The reverse engineering process

From VisualChips

(Difference between revisions)
m (Resources: link to the Educational Resources page)
m (Resources: update broken links)
 
(3 intermediate revisions not shown)
Line 2: Line 2:
To help explain which state each of our projects is at, here's a description of the steps we follow:
To help explain which state each of our projects is at, here's a description of the steps we follow:
-
* get a chip, or more than one, which we can depackage
+
* Get a chip, usually just one of a particular kind but sometimes more
-
* depackage it
+
* Depackage the chip
-
* take many photographs through a microscope of the metal layer
+
** Chips with a metal lid or a ceramic sandwich [http://en.wikipedia.org/wiki/Dual_in-line_package package] are preferable since these have no plastic in contact with the die.
-
* stitch into a single large image, correcting for distortions and overlaps
+
** Chips packaged in plastic must be treated with very hot, very nasty acids which we do at a local laboratory with proper equipment
-
* capture the polygons - at least for metal, usually also for contact cuts - into a data file
+
* Photograph the exposed surface of the chip through a microscope
-
* usually, deprocess the chip to expose the lower silicon layers
+
** Many separate photographs must be taken to cover the surface at high enough resolution
-
* photograph, stitch and capture
+
* Stitch the photographs into a single large image
-
* convert the data files into a description we can simulate
+
** Alignment data is used to correct individual photographs for optical distortions
-
* investigate the behaviour of the chip by simulation
+
* Usually, de-layer the chip to reveal hidden or obscured lower features
-
* investigate the layout and logic design
+
* Photograph and stitch each layer image
-
* write up our results on this wiki
+
* Align all layer images to each other
 +
* Create polygon models of each part of the chip based on the aligned images
 +
* Convert the polygon data into a description we can simulate
 +
* Investigate the behaviour of the chip by simulation
 +
* Investigate the layout and logic design
 +
* Write up our results on this wiki
== Microphotography ==
== Microphotography ==
-
The very best results come from the professional reverse engineering labs, who can for example polish the die before photography. By repeated polishing and photography it's possible to image successive layers without careful chemistry.
+
Based on our own work and advice from several professionals in the field
-
 
+
* A 20x objective is great, while 100x is overkill and difficult to work with
-
We've collected this advice from people experienced in the field
+
** 10x is sometimes adequate for chips with 4 um to 6 um feature sizes, but its better to shoot at higher magnification and downsample the result.
-
* A 20x objective is great and 100x is overkill and difficult.
+
* Useful whole-chip images are typically 6000 to 10000 pixels on a side
-
** 10x might be adequate to get connectivity but not great for exact geometry.
+
-
* Useful whole-chip images would be 6000 or 10000 pixel on a side.
+
* Use an X-Y table to ensure no rotation between the successive images
* Use an X-Y table to ensure no rotation between the successive images
-
* Try to get the chip dead level so it's all in the same focal plane
+
** A position readout is not needed, and position information from the microscope is not used to stitch images
-
* Use same (manual) exposure and zoom for all images
+
* Try to get the chip dead level so its entire surface is in the focal plane
-
* Use manual white balance
+
** A tip-tilt stage with micrometer drive is essential for this, unless you are very patient
-
* Save RAW format if possible, save at highest quality
+
* Use a manual fixed exposure, zoom, and white balance for all images
 +
** Microscopes with a variable zoom are not helpful and could waste a lot of your time later on
 +
* Save images in RAW format if possible at the highest quality
* Aim for at least 200 pixels of overlap between adjacent images
* Aim for at least 200 pixels of overlap between adjacent images
 +
 +
== De-layering ==
 +
 +
Stripping away individual layers of a chip to reveal the parts and features below can be one of the most difficult and even hazardous procedures owing to the chemicals involved and their byproducts.
 +
* Some labs may use repeated mechanical or chemical-mechanical polishing and photography to image successive layers
 +
** This is more common for modern devices, especially those that have been planarized during manufacture
 +
** It may be riskier and costlier for the older chips we study which have only a single metal layer and whos surfaces are very irregular
 +
* Plasma etching and various chemicals can be used to remove all the material of a particular layer at once
== Resources ==
== Resources ==
Labs:
Labs:
-
* [http://www.rawscience.co.uk/decapsulation-examination.asp Raw Science] a lab in the UK who deprocessed and photographed the Spectrum ULA
+
* [https://www.rawscience.co.uk/reverse-enginering/decapsulation.aspx Raw Science] a lab in the UK who deprocessed and photographed the Spectrum ULA
* [http://www.3gforensics.co.uk/content.php/203 3g forensics] a lab in the UK who deprocessed the Tube ULA
* [http://www.3gforensics.co.uk/content.php/203 3g forensics] a lab in the UK who deprocessed the Tube ULA
-
* [http://mefas.com/failure.html] MEFAS, a failure analysis lab mentioned in [http://www.atariage.com/forums/topic/136706-internal-antic-and-gtia-schematics/page__view__findpost__p__1651531?s=de4cd5a79909d3bcb06b0384e3039745 this posting] by Henry of reactivemicro.com on AtariAge forums
+
* [https://www.eag.com/services/engineering/failure-analysis/ EAG] formerly MEFAS, a failure analysis lab in Irvine California, mentioned in [http://www.atariage.com/forums/topic/136706-internal-antic-and-gtia-schematics/page__view__findpost__p__1651531?s=de4cd5a79909d3bcb06b0384e3039745 this posting] by Henry of reactivemicro.com on AtariAge forums
Papers and websites:
Papers and websites:
-
* [http://visual6502.org/downloads.html] Visual6502's PDF's relating to Greg James' presentation at SIGGRAPH 2010
+
* [http://visual6502.org/downloads.html] Visual6502's PDFs relating to Greg James' presentation at SIGGRAPH 2010
* [http://www.degate.org/ Degate], GPL software to recover netlist from layout, especially of cell-based designs
* [http://www.degate.org/ Degate], GPL software to recover netlist from layout, especially of cell-based designs
* [http://www.usenix.org/events/sec08/tech/nohl.html Reverse-Engineering a Cryptographic RFID Tag] Usenix paper by Nohl, Evans, Starbug and Plötz
* [http://www.usenix.org/events/sec08/tech/nohl.html Reverse-Engineering a Cryptographic RFID Tag] Usenix paper by Nohl, Evans, Starbug and Plötz
* [http://www.pmonta.com/calculators/hp-35/ Reverse-engineering the HP-35] website by Peter Monta
* [http://www.pmonta.com/calculators/hp-35/ Reverse-engineering the HP-35] website by Peter Monta
* [http://guru.mameworld.info/decap/index.html The Decapping Project] website on ROM dumping for MAME
* [http://guru.mameworld.info/decap/index.html The Decapping Project] website on ROM dumping for MAME
 +
* [http://siliconpr0n.wikispaces.com/ Silicon Pr0n] "A Reverse Engineering Wiki"
Mailing lists, blogs and forum postings:
Mailing lists, blogs and forum postings:
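Review bot: two of the added lines carry typos. The new 10x sub-bullet under Microphotography reads "its better to shoot at higher magnification" and should read "it's better", and the new De-layering sub-bullet reads "whos surfaces are very irregular" and should read "whose surfaces". The rewritten step list also drops the old detail that polygons are captured "at least for metal, usually also for contact cuts"; if that is still the practice, keep it as a sub-bullet under "Create polygon models of each part of the chip" so readers know which layers the models cover.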

Latest revision as of 08:33, 12 July 2018


Overview

To help explain which state each of our projects is at, here's a description of the steps we follow:

  • Get a chip, usually just one of a particular kind but sometimes more
  • Depackage the chip
    • Chips with a metal lid or a ceramic sandwich package are preferable since these have no plastic in contact with the die.
    • Chips packaged in plastic must be treated with very hot, very nasty acids, which we do at a local laboratory with proper equipment
  • Photograph the exposed surface of the chip through a microscope
    • Many separate photographs must be taken to cover the surface at high enough resolution
  • Stitch the photographs into a single large image
    • Alignment data is used to correct individual photographs for optical distortions
  • Usually, de-layer the chip to reveal hidden or obscured lower features
  • Photograph and stitch each layer image
  • Align all layer images to each other
  • Create polygon models of each part of the chip based on the aligned images
  • Convert the polygon data into a description we can simulate
  • Investigate the behaviour of the chip by simulation
  • Investigate the layout and logic design
  • Write up our results on this wiki

Microphotography

Based on our own work and advice from several professionals in the field:

  • A 20x objective is great, while 100x is overkill and difficult to work with
    • 10x is sometimes adequate for chips with 4 um to 6 um feature sizes, but it's better to shoot at higher magnification and downsample the result.
  • Useful whole-chip images are typically 6000 to 10000 pixels on a side
  • Use an X-Y table to ensure no rotation between the successive images
    • A position readout is not needed, and position information from the microscope is not used to stitch images
  • Try to get the chip dead level so its entire surface is in the focal plane
    • A tip-tilt stage with micrometer drive is essential for this, unless you are very patient
  • Use a manual fixed exposure, zoom, and white balance for all images
    • Microscopes with a variable zoom are not helpful and could waste a lot of your time later on
  • Save images in RAW format if possible, at the highest quality
  • Aim for at least 200 pixels of overlap between adjacent images
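
The rules above exist because stitching works from image content alone: with no rotation and a fixed zoom, placing a tile reduces to finding a pure translation inside the overlap band. The following is an added example, not code from the VisualChips project; the tile sizes, offsets and the `register` helper are constructed for illustration, scaled down from the 200 pixel overlap so it runs quickly.

```python
import random

def make_scene(w, h, seed=1):
    # Constructed stand-in for a die surface: random 8-bit grey levels.
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(w)] for _ in range(h)]

def crop(img, x, y, w, h):
    return [row[x:x + w] for row in img[y:y + h]]

def rescale(tile, gain):
    # Simulates a tile shot with a different exposure.
    return [[min(255, int(v * gain)) for v in row] for row in tile]

def mean_abs_diff(left, right, dx, dy):
    # Mean |difference| where `right`, placed at (dx, dy) in left's
    # pixel coordinates, overlaps `left`.
    total = count = 0
    for y in range(max(0, dy), min(len(left), dy + len(right))):
        lrow, rrow = left[y], right[y - dy]
        for x in range(dx, min(len(lrow), dx + len(rrow))):
            total += abs(lrow[x] - rrow[x - dx])
            count += 1
    return total / count if count else float("inf")

def register(left, right, min_overlap, max_dy):
    # Translation-only search: no rotation or scale term, which is only
    # valid when the X-Y table and fixed zoom keep both constant.
    w = len(left[0])
    best = None
    for dx in range(w // 2, w - min_overlap + 1):
        for dy in range(-max_dy, max_dy + 1):
            score = mean_abs_diff(left, right, dx, dy)
            if best is None or score < best[0]:
                best = (score, dx, dy)
    score, dx, dy = best
    return dx, dy, score

# Constructed data: 64x48 tiles cut from one scene with a 20 px overlap.
scene = make_scene(120, 60)
left = crop(scene, 0, 4, 64, 48)
right = crop(scene, 44, 6, 64, 48)   # true offset: dx=44, dy=2

if __name__ == "__main__":
    print(register(left, right, min_overlap=8, max_dy=4))
    print(register(left, rescale(right, 1.2), min_overlap=8, max_dy=4))
```

With matched exposure the residual at the true offset is zero; with the second tile rescaled the offset is still found, but the non-zero residual is the brightness seam that would show in the stitched image.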

De-layering

Stripping away individual layers of a chip to reveal the parts and features below can be one of the most difficult and even hazardous procedures owing to the chemicals involved and their byproducts.

  • Some labs may use repeated mechanical or chemical-mechanical polishing and photography to image successive layers
    • This is more common for modern devices, especially those that have been planarized during manufacture
    • It may be riskier and costlier for the older chips we study, which have only a single metal layer and whose surfaces are very irregular
  • Plasma etching and various chemicals can be used to remove all the material of a particular layer at once

Resources

Labs:

  • Raw Science, a lab in the UK who deprocessed and photographed the Spectrum ULA
  • 3g forensics, a lab in the UK who deprocessed the Tube ULA
  • EAG, formerly MEFAS, a failure analysis lab in Irvine, California, mentioned in this posting by Henry of reactivemicro.com on AtariAge forums

Papers and websites:

Mailing lists, blogs and forum postings:

See also our Educational Resources page
