Many of will have marveled at the feats of reverse engineering achieved by decapping integrated circuits and decoding their secrets by examining the raw silicon die. Few of us will have a go for ourselves, but that doesn’t stop the process being a fascinating one. Fortunately [Ryan Cornateanu] is on hand with a step-by-step description of his journey into the art of decapping, as he takes on what might seem an unlikely subject in the form of the CH340 USB to serial chip you’ll find on an Arduino Nano board.
Starting with hot sulphuric acid is probably not everyone’s idea of a day at the bench, but having used it to strip the epoxy from the CH340, he’s able to take a look under the microscope. This is no ordinary microscope but a metallurgists instrument designed to light the top of the sample from one side with polarised light. This allows him to identify an area of mask ROM and zoom in on the transistors that make each individual bit.
At this point the chemistry moves into the downright scary as he reaches for the hydrofluoric acid and has to use a PTFE container because HF is notorious for its voracious reactivity. This allows him to take away the interconnects and look at the transistor layer. He can then with a bit of computer vision processing help extract a bit layer map, which with some experimentation and guesswork can be manipulated into a firmware dump. Even then it’s not done, because he takes us into the world of disassembly of what is an unknown architecture. Definitely worth a read for the armchair chip enthusiast.
FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they’ve never really broke out of their niches until rather recently. There’s still a bit of a myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Well, who’d be better at taking an extra close look at a chip than [Ken Shirriff], so in his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.
If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target, there’s nothing else than the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in known manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.
We always look forward to a new blog post by [Ken Shirriff] and this latest one didn’t cure us of that. His topic this time? Comparing two Game Boy audio chips. People have noticed before that the Game Boy Color sounds very different than a classic Game Boy, and he wanted to find out why. If you know his work, you won’t be surprised to find out the comparison included stripping the die out of the IC packaging.
[Ken’s] explanation of how transistors, resistors, and capacitors appear on the die are helpfully illustrated with photomicrographs. He points out how resistors are notoriously hard to build accurately on a production IC. Many differences can affect the absolute value, so designs try not to count on exact values or, if they do, resort to things like laser trimming or other tricks.
Capacitors, however, are different. The exact value of a capacitor may be hard to guess beforehand, but the ratio of two or more capacitor values on the same chip will be very precise. This is because the dielectric — the oxide layer of the chip — will be very uniform and the photographic process controls the planar area of the capacitor plates with great precision.
We’ve decapsulated chips before, and we have to say that if you are just starting to look at chips at the die level, these big chips with bipolar transistors are much easier to deal with than the fine and dense geometries you’d find even in something like a CPU from the 1980s.
There can be few of us who haven’t gazed with fascination upon the work of IC decappers, whether they are showing us classic devices from the early years of mass semiconductor manufacture, or reverse-engineering the latest and greatest. But so often their work appears to require some hardcore scientific equipment or particularly dangerous chemicals. We’ve never thought we might be able to join the fun. [Generic Human] is out to change all that, by decapping chips using commonly available chemicals and easy to apply techniques. In particular, we discover through their work that rosin — the same rosin whose smell you will be familiar with from soldering flux — can be used to dissolve IC packaging.
Of course, ICs that dissolved easily in the face of soldering wouldn’t meet commercial success, so an experiment with flux meets little success. Pure rosin, however, appears to be an effective decapping agent. [Generic Human] shows us a motherboard voltage regulator boiled in the stuff. When the rosin is removed with acetone, there among the debris is the silicon die, reminding us just how tiny these things are. We’re sure you’ll all be anxious to try it for yourselves, now, so take a while to look at the video below showing their CCC Congress talk.
The master of chip decapping is of course [Ken Shirriff], whose work we’ve featured many times. Our editor [Mike Szczys] interviewed him last year, and it’s well worth a look.
If you are a regular searcher for exotic parts among the virtual pages of semiconductor supplies catalogs, you will have probably noticed that for a given function it is most often the part bearing the Analog Devices logo that is the most interesting. It may have more functionality, perhaps it will be of a higher specification, and it will certainly have a much higher price. [Zeptobars] has decapped and analyzed an AD chip that holds all three of those honors, the AD9361 SDR transceiver.
It’s placed under a slightly inflammatory title, “when microchips are more profitable than drugs“, but does make a good job of answering why a semiconductor device at the very cutting edge of what is possible at the time of release can be so expensive. The AD9361 is an all-in-one SDR transceiver with an astonishing bandwidth, and as such was a particularly special device when it reached the market in 2013. We see some particularly fine examples of on-chip inductors and PLL circuitry that must have consumed a significant design effort to preserve both bandwidth and noise characteristics. This is an item of physical beauty at a microscopic scale as well as one of technical achievement.
The financial analysis puts Analog Devices’s gross profit at about $103 of the $275 retail purchase price of an AD9361. The biggest slice at $105 goes to the distributor, and surprisingly the R&D and manufacturing costs are not as large as you might expect. How accurate these figures are is anybody’s guess, but they are derived from an R&D figure in the published financial report, so there is some credence to be given to them.
Integrated circuits are a fundamental part of almost all modern electronics, yet they closely resemble the proverbial “black box” – we may understand the inputs and outputs, but how many of us truly understand what goes on inside? Over the years, the process of decapping ICs has become popular – the removal of the package to enable peeping eyes to glimpse the mysteries inside. It’s an art that requires mastery of chemistry, microscopy and photography on top of the usual physics skills needed to understand electronics. Done properly, it allows an astute mind to reverse engineer the workings of the silicon inside.
These chips are the basic building blocks of digital logic – NAND gates, inverters, shift registers, decade counters and more. You can build a CPU with this stuff. These days, you may not be using these chips as often in a production context, but those of you with EE degrees will likely have toyed around a few of these in your early logic classes.
There’s only a handful of images up so far, but they’re of excellent quality, and they’re also annotated. This is a great aid if you’re trying to get to grips with the vagaries of chip design. [Robert] is putting in the hard yards to image as many variations of every chip as possible. There’s also the possibility of comparing the same chip for differences between manufacturers. We particularly like this project, as all too often manufacturing techniques and technologies are lost and forgotten as the march of progress continues on. It looks like it’s going to become a great resource for those looking to learn more about integrated circuit design and manufacture!
People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinksy]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.
The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.
Some of the coolest bits:
Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
All of this was done by sacrificing only one truckload of set-top boxes.
Our jaw dropped repeatedly during this presentation. Go watch it now.