Ken Shirriff Explains His Techniques For Reverse Engineering Silicon

When it comes to reverse engineering silicon, there’s no better person to ask than Ken Shirriff. He’s the expert at teasing the meaning out of layers of polysilicon and metal. He’s reverse engineered the ubiquitous 555 timer, he’s taken a look at the inside of old-school audio chips, and he’s found butterflies in his op-amp. Where there’s a crazy jumble of microscopic wires and layers of silicon, Ken’s there, ready to do the teardown.

For this year’s talk at the Hackaday Superconference, Ken walked everyone through the techniques for reverse engineering silicon. Surprisingly, this isn’t as hard as it sounds. Yes, you’ll still need to drop acid to get to the guts of an IC (of course, you could always find a 555 stuck in a metal can, but then you can’t say ‘dropping acid’), but even the most complex devices on the planet are still made of a few basic components. You’ve got n-doped silicon, p-doped silicon, and some metal. That’s it, and if you know what you’re looking for — like Ken does — you have all the tools you need to figure out how these integrated circuits are made.


Lessons in Disposable Design from a Cheap Blinky Ball

Planned obsolescence, as annoying as it is when you’re its victim, still has to be admired. You can’t help but stand in awe of the designer who somehow managed to optimize a product to live one day longer than its warranty period. Seriously, why is it always the next day?

The design of products that are never intended to live long enough to go obsolete must be similarly challenging, and [electronupdate] did a teardown of a cheap LED blinky toy to see what’s involved. You’ve no doubt seen these seizure-triggering silicone balls before, mostly at checkout counters and the like where they’re sold at prices many hundreds of times what it took to make them. This particular device, which seems representative of the species, has two bright LEDs, a small controller chip, a trio of button cells for power, and a springy switch to activate it. All this is mounted to a cheap scrap of phenolic resin PCB, with the controller chip and one of the LEDs covered by a blob of clear epoxy.

This teardown one-ups most others, as [electronupdate] disrobes the chip and points a microscope at the die; the video below shows just how few transistors are employed and proposes a likely circuit. Everything about this ball just oozes cheapness, and it’s likely these things cost essentially nothing to build. Which makes sense for something destined for the landfill within a week or so.

Yes, this annoying blinky-thing is low-end garbage, but there are still design lessons to be learned from it. Anything that’s built for a broad market has to be built to a price point, and understanding those constraints is important to understanding how planned obsolescence works.


Cracking the Case of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

Fail of the Week: The Semiconductor Lapping Machine That Can’t Lap Straight

It seemed like a good idea to build a semiconductor lapping machine from an old hard drive. But there’s just something a little off about [electronupdate]’s build, and we think the Hackaday community might be able to pitch in to help.

For those not into the anatomy and physiology of semiconductors, getting a look at the inside of the chip can reveal valuable information needed to reverse engineer a device, or it can just scratch the itch of curiosity. Lapping (the gentle grinding away of material) is one way to see the layers that make up the silicon die that lies beneath the epoxy. Hard drives designed to spin at 7200 rpm or more hardly seem a suitable spinning surface for a gentle lapping, but [electronupdate] just wanted the platter for its ultra-smooth, ultra-flat surface.

He removed the heads and replaced the original motor with a gear motor and controller to spin the platter at less than 5 rpm. A small holder for the decapped die was fashioned, and pinched between the platter hub and an idler. It gently rotates the die against the abrasive-covered platter as it slowly revolves. But the die wasn’t abrading evenly. He tried a number of different fixtures for the die, but never got to the degree of precision needed to see through the die layer by layer. We wonder if the weight of the die fixture is deflecting the platter a bit?

Failure is a great way to learn, if you can actually figure out where you went wrong. We look to the Hackaday community for some insight. Check out the video below and sound off in the comments if you’ve got any ideas.


Fake Ram: Identifying a Counterfeit Chip

[Robert Baruch] had something strange on his hands. He had carefully decapped a 74LS189 16×4 static RAM, only to find that it wasn’t a RAM at all. The silicon die inside the plastic package even had analog elements, which is not what one would expect to find in an SRAM. But what was it? A quick tweet brought in the cavalry, in the form of chip analysis expert [Ken Shirriff].

[Ken] immediately realized the part [Robert] had uncovered wasn’t a 74 series chip at all. The power and ground pins were in the wrong places. Even the transistors were small CMOS devices, where a 74LS part would use larger bipolar transistors. The most glaring difference between the mystery device and a real LS189 was the analog elements. The mystery chip had a resistor network, arranged as an R-2R ladder. This configuration is often used as a simple Digital to Analog Converter (DAC).

Further analysis of the part revealed that the DAC was driven by a mask ROM that was itself indexed using a linear feedback shift register (LFSR). [Ken] used all this information to plot out the analog signal the chip would generate. It turned out to be a rather sorry-looking sine wave.

The mystery part didn’t look like any function generator or audio chip of the era. [Ken] had to think about what sort of commodity part would use lookup tables to generate an audio waveform. The answer was as close as his telephone — a DTMF “touch tone” generator, specifically a knockoff of a Mostek MK5085.
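To make the LFSR-indexed ROM and R-2R ladder concrete, here is an added Python model (not code from the original post, nor a description of the MK5085’s actual circuit) that reproduces the signal chain described above and then sums two such channels the way a DTMF generator does. The LFSR length (5 bits, 31 states), its taps, the 4-bit DAC width, the 5 V reference and the 8 kHz sample rate are all assumptions for the example; the DTMF row and column frequencies are the standard ones.

```python
import math

# Standard DTMF keypad: row frequency -> the four keys in that row, indexed by column.
DTMF_ROWS = {697: "123A", 770: "456B", 852: "789C", 941: "*0#D"}
DTMF_COLS = (1209, 1336, 1477, 1633)


def lfsr_states(nbits=5, seed=1):
    """State sequence of a Fibonacci LFSR (assumed polynomial x^5 + x^3 + 1 for nbits=5).

    A maximal-length LFSR visits every non-zero state exactly once, so it works as a
    31-step address counter that costs far less silicon than a binary counter plus
    decoder. The real chip's register length and taps are not known from the text.
    """
    mask = (1 << nbits) - 1
    state, states = seed & mask, []
    while True:
        states.append(state)
        feedback = ((state >> (nbits - 1)) ^ (state >> (nbits - 3))) & 1
        state = ((state << 1) | feedback) & mask
        if state == seed:
            return states


def build_sine_rom(states, dac_bits=4):
    """Mask ROM contents: the k-th state the LFSR visits holds sample k of one sine period.

    The LFSR walks addresses in scrambled order, so the ROM is programmed in that same
    scrambled order; the *output* sequence is then a clean (if coarse) sine.
    """
    full_scale = (1 << dac_bits) - 1
    return {s: round((math.sin(2 * math.pi * k / len(states)) + 1) / 2 * full_scale)
            for k, s in enumerate(states)}


def r2r_dac(code, dac_bits=4, vref=5.0):
    """R-2R ladder output, Thevenin-reduced from the LSB end: each stage halves the previous node."""
    v = 0.0
    for i in range(dac_bits):            # LSB first
        bit = (code >> i) & 1
        v = (v + bit * vref) / 2
    return v                             # == vref * code / 2**dac_bits


def one_period(states, rom):
    """DAC voltages over one full LFSR cycle: the staircase sine [Ken] plotted."""
    return [r2r_dac(rom[s]) for s in states]


def tone_sample(states, rom, phase):
    """DAC output when the LFSR is `phase` (0..1) of the way through its cycle."""
    k = int(phase * len(states)) % len(states)
    return r2r_dac(rom[states[k]])


def dtmf_waveform(row_hz, col_hz, fs=8000, seconds=0.1):
    """Two sine-ROM channels, one per DTMF group, summed (a model, not the MK5085 schematic)."""
    states = lfsr_states()
    rom = build_sine_rom(states)
    n = int(fs * seconds)
    return [tone_sample(states, rom, (row_hz * i / fs) % 1.0)
            + tone_sample(states, rom, (col_hz * i / fs) % 1.0)
            for i in range(n)]


def goertzel_power(samples, f, fs):
    """Power at a single frequency (Goertzel), the usual way DTMF receivers detect tones."""
    coeff = 2 * math.cos(2 * math.pi * f / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_key(samples, fs=8000):
    """Recover the keypad symbol: strongest row tone and strongest column tone."""
    mean = sum(samples) / len(samples)
    ac = [x - mean for x in samples]     # drop the DAC's DC offset first
    row = max(DTMF_ROWS, key=lambda f: goertzel_power(ac, f, fs))
    col = max(range(4), key=lambda j: goertzel_power(ac, DTMF_COLS[j], fs))
    return DTMF_ROWS[row][col]


if __name__ == "__main__":
    states = lfsr_states()
    print("LFSR address order:", states)
    print("one period of DAC output:", one_period(states, build_sine_rom(states)))
    print("decoded key for 697 Hz + 1209 Hz:", decode_key(dtmf_waveform(697, 1209)))
```

The point of the scrambled ROM is the part that is easy to miss when staring at a die: the address sequence looks random, so the ROM contents look random too, and only stepping the two together (as the model’s `build_sine_rom` and `one_period` do) makes the sine wave appear. Decoding the summed waveform back to a keypad symbol is the same Goertzel-based check a receiver would run, which is a convenient way to confirm the model generates a valid tone pair.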

Most investigators would have stopped there. Not [Ken] though. He delved into the construction and function of the DTMF generator. You can find the full analysis on his site. This isn’t [Ken’s] first rodeo with decapped chips. He’s previously examined the Intel 8008 and presented a talk on silicon reverse engineering at the 2016 Hackaday Superconference. [Robert] has also shown us how to pop the top of classic ceramic integrated circuits.


What Lies Within: SMT Inductor Teardown

Ever wonder what’s inside a surface-mount inductor? Wonder no more as you watch this SMT inductor teardown video.

“Teardown” isn’t really accurate here, at least by the standard of [electronupdate]’s other component teardowns, like his looks inside LED light bulbs and das blinkenlights. “Rubdown” is more like it here, because what starts out as a rather solid looking SMT component needs to be ground down bit by bit to reveal the inner ferrite and copper goodness. [electronupdate] embedded the R30 SMT inductor in epoxy and hand lapped the whole thing until the windings were visible. Of course, just peeking inside is never enough, so he set upon an analysis of the inductor’s innards. Using a little careful macro photography and some simple image analysis, he verified the component’s data sheet claims; as an aside, is anyone else surprised that a tiny SMT component can handle 30 amps?

Looking for more practical applications for decapping components? How about iPhone brain surgery?


Project 54/74 Maps out Logic ICs

Integrated circuits are a fundamental part of almost all modern electronics, yet they closely resemble the proverbial “black box” – we may understand the inputs and outputs, but how many of us truly understand what goes on inside? Over the years, the process of decapping ICs has become popular – the removal of the package to enable peeping eyes to glimpse the mysteries inside. It’s an art that requires mastery of chemistry, microscopy and photography on top of the usual physics skills needed to understand electronics. Done properly, it allows an astute mind to reverse engineer the workings of the silicon inside.

There are many out there publishing images of chips they’ve decapped, but [Robert Baruch] wants more. Namely, [Robert] seeks to create a database of die images of all 5400 and 7400 series logic chips – the eponymous Project 54/74.

These chips are the basic building blocks of digital logic – NAND gates, inverters, shift registers, decade counters and more. You can build a CPU with this stuff. These days, you may not be using these chips as often in a production context, but those of you with EE degrees will likely have toyed around with a few of these in your early logic classes.

There’s only a handful of images up so far, but they’re of excellent quality, and they’re also annotated. This is a great aid if you’re trying to get to grips with the vagaries of chip design. [Robert] is putting in the hard yards to image as many variations of every chip as possible. There’s also the possibility of comparing the same chip for differences between manufacturers. We particularly like this project, as all too often manufacturing techniques and technologies are lost and forgotten as the march of progress continues on. It looks like it’s going to become a great resource for those looking to learn more about integrated circuit design and manufacture!