
Reading Silicon: How to Reverse Engineer Integrated Circuits

Jun 09, 2021
Hello and welcome back, everyone. I am very excited to announce our next speaker, Ken Shirriff. He writes a popular blog, righto.com, about reverse engineering everything from chargers to microprocessors. He's written about mining Bitcoin on a 1960s punch card computer. Ken was formerly a programmer at Google, and he's currently refurbishing a Xerox Alto. Please join me in welcoming Ken on stage.

Hello everyone, thanks for coming out here. So you've probably wondered what happens inside integrated circuits, what's inside those little packages.
Maybe you looked at the photos and thought, this doesn't make sense. So I'm here to introduce you to the strange hobby of reverse engineering old chips. I'll start with the Z80. Any Z80 fans out there? Okay, awesome. So this is an 8-bit CPU; here's a picture I got from Zeptobars. Let's see if this laser pointer works. When you look at this chip at first you might think it's a crazy jumble of circuits, what's going on here? Well, there are a few ways you can figure out what's going on. These little squares around the outside are the pads that connect to the external pins. You'll notice that a lot of them have these green wavy things.

Those are the driver transistors for the outputs. You'll notice some big pads here for ground and power, and once you've figured that out, that gives you a bunch of reference points that you can use to look at the datasheet. Then you can label all the pins, and this gives you a lot of information about what the chip is doing. You can see the control pins at the top, so you know the circuits above are the control circuits. You have the address pins over here; you follow those pins and discover that the address bus goes through here.
I should move this; I'm not sure you can see them there. The data pins, you can follow them to the data bus that goes through here; it connects to these blocks here and to this block up here. So even at this level we can find out a lot of what's happening in the circuit. There are some regular blocks amid the chaos, here and here, and those we can see in more detail. The first block is the register file. Whenever you see a bunch of repeating patterns like this, each of these little blocks is a bit of storage, so this is the internal registers of the Z80. If you count across, there are 16 blocks, so it is a pair of 16-bit registers; each column is a separate register.
Here we know that the address lines are connected, so we can figure out that this should be the program counter and the incrementer circuit for the program counter, and then the data bus connects here to read the registers. If you go into a little more detail, I found some interesting things. There are secret registers: these are used internally for storage even though they are invisible to the programmer. Another thing is that the Z80 has a couple of instructions that will swap the data in the registers, and it turns out that it doesn't actually move the data between registers, but rather it swaps the control lines at the top, so it's much faster than moving data between registers. So that's just one of the optimizations inside a chip.

The next thing you see on a lot of microprocessors of this era is called a PLA, used to decode instructions; that's this block up here. The way this works is that the data we discovered comes here, the instruction register contains the instruction, and the instruction bits flow back and forth here. Each transistor will match one bit in the instruction, so what you end up with is something like, say, 001 indicates a load; that will generate a control line that goes out. Other transistors will match all the different instructions, so this is where the matching happens between the instruction set and what is actually happening on the chip. Instruction sets are designed so that it's easy to go from a bit pattern to what's happening.

The third interesting block is the ALU. This is where things actually happen on the chip: the addition, subtraction and bit operations. Most chips use a bit-slice layout, so for an 8-bit processor they have eight stacks of circuits, one that handles each bit of the data. Now the strange thing I found in the Z80 is that you can see there are only four segments here. The Z80 is an 8-bit chip but it only has a 4-bit ALU. How does that work?

It turns out the designers realized the performance of the Z80 was limited by memory speed, so they had enough time to run everything through the ALU twice, so they saved space by putting a 4-bit ALU on an 8-bit chip. So from this level we can discover a lot about the chip, but to learn more we have to dive into the transistor level. I'll give you a quick overview of MOS transistors. For our purposes we can think of a transistor as basically a switch: when the gate is on it will connect the source and drain; when the gate is off they are disconnected.
In silicon we have a layer of silicon that is basically an insulator, and parts of it are diffused with impurities like boron to become a conductive semiconductor. There is a polysilicon gate on top, separated by a small insulating layer. When the gate is on, due to the magic of the semiconductor it makes the region underneath partially conductive, and when the gate is off this is non-conductive and they are disconnected. A couple of interesting things: this thin layer of oxide is the reason why MOS transistors are sensitive to static. If you shuffle across the carpet and touch the chip, the charge at the gate has nowhere to go and will just punch through the oxide layer and destroy the chip.
In the early days the gate was made of metal, so you would have metal, oxide and semiconductor, so that was your MOS transistor. Since about 1970 they have used polysilicon, so it's really a POS transistor, but they don't use that word. So once you have the transistors, you can connect them together to form some gates. Take two transistors and you have a NAND gate: if both inputs are one, the gates conduct, pull the output to ground and you get a zero. Pretty simple. And if you have a zero input, the transistor stops conducting and this resistor will pull up the output, so it's very, very easy to implement a NAND gate with MOS transistors.

When you look at a chip, it's much more complicated than that. We can get very close to the Z80 chip, and we get something like this. It seems strange at first, but if you look at it long enough it's going to start to make sense. Here, this is what's in the photo of the chip, and then this is what it actually means. You can see this green region is conductive doped silicon. We've got these things that look like metal on top; that's the metal layer of the chip that connects things and provides 5 volts and ground to the gate.

The inputs are polysilicon that come down, and wherever the polysilicon intersects the silicon it becomes a transistor. So you can see you have your two transistors for the NAND gate here, and then the pull-up resistor is actually implemented with a transistor, because resistors are just horrible in ICs. So if you look at these photos of these chips long enough and close enough, you'll be able to figure out all the transistors and figure out the circuits. It's a little tedious. It's easier if someone like the Visual 6502 team comes in and has people digitize all this stuff into polygons, and then it's a lot easier to extract the transistors and the circuits.

It's not all NAND gates, although it's just as easy to build a NOR gate by putting the transistors in parallel. Now if any transistor is on, the output is connected to ground; if all the inputs are zero then it goes high. So it seems pretty simple, but the designers of the Z80 wanted to streamline things, and they made a bunch of crazy gates. Here's one of the gates in the ALU. It's a little hard to follow the diagram, but transistors 1, 2 and 3 connect to this yellow metal strip; then if 4 and 5, one of those, conduct, it connects the metal strip to the output to give you this circuit; and then 6, 7 and 8 are transistors in series and that gives you a second part of the gate. So when you put all this together, a single gate on the chip logically has five different gates, so it makes things very efficient.

These two gates don't actually require any circuitry; they are simply built by connecting the two parts together, so this is one of the ways they made things much more compact. I won't try to explain what this is actually doing, other than it takes its inputs and then calculates the correct operation, all with this gate. So they're really interesting, because every chip does things differently. You might think you just take an adder, you take AND gates and you get the logic you want, but everything is highly optimized, because it repeats four or eight times, so they try to squeeze every bit of circuitry they can. The 6502 does things totally differently. I've written more information about the Z80 if you want that. Now I'll move on to an interesting calculator, the Sinclair Scientific.
The idea was that Texas Instruments made this cheap calculator chip in the 1970s. It had 320 words of instructions; barely four functions could fit into that: addition, subtraction, multiplication, division. Sinclair took the same chip and then reprogrammed it to be a scientific calculator with antilogs and inverse trigonometry, and the mystery is how you can take a chip that can barely multiply and turn it into a scientific calculator. So I decided to find out. Thanks to John McMaster, I got this photo of the calculator chip. You can see a lot of the same features that appeared in the Z80: the pins around the outside, the ALU here in the corner, the decoding PLA, the normal register grid. It also has some things that you don't see on the Z80: we see seven-segment display drivers. But what's most interesting to us is the instruction ROM here in the middle, which contains the code that runs the calculator. If you get really close you can see the individual bits on the chip in the metal layer, and by looking at this very carefully I was able to extract the code that the calculator is running. Then I was also able to reverse engineer the instructions it's using, so I built a simulator for the calculator. You can try this simulator online if you want; it runs the exact calculator code.

So I reverse engineered the algorithms and figured out how they managed to cram all this onto such a small chip, and I discovered that there were two tricks. The first trick is that because they used scientific notation and RPN input, they can save a lot of code on the chip, and then use that extra space to put in these really compact but really slow and inaccurate algorithms for the scientific functions. So for example, for trigonometric functions, they make repeated rotations by one thousandth until you reach the angle you want. Because it is a decimal calculator, dividing by a thousand is just a trivial shift: you make a shift, then you add and subtract, you just repeat that as needed and you can get your sine and cosine operations.

A side effect of this is that the larger the angle you put in, the slower the calculator, because it simply has to continue until it reaches the angle. Similarly for the logarithms they used an algorithm with powers of 0.99, which on a decimal machine is also very easy: you simply shift two digits to divide by 100 and then subtract, and repeat as necessary. So that solves the mystery of how they managed to get a scientific calculator out of a normal calculator. They sold a lot of these, although it was super inaccurate. It's a little sad that HP put so much work into getting their algorithms totally accurate, and then with this, most of the time you could probably get three digits of accuracy, and people bought this by the millions.
Next, I'd like to move on to a forgotten chunk of computer storage history. Back in 1970, RAM storage was very expensive, so Intel had something called shift register memory. This is a Datapoint 2200 board, which some people call the first personal computer, although others say the Xerox Alto is the first, but anyway, each of these chips contains 512 bits, or in modern units, that's a little less than half a tweet. So it's a shift register, which means you put the bits in and they eventually come out the other side. I cut one of these open to see what's inside, took a photo of the die, and this is what's inside the chip. Your bits go in, they go through these shift register stages and eventually they go up to the top here where you can read them. At that point you can write a new bit or the old bit can circulate. So if you are reading your data sequentially this isn't so bad, but if you want to access something out of sequence, you have to wait until the bit you want comes around. It's something like waiting for the baggage carousel, so you can wait up to half a millisecond to receive your data if you're unlucky. Needless to say, once RAM chips dropped in price, Intel stopped making them.

We can get closer to see the actual logic. Again we have the metal layer, we have polysilicon, and then under that the silicon layer. On the right I have an interpretation of it. Each bit is stored in an inverter. There are two clock phases: in the first clock phase the bit goes from the first inverter to the second inverter, and in the second clock phase it goes to the next inverter. So basically your bits slowly flow through the chip until you get them.

Now I would like to move on to analog chips. Anyone here ever used a 555 timer? Yeah, I thought that would be almost all of you. So this is one I opened up. Before I get into the details, I should talk a little bit about bipolar chips, bipolar transistors. You know the NPN and PNP transistors that are used; you're probably familiar with how NPN transistors work.
You have a layer of N, a layer of P, a layer of N, and the base is connected in the middle. But the thing is, when you look at ICs it's nothing like that, it's just totally different. Here are some real bipolar transistors from ICs. Often you have your emitter in the middle, sometimes it's like a right angle, sometimes you have two emitters, sometimes you have six collectors, and you can't even find the base. It gets really strange when you look inside an IC. So to explain a little more what's happening, here's a photo of an NPN transistor and then here's the cross section.

You can see that it is much more complex than the MOS transistor, which is why the world has mainly moved away from bipolar transistors. If you look down from the emitter, you can see that the NPN layers are stacked vertically, but the connections are very different. To see what's happening in a photo: the emitter usually has multiple circles, at the base you can see this faint outline here of the P layer, then the collector is off to the side somewhere. Now you might think a PNP transistor just swaps everything around, but it turns out that they have a totally different structure. It's more of a circular structure: here you can see the P, the N, the P, so you have the P, N and P layers, but physically the emitter is this little dot in the middle surrounded by the base, and then the collector is on one side wrapping around everything, and then the base connection goes way underneath and comes out the other side.

Here it's so far away that they actually run another wire through the middle of their transistor to help with the layout. Now that you know what to look at, here's a photo I took of the 555 timer. You can see the circular PNP transistors. You can see small rectangular NPN transistors. Bond wires around the outside. Three giant transistors to provide the high current output. And then these three pale stripes in the middle, these are the three transistors, sorry, three resistors, that form the voltage divider for the 555 timer that sets the upper and lower swing limits. You can see those resistors are a little uncomfortably large when you're building a chip. Up here we have one of the comparators, here we have another comparator, here is a flip-flop. So I made an interactive chip viewer that maps everything on the chip to the schematic: you can click on something and it tells you what it does and where it is on the schematic, so you can try it out to get more details of how the chip works.

Next, I want to talk about the 741 op amp. This op amp came out in the 1960s, in 1968. It was very popular; they sold hundreds of millions of them. I'm going to explain a little about why it was so popular. Here is the photo of the die that I took. Again, you can make out the transistors. There is a giant resistor: this big doodle here is all a resistor. And then this big thing in the middle is a capacitor, and the reason the capacitor is important is that in previous op amps you had to put an external capacitor to keep it from oscillating. Dave Fullagar, the designer of the 741, said: engineers are lazy; if we put the capacitor inside the chip, the engineers don't have to add this extra capacitor, they will love it. That's what he did, he put the capacitor inside the chip, and it became hugely popular. So now we can see more functional parts of the chip.

The inputs go in up here, where we're losing a little bit off the top of the slide, into the input amplifier, which makes the first stage of the operational amplifier. The gain stage provides more amplification, and then in the output stage you can see these giant transistors that provide high current output. Another thing that made the 741 popular is this short circuit protection. In earlier op amps, if you shorted the output the chip would burn up and be destroyed. They added this protection circuit that would detect the overload and shut down the chip before it self-destructed, and this was another thing that made it very popular.

One thing that is important to understand in analog circuits inside a chip is the current mirror. Schematics will show these symbols for a current source, and the first time I saw a current source, I thought, is there like a battery on this chip where the current comes from? It turns out that because the resistors are so horrible on chips, what they do is have a single resistor to set how much current they want for the entire chip, then they use this circuit called a current mirror which basically clones that current, so you can get as many currents as you need from just one resistor. It is much more compact and much more accurate to use this current mirror circuit instead of resistors.
It's kind of interesting, because when you build something on a PCB you think that the resistors are basically free and the transistors are a little expensive, but inside an integrated circuit it's the other way around: your transistors are practically free and it's your resistors that are expensive. So to see how important the current mirrors are, this big resistor, this is the one huge resistor that controls most of the currents in the 741, and then there are four different current mirrors that are making copies of that current. Another interesting thing is that inside integrated circuits you find these really strange transistors.

There is this one that has six collectors. This is not something you can buy, but it's easy to do inside an integrated circuit. The point is that they wanted to have six different copies of the current coming out of their current mirror, so they just make a transistor with six collectors and that's it. Or if you want two large currents and one small current, you make a transistor that has two large collectors and one small collector and there you have it. So those are some of the strange things you find when you look at an integrated circuit. The final chip I wanted to look at is the 7805 voltage regulator.

I'm sure all of you have probably used a voltage regulator in some way, either on an Arduino or as a discrete component. So I opened this one up. I don't know if you've ever opened a chocolate bar and found that it's mainly packaging and there's only a small chocolate bar inside; it's pretty much the same here, just this little die inside this huge package. You can see the bond wires that connect the die to the pins. The output has two wires, for reasons I'll explain in a moment. So I took photos of this chip and you can see on the right this huge transistor; this is the output transistor that provides the 1 amp output.

Because it has so much current, they need to have a large transistor. One thing with large current is that you end up having a voltage drop across the wire, the wire from the output here to the output pin, so they use a second wire to sense the voltage on the output pin. That way they can make sure it's more accurate and account for that voltage drop. Some interesting things on this chip: at the top you can see another one of these giant serpentine resistors; this one provides current to start up the chip. You can see another large capacitor here to keep it from oscillating.

These six transistors form a current mirror, and then here you have a bandgap regulator, which sounds really scary, but it's basically just a transistor circuit that is temperature compensated, so you can get a stable voltage even if your chip temperature changes. And then there's this big resistor here, which is kind of interesting. What this resistor does is it is a voltage divider, so you can have a full line of different chips from 5 volts up to 28 volts with the same chip. All they have to do is change the contact between the metal layer and the resistor to change the value of the voltage divider, and that changes the output voltage. So it's a nice trick they do to be able to get a complete line of chips from one design. So where do these photos come from?
Well, I use what is called a metallurgical microscope. If you use a regular microscope, the light shines from below, which works well for cells, but not so well for something opaque like a chip. What the metallurgical microscope does is it has this big goofy light here that shines through the lens, so you end up with this intense light source from above that allows you to see the features of a chip very well. If you want to look at a chip, you can use a regular microscope; you just shine a flashlight from above and you can see a lot, but it works much better with the specialized microscope.

You can spend tons of money on microscopes, but I bought this one on eBay for a couple hundred dollars. Once I have the microscope I take a bunch of pictures of a chip and then I stitch them together using a program called Hugin. It has a bit of a learning curve; on my first try I ended up with this kind of Picasso-esque cubist chip. The secret is to make sure you have a lot more overlap between successive images than you think you need, because that overlap is what allows you to stitch the photos together. Once I sorted it out, here's a photo I took. This is a Motorola interface chip; this chip was used in the Apple I, among other places. But we won't get into that. So now, how do you get to the die?

Now if you're unlucky, most chips come in epoxy, and the way to get through the epoxy is to boil the chip in sulfuric and nitric acid to dissolve the epoxy. This is what the experts like Zeptobars and Visual 6502 do. I stay away from boiling nitric acid because I don't want to end up with a Superfund site at home. So the easiest way is to let someone else take the photos and then you can download them. Zeptobars, Visual 6502 and Silicon Pr0n: these are three sites that have hundreds of photos. If you want to try reverse engineering a chip, you can download images from there. Most of these images, no one has tried to analyze them, so just find something easy, download it and see what you can discover from it. Zeptobars is this guy in Russia who's done a bunch of chips. Visual 6502, if you haven't seen their 6502 simulator, you really need to check it out. And then this is John McMaster's site. So these are all very interesting. The way I like to deal with chips is simply getting chips that are not encased in epoxy, and then life is easy. You can get analog chips in metal cans, they are cheap to get on eBay, and then you can just cut them open with a hacksaw or a jeweler's saw and see what's inside. Other chips come with a metal cap that you can just hit with a chisel and it will come off, and that makes life so much easier.

I've been looking at old microprocessors and one thing I found was that there are no good pictures of the 8008 out there, so I bought an 8008 on eBay. It was all scratched up so I was able to get it cheap. Since it came in a ceramic package I was able to hit it with a chisel and the top came off. So there are a lot of options if you don't want to deal with boiling acid. My current project is analyzing the 8008. I took this photo last week, so I'm just starting with the analysis, but based on what I said about the Z80, you can see a lot of similar features: you can see the pads on the outside, you can see the driver transistors, the power and ground connections. I don't know if you can see it from the back, but these regular blocks are internal registers. You can see the data lines running along the top to the instruction register, and then this block in the middle is the PLA that decodes the instruction. Here you can see eight columns that make up the 8-bit ALU. So I hope at this point you can start to understand what happens inside the chips. I hope some of you download or photograph some chips and start reverse engineering them, because it's a really interesting hobby and a great way to find out what happens inside the chips. So thank you very much.
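The two Sinclair Scientific tricks described in the talk (repeated rotations by a thousandth for sine and cosine, and repeated multiplication by 0.99 for logarithms) can be reconstructed in a few lines to see for yourself why they are compact, slow and only accurate to about three digits. The block below is an added illustration written for this transcript, not the calculator's ROM code and not code from the speaker; it takes only the 0.001 and 0.99 step sizes from the talk. The function names, the use of radians for the angle, the restriction of the log routine to inputs between 0 and 1, and the returned step counts are assumptions made for this example.

```python
"""Reconstruction of the Sinclair-style trig and log loops (added example).

Both routines use only operations a four-function decimal calculator already
has: a digit shift (divide by 1000 or 100), an add and a subtract. Neither is
the calculator's own code; they follow the description in the talk.
"""
import math

ROT_STEP = 0.001          # rotation per iteration: "shift three digits"
LOG_STEP = 0.99           # per-iteration factor: "shift two digits, subtract"
LN_STEP = math.log(LOG_STEP)


def sin_cos_by_rotation(angle):
    """Return (sin, cos, steps) for angle >= 0, assumed to be in radians.

    Each step applies x' = x - y/1000, y' = y + x/1000. That is a rotation
    by atan(0.001) plus a tiny stretch of the vector, so the error grows
    with the number of steps, and the number of steps grows with the angle,
    which is the "bigger angle, slower calculator" effect from the talk.
    """
    if angle < 0:
        raise ValueError("this example only handles non-negative angles")
    x, y = 1.0, 0.0                       # unit vector at angle 0
    steps = int(round(angle / ROT_STEP))  # how many tiny rotations to apply
    for _ in range(steps):
        # Simultaneous update: both new values use the old x and y.
        x, y = x - y * ROT_STEP, y + x * ROT_STEP
    return y, x, steps                    # y is sin, x is cos


def ln_by_decimation(value):
    """Return (ln_estimate, steps) for 0 < value <= 1.

    Start at y = 1 and repeatedly replace y with y - y/100 (i.e. y * 0.99)
    until y <= value. Then ln(value) is about steps * ln(0.99). The answer
    is quantised to whole steps, so the error can reach one step (~1%).
    """
    if not 0 < value <= 1:
        raise ValueError("this example only handles 0 < value <= 1")
    y, steps = 1.0, 0
    while y > value:
        y -= y / 100                      # one shift-and-subtract step
        steps += 1
    return steps * LN_STEP, steps


def error_report(angle, value):
    """Compare both loops against the math module; returns a dict of errors."""
    s, c, n_rot = sin_cos_by_rotation(angle)
    lg, n_log = ln_by_decimation(value)
    return {
        "sin_error": abs(s - math.sin(angle)),
        "cos_error": abs(c - math.cos(angle)),
        "rotation_steps": n_rot,
        "ln_error": abs(lg - math.log(value)),
        "log_steps": n_log,
    }


if __name__ == "__main__":
    # Constructed sample inputs: one radian and one half.
    for key, val in error_report(1.0, 0.5).items():
        print(f"{key:>15}: {val}")
```

Running it shows the rotation loop landing within a few parts in ten thousand of the true sine and cosine after 1000 steps (about three good digits, as the talk says), while doubling the angle doubles the work; the log loop needs 69 steps to reach 0.5 and is off by a few parts in ten thousand, with a worst case of one whole step.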
