Finding 1s and 0s with a microscope and computer vision

One day, [Adam] was asked if he would like to take part in a little project. A mad scientist cum engineer at [Adam]’s job had just removed the plastic casing from an IC, and wanted a little help decoding the information on a masked ROM. These ROMs are basically just data etched directly into silicon, so the only way to actually read the data is with some nitric acid and a microscope. [Adam] was more than up for the challenge, but not wanting to count out thousands of 1s and 0s etched into a chip, he figured out a way to let a computer do it with some clever programming and computer vision.

[Adam] has used OpenCV before, but the macro image of the masked ROM had a lot of extraneous information; there were gaps in the columns of bits, and letting a computer do all the work would result in crap data. His solution was to semi-automate the process of counting 1s and 0s by selecting a grid by hand and letting image processing software do the rest of the work.

This work resulted in rompar, a tool to decode the data on de-packaged ROMs. It works very well – [Adam] was able to successfully decode the ROM and netted the machine codes for the object of his reverse engineering.
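The grid-then-threshold idea described above, as an added sketch that is not rompar's own code: the image, grid coordinates, threshold, bit polarity (bright = 1) and MSB-first packing are all constructed assumptions. It also shows why a fixed-pitch grid misreads columns once there is a gap.

```python
# Added illustration, not rompar's code. Image, grid and threshold are constructed.

def sample_cell(img, cx, cy, radius=1):
    """Mean brightness of the window centred on one grid intersection."""
    ys = range(max(0, cy - radius), min(len(img), cy + radius + 1))
    xs = range(max(0, cx - radius), min(len(img[0]), cx + radius + 1))
    vals = [img[y][x] for y in ys for x in xs]
    return sum(vals) / len(vals)

def read_bits(img, cols, rows, threshold, bright_is_one=True):
    """Classify every (column, row) intersection of the chosen grid as 0 or 1."""
    return [[int((sample_cell(img, cx, cy) > threshold) == bright_is_one)
             for cx in cols] for cy in rows]

def pack_rows(bits):
    """Pack each row MSB-first into bytes (bit order is an assumption here)."""
    out = bytearray()
    for row in bits:
        if len(row) % 8:
            raise ValueError("row width is not a multiple of 8")
        for i in range(0, len(row), 8):
            out.append(int("".join(map(str, row[i:i + 8])), 2))
    return bytes(out)

def make_image(data, cols, rows, width, height):
    """Constructed 'die photo': noisy dark background, bright 3x3 blob per 1 bit."""
    img = [[30 + (x * 7 + y * 13) % 20 for x in range(width)] for y in range(height)]
    for r, cy in enumerate(rows):
        for c, cx in enumerate(cols):
            if (data[r] >> (7 - c)) & 1:
                for y in range(cy - 1, cy + 2):
                    img[y][cx - 1:cx + 2] = [200, 200, 200]
    return img

# Hand-picked grid: note the wider gap between the 4th and 5th columns.
COLS = [3, 8, 13, 18, 30, 35, 40, 45]
ROWS = [3, 9, 15]
DATA = bytes([0xA5, 0x3C, 0xFF])           # constructed ROM contents
IMG = make_image(DATA, COLS, ROWS, 50, 20)

def decode(cols=COLS):
    return pack_rows(read_bits(IMG, cols, ROWS, threshold=115))

if __name__ == "__main__":
    print("hand-picked grid:", decode().hex())
    # A fixed 5-pixel pitch ignores the gap and misreads the right-hand columns.
    print("uniform grid:    ", decode([3 + 5 * i for i in range(8)]).hex())
```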

Comments

  1. kmmankad says:

    Just pure badassery.

  2. nigglet says:

    DO it again!

  3. Nico Nimleth says:

    Awesome, I just needed to read the whole article and love it.

  4. ino says:

    That’s awesomeness for you.

  5. Jo says:

    This is the coolest thing.

  6. ejonesss says:

    great way to reverse engineer a rom chip that refuses to let you do a rom dump

  7. mjrippe says:

    Hardcore, man. HARDCORE!

  8. walt says:

    Neat, has this been done before?

  9. Josh Malone says:

    Wow.
    Just…. wow.
    Now I know to make sure to fill my ROMs with semi-random opcodes to confuse REs :)

  10. Greenaum says:

    Reverse Engineers 1, Forward Engineers 0!

  11. bunedoggle says:

    Don’t keep us in suspense, what are you reverse engineering? Are you going to release the code to Yar’s Revenge or what?

  12. Justin Hacker says:

    These types of ROM aren’t used in modern embedded (secure) devices – and so this type of optical rom extraction isn’t so useful anymore. For more modern devices see http://events.ccc.de/camp/2011/Fahrplan/attachments/1888_SRLabs-Reviving_Smart_Card_Analysis.pdf and do rom extraction of implanted roms and automated analysis of logic as well.

    • You’d be surprised. Old tech is used in new systems all the time. There’s a wise old saying “If it ain’t broke, don’t fix it!”, which, in my experience of the IT Security industry should be amended to: “If it ain’t *very publicly* broke, don’t fix it!”. :P

      That was a good talk though – I’m a big fan of both Chris & Karsten.

  13. B. Núñez says:

    Simply genius.

  14. MeeToo says:

    Director of APERTURE LABS? Probably TESTING some other interesting things ;-D
