How To Reverse Engineer Silicon

A few semesters back, [Jordan] was in an Intro to Hardware Security course at CMU. The final project was open ended, and where some students chose projects like implementing a crypto algorithm or designing something on an FPGA, [Jordan] decided to do something a little more ambitious. He wanted to decapsulate and reverse engineer an IC. No, this isn’t taking a peek at billions of transistors — [Jordan] chose a 74-series Quad XOR for this project — but it does show what goes into reverse engineering silicon, and how even simple chips can be maddeningly confusing.

The first step to reverse engineering a chip is decapsulation, and for this [Jordan] had two options. He could drop acid, or he could attack a ceramic package with an endmill. While hot nitric acid is effective and fun, it is a bit scary, so [Jordan] mounted a few chips in a 3D printed holder wedged in the vice on his mill. By slowly bringing the Z axis down a few thou at a time, he was able to find the tiny 1 mm square bit of silicon embedded in this chip. With the help of a grad student and the cleanroom, this square of sand was imaged with a very nice microscope.

Now that [Jordan] had an image of the silicon itself, he had to reverse engineer the chip. You might think that with less than a dozen transistors in there, designing an XOR out of transistors is something anyone with a bit of Minecraft experience can do. This line of thinking proved to be a trap. Technically, this wasn’t an XOR gate. It was a transmission gate XNOR gate with a big inverter on the output. Logically, it’s the same, but when it comes to silicon fabrication, the transmission gate XNORs aren’t able to sink or source a lot of current. By designing the chip as an XNOR with an inverter, the chip designers were able to design a simple chip that could still meet the spec.

While [Jordan] managed to reverse engineer the chip, this was quite possibly the simplest chip he could reverse engineer. The Quad XOR is just the same silicon repeated four times, anyway. This is the baseline for all efforts to reverse engineer silicon, and there were still a few confusing traps.

Making Solar Cells

We will admit that it is unlikely you have enough gear in your basement to make a solar cell using these steps. However, it is interesting to see how a bare silicon wafer becomes a solar cell. If you’ve seen ICs going through fabrication, you’ll see a lot of similarities, but there are some differences.

The process calls for a silicon wafer, some ovens, spin coaters, photolithography equipment, and a dice saw, among other things. Oh, you probably also need a clean room. Maybe you should just buy your solar cells off the shelf, but it is still interesting to see how they are made.

Modern solar cells have some extra structures to improve their efficiency, but the cells in this video are pretty garden-variety. For example, some experimental cells use multiple layers of active devices, each tuned to absorb a different wavelength of light.

If you really want to make your own, there’s another process where you can start with some copper and wind up with a kind of solar cell that uses a copper-based semiconductor material. But don’t be fooled into thinking that making the silicon variety is totally out of reach to hackers, we’ve seen [Sam Zeloof] pull it off.


Pull Passwords Out of Silicon

[q3k] got tipped off to a very cool problem in the ongoing Pwn2Win capture-the-flag, and he blew it out of the water by decoding the metal interconnect layers that encode a password in a VLSI IC. And not one to rent someone else’s netlist extraction code, he did it by writing his own.

The problem in the Pwn2Win CTF came in the form of the design files for a hypothetical rocket launch code. The custom IC takes an ASCII string as input, and flips a pin high if it matches. Probably the simplest way to do this in logic is to implement a shift register that’s long enough for the code string’s bits, and then hard-wire some combinatorial logic that only reads true when all of the individual bits are correct.

(No, you don’t want to implement a password-checker this way — it means that you could simply brute-force the password far too easily — but such implementations have been seen in the wild.)

Anyway, back to our story. After reversing the netlist, [q3k] located 320 flip-flops in a chain, suggesting a 40-byte ASCII code string. Working backward in the circuit from the “unlocked” pin to the flip-flops, he found a network of NOR and NAND gates, which were converted into a logic notation and then tossed into Z3 to solve. Some cycles later, he had pulled the password straight out of the silicon!
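To show why a hard-wired comparator like this cannot keep its key out of the layout, here is an added example (not the post's code and not [q3k]'s tools): a constructed model of the checker, a shift register feeding a NAND/NOR comparator, in which requiring the "unlocked" output to be 1 forces every flip-flop to one value, so the string falls straight out of the netlist. It assumes flop 8*j+k holds bit k (MSB first) of byte j; [q3k] used Z3 for the general case, while this propagation only handles gates whose required output fixes all their inputs.

```python
# Added example, not the post's or q3k's code: a constructed model of the
# Pwn2Win-style checker (shift register + hard-wired NAND/NOR comparator).
# Assumption: flop 8*j+k holds bit k (MSB first) of password byte j.
def build_checker(secret: bytes) -> dict:
    """Constructed netlist: gate name -> (kind, inputs); flops are 'ff<i>'. Bits that
    must be 0 are inverted, each byte feeds a NAND, 'unlocked' is the NOR of all NANDs."""
    net = {}
    for j, byte in enumerate(secret):
        lits = []
        for k in range(8):
            i, lit = 8 * j + k, f"ff{8 * j + k}"
            if not (byte >> (7 - k)) & 1:
                net[f"inv{i}"] = ("NOT", [lit])
                lit = f"inv{i}"
            lits.append(lit)
        net[f"nand{j}"] = ("NAND", lits)
    net["unlocked"] = ("NOR", [f"nand{j}" for j in range(len(secret))])
    return net

def evaluate(net: dict, node: str, flops: dict) -> int:
    """Simulate the comparator for a given shift-register state."""
    if node.startswith("ff"):
        return flops[int(node[2:])]
    kind, ins = net[node]
    vals = [evaluate(net, x, flops) for x in ins]
    if kind == "NOT":
        return 1 - vals[0]
    return int(not all(vals)) if kind == "NAND" else int(not any(vals))

def recover(net: dict) -> dict:
    """Propagate 'unlocked must be 1' back to the flops. Only cases that force every
    input (NOT, NAND=0, NOR=1) are handled; a general network needs a solver like Z3."""
    flops, todo = {}, [("unlocked", 1)]
    while todo:
        node, val = todo.pop()
        if node.startswith("ff"):
            assert flops.setdefault(int(node[2:]), val) == val, f"contradiction at {node}"
            continue
        kind, ins = net[node]
        if kind == "NOT":
            todo.append((ins[0], 1 - val))
        elif (kind, val) in (("NAND", 0), ("NOR", 1)):
            todo.extend((x, 1 - val) for x in ins)
        else:
            raise ValueError(f"{kind}={val} does not force its inputs")
    return flops

def flops_to_bytes(flops: dict) -> bytes:
    return bytes(sum(flops[8 * j + k] << (7 - k) for k in range(8))
                 for j in range(len(flops) // 8))
```

The constructed secret is recovered from the gates alone, and flipping any single flop of the recovered state drops "unlocked" to 0.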

This looks like a really fun challenge if you’re into logic design or hardware reverse engineering. You don’t have to write your own tools to do this, of course, but [q3k] would say that it was worth it.

Thanks [Victor] for the great tip!
Featured image by David Carron, via Wikipedia.

Friday Hack Chat: Open Source Silicon

This Friday, Hackaday.io will be graced with purveyors of Open Source Silicon. Join us in the Hackaday.io Hack Chat this Friday, April 14 at noon PDT (19:00 UTC) for a conversation with SiFive, an ‘Open’ silicon manufacturer.

This week, we’re sitting down with SiFive, a fabless semiconductor company and makers of the HiFive1, an Open Hardware microcontroller that you can just go out and buy. Late last year, SiFive released the HiFive1, an Arduinofied version of SiFive’s FE310 System on Chip. This SoC is a RISC-V core and one of the first microprocessors that is completely Open Source. It is an affront to Stallmanism, the best hope we have for truly Open hardware, and it’s pretty fast, to boot.

SiFive isn’t only working on Open Hardware microcontrollers — their business plan is pretty much, ‘OSH Park, but for silicon’. If you have a design for a new type of chip, they’ll work with foundries to turn your design into a cute little epoxy impregnated blob. It’s a fascinating business plan, and you’re going to hear all about it this Friday in the Hack Chat.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 21st, we’re going to be talking magnets with Nanomagnetics. Making magnets, collecting magnets, playing with magnets, it’ll all be over on the Hack Chat.

Friday Hack Chat: Audio Amplifier Design

Join [Jørgen Kragh Jakobsen], Analog/digital Design Engineer at Merus-Audio, for this week’s Hack Chat.

Every week, we find a few interesting people making the things that make the things that make all the things, sit them down in front of a computer, and get them to spill the beans on how modern manufacturing and technology actually happens. This is the Hack Chat, and it’s happening this Friday, March 31, at noon PDT (20:00 UTC).

Jørgen’s company has developed a line of multi-level Class D amplifiers that focus on power reduction to save battery life in mobile applications without losing audio quality.

There are a lot of tricks to bring down power consumption: some rely on core technologies in transistor switching, others on the input level, where the modulation type and frequency are dynamically changed to fit everything from background audio level to party mode.


Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 7th, our host will be [Samy Kamkar], hacker extraordinaire, to talk reverse engineering.

Friday Hack Chat: ASIC Design

Join [Matt Martin], ASIC designer at Keysight, for this week’s Hack Chat.

Every week, we find a few interesting people making the things that make the things that make all the things, sit them down in front of a computer, and get them to spill the beans on how modern manufacturing and technology actually happens. This is the Hack Chat, and it’s happening this Friday, March 17, at noon PDT (20:00 UTC).

[Matt] has been working at Agilent / Keysight since 2007 as an ASIC designer. The work starts with code that is synthesized into logic gates. After that, [Matt] takes those gates and puts them into silicon. He’s worked with processes from 0.13um to 28nm. Turning code into silicon is still a dark art around here, and if you’ve ever wanted to know how all of this works, this is your chance to find out.


Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On March 24th, we’re going to argue the merits of tube amplifiers in audio applications. In April, we have [Samy Kamkar], hacker extraordinaire, to talk reverse engineering.

Because I’ve never had the opportunity to do so, and because these Hack Chat announcement posts never get many comments anyway, I’m going to throw this one out there. What would it take to build out a silicon fabrication plant based on technology from 1972? I’m talking about a 10-micrometer process here, something that might be able to clone a 6502. Technology is on our side — a laser printer is cheaper than a few square feet of rubylith — and quartz tube heaters and wire bonding machines can be found on the surplus market. Is it possible to build a silicon fab in your garage without going broke? Leave your thoughts in the comments, and then bring them with you to the Hack Chat this Friday.

Closer Look at Everyone’s Favorite Blinky

Admit it, you love looking at silicon die shots, especially when you have help walking through the functionality of all the different sections. This one’s really easy for a couple of reasons. [electronupdate] pointed his microscope at the die on a WS2812.

The WS2812 is an addressable RGB LED that is often called a Neopixel (a brand name assigned to it by Adafruit). The part is packaged in a 5×5 mm housing with a clear window on the front. This lets you easily see the diodes as they are illuminated, but also makes it easy to get a look at the die for the logic circuit controlling the part.

This die is responsible for reading data as it is shifted in, shifting it out to the next LED in the chain, and setting each of the three diodes accordingly. The functionality is simple, which makes it a lot easier to figure out what each part of the die contributes to the effort. The diode drivers are a dead giveaway because a bonding wire is connected to part of their footprint. It’s quite interesting to hear that the fourth footprint was likely used in testing — sound off in the comments if you can speculate on what those tests included.

We had no trouble spotting logic circuitry. This exploration doesn’t drill down to the gate level like a lot of [Ken Shirriff’s] silicon reverse engineering but the process that [electronupdate] uses is equally fun. He grabs a tiny solar cell and scopes it while the diodes are running to pick up on the PWM pattern used to fade each LED. That’s a neat little trick to keep in your back pocket for use in confirming your theories about clock rate and implementation when reverse engineering someone else’s work.
