38C3 - Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!

https://media.ccc.de/v/38c3-proprieta... Custom silicon chips are black boxes that hold many secrets, like internal ROMs, security features and audio DSP algorithms. How does one start reverse engineer them? Let's look at the basics of silicon reverse engineering, what gate array chips are, and how some tooling can generate Verilog code automatically from a die shot. A digital synthesizer from 1986 was completely shrouded in mystery and dubious marketing claims. Being that old, eventually every working unit will break, leaving us with the no info about its inner workings. I could not accept this, so I decided to get into silicon reverse engineering. By dissolving its undocumented custom chips into acid and looking at them through a microscope, I was able to get an understanding of what was going on internally, to be able to preserve it and emulate it in the future. This is possible because lot of custom silicon chips from that era (80s and 90s) are of the "gate array" type: a grid-like structure that contains thousands of digital logic gates. By looking at them closely we can understand what those gates do, and by following the wiring between them we can reconstruct the entire system. This method allowed people to understand and recreate perfect emulations of arcade games, sound chips, security ICs and more. In this talk I want to tell my journey into silicon reverse engineering from my perspective of a complete beginner and software guy, and what I learned in the process. I will go through the different kinds of custom chips, how they look under a microscope, their different parts, what can be easily reverse engineered and what can not. Those chips do not only contain logic, but also RAM and ROM parts, and knowing how to identify them can give clues when looking at the logic is too complicated. Sometimes a chip can be completely understood even without knowing that a MOSFET is. I will also cover the process I used for reverse engineer them, some techniques that worked and some that didn't, and some tools I built to automatically extract mask ROMs and generate Verilog code from die shots. giulioz https://events.ccc.de/congress/2024/h... #38c3 #HardwareMaking Licensed to the public under http://creativecommons.org/licenses/b...