Visual6502wiki/The reverse engineering process

From NESdev Wiki
Revision as of 05:33, 10 February 2022 by Lidnariq (talk | contribs) (copy wikitext from archive.org)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Overview

To help explain which state each of our projects is at, here's a description of the steps we follow:

  • Get a chip, usually just one of a particular kind but sometimes more
  • Depackage the chip
    • Chips with a metal lid or a ceramic sandwich package are preferable since these have no plastic in contact with the die.
    • Chips packaged in plastic must be treated with very hot, very nasty acids which we do at a local laboratory with proper equipment
  • Photograph the exposed surface of the chip through a microscope
    • Many separate photographs must be taken to cover the surface at high enough resolution
  • Stitch the photographs into a single large image
    • Alignment data is used to correct individual photographs for optical distortions
  • Usually, de-layer the chip to reveal hidden or obscured lower features
  • Photograph and stitch each layer image
  • Align all layer images to each other
  • Create polygon models of each part of the chip based on the aligned images
  • Convert the polygon data into a description we can simulate
  • Investigate the behaviour of the chip by simulation
  • Investigate the layout and logic design
  • Write up our results on this wiki

Microphotography

Based on our own work and advice from several professionals in the field

  • A 20x objective is great, while 100x is overkill and difficult to work with
    • 10x is sometimes adequate for chips with 4 um to 6 um feature sizes, but its better to shoot at higher magnification and downsample the result.
  • Useful whole-chip images are typically 6000 to 10000 pixels on a side
  • Use an X-Y table to ensure no rotation between the successive images
    • A position readout is not needed, and position information from the microscope is not used to stitch images
  • Try to get the chip dead level so its entire surface is in the focal plane
    • A tip-tilt stage with micrometer drive is essential for this, unless you are very patient
  • Use a manual fixed exposure, zoom, and white balance for all images
    • Microscopes with a variable zoom are not helpful and could waste a lot of your time later on
  • Save images in RAW format if possible at the highest quality
  • Aim for at least 200 pixels of overlap between adjacent images

De-layering

Stripping away individual layers of a chip to reveal the parts and features below can be one of the most difficult and even hazardous procedures owing to the chemicals involved and their byproducts.

  • Some labs may use repeated mechanical or chemical-mechanical polishing and photography to image successive layers
    • This is more common for modern devices, especially those that have been planarized during manufacture
    • It may be riskier and costlier for the older chips we study which have only a single metal layer and whos surfaces are very irregular
  • Plasma etching and various chemicals can be used to remove all the material of a particular layer at once

Resources

Labs:

  • Raw Science a lab in the UK who deprocessed and photographed the Spectrum ULA
  • 3g forensics a lab in the UK who deprocessed the Tube ULA
  • [1] MEFAS, a failure analysis lab mentioned in this posting by Henry of reactivemicro.com on AtariAge forums

Papers and websites:

Mailing lists, blogs and forum postings:

See also our Educational Resources page