Reading Silicon: How to Reverse Engineer Integrated Circuits

Captions
[Music]

Hello and welcome back, everyone. I am very excited to announce our next speaker, Ken Shirriff. He writes a popular blog, reverse-engineering everything from chargers to microprocessors. He created the IR remote library for Arduino and has written about Bitcoin mining on a 1960s punch-card computer. Ken was formerly a programmer at Google and is currently restoring a Xerox Alto. Please join me in welcoming Ken to the stage.

Hi everyone, thank you for coming out here. So you've probably wondered, you know, what's happening inside integrated circuits, what's inside those little packages. Maybe you've looked at die photos and thought, no, this makes no sense. So I'm here to introduce you to the bizarre hobby of reverse engineering old chips.

So I'll start with the Z80. Any Z80 fans out there? All right, awesome. So this 8-bit CPU, here's a die photo I got from Zeptobars. Let's see if this laser pointer works. So when you look at this chip, at first you may think this is just like a crazy jumble of circuitry, what's going on here? Well, there are some ways you can figure out what's going on. These little squares around the outside, those are the pads that connect with external pins. You'll notice that a lot of them have these green squiggly things; those are driver transistors for the outputs. You can notice some big pads here for ground and power. And so once you've figured that out, that gives you a bunch of landmarks that you can use to look at the data sheet, and then you can label all the pins, and this gives you a huge amount of information about what the chip is doing. So you can see up at the top the control pins, so that lets you know that the circuitry up there is the control circuitry. You've got address pins around here; you follow those pins and you discover the address bus runs along here. Let me move this over, right, so I can see you guys over there. Data pins, you can follow them to the data bus, which runs through here, connects to these blocks here, connects to this block up here. So already, even at this level, we can figure out a lot of what's going on in the circuit.

There are a few regular blocks amid the chaos, here, here and here, and those we can look at in more detail. The first block is the register file, and whenever you see a bunch of repeating patterns like this, each one of these little blocks is one bit of storage, and so this is the Z80's internal registers. If you count down there are sixteen blocks, so it's a 16-bit register pair, so each column is a separate register. Over here we know the address lines are connected, so we can figure that this must be the program counter and the incrementing circuit for the program counter, and then the data bus is connected over here to read out the registers. If you go into a little more detail there are some interesting things I found. There are secret registers, WZ; these are used internally, even though they're invisible to the programmer, for internal storage. Another thing is the Z80 has a couple of instructions that will swap the data in registers, and it turns out that it's actually not moving the data between registers; instead it swaps the control lines at the top, so it's much faster than actually moving data between registers. So that's just one of these optimizations that you find inside a chip.

The next thing that you see in a lot of microprocessors from this era is called the PLA, for instruction decoding, and that's this block up here. The way this works is the data bus we figured out comes in here, the instruction register holds the instruction, the bits of the instruction flow back and forth across here, and each transistor will match a bit in the instruction. So what you end up with is, you know, something like, say, zero zero one indicates a load; that will generate a control line coming out. Other things will match all the different instructions. So this is where the matching between the instruction set and what actually happens in the chip happens, and so instruction sets get designed so that it's easy to get from a bit pattern into what's happening.

The third interesting block is the ALU, and this is where things actually happen in the chip: the addition, subtraction, bit operations. Most chips use a bit slice, so they'll have, for an 8-bit processor, eight stacks of circuitry, one handling each bit of the data. Now the bizarre thing I found in the Z80 is that you can see there are only four slices here. The Z80 is an 8-bit chip but it only has four bits of ALU. How does that work? Well, it turns out that the designers realized the performance of the Z80 was limited by memory speed, so they had enough time that they could run everything through the ALU twice, so they saved space by putting a 4-bit ALU into an 8-bit chip.

So, you know, from this level we can figure out a lot about the chip, but to learn more we have to dive down into the transistor level. So I'll give you the quick description of MOS transistors. For our purposes we can consider it basically a switch: when the gate is turned on it will connect the source and drain, and when the gate is off they're disconnected. On the silicon we have a silicon layer which is basically an insulator; parts of it get diffused with impurities such as boron to become conducting semiconductor. There's a polysilicon gate on top, separated by a small insulating layer. When the gate is on, due to semiconductor magic, it makes this part conduct, and when the gate is off this is not conducting and they're disconnected. A couple of interesting things: this thin oxide layer is why MOS transistors are static sensitive. If you, you know, shuffle your feet across the carpet and touch the chip, the charge in the gate has nowhere to go and it'll just blow a hole right through the oxide layer and destroy the chip. In the early days the gate was made out of metal, so you'd have metal, oxide and semiconductor, so that was your MOS transistor. Ever since about 1970 they've used polysilicon, so it's really a POS transistor, but they don't use that word.

So once you have the transistors you can connect them up to form some gates. Take two transistors, you have a NAND gate: if both your inputs are one, the gates conduct, it pulls the output to ground, you get a zero. Pretty straightforward. And if you have a zero input, the transistor stops conducting and this resistor will pull the output high. And so it's very, very easy to implement a NAND gate with MOS transistors. When you look at a chip it's a lot more complicated than that. We can zoom way in on the Z80 chip and we get something like this. At first it looks, you know, just bizarre, but if you stare at it long enough it'll start to make sense. Here's what's on the chip photo, and then here's what it actually means. You can see this green region is conductive doped silicon. We have these things that look like metal on top; that's the metal layer of the chip that connects stuff up, provides five volts and ground. The gate inputs are polysilicon coming down; wherever polysilicon crosses silicon it turns into a transistor. So you see that you have your two transistors for the NAND gate here, and then the pull-up resistor is actually implemented with a transistor, because resistors are just awful on ICs. So if you stare at these chip photos long enough and closely enough you can figure out all the transistors, figure out the circuitry. It's a little tedious. It's easier if someone like the Visual 6502 team goes in and has people who digitize all these things into polygons, and then it's much easier to extract the transistors and the circuitry.

So it's not all NAND gates, though. It's just as easy to build a NOR gate by putting the transistors in parallel: now if any transistor is turned on the output is grounded, and if all inputs are 0 then it gets pulled high. So that seems straightforward enough, but the designers of the Z80, they wanted to optimize things, so they've made a whole bunch of crazy gates. Here's one of the gates in the ALU. It's a little hard to follow on the diagram, but transistors 1, 2 and 3 connect to this yellow metal strip, and then if 4 and 5, one of those conducts, it connects the middle strip to the output. So that gives you this circuitry, and then 6, 7 and 8 are transistors in series, and so that gives you a second part of the gate. So when you put this all together, you end up with a single gate on the chip that is logically 5 different gates, so it makes things very efficient. You know, these two gates actually don't require any circuitry; they're just made by wiring the two parts together. So this is one of the ways that made this gate much more compact. I won't try to explain what this is actually doing, other than it takes ALU inputs B and C and then computes the right operation, all with this one gate. So ALUs are really interesting, because every chip does things differently. You might think you just take an adder, you take AND gates and you get the logic you want, but it's all highly optimized, because it's repeated four or eight times. They try to squeeze out every bit of circuitry they can, and the 6502 does things totally differently. So I've written more information on the Z80 and ALUs if you want that. Fair enough? So that's the Z80.

Now I'll move on to an interesting calculator, the Sinclair Scientific. The idea there was Texas Instruments made this cheap calculator chip in the 1970s. It had 320 words of instructions in it; they could barely fit four functions into that: addition, subtraction, multiplication, division. Sinclair took the same chip and then reprogrammed it to be a scientific calculator with logs, trig, inverse trig, and the mystery is how can you take a chip that can barely multiply and make it into a scientific calculator. So I decided to find out. So thanks to John McMaster I got this die photo of the calculator chip. You can see a lot of the same features that showed up in the Z80: pads around the outside, ALU up here in the corner, decoding PLA, a regular register grid, [inaudible], and things you don't see in the Z80 such as 7-segment display drivers. But the most interesting thing for us is the instruction ROM here in the middle, which holds the code that the calculator runs. If you zoom way in on it you can actually see the individual bits on the chip in the metal layer, and so by looking at this very carefully I was able to pull out the code that the calculator is running. Then I was also able to reverse-engineer the instructions that it's using, and so I built a simulator for the calculator. So this simulator, you can try it out online if you want; it runs the exact code of the calculator. I then reverse-engineered the algorithms that it used and discovered how they managed to cram all this into such a small chip, and I discovered there were two tricks. The first trick is that because they use scientific notation and they used RPN input, they're able to save a whole lot of code on the chip, and then they use that extra space to put in these really, really compact but really slow and inaccurate algorithms for the scientific functions. So for instance, for trig functions they do repeated rotations by 1/1000 of a degree until you get to the angle you want. Because it's a decimal calculator, dividing by a thousand is just a trivial shift; you do a shift and then add and subtract, you just repeat that as necessary, and you can get your sine, cosine, inverse operations. One side effect of this is that the bigger the angle you put in, the slower the calculator, because it just has to keep going until it gets to the angle. Similarly for logs they used an algorithm with powers of 0.99. On a decimal machine that's really easy: you just shift two digits to divide by 100 and then you subtract and repeat as necessary. So that solved the mystery of how they managed to get a scientific calculator out of a regular calculator. They sold a whole pile of these even though it was super inaccurate. It's kind of sad that HP went to, like, so much work to make their algorithms totally accurate, and this, it's like, you can probably get three digits of accuracy, and people bought this by the millions.

Next I'd like to move on to a forgotten bit of computer storage history. Back in 1970 RAM storage was super expensive, so Intel had something called shift register memory. This is a board from the Datapoint 2200, which some people call the first personal computer, although some say the Xerox Alto is first, but anyway. Each one of these chips holds 512 bits, or in modern units that's a little less than half a tweet. So it's a shift register, which means you put the bits in and then eventually they come out the other side. I cut one of these open to see what's inside, took a die photo, and here's what's inside the chip: your bits come in, they go through these shift register stages, and eventually they come up to the top here where you can read them out. At that point you can either write a new bit or the old bit can recirculate around. So if you're reading your data sequentially this isn't too bad, but if you want to access something out of sequence you have to wait until the bit you want comes all the way through, kind of like waiting for the baggage carousel. So you can wait up to half a millisecond for your data if you're unlucky. So needless to say, once RAM chips dropped in price Intel stopped making these. And we can zoom in way closer to see the actual logic. Again we have the metal layer, we have polysilicon, and then underneath, the silicon layer. On the right I have an interpretation of it. Each bit is stored in an inverter. There are two clock phases: in the first clock phase it gets passed from the first inverter to the second inverter, and in the second clock phase it gets passed on to the next inverter. So basically your bits just slowly flow through the chip until you get them.

So now I'd like to move on to analog chips. Anyone here ever used a 555 timer? Yeah, I figured it'd be pretty much all of you. So this is one that I cut open. Before I get into the details of that I should talk a little bit about bipolar chips, transistors, you know, the NPN and PNP transistors that get used. You're probably familiar with how NPN transistors, you've got a layer of N, a layer of P, a layer of N, the base is connected in the middle. But the thing is, when you look at ICs it's nothing like that, just totally different. Here are some real bipolar transistors from ICs. Often you have your emitter in the middle, sometimes it's like a right angle, sometimes you've got two emitters, sometimes you've got six collectors, and you can't even find the base. It just gets really strange when you look inside an IC. So to explain what's going on a little more, here's a die photo of an NPN transistor and then here's the cross-section. Now as you can see, it's much more complex than the MOS transistor, which is why the world has mostly moved off bipolar transistors. If you look down from the emitter you can see the N, P and N layers are stacked vertically, but the connections are very different. To figure out what's happening in a die photo, the emitter usually has these multiple circles, the base you can see as this faint outline here of the P layer, and then the collector is off to the side somewhere. Now you might think that for the PNP transistor you just switch everything around, but it turns out they have a totally different structure. It's more of a circle structure. Here you can see the P, the N, the P, so you do have the PNP layers, but physically the emitter is this little dot in the middle, surrounded by the base, and then the collector is off to the side wrapping the whole thing, and then the base connection goes way underneath and comes up the other side here. It's so far out of the way that they actually run another wire through the middle of the transistor to help the layout.

So now that you know what to look at, here's a die photo I took of the 555 timer. You can see the circular PNP transistors and you can see tiny rectangular NPN transistors, the bond wires around the outside, three giant transistors to provide the high current output, and then these three pale stripes in the middle, these are the three transistors, sorry, three resistors, that make up the voltage divider for the 555 timer that sets the upper and lower oscillation limits. So you can see that resistors are kind of inconveniently large when you're building a chip. So up here we have one of the comparators, here we have another comparator, over here is a flip-flop. So I made an interactive chip viewer that maps everything on the chip to the schematic. You can click on something, it tells you what it does and where it is in the schematic, so you can try that out to get more details of how the chip works.

Next I wanted to talk about the 741 op amp. This op amp came out in the 1960s, in 1968. It was hugely popular; they sold hundreds of millions of them. I'm going to explain a little about why it was so popular. Here's the die photo I took. Again you can pick out the transistors. There's this giant resistor, this big squiggle here, that's all one resistor, and then this big thing in the middle, that's a capacitor. And the reason the capacitor is important is in previous op amps you had to put an external capacitor to keep it from oscillating. Dave Fullagar, the designer of the 741, he said, you know, engineers are lazy; if we put the capacitor inside the chip and the engineers don't have to add this extra capacitor, they'll love it. And so that's what he did, put the capacitor inside the chip, and it became hugely popular. So we can look now at more of the functional parts of the chip. The inputs go into the, we're losing a little off the top, differential amplifier there; this does the first stage of the op amp. The gain stage provides more amplification, and the output stage, you can see these giant transistors that provide the high current output. So another thing that made the 741 popular is this short circuit protection they added. In previous op amps, if you shorted the output the chip would burn up and be destroyed. They added this protection circuitry that would detect the overload and shut down the chip before it self-destructed, and this was another thing that made it very popular.

So one thing that's important to understand in analog circuits inside the chip is the current mirror. Data sheets will show these symbols for a current source. The first time I saw a current source I'm like, a current source? This is like a battery on this chip; where is the current coming from? And it turns out that what it is is, since resistors are so awful in chips, what they'll do is they'll have a single resistor to set how much current they want for the whole chip, and they can use this circuit called a current mirror, which basically clones that current, so you can get as many currents as you need just from the one resistor. And it's much more compact and much more accurate to use this current mirror circuit rather than resistors. It's kind of interesting, because when you're building something on a PCB you think of resistors as basically free and transistors as kind of expensive, but inside an integrated circuit it's the other way around: your transistors are pretty much free and it's your resistors that are expensive. So to see how important current mirrors are, this big resistor, this is the one huge resistor to control most of the currents in the 741, and then there are four different current mirrors that are making copies of that current. Another interesting thing is that inside ICs you find these really bizarre transistors. There's this one which has six collectors. This isn't something you can buy at Fry's, but it's easy to do inside an integrated circuit. The point of that was they wanted to have six copies of the current coming out of their current mirror, so they just make a transistor with six collectors and there you go. Or if you want two big currents and one small current, you make a transistor that has two big collectors and one small collector, and there you go. So those are just some of the bizarre things you find when you look at an integrated circuit.

The final chip I want to look at was the 7805 voltage regulator. I'm sure probably all of you have used a voltage regulator in one way, either on an Arduino or as a discrete component. So I cut this one open, and I don't know if you've ever opened a chocolate bar and you discover it's like mostly packaging and there's just a small chocolate bar inside; it's kind of the same here, there's this tiny die inside this huge package. So you can see the bond wires that connect the die to the pins. The output has two wires, for reasons I'll get to in just a moment. So I took die photos of this chip, and you can see on the right this huge transistor; this is the output transistor that provides the 1 amp output. Because it has so much current they need to have a big transistor. One thing with the big current is you end up having some voltage drop in the wire, the wire from the output here to the output pin, so by using a second wire to sense the voltage on the output pin they can make sure it's more accurate and account for that voltage drop. So some interesting things in this chip: up at the top you can see another one of these giant snaking resistors, and this one provides startup current to get the chip going. You can see another big capacitor here to keep it from oscillating. These six transistors form a current mirror, and then over here you have a bandgap regulator, which sounds really scary but it's basically just a transistor circuit that is temperature compensated, so you can get a stable voltage even if the temperature of your chip changes. And then there's this big resistor here that's kind of interesting. If we... oh, that's not good. But so anyway, what this resistor does is it's a voltage divider, so that they can have a whole line of different chips, anywhere from like 5 volts to 28 volts, with the same chip. All they have to do is change the contact between the metal layer and the resistor to change the value of the voltage divider, and that changes the output voltage. So it's just a cute trick they do so they can get a whole line of chips from one single design.

So where do these photos come from? Well, I use what's called a metallurgical microscope. If you use a normal microscope the light shines from below, which works well if you're dealing with cells but not so good if you're dealing with something opaque like a chip. So what the metallurgical microscope does is it has this big goofy light here; it shines down through the lens, so you end up with this intense light source from above, which lets you see the features of a chip really well. If you want to look at a chip you can use a regular microscope and kind of shine a flashlight from above, and you can see a lot of it, but it works a whole lot better with the specialized microscope. You can spend tons of money on microscopes, but I got this one on eBay for a couple hundred dollars. Once I have the microscope, I take a whole bunch of pictures of a chip and then I tile these together using a program called Hugin. It's got a little bit of a learning curve; my first attempt I ended up with this sort of Picasso-style cubist chip. The one secret is make sure you have way more overlap between successive images than you think you need, because that overlap is what lets it tie the photos together. So once I got that straightened out, here's a die photo I took of, this is a Motorola interface chip. This chip was used in the Apple I among other places, and then the others I won't go into.

So now how do you get to the die? Now, if you're unlucky, most chips come in epoxy, and the way to get through epoxy is you boil the chip in sulfuric and nitric acid to dissolve the epoxy. So this is what the experts like Zeptobars and Visual 6502 do. I stay away from boiling nitric acid because I don't want to end up with a Superfund site at home. So the easiest way is you let somebody else take the pictures and you can just download them. So Zeptobars, Visual 6502 and Siliconpr0n, these are three sites that have hundreds of die photos. If you want to try reverse engineering a chip, you can download images from there. Most of these images, nobody has ever tried to analyze them, so you just find something easy, download it, and you'll see what you can figure out from it. So Zeptobars is this guy Mikhail in Russia who's done a whole bunch of chips. Visual 6502, if you haven't seen their 6502 simulator, you really need to check that out. And then this is John McMaster's site. So yeah, these are all very interesting. The way I like to deal with chips is just get chips that aren't made of epoxy and then life is easy. So you can get analog chips in metal cans; they're cheap to get on eBay, and then you can just cut it open with a hacksaw or with a jeweler's saw and see what's inside. Other chips come with a metal lid that you can just tap with a chisel and it will pop off, and that makes life a whole lot easier. So I've been looking at old microprocessors, and one thing I found was there aren't any good pictures of the 8008 out there. So I got an 8008 on eBay; it was all scratched up so I could get it cheap. Since it came in a ceramic package I could just tap it with a chisel and the top popped right off. So there are a lot of options if you don't want to deal with boiling acid.

So my current project is analyzing the 8008. I took this die photo last week, so I'm just starting on the analysis, but based on what I said about the Z80 you can see a lot of similar features. You can see the pads around the outside, you can see the driver transistors, the power and ground connections. I don't know if you can see it from the back, but these regular blocks, those are internal registers. You can see the data lines running along the top to the instruction register, and then this block in the middle is the PLA that does the instruction decoding. Over here you can see eight columns that form the 8-bit ALU. So hopefully at this point you can start to understand what's going on inside chips. I hope some of you will download or photograph some chips and start reverse-engineering them, because it's a really interesting hobby and a great way to find out what's going on inside chips. So thank you very much.

[Music]
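The two Sinclair Scientific tricks described in the talk, repeated small rotations for trig and counting powers of 0.99 for logs, can be tried out in the added Python example below. This is illustration code written for this page; it is not Ken Shirriff's simulator and not the calculator's own firmware. It assumes a rotation step of 0.001 radians, an 8-decimal-digit fixed-point representation (so that "divide by 1000" and "divide by 100" really are digit shifts) and first-quadrant inputs, none of which the talk specifies.

```python
"""Shift-and-add trig and log in the style the talk describes for the
Sinclair Scientific.  Added illustration; not code from the calculator or
from Ken Shirriff's simulator.  Values are integers scaled by 10**DIGITS so
that dividing by 1000 or 100 is a pure decimal digit shift, as on the chip."""
import math

DIGITS = 8          # working precision: an assumption, the real chip used fewer
ONE = 10 ** DIGITS  # fixed-point representation of 1.0


def shift(value: int, places: int) -> int:
    """Drop `places` decimal digits, truncating toward zero (a digit shift)."""
    q = abs(value) // 10 ** places
    return -q if value < 0 else q


def sin_cos_by_rotation(theta: float, step_digits: int = 3):
    """Rotate the vector (1, 0) by a small fixed angle until it reaches theta.

    Each iteration does x' = x - y/10**k, y' = y + x/10**k: a rotation by
    roughly 10**-k radians (assumption: the step is 0.001 rad) using only a
    shift and an add/subtract.  The vector also grows by sqrt(1 + 10**-2k)
    per step, which is why the result is only good to about three digits.
    Returns (sin, cos, number_of_steps); bigger angles need more steps.
    """
    if not 0 <= theta <= math.pi / 2:
        raise ValueError("example handles first-quadrant angles only")
    x, y = ONE, 0
    n_steps = round(theta / 10 ** (-step_digits))
    for _ in range(n_steps):
        # tuple assignment uses the old x when updating y, as a real rotation must
        x, y = x - shift(y, step_digits), y + shift(x, step_digits)
    return y / ONE, x / ONE, n_steps


def ln_by_powers(value: float) -> float:
    """ln(value) for value >= 1 by counting how many factors of 0.99 fit.

    x -= x/100 multiplies by 0.99 with a two-digit shift and a subtract.
    After n steps x ~= value * 0.99**n, so when x drops to 1 we have
    ln(value) ~= -n * ln(0.99).  Resolution is one step, about 0.01.
    """
    if value < 1:
        raise ValueError("example handles value >= 1 only")
    x = round(value * ONE)
    n = 0
    while x > ONE:
        x -= shift(x, 2)
        n += 1
    return -n * math.log(0.99)


def sine_error(theta: float) -> float:
    """Absolute error of the rotation sine against math.sin, for inspection."""
    s, _, _ = sin_cos_by_rotation(theta)
    return abs(s - math.sin(theta))


if __name__ == "__main__":
    for deg in (10, 45, 90):
        th = math.radians(deg)
        s, c, n = sin_cos_by_rotation(th)
        print(f"{deg:3d} deg: sin={s:.6f} (true {math.sin(th):.6f}) "
              f"cos={c:.6f} steps={n}")
    for v in (2.0, 10.0):
        print(f"ln({v}) = {ln_by_powers(v):.4f} (true {math.log(v):.4f})")
```

Running it shows the sine error sitting around 10^-3, the "three digits of accuracy" the talk mentions, with the error growing as the angle (and the step count) grows, and the log estimate landing within one 0.99 step of the true value.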
Info
Channel: HACKADAY
Views: 318,151
Rating: 4.9324403 out of 5
Keywords: Hackaday SuperConference, Ken Shirriff, Decapping, IC, Integrated Circuits, Reverse Engineering
Id: aHx-XUA6f9g
Length: 31min 51sec (1911 seconds)
Published: Tue Dec 27 2016