When it comes to reverse engineering silicon, there’s no better person to ask than Ken Shirriff. He’s the expert at teasing the meaning out of layers of polysilicon and metal. He’s reverse engineered the ubiquitous 555 timer, he’s taken a look at the inside of old-school audio chips, and he’s found butterflies in his op-amp. Where there’s a crazy jumble of microscopic wires and layers of silicon, Ken’s there, ready to do the teardown.
For this year’s talk at the Hackaday Superconference, Ken walked everyone through the techniques for reverse engineering silicon. Surprisingly, this isn’t as hard as it sounds. Yes, you’ll still need to drop acid to get to the guts of an IC (of course, you could always find a 555 stuck in a metal can, but then you can’t say ‘dropping acid’), but even the most complex devices on the planet are still made of a few basic components. You’ve got n-doped silicon, p-doped silicon, and some metal. That’s it, and if you know what you’re looking for — like Ken does — you have all the tools you need to figure out how these integrated circuits are made.
Reverse engineering silicon is a dark art, and when you’re just starting off it’s best to stick to the lesser incantations, curses, and hexes. Hackaday caught up with Ken Shirriff at last year’s Supercon for a chat about the chip decapping and reverse engineering scene. His suggestion is to start with an old friend: the 555 timer.
Ken is well-known for his work photographing the silicon die at the heart of an Integrated Circuit (IC) and mapping out the structures to create a schematic of the circuit. We’re looking forward to Ken’s talk in just a few weeks at the Hackaday Superconference. Get a taste of it in the interview video below.
The IBM 1401 is a classic computer which IBM marketed throughout the 1960s, late enough for it to have used transistors rather than vacuum tubes, which is probably a good thing for this story. For small businesses, it was often used as their main data processing machine along with the 1403 printer. For larger businesses with mainframes, the 1401 was used to handle the slower peripherals such as that 1403 printer as well as card readers.
Broken germanium transistor
The Computer History Museum in Mountain View, CA has two working 1401s as well as at least one 1403 printer, and recently whenever the printer printed out a line, the computer would report a “print check” error. [Ken Shirriff] was among those who found and fixed the problem and he wrote up a detailed blog entry which takes us from the first test done to narrow down the problem, through IBM’s original logic diagrams, until finally yanking out the suspect board and finding the culprit, a germanium transistor which likely failed due to corrosion and an emitter wire that doesn’t look solidly connected. How do they know that? In the typical [Ken]-and-company style which we love, they opened up the transistor and looked at it under a microscope. We get the feeling that if they could have dug even deeper then they would have.
Most of us have been there. You build a device but realize you need two or more voltages. You could hook up multiple power supplies but that can be inconvenient and just not elegant. Alternatively, you can do something in the device itself to create the extra voltages starting with just one. When [Ken Shirriff] decapped an 8087 coprocessor to begin exploring it, he found it had that very problem. It needed: +5 V, a ground, and an additional -5 V.
His exploration starts with a smoking gun. After decapping the chip and counting out all the bond wires going to the various pads, he saw there was one too many. It wasn’t hard to see that the extra wire went to the chip’s substrate itself. This was for providing a negative bias to the substrate, something done in some high-performance chips to get increased speed, a more predictable transistor threshold voltage, and to reduce leakage current. Examining where the bond wire went to in the circuitry he found the two charge pump circuits shown in the banner image. Those worked in alternating fashion to supply a -5 V bias to the substrate, or rather around -3 V when you take into account voltage drops. Of course, he also explains the circuits and dives in deeper, including showing how the oscillations are provided to make the charge pumps work.
In 1976, Texas Instruments came out with the TL084, a four JFET op-amp IC each with similar circuitry to Fairchild’s very popular single op-amp 741. But even though the 741 has been covered in detailed, when [Ken Shirriff] focused his microscope on a TL084, he found some very interesting things.
To avoid using acid to get at the die, he instead found a ceramic packaged TL084 and pried off the cover. The first things he saw were four stabilizing capacitors, by far the largest structures on the die and visible to the naked eye.
When he peered into his microscope he next saw butterfly shapes which turned out to be pairs of input JFETs. The wide strips are the gates and the narrower strip surrounded by each gate is the source. The drain is the narrow strip surrounding each gate. Why arrange four JFETs like this? It’s possible to have temperature gradients in the IC, one side being hotter than the other. These gradients can affect the JFET’s characteristics, unbalancing the inputs. Look closely at the way the JFETs are connected and you’ll see that the top-left one is connected to the bottom-right one, and similarly for the other two. This diagonal cross-connecting cancels out any negative effects.
[Ken’s] analysis in his article doesn’t stop there though. Not only does he talk more about these JFETs but he goes over the rest of the die too. It’s well worth the read, as is his write-up about the 741 which we’ve also covered.
It must be everyone’s birthday today because [Ken Shirriff] has come out with a gift for us. He’s done another pass at reverse engineering the 76477 Space Invaders sound chip from the 1970s and found it’s full of integrated injection logic (I2L), making it a double treat: we get to explore the more of this chip which made sounds for so many of our favorite games, and we explore a type of logic which was to be the successor to TTL until CMOS came along.
I2L gate
This article has a similar shape to his last one, first introducing I2L, followed by showing us what it looks like on the die, and then covering the different functional elements which make heavy use of it. The first of these is the noise generator made up of a section of shift registers and a ring oscillator. That’s followed by a noise filter which doesn’t use I2L but does use current mirrors. And lastly, he talks about the mixer which mixes output from the noise generator and elements covered in his previous article, the voltage-controlled oscillator, and the super-low frequency oscillator. Oddly enough, and as he points out, it isn’t an analog mixer. Instead, it just ANDs together the various inputs.
[Ken’s] no stranger to putting dies under the microscope. Check out our coverage of his talk at the 2016 Hackaday SuperConference where he shows us the guts of such favorites as the Z80 and the 555 timer IC.
Lately, [Ken Shirriff] has been on some of the most incredible hardware adventures. In his most recent undertaking we find [Ken] elbow-deep in the core memory of a 50-year-old machine, the IBM 1401. The computer wasn’t shut down before mains power was cut, and it has refused to boot ever since. The culprit is in the core memory support circuitry, and thanks to [Ken’s] wonderful storytelling we can travel along with him to repair an IBM 1401.
From a hardware standpoint core memory makes us giddy. It’s a grid of wires with ferrite toroids at every intersection. Bits can be set or cleared based on how electricity is applied to the intersecting wires. [Al Williams] walked through some of the core memory history last year and we enjoyed hearing [Pamela Liou] recount the story of how textile workers consulted on the fabrication of core memory for the Apollo missions during her OHWS Talk in October. But giddiness aside, core memory has pretty much gone the way of the dodo having been displaced by technologies that take up exponentially less space.
Bad inductor (green housing has been dissolved away)
We chuckle at [Ken’s] mention of the core memory capacity for the IBM 1401. It has 4000 characters of memory built-in (with another 12,000 in an expansion box) and he goes on to detail that these are 6-bit characters on a machine that operates in decimal and not binary (hence 4k instead of the base-2 friendly 4096).
You may remember his work a few years back to repair core memory on the same model. The Museum has two 1401’s, which turned out to be a huge help in trouble-shooting this. After tracing out the control lines, the repair team began swapping cards between the working and non-working machines. They were able to bring it back online — establishing one of the green inductors was bad — only to be struck with a second fault in the power supply.
Get this, [Ken] comments that “the whole computer is pre-silicon”. When working through the PSU, some suspect transistors were replaced with germanium power transistors. Those may have been a red-herring, as a penciled-in fuse on the original schematics turned out to be the linchpin of the PSU repair. Buried deep in the assembly, replacing the designed-to-fail part let the ancient beast awake once more.
Machines of this quality were heavily documented, and the schematics make this type of trouble-shooting a lot more manageable. But it’s still as much an art as it is skill. Make sure to give [Ken’s] article a read, and look around at the other repair jobs he’s documented — keeping these machines in service is becoming wizard-level work and we love being able to follow along.
