Saturday, January 5, 2013

Spoke at EHSM

Talk seemed well received, check it out!  Its a good introduction to the process of going from an IC on a circuit board to determining functionality without going into too much detail.

Slides: http://siliconpr0n.org/uv/epoxy_to_schematic.pdf

http://media.freitagsrunde.org/mirror/ehsm/2012/ehsm-2012-13-siliconpron-dump.m4v.torrent

Tuesday, November 20, 2012

Speaking at EHSM


I'll be doing a talk on general IC RE techniques at EHSM in Berlin later December.  Come by and say hi!  (no I won't be wearing my super-villain outfit)  In other news, work has been busy so not many updates. But a few teasers.


Thanks to help from a friend or two I was able to write a reasonably working camera driver for my MU generation AmScope camera (MD is similar chipset but didn't have obscurified protocol).  Also CNC microscope software has undergone a revamp and is much cleaner and runs on Linux through gstreamer. Having the video widget integrated into the GUI is much more convenient.  I did a proof of concept run but haven't done any "real" imaging runs yet.


Additionally hardware is getting a revamp by adding CNC Z, theta X, and theta Y using picomotors.  If space permits I may add a rotary stage for manual (or possibly CNC) rotation.  This should allow nearly fully automatic imaging (the most time intensive part of imaging right now is leveling the chip).


Finally, I have been learning OpenCV and experimenting with automated techniques.  Needs work but I'm getting better and its been a good learning experience if nothing else.  In short, while Degate is out there I don't really understand how it works and can't improve it (at least the image processing side).  While degate focuses on standard cell matching I'm working with less regular older chips to form polygons.  So, it should form a good compliment to Degate as well as help me contribute as I learn more.

Sunday, July 1, 2012

ST 24C02 sector 17R (clock)

I'm going to post random parts of the ST circuit as I get to them.  For now here is what I'm calling "sector 17" (see wiki page for die location) right half.  I chose it because a quick glance showed some analog components, my guess was clocking related.

Here are the raw images with parts of the Independent/irrelevant left half taken out.

Top metal:


 Top metal removed (using hydrofluoric acid):


M1 removed (using hydrofluoric acid):


 Stripped to active areas (yet more hydrofluoric acid):




Converted using Inkscape with component and supply labels:


P1 and P2 is this circuits I/O.  Supply labels are from tracing from the power pads which I got from the 24C02 datasheet.  Alternatively you could trace from the PCB or recognize that PMOS tends to be larger than NMOS (note 2:1 contact ratio).  I'm not sure why the capacitors are isolated as they are all tied together in parallel.  Maybe some sort of DFM thing?  Unlink the other resistors which were smaller and resembled more of a depletion load design, this resistor (R3) is just a very long and narrowish active area.

Anyway, I then labeled every transistor, resistor, and capacitor so ease schematic capture.  Then I placed them in EESchema in rough layout order and finally wired together from reading the inkscape plot.  This yielded:



And then rearranging to be a little easier to read:

Now lets simplify a little.  We can now see that P2 is an input and P1 is an output.  P2 feeds into a standard CMOS inverter (Q22, Q8) which then feeds into a second CMOS inverter (Q21, Q7) to form a buffer circuit.  Similarly, Q17 and Q3 form an output inverter.  Going back to the buffer, its output feeds into an RC circuit.  Say the circuit starts with the capacitor bank (call it C) drained.  C will slowly charge as P2 is set to logic high and eventually reach a steady logic high condition. 

The next circuit is more interesting.  Lets start by taking a steady state approach to see what it does.  When logic 1 is presented as input we get the following:



An input of 1 turns on the two top NFETs (Q5, Q6) to conduct VSS to output.  The FET next to them (Q19, Q20) are P channel and so is off.  The PFET below (Q18) is switched on  but doesn't have anything to drive since Q19 and Q20 are off.  The circuit is complimentary so switch an input for 0 results in the same thing.  So far we have a really inefficient inverter.

But wait, there's more!  Lets see what happens in between.  Lets treat this as a discrete event simulator where each gate turns on in constant time.  Switching input to 0:

The old transistors are still on because the signal hasn't propagated yet.  Now take another simulation step: 



Now Q5 and Q6 are off and Q19 and Q20 are on.  And..oh dear...  In my computer hardware design class at RPI they showed us a similar circuit and told us that a designer that turns on both the N and the P channel at once is likely to get fired.  Are things so dire?  No.  First, notice that Q18, Q20, Q4, and Q5 are all a little bigger than the others.  Presumably thats so they can take this abuse.  Second, notice that this condition is very temporary.  In the nominal case Q10's gate will get drained a short time later with no new juince coming in and Q20 wins out in the end.  Alternatively, if the input goes back to 1 Q10 keeps the output low while Q5 and Q6 quickly switch back on.

So we have a device that preserves steady state and removes short pulses that swing in the opposite direction.  Such a device is called a Schmitt trigger.  I was able to verify this by finding this paper which had the following diagram:


Which looks exactly like this circuit.

Putting it all together we get the following:


More to come...

EDIT:
According to http://smithsonianchips.si.edu/ice/cd/STR98/EEPROM.PDF page 40, their similar ST chip says what I thought was M1 is actually poly (hey, its a learning exercise!).  I'll see if I can run some etch tests to confirm this.  A friend is working on doing a teardown of the EEPROM structure and I came across that while looking through previous work.  They don't go into gory detail though so he'll still do a writeup.

Thanks for the comments on the capacitors!  I'm working on a writeup of the charge pump so there are a lot more to come ;)

Saturday, June 30, 2012

Misc wiki pages

SRAM device teardown: http://siliconpr0n.org/wiki/doku.php?id=memory:sram

Capacitor example: http://siliconpr0n.org/wiki/doku.php?id=capacitor

Some other minor equipment info.

Also I'm working on a 24C02.  Browse around http://siliconpr0n.org/map/st/24c02/ for the raw images if you want to take a look. 

Also someone did a nice writeup on doing backside analysis: Functional Integrated Circuit Analysis I have an SWIR rated objective I was hoping to play around with something similar but it turned out to be less trivial than I hoped to remove the IR filter from my lamphouse.  I could buy another (an Olympus LH-50A if someone has one ;) ) but I haven't found one at a price I like.  I could just suspend the bulb but its a pain to align like that.

Sunday, June 10, 2012

Cold nitric acid experiments

70 % vs RFNA

As a sort of control I wanted to see if letting a chip in 70% does anything.  I'm not sure where these pictures went but the answer is no, not really.  I could still read the label on the 70% chip although the pins weren't visible anymore.

WFNA vs RFNA

H2SO4 is dirt cheap for me to get where as nitric tends to be expensive to the point where I actually distill my RFNA / WFNA.  I was distilling RFNA before but using it sparingly since it took a bit of work.  I've since realized that I can make WFNA much easier as the vacuum distillation is quite quick.  In fact, I did an experiment on some old (for emphasis, it may have decayed making this an unfair comparison) RFNA vs some new WFNA on the same chip which I let sit for 90 minutes cold.  Our prisoner assistant:


Each one was given 5 mL of acid and let sit for 90 minutes covered.  First look:


After washing (WFNA left, RFNA right):





Close up of the WFNA chip:


which even has some undercut (peeling from drying?) where as the RFNA was solid.

It seems that the fresh WFNA did a lot of damage where as the RFNA only did a little damage.  However, much close to when I freshly made the RFNA, I stored some in a polypropylene vial and it was severely eaten overnight where as I haven't noticed any degradation storing WFNA in the same vials.  Note that storing strong oxidizing mixtures in plastic vials isn't probably a good idea but it makes ultrasonically cleaning chips easier with what I have on hand.  I've been meaning to order some small PFA tubes but haven't gotten around to it.  Anyway, I wouldn't say that this is conclusive but my feeling is that at it is likely demonstrating that nitric decomposes significantly over time and should be used fresh.  Next time I make a batch of acid I'll make a batch of each and do a fresh comparison.

WFNA and H2SO4


The next thing I was curious about was that if H2SO4 could be used to enhance nitric acid cold.  I've noticed that nitric rapidly decreases in usefulness on epoxy with decreasing concentration.  My hope is that if I could dehydrate it with something it could prolong its life.  I've tried soaking some chips in cold H2SO4 and haven't seen any effects.  I've read that concentrated H2SO4 should cause the epoxy to swell but for one reason or another I haven't observed that (mines 98%, maybe not dry enough?). 

Our victims subjects:


2 Actel A1020B FPGAs selected for no particular reason other than that I had two of them.  I stripped off the outside pins from both before adding acid.  I added 3 mL WFNA in a PTFE beaker (an eBay seller had a bunch 3 for $5 so I bought a bunch of them) with a watchglass on top to one and 3 mL WFNA + 3 mL 98% H2SO4 to a PTFE beaker with a watchglass on top to the other.  This volume let both chips be completely covered at least at the start.  5 mL may have been a little better  I let them sit overnight, maybe 15 hours total.

WFNA

The WFNA initially etched very quickly as the solution turned dark after just a few minutes. The next day there was a lot of NO2 trapped:



Letting it air out:






Removing the acid:


Wash in water + ultrasonic clean in acetone:


The chip is only barely etched, maybe about 10% of the height (I didn't weigh them, maybe should have).  The Actel logo is even still a little visible above.  My first thought is that it may have spent most of its acid on the pins but there is exposed copper (after cleaning) at about the same level as the plastic package.

WFNA + H2SO4

This etched much slower than the WFNA.  In the few minutes after adding the chip where as the WFNA had turned very dark this was only tinted.  Letting it sit overnight had some NO2 but not nearly as much as the WFNA:


Draining the acid off:

A bit odd shaped.  The other side makes it look sorta like a rock:
Maybe this is what the H2SO4 swelling is suppose to look like.  It seems odd though that I wasn't able to observe it until diluting with another acid.  After cleaning it looked like this:


I'd say about 40% removal of the epoxy by height.

Conclusions

 Here are the washed + ultrasonically cleaned chips side by side (WFNA left, WFNA + H2SO4 right):


The WFNA chip turned red again but the other one didn't.  Presumably this is from acid residue and it would stay dark if I washed it more thoroughly.  Overall the WFNA + H2SO4 did pretty good.  It was slower but did well overall.  It had to be cleaned to figure out how far it actually etched (you can still read the Actel logo on it above!).  My guess is that the main reason it did better is because it didn't have to eat through the copper.  Failure analysis books recommend 10% H2SO4 + 90 % RFNA to passivate.  I'd have to do such a comparison to figure out if the excess H2SO4 did anything or if it simply helped by passivating the copper.  However, based on the swelling which I've never seen before, I'm going to guess that it had other beneficial effects.

The only thing that I was a bit hesitant about is that this is a very strong nitrating mixture.  MSDS say that nitric is incompatible with alcohols and acetone.  My experience has been that alcohols should be strongly avoided and that acetone is only a problem at higher temperatures.  However, I tried to mix a drop of each and it reacted violently instantly cold.  So in conclusion: this may be a good way to prolong acid when you are patient but the mixture must be treated with care.

For next time

I'm working on a teardown of a 24C02 EEPROM.  See top metal here: http://siliconpr0n.org/map/st/24c02__ns50xu/

Thursday, May 24, 2012

Interactive basic logic chip teardown


http://siliconpr0n.org/wiki/doku.php?id=quiz:metal_gate_cmos

When I first started I wanted to dissect a basic logic chip but the ones I looked at had funny power transistors and so didn't work well for getting my feet wet.  However, there are plenty that do use more standard MOSFETs and so here's one such chip presented as an interactive quiz.  Each quiz goes increasingly deeper into the chip and ends with explanations so that you can move onto the next level.  Its designed to either test yourself or as a learning exercise.  If you don't know the answers just make a best guess and you should get enough info at the scoring page to move onto the next quiz.  Enjoy!

Sunday, March 4, 2012

SiDoku #1

Flylogic gave a brief tutorial and a logic chip at http://www.flylogic.net/blog/?p=32 I have been messing with a standard cell based chip recently and this is one of the more complicated cells from it. In their spirit, here is a similar challenge.

Top metal (M1 and M2 visible):
Delayered:

Active area:

The two delayered images are "identical" but have different artifacts. I gave both since its what I used and it helps a little to piece things together. If you are the first to solve it and are interested I'll see if I can post at least a top metal photograph of a chip of your choosing. Get the chip to me somehow or if its something relatively common I might have it hoarded somewhere. Solving this means 1) giving a high level description of the functionality of the device and 2) A gate level schematic (ie with and gates etc where possible instead of transistors) with pins labeled to the M2 contacts

Hint: the two bridged contacts on the top metal (M2) are part of the cell and can assumed to be connected.

I'll release the solution in a week or two if no-one gets it. Some more resources to help including an inverter from the same chip: http://siliconpr0n.org/wiki/doku.php?id=cmos:start There are also some instructions on how to load these images into Inkscape at http://siliconpr0n.org/wiki/doku.php?id=tutorial:digitizing_with_inkscape