md5 hardware bruteforcer IP core
Verilog C Shell
Switch branches/tags
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


md5 hardware bruteforcer IP core

(c) Yann Sionneau <>
(c) Guillaume Rose <>

we use the pancham MD5 IP core made by Swapnajit Mittra <>
we plan on changing the MD5 IP core, since this one limits the design speed to 38 MHz which is slow.
however a md5 hash is computed each 68 clock rising edge, which is pretty fast (in particular compared to implentations in software using modern CPU).

Update (07-2010): The design can run at 50MHz on a spartan 3E 500K gate.

Synthesis : 

It has been synthetized successfully for Spartan-3A XC3S400A and on Spartan-3AN XC3S700AN
on the AVNET Spartan-3A fpga dev board and the Xilinx Spartan-3AN Starter Kit respectively.
usart output works and shows the cleartext password when bruteforcing reveals a md5 hash collision.

HOW-TO Synthetize ?

	1°) Install ISE Webpack from xilinx website (free of charge)
	2°) type in your terminal : $source /path/to/xilinx/dir/
	3°) go to md5-hbf base directory
	4°) type ./
	5°) drink some (a lot of) coffee, cause you'll have to wait 'till the synthesis is done.

Simulation : 

it has been tested using iverilog (vvp) and gtkwave

More information : 

This design compares a given md5 hash with the hash of all alpha numeric strings of length equal to 8.
At the moment the hash is hardcoded in the verilog design code.

Actually, 64 characters are tested for each byte of the 8-byte string.
Those characters are : a to z, A to Z, 0 to 9, '!' and '.'
They can be easily changed by editing the file named "", each line corresponds to the hexadecimal representation of an ascii character.
Those characters are put in blockram to access them quickly and easily inside the FPGA chip.