One day, [Adam] was asked if he would like to take part in a little project. A mad scientist come engineer at [Adam]’s job had just removed the plastic casing from a IC, and wanted a little help decoding the information on a masked ROM. These ROMs are basically just data etched directly into silicon, so the only way to actually read the data is with some nitric acid and a microscope. [Adam] was more than up for the challenge, but not wanting to count out thousands of 1s and 0s etched into a chip, he figured out a way to let a computer do it with some clever programming and computer vision.
[Adam] has used OpenCV before, but the macro image of the masked ROM had a lot of extraneous information; there were gaps in the columns of bits, and letting a computer do all the work would result in crap data. His solution was to semi-automate the process of counting 1s and 0s by selecting a grid by hand and letting image processing software do the rest of the work.
This work resulted in rompar, a tool to decode the data on de-packaged ROMs. It works very well – [Adam] was able to successfully decode the ROM and netted the machine codes for the object of his reverse engineering.
Just pure badassery.
DO it again!
Awesome, I just needed to read the whole article and love it.
That’s awesomeness for you.
This is the coolest thing.
great way to reverse engineer a rom chip that refuses to let you do a rom dump
Hardcore, man. HARDCORE!
Neat, has this been done before?
Not in an automated fashion, but a few chips in MAME were decapped and split into images, then we crowd sourced the typing effort.
Hey MG!
I’d be interested to see if rompar can cope with your images (and to help with future ones if required.)
Wow.
Just…. wow.
Now I know to make sure to fill my ROMs with semi-random opcodes to confuse REs :)
Reverse Engineers 1, Forward Engineers 0!
Don’t keep us in suspense, what are you reverse engineering? Are you going to release the code to Yar’s Revenge or what?
It’s atmel marc4 code, scroll down to the bottom of the article to see where they do the disassembly.
These types of ROM aren’t used in modern embedded (secure) devices – and so this type of optical rom extraction isn’t so usefl anymore. For more modern devices see http://events.ccc.de/camp/2011/Fahrplan/attachments/1888_SRLabs-Reviving_Smart_Card_Analysis.pdf and do rom extraction of implanted roms and automated analysis of logic as well.
You’d be surprised. Old tech is used in new systems all the time. There’s a wise old saying “If it ain’t broke, don’t fix it!”, which, in my experience of the IT Security industry should be amended to: “If it ain’t *very publicly* broke, don’t fix it!”. :P
That was a good talk though – I’m a big fan of both Chris & Karsten.
Simply genius.
Director of APETURE LABS? Probably TESTING some other interesting things ;-D