
How to "open" a microchip and what's inside? - networked
http://zeptobars.ru/en/read/how-to-open-microchip-asic-what-inside
======
networked
I've got to add that this is pretty much how Intel's x86 processors were
reverse engineered [1] for use in Soviet IBM PC clones like Poisk [2]. Most
resources on the Web talk about clones of CPUs up to and including the 80286
but I am told there was at least one successful attempt at cloning an earlier
version of the 80386. The smaller sub-1 µm process used by Intel for later
80386 and 80486 units proved too much, however.

[1] <http://www.cpu-world.com/info/exUSSR-chips.html>

[2] <http://www.oldcomputermuseum.com/poisk.html>

~~~
BarsMonster
I am the one who has done all these chip photos.

I am still looking to find a Soviet 286 (КР1847ВМ286), but it seems it is
extremely rare. If anyone has one - contact me ASAP :-)

Just to be fair - I didn't find that Soviet "clones" were clones - layout was
changed significantly. Centralized planning demanded 100% compatible chips to
make near-100% compatible computers, that's the root of all evils.

~~~
terminus
Thanks for all the work. That was an amazing read.

I've always wondered how people map chip-die photos into something like this:
<http://chip-architect.com/news/2007_02_19_Various_Images.html>

or this:
<http://chip-architect.com/news/2003_09_21_Detailed_Architecture_of_AMDs_64bit_Core.html>

I can see how figuring out the cache and the internal buses might be doable,
but the rest... Any insights?

~~~
raphman
Maybe interesting:

<http://www.righto.com/2013/01/a-small-part-of-6502-chip-explained.html>

<http://www.visual6502.org/>

------
dhx
These images would be a fantastic resource on Wikimedia Commons (for use in
Wikipedia articles). The licensing (Creative Commons Attribution 3.0 Unported
License) is compatible as per [1] and [2].

I've got things started with the 74HC595 die photo at [3] and [4].

[1] <http://zeptobars.ru/en/contacts>

[2] <https://commons.wikimedia.org/wiki/Commons:Licensing#Well-known_licenses>

[3] <http://commons.wikimedia.org/wiki/File:74HC595-HD.jpg>

[4] <https://en.wikipedia.org/wiki/7400_series>

------
StringyBob
Can't let a post like this go by without name-checking a couple of other
sites:

Visual 6502 for taking such photos and then emulating, or should I say
simulating, the cpu from the images - in JavaScript: <http://visual6502.org/>

Chipworks for commercial silicon analysis of big modern system on chips
(source of some photos of recent Apple silicon):
<http://www.chipworks.com/blog/technologyblog/2013/01/21/the-straight-dopant-scm-at-chipworks-2/>

------
tripzilch
So if I get this correctly from the other comments, reversing a current-day
modern CPU chip is much, much harder?

Is it at all possible? On what kind of budget?

Say there's a number hidden on a modern CPU chip, a cryptographic key. That's
one of the things "Trusted Computing" architecture uses, right? Is there _any_
way to retrieve that key? With a really large budget? Or is it truly
impossible, tamperproof beyond any macroscopic objects, not accessible without
destroying the data itself?

Because if that is so, that'd be disgusting, and I understand one of Richard
Stallman's paranoid precautions quite a bit better--afaik the netbook he uses
has one of the few brands of chips whose design is "open". Of course if it's
tiny enough, you still don't know if what's _in_ it is exactly what the design
says should be in it (like running binaries instead of compiling from source),
but I suppose that is the best one can do.

It's crazy then, that with our drive for faster and faster computers, at some
point, we may lock ourselves out.

~~~
smalley
Absolutely possible, people reverse engineer parts of our chips and I'm pretty
sure a well supplied failure analysis lab could do some of the work as well.

It's certainly doable to reverse engineer out a cryptographic key from a chip,
but most of the people who could afford to do this wouldn't really need to do
so. Secure elements are typically substantially more protected than standard
logic. The structures can be designed in a manner to be very difficult to
access without damaging them rendering them unreadable.

Such a cryptographic key would likely be scattered in pieces around the chip,
delivered through winding busses below enough critical logic connections and
power rails so that the chip wouldn't be as vulnerable to a focused ion beam
attack or infrared analysis. This makes it difficult to observe without
destroying enough of the chip that live examination would not be possible.
There are also tricks that would be used to mitigate the risk of differential
power attacks etc.

The bigger threats to secure elements are sloppy design with DFT/DFM (Design
For Test) features. Most complex chips have at a minimum a mechanism of
connecting a large number of the design's flops to what's like a huge shift
register. If you knew enough of the design you could try to locate the output
of a block which has access to the secure value, scan in a vector that makes
it easy to recover the value (e.g. an XOR element you can force to XOR with
0's) and scan it out.

There are also other DFT features like on-die logic analyzers, micro-breakpoint
engines, code signing overrides etc. Virtually all of these features are
physically disabled prior to volume manufacturing. If a company was sloppy
this could expose things that shouldn't be exposed.

There are other attacks as well though. If you could compromise the signing
keys for the microcode delivered to a processor like a modern x86 processor
you could change the behavior of instructions. With custom microcode you could
catch and override basically any instruction (for example you could change
where a LOAD instruction stores data or make ADD do jmp etc). You could
definitely use something like that in a malicious manner.
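
The scan-chain exposure described in the comment above, as a toy Python model for checking that a countermeasure actually closes it (an added example, not part of the original thread and not a model of any real chip). The `ScanDesign` class, the 8-bit width, the sample secret and the clear-on-test-entry option are assumptions made for illustration; only "scan disabled before volume manufacturing" comes from the comment.

```python
WIDTH = 8
SECRET = 0xA7  # constructed sample value, not from any real device
class ScanDesign:
    """Toy block: out = in XOR secret, with in/out flops on one scan chain."""
    def __init__(self, secret, scan_fused_off=False, clear_on_test=False):
        self._secret = secret
        self.scan_fused_off = scan_fused_off  # scan access disabled before shipping
        self.clear_on_test = clear_on_test    # assumed extra: wipe key on test entry
        self.test_mode = False
        self.chain = [0] * (2 * WIDTH)        # input flops, then output flops (MSB first)

    def enter_test_mode(self):
        if self.scan_fused_off:
            return False
        if self.clear_on_test:
            self._secret = 0
        self.test_mode = True
        return True

    def shift(self, bits_in):
        """Clock bits through the chain; return what falls out of the scan-out end."""
        out = []
        if self.test_mode:
            for bit in bits_in:
                out.append(self.chain.pop())  # last flop drives the scan-out pin
                self.chain.insert(0, bit)
        return out

    def capture(self):
        """One functional clock: the XOR block updates the output flops."""
        data_in = sum(b << (WIDTH - 1 - i) for i, b in enumerate(self.chain[:WIDTH]))
        result = data_in ^ self._secret
        self.chain[WIDTH:] = [(result >> (WIDTH - 1 - i)) & 1 for i in range(WIDTH)]

def leaks_secret(chip, secret):
    """True if an all-zero scan vector exposes `secret` on the scan-out pin."""
    if not chip.enter_test_mode():
        return False
    chip.shift([0] * WIDTH)        # XOR with zeros passes the secret through
    chip.capture()
    out = chip.shift([0] * WIDTH)  # bits arrive LSB first
    return sum(bit << i for i, bit in enumerate(out)) == secret

def audit():
    return {
        "scan_enabled": leaks_secret(ScanDesign(SECRET), SECRET),
        "scan_fused_off": leaks_secret(ScanDesign(SECRET, scan_fused_off=True), SECRET),
        "clear_on_test": leaks_secret(ScanDesign(SECRET, clear_on_test=True), SECRET),
    }
```

`audit()` reports a leak only for the configuration that ships with scan access still enabled.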

~~~
yk
What is a "focused ion beam attack"? ( Is it as cool as it sounds?)

~~~
cnvogel
What's a focused ion beam?

Ions are charged atoms. In vacuum you take a small inlet of gas (only very
little), or heat up a small piece of solid until it evaporates, depending on
what type of atom you want to use. Then ionize it (e.g. having a white glowing
hot piece of wire in the vicinity) then accelerate it. With electrodes and
coils (like, e.g. used in old CRT TVs/monitors) you can form a narrow,
focused beam you can move around. This all has to be done in vacuum, because
the beams will stop in (dense) air immediately.

This is your "cannon" with which you can very precisely aim and shoot at a
target.

Where is this done?

The microscopes used for the very delicate structures in modern microchips are
normally electron microscopes (not using light but electrons for imaging). They
operate in a vacuum which is very handy, because in that vacuum the focused
ion beams can operate.

If you want to buy, ask your dealer for a "Focused Ion Beam Workstation", e.g.
<http://www.photonics.com/Article.aspx?AID=50359>. Have 100k€ - 1M€ to spend.
;-)

What to do?

So you have your chip in your electron microscope, and you know that buried
below some other structure is a signal hidden from plain view (maybe on
purpose on a secure chip, but maybe you are debugging your own design and it
just happens that this is where you suspect the answer to why the chip is not
operating as required).

So you set your ion-beam to "heavy noble gas, e.g. Xenon" and shoot particles
to drill a small hole until you have a trench down to the interesting signal.
But that trench is not wide enough to allow your (huge!) probe needle to
contact. You switch to "deposit metal" and, with much less impact velocity
for your particles, like with a small brush, you put in a conductive trace
from within the trench to some part on the (still intact) silicon-dioxide
protective layer on top of the chip. This is where you put your probe needle
that can then access the buried signal.

------
xradionut
I was having flashbacks to my days and nights spent testing wafers at a
semiconductor fab. Spend a shift using a misaligned microscope and walk
outside and see THREE moons. But I have mad soldering skills from building
probe cards.

------
qwertzlcoatl
Silicon Zoo has some awesome pictures of interesting artwork found on
microchips.

<http://micro.magnet.fsu.edu/creatures/index.html>

------
contingencies
Even though the details may already be well known, someone with some stock
could consider sending these guys a 'clipper chip' in celebration of its
defeat. <http://en.wikipedia.org/wiki/Clipper_chip>

------
Frencil
Amazing how the insides of these chips are composed of similar looking traces
and microcomponents to the PCBs that house them on a larger order of
magnitude.

------
BarsMonster
FYI, I've just switched image hosting to OVH CDN, let me know if images are
not loading for you. Thanks.

~~~
PanMan
Which OVH CDN? Did you rent servers, or do they have a CDN service I don't
know?

~~~
BarsMonster
They have a CDN service in beta test - <http://www.ovh.com/fr/cdn/>

------
XorNot
It seems like you could avoid the heating needs as much by using hydrogen
peroxide with the sulfuric to make Piranha solution, which is a great and
voracious organic compound eater.

~~~
BarsMonster
Initially I was trying that, but 98% sulfuric acid and 40% hydrogen peroxide
needed like 3 days to etch plastic (with like 10 fresh "mixes"). Now I can try
that with higher concentrations, would be great if it could lower temperature.

~~~
pbhjpbhj
How did you heat it up, microwave?

~~~
BarsMonster
No, I use a hot plate and IR thermometer to control temperature.

------
frdgr
Beautiful!! Someone should make large posters out of this.

The process gives it an artsy mechanical feel, as if we could see the sign of
time and efforts these little things put in computations.

~~~
chiph
Intel used to make posters available (back in the Pentium-II days) and they
were really cool. I used to have one that I had to leave behind at a previous
job.

In the current copyright environment, I'm not sure they could be made
available. Which stinks, as just looking at them & trying to figure out what
the sections did (ALU, cache, registers, etc) is sort of inspiring.

Intel, AMD, Freescale, etc. should partner up with art.com or someone else who
can print out large posters (and ship them wrinkle-free). Maybe donate any
profits to an engineering-for-teens program of some kind.

------
mtdev
More of the same here: <http://microblog.routed.net/category/icf/> . Third
post contains similar instructions on de-encapsulation.

------
INTPenis
What do all the things inside do? Are they like miniature boards with dozens
of tiny connections?

~~~
ableal
Basically, yes. Those are silicon chips, with alternate layers of glass (SiO2)
and metal deposited on top. The metal layers connect transistors that were
built in the silicon chip proper in the first steps of fabrication.

They are called _integrated_ circuits because, instead of using a board to
connect many pieces of silicon, a single piece of silicon has the whole
circuit. More at the usual place,
<http://en.wikipedia.org/wiki/Integrated_circuit>

------
vxNsr
Incredibly cool! Thanks for sharing

------
theoretick
Beautiful. I think I just found my new desktop background.

------
pg1
Pretty cool. Thanks for sharing.

------
rsingla
These are just gorgeous.

------
LAMike
It looked like maps from GTA

