cmos reverse engineering
play

CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 - PowerPoint PPT Presentation

Oct 30, 2022 •154 likes •670 views

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky, Christoph M uller Lund University February 10, 2012 Steffen Malkowsky,

  1. Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky, Christoph M¨ uller Lund University February 10, 2012 Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  2. Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion Table of Contents Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  3. Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion Why should CMOS devices be reverse engineered? ◮ As preliminary for security examinations ◮ Identify patent infringements ◮ Find errors in the manufacturing process ◮ We can - and it’s awesome! ;-) Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  4. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Determine the typ of the package ◮ Different methods according to typ of the package ◮ Cavity packages (metal and ceramic) ◮ Plastic ◮ Some need professional equipment, some can be used at home Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  5. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Open the packages Delidding cavity packages ◮ Grinding away the lid (mainly for ceramic packages) ◮ Cracking the lid seal with a knife ◮ Melting the lid seal and peel up the lid Decapsulating plastic packages ◮ Fuming nitric acid, fuming sulfuric acid or a mixture of both (ca. 90 ◦ ) ◮ Drop chip in heated acid ◮ Cavity etching ◮ Jet etching ◮ Cooking in rosin (colophony) (320 ◦ -360 ◦ ) Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  6. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Examples Images of several decapsulated chips Images from: http://cms.diodenring.de/electronic/microcontroller/83-ic-decapsulation/ http://www.prioritylabs.com/Decapsulation.aspx Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  7. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Methods to expose the layers ◮ Chemical ◮ Wet etching - remove layers with specific chemicals ◮ Dry etching - plasma etching (e.g. reactive ion etching) ◮ Mechanical - polishing Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  8. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Polishing How it works ◮ Fix die on a stamp (must be parallel to the polishing surface!!!) ◮ Use very fine (0.04 µ m) abrasive paper ◮ Check progress regularly to prevent too deep polishing ◮ Can be done manually or with machines ◮ The planarity of the surface must be maintained Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  9. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Polishing Advantages ◮ Material can be removed layer by layer (good for multilayers) ◮ Can be done without machines Disadvantages ◮ Time-consuming ◮ Planarity Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  10. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion What happens if planarity is destroyed Skewed polished chip Image from: All Chips Reversed [Sch10a] Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  11. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Image Acquisition Necessary microscope depends on structure size of the die ◮ Optical microscope ◮ Relatively cheap ◮ Smallest possible resolution about 0 . 2 µ m ◮ Confocal microscope ◮ Smallest possible resolution about 0 . 1 µ m ◮ Tremendously higher depth of focus ◮ Colors images of different layers ◮ Electron microscope ◮ Expensive ◮ Smallest possible resolution about 0 . 1 nm Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  12. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Examples Optical microscope vs. Electron microscope Images of a die manufactured in a 130 nm process Images from: The State-of-the-Art in IC Reverse Engineering [TJ09] Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  13. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Examples Confocal microscope Image of a chip made with confocal microscope Image from: Chip Reverse Engineering [NS08] Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  14. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion How to continue? ◮ Acquire images of every chip layer ◮ Motorized frames available to semi automate the process ◮ Take overlapping images to simplify the following step ◮ Number of images depending on chip area and needed magnification ◮ Huge dataset Intel 8086, images from the visual 6502 project http://uxul.org/~noname/visual6502/8086/t/bf/5x/ Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  15. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Combination of the images ◮ Problem: combine a bunch of images to a single big one ◮ Problem also well known in panorama photography ◮ Solution: use well optimized panorama stitching tools ◮ Panotools/Hugin ◮ Autostitch ◮ Photoshop ◮ · · · Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  16. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Stitching process ◮ Load images Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  17. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Stitching process ◮ Load images ◮ Find matching points in the overlapping zones ◮ Can be automated, but problems with regular structures e.g. memories. . . Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  18. Introduction Expose the die IC Layout Recovery Deprocessing Functional Recovery Image Acquisition Case Studies Stitching process Conclusion Stitching process ◮ Load images ◮ Find matching points in the overlapping zones ◮ Can be automated, but problems with regular structures e.g. memories. . . ◮ Stitch everything together Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  19. Introduction Recovery of the Transistor Logic IC Layout Recovery Standard Cell Recognition Functional Recovery Interconnections Case Studies Software Conclusion Non destructive Methods Recovery of the Transistor Logic I Polysilicon Layer P-Well Polysilicon Contact N-Well Die shoot: http://www.degate.org , National Semiconductor SC14421CVF Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  20. Introduction Recovery of the Transistor Logic IC Layout Recovery Standard Cell Recognition Functional Recovery Interconnections Case Studies Software Conclusion Non destructive Methods Recovery of the Transistor Logic II Metal Layer 1 VDD Via GND Die shoot: http://www.degate.org , National Semiconductor SC14421CVF Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  21. Introduction Recovery of the Transistor Logic IC Layout Recovery Standard Cell Recognition Functional Recovery Interconnections Case Studies Software Conclusion Non destructive Methods Recovery of the Transistor Logic III Metal Layer 2/3 Input A A B Q B A Output Q Input B Die shoot: http://www.degate.org , National Semiconductor SC14421CVF Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

  22. Introduction Recovery of the Transistor Logic IC Layout Recovery Standard Cell Recognition Functional Recovery Interconnections Case Studies Software Conclusion Non destructive Methods Recovery of the Transistor Logic IV What can we do now? ◮ Enough to recover the circuit diagram of the complete IC ◮ The only way for ”old” digital ICs which have been designed on transistor level ◮ Has been done - MOS 6502 for example. Steffen Malkowsky, Christoph M¨ uller CMOS Reverse Engineering

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
EE-612: Lecture 24: CMOS Circuits: Part 1 Mark Lundstrom Electrical and Computer Engineering

EE-612: Lecture 24: CMOS Circuits: Part 1 Mark Lundstrom Electrical and Computer Engineering

EE-612: Lecture 24: CMOS Circuits: Part 1 Mark Lundstrom Electrical and Computer Engineering Purdue University West Lafayette, IN USA Fall 2006 NCN www.nanohub.org Lundstrom EE-612 F06 1 Outline 1) Review 2) CMOS circuits 3) The CMOS

576 views • 46 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
EE-612: Lecture 26: CMOS Limits Mark Lundstrom Electrical and Computer Engineering Purdue

EE-612: Lecture 26: CMOS Limits Mark Lundstrom Electrical and Computer Engineering Purdue

EE-612: Lecture 26: CMOS Limits Mark Lundstrom Electrical and Computer Engineering Purdue University West Lafayette, IN USA Fall 2006 NCN www.nanohub.org Lundstrom EE-612 F06 1 Outline 1) Review: CMOS Metrics 2) MOSFET limits 3)

569 views • 37 slides
III-V CMOS: the key to sub-10 nm electronics? J. A. del Alamo Microsystems Technology

III-V CMOS: the key to sub-10 nm electronics? J. A. del Alamo Microsystems Technology

III-V CMOS: the key to sub-10 nm electronics? J. A. del Alamo Microsystems Technology Laboratories, MIT 2011 MRS Spring Meeting and Exhibition Symposium P: Interface Engineering for Post-CMOS Emerging Channel Materials April 25-29, 2011

286 views • 24 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
OC A&D Forum Ducommuns continued drive to expand organically and through acquisitions,

OC A&D Forum Ducommuns continued drive to expand organically and through acquisitions,

Ducommun Overview OC A&D Forum Ducommuns continued drive to expand organically and through acquisitions, adding capabilities and value including assembly to its product, process and service offering April 5, 2012 Key Overview Objectives

312 views • 30 slides
assembling metals and composites ASTech International Conference MMP 2015 November 25th,

assembling metals and composites ASTech International Conference MMP 2015 November 25th,

Latest achievements in the field of assembling metals and composites ASTech International Conference MMP 2015 November 25th, Deauville WHO WE ARE SME dedicated to materials Anaysis, Contractual Testing, Audit, Innovation Expertise Studies

338 views • 22 slides
Mechanics of Soft Materials Tuesday and Thursday L13, 2:00-3:30 PM What Are Soft Materials?

Mechanics of Soft Materials Tuesday and Thursday L13, 2:00-3:30 PM What Are Soft Materials?

Mechanics of Soft Materials Tuesday and Thursday L13, 2:00-3:30 PM What Are Soft Materials? Rubber Skin Tissue Paper Modulus < 10 MPa Gel Tissue scafold Deformation when subjected to load Type of load Geometry: micro-nano

1.89k views • 28 slides
MEMS : an overview - What ? why ? how ? - Magnetic MEMS Micro-magnets for MEMS -

MEMS : an overview - What ? why ? how ? - Magnetic MEMS Micro-magnets for MEMS -

1/28 MEMS : an overview - What ? why ? how ? - Magnetic MEMS Micro-magnets for MEMS - Candidate Hard Magnetic Materials - Preparation routes -Micro-fabrication -Beyond magnets Nora M. Dempsey Institut Nel, CNRS/UJF, Grenoble,

1.23k views • 83 slides
Ruolo dell'Universit nello sviluppo del trasferimento tecnologico nellarea triestina. We

Ruolo dell'Universit nello sviluppo del trasferimento tecnologico nellarea triestina. We

Ruolo dell'Universit nello sviluppo del trasferimento tecnologico nellarea triestina. We are the Organization and activities of the Innovation Office Tech&people because our aim is to establish a long-term strategic relationships

622 views • 32 slides
High Efficiency photovoltaic power plants: the III-V compound solar cells G. Gabetta Hyperlink

High Efficiency photovoltaic power plants: the III-V compound solar cells G. Gabetta Hyperlink

High Efficiency photovoltaic power plants: the III-V compound solar cells G. Gabetta Hyperlink Contents CESI: who are we? The photovoltaic conversion and the III-V compound semiconductors Solar Cell Manufacturing: MOCVD Solar

670 views • 65 slides
Fiber Reinforced Polymer (FRP) Construction Seminar Ivar Thorson Department of Advanced Robotics

Fiber Reinforced Polymer (FRP) Construction Seminar Ivar Thorson Department of Advanced Robotics

Fiber Reinforced Polymer (FRP) Construction Seminar Ivar Thorson Department of Advanced Robotics Istituto Italiano di Tecnologia August 7, 2012 Ivar Thorson (IIT-ADVR) IIT FRP Construction Seminar August 7, 2012 1 / 48 Seminar Overview

495 views • 48 slides
Innovation Learning Event Wednesday 5 July 2017 1 Introduction Paul Turner Innovation Manager

Innovation Learning Event Wednesday 5 July 2017 1 Introduction Paul Turner Innovation Manager

Innovation Learning Event Wednesday 5 July 2017 1 Introduction Paul Turner Innovation Manager 2 Housekeeping Mobile phones Breaks FIRE Fire alarms Main Q&A at end of day 3 Which of the following took place in Manchester? A. Rolls

1.89k views • 139 slides

More recommend