Many of will have marveled at the feats of reverse engineering achieved by decapping integrated circuits and decoding their secrets by examining the raw silicon die. Few of us will have a go for ourselves, but that doesn’t stop the process being a fascinating one. Fortunately [Ryan Cornateanu] is on hand with a step-by-step description of his journey into the art of decapping, as he takes on what might seem an unlikely subject in the form of the CH340 USB to serial chip you’ll find on an Arduino Nano board.
Starting with hot sulphuric acid is probably not everyone’s idea of a day at the bench, but having used it to strip the epoxy from the CH340, he’s able to take a look under the microscope. This is no ordinary microscope but a metallurgists instrument designed to light the top of the sample from one side with polarised light. This allows him to identify an area of mask ROM and zoom in on the transistors that make each individual bit.
At this point the chemistry moves into the downright scary as he reaches for the hydrofluoric acid and has to use a PTFE container because HF is notorious for its voracious reactivity. This allows him to take away the interconnects and look at the transistor layer. He can then with a bit of computer vision processing help extract a bit layer map, which with some experimentation and guesswork can be manipulated into a firmware dump. Even then it’s not done, because he takes us into the world of disassembly of what is an unknown architecture. Definitely worth a read for the armchair chip enthusiast.
If you’re thirsty for more, of course we have to direct you towards the work of [Ken Shirriff].
Join us on Wednesday, March 10 at noon Pacific for the Decapping Components Hack Chat with John McMaster!
We treat them like black boxes, which they oftentimes are, but what lies beneath the inscrutable packages of electronic components is another world that begs exploration. But the sensitive and fragile silicon guts of these devices can be hard to get to, requiring destructive methods that, in the hands of a novice, more often than not lead to the demise of the good stuff inside.
To help us sort through the process of getting inside components, John McMaster will stop by the Hack Chat. You’ll probably recognize John’s work from Twitter and YouTube, or perhaps from his SiliconPr0n.org website, home to beauty shots of some of the chips he has decapped. John is also big in the reverse engineering community, organizing the Mountain View Reverse Engineering meetup, a group that meets regularly to discuss the secret world of components. Join us as we talk to John about some of the methods and materials used to get a look inside this world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 10 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
Continue reading “Decapping Components Hack Chat With John McMaster”
Decapsulating ICs used to be an exotic technique. (I should know, I did that professionally for one of the big IC vendors back in the 1980s.) These days, more and more people are learning to take apart ICs for a variety of reasons. If you are interested in doing it yourself, [Juan Carlos Jimenez] has a post you should read about using acid to remove epoxy from ICs.
[Juan Carlos] used several different techniques with varying degrees of success. Keep in mind, that using nitric acid is generally pretty nasty. You need safety equipment and be sure to plan for bad things to happen. Have eyewash ready because once you splash acid in your eye, it is too late to get that together.
Continue reading “Learn IC Decapping”
FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they’ve never really broke out of their niches until rather recently. There’s still a bit of a myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Well, who’d be better at taking an extra close look at a chip than [Ken Shirriff], so in his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.
If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target, there’s nothing else than the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in known manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.
Of course, reverse engineering FPGA bitstreams isn’t new, and with little doubt, building a toolchain based on its results helped to put Lattice on the map in the maker community (which they didn’t seem to value at first, but still soon enough). We probably won’t see the same happening for Xilinx, but who knows what [Ken]’s up to next, and what others will make of this.
When you buy a chip, how can you be sure you’re getting what you paid for? After all, it’s just a black fleck of plastic with some leads sticking out of it, and a few laser-etched markings on it that attest to what lies within. All of that’s straightforward to fake, of course, and it’s pretty easy to tell if you’ve got a defective chip once you try it out in a circuit.
But what about off-brand chips? Those chips might be functionally similar, but still off-spec in some critical way. That was the case for [Kevin Darrah] which led to his forensic analysis of potentially counterfeit MCU chips. [Kevin] noticed that one of his ATMega328 projects was consuming way too much power in deep sleep mode — about two orders of magnitude too much. The first video below shows his initial investigation and characterization of the problem, including removal of the questionable chip from the dev board it was on and putting it onto a breakout board that should draw less than a microamp in deep sleep. Showing that it drew 100 μA instead sealed the deal — something was up with the chip.
[Kevin] then sent the potentially bogus chip off to a lab for a full forensic analysis, because of course there are companies that do this for a living. The second video below shows the external inspection, which revealed nothing conclusive, followed by an X-ray analysis. That revealed enough weirdness to warrant destructive testing, which showed the sorry truth — the die in the suspect unit was vastly different from the Atmel chip’s die.
It’s hard to say that this chip is a counterfeit; after all, Atmel may have some sort of contract with another foundry to produce MCUs. But it’s clearly an issue to keep in mind when buying bargain-basement chips, especially ones that test functionally almost-sorta in-spec. Caveat emptor.
Counterfeit parts are depressingly common, and are a subject we’ve touched on many times before. If you’d like to know more, start with a guide.
Continue reading “Deep-Sleep Problems Lead To Forensic Investigation Of Troublesome Chip”
Like pretty much every other big conference, the Chaos Communication Conference is going virtual this year. What was supposed to be 37C3 has been rebranded as rC3, the remote Chaos Experience. It’s understandable, as a 17,000 person live event would have not only been illegal but a bit irresponsible in the current environment. The event appears to be a hybrid of small local events hosted in hackerspaces linked with streamed talks and a program of workshops and “online togetherness.” rC3 is slated to run in the week between Christmas and New Year, and it seems like a great way to wrap up 2020.
Speaking of remote conferences, don’t forget about our own Remoticon. While it won’t be quite the same as everyone getting together in sunny — historically, at least — Pasadena for a weekend of actual togetherness, it’s still going to be a great time. The event runs November 6 to 8; we’ve had a sneak peek at the list of proposed workshops and there’s some really cool stuff. Prepare to be dazzled, and make sure you keep up on the Remoticon announcements — you really don’t want to miss this.
Continue reading “Hackaday Links: September 13, 2020”
You’d think that the 8086 microprocessor, a 40-year-old chip with a mere 29,000 transistors on board that kicked off the 16-bit PC revolution, would have no more tales left to tell. But as [Ken Shirriff] discovered, reverse engineering the chip from die photos reveals some hidden depths.
The focus of [Ken]’s exploration of the venerable chip is the charge pump, a circuit that he explains was used to provide a bias voltage across the substrate of the chip. Early chips generally took this -5 volt bias voltage from a pin, which meant designers had to provide a bipolar power supply. To reduce the engineering effort needed to incorporate the 8086 into designs, Intel opted for an on-board charge pump to generate the bias voltage. The circuit consists of a ring oscillator made from a trio of inverters, a pair of transistors, and some diodes to act as check valves. By alternately charging a capacitor and switching its polarity relative to the substrate, the needed -5 volt bias is created.
Given the circuit required, it was pretty easy for [Ken] to locate it on the die. The charge pump takes up a relatively huge amount of die space, which speaks to the engineering decisions Intel made when deciding to include it. [Ken] drills down to a very low level on the circuit, with fascinating details on how the MOSFETs were constructed, and why eight transistors were used instead of two diodes. As usual, his die photos are top quality, as are his explanations of what’s going on down inside the silicon.
If you’re somehow just stumbling upon [Ken]’s body of work, you’re in for a real treat. To get you started, you’ll want to check out how he found pi baked into the silicon of the 8087 coprocessor, or perhaps his die-level exploration of different Game Boy audio chips.