Monday, December 28, 2015

Inside the armv1 Register Bank

Reverse engineering the armv1 chip feels a lot like completing a jigsaw puzzle. I start with the more obvious "chunks", and then gradually fill in the gaps that are left. A very big "chunk" on the armv1 chip just crying out to be reverse-engineered is the register bank, and that's where I'll start today before moving on to look at the main data paths.

Architectural descriptions of the armv1 tell us that the chip contains a bank of 25 registers, each 32 bits wide. Of these 25 registers, only 16 are visible to the programmer at a time and are referenced in the instructions as registers number 0 to 15, with register 15 being the Program Counter or PC. The extra registers are there to support the four modes that the processor runs in - supervisor, interrupt, fast interrupt, and user mode. For instance the fast interrupt mode has its own copy of five of the registers - r10, r11, r12, r13, and r14.

We also know from the architecture that the register bank has two read buses and one write bus. We also know from my last blog that one of the read buses goes directly to the ALU, and that the output of the ALU goes to the write bus. This is nicely illustrated in the following block diagram:



(Please note that it has recently been noticed that this historical diagram has incorrectly labelled read bus A and read bus B the wrong way around; all other documents name them the other way around. This blog series has therefore been updated to label the buses correctly)

Now that we have a bit more context it's time to zoom into the details on the chip, starting at the lowest level of detail - a single bit. Each of the 32 bits of all 25 registers is the same - a cross-coupled inverter, with three separate select lines. The silicon layout is as follows:

The equivalent circuit is:


What is interesting about this circuit is that the write circuit shorts the output of one of the inverters! The write select transistor and the Write Bus driver transistors are comparatively large, and much larger than the transistors in the inverter, ensuring that they will "win". Once the inverter's output has been overpowered, the cross-coupled inverters will quickly transition to the new state, ensuring that the short condition lasts only a very short time. The three select lines per register run vertically, as shown in the chip detail above. Likewise, the 32 bit lines per register (three per bit, one for each bus) run horizontally.

Select Line Decoding

The three select lines for each of the 25 registers are generated by the decode circuitry above the register bank. The similarities in the decoding between the three select lines, and between the registers, are visually very apparent:


I'll start by describing the decode circuitry for Read Bus B, and later show how the decoding for Read Bus A and the Write Bus differ only slightly. There are two steps to the decoding process, first decoding the register number, and then the processor state/mode. Decoding by the register number is via the following circuit:


I've laid out the diagram so that the horizontal lines match the chip layout. The b3, b2, b1, b0 inputs select the register; the logic to set these values will be reverse-engineered in a later blog post. Note that each input to the NAND gate has only one connection (not two as shown in the diagram) - it will be connected either to an input bit or its inverse.

The subsequent decoding based on processor state/mode is as follows:


Again, the diagram is laid out so that the horizontal lines match the chip layout. The C NOR input is connected to just one of the 5 horizontal lines that select the processor modes. The output of the AND gate feeds to the register array. Note that the horizontal lines also feed the Read Bus B and Write Select logic.

The settings for the 25 sets of decoders are summarised in the table below:



The decoding for the Read Bus A and Write Select is very similar. The register selection logic is almost identical, with only the source of the b3..b0 input signals differing, as shown in the table below:


There are only minor differences in the processor state/mode decoding. The updated circuits are shown below:


Note that the write decoding is driven from the phi 2 clock, whereas both sets of read decoding are driven from the phi 1 clock. We'll need to pick up on the timing-related aspects later.
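To make the two-step select decoding (register number first, then processor mode) and the three-port cell arrangement concrete, here is a small behavioural model written for this post; it is an added example, not code from the original post or from any ARM documentation. The totals (25 physical registers, 16 visible, FIQ's private r10..r14) come from the post; the physical numbering, and the placement of IRQ's and supervisor mode's private r13/r14 that brings the count to 25, are modelling assumptions following the standard ARM banking arrangement. It also assumes phi 1 precedes phi 2 within a cycle, so both reads see the value from before that cycle's write.

```python
from enum import Enum


class Mode(Enum):
    """The four processor modes named in the post."""
    USER = "user"
    FIQ = "fiq"
    IRQ = "irq"
    SVC = "svc"


NUM_PHYSICAL = 25          # physical registers in the bank (from the post)
NUM_VISIBLE = 16           # r0..r15 visible to the programmer at a time
MASK32 = 0xFFFFFFFF        # each register is 32 bits wide

# Physical register numbering (a modelling assumption; the post gives only the
# totals).  Indices 0..15 hold the user-mode r0..r15; the remaining nine are
# the banked copies: FIQ has its own r10..r14 (five, as the post states), and
# the standard ARM arrangement gives IRQ and SVC their own r13/r14 each,
# which accounts for 16 + 5 + 2 + 2 = 25.
BANKED = {
    Mode.USER: {},
    Mode.FIQ: {10: 16, 11: 17, 12: 18, 13: 19, 14: 20},
    Mode.IRQ: {13: 21, 14: 22},
    Mode.SVC: {13: 23, 14: 24},
}


def decode_register_number(b3, b2, b1, b0):
    """Decode step 1: the four select inputs b3..b0 name a register 0..15."""
    for bit in (b3, b2, b1, b0):
        if bit not in (0, 1):
            raise ValueError("select inputs must be single bits")
    return (b3 << 3) | (b2 << 2) | (b1 << 1) | b0


def decode_physical(regnum, mode):
    """Decode step 2: qualify the register number with the processor mode.

    Returns the index of the one physical register whose select line should
    be asserted for this port.
    """
    if not 0 <= regnum < NUM_VISIBLE:
        raise ValueError("register number out of range")
    return BANKED[mode].get(regnum, regnum)


def select_lines(regnum, mode):
    """The 25 select lines of one port as a one-hot list (exactly one high)."""
    phys = decode_physical(regnum, mode)
    return [1 if i == phys else 0 for i in range(NUM_PHYSICAL)]


class RegisterBank:
    """Three-port bank: reads on bus A and bus B, one write bus."""

    def __init__(self):
        self.cells = [0] * NUM_PHYSICAL   # one 32-bit word per physical register

    def read(self, regnum, mode):
        lines = select_lines(regnum, mode)
        # Exactly one select line is high, so the bus carries one register.
        return self.cells[lines.index(1)]

    def write(self, regnum, mode, value):
        lines = select_lines(regnum, mode)
        # The write driver overpowers the selected cell, which then settles.
        self.cells[lines.index(1)] = value & MASK32

    def cycle(self, mode, a_sel, b_sel, w_sel, w_value):
        """One clock cycle: both reads on phi 1, then the write on phi 2.

        Assumes phi 1 precedes phi 2 within the cycle, so a read of the
        register being written returns the value from before the write.
        """
        bus_a = self.read(a_sel, mode)
        bus_b = self.read(b_sel, mode)
        self.write(w_sel, mode, w_value)
        return bus_a, bus_b


def reachable_physical_registers():
    """Set of physical indices reachable across all modes and r0..r15."""
    return {decode_physical(r, m) for m in Mode for r in range(NUM_VISIBLE)}


if __name__ == "__main__":
    bank = RegisterBank()
    bank.write(13, Mode.USER, 0x1000)
    bank.write(13, Mode.FIQ, 0x2000)
    print(hex(bank.read(13, Mode.USER)), hex(bank.read(13, Mode.FIQ)))
    print(sorted(reachable_physical_registers()) == list(range(NUM_PHYSICAL)))
```

The `reachable_physical_registers` check is the useful sanity test of any banking table: every one of the 25 physical registers must be selectable from some (mode, register number) pair, and each pair must assert exactly one select line, otherwise two cells would fight over a bus exactly as the write driver fights the inverter in the cell.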

Finally, r15, the Program Counter, has some slight variations from the above; these need to be investigated later.

Conclusion

We now have a complete breakdown of the register bank and how the three ports - two read, and one write - operate. A little over 6,000 transistors are needed for its implementation. There are very few external signals that control its operation, and these will be clarified later as we continue with the reverse engineering.

