Finding 1s and 0s with a microscope and computer vision


One day, [Adam] was asked if he would like to take part in a little project. A mad scientist cum engineer at [Adam]'s job had just removed the plastic casing from an IC, and wanted a little help decoding the information on a masked ROM. These ROMs are basically just data etched directly into silicon, so the only way to actually read the data is with some nitric acid and a microscope. [Adam] was more than up for the challenge, but not wanting to count out thousands of 1s and 0s etched into a chip, he figured out a way to let a computer do it with some clever programming and computer vision.

[Adam] has used OpenCV before, but the macro image of the masked ROM had a lot of extraneous information; there were gaps in the columns of bits, and letting a computer do all the work would result in crap data. His solution was to semi-automate the process of counting 1s and 0s by selecting a grid by hand and letting image processing software do the rest of the work.

This work resulted in rompar, a tool to decode the data on de-packaged ROMs. It works very well – [Adam] was able to successfully decode the ROM and netted the machine codes for the object of his reverse engineering.
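The semi-automated approach described above, sketched in Python as an added example (it is not rompar's code and not from the original post): grid lines picked by hand step over the gap between column groups, and the brightness at each intersection is thresholded into a bit. The synthetic image, the grid coordinates, the bright-means-1 convention and the MSB-first packing are all assumptions made for illustration.

```python
def render(bits, xs, ys, width, height, dot=2, bright=200, dark=30):
    """Build a constructed grayscale 'die photo': a bright blob at each 1 bit."""
    img = [[dark] * width for _ in range(height)]
    for r, y0 in enumerate(ys):
        for c, x0 in enumerate(xs):
            if bits[r][c]:
                for y in range(y0 - dot, y0 + dot + 1):
                    for x in range(x0 - dot, x0 + dot + 1):
                        img[y][x] = bright
    return img

def sample(img, x, y, radius=1):
    """Mean brightness in a small window around one grid intersection."""
    h, w = len(img), len(img[0])
    px = [img[j][i]
          for j in range(max(0, y - radius), min(h, y + radius + 1))
          for i in range(max(0, x - radius), min(w, x + radius + 1))]
    return sum(px) / len(px)

def read_grid(img, xs, ys, threshold=None, radius=1):
    """Classify every (x, y) intersection of the hand-picked grid as 1 or 0."""
    means = [[sample(img, x, y, radius) for x in xs] for y in ys]
    if threshold is None:  # midpoint between darkest and brightest cell
        flat = [m for row in means for m in row]
        threshold = (min(flat) + max(flat)) / 2
    return [[1 if m > threshold else 0 for m in row] for row in means]

def pack_rows(bits):
    """Pack each row MSB-first into bytes (the bit order is an assumption)."""
    out = bytearray()
    for row in bits:
        for i in range(0, len(row), 8):
            byte = 0
            for b in row[i:i + 8]:
                byte = (byte << 1) | b
            out.append(byte)
    return bytes(out)

# Constructed sample: two rows of eight bits, with a gap between the two
# groups of four columns, as in the die photo the post describes.
BITS = [[1, 0, 1, 0, 0, 1, 0, 1], [1, 1, 1, 1, 0, 0, 0, 0]]
XS = [4, 12, 20, 28, 50, 58, 66, 74]   # hand-picked column lines
YS = [4, 12]                           # hand-picked row lines
IMG = render(BITS, XS, YS, width=80, height=16)

if __name__ == "__main__":
    print(pack_rows(read_grid(IMG, XS, YS)).hex())
```

A fully automatic, evenly spaced grid over the same image lands in the gap and misreads the second group of columns, which is the failure the hand-selected grid avoids.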


  1. kmmankad says:

    Just pure badassery.

  2. nigglet says:

    DO it again!

  3. Nico Nimleth says:

    Awesome, I just needed to read the whole article and love it.

  4. ino says:

    That’s awesomeness for you.

  5. Jo says:

    This is the coolest thing.

  6. ejonesss says:

    great way to reverse engineer a rom chip that refuses to let you do a rom dump

  7. mjrippe says:

    Hardcore, man. HARDCORE!

  8. walt says:

    Neat, has this been done before?

  9. Josh Malone says:

    Just…. wow.
    Now I know to make sure to fill my ROMs with semi-random opcodes to confuse REs :)

  10. Greenaum says:

    Reverse Engineers 1, Forward Engineers 0!

  11. bunedoggle says:

    Don’t keep us in suspense, what are you reverse engineering? Are you going to release the code to Yar’s Revenge or what?

  12. Justin Hacker says:

    These types of ROM aren’t used in modern embedded (secure) devices – and so this type of optical rom extraction isn’t so useful anymore. For more modern devices see and do rom extraction of implanted roms and automated analysis of logic as well.

    • You’d be surprised. Old tech is used in new systems all the time. There’s a wise old saying “If it ain’t broke, don’t fix it!”, which, in my experience of the IT Security industry should be amended to: “If it ain’t *very publicly* broke, don’t fix it!”. :P

      That was a good talk though – I’m a big fan of both Chris & Karsten.

  13. B. Núñez says:

    Simply genius.

  14. MeeToo says:

    Director of APERTURE LABS? Probably TESTING some other interesting things ;-D
