Replacing Obsolete Processors

Printable version of slides presented at ECC 2016 © Copyright IME & mems AG

Replacing Obsolete Processors Louis Kramer and Christa Zimmerli


Note

• All slides with black background are auxiliary-slides added after the presentation at the Embedded Computing Conference 2016.

• Auxiliary-slides allow you to understand the originally presented slides without a speaker.



https://www.google.ch/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwj6xMqcpfXMAhULsBQKHWGeBIUQjRwIBw&url=https://commons.wikimedia.org/wiki/File:Airplane_Landing_in_Toronto.JPG&bvm=bv.122676328,d.d24&psig=AFQjCNGjIvqllliGrX43VN2UxjDelnGu2w&ust=1464266013476169






Industry

request

request

Master studies project

Aim: Transfer of Know How

Context and collaboration


Context and collaboration

• MEMS AG as well as the Institute for microelectronics occasional receive inquiries for a chip replacement, mostly due to the fact, that devices like microcontrollers used and manufactured decades ago, today happen to be obsolete.

• In order to gain know-how we set up a collaboration with the HTZ (Hightech Zentrum Aargau) as a partner to transfer know-how.



Task: Reverse engineer µP

Why?

Avoid reverse engineering of processor software


Task: Reverse engineer µP

• Replacing the system with the obsolete component completely, will lead to high investments and skills in assembler interpreting.

• The purpose of this project is to find an efficient way to increase chip replacement techniques in order to avoid reverse engineering processor software.

• Finally replace the obsolete component by reengineering the device on a FPGA or ASIC.



Use case

Obsolete Device

Motorola, MC68000, 32-bit CISC

Open Core IP

ao68000

Destination Platform

Altera, Cyclone V, FPGA


PCB

CPU

Bus

Memory I/O


Use case

• In order to gain knowledge about the reengineer process we searched a use case.

• As the Motorola, MC68000 microprocessor is not yet obsolete and information is still available, we choose it as a use case.

• Avoiding to start from zero, in this project the open core IP ao68000 was adapted.

• The destination platform for the reverse engineering task is an Altera Cyclone V FPGA.



Issue 1: Interface Timing MC68000 Worst case 35 ns Best case 3 ns

Cyclone V Worst case 7 ns Best case 3.5 ns

Delta 28 ns



Issue 1: Interface Timing

• As a modern FPGA is build in faster chip technology, the I/O timings are not equal.

• Dissimilar clock to output timings can lead to setup-time violations, when new technology tries to communicate with old chip technology like RAM’s.

• As some analog outputs were implemented with I/O’s and a filter, relying on the specified clock to output timing, the correct I/O timing has to be reproduced by the FPGA.



ao68000

memory

registers

bus

control

WISHBONE

bus

Issue II: Interface Architecture

alu

registers

decoder condition

microcode branch

micro

code

Dn and An

registers

Interrupt inupt

Reset output

Blocked output


Issue II: Interface Architecture

• Open core IP’s like the ao68000 are designed to communicate with on-chip peripherals.

• The original bus-interface is replaced by a on-chip bus, which is not suitable to communicate with external peripherals and additionally violates the pin-out compatibility.



Implementation: Options

Adapted

opencore

Opencore Custom

interface

RAM,PROM,

I/O

FPGA Physical


Implementation: Options

• To meet the architecture issues, two implementation options are possible.

• Option one adapts the open core, by replacing the used WISHBONE interface with the original asynchronous bus interface of the MC68000.

• Option two maintains the open core and communicates through a custom interface to external peripherals.



Implementation: Our solution

MC68000

asynchronous

bus interface

Wishbone

interface

ao68000

Specification

Wishbone

interconnection

architecture

MC68000

User’s manual

MC68000

Instruction set


Implementation: Our solution

• As the documentation of the open core is humble and the code is illegible, we went with option number two.

• To meet the pin and timing compatibility information from the ao68000, the WISHBONE interface, the MC68000 user’s manual and the MC68000 instruction set was necessary.



Simulation

0003C 4E71 NOP # No operation

0003D 203C 1234 5678 MOVE.D0 # Move 12345678 into D0

00040 5680 ADD.D0 # Add 3 to D0

00041 5380 SUB.D0 # Subtract 1 from D0


Simulation

• To verify the design, some assembler code was written, to run on the core.

• Running the simulation led to the experience that by using open core’s, we have to deal with simplifications made by the previous designer.



Experiences with using the existing opencore

Simplifications


16 bit 16 bit 16 bit

16 bit 16 bit 16 bit 16 bit 16 bit

Longest possible instruction:

5x16 bit

Simplification I: Fetch

MC68000

ao68000


Simplification I: Fetch

• In order to avoid a mechanism which checks if more data has to be loaded to execute an instruction, the instruction fetch register in the open core was increased to five times 16 bit.

• Five times 16 bit correlates with the longest possible instruction.

• As a result of this simplification, the timing of the instructions are slightly different compared to the original processor.



Simplification II: Data bus

16 bit

32 bit

MC68000

ao68000

Pipeline distortion

F F D

F

E

F D

F

E

F D


Simplification II: Data bus

• As the MC68000 is a 32 bit architecture microprocessor and the WISHBONE interfaces allows a 32 bit data bus width, the bus is implemented in 32 bit.

• The actual bus width is 16 bit as there were limitations given by the packaging of the MC68000. Cascading the core with a custom interface which is only capable of 16 bit means, that for every instruction fetch cycle requested by the processor, two read cycle have to be performed.

• The aftermath is that the pipeline gets distorted by an additional fetch respectively read cycle and the instruction cycle times are not consistent with the datasheet specifications.



Conclusion

Reverse engineering

Complex task

Datasheet

Interpretation vs. Reality

Risk

Possibly unknown workaround and missing expert knowledge in 3rd party IP


Conclusion

• Regardless of the age of the technology which we wanted to reverse engineer, the architecture is still highly complex to reproduce accurately.

• As datasheets are meant to serve the software engineer and the PCB designer, the information about the architecture is not covered. This enables a certain degree of interpretation when trying to reproduce a microprocessor.

• When using a third party IP like the ao68000 it is highly possible that some workarounds were introduced in the design. These may work for the specified application but are obstructive when a different use is intended.



Gained expertise of opencore IP Achieved

Gained timing experience on FPGA

Achieved

Understood «old» microprocessor IP

Achieved

Positive results


Positive results

• Through this project we were able to gain expertise in using open cores and understanding the intended scope of application of those.

• We successfully showed, how the pin-out timing can be solved, when dealing with a mix of modern and old chip technology.

• The research made throughout the project refreshed the expertise on old microprocessor architectures and helped to regain know-how within this matter.



Institute of Microelectronics

CH-5210 Windisch

Louis Kramer Scientific assistant

MSE Student [email protected]

Matter engineering for metering systems

CH-5413 Birmenstorf AG

Christa Zimmerli Development engineer

MSc FHNW [email protected]

mailto:[email protected]

mailto:[email protected]


Thank you! Questions?

Replacing Obsolete Processors

Documents