xilinx bootrom dumping

so basically you can dump the zynq bootrom from a zynq chip. long story short from other people's work, an initial glitching vector led to the discovery of a hidden UART-based boot mode which can be abused to make the bootrom dump itself. see this post and this and this for details

unfortunately it's a bit annoying to get the necessary pins available to manipulate. i have a digilent cora and arty board and neither of them actually pin out everything, which is really annoying. fortunately if you've been keeping up with xilinx shit, there was in the past a huge flood of these buttcoin¹ mining control boards on aliexpress and similar sites which contain a zynq 7010 (at the time, pretty significantly below cost -- was a cheap way to get normally expensive fpgas)

specifically the EBAZ4205, which has schematics available here: https://github.com/xjtuecho/EBAZ4205

luckily, this board is really conveniently laid out, probably completely stolen from some sort of secret xilinx reference design that you only get if you are a Real Customer, so on all the bootmode pins there are actually pairs of pads for pull up or pull down, and all you need to do is swap the resistors to the adjacent pad to switch the mode. and the uart pins needed (MIO 48/49) also have accessible pads near the chip

pin mappings to resistors/pads

• BOOT_MODE[0] / MIO[5]: R2577 (1) and R2584 (0, default)
• BOOT_MODE[2] / MIO[4]: R2578 (1, default) and R2585 (0)
• BOOT_MODE[1] / MIO[3]: R2579 (1) and R2586 (0, default)
• TxD / MIO48: R2447
• RxD / MIO49: R2448

procedure

• move R2584 -> R2577
• move R2578 -> R2585
• move R2579 -> R2586
• connect UART to TxD/RxD
• check if it prints XLNX-ZYNQ

diagram

code

use the code here (you may need to make some modifications) to execute the bootrom self-dump, and then use jtag (jean tag) to read out the code from the start of ram²

that should be it. enjoy yr bootrom