
Depackaging the Nintendo 3DS CPU - robin_reala
http://gaasedelen.blogspot.co.uk/2014/03/depackaging-nintendo-3ds-cpu.html
======
captainmuon
This is incredibly awesome work, and I envy students who can actually take a
course in this stuff!

However it makes me realize in what kind of weirdly antagonistic society we
live. In an ideal universe, you could just ask the Nintendo engineers for the
chip layouts, or for the boot ROM. It reminds me of a documentary I saw the
other day where they tested the chicken content of chicken salad. Again, in an
ideal universe, you could just ask the manufacturer. Of course that would be
naive in the real world, since manufacturers and consumers have different
interests. Most of the time we don't notice anything weird about this. A bit
of competition is usually considered a good thing. But every now and then I
have a WTF moment... Why are we working against each other? How much
productivity do we lose through duplication of effort? Are the losses from
this smaller or bigger than the gains from healthy competition? I have no
great answer for that...

Oh and sorry for hijacking the comment area for a rant about the world and so
on ;-).

~~~
dubfan
In an ideal world, nobody would steal chip designs and boot ROMs to create
counterfeit products.

~~~
aspensmonster
In an ideal world, we'd all be living in a post-scarcity economy with Basic
Income and no IP laws and no "currency" to speak of.

In an ideal world. An ideal world sounds really cool! The implementation
details might get a little crazy though.

~~~
aspensmonster
An hour goes by and no one has called me on this? "Basic Income" and "no
'currency' to speak of" seem contradictory. I'd go for no currency rather than
BI now that I think of it. Replicators for everyone!

------
lawl
If you're interested in that kind of stuff I highly recommend watching Karsten
Nohl's "Reviving smart card analysis" talk from Chaos Communication Camp 2011
[0].

Basically he takes pictures of the circuits on the smart card and then
reverses the logic _from that_. There's even software to assist with that [1].

As a pure software guy I was pretty baffled when I saw this the first time.

[0]
[https://www.youtube.com/watch?v=fFx6Rn57DrY](https://www.youtube.com/watch?v=fFx6Rn57DrY)

[1] [http://www.degate.org/](http://www.degate.org/)

~~~
amckenna
There was also a great talk at Defcon 21 (last year) walking through a similar
process all the way to using a picture of the ROM and image recognition to
pull binary data. The first half is about building the lab to do this kind of
work so you can skip the first 1/3 - 1/2 if you don't care about that part.

[https://www.youtube.com/watch?v=0Z4aF-qiziM](https://www.youtube.com/watch?v=0Z4aF-qiziM)

------
nfoz
That page has web buttons that _overlap_ my _scrollbar_.... how is that even a
thing? please make it stop.

~~~
frou_dh
For fuck's sake, is it possible to have a HN comments page without complaints
about the design of TFA? Speak to the author if you have a problem with their
site! Don't mumble about it from a distance!

~~~
pyrocat
I think it's useful to point out egregious bad behavior in web
design/implementation. Others can learn from the mistake, or people who
wouldn't necessarily see something wrong with it can learn from the backlash
it generates.

------
Two9A
I seem to recall that imaging the bootloader ROM straight off the silicon was
how the original Gameboy's bootloader was finally pulled out.

I just forget who did it, which is unfortunate.

~~~
coldpie
I spent a fair bit of time trying to find an article or something about this,
but came up empty. I was especially curious to know how you can decode the
program's bits from the silicon.

I found a similar idea here:
[http://members.iinet.net.au/~lantra9jp1/gurudumps1/decap/ind...](http://members.iinet.net.au/~lantra9jp1/gurudumps1/decap/index.html)
The photo in the upper-right looks like it could reasonably be turned into
binary, if you knew what you were looking at.

Anyone have any more info about how this actually works?

~~~
jmpe
Currently on mobile, will update tomorrow.

Start here:

[http://www.visual6502.org/](http://www.visual6502.org/)

Somewhere in that site they detail the step by step process of decapping,
delayering, photographing and identifying the logic.

There's also a JavaScript simulator, check it out.

The CCC also had a few lectures about decapping. The most interesting one is
about backside scanning the die to bypass the safety features.

~~~
jmpe
The CCC backside attack is here:

[https://www.youtube.com/watch?v=dtviiOJ-2hI](https://www.youtube.com/watch?v=dtviiOJ-2hI)

It contains lots of info and technical details.

Another one:

[https://www.youtube.com/watch?v=KVmpBPbGPsQ](https://www.youtube.com/watch?v=KVmpBPbGPsQ)

This is what an actual ROM looks like:

[https://docs.google.com/document/d/18IGx18NQY_Q1PJVZ-bHywao9...](https://docs.google.com/document/d/18IGx18NQY_Q1PJVZ-bHywao9bhsDoAqoIn1rIm42nwo/edit)

As the last image shows, the ROM table values are extracted by graphics
processing the photo.

It's also possible to dump the ROM by reading it byte by byte, but this
depends on the architecture (not always possible) and is typically done for
mask ROMs that contain data.

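The "graphics processing" step jmpe describes ends with a table of cell intensities that still has to be thresholded into bits and packed into bytes in the right order; an added example (not from the thread or the talks it links) doing that for a constructed 4x8 cell grid, with a hypothetical layout where the physical column order is the reverse of the logical bit order:

```python
"""Turn a thresholded photo of a mask-ROM bit array into bytes.

ROM_CELLS is a constructed grid of per-cell grayscale samples standing in
for what an image pipeline would emit (bright cell = transistor present = 1).
The layout is hypothetical: one byte per row, logical MSB in physical column 7.
"""
from typing import List

Grid = List[List[int]]

# Constructed sample: four rows of eight cells, noisy intensities 0..255.
ROM_CELLS: Grid = [
    [210, 195, 30, 52, 201, 188, 44, 61],
    [33, 48, 199, 27, 58, 41, 223, 39],
    [207, 190, 35, 49, 215, 29, 196, 53],
    [204, 42, 55, 30, 46, 218, 37, 51],
]
# Hypothetical column order recovered from the die layout: MSB is column 7.
COLUMN_ORDER = [7, 6, 5, 4, 3, 2, 1, 0]


def threshold(cells: Grid, cutoff: int = 128) -> Grid:
    """Map each cell intensity to a bit; the cutoff is a tunable parameter."""
    return [[1 if v >= cutoff else 0 for v in row] for row in cells]


def pack_row(bits: List[int], msb_first: bool = True) -> bytes:
    """Pack a row of bits into bytes, eight per byte, in the chosen bit order."""
    if len(bits) % 8:
        raise ValueError("row length must be a multiple of 8 bits")
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)


def dump_rom(cells: Grid, column_order: List[int], msb_first: bool = True) -> bytes:
    """Threshold, reorder columns to logical bit positions, and pack each row."""
    return b"".join(
        pack_row([row[c] for c in column_order], msb_first)
        for row in threshold(cells)
    )


if __name__ == "__main__":
    # A wrong column order yields plausible-looking but meaningless bytes, which
    # is why a dump is validated against known strings or opcodes afterwards.
    print(dump_rom(ROM_CELLS, COLUMN_ORDER))      # b'3DS!'
    print(dump_rom(ROM_CELLS, list(range(8))))    # b'\xcc"\xca\x84'
```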
~~~
coldpie
Thanks a lot!

------
guiomie
That is one classy lab.

~~~
tiku
the lab has broken down.. #mirror?

~~~
tiku
[http://webcache.googleusercontent.com/search?q=cache:xj_VqrM...](http://webcache.googleusercontent.com/search?q=cache:xj_VqrMIRmAJ:gaasedelen.blogspot.com/2014/03/depackaging-nintendo-3ds-cpu.html%3FshowComment%3D1395693517906+&cd=2&hl=nl&ct=clnk&gl=nl)

------
rockdiesel
As someone who knows nothing about this stuff, can someone explain to me how
soaking the CPU in sulfuric acid removes the packaging material, but does no
harm to the chip inside?

~~~
samatman
Sulphuric acid is powerful enough to react with polymers, but not to dissolve
silicon.

"does no harm" might be an exaggeration here. It's doubtful you'd have a
functional chip. But the fine structure remains, clearly.

Toss some nitric acid in there, forming aqua regia, and you'll dissolve the
whole chip including any gold.

~~~
azonenberg
> It's doubtful you'd have a functional chip

I have a couple of fully functional examples on my desk that say otherwise. If
you actually want to keep the device usable to the point that you can still
solder it to a board, then you normally preserve most of the package, bond
wires, and leadframe which requires more care during decap. For this
particular specimen we didn't bother because we just wanted the ROM.

Here's an example of a fully functional decapped device soldered back to a
board: [http://i.imgur.com/UebB3FO.jpg](http://i.imgur.com/UebB3FO.jpg)

My lecture notes at [http://security.cs.rpi.edu/courses/hwre-spring2014/Lecture3_...](http://security.cs.rpi.edu/courses/hwre-spring2014/Lecture3_Depackaging.pdf)
go into more detail on various methods, chemical and otherwise, for decapping
with and without preserving the leadframe.

------
maaaats
Wow, this is a world I've never seen before.

~~~
jmpe
If you want more:

[http://zeptobars.ru/en/](http://zeptobars.ru/en/)

The nice thing is they decap old/common devices.

------
mattp123
Wait, so are they actually trying to _take a picture_ of the boot ROM used by
the 3DS?

~~~
foldor
It seems that way. This looks similar to what byuu did for SNES games. Some
SNES games have special dedicated chips, and decapping them allows you to
recreate the logic. It's an expensive and very difficult process though, which
is why it's rare to actually see someone attempt it in the open.

~~~
robin_reala
More info on Dr Decapitator’s SNES decapping escapades at Mameworld
(archive.org link as the subsite is dead):
[http://web.archive.org/web/20111115180306/http://decap.mamew...](http://web.archive.org/web/20111115180306/http://decap.mameworld.info/)

------
the_mitsuhiko
It's impressive how Nintendo can continue selling heavily underpowered
processors to gamers and nobody complains.

~~~
ditoax
I never understood this argument. So Nintendo do not pick the most powerful
CPU/GPU available. Why does that really matter? It is a lot more powerful than
the device before it and it has amazing games on it still.

With a handheld the most important number, to me, is battery life. I still
feel that Nintendo (and Sony) could do more by using a more efficient or lower
power chip and get a couple more hours out of the device.

Then again I do not care that much for graphics so perhaps my opinion is in
the minority. There are several things I would change about the 3DS if I could
but upping the processing power is not one of them.

