[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.
In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.
Dive In: The Z80
[Ken] wastes no time and dives straight into a die shot of the Z80 8-bit CPU. He starts out by labeling the landing pads that connect to external pins by cross-referencing them with the datasheet. That tells you a lot — you know what the pins have to do, so it makes guessing the use of each cluster of transistors a lot easier.
When you see a bunch of repeated tiny circuits, you’re probably looking at memory. Since the Z80 has sixteen registers in its CPU, [Ken] goes looking for sixteen repeating blocks of storage, and finds ’em (lower-left). Since they’re connected up to the address lines on the pin-pads, he’s doubly-confirming his hunch. The other side of the registers heads off to a data bus, another giveaway.
The command decoder turns out to be a programmable logic array (PLA) that takes a bit pattern in across horizontal wires, matches it, and then sends a logic high down a vertical line that leads to the Arithmetic-Logic Unit (ALU). Particular to the Z80, [Ken] notes that although it takes eight-bit instructions, the ALU is only four bits wide. It turns out the CPU was memory-speed constrained, so they saved space (and money) by using a four-bit ALU. Sneaky!
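To make the PLA matching concrete, here is an added example (not from [Ken]'s talk or his simulator) that evaluates a transcribed decoder plane against an opcode. It assumes a generic NMOS NOR-plane PLA. The column names and transistor layouts are constructed for illustration, using the published Z80 encodings for LD r,r', ADD A,r and HALT, and are not the real decoder contents.

```python
# Added illustration: a generic NMOS NOR-plane PLA, not the Z80's real decoder.
# One string per vertical output line, bit 7 first, as you would transcribe it
# from a die photo:
#   'T' transistor on the bit's true wire       -> line pulled low when bit == 1
#   'C' transistor on the bit's complement wire -> line pulled low when bit == 0
#   '.' no transistor at that crossing          -> bit is a don't-care
COLUMNS = {  # constructed sample; names are hypothetical labels
    "ld_r_r":  "TC......",   # stays high for 01xxxxxx
    "add_a_r": "CTTTT...",   # stays high for 10000xxx
    "halt":    "TCCCTCCT",   # stays high for 01110110 only
}

def column_high(layout: str, opcode: int) -> bool:
    """True if no transistor on this vertical line conducts for the opcode."""
    if len(layout) != 8 or set(layout) - set("TC."):
        raise ValueError(f"bad column layout: {layout!r}")
    if not 0 <= opcode <= 0xFF:
        raise ValueError("opcode must fit in eight bits")
    for i, cell in enumerate(layout):
        bit = (opcode >> (7 - i)) & 1
        # A conducting transistor pulls the whole line low (NOR behaviour).
        if (cell == "T" and bit == 1) or (cell == "C" and bit == 0):
            return False
    return True

def layout_to_pattern(layout: str) -> str:
    """Turn a transistor layout into the bit pattern it matches."""
    return layout.translate(str.maketrans("TC.", "01x"))

def decode(opcode: int, columns=COLUMNS) -> list:
    """Names of every vertical line that goes high for this opcode."""
    return [name for name, layout in columns.items()
            if column_high(layout, opcode)]

if __name__ == "__main__":
    for name, layout in COLUMNS.items():
        print(f"{name:8s} {layout} matches {layout_to_pattern(layout)}")
    for op in (0x41, 0x80, 0x76, 0x00):
        print(f"{op:08b} -> {decode(op)}")
```

Note the inversion a NOR plane forces on the reader: a transistor on the true wire means the pattern requires that bit to be 0. With these sample columns, 0x76 raises two lines at once because the patterns overlap.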
Once he’s figured out the broad outlines of the chip, it’s time to dig down into the transistors. After a brief intro to designing logic circuits out of transistors, he takes us into the actual fabric of the IC. As if things weren’t confusing enough with simple logic gates like NAND and NOR, it turns out that the designers of the Z80 used a few “crazy gates” that efficiently compute particular operations that they needed.
The ALU is the heart of a chip, and it’s highly optimized. For instance, the Z80’s ALU is “totally different” from the 6502. An adder is not just an adder. And it’s here in the ALU that you’ll find crazy gates and chip-specific implementations. Figuring out how all that works is the next level up for budding chip-reading detectives. [Ken] has a lot more on the Z80 on his website.
Clever Calculators and Forgotten Memories
The Sinclair Scientific Calculator from 1974 was a small marvel: it took a TI chip from a simple calculator “that could barely multiply” and added on logs and trig functions. How did Sinclair do it? [Ken] wanted to find out — we still hold this as one of our most favorite hacks.
Starting off again with the pinout, [Ken] finds his way to the instruction ROM. He built a software simulator for what he found, and got to reverse-engineering. Again, if you’re into clever space-saving algorithms, head on over to his website.
In 1970, RAM storage was incredibly expensive. Intel came out with “shift-register” memory, and indeed, it’s just a 512-bit-long shift register. How does random access work in this context? You wait until your bit comes around like you would on a baggage carousel — leading to slow and random random-access times. Cool. But we can also see why they went out of favor.
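The baggage-carousel behaviour can be simulated in a few lines. This is an added example, not from the talk: a constructed model of a 512-bit recirculating shift register that counts the clocks spent waiting for an address to reach the output tap. The class and function names are hypothetical, and timing is in clock ticks rather than real units.

```python
from collections import deque

class ShiftRegisterMemory:
    """Constructed model: bits circulate in a loop, one position per clock."""

    def __init__(self, size: int = 512):
        self.size = size
        self.loop = deque([0] * size)  # loop[0] is the bit at the output tap
        self.at_tap = 0                # address of the bit currently at the tap

    def clock(self) -> None:
        self.loop.rotate(-1)           # output bit is fed back into the input
        self.at_tap = (self.at_tap + 1) % self.size

    def _seek(self, addr: int) -> int:
        """Clock the loop until addr is at the tap; return clocks waited."""
        if not 0 <= addr < self.size:
            raise IndexError(f"address {addr} out of range")
        waited = 0
        while self.at_tap != addr:
            self.clock()
            waited += 1
        return waited

    def write(self, addr: int, bit: int) -> int:
        waited = self._seek(addr)
        self.loop[0] = bit & 1
        return waited

    def read(self, addr: int):
        waited = self._seek(addr)
        return self.loop[0], waited

def total_clocks(addresses, size: int = 512) -> int:
    """Clocks spent waiting when reading the given addresses in order."""
    mem = ShiftRegisterMemory(size)
    return sum(mem.read(a)[1] for a in addresses)

if __name__ == "__main__":
    mem = ShiftRegisterMemory()
    mem.write(10, 1)
    print("read 10:", mem.read(10))    # already at the tap
    print("read  9:", mem.read(9))     # just missed it: almost a full lap
    print("ascending :", total_clocks(range(512)))
    print("descending:", total_clocks(range(511, -1, -1)))
```

Reading addresses in the direction the loop travels costs one clock per bit, while reading them in reverse costs nearly a full lap per bit, which is the "random" access time the paragraph describes.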
Analog ICs: the 555 timer, the LM741, and the LM7805
Have you ever used a 555 timer? Want to see how it works? First, you’ll have to understand the implementation details of the bipolar-junction transistors (BJTs). Although BJTs are laid out in many more different topologies than their FET cousins, analog circuits are often smaller and easier to get your head around. [Ken] gives you a good head start, and then starts off reversing two iconic chips: the 555 timer and the LM741 op-amp.
The 741 IC is dominated by an in-silicon capacitor, which really is a silly idea, but since “engineers are lazy” and this means that they have one less piece to lay out, it turned out to be worth its weight in gold and the LM741 sold bazillions. On the other hand, it’s got current mirrors spread around everywhere, which are used to replace resistors in silicon. And it’s got some strange transistors, one of which has six (!) collectors because the designers needed six current mirrors in one place.
Finally, [Ken] takes apart the LM7805 voltage regulator. The output transistor is (not surprisingly) about half of the IC die — the 7805 needs to push some current. The coolest part of the chip is a variable resistor that sets the output voltage. It’s a simple trick that makes the difference between an LM7812 and an LM7805 no more than the value of the resistor inside, leveraging the same design for different operating voltages.
How Does He Do It?
[Ken] uses a metallurgical microscope that shines its light from above, rather than through the sample. He got his for a few hundred dollars on eBay. He then takes multiple images from different locations all around the chip, with significant overlap, and lets the Hugin software stitch it all back together for him.
“The experts” decap their chips using boiling sulfuric or nitric acid. [Ken] doesn’t need a Superfund site, so he often leaves the die photos to someone else. Sites like zeptobars.com, visual6502, and siliconpr0n have a ton of chips that are just waiting for you to start decoding, with no chemistry degree needed.
For chips that aren’t in epoxy, [Ken] opens them himself, either by hitting them with a chisel or by cutting them open with a saw. He’s just now started up on the 8008 CPU. Between this talk and the resources on [Ken]’s website, you’ve got a good head start. All that’s left to do is the good, hard, fun work of puzzling out a few ICs on your own.