Reverse-Engineering Custom Logic (Part 1)

Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors.

To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter:

To read logic, you first have to find the transistors and decide where Vcc (+) and ground (-) are located. Transistors are easy to spot: they always look much like the two transistors marked in the picture, a rectangular shape with a line through the middle. Vcc is always next to the larger transistors (PMOS), and ground is closer to the smaller ones (NMOS).

Once you have identified the transistors, draw a small circuit diagram that shows how they are connected to each other. In the example, the inputs of the two transistors are connected together, and so are their outputs on the left side. From this circuit diagram you can read that whatever you assert at the input, the output is forced to the opposite state — an inverter.

Every gate follows these basic principles but varies in the number and arrangement of its transistors. A 2-NOR gate (Y = !(A|B)), for instance, is composed of 4 transistors in this setup:

Once you have figured out a gate, you can recognize every occurrence of that function on the whole chip, because the exact same shape is always used for the same function. Generally, you only need to read a few dozen gates at most to generate a map of functions across the whole chip. Get a head start on reading logic by checking out the logic gate collection at The Silicon Zoo.
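The reading step described above (treat each PMOS/NMOS as a switch, follow the wiring from Vcc and ground to the output, and write down what the output does for every input) can be carried out mechanically. The script below is an added example, not code from the post or from Flylogic; it encodes the post's inverter and 2-NOR as small transistor netlists, derives their truth tables, and matches them against a few reference functions. It also goes slightly beyond the post by including the dual arrangement (parallel PMOS, series NMOS), which gives a 2-NAND. The net names (`VCC`, `GND`, `Y`, `n1`) and the tuple format are assumptions of this example.

```python
from itertools import product

# Each transistor is modelled as a voltage-controlled switch between two nets;
# drain and source are interchangeable for this purpose. A PMOS conducts when
# its gate is at 0 (ground), an NMOS when its gate is at 1 (Vcc). Net names
# ("VCC", "GND", input names, output "Y", internal "n1") are assumptions of
# this example. Tuple layout: (kind, gate_net, net_a, net_b).

def conducts(kind, gate_value):
    """True if a transistor of this kind is switched on by gate_value."""
    if kind == "PMOS":
        return gate_value == 0
    if kind == "NMOS":
        return gate_value == 1
    raise ValueError(f"unknown transistor kind {kind!r}")

def reachable(start, transistors, levels):
    """Nets connected to `start` through transistors that are currently on.

    `levels` maps every gate net to its logic value, so this handles
    combinational gates whose transistor gates are driven directly by inputs
    (no feedback, no internal node driving a gate).
    """
    seen = {start}
    frontier = [start]
    while frontier:
        net = frontier.pop()
        for kind, gate, a, b in transistors:
            if not conducts(kind, levels[gate]):
                continue
            for here, there in ((a, b), (b, a)):
                if here == net and there not in seen:
                    seen.add(there)
                    frontier.append(there)
    return seen

def truth_table(transistors, input_names, output):
    """Output value for every input combination.

    1 = pulled to Vcc, 0 = pulled to ground, 'Z' = floating (neither network
    conducts), 'X' = contention (both conduct). A well-formed CMOS gate never
    produces 'Z' or 'X'; seeing one means the netlist was read wrongly.
    """
    table = {}
    for bits in product((0, 1), repeat=len(input_names)):
        levels = dict(zip(input_names, bits))
        up = output in reachable("VCC", transistors, levels)
        down = output in reachable("GND", transistors, levels)
        table[bits] = "X" if up and down else 1 if up else 0 if down else "Z"
    return table

# Reference functions used to name a derived truth table.
REFERENCE = {
    "NOT": lambda a: int(not a),
    "NAND2": lambda a, b: int(not (a and b)),
    "NOR2": lambda a, b: int(not (a or b)),
    "AND2": lambda a, b: int(a and b),
    "OR2": lambda a, b: int(a or b),
    "XOR2": lambda a, b: a ^ b,
}

def identify(table):
    """Name the function a truth table implements, or 'unknown'."""
    width = len(next(iter(table)))
    for name, fn in REFERENCE.items():
        if fn.__code__.co_argcount != width:
            continue
        if all(fn(*bits) == value for bits, value in table.items()):
            return name
    return "unknown"

# Inverter from the post: one PMOS to Vcc, one NMOS to ground, gates tied to A.
INVERTER = [
    ("PMOS", "A", "VCC", "Y"),
    ("NMOS", "A", "Y", "GND"),
]

# 2-NOR from the post: two PMOS in series between Vcc and Y (both inputs must
# be 0 to pull up), two NMOS in parallel between Y and ground (either input at
# 1 pulls down). "n1" is the internal node between the series PMOS.
NOR2 = [
    ("PMOS", "A", "VCC", "n1"),
    ("PMOS", "B", "n1", "Y"),
    ("NMOS", "A", "Y", "GND"),
    ("NMOS", "B", "Y", "GND"),
]

# Added for comparison (not in the post): parallel PMOS and series NMOS, the
# dual of the NOR arrangement, gives a 2-NAND.
NAND2 = [
    ("PMOS", "A", "VCC", "Y"),
    ("PMOS", "B", "VCC", "Y"),
    ("NMOS", "A", "Y", "n1"),
    ("NMOS", "B", "n1", "GND"),
]

if __name__ == "__main__":
    for label, netlist, ins in (("inverter", INVERTER, ["A"]),
                                ("2-NOR", NOR2, ["A", "B"]),
                                ("2-NAND", NAND2, ["A", "B"])):
        table = truth_table(netlist, ins, "Y")
        print(f"{label}: {identify(table)} {table}")
```

The pull-up/pull-down split mirrors what you read off the die: the PMOS network next to Vcc decides when the output is driven high, the NMOS network next to ground decides when it is driven low, and the series-versus-parallel arrangement of each network is the whole difference between NOR and NAND. A result of `Z` or `X` for any input combination is a useful sanity check that a transistor was miscounted or a wire traced to the wrong node.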

Here is a challenge for you to try (open in GIMP or Photoshop and toggle between the different layers):

It’s about the hardest function found on most chips, with a total of 34 transistors, 3 inputs, 2 outputs, and time-variant behavior. The solution will be posted next week.

16 Responses to “Reverse-Engineering Custom Logic (Part 1)”

  1. [...] that reverse engineered the crypto in MiFare RFID chips. In his first post, he starts out with the basics of identifying logic cells. By studying the specific layout of the transistors you can reproduce the actual logic functions of [...]

  2. anon says:

    this is excellent!

  3. Here is my stab at the solution. Warning possible spoiler.

    http://www.flickr.com/photos/jeriellsworth/2856054068/

    You guys may also be interested in my home chip lab I’ve built and made some working active devices.

    -Jer

  4. [...] solution will be published on Flylogic Engineering’s Analytical Blog next [...]

  5. Jay Shroff says:

    Hi Jer,

    The home chip lab looks really cool, I would love to create a chip at home; if nothing else my kids would think I am a miracle worker :-)

    Any more details on how one might go about setting up a home chip lab?

    Thanks
    Jay

  6. Chris Eng says:

    echo -en "{my answer}" | openssl sha1

    a7211260c11f3d4aeddb1fd3749199680cfb826f

  7. I’m working on an article for make magazine. I’ll be giving it to them in 30-60 days.

    I’m experimenting to see if I can substitute the compressed nitrogen now.

    -Jer

  8. Alfred says:

    Probably a D Flip-flop.

  9. Jay Shroff says:

    Cool, can’t wait for the Make mag article, I will be looking for it

    Thanks

  10. HeBD says:

    What about people who don’t buy mags? Anything on the net?

    I can’t see a transistor in the images :( Can someone trace out the p/n material blobs for me?

    Also, why does the top transistor have an ‘o’ on it? It looks the same to me :S I feel you’re not telling me something important that I need to know to get this, or am I just retarded? The above images look nothing like the ones at http://en.wikipedia.org/wiki/Bipolar_junction_transistor

  11. Karsten Nohl says:

    HeBD,
    the transistors do actually look pretty much like the schematic on Wikipedia.
    All modern chips are built from PMOS and NMOS transistors (PMOS being the ones with the ‘o’). Short of dyeing the chip, you can distinguish PMOS and NMOS only by their sizes: PMOS are typically larger since they have less drive than NMOS of similar size.

  12. admin says:

    HeBD,
    To further add to Karsten’s reply, possibly look at the Wikipedia article on FETs.

  13. [...] slower than alternatives such as CMOS, which combines PMOS and NMOS transistors as illustrated in this post. It’s beautiful to see how none of the inefficiencies we see in modern chips are found on the [...]

  14. HeBD says:

    Yes, thanks. I found the FET page last night after the 4004 post actually, and it almost all makes sense now :)

    Only thing is, the ones with the ‘o’ are the + ones. Is the ‘o’ to show the switching sense is inverted?

    Thanks for your responses

  15. Anshuman says:

    Hi,
    I want to know if it is possible to read a locked PIC microcontroller? If yes, how to do that? Any help?
