The reverse engineering process

From VisualChips

Overview

To help explain which state each of our projects is at, here's a description of the steps we follow:

• get a chip, or more than one, which we can depackage
• depackage it
• take many photographs through a microscope of the metal layer
• stitch into a single large image, correcting for distortions and overlaps
• capture the polygons - at least for metal, usually also for contact cuts - into a data file
• usually, deprocess the chip to expose the lower silicon layers
• photograph, stitch and capture
• convert the data files into a description we can simulate
• investigate the behaviour of the chip by simulation
• investigate the layout and logic design
• write up our results on this wiki

Microphotography

The very best results come from the professional reverse engineering labs, who can for example polish the die before photography. By repeated polishing and photography it's possible to image successive layers without careful chemistry.

We've collected this advice from people experienced in the field

• A 20x objective is great and 100x is overkill and difficult.
  • 10x might be adequate to get connectivity but not great for exact geometry.
• Useful whole-chip images would be 6000 or 10000 pixel on a side.
• Use an X-Y table to ensure no rotation between the successive images
• Try to get the chip dead level so it's all in the same focal plane
• Use same (manual) exposure and zoom for all images
• Use manual white balance
• Save RAW format if possible, save at highest quality
• Aim for at least 200 pixels of overlap between adjacent images

Resources

Labs:

• Raw Science a lab in the UK who deprocessed and photographed the Spectrum ULA
• 3g forensics a lab in the UK who deprocessed the Tube ULA
• [1] MEFAS, a failure analysis lab mentioned in this posting by Henry of reactivemicro.com on AtariAge forums

Papers and websites:

• [2] Visual6502's PDF's relating to Greg James' presentation at SIGGRAPH 2010
• Degate, GPL software to recover netlist from layout, especially of cell-based designs
• Reverse-Engineering a Cryptographic RFID Tag Usenix paper by Nohl, Evans, Starbug and Plötz
• Reverse-engineering the HP-35 website by Peter Monta
• The Decapping Project website on ROM dumping for MAME

Mailing lists, blogs and forum postings:

• Reversing the Tube ULA (destructively) post and thread on the BBC-Micro mailing list. Also found here
• post containing Christian Sattler's advice on photography
• The Decapping Project WIP Page: A Blog About Decapping For MAME