The reverse engineering process

From VisualChips

Revision as of 11:48, 30 January 2011

== The Process ==

To help explain which stage each of our projects is at, here's a description of the steps we follow:

* get a chip, or more than one, which we can depackage
* depackage it
* take many photographs through a microscope of the metal layer
* stitch into a single large image, correcting for distortions and overlaps
* capture the polygons - at least for metal, usually also for contact cuts - into a data file
* usually, deprocess the chip to expose the lower silicon layers
* photograph, stitch and capture
* convert the data files into a description we can simulate
* investigate the behaviour of the chip by simulation
* investigate the layout and logic design
* write up our results on this wiki

== Microphotography ==

The very best results come from the professional reverse engineering labs, who can for example polish the die before photography. By repeated polishing and photography it's possible to image successive layers without careful chemistry.

We've collected this advice from people experienced in the field:

* A 20x objective is great; 100x is overkill and difficult.
** 10x might be adequate to get connectivity but not great for exact geometry.
* Useful whole-chip images would be 6000 or 10000 pixels on a side.
* Use an X-Y table to ensure no rotation between the successive images.
* Try to get the chip dead level so it's all in the same focal plane.
* Use the same (manual) exposure and zoom for all images.
* Use manual white balance.
* Save in RAW format if possible, and save at the highest quality.
* Aim for at least 200 pixels of overlap between adjacent images.

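The stitching step in the process above, once an X-Y table rules out rotation, reduces to finding a pure translation between neighbouring tiles. The following is an added example, not VisualChips code: it recovers that shift for two constructed synthetic tiles by scoring candidate offsets over the expected overlap band (the scaled-down tile sizes and overlaps are assumptions, and lens-distortion correction is left out).

```python
# Added example (not VisualChips code): translation-only registration of two
# adjacent die-photo tiles. Assumes an X-Y table (no rotation) and a known overlap band.
import random

def make_die_pattern(width, height, seed=1):
    # Constructed stand-in for a die photo: reproducible pseudo-random 8-bit grey
    # levels (real input would be the RAW/TIFF tiles from the microscope).
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]

def crop(img, x0, y0, w, h):
    # Cut a w x h tile whose top-left corner is (x0, y0) in the full image.
    return [row[x0:x0 + w] for row in img[y0:y0 + h]]

def mean_sq_diff(left, right, dx, dy):
    # Mean squared grey-level difference where `right`, placed with its origin at
    # (dx, dy) in `left`'s frame, overlaps `left`; normalised by overlap area.
    h, w = len(left), len(left[0])
    x0, x1 = max(dx, 0), min(w, w + dx)
    y0, y1 = max(dy, 0), min(h, h + dy)
    if x1 <= x0 or y1 <= y0:
        return float("inf")  # this offset leaves no overlap at all
    total = 0
    for y in range(y0, y1):
        lrow, rrow = left[y], right[y - dy]
        for x in range(x0, x1):
            d = lrow[x] - rrow[x - dx]
            total += d * d
    return total / ((x1 - x0) * (y1 - y0))

def find_shift(left, right, min_overlap, max_overlap, max_dy):
    # Score every (dx, dy) consistent with the expected overlap band and a small
    # vertical drift; the lowest mean squared difference is the stitch offset.
    w = len(left[0])
    best = (float("inf"), None, None)
    for dx in range(w - max_overlap, w - min_overlap + 1):
        for dy in range(-max_dy, max_dy + 1):
            score = mean_sq_diff(left, right, dx, dy)
            if score < best[0]:
                best = (score, dx, dy)
    return best[1], best[2]

def demo():
    # Two 64x48 toy tiles cut from one constructed scene with a known shift of (44, 2):
    # 20 px of horizontal overlap plus 2 px of stage drift, which find_shift recovers.
    scene = make_die_pattern(200, 60)
    left = crop(scene, 0, 0, 64, 48)
    right = crop(scene, 44, 2, 64, 48)
    return find_shift(left, right, min_overlap=10, max_overlap=30, max_dy=3)
```

With real tiles the same search runs with min_overlap near the 200 pixels recommended above, and a coarse-to-fine search replaces the exhaustive loop.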
== Resources ==

Labs:

* [http://www.rawscience.co.uk/decapsulation-examination.asp Raw Science], a lab in the UK which deprocessed and photographed the Spectrum ULA
* [http://www.3gforensics.co.uk/content.php/203 3g forensics], a lab in the UK which deprocessed the Tube ULA
* [http://mefas.com/failure.html MEFAS], a failure analysis lab mentioned in [http://www.atariage.com/forums/topic/136706-internal-antic-and-gtia-schematics/page__view__findpost__p__1651531?s=de4cd5a79909d3bcb06b0384e3039745 this posting] by Henry of reactivemicro.com on the AtariAge forums

Papers and websites:

* [http://visual6502.org/downloads.html Visual6502's PDFs] relating to Greg James' presentation at SIGGRAPH 2010
* [http://www.degate.org/ Degate], GPL software to recover a netlist from layout, especially of cell-based designs
* [http://www.usenix.org/events/sec08/tech/nohl.html Reverse-Engineering a Cryptographic RFID Tag], USENIX paper by Nohl, Evans, Starbug and Plötz
* [http://www.pmonta.com/calculators/hp-35/ Reverse-engineering the HP-35], website by Peter Monta
* [http://guru.mameworld.info/decap/index.html The Decapping Project], website on ROM dumping for MAME

Mailing lists, blogs and forum postings:

* [http://lists.cloud9.co.uk/pipermail/bbc-micro/2010-October/009437.html Reversing the Tube ULA (destructively)], post and thread on the BBC-Micro mailing list. Also found [http://mdfs.net/Archive/BBCMicro/2010/10/29/182154.htm here]
* [http://lists.cloud9.co.uk/pipermail/bbc-micro/2010-October/009443.html Post] containing Christian Sattler's advice on photography
* [http://decap.mameworld.info/ The Decapping Project WIP Page: A Blog About Decapping For MAME]