Some thoughts on the GE FAUNC ICS-1650 and the closed source policy of GE
Hello dear readers, hopefully you have had a properly festive of some sort by now in the year, and are ready to spend some (mildly) intoxicated time reading about technical issues!
The topic of todays probe is the GE ICS-1650 card. It’s a lovely card used for signal processing, and software defined radio. I obtained a few of these through both eBay and my employer and have been attempting to get the software kit to use them. GE has been both helpful, and not helpful in the same breath. Some arrived without equipment numbers on them (from my employer). This means that GE is unlikely to supply the needed SDK/HDK elements for me to used them (even though there were obtained through legitimate channels, but are missing the equipment number sticker).
As such, I’ve decided to undertake analysis of this card as a “research project”. In order words, it’s a shame to see two perfectly good Virtex-5 FPGAs go to waste because of some political/corporate fecal spray of policy. When examining the cards, the first thing of note is a small jumper labeled J10 (to the lower right of the big silver heat sink). This port, is undocumented, unlabeled, and unknown, BUT looks a LOT like a JTAG interface, to me. See figure 1., below.
As it turns out, that is indeed the case. I’d like to give Joe Grand a shout out here for his amazing work on the JTAGulator (click the link and buy one if you like – you’ll have to allow the pop-up), as it makes identifying provisioning interfaces a walk in the park – with a rocket sled!
The revealed information is that the interface looks entirely unlike a normal JTAG interface for Xilinx (security through obscurity?), but is easy enough to deduce if you know how to JTAGulate.
Once we have this information in hand, we can start to explore the JTAG bus and see what pops up. The JTAG bus contained two (2) chips as enumerated. This was the case on BOTH the TDO and TDO2 lines. (Again, a little odd that there were two TDOs, but not insurmountable. Initially, I had thought that they split the JTAG bus into two with a selector line to speak to the two FPGAs on the card, but this turned out to not be the case from what I can tell right now.)
The chips identified on the bus are:
1 Xilinx C2A6E093h (0101 0010111010011010 00001001001 1b) 2 Xilinx 52E9A093h (1100 0010101001101110 00001001001 1b)
C2A6E093 - Xilinx Virtex-5 LX50T 52E9A093 - Xilinx Virtex-5 SX95T
Yowza! Looks like we’ve got the two major players on the JTAG bus ready to go!
- You only need to supply 12v of clean DC power to the board via the P3 jumper.
- Almost any generic JTAG interface will work for accessing the bus in a rudimentary way.
- You will want to solder male (or female, we don’t judge here) header to the power jumper (P3 and P2) in order to make your life easier.
- For a treat, power the board while in sample mode and watch the pins go crazy ;-). I use: Top JTAG Probe for this. It’s an amazing tool for $100. I highly recommend it for the low-budget hardware hacker.
Xilinx Virtex-5 User’s Guide
Xilinx Virtex-5 PCIe Implementation Guide
Xilinx Virtex-5 Pinout and Packaging Guide