Home Hardware Hacking Some thoughts on the GE FAUNC ICS-1650 and the closed source policy of GE

Some thoughts on the GE FAUNC ICS-1650 and the closed source policy of GE

Posted on Posted in Hardware Hacking, Uncategorized 2 Comments

Hello dear readers, hopefully you have had a properly festive of some sort by now in the year, and are ready to spend some (mildly) intoxicated time reading about technical issues!

The Problem

The topic of todays probe is the GE ICS-1650 card.  It’s a lovely card used for signal processing, and software defined radio.  I obtained a few of these through both eBay and my employer and have been attempting to get the software kit to use them.  GE has been both helpful, and not helpful in the same breath.  Some arrived without equipment numbers on them (from my employer).  This means that GE is unlikely to supply the needed SDK/HDK elements for me to used them (even though there were obtained through legitimate channels, but are missing the equipment number sticker).

As such, I’ve decided to undertake analysis of this card as a “research project”.  In order words, it’s a shame to see two perfectly good Virtex-5 FPGAs go to waste because of some political/corporate fecal spray of policy.  When examining the cards, the first thing of note is a small jumper labeled J10 (to the lower right of the big silver heat sink).  This port, is undocumented, unlabeled, and unknown, BUT looks a LOT like a JTAG interface, to me.  See figure 1., below.

ICS-1650 Board Top
Figure 1. GE ICS-1650 Board (Top)

The Solution

As it turns out, that is indeed the case.  I’d like to give Joe Grand a shout out here for his amazing work on the JTAGulator (click the link and buy one if you like – you’ll have to allow the pop-up), as it makes identifying provisioning interfaces a walk in the park – with a rocket sled!

The revealed information is that the interface looks entirely unlike a normal JTAG interface for Xilinx (security through obscurity?), but is easy enough to deduce if you know how to JTAGulate.

JTAG Pinout GE FAUNC ICS-1650
Figure 2. GE ICS-1650 JTAG pinout on J10.
The colors are the standard (except the vRef line) Dupont cable colors for your added pleasure and sanity…

Once we have this information in hand, we can start to explore the JTAG bus and see what pops up.  The JTAG bus contained two (2) chips as enumerated.  This was the case on BOTH the TDO and TDO2 lines.  (Again, a little odd that there were two TDOs, but not insurmountable.  Initially, I had thought that they split the JTAG bus into two with a selector line to speak to the two FPGAs on the card, but this turned out to not be the case from what I can tell right now.)
The chips identified on the bus are:

1 Xilinx C2A6E093h (0101 0010111010011010 00001001001 1b)
2 Xilinx 52E9A093h (1100 0010101001101110 00001001001 1b)
These part numbers correspond to:
C2A6E093 - Xilinx Virtex-5 LX50T
52E9A093 - Xilinx Virtex-5 SX95T

Yowza!  Looks like we’ve got the two major players on the JTAG bus ready to go!

A few quick notes on the attachment and powering of the board on the bench:
  1. You only need to supply 12v of clean DC power to the board via the P3 jumper.
  2. Almost any generic JTAG interface will work for accessing the bus in a rudimentary way.
  3. You will want to solder male (or female, we don’t judge here) header to the power jumper (P3 and P2) in order to make your life easier.
  4. For a treat, power the board while in sample mode and watch the pins go crazy ;-).  I use: Top JTAG Probe for this.  It’s an amazing tool for $100.  I highly recommend it for the low-budget hardware hacker.

 

Figure 4. The ICS-1650 board powered with JTAG successfully attached. (The JLINK is a legitimate educational purchase, I do educational content development, too. Remember, those darn kids will be the ones blazing new trails someday... )
Figure 3. The ICS-1650 board powered with JTAG successfully attached.
(The JLINK is a legitimate educational purchase, I do educational content development, too. Remember, those darn kids will be the ones blazing new trails someday… )
For completeness sake, I’m also attaching a photo of the back of the board.  The only really interesting thing on the rear of the board is the Intel Strataflash chip.  (PDF of the data sheet here.)
ICS-1650 Board Level Back 005
Figure 4. GE FAUNC ICS-1650 Board (Bottom)
Additionally, some reference material for those interested in hacking along with me on this:
Xilinx Virtex-5 User’s Guide
Xilinx Virtex-5 PCIe Implementation Guide
Xilinx Virtex-5 Pinout and Packaging Guide
Please note that you may need to register for access to some of these documents.  Xilinx is not an evil-empire type company from all the indicators I’ve seen.  They’ll keep your name on a list of folks who download documents, but I seriously doubt they’re using it for anything other than sending you newsletters.  (For my dear and paranoid friends out there…)
I would also encourage GE to release information on these to the public.  They are essentially obsolete for the military purposes they were originally intended for (largely due to the fact that they are no longer produced by GE and can’t be replaced easily), but they are extremely useful boards to the SDR community, and hardware prototyping engineers.  How about you help innovation along, instead of stifling it?
Thanks to @solardiz for the information, and I hope you can move further with what I’ve figured out here! Sorry about the blog fiasco at Google, this site should resolve that problem.  My intent is to figure out how to fully reprogram these units and use them from everything from accelerating crypto/cracking to using the advanced signal processing capability to process SDR (Software Defined Radio) elements in real-time.
Until next time, Phorkus.
mm
About

Phorkus is just this guy...

2 Comments on “Some thoughts on the GE FAUNC ICS-1650 and the closed source policy of GE

  1. Nice try.
    I just bought the board from ebay.
    I am looking forward to futher development.
    We can discuss off-line about some ideas I did before to learn more about the pins.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*