Famous reverse engineer Ken Shirriff has penned a guide to determining what a CMOS chip does based on nothing more than a high-resolution picture of its die — using, as an example, a vintage Soviet clone of the Motorola MC14516B four-bit counter.
“Though the chip looks like a tangle of traces at first, its large features and simple layout make it possible to understand its circuits,” Shirriff says of the die photograph, captured from decapsulated authentic hardware by Martin Evtimov. “I will first explain how to recognize the individual transistors. Groups of transistors are connected in standard patterns to form CMOS gates, multiplexers, flip-flops, and other circuits. Once these building blocks are understood, reverse engineering the full chip becomes practical.”
If you've ever wondered how a die shot can be decoded, Ken Shirriff's guide is an ideal place to start. (📷: Ken Shirriff/Martin Evtimov)
Complementary metal-oxide semiconductor (CMOS) devices make up the majority of processors built and sold today, though there is a huge gulf in complexity between the 1970s-era Soviet device under the camera in Shirriff's example and the kind of chip that drives a modern smartphone or tablet. That makes things easier: it is possible to capture details of the circuit with amateur-grade equipment, which is not the case for the tiny single-digit-nanometer feature sizes of today's processors.
“Areas of the silicon are doped with impurities to change the silicon's electrical properties. This doping also causes areas of the silicon to appear greenish or reddish, depending on how a region is doped,” Shirriff writes, adding that the color shift helps with the reverse engineering process. “On top of the silicon, the whitish metal layer is visible, forming the chip's connections. This chip uses metal-gate transistors, an old technology, so the metal layer also forms the gates of the transistors.”
Shirriff ends the guide with a full labeling of the functional elements in a Soviet four-bit counter chip. (📷: Ken Shirriff/Martin Evtimov)
Shirriff's guide walks through recognizing transistors and telling P-type from N-type variants; spotting NOT, NOR, NAND, and more complex gates built up from transistors; latches and flip-flops; and how traces are routed in a silicon chip — “using silicon for a ‘cross-under,’” he explains, “allowing a signal to cross beneath metal wiring. These cross-unders are avoided unless necessary because silicon has much higher resistance than metal. Moreover, the cross-under requires more space on the die.”
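To make the step from recognized transistors to named gates concrete, here is an added example (not code from Shirriff's guide or from this article): a small switch-level evaluator that derives a truth table from a transcribed transistor list and matches it against NOT, NAND and NOR. The netlists, cell names and node names are constructed for illustration, and it assumes the standard CMOS arrangement in which PMOS transistors conduct on a low gate and NMOS transistors on a high gate.

```python
from itertools import product

# Constructed netlists, as one might transcribe them from a die photo.
# Each transistor: (type, gate_signal, node_a, node_b); "P" = PMOS, "N" = NMOS.
NETLISTS = {
    "cell_1": [("P", "A", "VDD", "OUT"), ("N", "A", "OUT", "GND")],
    "cell_2": [("P", "A", "VDD", "OUT"), ("P", "B", "VDD", "OUT"),
               ("N", "A", "OUT", "n1"), ("N", "B", "n1", "GND")],
    "cell_3": [("P", "A", "VDD", "n1"), ("P", "B", "n1", "OUT"),
               ("N", "A", "OUT", "GND"), ("N", "B", "OUT", "GND")],
}
KNOWN = {(1, 0): "NOT", (1, 1, 1, 0): "NAND", (1, 0, 0, 0): "NOR"}

def reachable(netlist, inputs, start):
    """Nodes connected to `start` through transistors that are switched on."""
    seen, todo = {start}, [start]
    while todo:
        node = todo.pop()
        for kind, gate, a, b in netlist:
            # Assumption stated above: PMOS conducts on gate 0, NMOS on gate 1.
            on = inputs[gate] == (0 if kind == "P" else 1)
            if on and node in (a, b):
                other = b if node == a else a
                if other not in seen:
                    seen.add(other)
                    todo.append(other)
    return seen

def output(netlist, inputs):
    """Logic level on OUT, or an error if it is undriven or driven both ways."""
    high = "OUT" in reachable(netlist, inputs, "VDD")
    low = "OUT" in reachable(netlist, inputs, "GND")
    if high == low:
        raise ValueError(f"output floating or shorted for {inputs}")
    return 1 if high else 0

def truth_table(netlist):
    names = sorted({gate for _, gate, _, _ in netlist})
    return tuple(output(netlist, dict(zip(names, bits)))
                 for bits in product((0, 1), repeat=len(names)))

def classify(netlist):
    return KNOWN.get(truth_table(netlist), "unknown")

if __name__ == "__main__":
    for name, netlist in NETLISTS.items():
        print(name, truth_table(netlist), classify(netlist))
```

A transcription error, such as a missed transistor, usually shows up as the floating-or-shorted error rather than as a wrong gate name.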
The chip photographed for Shirriff's guide turned out to be a clone of the Motorola MC14516 binary up/down counter. “Though the counter chip is old and simple,” Shirriff adds, “later chips use the same ideas.”
Shirriff's full write-up is available on his blog.
Main article image courtesy of Martin Evtimov.