Tool for removing content protection from vhdl and verilog files.
Xilinx, and other fpga tool suppliers use several kinds of content protection in their products.
In older versions of ISE Xilinx used their own scheme. The contents of the file was either only compressed, or compressed and encrypted with a fixed key.
These files start with a magic string: XlxV.
A method used by several manufacturers: Verilog Protected Envelope. This is standardized in IEEE P1735.
These files can be recognized by presence of the string: pragma protect begin_protected.
The private keys needed to decrypt are found by reverse engineering fpga toolchains.
If you find a file which can not yet be decoded by xlxunprotect.py, please open an issue here on github.
Currently keys for Xilinx, mentor and altera have been found.
python xlxunprotect.py filelist
files will be output to stdout with content protection removed.
Here is an overview of how many of various kinds of protected files i found in my ISE directory.
| occurence | protection type |
|---|---|
| 824 | XILINX-XDB 0.1 STUB 0.1 ASCII.XILINX-XDM V1.6e |
| 30 | XlxV32DM ( in XILINX-XDB 0.1 STUB 0.1 ASCII.XILINX-XDM V1.6 ) |
| 17 | XlxV35EB |
| 4 | XlxV36EB |
| 3816 | XlxV37EB |
| 64 | XlxV38EB |
| 5351 | XlxV50EB |
| 15 | XlxV60EB |
| 74 | XlxV61EB |
| 34132 | XlxV64EB |
| 6664 | XlxV65EB |
| 189 | XlxVHYEB |
| 0 | XlxVc1EB |
| 0 | XlxVHLEB |
| 3517 | `pragma protect |
These have many different file extensions, but the most interesting:
| occurence | file |
|---|---|
| 17747 | protected .v or .vhd |
| 22517 | unprotected .v or .vhd |
The private keys for the vhdl content protection are stored in .pem files in the /opt/Xilinx/14.7/ISE_DS/ISE/data directory.
These private keys can be decrypted, for instance using openssl:
openssl rsa -passin pass:<longhexkey> -in xilinx.pem -out decrypted.pem
The filenames of the keys are: xilinx_2048_pvt.pem, xilinx_3072_pvt.pem, xilinx_2013_09.pem, xilinx_2014_03.pem.
The key for the first three is:
6e0380d8f8b58ae296366baab0a421fec94f87c6b6f6dc10id48625a6428f1b3464b27c0379304d09d157b3869bdcb2dc1a19c4d299027a9fc04bf09abc13f2
The key for the 2014 key is:
f8b58ae26ea380d82a1421fei6366ba1c94fh7c69d4h625ab6564c1a642hf1b33g9304d0464227c0i4157b38c1a19c4d6ibdcb242i9027aiabc13fb
The key for the 2015 key is:
6ea380d8f8b58ae22a1421feabc13fb
in 2016 Xilinx switched to using binary keys, you can no longer use the openssl commandline to decrypt these.
the 2017.1 key is: hex:08 0f 07 05 6b 09 0a c1 08 0e f5 05 0c 01 0e 0a 07 ae 05 ba
The encrypted certificates have become a bit more difficult to extract from the libisl_iostreams library,
I now found them by piecing together the chunks of base64 like text until they matched up to be a valid certificate.
When installing a xilinx product, the installer will download many .xz archives. These are password protected, with the password:
www.Trebuchet.com
Since 2016.1, the password is: www.theonion_saidnasser.com
The password is now stored in the file data/idata.dat, in idata.xml, in the property named archivePasswd.
The .dat file is encrypted with this password:
Error, There was an unexpected error, code 00345~. See AR:342674 @ http://www.xilinx.com
You can find this by decompiling xinstaller, and look in IDataManager.java.
Previously this tool was published
Another tool decrypting begin_protect sections: hdl_decrypt
- Aldec protectip
- Synplify encryptP1735.pl - on pastebin
- Xilinx Encryption Tool
- Cadence ncprotect
TODO +===
Find keys for the following:
- fixed AES-256 key named:
CDS_DATA_KEYfor Cadence Design Systems, tool:ncprotect - fixed AES-128 key named: Model Technology tool:
DEV - rsa key named:
VCS001 - rsa key named:
ALDEC08_001for Aldec, tool:protectip, Riviera PRO - rsa key named:
SYNP05_001for Synplicity - rsa key named:
SNPS-VCS-RSA-1for Synopsys - rsa key named:
cds_rsa_keyfor Cadence Design Systems - rsa key named:
MGC-PREC-RSAfor Mentor Graphics Corporation - rsa key named:
ALDEC15_001for Aldec