MD5 Hardware Bruteforcer on FPGA chip
MD5 hardware bruteforcer ported to Xilinx Spartan-3AN Starter Kit
Written by Yann Sionneau   
Thursday, 20 May 2010 09:12

Some news again !

We received a nice little package here at MiNET, 2 Xilinx FPGA development boards !

 

A quick port, full of excitement, and a test allow me to say that IT WORKS !

The MD5-hbf project works as well on this development board as on the first one (Avnet sp3Aeval).

The ported design even runs at 25 MHz, which is better than in previous tests where the frequency was 16 MHz only ! :)

"It was predictable" you would say, and you would be right ! Indeed, I didn't take a big risk with this test: the Spartan-3A is very similar to the Spartan-3AN, and my design doesn't use any external peripheral other than the quartz and the RS-232 link !

Nevertheless, on the Avnet Spartan-3A Evaluation Kit the USB-UART bridging between the computer and the FPGA is done by a CY8C24894-24LFXI Cypress microcontroller, whereas the Xilinx Spartan-3AN Starter Kit uses an ICL 3232E component to do the TTL<->RS-232 signal conversion.

However, the RS-232 serial link works well on both boards anyway, which makes me think that my usart.v module isn't that buggy, since it works on 2 boards at the moment with 2 different RS-232 drivers.

News of the 4ed32520 commit : It is now possible to synthesize md5-hbf from a shell console, without starting the huge, enormous and buggy ISE Webpack GUI.

Upcoming in the md5-hbf project : a conditional compilation system which will make it easy to synthesize the design for a chosen target development board, using a DCM (Digital Clock Manager) to cope with the different oscillator frequencies on the different boards.

 

 
MD5 hardware bruteforcer 2.0 - serial line, cleartext password is printed !
Written by Yann Sionneau   
Thursday, 20 May 2010 00:04

 

Another article about my md5-hbf project, which is improving again a little more !

The 2.0 version is out, and it's now possible to SHOW the string that generates the md5 collision over a serial console.

Indeed, before we could only show the result while doing simulations. On a real FPGA we could only see that the bruteforcer had found the answer by looking at an LED that switches on, which made it impossible to use it on real cases to crack real passwords because we couldn't get the result out of the FPGA. Now it is done ;)

If the result is found too early, you may not be able to open a serial console soon enough (minicom for example under Linux, or HyperTerminal under Microsoft Windows) and you may miss the printing of the result. Don't panic !

You just have to briefly push the "PUSH_C" button of the board, which will reset the finite state machine whose job is to send the result byte by byte over the serial usart line. You will then see the result again in your console. However, the result will be sent several times, because the pressing of the button is checked at the 16 MHz frequency and there is no delay or debouncer to filter out the electrical contact bouncing of the button. All of this will come in a future release ;)

Anyway, there is a trick to be SURE to see the result without using the "PUSH_C" button. You just have to put the bitstream (top.bit file) inside the serial flash memory of the board, instead of directly sending it using SPI.

In order to do this, type in the command "astriaekipro -p /dev/ttyACM0 -b top.bit -w" in the directory containing top.bit.

astriaekipro is free software that you can download at http://sourceforge.net/projects/fpgalibre/

Then, once the bitstream is written to the on-board serial flash memory, the design will be loaded into the FPGA each time the board is switched on and each time you reset the FPGA (using the blue push button).

So you just have to launch minicom on /dev/ttyACM0 with the speed 115200 8N1, press the blue push button and wait for the result to show up in the serial console :)

Enjoy !

ps : the 2.1 version is out too, it fixes the reversed printing problem. The result is now printed in the proper order :) That makes it easier to read ;)

ps2 : Binary versions (top.bit) of the tagged versions of md5-hbf are now available in the "binary/" directory of the git repository.

 

 
MD5 hardware bruteforcer works on real FPGA !
Written by Yann Sionneau   
Wednesday, 19 May 2010 21:11

After several modifications, md5-hbf (md5 hardware bruteforcer) design's simulation works perfectly !

An FSM (finite state machine) is used to generate the input vectors that will be hashed by the "pancham" MD5 IP core implemented by Swapnajit Mittra. The bruteforcer starts hashing from "00000000" and ends with "........", using all alphanumeric (digits, lower case and upper case characters) combinations.

Anyway, the character base which is used has 64 symbols !

The list of those characters (encoded in hexadecimal) is kept inside BlockRAM (the ram.data file) in order to optimize access time (just one clock tick).

The MD5 hardware bruteforcer has been synthesized using Xilinx tools (ISE Webpack, Xst ...) with the Spartan-3A XC3S400A as target, on the Spartan-3A development board from Avnet.

The clock used has a 16 MHz frequency and it took 2 min 25 sec to crack the password "00021111", which means it tested 50 million MD5 hashes, which makes it as fast as 350 787 MD5 hashes/second !

Future improvements are scheduled : put 2 MD5 IP cores together in order to divide the cracking time by 2, and add an RS232 serial line to show the password in cleartext (it is now DONE : see this article).
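As an added illustration (not code from md5-hbf), the Python model below mirrors the candidate generator described above and turns the reported figures into cycles per hash, worst-case search time for the 8-character keyspace, and a projected rate at 25 MHz. The alphabet order, the "_" symbol, the rightmost-position-counts-fastest convention and the constant cycles-per-hash figure are assumptions; the page does not list the contents of ram.data.

```python
import string

# Assumed alphabet: the page only states 64 symbols, first "0", last ".".
# The order and the "_" symbol are assumptions, not the contents of ram.data.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase + "_."
LENGTH = 8  # candidate length used on the page


def next_candidate(indices):
    """One generator step: bump the rightmost symbol index and carry leftwards
    (assumed digit order). Returns None after the last candidate."""
    out = list(indices)
    for pos in range(len(out) - 1, -1, -1):
        out[pos] += 1
        if out[pos] < len(ALPHABET):
            return out
        out[pos] = 0  # this position wrapped, carry into the next one
    return None


def to_text(indices):
    """Look each index up in the symbol table, as the design does in BlockRAM."""
    return "".join(ALPHABET[i] for i in indices)


def cycles_per_hash(clock_hz, hashes_per_s):
    """Clock cycles spent per tested candidate."""
    return clock_hz / hashes_per_s


def years_to_exhaust(hashes_per_s, length=LENGTH):
    """Worst case: time to walk the whole keyspace at a fixed rate."""
    return len(ALPHABET) ** length / hashes_per_s / (365.25 * 86400)


def projected_rate(new_clock_hz, clock_hz, hashes_per_s):
    """Rate at another clock, assuming cycles per hash stays the same."""
    return new_clock_hz / cycles_per_hash(clock_hz, hashes_per_s)


if __name__ == "__main__":
    state = [0] * LENGTH
    for _ in range(3):
        print(to_text(state))
        state = next_candidate(state)
    print(f"cycles/hash at 16 MHz: {cycles_per_hash(16e6, 350787):.1f}")
    print(f"years to exhaust 64^8: {years_to_exhaust(350787):.1f}")
    print(f"projected rate at 25 MHz: {projected_rate(25e6, 16e6, 350787):.0f} hashes/s")
```

At the reported rate the full 64^8 keyspace takes decades on a single core, which is why the length and character set of a password matter far more than the hash speed of one small FPGA.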

Last Updated on Sunday, 02 January 2011 14:13
 
MD5 hardware bruteforcer !
Written by Yann Sionneau   
Tuesday, 18 May 2010 14:15

Hello !

It has been a while since my last post ... I stopped writing on my blog for several reasons, some personal, but mainly because of a huge lack of time !

Recently (since mid-June 2009) I have started playing around with HDLs (Hardware Description Languages). There are mainly 2 HDLs : VHDL and Verilog.

These languages allow you to describe the internal behaviour of electronic chips called FPGA (Field Programmable Gate Array).

I then bought a cheap FPGA development board in order to study how FPGA development works ! (a little bit of electronics cannot hurt, can it ?!)

After some little meaningless and useless beginning projects, here I am with a friend (Guillaume Rose aka MrFreeze) developing a small project a little less meaningless : a md5 hardware bruteforcer on an FPGA chip !

A project which does the same thing already exists and works well as you can see on Youtube it's pretty impressive :

Why do that if it has already been done ? For the fun ! I found it cool and I wanted to do the same :)

I will post from time to time news about this project on my blog :)

Meanwhile, here is my github address for this project : http://github.com/fallen/md5-hbf

Have fun !

Last Updated on Monday, 24 May 2010 08:17