die

52 Articles

Yes, You Can Reverse Engineer This 74181

January 7, 2017 by 21 Comments

[Ken Shirriff] is the gift that keeps on giving this new year. His latest is a reverse engineering of the 74181 Arithmetic Logic Unit (ALU). The great news is that the die image and complexity are both optimized for you to succeed at doing your own reverse engineering.

74181-openedWe have most recently seen [Ken] at work explaining his decapping and reverse engineering process at the Hackaday SuperCon followed soon after by his work on the 8008. That chip is crazy with complexity and a die-ogling noob (like several of us on the Hackaday crew) stands no chance of doing more than simply following along with what he explains. This time around, the 74181 is just right for the curious but not obsessed. Don’t believe me? The 8008 had around 3,500 transistors while the friendly 74181 hosts just 170. We like those odds!

A quick crash course in visually recognizing transistors will have you off to the races. [Ken] also provides reference for more complex devices. But where he really saves the day is in his schematic analysis. See, the traditional ‘textbook’ logic designs have been made faster in this chip and going through his explanation will get you back on track to follow the method behind the die’s madness.

[Ken] took his own photograph of the die. You can see the donor chip above which had its ceramic enclosure shattered with a brisk tap from a sharp chisel.

8008 Exposed

December 31, 2016 by 17 Comments

[Ken Shirriff] is no stranger to Hackaday. His latest blog post is just the kind of thing we expect from him: a tear down of the venerable 8008 CPU. We suspect [Ken’s] earlier post on early CPUs pointed out the lack of a good 8008 die photo. Of course, he wasn’t satisfied to just snap the picture. He also does an analysis of the different constructs on the die.

Ever wonder why the 8008 ALU is laid out in a triangle shape? In all fairness, you probably haven’t, but you might after you look at the photomicrograph of the die. [Ken] explains why.

Continue reading “8008 Exposed”

Decapsulation Reveals Fake Chips

September 12, 2016 by 37 Comments

A while back, [heypete] needed to get a GPS timing receiver talking to a Raspberry Pi. The receiver only spoke RS-232, and the Pi is TTL level serial. [Pete] picked up a few RS-232 to TTL conversion boards from an online vendor in China. These boards were supposedly based on the Max3232, a wonderchip that converts the TTL serial to the positive and negative voltages of RS-232 serial. The converters worked fine for a few weeks, before failing, passing a bunch of current, and overheating.

On Mouser and Digikey, the Max3232 costs about $1.80 in quantity one, and shipping is extra. You can pick up a ‘Max3232 converter board’ from the usual online marketplaces for seventy five cents with free shipping. Of course the Chinese version is fake. [Pete] had some nitric acid, and decided to compare the die of the real and fake Max3232s.

After desoldering two fake chips from their respective converter boards, and acquiring a legitimate chip straight from Maxim, [Pete] took a look at the chips under the microscope. The laser markings on the fakes are inconsistent, but there was something interesting to be found in the date code markings. It took two to four weeks for the fake chips to be etched with a date code, assembled into a converter board, shipped across the planet, put into [Pete]’s project, run for a little bit, and fail spectacularly. That’s an astonishing display of manufacturing, logistics, and shipping times. Update: The date codes on the fakes had 2013 laser etched on the plastic package, and 2009 on the die. The real chips had a date code just a few weeks before [Pete] decapped them — a remarkably short life but they gave in to a good cause.

Following the Zeptobars and CCC (PDF) guides to dropping acid, [Pete] turned his problem into solution and took a look at the dies under a microscope. The legitimate die was significantly larger, and the fake dies were identical. The official die used gold bond wires, but the fake ones didn’t.

Unfortunately, [Pete] isn’t an expert in VLSI, chip design, failure analysis, or making semiconductors out of sand. Anything that should be obvious to the layman is not, and [Pete] has no idea why these chips would work for a week, then overheat and fail. If anyone has an idea, hit [Pete] up and drop a note in the comments.

Dirt Cheap Dirty Decapping

May 11, 2016 by 20 Comments

Those tiny black rectangles of epoxy aren’t black boxes anymore. Decapsulating ICs is becoming somewhat common, and if you’re reverse engineering a chip-on-board epoxy blob, or just figuring out if the chip you bought is the chip you wanted, you’ll need to drop some acid. Usually this means finding someone with the knowhow to decap a chip, or having enough confidence in yourself to mess around with fuming nitric acid. Now Dangerous Prototypes has a better solution – Dirty Decapsulation. Send your chip to Dangerous Prototypes, and they’ll melt away the epoxy and take a few pictures of the die hidden inside your chip.

dirty-decappingDirty Decapsulation is Dangerous Prototype’s addition to their array of hacker services including cheap, crappy PCBs and SLA printing service. Dirty Decapsulation follows in the tradition of these other services; it’s not the best you can possibly get, but you’re not paying thousands of dollars for the job.

Right now, Dirty Decapsulation will take a chip, strip off the epoxy, and take a few pictures. These pictures are stitched together, producing a medium quality image of the die. No, you can’t see individual gates, and you can’t see different layers of metal and silicon. If you want that, you’ll need some nitric or a few thousand dollars. Dirty Decapsulation is just to verify the chip’s identity and give a rough idea of the layout of the die.

Hackaday Links Column Banner

Hackaday Links: Summer, 2015

June 21, 2015 by 26 Comments

[Elia] was experimenting with LNAs and RTL-SDR dongles. If you’re receiving very weak signals with one of these software defined radio dongles, you generally need an LNA to boost the signal. You can power an LNA though one of these dongles. You’ll need to remove a few diodes, and that means no ESD protection, and you might push the current consumption above the 500mA a USB port provides. It does, however, work.

We’ve seen people open up ICs with nitric acid, and look inside them with x-rays. How about a simpler approach? [steelcityelectronics] opened up a big power transistor with nothing but a file. The die is actually very small – just 1.8×1.8mm, and the emitter bond wire doesn’t even look like it’ll handle 10A.

Gigantic Connect Four. That’s what the Lansing Makers Network built for a Ann Arbor Maker Faire this year. It’s your standard Connect Four game, scaled up to eight feet tall and eight feet wide. The disks are foam insulation with magnets; an extension rod (with a magnet at the end) allows anyone to push the disks down the slots.

[Richard Sloan] of esp8266.com fame has a buddy running a Kickstarter right now. It’s a lanyard with a phone charger cable inside.

Facebook is well-known for the scientific literacy of its members. Here’s a perpetual motion machine. Comment gold here, people.

Here’s some Hackaday Prize business: We’re giving away stuff to people who use Atmel, Freescale, Microchip, and TI parts in their projects. This means we need to know you’re using these parts in your projects. Here’s how you let us know. Also, participate in the community voting rounds. Here are the video instructions on how to do that.

Automated Die Testing

April 6, 2015 by 22 Comments

Are the contents of a Crown Royal bag fair? No, they never are. What about dice? In a quest for good randomness, [Apo] designed and built an automated die tester. Not only does it shake the die up, it captures images so real, actual statistics can be done on each individual die.

The setup is a n acrylic box made with BoxMaker attached to a 3D printed adapter for a stepper motor shaft. Randomizing the die happens exactly like you think it would: a stepper shakes the box, and a camera underneath takes a picture. With a bit of computer vision, this image can be translated into a number, ready for the statistics package of your choice.

There were only 559 rolls before the 3D printed mess of duck tape fell apart, but a test of the distribution revealed this die to have a 92% probability that it is fair. That’s not good.

Creating a cheating die is much more interesting, and to find out if he could do it, [Apo] stuck a die in an oven at 100° C for a few minutes. Surprisingly, the fairness of the die got better, suggesting it’s possible to correct an un-fair die. Putting it back in the oven after that threw the fairness out of the window but there was still no visual difference between this modified die and the original stock die.

Digging Deep Into How The 8085 Processor’s Registers Were Designed

March 5, 2013 by 14 Comments

Hardware design enthusiasts should already be salivating just looking at this image. But [Ken Shirriff’s] write-up on how the 8085 processor’s registers were designed will put you in silicon reverse-engineering heaven. He manages to get to the bottom of the tricks the designers used to make register access as efficient as possible, like routing some through the ALU on their path elsewhere.

We’re certainly not experts in studying dies like the one seen above. Luckily [Ken] does a great job of zooming in on important parts, then dissecting how they work by representing the silicone image as a functional flow chart. One of the parts which we found most interesting is the WZ temporary registers. These are a set of internal registers that are not accessible to the programmer. They’re only used internally by the chip. They act as temporary storage for multiple operand functions, and also hold register addresses for a handful of instructions (JMP, CALL, RST, etc.).

If you’re more interested in how images of these chips are attained you should do some searching on Hackaday. Just last week we featured one such project in a links post.

[via Reddit]