Comment by fleventynine

14 hours ago

I wonder how good LLM agents are at reverse engineering FPGA bitstreams...

I want a robust open-source ecosystem where anyone can take my hardware projects and modify them without needing to deal with licensing friction.

The difficult part is the place and route algorithm, not the bitstream. The proprietary ones already take quite a long time to solve: I regularly have 12-24h runs. Perhaps an open source one could do better? But it's not quite as straightforward as reverse engineering a proprietary bitstream.

  • That's why nextpnr exists :)

    https://github.com/YosysHQ/nextpnr

    As someone actively working on nextpnr support for a fairly new FPGA architecture, it really is amazing that we have something like that in the open source world.

    YosysHQ are one of my favorite companies to exist.

    • Nextpnr and Project X-Ray are amazing projects. Reverse engineering the physical map of, say, a 7-series FPGA is no small feat. However, I wonder if they'll ever be able to really compete with Vivado without getting access to the characterization models for timing. I would love to switch over, but the Fmax of my project routed with nextpnr is less than half of what I get with Vivado.

  • When I first started doing chip design my boss paid more for tools per year than he paid me ... nowadays open source tool chains are leaping ahead ... I don't need a boss (or VCs) in order to design chips

  • Somewhere in reverse-engineering-land is the desire to figure out undocumented hardware blocks. I’m not disagreeing about PNR here.

  • I have to admit that I haven't looked too closely into this but my understanding is that place & route is essentially an NP hard optimization problem. Would it be possible to translate this into a SAT problem and solve it with a state of the art SAT solver?

    • It's surely possible but if it's, for example, 10% slower, that easily eats into execution time and that directly translates into a sense of "maybe it's just worth it to pay the license fee for this year" after just a few 20h place and route runs.

      Of course, if it were faster, that would be a huge win for the open source implementation.

For reverse engineering, you still need access to the FPGA tools provided by the vendor, to see what changes in the bitstream when you change the design.

If the bitstream is encrypted, you will not see the changes, so the only way is to reverse engineer the Vivado executables.

You need not only the bitstream, but also a huge amount of timing parameters. In theory, they could be obtained by fuzzing, but that would require a huge amount of executions of the Vivado tools. So again the most plausible method is to reverse engineer the Vivado executables, to get the timing parameter database.

In some countries that should be legal, as such reverse engineering might become the only way to use the AMD FPGAs that one buys legally.
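The diffing step the comment above describes (build a design with the vendor tools, change one thing, see which bits move) is, in essence, what bitstream fuzzers such as Project X-Ray automate. The script below is an added illustration, not code from the thread or from any of the projects mentioned: it assumes a constructed layout of 32-bit big-endian words grouped into fixed-size frames (real devices use different frame sizes and addressing), and the sample bitstreams are constructed inline rather than produced by a toolchain.

```python
from typing import Dict, Set, Tuple

# Assumed layout for this constructed example; not a real device format.
WORD_BYTES = 4
WORDS_PER_FRAME = 4

BitLoc = Tuple[int, int, int]  # (frame, word, bit); bit 0 is the MSB of the word


def bit_diff(base: bytes, variant: bytes) -> Set[BitLoc]:
    """Return every bit position that differs between two equal-length bitstreams."""
    if len(base) != len(variant):
        raise ValueError("bitstreams differ in length; not comparable")
    diffs: Set[BitLoc] = set()
    for byte_index, (a, b) in enumerate(zip(base, variant)):
        x = a ^ b
        if not x:
            continue
        word = byte_index // WORD_BYTES
        for bit_in_byte in range(8):
            if x & (0x80 >> bit_in_byte):
                bit = (byte_index % WORD_BYTES) * 8 + bit_in_byte
                diffs.add((word // WORDS_PER_FRAME, word % WORDS_PER_FRAME, bit))
    return diffs


def correlate(base: bytes, variants: Dict[str, bytes]) -> Dict[str, Set[BitLoc]]:
    """Attribute a bit to a feature only if it flips in that feature's variant
    and in no other: bits common to all variants (e.g. a build ID) are discarded."""
    per_feature = {name: bit_diff(base, bs) for name, bs in variants.items()}
    attributed: Dict[str, Set[BitLoc]] = {}
    for name, bits in per_feature.items():
        others = set().union(*(b for n, b in per_feature.items() if n != name))
        attributed[name] = bits - others
    return attributed


def _flip(data: bytes, byte_index: int, mask: int) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= mask
    return bytes(buf)


# Constructed sample: two all-zero frames, one variant per toggled design feature.
# Byte 0 flips in every variant, standing in for a header word that changes per build.
BASE = bytes(2 * WORDS_PER_FRAME * WORD_BYTES)
VARIANTS = {
    "lut_init": _flip(_flip(BASE, 5, 0x01), 0, 0x40),
    "route_a": _flip(_flip(BASE, 20, 0x80), 0, 0x40),
}


def run_example() -> Dict[str, Set[BitLoc]]:
    return correlate(BASE, VARIANTS)
```

With more variants per feature, the same set difference narrows each feature to its stable bits while the per-build noise drops out.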