FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they’ve never really broke out of their niches until rather recently. There’s still a bit of a myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Well, who’d be better at taking an extra close look at a chip than [Ken Shirriff], so in his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.
If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target, there’s nothing else than the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in known manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.
Longtime followers of [Ken Shirriff’s] work are accustomed to say asking “Where does he get such wonderful toys?”. This time around he’s laid bare the guidance computer from a Titan missile. To be specific, this is the computer that would have been found in the Titan II, an intercontinental ballistic missile that you may remember as a key part of the plot of the classic film WarGames. Yeah, those siloed nukes.
Amazingly these computers were composed of all digital logic, no centralized controller chip in this baby. That explains the need for the seven circuit boards which host a legion of logic chips, all slotting into a backplane.
But it’s not the logic that’s mind-blowing, it’s the memory. Those dark rectangles on almost every board in the image at the top of the article are impressively-dense patches of magnetic core memory. That fanout is one of two core memory modules that are found in this computer. With twelve plates per module (each hosting two bits) plus a parity bit on an additional plate, words were composed of 25-bits and the computer’s two memory modules could store a total of 16k words.
This is 1970’s tech and it’s incredible to think that when connected to the accelerometers and gyros that made up the IMU this could use dead reckoning to travel to the other side of the globe. As always, [Ken] has done an incredible job of walking through all parts of the hardware during his teardown. He even includes the contextual elements of his analysis by sharing details of this moment in history near the end of his article.
When it comes to reverse engineering silicon, there’s no better person to ask than Ken Shirriff. He’s the expert at teasing the meaning out of layers of polysilicon and metal. He’s reverse engineered the ubiquitous 555 timer, he’s taken a look at the inside of old-school audio chips, and he’s found butterflies in his op-amp. Where there’s a crazy jumble of microscopic wires and layers of silicon, Ken’s there, ready to do the teardown.
For this year’s talk at the Hackaday Superconference, Ken walked everyone through the techniques for reverse engineering silicon. Surprisingly, this isn’t as hard as it sounds. Yes, you’ll still need to drop acid to get to the guts of an IC (of course, you could always find a 555 stuck in a metal can, but then you can’t say ‘dropping acid’), but even the most complex devices on the planet are still made of a few basic components. You’ve got n-doped silicon, p-doped silicon, and some metal. That’s it, and if you know what you’re looking for — like Ken does — you have all the tools you need to figure out how these integrated circuits are made.
Reverse engineering silicon is a dark art, and when you’re just starting off it’s best to stick to the lesser incantations, curses, and hexes. Hackaday caught up with Ken Shirriff at last year’s Supercon for a chat about the chip decapping and reverse engineering scene. His suggestion is to start with an old friend: the 555 timer.
Ken is well-known for his work photographing the silicon die at the heart of an Integrated Circuit (IC) and mapping out the structures to create a schematic of the circuit. We’re looking forward to Ken’s talk in just a few weeks at the Hackaday Superconference. Get a taste of it in the interview video below.
In 1976, Texas Instruments came out with the TL084, a four JFET op-amp IC each with similar circuitry to Fairchild’s very popular single op-amp 741. But even though the 741 has been covered in detailed, when [Ken Shirriff] focused his microscope on a TL084, he found some very interesting things.
To avoid using acid to get at the die, he instead found a ceramic packaged TL084 and pried off the cover. The first things he saw were four stabilizing capacitors, by far the largest structures on the die and visible to the naked eye.
When he peered into his microscope he next saw butterfly shapes which turned out to be pairs of input JFETs. The wide strips are the gates and the narrower strip surrounded by each gate is the source. The drain is the narrow strip surrounding each gate. Why arrange four JFETs like this? It’s possible to have temperature gradients in the IC, one side being hotter than the other. These gradients can affect the JFET’s characteristics, unbalancing the inputs. Look closely at the way the JFETs are connected and you’ll see that the top-left one is connected to the bottom-right one, and similarly for the other two. This diagonal cross-connecting cancels out any negative effects.
[Ken’s] analysis in his article doesn’t stop there though. Not only does he talk more about these JFETs but he goes over the rest of the die too. It’s well worth the read, as is his write-up about the 741 which we’ve also covered.
Lately, [Ken Shirriff] has been on some of the most incredible hardware adventures. In his most recent undertaking we find [Ken] elbow-deep in the core memory of a 50-year-old machine, the IBM 1401. The computer wasn’t shut down before mains power was cut, and it has refused to boot ever since. The culprit is in the core memory support circuitry, and thanks to [Ken’s] wonderful storytelling we can travel along with him to repair an IBM 1401.
From a hardware standpoint core memory makes us giddy. It’s a grid of wires with ferrite toroids at every intersection. Bits can be set or cleared based on how electricity is applied to the intersecting wires. [Al Williams] walked through some of the core memory history last year and we enjoyed hearing [Pamela Liou] recount the story of how textile workers consulted on the fabrication of core memory for the Apollo missions during her OHWS Talk in October. But giddiness aside, core memory has pretty much gone the way of the dodo having been displaced by technologies that take up exponentially less space.
We chuckle at [Ken’s] mention of the core memory capacity for the IBM 1401. It has 4000 characters of memory built-in (with another 12,000 in an expansion box) and he goes on to detail that these are 6-bit characters on a machine that operates in decimal and not binary (hence 4k instead of the base-2 friendly 4096).
You may remember his work a few years back to repair core memory on the same model. The Museum has two 1401’s, which turned out to be a huge help in trouble-shooting this. After tracing out the control lines, the repair team began swapping cards between the working and non-working machines. They were able to bring it back online — establishing one of the green inductors was bad — only to be struck with a second fault in the power supply.
Get this, [Ken] comments that “the whole computer is pre-silicon”. When working through the PSU, some suspect transistors were replaced with germanium power transistors. Those may have been a red-herring, as a penciled-in fuse on the original schematics turned out to be the linchpin of the PSU repair. Buried deep in the assembly, replacing the designed-to-fail part let the ancient beast awake once more.
Machines of this quality were heavily documented, and the schematics make this type of trouble-shooting a lot more manageable. But it’s still as much an art as it is skill. Make sure to give [Ken’s] article a read, and look around at the other repair jobs he’s documented — keeping these machines in service is becoming wizard-level work and we love being able to follow along.
[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.
In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.