Is it common to reverse engineer an integrated circuit ?

Skybuck Flying
Hi,

Just a stupid little question.

As an application programmer I am used to the fact that software can be
reverse engineered.

Like executable format back to assembler instructions.

Or java/.net bytecode back to java/C#/whatever code.

Now that IC's can be programmed with HDL's etc I just have to ask the
question:

Is it common for IC's to be reverse engineered ?

For example:

Imaginary steps:
1. Buy a processor in the store ;)
2. Place it under a high resolution scanner
3. Have some cad/cam program look at it and create a cad/cam drawing
4. Have some extra tool convert it back to a netlist.
5. Have some extra tool convert the netlist back to a HDL ;)

The smaller the IC the thougher problably ;)

What about processors have they been reverse engineered ? :)

Bye,
Skybuck.
 
On Wed, 3 Aug 2005 05:44:37 +0200, "Skybuck Flying"
<nospam@hotmail.com> wrote:

> Hi,
>
> Just a stupid little question.
>
> As an application programmer I am used to the fact that software can be
> reverse engineered.
>
> Like executable format back to assembler instructions.
>
> Or java/.net bytecode back to java/C#/whatever code.
>
> Now that IC's can be programmed with HDL's etc I just have to ask the
> question:
>
> Is it common for IC's to be reverse engineered ?

[snip]

Yes. There are even companies that specialize in it.

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona Voice:(480)460-2350 | |
| E-mail Address at Website Fax:(480)460-2142 | Brass Rat |
| http://www.analog-innovations.com | 1962 |

I love to cook with wine. Sometimes I even put it in the food.
 
Skybuck Flying wrote:

> As an application programmer I am used to the fact that software can be
> reverse engineered.

(snip)

> Now that IC's can be programmed with HDL's etc I just have to ask the
> question:
>
> Is it common for IC's to be reverse engineered ?
>
> For example:
>
> Imaginary steps:
> 1. Buy a processor in the store ;)
> 2. Place it under a high resolution scanner
> 3. Have some cad/cam program look at it and create a cad/cam drawing
> 4. Have some extra tool convert it back to a netlist.
> 5. Have some extra tool convert the netlist back to a HDL ;)

I don't believe it is common, but it is done. FPGAs are getting
more popular, where the logic is stored in a ROM. The reverse
engineering then is similar to software. There are also
embedded processors with built in ROM.

Getting back to the netlist for modern ASICs is probably not worthwhile,
but there still may be reverse engineering to do. Steps 4 and 5 are
relatively hard, and might violate copyright laws. If you follow
the clean room techniques used by BIOS developers, though, it
is probably legal. After steps 1 to 3 add:

4. Have someone look at the design and describe in detail
the function of each logical block, and the interconnection
between blocks.

5. Write an HDL description with similar logic functions.

There are stories about Russian microprocessors with masks made
directly from scanned images, including the Intel logo.

-- glen
 
It would be a hell of a job on a modern processor. They are built up from
millions of transistors, which are wired together through a layered
structure of interconnections comparable to a multi-layer printed
circuit board (I've seen comments that suggest that six to eight layers
of metallisation aren't unusual).

You can examine this with an electron microscope and (with a
specialised electron microscope - an electron beam tester) you can
probe the voltages on the surface layers in much the same way as you'd
probe the surface of printed circuit board with an oscilloscope probe.

You can also use an ion beam to cut your way down through the layers,
and deposit tungsten plugs as test points to monitor voltages on
tracks buried below the surface of the metallisation.

These tools used to be considered useful in checking out what was
actually going on in real devices, but I suspect they are now mainly a
reality check on the simulation software.

As tools for reverse engineering, they'd be horribly slow - I spent a
couple years working on an electron beam tester that was intended to
speed up the process a bit, but we couldn't push the sampling rate
above 25MHz, and had to worry about operating conditions where you
detected less than one electron per sample (on average) which meant
that you had to average over a large number of samples, slowing the
process down even further.

------------
Bill Sloman, Nijmegen
 
"Skybuck Flying" <nospam@hotmail.com> wrote in message
news:dcpefs$gs3$1@news5.zwoll1.ov.home.nl...
> Hi,
>
> Just a stupid little question.
>
> As an application programmer I am used to the fact that software can be
> reverse engineered.
>
> Like executable format back to assembler instructions.
>
> Or java/.net bytecode back to java/C#/whatever code.
>
> Now that IC's can be programmed with HDL's etc I just have to ask the
> question:
>
> Is it common for IC's to be reverse engineered ?

You betcha. http://www.chipworks.com/

> For example:
>
> Imaginary steps:
> 1. Buy a processor in the store ;)
> 2. Place it under a high resolution scanner
> 3. Have some cad/cam program look at it and create a cad/cam drawing
> 4. Have some extra tool convert it back to a netlist.
> 5. Have some extra tool convert the netlist back to a HDL ;)

You have an active, but very naive imagination.

Check out Figure 10 in this paper:

http://www.fujitsu.com/downloads/MAG/vol39-1/paper04.pdf

That's ten layers of metal. Good luck.

High resolution scanner? What is it resolving with? The masks used during
processing often look nothing like the layers they create, and even with a
confocal microscope I can't see the individual metal lines in a 0.18u
process, much less 0.13u or 90n. We can easily see them with our SEM, but
our SEM can't see through glass, so we have to expose each layer we want to
see. If you're reverse engineering a chip, that's not practical.

So far as I'm aware, there's never been any tool simpler than a human that
could convert a chip into a drawing, netlist, or anything else.

> The smaller the IC the thougher problably ;)

Thougher? It's pretty damh thard, thoo.

-- Mike --
 
> There are stories about Russian microprocessors with masks made
> directly from scanned images, including the Intel logo.

That's a nice story/myth for myth busters for discovery channel lol.

Except they like to blow stuff up ;)

A processor can be blown up.. but the bang ain't big enough ;)

Bye,
Skybuck.
 
"Mike" <mike@nospam.com> wrote in message
news:iTYHe.27776$HV1.11355@fed1read07...
> "Skybuck Flying" <nospam@hotmail.com> wrote in message
> news:dcpefs$gs3$1@news5.zwoll1.ov.home.nl...
>> Hi,
>>
>> Just a stupid little question.
>>
>> As an application programmer I am used to the fact that software can be
>> reverse engineered.
>>
>> Like executable format back to assembler instructions.
>>
>> Or java/.net bytecode back to java/C#/whatever code.
>>
>> Now that IC's can be programmed with HDL's etc I just have to ask the
>> question:
>>
>> Is it common for IC's to be reverse engineered ?
>
> You betcha. http://www.chipworks.com/

One question:

Is that legal ? :)

It's probably legal how can otherwise a company like that exist ?

For example when installing Microsoft Windows it has a license which must be
agreed to,

it says stuff like:

"You may not reverse engineer, decompile, etc"

How come hardware reverse engineering would be legal ? and software reverse
engineering would be illegal ?

Or maybe software reverse engineering isn't legal and Microsoft's license
stuff is just not valid in court ? <- yeah probably ;)

>> For example:
>>
>> Imaginary steps:
>> 1. Buy a processor in the store ;)
>> 2. Place it under a high resolution scanner
>> 3. Have some cad/cam program look at it and create a cad/cam drawing
>> 4. Have some extra tool convert it back to a netlist.
>> 5. Have some extra tool convert the netlist back to a HDL ;)
>
> You have an active, but very naive imagination.
>
> Check out Figure 10 in this paper:
>
> http://www.fujitsu.com/downloads/MAG/vol39-1/paper04.pdf
>
> That's ten layers of metal. Good luck.

Those smiling Japanese faces at the end of the document are funnnnny.

Most of the English text of the document is already Chinese/Japanese for me
;) =D
 
> There are stories about Russian microprocessors with masks made
> directly from scanned images, including the Intel logo.

Some time ago, I saw a scan of a VAX processor (perhaps an MV II?) that
showed a text similar to "When you steal the best...VAX" in Russian etched
into a bit of empty space. Can't find it at the moment.

Jan
 
It can be done, has historically been done, and to a certain extent it
is as you describe it (I vaguely remember seeing a photo in IEEE
Spectrum of a bunch of engineers sitting all over a 20'x20' blow up of
an electron micrograph of a CPU of some sort).

Keep in mind that much "reverse engineering" is however done by way of
functional specifications. It's often not necessary to completely look
at all the details of a circuit (or any other system) to be able to
duplicate it. Consider something simple like a CMOS NOT gate:
- It has a certain logic function (logic 1 --> 0 and 0 --> 1)
- It has certain input characteristics (let's say the limit for 1 is
2.2V and above and 0 is 0.5V or less, taking some amount of current).
- It has certain output characteristics (drive current, voltage
levels, etc.)
- There are certain timing characteristics (propagation delay, etc.)

From that, a reasonably skilled engineer can "reverse engineer" the
CMOS NOT gate of company A in a number of different ways, without
necessarily looking at how company A placed their transistors.

The same goes for a chip. In effect, AMD has "reverse engineered"
certain characteristics of Intel's architecture in the same way, to
make their chips compatible. Both will have a command like an Integer
Addition, that behaves similarly, but was originally defined by Intel.
 
On 3 Aug 2005 08:32:49 -0700, "kmaryan@gmail.com" <kmaryan@gmail.com>
wrote:

[snip]
> Keep in mind that much "reverse engineering" is however done by way of
> functional specifications. It's often not necessary to completely look
> at all the details of a circuit (or any other system) to be able to
> duplicate it.
[snip]

I was hired many years ago by Silicon Systems to "copy" a National
hard-drive controller chip.

I was hired because I was "clean"... and, as is typical with most
projects I take on, I didn't have a prior clue about hard-drive
controller chips and had never seen National's schematics.

I worked strictly from data sheet specifications and my final result
was better performing than National's ;-)

This is typical industry practice, to avoid lawsuits that will result
if the schematics are the same.

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona Voice:(480)460-2350 | |
| E-mail Address at Website Fax:(480)460-2142 | Brass Rat |
| http://www.analog-innovations.com | 1962 |

I love to cook with wine. Sometimes I even put it in the food.
 
On 3 Aug 2005 08:32:49 -0700, the renowned "kmaryan@gmail.com"
<kmaryan@gmail.com> wrote:

> It can be done, has historically been done, and to a certain extent it
> is as you describe it (I vaguely remember seeing a photo in IEEE
> Spectrum of a bunch of engineers sitting all over a 20'x20' blow up of
> an electron micrograph of a CPU of some sort).
>
> Keep in mind that much "reverse engineering" is however done by way of
> functional specifications. It's often not necessary to completely look
> at all the details of a circuit (or any other system) to be able to
> duplicate it. Consider something simple like a CMOS NOT gate:
> - It has a certain logic function (logic 1 --> 0 and 0 --> 1)
> - It has certain input characteristics (let's say the limit for 1 is
> 2.2V and above and 0 is 0.5V or less, taking some amount of current).
> - It has certain output characteristics (drive current, voltage
> levels, etc.)
> - There are certain timing characteristics (propagation delay, etc.)
>
> From that, a reasonably skilled engineer can "reverse engineer" the
> CMOS NOT gate of company A in a number of different ways, without
> necessarily looking at how company A placed their transistors.
>
> The same goes for a chip. In effect, AMD has "reverse engineered"
> certain characteristics of Intel's architecture in the same way, to
> make their chips compatible. Both will have a command like an Integer
> Addition, that behaves similarly, but was originally defined by Intel.

I remember one of the guys who founded LT talking about some part (a
voltage reference?). He said something like "we designed it at
(another company), we designed it at Linear". When the same guys, with
the same plus a bit more experience, re-do a design quickly-like,
there will probably be some similarities.


Best regards,
Spehro Pefhany
--
"it's the network..." "The Journey is the reward"
speff@interlog.com Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog Info for designers: http://www.speff.com
 
Jim Thompson wrote:
> I was hired because I was "clean"... and, as is typical with most
> projects I take on, I didn't have a prior clue about hard-drive
> controller chips and had never seen National's schematics.
>
> I worked strictly from data sheet specifications and my final result
> was better performing than National's ;-)

That is always fun, isn't it? :)

One of my first PC programming tasks was to write an implementation of
Kermit, to do file transfers to/from our VAX (which ran Interactive UNIX
under VMS).

I implemented all the optional features, including sliding windows and
large packets, with selectable checksum etc, and the resulting almost
pure Pascal program (with inline asm for serial port interrupt
handlers), turned out to run up to 4 times faster than the pure asm
reference implementation (from Columbia University afair?).

> This is typical industry practice, to avoid lawsuits that will result
> if the schematics are the same.

I bet your contract included several paragraphs where you declared your
own virginity in this field, right?

Terje
--
- <Terje.Mathisen@hda.hydro.com>
"almost all programming can be viewed as an exercise in caching"
 
On Wed, 03 Aug 2005 21:20:14 +0200, Terje Mathisen
<terje.mathisen@hda.hydro.com> wrote:

> Jim Thompson wrote:
>> I was hired because I was "clean"... and, as is typical with most
>> projects I take on, I didn't have a prior clue about hard-drive
>> controller chips and had never seen National's schematics.
>>
>> I worked strictly from data sheet specifications and my final result
>> was better performing than National's ;-)

[snip]

> I bet your contract included several paragraphs where you declared your
> own virginity in this field, right?
>
> Terje

Yes ;-)

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona Voice:(480)460-2350 | |
| E-mail Address at Website Fax:(480)460-2142 | Brass Rat |
| http://www.analog-innovations.com | 1962 |

I love to cook with wine. Sometimes I even put it in the food.
 
"What about processors have they been reversed engineered ?"

Yes, but modern processors at 90nm and smaller will need some very
expensive optics (deep UV) to scan them at the necessary resolution in
order to create an equivalent mask set. And then you will need to
exactly duplicate the doping profiles on the transistors in order that
the 0.1% analog elements remain functional. And then there are the
problems of fuse programming,... in order to create a part that is a
duplicate of the part being duplicated!
 
In article <dcpn83$5d5$1@news4.zwoll1.ov.home.nl>,
Skybuck Flying <nospam@hotmail.com> wrote:
> One question:
>
> Is that legal ? :)
>
> It's probably legal how can otherwise a company like that exist ?

Legality and opportunity are not equivalent. There are lots of firms,
often located in nations with weak enforcement, who make millions on
copyright/patent infringement.

In the former Soviet Union, trade embargoes on computer technology
often led to reverse engineering sponsored by the government with
large capital investment.

For more direct examples: heroin/cocaine cartels, Enron, Tyco, MCI
WorldCom, Columbia HCA.

Modern American business management is often a process of what you
can get away with, not what is "legal."

That said, reverse engineering a modern multilayer ASIC is not a
simple process. Even with gate arrays, there are a variety of
antipiracy features which can be used to make the process much more
difficult.

Like many things, it comes down to the issue of what is practical
and profitable as opposed to what might be possible given infinite
time and resources.

Legality, however, is often a matter of how deep one's pockets are.

As Phil Slackmeyer, Investment Banker, said: "Ethics... a powerful
negotiating tool."
 
In article <1123083169.157351.48940@o13g2000cwo.googlegroups.com>,
kmaryan@gmail.com <kmaryan@gmail.com> wrote:
> Keep in mind that much "reverse engineering" is however done by way of
> functional specifications. It's often not necessary to completely look
> at all the details of a circuit (or any other system) to be able to
> duplicate it. Consider something simple like a CMOS NOT gate:
> ...

And thus was begat Linux...
 
On Thu, 04 Aug 2005 17:33:41 GMT, forbin@dev.nul (Colonel Forbin)
wrote:

> In article <dcpn83$5d5$1@news4.zwoll1.ov.home.nl>,
> Skybuck Flying <nospam@hotmail.com> wrote:
>
>> One question:
>>
>> Is that legal ? :)
>>
>> It's probably legal how can otherwise a company like that exist ?
>
> Legality and opportunity are not equivalent. There are lots of firms,
> often located in nations with weak enforcement, who make millions on
> copyright/patent infringement.

[snip]

Anything for a buck....

http://www.semiconductor.com/index.asp?c=4370

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona Voice:(480)460-2350 | |
| E-mail Address at Website Fax:(480)460-2142 | Brass Rat |
| http://www.analog-innovations.com | 1962 |

I love to cook with wine. Sometimes I even put it in the food.
 
Colonel Forbin wrote:

(snip)

> Legality and opportunity are not equivalent. There are lots of firms,
> often located in nations with weak enforcement, who make millions on
> copyright/patent infringement.
>
> In the former Soviet Union, trade embargoes on computer technology
> often led to reverse engineering sponsored by the government with
> large capital investment.

There is a story that when the Russians started making ICs
someone decided that 2.5mm is close to 0.1in, so their DIPs
have the pins spaced 2.5mm apart. Maybe close enough for
one pin spacing, but it is cumulative and the result is that
they don't fit in the socket.

-- glen
 
"glen herrmannsfeldt" <gah@ugcs.caltech.edu> wrote in message
news:o56dnUtLmZ1eFm_fRVn-jg@comcast.com...
> There is a story that when the Russians started making ICs
> someone decided that 2.5mm is close to 0.1in, so their DIPs
> have the pins spaced 2.5mm apart. Maybe close enough for
> one pin spacing, but it is cumulative and the result is that
> they don't fit in the socket.

I can't tell you how many beginners I've seen build footprints for DB-style
connectors and figure that .1" is close enough (and on their grid) to the true
.109" spacing that they'd just go with it... :) (And with enough of a
ham-fisted approach, even a DB-25 can be made to fit in .1"-spaced holes!)
 
Joel Kolstad wrote:

> "glen herrmannsfeldt" <gah@ugcs.caltech.edu> wrote in message
> news:o56dnUtLmZ1eFm_fRVn-jg@comcast.com...
>> There is a story that when the Russians started making ICs
>> someone decided that 2.5mm is close to 0.1in, so their DIPs
>> have the pins spaced 2.5mm apart. Maybe close enough for
>> one pin spacing, but it is cumulative and the result is that
>> they don't fit in the socket.
>
> I can't tell you how many beginners I've seen build footprints for DB-style
> connectors and figure that .1" is close enough (and on their grid) to the true
> .109" spacing that they'd just go with it... :) (And with enough of a
> ham-fisted approach, even a DB-25 can be made to fit in .1"-spaced holes!)

Wonderful isn't it ?

Seen the same thing with 0.156" pitch connectors spaced at 0.15". It's ugly !

Graham
 
