

Lets see if we can find anything else in that string that will help us. How about 3S200. Hm, the Xilinx chip is a XC3S200. Jackpot! A quick google confirms. NCD files are Xilinx design files. That gets us somewhere. I have the feeling that this is the file that the FPGA loads as the design. Another quick google turns up a page on FPGA-Faq.com that is entitled “Tell me about bit files.” Bit files are the FPGA’s firmware file, quoting from FPGA-Faq.com:

The Xilinx .bit format is pretty simple.  It uses keys and lengths to
divide the file.

Here is an example.  Below is a hex dump from the beginning of a .bit file:

00000000:  00 09 0f f0 0f f0 0f f0 0f f0 00 00 01 61 00 0a  *………….a..*

00000010:  78 66 6f 72 6d 2e 6e 63 64 00 62 00 0c 76 31 30  *xform.ncd.b..v10*

00000020:  30 30 65 66 67 38 36 30 00 63 00 0b 32 30 30 31  *00efg860.c..2001*

00000030:  2f 30 38 2f 31 30 00 64 00 09 30 36 3a 35 35 3a  */08/10.d..06:55:*

00000040:  30 34 00 65 00 0c 28 18 ff ff ff ff aa 99 55 66  *04.e..(…….Uf*

Oh, this looks just like the section that was found in the SD14 firmware file! Reading more at FPGA-FAQ.com, we see that there should be an “a”, “b”, “c”, “d”, and “e” sections, and sure enough, our “a” identifier is at offset 0X076e72 in s14v101.fbin. You can easily find the rest of the sections yourself.

We just found the FPGA code that runs on the Sigma SD14!

Googling turns up a bunch of info for these Xilinx Bin files. Here is a program to decode the headers. Here is some info on how this can be converted into a C header file. Good thing Sigma is cheap and didn’t use the more advanced 3A FPGA or we’d have to deal with this crap.

The greatest piece of info I found however was this brilliant site on a debit utility to turn a BIN file into a netlist. For those of you who don’t know, a netlist is the list of circuit elements that make up the circuit. In this case, it takes the bin file and generates a list of logic gates for the circuit. This will also give a visual representation of the circuit, and even contains information on how to convert this back into verilog. Verilog is very easy to simulate (I’d imagine that a Xilinx bin file is as well)

Next steps: Convert the SD14 Xilinx bin file into a netlist, generate a graphical representation of the circuit, and convert it back to verilog.

Categories: SD14 Firmware Hacking