Sunday, November 8, 2015

Configuring the Cyclone V FPGA SoC Boot loader on a DE0-Nano-SoC board

Understanding the boot loader on a computer system is probably the most important aspect of security. Most computer systems have multiple boot loaders that run in sequence immediately after a power reset is applied to the processor on the computer system.  This applies to embedded, desktop, and server systems.

So I picked up a couple of Altera FPGA SoC boards a few weeks ago and immediately pulled up all of the documentation that I could find on the Cyclone V SoC.  The Cyclone V SoC has an FPGA and a Hard Processor System (HPS) woven into a single processor package.  The HPS is a dual core ARM Cortex A9. Building everything from scratch is the best way to figure out how the system works.

The boot sequence on a Cyclone V HPS works like this:

The on-chip ROM (for which source code is not provided) loads the preloader (1st stage bootloader). The preloader then loads U-Boot. U-Boot then loads the kernel and root file system.

There are two well thought out options for the preloader according to the Cyclone V boot guide.  The two options are licensed differently depending on how you build the source code.  One is licensed under a BSD license and the other under GPL v2 with U-Boot.

Building a preloader image for the DE0-Nano-SoC board was straightforward.  Altera provides the bsp-editor utility for customizing the preloader configuration and generating the BSP HPS preloader source code, after which make is used to build the sources using the Mentor ARM cross toolchain.
The preloader settings directory can be found on the DE0-Nano-SoC CD in the DE0_NANO_SOC_GHRD subdirectory.

The preloader load address can be set via the bsp-editor so that the on-chip ROM either loads the preloader from an absolute zero address on the sdcard or from a FAT partition with id equal to a2 on the sdcard.  These are the options for booting from the sdcard.
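As an added example (not from the original post and not part of Altera's tooling), the Python below parses the MBR of an sdcard image and reports where the partition with id a2 sits, which is a quick way to confirm what the on-chip ROM will be pointed at before the card goes into the board. The function names and the sample partition layout are constructed for illustration.

```python
import struct

SECTOR = 512
PRELOADER_TYPE = 0xA2  # partition id named in the post


def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # Entry layout: status, CHS start (3 bytes, skipped), type,
        # CHS end (3 bytes, skipped), start LBA, sector count.
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"index": i + 1, "type": ptype, "lba": lba,
                            "sectors": count, "bootable": status == 0x80})
    return entries


def find_preloader(sector0: bytes):
    """Return (byte_offset, byte_length) of the first a2 partition, or None."""
    for entry in parse_mbr(sector0):
        if entry["type"] == PRELOADER_TYPE:
            return entry["lba"] * SECTOR, entry["sectors"] * SECTOR
    return None


def build_sample_mbr():
    """Constructed sample: type 0x0B at LBA 4096, type 0xA2 at LBA 2048."""
    mbr = bytearray(SECTOR)
    parts = [(0x0B, 4096, 204800), (0xA2, 2048, 2048)]
    for i, (ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0, ptype, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    print(find_preloader(build_sample_mbr()))
```

To check a real card image, pass its first 512 bytes to find_preloader() instead of the constructed sample.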

After the sources are generated and the preloader image is built using the Makefile, U-Boot must be compiled. An Altera port of U-Boot is available on GitHub for the Cyclone V FPGA SoC. U-Boot is built using the Linaro ARM cross toolchain.

There's quite a bit you can do with the Cyclone V FPGA SoC boot configuration.  FPGA images can be loaded from U-Boot.  The jumpers on the board can be configured to boot from the on-board serial flash (QSPI), bare metal applications can be loaded from the preloader, the FPGA can be configured from serial flash, and the list goes on.  The HPS SoC Boot Guide for the Cyclone V SoC is a valuable reference and contains all of the boot configuration information.

Wednesday, October 28, 2015

Altera Cyclone V FPGA SoC - the Possibilities are endless

Altera's new Cyclone V FPGA SoC - An Integrated ARM® Cortex®-A9 MPCore™ Processor System and Cyclone V FPGA.

The DE0-Nano-SoC development board was released by Terasic in the summer of 2015 and includes the latest Cyclone V FPGA SoC.  The board comes with a wealth of features including an analog to digital converter (LTC2308) and has an Arduino expansion header.

There are an adequate number of programmable logic elements on the FPGA - 40K along with 5 fractional PLLs and 2460 Kbits of embedded memory.  The ARM® Cortex®-A9 MPCore Dual Core processor (HPS) runs at 925 MHz and the board has 1 GB of DDR3 SDRAM.  The board also includes an on-board Ethernet PHY, USB OTG and Micro-AB connectors, a micro SD card slot, accelerometer, and built-in USB Blaster II.

Altera Quartus II 15.0 Web Edition and Altera SoC Embedded Design Suite with ARM DS-5 AE run seamlessly on x86_64 Fedora 21.  The board supports OpenCL so you can easily program the FPGA from Linux user space running on the HPS. Finally, writing a newly compiled bitstream to the FPGA from Quartus II running on an attached Linux host was also seamless.

Monday, August 17, 2015

The "Three Fives" Discrete 555 Timer Kit

I picked up a "Three Fives" Discrete Timer Kit this weekend.  As it turns out the kit was well worth the money.  The "Three Fives" Discrete Timer Kit is a transistor-scale replica of the NE555 timer IC.  The printed circuit board (PCB) is high-quality and soldering the transistors and resistors was a lot of fun. Thanks to Eric Schlaepfer and Evil Mad Scientist Labs for this high quality circuit kit.

The size of the board makes it easy to measure what's going on inside the circuit.  Just connect the probes from an oscilloscope to any of the solder or test points on the board.

A photo of the board that I built is below. I also wired a sample test circuit for blinking a pink LED and then connected a scope to the board so that I could look at the square wave.

Here is the sample test circuit that is wired on the breadboard. Substitute resistor and capacitor values where applicable.

Wednesday, April 15, 2015

Vim for assembly, programming, and system admin

Computer pioneer Bill Joy created the Vi text editor.  Vi has made its way onto nearly every UNIX and Linux computer and is used by kernel developers, system administrators, programmers, and users.  The learning curve is steep; however, the ability to run circles around 95% of UNIX programmers, administrators, and the like can easily be achieved.  One hour per day for five to six years digging through kernel source code with ctags will allow you to become proficient with the editor. If you are already a C programmer and can work from the terminal quickly, then picking up Vi should be easy for you.  My notes below describe how to set up Vim, a fork of Vi that includes features such as color syntax highlighting.

Thanks to this guy for creating an awesome Vi cheat sheet for programmers. He has also created a Vi emulator Plugin for Microsoft Word.

Vim is especially useful for reading assembly and bootloader code when a VGA connection is not available.
! Spin Lock - Solaris 2.6 C4.2
.seg "text"
.global set_byte ! make the name visible outside the .o file
.global clear_byte !
.global spin_lock !
set_byte:
    retl
    ldstub [%o0],%o0 ! delay slot for retl
clear_byte:
    set 0x0,%o1
    swap [%o0],%o1
    retl
    nop ! delay slot for retl
spin_lock:
busy_loop:
    ldstub [%o0],%o1 ! atomically read the lock byte and set it to 0xff
    tst %o1
    bne busy_loop ! lock was already held, try again
    nop ! delay slot for branch
    retl
    nop ! delay slot for retl

For the non-programmer, having Vi handy on a terminal means easily modifying any readable file on a UNIX system from the terminal - including log files and tcpdump log file snippets.  Quickly setting up snort config files, copying public and private keys between files on servers, configuring build systems, and modifying /etc/hosts and resolv.conf can easily be done with Vim. 

Running make tags from the top level Linux kernel source tree will build the ctags file over the Linux kernel source. Alternatively, man ctags will show you how to recursively run ctags over your source code.
Nerd Tree and Taglist are two useful plugins that can be downloaded from  
Once NERD tree and Taglist are placed in ~/.vim/plugin/, the following lines in your .vimrc will allow you to use <ctrl-n> and <ctrl-m> to toggle the file explorer and visual tag list.
nmap <silent> <c-n> :NERDTreeToggle<CR>
nnoremap <silent> <c-m> :TlistToggle<CR>

Also, if you need a status line:
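set statusline=\ %{HasPaste()}%F%m%r%h\ %w\ \ CWD:\ %r%{CurDir()}%h\ \ \ Line:\ %l/%L:%c
" Current working directory with the home directory shortened to ~/
function! CurDir()
  let curdir = substitute(getcwd(), '/Users/myhomedir/', "~/", "g")
  return curdir
endfunction

" Show a marker in the status line while 'paste' is set
function! HasPaste()
  if &paste
    return 'PASTE MODE  '
  else
    return ''
  endif
endfunction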

Vim should be good to go at this point. cd back into your source code directory and begin work.  Finally, man vim will tell you more about how to use the editor.

Enter g?g? in command mode on the current line of text and Vim will perform a rot13 encryption of the text.

And here's that rot13 encryption algorithm in sparc assembler (courtesy of
.section ".text"
.align 4
.global main
.type main,#function
.proc 020
main:
    save %sp, -112, %sp ! save the stack!
    mov 0, %o0 ! stdin
readbyte:
    sub %fp, 1, %o1 ! 1 byte below frame pointer
    mov 3, %g1
    !call read
    mov 1, %o2 ! 1 byte
    ldub [%fp-1], %l1 ! pull the byte into %l1
    cmp %o0, 0
    be done ! byte was EOF, jump to done
    and %l1, 32, %l2 ! remember the case bit (0x20)
    xor %l2, 0xff, %l3 ! invert %l2, store as a temp
    and %l1, %l3, %l1 ! clear the case bit: fold to upper case
    cmp %l1, 0x41
    bl skip ! note lack of trailing nop.
    cmp %l1, 0x5A ! the instructions trailing
    bg skip ! these branches affect nothing
    mov 26, %o1 ! if the branch isn't taken.
    sub %l1, 0x41, %l1 ! subtract 'A'
    add %l1, 13, %l1
    call .rem ! (modulus) call is unconditional
    mov %l1, %o0 ! so final arg can be set afterwards
    add %o0, 0x41, %l1 ! add 'A' back
skip:
    or %l1, %l2, %l1 ! restore the original case bit
    stb %l1, [%fp-1] ! return the byte to memory
    mov 1, %o0 ! setup syscall args
    sub %fp, 1, %o1
    mov 4, %g1 ! syscall number goes in %g1, as for read above
    ! call write
    mov 1, %o2
    ba readbyte ! return to beginning
    mov 0, %o0 ! stdin (see beginning)
done:
    ret ! return
    restore ! fix stack before return completes

In conjunction with Vi, od and/or hexdump (if installed) can be used for examining binaries on different flavors of UNIX.

Thursday, January 29, 2015

Customizing a Linux distribution for an ARM® Cortex®-A9 based SBC

We will be pulling Yocto 1.7.1 (Dizzy branch) from Freescale source and building a BSP for the i.MX 6 RIoTboard. The final image will consist of the following components:

  • U-Boot version 2014.10 from the Freescale git repositories.
  • Linux kernel version 3.17.4 from the Freescale git repositories.
  • ext3 root filesystem with selected packages

The image will be built from the custom distribution (bsecdist) and custom image (bsec-image) defined in the last post. bsec-image is derived from core-image-minimal. The configuration changes below will add support for package tests to the bsec-image. In addition, the profiling tools and static development libraries and header files will be added to the image. Finally, several standard userspace packages will be added to bsec-image; namely, bison, flex, and gunning. Last, several configuration directives will be added to the local configuration file so that source code archives, package versions, and accompanying license files are stored and cached in a local directory for future builds and compliance purposes.