Sad news in the tech world this week as Intel co-founder Gordon Moore passed away in Hawaii at the age of 94. Along with Robert Noyce in 1968, Moore founded NM Electronics, the company that would later go on to become Intel Corporation and give the world the first commercially available microprocessor, the 4004, in 1971. The four-bit microprocessor would be joined a few years later by the 8008 and 8080, chips that paved the way for the PC revolution to come. Surprisingly, Moore was not an electrical engineer but a chemist, earning his Ph.D. from the California Institute of Technology in 1954 before his postdoctoral research at the prestigious Applied Physics Lab at Johns Hopkins. He briefly worked alongside Nobel laureate and transistor co-inventor William Shockley before jumping ship with Noyce and others to found Fairchild Semiconductor, which is where he made the observation that integrated circuit component density doubled roughly every two years. This calculation would go on to be known as “Moore’s Law.”
There are very few legal ways of obtaining ROM files for video games, and Nintendo’s lawyers are extremely keen on at least reminding you of the fact that you need to own the game cart before obtaining the ROM. With cart in hand, though, most will grab a cart reader to download the game files. While this is a tried-and-true method, for GameBoy games this extra piece of hardware isn’t strictly required. [Travis Goodspeed] is here to show us a method of obtaining ROM files from photographs of the game itself.
Of course, the chips inside the game cart will need to be decapped in order to obtain the pictures, and the pictures will need to be of high quality in order to grab the information. [Travis] is more than capable of this task in his home lab, but some work is still required after this step.
The individual bits in the Game Boy cartridges are created by metal vias on the chip, which are extremely small, but still visible under a microscope. He also has a CAD program that he developed to take this visual information and extract the data from it, which creates a ROM file that’s just as good as any obtained with a cart reader.
This might end up being slightly more work especially if you have to decap the chips and take the photographs yourself, but it’s nonetheless a clever way of obtaining ROM files due to this quirk of Game Boy technology. Encoding data into physical hardware like this is also an excellent way of ensuring that it doesn’t degrade over time. Here are some other methods for long-term data storage.
[Robo] over at Tiny Transistor Labs has a fascinating look at what’s inside these modern, ultra low-power devices that consume absolutely minuscule amounts of current. Crank up the magnification, and go take a look at the dies on these two similar (but internally very different) devices.
The first unit is the Texas Instruments LPV801, a single-channel op-amp that might not be very fast, but makes up for it by consuming only a few hundred nanoamps. Inside, [Robo] points out all the elements of the design, explaining how a part like this would be laser-trimmed to ensure it performs within specifications.
The second part is the Texas Instruments LPV821 which uses a wee bit more power, but makes up for it with a few extra features like zero-drift and EMI hardening. Peeking inside this device reveals the different manufacturing process this part used, and [Robo] points out things like the apparent lack of fuses for precise trimming of the part during the manufacturing process.
Seeing these structures up close isn’t an everyday thing for most of us, so take the opportunity to check out [Robo]’s photos. Tiny Transistor Labs definitely takes the “tiny” part of their name seriously, as we’ve seen with their 555 timer, recreated with discrete transistors, all crammed into a package that’s even the same basic size as the original.
Many of will have marveled at the feats of reverse engineering achieved by decapping integrated circuits and decoding their secrets by examining the raw silicon die. Few of us will have a go for ourselves, but that doesn’t stop the process being a fascinating one. Fortunately [Ryan Cornateanu] is on hand with a step-by-step description of his journey into the art of decapping, as he takes on what might seem an unlikely subject in the form of the CH340 USB to serial chip you’ll find on an Arduino Nano board.
Starting with hot sulphuric acid is probably not everyone’s idea of a day at the bench, but having used it to strip the epoxy from the CH340, he’s able to take a look under the microscope. This is no ordinary microscope but a metallurgists instrument designed to light the top of the sample from one side with polarised light. This allows him to identify an area of mask ROM and zoom in on the transistors that make each individual bit.
At this point the chemistry moves into the downright scary as he reaches for the hydrofluoric acid and has to use a PTFE container because HF is notorious for its voracious reactivity. This allows him to take away the interconnects and look at the transistor layer. He can then with a bit of computer vision processing help extract a bit layer map, which with some experimentation and guesswork can be manipulated into a firmware dump. Even then it’s not done, because he takes us into the world of disassembly of what is an unknown architecture. Definitely worth a read for the armchair chip enthusiast.
If you’re thirsty for more, of course we have to direct you towards the work of [Ken Shirriff].
We treat them like black boxes, which they oftentimes are, but what lies beneath the inscrutable packages of electronic components is another world that begs exploration. But the sensitive and fragile silicon guts of these devices can be hard to get to, requiring destructive methods that, in the hands of a novice, more often than not lead to the demise of the good stuff inside.
To help us sort through the process of getting inside components, John McMaster will stop by the Hack Chat. You’ll probably recognize John’s work from Twitter and YouTube, or perhaps from his SiliconPr0n.org website, home to beauty shots of some of the chips he has decapped. John is also big in the reverse engineering community, organizing the Mountain View Reverse Engineering meetup, a group that meets regularly to discuss the secret world of components. Join us as we talk to John about some of the methods and materials used to get a look inside this world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 10 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
Continue reading “Decapping Components Hack Chat With John McMaster”
Decapsulating ICs used to be an exotic technique. (I should know, I did that professionally for one of the big IC vendors back in the 1980s.) These days, more and more people are learning to take apart ICs for a variety of reasons. If you are interested in doing it yourself, [Juan Carlos Jimenez] has a post you should read about using acid to remove epoxy from ICs.
[Juan Carlos] used several different techniques with varying degrees of success. Keep in mind, that using nitric acid is generally pretty nasty. You need safety equipment and be sure to plan for bad things to happen. Have eyewash ready because once you splash acid in your eye, it is too late to get that together.
FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they’ve never really broke out of their niches until rather recently. There’s still a bit of a myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Well, who’d be better at taking an extra close look at a chip than [Ken Shirriff], so in his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.
If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target, there’s nothing else than the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in known manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.
Of course, reverse engineering FPGA bitstreams isn’t new, and with little doubt, building a toolchain based on its results helped to put Lattice on the map in the maker community (which they didn’t seem to value at first, but still soon enough). We probably won’t see the same happening for Xilinx, but who knows what [Ken]’s up to next, and what others will make of this.