Reverse engineering the die of a ULN2003 transistor array

uln2003-die-reverse-engineering

We’re no strangers to looking at uncapped silicon. This time around it’s not just a show and tell, as one transistor form a ULN2003 chip is reverse engineered.

The photo above is just one slice from a picture of the chip after having its plastic housing remove (decapped). It might be a stretch to call this reverse engineering. It’s more of a tutorial on how to take a functional schematic and figure out how each component is placed on a photograph of a chip die. Datasheets usually include these schematics so that engineers know what to expect from the hardware. But knowing what a resistor or transistor looks like on the die is another story altogether.

The problem is that you can’t just look at a two dimensional image like the one above. These semiconducting elements are manufactured in three dimensions. The article illustrates where the N and P type materials are located on the transistor using a high-res photo and a reference diagram.

If you want to photograph your own chip dies there are a few ways to decap them at home.

Extracting secured firmware from Freescale Zigbee radios

decapped_MC13224

[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip in an effort to demonstrate how the device’s firmware could be read, even when locked down in “secure” mode. While you might not recognize the Freescale MC13224 radio by name alone, you are certainly familiar with some of its practical applications. Found in the QuahogCon and Ninja Party badges among other consumer goods, the popular Zigbee radio turned out to be a fairly easy conquest.

[Travis] first used acid to decap one of the microcontrollers to see what was going on under the plastic casing. Inside, he discovered a discrete flash memory chip, which he removed and repackaged using a wedge wire bonder. He was easily able to extract the firmware, however decapping and repackaging a flash chip isn’t necessarily the most user-friendly process.

After digging further, he discovered that holding one of the chip’s pins low during boot would allow him to run custom code that recovers the firmware image once the pin is pulled high once again. This far more practical means of firmware recovery can be easily facilitated via a circuit board revision, as [Travis] mentions in his blog.