# Open Source T&M for Hardware RE

Andrew D. Zonenberg
Principal Security Consultant, IOActive

@azonenberg@ioc.exchange





#### The Problem

- Digital interfaces are getting faster
  - Probing is getting harder and more expensive
- Protocol stacks are growing in complexity
  - Need more decodes to understand behavior
  - Need extensibility for emerging or proprietary protocols
- Closed source implementations are problematic
  - $$$$
  - Hard to extend or modify; RE needs adaptability





# The Solution: Open T&M Platform

- Distant descendant of internal tooling for my Ph.D
- Now released as open source
  - Used internally at IOA, but not "our" project
  - They paid for my travel so get credit on the slides :)
- Industry adoption and support is growing
- Healthy, growing community userbase



#### **Probing Suite**

- Excellent cost / performance ratio
- Vendor independent interface
- All models so far are solder-in for extended probing
  - Optimized for RE use case of many long captures
  - Handheld browser versions may come eventually



#### **Probing Suite**

- Designs are on GitHub now for early adopters to DIY
- Working on plans for production runs later this year



#### **AKL-PT5**

https://github.com/azonenberg/starshipraider/tree/master/boards/probes/akl-pt5

- 7.5 GHz -3 dB BW (w/ cable de-embedded)
- 500Ω 10:1 DC coupled transmission line probe
- Suitable for decodes of PCIe gen3, USB3, 10Gbase-R











#### **AKL-AV1**

https://github.com/azonenberg/starshipraider/tree/master/boards/probes/akl-av1

- 1.75 GHz 10:1 high impedance voltage probe
- 5MΩ || 350 fF input
- Great for weak, loading-sensitive signals



IOActive, Inc. Copyright ©2023. All Rights Reserved.





#### **AKL-AD4**

https://github.com/azonenberg/starshipraider/tree/master/boards/probes/akl-ad4

- >8 GHz low impedance active diff probe
- Resistive input, 500Ω to ground from each leg
- Two PT5 style inputs feeding a differential amplifier











#### **AKL-PR1**

- 10MΩ || 9.5 pF passive R-C divider probe
- Low cost, high density probing for low data rates
- Works with cheap scopes that only have 1MΩ inputs
- Early stage WIP (~200 MHz), working on more BW
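The probe specs above come down to two divider topologies: the PT5/AD4 style transmission-line probe, which is a tip resistor into the scope's 50 Ω termination, and the PR1 style R-C divider into a 1 MΩ input. The following added example (illustrative code, not from the talk or the starshipraider repository) models both, shows why the R-C divider needs its compensation capacitor to hold a flat 10:1 ratio, and shows how its loading collapses from megohms at low frequency to a couple of hundred ohms at 100 MHz. The component values are assumptions, chosen so the R-C model reproduces a 10 MΩ || 9.5 pF input like the AKL-PR1 figure.

```cpp
// Added example: lumped-element models for the two probe topologies on these slides.
// Illustrative code, not from the talk or the starshipraider repository; component
// values are assumptions.
#include <cmath>
#include <complex>
#include <cstdio>
#include <initializer_list>

using Cplx = std::complex<double>;
constexpr double kPi = 3.14159265358979323846;

// Impedance of R in parallel with C at frequency f (Hz). C == 0 means no capacitor.
static Cplx ParRC(double r, double c, double f)
{
    if (c <= 0.0)
        return Cplx(r, 0.0);
    Cplx zc(0.0, -1.0 / (2.0 * kPi * f * c));
    return (r * zc) / (r + zc);
}

// Transmission-line probe (PT5 style): tip resistor in series with the scope's
// 50 ohm termination. The DUT sees rtip + z0, resistive at all frequencies: this
// keeps bandwidth high but loads the signal more than a high-impedance probe.
struct TlProbe { double ratio; double load_ohms; };
static TlProbe TransmissionLineProbe(double rtip, double z0 = 50.0)
{
    return { (rtip + z0) / z0, rtip + z0 };
}

// Compensated R-C divider (PR1 style): R1 || C1 at the tip in series with the
// scope input R2 || C2, where C2 includes the cable capacitance.
struct RcDivider { double r1, c1, r2, c2; };

// C1 that satisfies R1*C1 == R2*C2, which makes the divider ratio flat with frequency.
static double CompensatedC1(const RcDivider& d) { return d.r2 * d.c2 / d.r1; }

// Complex transfer function (scope voltage / tip voltage) at frequency f.
static Cplx RcGain(const RcDivider& d, double f)
{
    Cplx z1 = ParRC(d.r1, d.c1, f);
    Cplx z2 = ParRC(d.r2, d.c2, f);
    return z2 / (z1 + z2);
}

// Magnitude of the impedance the probe presents to the DUT at frequency f.
static double RcInputImpedance(const RcDivider& d, double f)
{
    return std::abs(ParRC(d.r1, d.c1, f) + ParRC(d.r2, d.c2, f));
}

// Assumed values: 9 Mohm tip resistor into a 1 Mohm scope input with 95 pF of
// input plus cable capacitance. The compensated C1 works out to about 10.6 pF,
// and C1 in series with C2 is the 9.5 pF the DUT sees at the tip.
static const RcDivider kUncompensated{9e6, 5e-12, 1e6, 95e-12};
static const RcDivider kCompensated{9e6, CompensatedC1(kUncompensated), 1e6, 95e-12};

int main()
{
    TlProbe pt5 = TransmissionLineProbe(450.0);
    std::printf("TL probe: %.1f:1, DUT sees %.0f ohm\n", pt5.ratio, pt5.load_ohms);
    for (double f : {1e3, 1e6, 1e8}) {
        std::printf("%9.0f Hz  compensated %.3f:1  uncompensated %.3f:1  |Zin| = %.3g ohm\n",
                    f, 1.0 / std::abs(RcGain(kCompensated, f)),
                    1.0 / std::abs(RcGain(kUncompensated, f)),
                    RcInputImpedance(kCompensated, f));
    }
    return 0;
}
```

The uncompensated row drifts from 10:1 at low frequency to roughly 20:1 at 1 MHz, which is the classic under-compensated square-wave droop; the compensated divider holds 10:1 at every frequency but its loading at 100 MHz is set almost entirely by the 9.5 pF, which is why the slides pitch the PR1 at low data rates and the PT5 at multi-gigabit links.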



#### **Software Stack**

- libscopehal: instrument driver abstraction
- libscopeprotocols: Decodes / math blocks
- glscopeclient: Mature GTK based GUI
- ngscopeclient: Next-gen all-Vulkan GUI (WIP)
- Industry-friendly 3-clause BSD license



# Supported scopes (partial list)

- Digilent Analog Discovery family
- PicoScope 3000/6000 series
- R&S RTO6 series (also RTP? Same SW platform)
- Tek MSO 4/5/6 series
- Teledyne LeCroy MAUI platform
- Siglent SDS2000/5000/6000 series
- ThunderScope (not yet released)



## Filter graph model

- If you've used GNU Radio this should be familiar
- Chain source/sinks and processing blocks
- Multithreaded, GPU accelerated execution







[Screenshot: protocol analyzer tables for "PCIeDataLink_2(RX)" and "PCIeLinkTraining_1(TX)". Link training columns: Timestamp, Type, Link, Num FTS, Rates, Data Format; rows show TS1/TS2 ordered sets advertising 2.5G/5G, including a SpeedChange. Data link columns: Timestamp, Seq, TC, Type, Addr, Flags, Requester, Completer, Tag, First, Last, Status, Count, Length, Data; rows show Completion TLPs with status UR.]



# Supported protocols (partial list)

- 10baseT / 100baseTX
- 1000baseX
- 10Gbase-R
- 8b/10b
- 64b/66b
- CAN
- DDR 1/3 cmd bus
- I2C
- I2C EEPROM
- Intel eSPI

- *MII
- MIL-STD-1553
- MIPI D-PHY, DSI
- PCIe gen 1/2/3 (4/5?)
- [Q]SPI
- Serial flash
- UART
- USB LS/FS/HS
- And more (150+)



## **DSP / SI capabilities**

- Eye pattern
- FIR filters
- FFT / spectrogram
- Jitter decomposition / spectrum
- S-parameter cascade / de-embed (no AFR... yet)
- Time domain S-param channel emulation / de-embed





#### PCIe protocol decode + SI





#### PCIe protocol decode







## **Extensibility**

- Decodes and drivers are single C++ classes
  - Can be in main codebase or a plugin
- New decodes can layer on / fork any existing one
- Recent real-world examples:
  - Proprietary framing over 64b/66b
  - Proprietary upper layer over SATA link layer
  - Custom firmware speaking I2C
  - 1-Wire with slightly out of spec timing
  - SPA on PCIe device w/ TLP trigger
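To make the filter graph and the "decodes layer on one another" idea concrete, here is an added example of a toy graph in the same style: a source block producing a digital waveform, a UART decode consuming it, and a second decode layered on the first that frames the bytes into packets. This is illustrative code, not libscopehal or libscopeprotocols; every class and function name, and the 0x7E flag-delimited framing, are invented for the example, and the waveform is synthesised rather than captured.

```cpp
// Added example: a toy filter graph in the style the slides describe, source ->
// decode -> layered decode. Illustrative code only, not libscopehal or
// libscopeprotocols; every class, function and the 0x7E flag protocol are invented.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Source output: one bool per sample at a fixed sample rate.
struct DigitalWaveform { double sample_rate_hz; std::vector<bool> samples; };
// First decode output: one UART frame, where it started, and whether the stop bit was valid.
struct UartSymbol { size_t start_sample; uint8_t value; bool framing_ok; };
// Second decode output: a flag-delimited packet (made-up framing for the example).
struct Packet { size_t start_sample; std::vector<uint8_t> payload; };

// Source block: synthesise an 8N1 UART waveform for `bytes` (constructed test input).
static DigitalWaveform SynthesizeUart(const std::vector<uint8_t>& bytes, double sample_rate_hz, double baud)
{
    std::vector<bool> bits(2, true);                        // idle high before the first frame
    for (uint8_t b : bytes) {
        bits.push_back(false);                              // start bit
        for (int i = 0; i < 8; ++i) bits.push_back(((b >> i) & 1) != 0);  // data, LSB first
        bits.push_back(true);                               // stop bit
    }
    bits.insert(bits.end(), 4, true);                       // trailing idle
    const double spb = sample_rate_hz / baud;               // samples per bit, need not be an integer
    DigitalWaveform w{sample_rate_hz, {}};
    const size_t n = (size_t)std::ceil(bits.size() * spb);
    for (size_t j = 0; j < n; ++j) {
        size_t k = (size_t)(j / spb);
        w.samples.push_back(k < bits.size() ? static_cast<bool>(bits[k]) : true);
    }
    return w;
}

// Force `len` samples low from `at`, standing in for a noise spike on the line.
static DigitalWaveform InjectGlitch(DigitalWaveform w, size_t at, size_t len)
{
    for (size_t j = at; j < at + len && j < w.samples.size(); ++j) w.samples[j] = false;
    return w;
}

// First decode: digital waveform -> UART bytes, sampling each bit at its centre so
// a non-integer samples-per-bit ratio still decodes correctly.
class UartDecode {
public:
    explicit UartDecode(double baud) : m_baud(baud) {}
    std::vector<UartSymbol> Decode(const DigitalWaveform& in) const
    {
        const double spb = in.sample_rate_hz / m_baud;
        const auto& s = in.samples;
        const size_t n = s.size();
        std::vector<UartSymbol> out;
        for (size_t i = 0; i < n;) {
            bool falling = !s[i] && (i == 0 || s[i - 1]);
            if (!falling) { ++i; continue; }
            // Centre of bit b: 0 = start, 1..8 = data, 9 = stop.
            auto centre = [&](int b) { return i + (size_t)((b + 0.5) * spb); };
            if (centre(9) >= n) break;                      // frame runs off the end of the record
            if (s[centre(0)]) { ++i; continue; }            // low pulse under half a bit: glitch, not a start
            uint8_t v = 0;
            for (int b = 0; b < 8; ++b)
                if (s[centre(1 + b)]) v |= (uint8_t)(1u << b);
            bool stop_ok = s[centre(9)];
            out.push_back({i, v, stop_ok});
            i += (size_t)(10 * spb);                        // skip to the end of this frame
        }
        return out;
    }
private:
    double m_baud;
};

// Second decode, layered on the first: UART bytes -> packets between flag bytes.
// Frames with a bad stop bit are dropped rather than passed up the stack.
class FlagFramer {
public:
    explicit FlagFramer(uint8_t flag) : m_flag(flag) {}
    std::vector<Packet> Frame(const std::vector<UartSymbol>& in) const
    {
        std::vector<Packet> out;
        bool open = false;
        Packet cur{0, {}};
        for (const auto& sym : in) {
            if (!sym.framing_ok) continue;
            if (sym.value == m_flag) {
                if (open && !cur.payload.empty()) out.push_back(cur);
                open = true;
                cur = Packet{sym.start_sample, {}};
            } else if (open) {
                cur.payload.push_back(sym.value);
            }
        }
        return out;
    }
private:
    uint8_t m_flag;
};

// The graph itself: chain the blocks. The real engine schedules blocks across
// threads and the GPU; here they simply run back to back.
static std::vector<Packet> RunGraph(const DigitalWaveform& src, double baud, uint8_t flag)
{
    return FlagFramer(flag).Frame(UartDecode(baud).Decode(src));
}

int main()
{
    // 1 MS/s on 115200 baud is 8.68 samples per bit.
    for (const Packet& p : RunGraph(SynthesizeUart({0x7E, 0x01, 0x02, 0x7E}, 1e6, 115200), 115200, 0x7E)) {
        std::printf("packet at sample %zu:", p.start_sample);
        for (uint8_t b : p.payload) std::printf(" %02x", b);
        std::printf("\n");
    }
    return 0;
}
```

The point of the structure is the one the slide makes: the framer never touches samples, only the UART decode's output, so swapping in a proprietary framing (or a 1-Wire decode with relaxed timing) means writing one class at the layer where the protocol differs and leaving everything beneath it alone.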



# Multi instrument capability

- Can interface with more than scopes!
  - Multimeters
  - Power supplies
  - RF signal generators
  - Function generators
  - (WIP) VNAs
- Can connect to multiple scopes simultaneously
  - Cross trigger cascade w/ calibrated delay



## Multi scope case study

- 10 Gbps retimer with I2C management interface
  - 5 OOM difference in data rates!
- Some management commands cause dropouts
- We want to study this in more detail



## Multi scope case study

- Obvious option: fast scope w/ 2G points of memory
  - But where do you find this?
  - My SDA is 128M points. Even LabMaster is only 1.5G
- Better option: Fast scope and slow scope
  - Teledyne LeCroy SDA 816Zi (2 MS @ 40 Gsps)
  - PicoScope 6824E (20 MS @ 312.5 Msps)
  - "Only" 2 OOM diff in sample rates for this demo
  - 312 Msps is overkill for I2C, could go much slower
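The bookkeeping behind the two-scope setup is the part worth seeing in code: each capture has its own sample rate, record length and trigger position, and the only thing tying them together is the calibrated trigger delay. The added example below (illustrative code, not from the talk or ngscopeclient) converts between the two timebases, shows why one scope covering the slow window at the fast rate would need 2.56 G points, and finds which I2C transaction on the slow scope overlaps a dropout seen on the fast scope. The 40 Gsps x 2 MS and 312.5 Msps x 20 MS figures come from the slides; the trigger positions, the 12 ns calibrated delay, the transaction indices and the dropout index are constructed.

```cpp
// Added example: timebase bookkeeping for the two-scope setup above. Illustrative
// code, not from the talk or ngscopeclient. Sample rates and depths follow the
// slides; trigger positions, the 12 ns trigger delay, the I2C transaction indices
// and the dropout index are constructed sample data.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Capture {
    double sample_rate_hz;
    size_t depth;             // samples in the record
    size_t trigger_sample;    // index of the trigger point within the record
    double trigger_delay_s;   // calibrated delay of this scope's trigger after the master trigger
};

// Length of the whole record in seconds.
static double RecordLength(const Capture& c) { return (double)c.depth / c.sample_rate_hz; }

// Points a single scope would need to cover `window_s` at `rate_hz`.
static double PointsNeeded(double rate_hz, double window_s) { return rate_hz * window_s; }

// Sample index in c -> time relative to the master trigger.
static double SampleToMasterTime(const Capture& c, size_t idx)
{
    return ((double)idx - (double)c.trigger_sample) / c.sample_rate_hz + c.trigger_delay_s;
}

// Master-trigger-relative time -> fractional sample index in c (may lie outside the record).
static double MasterTimeToSample(const Capture& c, double t)
{
    return (t - c.trigger_delay_s) * c.sample_rate_hz + (double)c.trigger_sample;
}

// True if master time t falls inside capture c's record.
static bool InRecord(const Capture& c, double t)
{
    double idx = MasterTimeToSample(c, t);
    return idx >= 0.0 && idx < (double)c.depth;
}

struct I2cTransaction { size_t start_sample; size_t end_sample; uint8_t reg; };

// Index of the first slow-scope transaction overlapping [t0, t1) on the master
// timebase, or -1 if none.
static int FindOverlapping(const Capture& slow, const std::vector<I2cTransaction>& txns,
                           double t0, double t1)
{
    for (size_t i = 0; i < txns.size(); ++i) {
        double s = SampleToMasterTime(slow, txns[i].start_sample);
        double e = SampleToMasterTime(slow, txns[i].end_sample);
        if (s < t1 && e > t0) return (int)i;
    }
    return -1;
}

// Master: the fast scope, trigger at mid-record. Slave: the slow scope, triggered
// by the master through a cable with an assumed 12 ns calibrated delay.
static const Capture kFast{40e9, 2000000, 1000000, 0.0};
static const Capture kSlow{312.5e6, 20000000, 10000000, 12e-9};

// Constructed I2C decode output on the slow scope (sample indices, register address).
static const std::vector<I2cTransaction> kTransactions = {
    {9996000, 10006000, 0x1A},   // -12.8 us to +19.2 us around the slow trigger
    {10500000, 10510000, 0x1B},  // about 1.6 ms later
};

// Constructed dropout seen on the fast scope: 0.5 us starting 10 us after trigger.
static const size_t kDropoutStart = 1400000;
static const size_t kDropoutEnd = 1420000;

int main()
{
    std::printf("fast record %.1f us, slow record %.1f ms\n",
                RecordLength(kFast) * 1e6, RecordLength(kSlow) * 1e3);
    std::printf("covering the slow window at 40 Gsps would need %.2f Gpoints\n",
                PointsNeeded(kFast.sample_rate_hz, RecordLength(kSlow)) / 1e9);
    double t0 = SampleToMasterTime(kFast, kDropoutStart);
    double t1 = SampleToMasterTime(kFast, kDropoutEnd);
    int hit = FindOverlapping(kSlow, kTransactions, t0, t1);
    if (hit >= 0)
        std::printf("dropout at %.2f us overlaps I2C write to reg 0x%02x (slow sample %.1f)\n",
                    t0 * 1e6, kTransactions[hit].reg, MasterTimeToSample(kSlow, t0));
    return 0;
}
```

The fast record is 50 µs and the slow one 64 ms, so the fast scope only ever sees a small window inside one I2C transaction; the calibrated delay term is what lets the dropout be placed against the right transaction rather than the one before or after it.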











#### **Questions?**

https://github.com/glscopeclient/scopehal-apps/

