38C3 - Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!

13,539 views

media.ccc.de

1 day ago

media.ccc.de/v...
Custom silicon chips are black boxes that hold many secrets, like internal ROMs, security features and audio DSP algorithms. How does one start reverse engineering them? Let's look at the basics of silicon reverse engineering, what gate array chips are, and how some tooling can generate Verilog code automatically from a die shot.
A digital synthesizer from 1986 was completely shrouded in mystery and dubious marketing claims. Being that old, eventually every working unit will break, leaving us with no information about its inner workings. I could not accept this, so I decided to get into silicon reverse engineering. By dissolving the packages of its undocumented custom chips in acid and looking at the dies through a microscope, I was able to get an understanding of what was going on internally, so that it can be preserved and emulated in the future.
This is possible because a lot of custom silicon chips from that era (the 80s and 90s) are of the "gate array" type: a grid-like structure of thousands of prefabricated digital logic cells, customised only by the metal wiring laid on top of them. By looking at the cells closely we can work out what each gate does, and by following the wiring between them we can reconstruct the entire system. This method has allowed people to understand and recreate perfect emulations of arcade games, sound chips, security ICs and more.
In this talk I want to tell the story of my journey into silicon reverse engineering from the perspective of a complete beginner and software guy, and what I learned in the process. I will go through the different kinds of custom chips, how they look under a microscope, their different parts, what can be easily reverse engineered and what cannot. Those chips do not only contain logic, but also RAM and ROM blocks, and knowing how to identify them can give clues when looking at the logic is too complicated. Sometimes a chip can be completely understood even without knowing what a MOSFET is.
I will also cover the process I used to reverse engineer them, some techniques that worked and some that didn't, and some tools I built to automatically extract mask ROMs and generate Verilog code from die shots.
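The last step of the pipeline the abstract describes, going from identified cells and traced wiring to Verilog, is small enough to show in full. The block below is an added example, not the speaker's tool or any code from the talk. It assumes a hypothetical annotation format in which the analyst records one tuple per cell, (instance, cell_type, output_net, input_nets), after identifying each cell in the gate-array grid and following the metal wiring between cells; the die-shot image processing that would produce such a list is not modelled. The sample netlist is a constructed full adder built from nine NAND2 cells, and the checks catch the tracing mistakes that matter in practice: a wire traced to nowhere, a net driven twice, a cell given the wrong number of inputs, and a netlist that stalls in simulation because of feedback.

```python
"""Added example, not the speaker's tool: a hand-annotated gate-array
extraction turned into structural Verilog, with the sanity checks one wants
before trusting it.

Assumed, hypothetical annotation format: one tuple per identified cell,
(instance, cell_type, output_net, input_nets), with net names taken from
the wires traced between cells on the die shot."""

# Cell library: (Verilog gate primitive, input count, Python evaluator).
CELL_LIBRARY = {
    "INV":   ("not",  1, lambda x: int(not x)),
    "NAND2": ("nand", 2, lambda x, y: int(not (x and y))),
    "NOR2":  ("nor",  2, lambda x, y: int(not (x or y))),
}

# Constructed sample: a full adder made of nine NAND2 cells, a typical
# structure on a NAND-based gate array. Net names are the analyst's labels.
EXTRACTED_CELLS = [
    ("U1", "NAND2", "n1",   ("a", "b")),
    ("U2", "NAND2", "n2",   ("a", "n1")),
    ("U3", "NAND2", "n3",   ("b", "n1")),
    ("U4", "NAND2", "s1",   ("n2", "n3")),   # s1 = a XOR b
    ("U5", "NAND2", "n4",   ("s1", "cin")),
    ("U6", "NAND2", "n5",   ("s1", "n4")),
    ("U7", "NAND2", "n6",   ("cin", "n4")),
    ("U8", "NAND2", "sum",  ("n5", "n6")),   # sum = s1 XOR cin
    ("U9", "NAND2", "cout", ("n1", "n4")),   # cout = a&b | s1&cin
]
PRIMARY_INPUTS = ["a", "b", "cin"]
PRIMARY_OUTPUTS = ["sum", "cout"]


def check_netlist(cells, inputs, outputs):
    """Catch tracing mistakes before trusting the netlist: a net driven twice,
    a wrong input count, or a net that is used but driven by nothing."""
    drivers = {}
    for inst, ctype, out, ins in cells:
        if ctype not in CELL_LIBRARY:
            raise ValueError(f"{inst}: unknown cell type {ctype}")
        if len(ins) != CELL_LIBRARY[ctype][1]:
            raise ValueError(f"{inst}: {ctype} expects {CELL_LIBRARY[ctype][1]} inputs")
        if out in drivers or out in inputs:
            raise ValueError(f"{inst}: net {out} is driven more than once")
        drivers[out] = inst
    used = {n for _, _, _, ins in cells for n in ins} | set(outputs)
    undriven = sorted(used - set(drivers) - set(inputs))
    if undriven:
        raise ValueError(f"undriven nets: {undriven}")
    return drivers


def emit_verilog(name, cells, inputs, outputs):
    """Emit a structural Verilog module built from built-in gate primitives."""
    check_netlist(cells, inputs, outputs)
    internal = sorted({out for _, _, out, _ in cells} - set(outputs))
    lines = [f"module {name}(" + ", ".join(inputs + outputs) + ");",
             "  input " + ", ".join(inputs) + ";",
             "  output " + ", ".join(outputs) + ";"]
    if internal:
        lines.append("  wire " + ", ".join(internal) + ";")
    for inst, ctype, out, ins in cells:
        lines.append(f"  {CELL_LIBRARY[ctype][0]} {inst} ({out}, {', '.join(ins)});")
    lines.append("endmodule")
    return "\n".join(lines) + "\n"


def simulate(cells, inputs, outputs, vector):
    """Evaluate the combinational netlist for one input vector by resolving
    cells whose inputs are known; a stall means feedback or an undriven net."""
    values = dict(zip(inputs, vector))
    pending = list(cells)
    while pending:
        ready = [c for c in pending if all(n in values for n in c[3])]
        if not ready:
            raise ValueError("cannot resolve: " + ", ".join(c[0] for c in pending))
        for inst, ctype, out, ins in ready:
            values[out] = CELL_LIBRARY[ctype][2](*(values[n] for n in ins))
        pending = [c for c in pending if c not in ready]
    return tuple(values[o] for o in outputs)


def truth_table(cells=EXTRACTED_CELLS, inputs=PRIMARY_INPUTS, outputs=PRIMARY_OUTPUTS):
    """Exhaustive truth table {input vector: output vector}."""
    n, table = len(inputs), {}
    for i in range(2 ** n):
        vec = tuple((i >> (n - 1 - k)) & 1 for k in range(n))
        table[vec] = simulate(cells, inputs, outputs, vec)
    return table


def matches_full_adder(table):
    """Does the recovered logic behave like a full adder for every input?"""
    return all((sum(v) & 1, sum(v) >> 1) == out for v, out in table.items())


def broken_trace_error():
    """A mistraced wire (U9's second input recorded as net n44, which nothing
    drives) is rejected up front instead of producing plausible-looking Verilog."""
    bad = [("U9", "NAND2", "cout", ("n1", "n44")) if c[0] == "U9" else c
           for c in EXTRACTED_CELLS]
    try:
        emit_verilog("full_adder", bad, PRIMARY_INPUTS, PRIMARY_OUTPUTS)
    except ValueError as err:
        return str(err)
    return ""
```

Calling emit_verilog("full_adder", EXTRACTED_CELLS, PRIMARY_INPUTS, PRIMARY_OUTPUTS) prints a module whose body is nine nand primitives, ready for a simulator; matches_full_adder(truth_table()) is the check that the extraction actually implements the function one guessed from the gate pattern, which is the closest thing to a datasheet an undocumented chip will ever offer. Sequential cells (latches, flip-flops) and multi-level metal would need a clocked evaluator and per-layer tracing, which this combinational example deliberately leaves out.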
giulioz
events.ccc.de/...
#38c3 #HardwareMaking
Licensed to the public under creativecommons...

Comments: 16
@der.Schtefan 7 days ago
The 80s/90s are the sweet spot where custom ASICs were manufactured and nowadays trivial optical methods were used. Nowadays it's probably easier to reverse engineer things that do "stuff" because even things with analog interfaces just throw a bunch of code at a standard ARM processor that has millions of transistors idling around, add some DACs, done. The custom stuff is in some code, more or less encrypted (or not), and the dumping is done by hacking encryption, or glitching the IC.
@Waldemar_la_Tendresse 6 days ago
"Idling around"? Please tell this to the manufacturer of the infamous "MiniFreak", since they don't seem to be able to get those lazy transistors back to work again so as not to produce any sound glitches. 🤣
@board8735 7 days ago
Great talk :D
@dabyd64 7 days ago
Great'e talk'e! Loved the Italian accent!
@Waldemar_la_Tendresse 6 days ago
And yet it only sounds real when a female voice full of indignation throws a "Mamma mia" at a specific other person. 🤣
@matost2 7 days ago
Great talk and very well presented!
@yxyk-fr 7 days ago
I have an RD1000 and I design digital ICs. So this presentation is doubly yummy!!!
@jean-francoiscaron5706 7 days ago
Very nice talk. My question would have been "what about multi-layer PCBs?" How do you deal with the multiple layers? In the context of the question the second person asked, what about 3D structures?
@lbgstzockt8493 7 days ago
You can sand down the different layers and take pictures; it is about as much work and as error-prone as you imagine it to be.
@SimonBuchanNz 7 days ago
This is also a typical issue with any chip: they're at least three layers (i.e. two metals sandwiching a polysilicate layer), and it's often very delicate acid washes to remove each layer. For larger structures like PCBs, you can also often use a CT scan, if you happen to have access to one of those.
@SnakebitSTI 6 days ago
Multi-layer PCBs can also be continuity tested to work out what connects to what. Basically, reverse engineering the schematic rather than the exact PCB layout. That is also extremely tedious. Even reverse engineering a 2 layer PCB can be quite tedious. Often to be able to see where all the traces go, you have to remove larger components. Really, you want as much schematic detail as you can get before starting.
@aaronlinell3916 5 days ago
No-money option: carefully sand and document each layer. Yes-money option: X-ray CT machine.
@colinofay7237 6 days ago
Extremely interesting, thanks.
@raldone01 6 days ago
Great talk! Keep it up.
@Waldemar_la_Tendresse 6 days ago
Very good and entertaining talk. But shouldn't the real question in this context rather be: "When will there be a law, entirely in the spirit of sustainability, that forces companies to transfer intellectual property of a certain age (20 years?) into the public domain?" If such a law existed, a large part of what is described here would simply not have been necessary (no, this is not a ban on doing it anyway) and, if one believes the political discussions regarding growth (please don't!), it should therefore result in an additional gain in freed-up resources and thus in growth of the economy, in the case that these "resources" are used accordingly.