Fail Of The Week: The Semiconductor Lapping Machine That Can’t Lap Straight

It seemed like a good idea to build a semiconductor lapping machine from an old hard drive. But there’s just something a little off about [electronupdate]’s build, and we think the Hackaday community might be able to pitch in to help.

For those not into the anatomy and physiology of semiconductors, getting a look at the inside of the chip can reveal valuable information needed to reverse engineer a device, or it can just scratch the itch of curiosity. Lapping (the gentle grinding away of material) is one way to see the layers that make up the silicon die that lies beneath the epoxy. Hard drives designed to spin at 7200 rpm or more hardly seem a suitable spinning surface for a gentle lapping, but [electronupdate] just wanted the platter for its ultra-smooth, ultra-flat surface.

He removed the heads and replaced the original motor with a gear motor and controller to spin the platter at less than 5 rpm. A small holder for the decapped die was fashioned, and pinched between the platter hub and an idler. It gently rotates the die against the abrasive-covered platter as it slowly revolves. But the die wasn’t abrading evenly. He tried a number of different fixtures for the die, but never got to the degree of precision needed to see through the die layer by layer. We wonder if the weight of the die fixture is deflecting the platter a bit?

Failure is a great way to learn, if you can actually figure out where you went wrong. We look to the Hackaday community for some insight. Check out the video below and sound off in the comments if you’ve got any ideas.


Custom Chips As A Service

Ages ago, making a custom circuit board was hard. Either you had to go buy some traces at Radio Shack, or you spent a boatload of money talking to a board house. Now, PCBs are so cheap, I’m considering tiling my bathroom with them. Today, making a custom chip is horrifically expensive. You can theoretically make a transistor at home, but anything more demands quartz tube heaters and hydrofluoric acid. Custom ASICs are just out of reach for the home hacker, unless you’re siphoning money off of some crypto Ponzi scheme.

Now things may be changing. Costs are coming down, the software toolchain is getting there, and Onchip, the makers of an Open Source 32-bit microcontroller, are now working on what can only be called an ‘OSH Park for silicon’. They’re calling it Itsy-Chipsy, and it’s promising to bring you your own chip for as low as $100.

The inspiration for this business plan comes from services like MOSIS that allow university classes to design their own chips on multi-project wafers. This aggregates multiple chips onto one wafer, bringing the cost of a prototype down from tens of thousands of dollars to about five thousand dollars, or somewhere around a thousand dollars a chip.

Itsy-Chipsy is taking this batch processing one step further. This is a platform that combines multiple projects on one die. That thousand dollar chip is now sixteen different projects, tied together with regulators, current sources, clocks, and process monitors. Using a 2 mm by 2 mm chip size, Itsy-Chipsy gives chip designers 350 μm of silicon using a 180 nm CMOS process. That’s enough for a basic 32-bit RISC-V microprocessor in a QFN or DIP 40 for just one hundred dollars.

This project is a contender for The Hackaday Prize — the Prize ends in November and we’d be amazed to see results by then. The Onchip team is talking to foundries, though, and it looks like there’s interest for this model in the industry. We’d guess that the best case scenario is a crowdfunding campaign for an OSH Park-like chip fab sometime in 2019. Whenever it comes, this is something we’re eagerly awaiting.

How To Reverse Engineer Silicon

A few semesters back, [Jordan] was in an Intro to Hardware Security course at CMU. The final project was open ended, and where some students chose projects like implementing a crypto algorithm or designing something on an FPGA, [Jordan] decided to do something a little more ambitious. He wanted to decapsulate and reverse engineer an IC. No, this isn’t taking a peek at billions of transistors — [Jordan] chose a 74-series Quad XOR for this project — but it does show what goes into reverse engineering silicon, and how even simple chips can be maddeningly confusing.

The first step to reverse engineering a chip is decapsulation, and for this [Jordan] had two options. He could drop acid, or he could attack a ceramic package with an endmill. While hot nitric acid is effective and fun, it is a bit scary, so [Jordan] mounted a few chips in a 3D printed holder wedged in the vice on his mill. By slowly bringing the Z axis down a few thou at a time, he was able to find the tiny 1 mm square bit of silicon embedded in this chip. With the help of a grad student and the cleanroom, this square of sand was imaged with a very nice microscope.

Now that [Jordan] had an image of the silicon itself, he had to reverse engineer the chip. You might think that with less than a dozen transistors in there, designing an XOR out of transistors is something anyone with a bit of Minecraft experience can do. This line of thinking proved to be a trap. Technically, this wasn’t an XOR gate. It was a transmission gate XNOR gate with a big inverter on the output. Logically, it’s the same, but when it comes to silicon fabrication, the transmission gate XNORs aren’t able to sink or source a lot of current. By designing the chip as an XNOR with an inverter, the chip designers were able to design a simple chip that could still meet the spec.

While [Jordan] managed to reverse engineer the chip, this was quite possibly the simplest chip he could reverse engineer. The Quad XOR is just the same silicon repeated four times, anyway. This is the baseline for all efforts to reverse engineer silicon, and there were still a few confusing traps.

Making Solar Cells

We will admit that it is unlikely you have enough gear in your basement to make a solar cell using these steps. However, it is interesting to see how a bare silicon wafer becomes a solar cell. If you’ve seen ICs going through fabrication, you’ll see a lot of similarities, but there are some differences.

The process calls for a silicon wafer, some ovens, spin coaters, photolithography equipment, and a dice saw, among other things. Oh, you probably also need a clean room. Maybe you should just buy your solar cells off the shelf, but it is still interesting to see how they are made.

Modern solar cells have some extra structures to improve their efficiency, but the cells in this video are pretty garden-variety. For example, some experimental cells use multiple layers of active devices, each tuned to absorb a different wavelength of light.

If you really want to make your own, there’s another process where you can start with some copper and wind up with a kind of solar cell that uses a copper-based semiconductor material. But don’t be fooled into thinking that making the silicon variety is totally out of reach to hackers; we’ve seen [Sam Zeloof] pull it off.


Pull Passwords Out Of Silicon

[q3k] got tipped off to a very cool problem in the ongoing Pwn2Win capture-the-flag, and he blew it out of the water by decoding the metal interconnect layers that encode a password in a VLSI IC. And not one to rent someone else’s netlist extraction code, he did it by writing his own.

The problem in the Pwn2Win CTF came in the form of the design files for a hypothetical rocket launch code. The custom IC takes an ASCII string as input, and flips a pin high if it matches. Probably the simplest way to do this in logic is to implement a shift register that’s long enough for the code string’s bits, and then hard-wire some combinatorial logic that only reads true when all of the individual bits are correct.

(No, you don’t want to implement a password-checker this way — it means that you could simply brute-force the password far too easily — but such implementations have been seen in the wild.)

Anyway, back to our story. After reversing the netlist, [q3k] located 320 flip-flops in a chain, suggesting a 40-byte ASCII code string. Working backward in the circuit from the “unlocked” pin to the flip-flops, he found a network of NOR and NAND gates, which were converted into a logic notation and then tossed into Z3 to solve. Some cycles later, he had pulled the password straight out of the silicon!

This looks like a really fun challenge if you’re into logic design or hardware reverse engineering. You don’t have to write your own tools to do this, of course, but [q3k] would say that it was worth it.
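The approach described above, as an added example that is not [q3k]'s tooling or the CTF design: a constructed 4-byte secret is hard-wired into NAND/NOR match logic, and walking back from the match output recovers it with no guessing, which is why a hard-wired comparator keeps nothing secret from anyone holding the netlist. The netlist format, gate names and `SECRET` are assumptions, and simple backward propagation stands in for Z3 here, stopping with an error where a gate's inputs are not forced.

```python
# Added illustration on a constructed toy netlist (not the CTF design).
# gates: output_net -> (kind, input_nets); nets named q<i> are flip-flops.
SECRET = b"T0Y!"  # constructed sample value

def build_checker(secret):
    """Hard-wire `secret` into NAND/NOR match logic, 4 inputs per gate."""
    gates, level = {}, []
    for i in range(len(secret) * 8):
        if (secret[i // 8] >> (7 - i % 8)) & 1:
            level.append(f"q{i}")                    # expect 1: use bit as is
        else:
            gates[f"inv{i}"] = ("NAND", (f"q{i}",))  # expect 0: invert it
            level.append(f"inv{i}")
    depth = 0
    while len(level) > 1 or depth % 2:  # NAND/NOR layers; end active-high
        kind = "NOR" if depth % 2 else "NAND"
        nxt = []
        for j in range(0, len(level), 4):
            gates[f"g{depth}_{j // 4}"] = (kind, tuple(level[j:j + 4]))
            nxt.append(f"g{depth}_{j // 4}")
        level, depth = nxt, depth + 1
    return gates, level[0]

def evaluate(gates, net, ff):
    """Simulate the logic for flip-flop contents `ff` (net -> 0/1)."""
    if net not in gates:
        return ff[net]
    kind, ins = gates[net]
    vals = [evaluate(gates, n, ff) for n in ins]
    return int(not all(vals)) if kind == "NAND" else int(not any(vals))

def recover(gates, out_net):
    """Walk back from match=1 and read off the bit each flip-flop must hold."""
    need, todo = {}, [(out_net, 1)]
    while todo:
        net, val = todo.pop()
        if need.setdefault(net, val) != val:
            raise ValueError(f"conflicting requirements on {net}")
        if net not in gates:
            continue  # flip-flop output: its required bit is now recorded
        kind, ins = gates[net]
        # NAND=0 forces all inputs to 1 and NOR=1 forces all to 0; the other
        # output value is only forced for a one-input (inverter) gate.
        if val == (kind == "NAND") and len(set(ins)) > 1:
            raise ValueError(f"{net} is not forced; a solver is needed")
        todo += [(n, 1 - val) for n in ins]
    n_ff = sum(n not in gates for n in need)
    bits = "".join(str(need[f"q{i}"]) for i in range(n_ff))
    return bytes(int(bits[i:i + 8], 2) for i in range(0, n_ff, 8))
```

`recover(*build_checker(SECRET))` returns the secret after visiting each gate once, while `evaluate` confirms that only that input drives the match output high.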

Thanks [Victor] for the great tip!
Featured image by David Carron, via Wikipedia.

Friday Hack Chat: Open Source Silicon

This Friday, Hackaday.io will be graced with purveyors of Open Source Silicon. Join us in the Hackaday.io Hack Chat this Friday, April 14 at noon PDT (19:00 UTC) for a conversation with SiFive, an ‘Open’ silicon manufacturer.

This week, we’re sitting down with SiFive, a fabless semiconductor company and makers of the HiFive1, an Open Hardware microcontroller that you can just go out and buy. Late last year, SiFive released the HiFive1, an Arduinofied version of SiFive’s FE310 System on Chip. This SoC is a RISC-V core and one of the first microprocessors that is completely Open Source. It is an affront to Stallmanism, the best hope we have for truly Open hardware, and it’s pretty fast, to boot.

SiFive isn’t only working on Open Hardware microcontrollers — their business plan is pretty much, ‘OSH Park, but for silicon’. If you have a design for a new type of chip, they’ll work with foundries to turn your design into a cute little epoxy impregnated blob. It’s a fascinating business plan, and you’re going to hear all about it this Friday in the Hack Chat.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 21st, we’re going to be talking magnets with Nanomagnetics. Making magnets, collecting magnets, playing with magnets, it’ll all be over on the Hack Chat.

Friday Hack Chat: Audio Amplifier Design

Join [Jørgen Kragh Jakobsen], Analog/digital Design Engineer at Merus-Audio, for this week’s Hack Chat.

Every week, we find a few interesting people making the things that make the things that make all the things, sit them down in front of a computer, and get them to spill the beans on how modern manufacturing and technology actually happens. This is the Hack Chat, and it’s happening this Friday, March 31, at noon PDT (20:00 UTC).

Jørgen’s company has developed a line of multi-level Class D amplifiers that focus on power reduction to save battery life in mobile applications without losing audio quality.

There are a lot of tricks to bring down power consumption, some based on core transistor-switching technologies, others based on input level, where modulation type and frequency are dynamically changed to fit everything from background audio level to party mode.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 7th, our host will be [Samy Kamkar], hacker extraordinaire, to talk reverse engineering.