🧟 🛶 🍄 We consider individual bits in the microcircuit picture: how to act when the architecture is unknown 🧚🏻 🎅🏽 👩🏾‍🤝‍👩🏻

Introduction

I'm just getting started on the journey into Integrated Circuit Reverse Engineering (ICRE), but I was already completely overwhelmed with a passion for the industry. In addition to the computer and electrical aspects of ICRE, an extensive knowledge of physics and chemistry is required to work in this area. At first, the chemical constituent frightened me, since I hardly knew chemistry. Not to mention how dangerous it is to work with products required for opening (decapsulation) and layer-by-layer preparation of chips.

Believe me, I prepared for about 2 years before actually investing in a lab. I didn’t want to move on to the first experiment until I had acquired all the equipment needed to operate safely and had taken the necessary precautions. The first rule of chemistry is well known: in all situations except abnormal, at each step you need to know what to do next. However, I am a person so carried away that if I see a goal, nothing can make me turn from the path towards it.

Preparation

The first thing I needed to do was to sort out a whole range of very expensive things and solvents that I needed to buy. Here is a list of the equipment and consumables that I bought.

Why did I need a metallurgical microscope and not a stereomicroscope or a composite microscope? Because most microscopes have illumination from below, and the light is reflected from the XY plate, and you can't work with ICs like that, since they are not double-sided. The layers of the crystal under consideration must be properly illuminated so that the light is properly reflected in the direction from top to bottom. Metallurgical microscopes use what is called EPI illumination, a unique type of illumination also referred to as epifluorescence . The solution allows not only to illuminate the IC object / sample; moreover, the microscope objective collects light reflected from the sample surface.

. , – . , – , . , , , , .

, CH340G Arduino Nano v3, , , , . , , , , , . , , – , .

Arduino , , . , , , . , , ATmega328P, , - , , , , -.

Disassembled into layers Atmega328P — Atmega328P

, (SiO₂ / ), , , .

: , : siliconpr0n.

- .

, , - , ? . (MROM) , . . :

TI TMS5200NL ROM vs. SiliconPr0n CBM 65CE02 ROM — TI TMS5200NL CBM 65CE02 SiliconPr0n

, , . n- , , p-, .

, - . 1 != 1 . , , - «», , , . , . - : , , «» «»[1] [2] , , . «», , , – , , . , , , .

Transistor Model in NAND Flash — NAND Flash

, ( , ) ( ), , .

, , -, . , , . , . , , . - , . , .

- . , , , () . , , , , .

, ( ) , . Extracting ROM Constants, , . , , , 1 . , NOR ( , ) , , , .

. 16- MUX 4 , . , , HIGH, . ( ) , LOW.

: CH340G , , .

Arduino Nano, CH340G . 200°C . , .

CH340 soldered to Arduino Nano (chips are not marked) — CH340, Arduino Nano ( )

, , . , .

, . ( H₂SO₄) 20 98% 100- . , , .

170°C, 150°C, , . , H₂SO₄ . , . , , . , , .

, – , :

1. , . .

2. (SO₂), , , . , . , , . , (HNO₃), (NO₂) HNO₃ .

– ? ; , , SOP-16, 1,50 . .

, – ; , . .

: , SO₂, , , . , , – ((C₂H₄)ₙ), . , , H₂SO₄ SO₂, CO₂ H₂O. : 6H₂SO₄ + (C₂H₄)ₙ → 6SO₂ + 2CO₂ + 8H₂O. 337°C, . (S), (O) (H₂O), (SO₂); S + O₂ → SO₂, (SO₃), (V₂O₅), 2SO₂ + O₂ + V₂O₅ ⇌ 2SO₃. , SO₃ + H₂O → H₂SO₄. , , , , (II) (CuSO₄) (HBr) .

, H₂SO₄ , .

, . , .

Silicon crystal extracted from the epoxy shell — ,

, , (C₃H₆O). , , , , . ? , .

, , , , .

CH340G Shot Through Lens with 5x Magnification Lens — CH340G, ,

, , ; , , . , , - , - . , , . , .

A higher resolution picture is available here: https://siliconpr0n.org/map/wch/ch340/mz_20x/ — : https://siliconpr0n.org/map/wch/ch340/mz_20x/

50- , , . , 14 , , 14 . 16:1. , 16 .

14 – , 14- , . , 4 , 8 , 16 32 . , , , , .

. -, . 10 , 6 , 6 4 . , , 4 2⁴ = 16 , . 6 , 64 , 16 x 14 . 10 .

, . – , , , .

, . , . (HCl), (HF) , . , , HCl , HF – .

: . HCl, HF , , , , . HCl , , HF . , . , . , … , HF . , , . HF , HF . , , , .

, , ? , : (Al) 6061 / (Cu). , , Al, Cu. , , .

Cu, HCl, HF Cu , , , . Cu HF. , HCl Cu, , , (H₂O₂), Cu ( ), pKa ( ) . pkA . 1:1 (HOCl) (H₂O). Cu , HOCl, (II), . , (CuCl₂).

H₂O₂ (aq.) + HCl (aq.) → H₂O + HOCl (aq.)

2HOCl + Cu → Cu(HOCl)₂

: , HCl, , , , . [1] [2] .

, CH340, Al, (SiO₂) . HF. HF 40°C, , Whink. 3%, , . 15 , , . Al, SiO₂.

SiO₂ + 4HF → SiF₄ + 2H₂O

, , . :

, . siliconpr0n. , .

, , , . , , . , , , .

rompar, . , , . , Gimp, . : , .

, . 14 , 16 , , 224 . – , , -, 64 . , , , 1,7 .

rompar 3 ; , .

➜ python3 rompar.py image1-50x-ROM.jpg 16 1 Changing edit mode to GRID Changing edit mode to GRID Image is 11694x4318; 3 channels process_image time 0.18801593780517578 read_data: computing grid line redraw time: 6.4373016357421875e-06 grid circle redraw time: 1.1920928955078125e-05 render_image time: 0.22574210166931152

16x1? – . , , , 14 , . , -, - , .

(GUI), , , , . , CV Options -> Pixel Threshold. , :

Enlarged image of bits in the infrared spectrum

, , 0000001, 01110101. , 1, 0. , . Display -> Base Image -> Original. , ctrl+click 1, 16 . , . :

, . . cmd+click , :

, , , Edit -> Mode -> Data Edit Mode. ctrl+click , . ‘1’, ‘0’. , , , , , Data -> Export Data as Text. , , Github.

, , . , zorrom bitviewer. , , zorrom, , . README Zorrom, “, , (.txt) - . .bin , .., , ”. API, , ; , , , , .

, zorrom – , . , WCH, 14- . , , , , « », bitviewer. , – 16- . -, 14- , , , bin-, .

, , , , bin-. - , . , , . , , .

Metal layer (left), Substrate layer (right) — (), ()

. 64 16 x 14 ; , – 2k. , 10 . 0 0. , . , 4 6 . , 16:1. , , , , 14 , .

bitviewer . , , bitviewer , .

, , 32 , , 16 , . – .

, - , . Byte view (hex). , , 1) , , 2) . , - , , .

- , Export Options. , , , , , . , , , : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15. , , , : Reverse output bit order Address run right-to-left. .

05C0: FE 73 FF DB EF ... .s...t...t.b.|.j 05D0: FE 50 C6 5F D6 ... .P._._.Q...P.... 05E0: DD 74 DF F8 ED ... .t...&.m...S.p.. 05F0: FF 6D ED 00 FF ... .m...y...|.....> 0600: FF 7A FF 6A ED ... .z.j.<.g.Z.X.s.. 0610: D9 74 CE 65 ED ... .t.e...W.p...[.. 0620: E6 F0 F5 5B F0 ... ...[.W.W.W.W....

- . , … , /. , . , bitviewer ; Select all, . , Invert Sel.

, , , .

0770: 10 03 10 09 ... .............U.. 0780: 10 53 10 00 ... .S...B...2...... 0790: 10 30 10 00 ... .0...-..3...3... 07A0: 33 F3 10 00 ... 3...3...3...3... 07B0: 2F A4 10 00 ... /.....(.....+... 07C0: 10 23 29 08 ... .#)...../.. .'/. 07D0: 10 02 10 03 ... ..../.....+..P.S 07E0: 2F A4 10 72 ... /..r.e/..i.r/..n 07F0: 10 6D 2F A4 ... .i/..t.a+.. .l..