
Read flash attached to Max II in Parallel Flash Configuration on legacy system

DavidSmoot
Beginner

I have a customer requesting that I reverse engineer the firmware on a legacy system so he can program some older blank stock for spares.  

No available source code.  No available schematics. 

The system was designed roughly 2011 or so.  

There appears to be an Altera Max II (EPM2210F256C5N) with a Micron Flash (28F128J3) attached that is used in a Parallel Flash Loader configuration to program two Cyclone III FPGAs on the board (EP3C16F484 and EP3CM484).

I need to be able to either extract the contents of the flash in the parallel flash loader or re-create them.  

I have been able to connect to the CPLD with a Byte Blaster and read back the CPLD contents into .pof file.

I have found the detailed instructions for configuring a setup like this but they all assume the logical path of starting from the FPGA programming files and writing to the flash.  I do not see any instructions on reading back the data from the CPLD attached flash. 

The Parallel Flash Loader IP Core User Guide from this era can be found at https://www.altera.com/en_US/pdfs/literature/ug/archives/ug-pfl-14.1.pdf.

The latest version can be found at https://www.intel.com/content/www/us/en/docs/programmable/683698/23-1-19-1-0/user-guide.html

  1. Is there any way to easily read back the flash chip through the CPLD using Quartus Programmer or other tools?
  2. Is there any way to extract a pin map from the .pof file and possibly create a new CPLD project that allows readback of the flash?
  3. Any other ideas that don't involve physical attacks?  Both chips are BGA with buried traces.  I could X-ray the board to find pin mappings I suppose.  
  4. Both FPGAs have Byte Blaster programming ports but I could not read back anything from them directly.  If they were fully and correctly loaded by the CPLD Flash Loader, should I have been able to scrape a pof from each FPGA?  If I could extract a POF, I could possibly re-create the flash image from that.

Any suggestions / help welcome.  I am in Dallas, TX if someone knows the local FAE contact. 

Thanks for your time,

David

FvM
Honored Contributor II

Hi,

sounds like an implementation of Parallel Flash Loader IP. If so, it regularly supports "examine" (readback command) in Quartus programmer, which would dump flash content to a .pof file. (Your question 1). There's also an option to read flash with special JTAG tools by using MAX II BSDL functionality.

2. No

3. Which chips? You are talking about 1 flash device. If talking about FPGA, what do you want to find out? If you have access to JTAG ports, BSDL allows you to trace pin connections.

4. There's no readback of internal volatile FPGA configuration. 

The configuration of your system isn't yet completely clear. 
- JTAG configuration. Your post sounds like each chip (MAX II, both FPGAs) has a separate JTAG port?

- configuration scheme. PFL IP supports both PS (passive serial) and FPP (fast passive parallel) configuration. Do you know what is implemented?

DavidSmoot
Beginner

Thank you for the quick reply.

I have 3 Altera logic devices.  Each has its own labeled Byte Blaster port.  I have no schematics nor source code, so some of this is educated guesses from observable chips.  The two Cyclone FPGAs do not appear to have dedicated serial flashes on the board, and when I connect to them with the Byte Blaster, each FPGA is correctly identified by the programmer and the programmer reports no serial flash.

I am not 100% certain, but it appears that the CPLD accesses the Micron Flash somehow to program the FPGAs.  No idea of the method or even if this is true.

When I connect to the CPLD with the programmer: 

  • It correctly identifies the CPLD
  • Does not automatically identify any attached flash
  • Allows me to scrape a 43kb pof file from the CPLD that I am pretty confident is just the contents of the CPLD and not the attached flash.

I can within the programmer manually choose to add a CFI chip attached to the CPLD.  But when I do so, it disables the examine / readback capability.  

It is entirely possible that it is just a dumb user problem but I have explored the user interface for programmer and googled with no definitive answers. 

Your comment about BSDL is a valid tool but not sure how I could use it to advance my goals.  I suppose it would be possible to brute force bit bang a flash read transaction but that sounds quite difficult. 

Any additional ideas on tools and techniques that might allow me to read back the contents of a CPLD attached flash so that I could clone to spare hardware with the tools and information that I have?  It is not unreasonable to license the IP if it would enable that. 

Thank you,

David

DavidSmoot
Beginner

I still am seeking some assistance with this from either other users or Intel employees.  


Is there an "official channel" to get answers to questions like this beyond the forums?


Is there a directory somewhere to look up who and where my regional FAE is?

Thank you,

David 

WZ2
Employee

Hi David,

Based on your description, I guess you want to read back the contents of the Micron Flash (28F128J3), right? From my point of view, this is quite difficult:

  1. The "Examine" function can be used to read back the MAX II internal program, that is, the contents of the MAX II cfm/ufm.
  2. The PFL IP itself does not have the ability to read back the contents of the flash; possibly the ASMI IP has this ability, but I’m not sure whether MAX II supports this IP.
  3. If it is purely about reading back the flash, the Micron manufacturer might be able to help you better. As far as I know, if you can connect to the flash pins, they can read back the contents of the flash using flash commands.
  4. However, even if you read back the image from the flash, it is, in my opinion, not feasible to reverse-engineer the .sof file from that image, so restoring the internal logic layout is not possible.

Best regards,

WZ
DavidSmoot
Beginner

Thank you.


Mostly agree with your conclusions but not what you think I am attempting.  


I don't care to reverse engineer the contents of the flash, I just want to be able to acquire them and place them on "blank" boards.  I basically want to be able to take a working board and "clone" it to a blank board and have it behave exactly the same.  To that end, I don't need to understand the flash contents, I just need to be able to duplicate them. 

Had a conversation with the FAE and he gave me an idea that should work if I can extract / acquire a pin map between the CPLD and the flash chip.

  1. Save off current CPLD image (done)
  2. Write a new CPLD program from scratch that allows me to read and write flash through the JTAG terminal.
  3. Dump contents of flash to PC
  4. Dump flash contents to blank board using same program.
  5. Write back the original CPLD image from step 1 on both boards.

That should work, but I am currently stumped on a pin map.  X-rayed the board, but there are way too many layers and intersecting traces to get a pin map.  In discussions with the customer about the cost / feasibility of pulling both the CPLD and flash chips from a dead board and using a flying probe or manual labor to determine the pin map.  

Any thoughts or criticisms on this approach?

David

WZ2
Employee

Ah, I see what you mean now. If your goal is simply to recover the binary contents of the flash, I believe the suggestion from the FAE was to use a custom IP in the CPLD to read the data out.

As for me, I would probably lean toward physically removing the flash chip and using a third-party programmer to extract its contents directly. Of course, one would need to pay attention to things like endianness conversion, if applicable.

If the flash is in a BGA package, this could be more challenging — but from what I understand, some flash programmers are capable of handling this, though it may require reballing the device before programming.

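Whichever way the flash image is obtained (a custom CPLD reader over JTAG as in David's five-step plan, or a chip-off read on a third-party programmer as WZ2 suggests), the clone is only trustworthy if the image read back from the blank board matches the image taken from the working board. The script below is an added example written for this thread, not code from any poster or from Intel; it assumes both dumps already exist as raw binary files (the file names in `main()` are placeholders), assumes the "endianness conversion" WZ2 mentions means a 16-bit word byte swap, which is how a programmer that reads the 28F128J3 in 16-bit mode can store the same data differently, and uses a small constructed 4 KiB image in place of the real 16 MiB device contents so that it runs offline.

```python
"""Verify that a cloned flash image matches the reference dump from the working board.

Added example for the thread above; not the project's own code.
Assumes raw binary dumps. A full 28F128J3 dump is 16 MiB (128 Mbit);
the sample image below is a constructed 4 KiB stand-in.
"""
import hashlib
import sys

ERASED = 0xFF  # NOR flash reads 0xFF where nothing has been programmed


def sha256_hex(data: bytes) -> str:
    """Hash used to record the reference image in the clone procedure notes."""
    return hashlib.sha256(data).hexdigest()


def swap16(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word (a trailing odd byte is kept).

    Assumption: this is the byte-order difference a 16-bit-wide flash
    programmer may introduce relative to a byte-oriented reader.
    """
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open [start, end) offsets where a and b differ; a length mismatch
    is reported as one final range covering the unmatched tail."""
    n = min(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def erased_fraction(data: bytes) -> float:
    """Share of 0xFF bytes; a value near 1.0 usually means the read failed
    (bus idle / chip not selected) rather than a genuinely empty device."""
    return data.count(ERASED) / len(data) if data else 1.0


def compare_dumps(reference: bytes, clone: bytes) -> dict:
    """Compare the working-board dump with the read-back of the cloned board."""
    result = {
        "identical": reference == clone,
        "byte_swapped": False,
        "reference_sha256": sha256_hex(reference),
        "clone_sha256": sha256_hex(clone),
        "reference_erased_fraction": erased_fraction(reference),
        "diff_ranges": [],
    }
    if result["identical"]:
        return result
    # Same data in the other 16-bit byte order: the clone is fine, the tool settings differ.
    if len(reference) == len(clone) and swap16(clone) == reference:
        result["byte_swapped"] = True
        return result
    result["diff_ranges"] = diff_ranges(reference, clone)
    return result


def build_sample_image() -> bytes:
    """Constructed stand-in for a real dump: a header, a counting pattern, erased tail."""
    header = b"CONSTRUCTED-IMG\x00"          # 16 bytes
    body = bytes(range(256)) * 8             # 2048 bytes
    tail = bytes([ERASED]) * (4096 - 16 - 2048)
    return header + body + tail


def main(ref_path="reference_dump.bin", clone_path="clone_readback.bin"):
    # Placeholder file names; replace with the real dump files.
    with open(ref_path, "rb") as f, open(clone_path, "rb") as g:
        r = compare_dumps(f.read(), g.read())
    print("reference sha256:", r["reference_sha256"])
    print("clone     sha256:", r["clone_sha256"])
    if r["identical"]:
        print("OK: clone matches reference byte for byte")
    elif r["byte_swapped"]:
        print("OK after 16-bit byte swap: check the programmer's word-order setting")
    else:
        for s, e in r["diff_ranges"]:
            print(f"MISMATCH 0x{s:08X}-0x{e:08X} ({e - s} bytes)")
    return 0 if (r["identical"] or r["byte_swapped"]) else 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

Running `python verify_clone.py reference_dump.bin clone_readback.bin` exits 0 only when the images agree (directly or after a word swap), so the check can sit at the end of step 4 of the procedure before the original CPLD image is written back in step 5. The erased-fraction figure is worth printing for the reference dump itself: a reader wired to the wrong pins tends to return an image that is almost entirely 0xFF.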