Sunday, March 17, 2013

William's Special Chip 1 (SC1)

I got wind that some people are working on digitizing William's Special Chip 1 (SC1, wiki page here). This purportedly uses NMOS technology and is used in arcade blitting/DMA. To acquire these images Sean made a computer-controlled microscope and was able to take a high resolution picture suitable for beginning to digitize the chip (not all parts may be clear enough without delayering).

Here's a sample image from the chip:

This is upper left of the E3001 logo towards the center:

Tracing out polygons onto it:

With the following colors:
  • Yellow: NMOS
  • Blue: metal
  • Red: polysilicon
  • Green: buried contacts
  • Black: contacts

Let's remove the image:

Looks cool but how to read it?  I talked about PMOS a bit before with the Intel 4004, take a look here for some info on NMOS/PMOS.

Now with an idea of what things are, let's remove the irrelevant wires and add component labels:

It's fairly obvious from the layout what the two power rails are. Regardless of whether this is PMOS or NMOS, VDD is the side with the resistors and VSS is the side that shorts out the pullups/pulldowns. Typically VSS is 0V and VDD is negative if PMOS or positive if NMOS. Since this is supposed to be an NMOS chip, say VDD = V+.

Converting to a schematic:


Inverters are the easiest, so let's start with those: R4 and Q7 form an inverter, as when IO2 is not driving Q7, R4 pulls up N4 (0 in => 1 out). When IO2 asserts sufficient voltage on Q7, N4 is shorted to ground and the net goes low (1 in => 0 out). Similarly, R3/Q6 and R2/Q3 are inverters.

The area on the left is a little harder but not too bad. First, R1 is a pullup for IO1. If Q1 and Q2 never turned on, the output would always be high. If either Q1 or Q2 turns on, R1 is shorted to VSS. This means R1, Q1, and Q2 form a negative OR to yield:

Q4 and Q5 are still a little harder.  At first it may not be clear if IO3 is an input or output.  For example:
  • Is the input on IO2/IO3 with the output ultimately on IO1?
  • Is IO2 an input for a latch circuit feeding back into U2 that we can sense on IO3?
Let's start with Q4: its top half is being driven by U2, which means that it's really only useful as a switch to drive N1. Q5 is unlikely to be a pass transistor to feed this output back into U2, as the circuit would be unstable / form an oscillator.

On the other hand, note that U3 inverts N4 to turn Q4/Q5 into complementary transistors. That is, if one is on the other is off and vice versa. This means we are muxing the signals IO3 and N2 onto N1. This leads to:

This isn't too bad as we are now completely in the digital domain, but we can simplify this further. First, U4 simply changes which of I0/I1 in mux U5 we use. So if we switch I0/I1, U4 drops out. That leaves us with a function of IO2 that selects the inverse of IO3. That is, if IO2 = 1 and IO3 = 1 then the mux selects the non-inverted IO3 to give 1. If IO2 = 0 and IO3 = 0 then the inverted IO3 is selected to give 1. In other cases we select the complement of IO3 to yield 0. This gives us xnor:

Don't think this really simplifies much more so we are done!
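The reduction above can be checked exhaustively over all input combinations. The Python below is an added example, not code from the original post; since the schematic image is not reproduced here, the polarity of N2 and which of Q4/Q5 passes IO3 are assumptions inferred from the text.

```python
from itertools import product

def pulled_up_net(*gates):
    """Resistor pull-up with NMOS pull-downs to VSS: any conducting gate wins."""
    return 0 if any(gates) else 1

def inv(a):
    """R4/Q7, R3/Q6, R2/Q3 style inverter."""
    return pulled_up_net(a)

def nor(a, b):
    """R1 pulled down by Q1 or Q2 in parallel."""
    return pulled_up_net(a, b)

def n1_as_traced(io2, io3):
    """Pass-transistor mux Q4/Q5 driving N1, as described in the post."""
    n4 = inv(io2)      # U4
    n4_b = inv(n4)     # U3 makes the two gate signals complementary
    n2 = inv(io3)      # ASSUMPTION: N2 carries the inverted IO3
    # ASSUMPTION: the transistor gated by n4_b passes IO3, the other passes N2.
    drivers = [v for gate, v in ((n4_b, io3), (n4, n2)) if gate]
    if len(drivers) != 1:
        raise ValueError("N1 floating or in contention")
    return drivers[0]

def n1_inputs_swapped(io2, io3):
    """Same mux with I0/I1 swapped so the select inverter U4 drops out."""
    return io3 if io2 else inv(io3)

def xnor(a, b):
    return 1 if a == b else 0

def truth_table(fn):
    """Outputs for (a, b) = 00, 01, 10, 11."""
    return [fn(a, b) for a, b in product((0, 1), repeat=2)]

def check_simplification():
    """Return the common truth table, or raise if any reduction step differs."""
    tables = [truth_table(f) for f in (n1_as_traced, n1_inputs_swapped, xnor)]
    if not all(t == tables[0] for t in tables):
        raise AssertionError(tables)
    return tables[0]

if __name__ == "__main__":
    print("N1 for (IO2, IO3) = 00, 01, 10, 11:", check_simplification())
    print("R1/Q1/Q2 stage:", truth_table(nor))
```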

Saturday, January 5, 2013

Spoke at EHSM

Talk seemed well received, check it out!  It's a good introduction to the process of going from an IC on a circuit board to determining functionality without going into too much detail.


Tuesday, November 20, 2012

Speaking at EHSM

I'll be doing a talk on general IC RE techniques at EHSM in Berlin later in December.  Come by and say hi!  (no I won't be wearing my super-villain outfit)  In other news, work has been busy so not many updates. But a few teasers.

Thanks to help from a friend or two I was able to write a reasonably working camera driver for my MU generation AmScope camera (MD is a similar chipset but didn't have an obfuscated protocol).  Also, the CNC microscope software has undergone a revamp and is much cleaner and runs on Linux through gstreamer. Having the video widget integrated into the GUI is much more convenient.  I did a proof of concept run but haven't done any "real" imaging runs yet.

Additionally hardware is getting a revamp by adding CNC Z, theta X, and theta Y using picomotors.  If space permits I may add a rotary stage for manual (or possibly CNC) rotation.  This should allow nearly fully automatic imaging (the most time intensive part of imaging right now is leveling the chip).

Finally, I have been learning OpenCV and experimenting with automated techniques.  Needs work but I'm getting better and it's been a good learning experience if nothing else.  In short, while Degate is out there I don't really understand how it works and can't improve it (at least the image processing side).  While Degate focuses on standard cell matching, I'm working with less regular older chips to form polygons.  So, it should form a good complement to Degate as well as help me contribute as I learn more.

Sunday, July 1, 2012

ST 24C02 sector 17R (clock)

I'm going to post random parts of the ST circuit as I get to them.  For now here is what I'm calling "sector 17" (see wiki page for die location) right half.  I chose it because a quick glance showed some analog components, my guess was clocking related.

Here are the raw images with parts of the independent/irrelevant left half taken out.

Top metal:

Top metal removed (using hydrofluoric acid):

M1 removed (using hydrofluoric acid):

Stripped to active areas (yet more hydrofluoric acid):

Converted using Inkscape with component and supply labels:

P1 and P2 are this circuit's I/O.  Supply labels are from tracing from the power pads which I got from the 24C02 datasheet.  Alternatively you could trace from the PCB or recognize that PMOS tends to be larger than NMOS (note 2:1 contact ratio).  I'm not sure why the capacitors are isolated as they are all tied together in parallel.  Maybe some sort of DFM thing?  Unlike the other resistors, which were smaller and resembled more of a depletion load design, this resistor (R3) is just a very long and narrowish active area.

Anyway, I then labeled every transistor, resistor, and capacitor to ease schematic capture.  Then I placed them in EESchema in rough layout order and finally wired them together from reading the Inkscape plot.  This yielded:

And then rearranging to be a little easier to read:

Now let's simplify a little.  We can now see that P2 is an input and P1 is an output.  P2 feeds into a standard CMOS inverter (Q22, Q8) which then feeds into a second CMOS inverter (Q21, Q7) to form a buffer circuit.  Similarly, Q17 and Q3 form an output inverter.  Going back to the buffer, its output feeds into an RC circuit.  Say the circuit starts with the capacitor bank (call it C) drained.  C will slowly charge as P2 is set to logic high and eventually reach a steady logic high condition.

The next circuit is more interesting.  Let's start by taking a steady state approach to see what it does.  When logic 1 is presented as input we get the following:

An input of 1 turns on the two top NFETs (Q5, Q6) to conduct VSS to output.  The FETs next to them (Q19, Q20) are P-channel and so are off.  The PFET below (Q18) is switched on but doesn't have anything to drive since Q19 and Q20 are off.  The circuit is complementary, so switching the input to 0 results in the same thing.  So far we have a really inefficient inverter.

But wait, there's more!  Let's see what happens in between.  Let's treat this as a discrete event simulator where each gate turns on in constant time.  Switching input to 0:

The old transistors are still on because the signal hasn't propagated yet.  Now take another simulation step:

Now Q5 and Q6 are off and Q19 and Q20 are on.  And..oh dear...  In my computer hardware design class at RPI they showed us a similar circuit and told us that a designer that turns on both the N and the P channel at once is likely to get fired.  Are things so dire?  No.  First, notice that Q18, Q20, Q4, and Q5 are all a little bigger than the others.  Presumably that's so they can take this abuse.  Second, notice that this condition is very temporary.  In the nominal case Q10's gate will get drained a short time later with no new juice coming in and Q20 wins out in the end.  Alternatively, if the input goes back to 1, Q10 keeps the output low while Q5 and Q6 quickly switch back on.

So we have a device that preserves steady state and removes short pulses that swing in the opposite direction.  Such a device is called a Schmitt trigger.  I was able to verify this by finding this paper which had the following diagram:

Which looks exactly like this circuit.
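A behavioural sketch of the signal path described in this post (P2, buffer, RC stage, inverting Schmitt trigger, output inverter, P1), showing a short opposite-going pulse being swallowed while a long one passes. This is an added example, not from the original post or extracted from the die; the supply voltage, thresholds, time constant and stimulus are all assumed values chosen for illustration.

```python
import math

VDD = 5.0                  # ASSUMED supply voltage
V_LOW, V_HIGH = 1.7, 3.3   # ASSUMED Schmitt thresholds (falling / rising input)
TAU = 1.0e-6               # ASSUMED time constant of R3 and capacitor bank C
DT = 0.05e-6               # simulation time step

def simulate(p2_bits):
    """Run P2 samples (one per DT) through the chain and return P1 samples."""
    alpha = 1.0 - math.exp(-DT / TAU)      # exact step for a constant drive
    v_c = VDD if p2_bits[0] else 0.0       # start settled at the first level
    schmitt_out = 0 if p2_bits[0] else 1   # inverting stage, settled
    p1 = []
    for bit in p2_bits:
        drive = VDD if bit else 0.0        # Q22/Q8 + Q21/Q7 act as a buffer
        v_c += (drive - v_c) * alpha       # C charges/discharges through R
        if v_c > V_HIGH:                   # hysteresis: the state only flips
            schmitt_out = 0                # once the far threshold is crossed
        elif v_c < V_LOW:
            schmitt_out = 1
        p1.append(1 - schmitt_out)         # output inverter Q17/Q3
    return p1

def pulse(width_s, total_s=10e-6, idle=1):
    """Constructed stimulus: idle level with one opposite pulse at 2 us."""
    n = round(total_s / DT)
    start = round(2e-6 / DT)
    width = round(width_s / DT)
    return [(1 - idle) if start <= i < start + width else idle
            for i in range(n)]

def summarize(p1):
    """Return (changed, first_change_index) for a P1 trace."""
    for i, v in enumerate(p1):
        if v != p1[0]:
            return True, i
    return False, None

if __name__ == "__main__":
    print("0.2 us glitch:", summarize(simulate(pulse(0.2e-6))))
    print("4 us pulse:   ", summarize(simulate(pulse(4e-6))))
```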

Putting it all together we get the following:

More to come...

According to page 40, their similar ST chip says what I thought was M1 is actually poly (hey, it's a learning exercise!).  I'll see if I can run some etch tests to confirm this.  A friend is working on doing a teardown of the EEPROM structure and I came across that while looking through previous work.  They don't go into gory detail though so he'll still do a writeup.

Thanks for the comments on the capacitors!  I'm working on a writeup of the charge pump so there are a lot more to come ;)

Saturday, June 30, 2012

Misc wiki pages

SRAM device teardown:

Capacitor example:

Some other minor equipment info.

Also I'm working on a 24C02.  Browse around for the raw images if you want to take a look. 

Also someone did a nice writeup on doing backside analysis: Functional Integrated Circuit Analysis.  I have an SWIR rated objective and was hoping to play around with something similar, but it turned out to be less trivial than I hoped to remove the IR filter from my lamphouse.  I could buy another (an Olympus LH-50A if someone has one ;) ) but I haven't found one at a price I like.  I could just suspend the bulb but it's a pain to align like that.

Sunday, June 10, 2012

Cold nitric acid experiments

70 % vs RFNA

As a sort of control I wanted to see if letting a chip sit in 70% does anything.  I'm not sure where these pictures went but the answer is no, not really.  I could still read the label on the 70% chip although the pins weren't visible anymore.


H2SO4 is dirt cheap for me to get whereas nitric tends to be expensive, to the point where I actually distill my RFNA / WFNA.  I was distilling RFNA before but using it sparingly since it took a bit of work.  I've since realized that I can make WFNA much more easily as the vacuum distillation is quite quick.  In fact, I did an experiment on some old (for emphasis, it may have decayed, making this an unfair comparison) RFNA vs some new WFNA on the same chip which I let sit for 90 minutes cold.  Our prisoner assistant:

Each one was given 5 mL of acid and let sit for 90 minutes covered.  First look:

After washing (WFNA left, RFNA right):

Close up of the WFNA chip:

which even has some undercut (peeling from drying?) whereas the RFNA was solid.

It seems that the fresh WFNA did a lot of damage whereas the RFNA only did a little damage.  However, much closer to when I freshly made the RFNA, I stored some in a polypropylene vial and it was severely eaten overnight, whereas I haven't noticed any degradation storing WFNA in the same vials.  Note that storing strong oxidizing mixtures in plastic vials probably isn't a good idea but it makes ultrasonically cleaning chips easier with what I have on hand.  I've been meaning to order some small PFA tubes but haven't gotten around to it.  Anyway, I wouldn't say that this is conclusive but my feeling is that it is likely demonstrating that nitric decomposes significantly over time and should be used fresh.  Next time I make a batch of acid I'll make a batch of each and do a fresh comparison.

WFNA and H2SO4

The next thing I was curious about was whether H2SO4 could be used to enhance nitric acid cold.  I've noticed that nitric rapidly decreases in usefulness on epoxy with decreasing concentration.  My hope is that if I could dehydrate it with something it could prolong its life.  I've tried soaking some chips in cold H2SO4 and haven't seen any effects.  I've read that concentrated H2SO4 should cause the epoxy to swell but for one reason or another I haven't observed that (mine's 98%, maybe not dry enough?).

Our victims subjects:

2 Actel A1020B FPGAs selected for no particular reason other than that I had two of them.  I stripped off the outside pins from both before adding acid.  I added 3 mL WFNA in a PTFE beaker (an eBay seller had a bunch 3 for $5 so I bought a bunch of them) with a watchglass on top to one and 3 mL WFNA + 3 mL 98% H2SO4 to a PTFE beaker with a watchglass on top to the other.  This volume let both chips be completely covered at least at the start.  5 mL may have been a little better.  I let them sit overnight, maybe 15 hours total.


The WFNA initially etched very quickly as the solution turned dark after just a few minutes. The next day there was a lot of NO2 trapped:

Letting it air out:

Removing the acid:

Wash in water + ultrasonic clean in acetone:

The chip is only barely etched, maybe about 10% of the height (I didn't weigh them, maybe should have).  The Actel logo is even still a little visible above.  My first thought is that it may have spent most of its acid on the pins but there is exposed copper (after cleaning) at about the same level as the plastic package.


The WFNA + H2SO4 mixture etched much more slowly than the WFNA.  In the few minutes after adding the chip, whereas the WFNA had turned very dark, this was only tinted.  Letting it sit overnight produced some NO2 but not nearly as much as the WFNA:

Draining the acid off:

A bit odd shaped.  The other side makes it look sorta like a rock:

Maybe this is what the H2SO4 swelling is supposed to look like.  It seems odd though that I wasn't able to observe it until diluting with another acid.  After cleaning it looked like this:

I'd say about 40% removal of the epoxy by height.


Here are the washed + ultrasonically cleaned chips side by side (WFNA left, WFNA + H2SO4 right):

The WFNA chip turned red again but the other one didn't.  Presumably this is from acid residue and it would stay dark if I washed it more thoroughly.  Overall the WFNA + H2SO4 did pretty well.  It was slower but did well overall.  It had to be cleaned to figure out how far it actually etched (you can still read the Actel logo on it above!).  My guess is that the main reason it did better is because it didn't have to eat through the copper.  Failure analysis books recommend 10% H2SO4 + 90% RFNA to passivate.  I'd have to do such a comparison to figure out if the excess H2SO4 did anything or if it simply helped by passivating the copper.  However, based on the swelling which I've never seen before, I'm going to guess that it had other beneficial effects.

The only thing that I was a bit hesitant about is that this is a very strong nitrating mixture.  MSDS say that nitric is incompatible with alcohols and acetone.  My experience has been that alcohols should be strongly avoided and that acetone is only a problem at higher temperatures.  However, I tried to mix a drop of each and it reacted violently instantly cold.  So in conclusion: this may be a good way to prolong acid when you are patient but the mixture must be treated with care.

For next time

I'm working on a teardown of a 24C02 EEPROM.  See top metal here:

Thursday, May 24, 2012

Interactive basic logic chip teardown

When I first started I wanted to dissect a basic logic chip but the ones I looked at had funny power transistors and so didn't work well for getting my feet wet.  However, there are plenty that do use more standard MOSFETs and so here's one such chip presented as an interactive quiz.  Each quiz goes increasingly deeper into the chip and ends with explanations so that you can move on to the next level.  It's designed either to test yourself or as a learning exercise.  If you don't know the answers just make a best guess and you should get enough info at the scoring page to move on to the next quiz.  Enjoy!