I knew I was going to have to cross paths with this eventually. the FPGAs. the Graphics board uses 3 XC2018s. the XC2064 was an iconic FPGA, one of the first ones released, and was heavily documented and reverse engineered. 

the bitstreams are stored in the two XC PROMs in the upper left corner of the graphics card. the FPGAs themselves read out that bitstream, and when its fully read and configured, the FPGA asserts the DONE signal. This will release the board from RESET. 

There are ways to reverse engineer the bitstreams back into logic. Sadly, I had no idea how to do this or had access to that, so I began posting around. 

There was a guy on github which I ran into and he was gracious and invited me to a private github which contains scripts and code that he create to attempt to reverse the bitstream from an XC2018 back into XACT logic. 

However, I did not have XACT and its hard to find out there on the internet. its an old DOS program and it works with these old school chips. Luckily he sent me his copy in private. 

So after running the scripts to try and reverse the bitstreams, i got multiple errors and reported back. He attempted to fix the errors, and i was able to run the scripts successfully and get back xact logic! 

Here is the logic that XACT was able to read from the chip closest to the 8031:

The bottom two chips appeared to have identical logic, and once I did some buzzing out of the circuits, they are probably the interleaving muxes. 

I was thinking COOL!! This is really badass. I can actually see the logic that was in these chips. I was hoping this would help uncover some black magic. Especially since the 8031 chip's UART is configured as an SPI port, and its clocking 8 bits directly into that device1 FPGA. 

I started inspecting things in XACT, like so:

However, if you look closely at the XACT logic diagrams, there are lots of sections that appear "disconnected" and/or doesn't make sense. 

Turns out, there are flaws in the reverse bitstream script. Sadly, those flaws were never fixed. 

Ultimately, I had to abandon the idea of going directly after the FPGA logic to figure out how things are done. Could someone else potentially take this bitstream and then figure out where I failed? Yea probably. Matter of fact, I am hoping so! 

But, I failed at this. So I had to move up a layer. Seeing that the 8031 is connected into the FPGA array and seems to be intermingled with that circuit, I quickly made an assumption that the 8031 is the framebuffer control CPU. So I went after it's ROM instead to figure how to talk to this chip.

If you cannot control the framebuffer? Then again as before, the whole thing is pointless. Since the FPGA black magic didn't work out, I had to do the next best thing and study the AMI/Nortel/TWC ROM. 

Oh well.... another roadblock encountered. I was feeling pretty deflated, losing motivation and getting depressed and thinking I may not be able to crack this.... Well, at this point all I could do was move on!