I'm probably going to attempt a distructive test on a PLD to determine its function. I'm wondering if anyone has tried this, and with what success? I found this: "An important architectural feature that is found on virtually all PLDs is not shown on logic diagrams. This feature is the security fuse. Normally, the fuse pattern programmed into a PLD can, like a PROM, be read and displayed or copied by programming hardware. Devices with a security fuse, however, provide the ability to disable this read function. This allows the design to be somewhat secure from attempts to copy or reverse engineer it. In reality, it's relatively easy to shave the top off of a bipolar PLD and examine the programmed fuses with a microscope. For bipolar PLDs, then, would be copiers are merely inconvenienced. Erasable CMOS PLDs are considerably more secure, since it's very difficult, if not impossible, to determine their function from examination." From http://www.ee.cooper.edu/courses/course_pages/past_courses/EE151/PLD1/ Anyone here ever "shave" a chip for examination? I have access to a video microscope at the university. I also have a DV camcorder with DV in, so I could take the pictures, post them, and then beg for more help. ;) Any suggestions? I would be shaving the top off of some 16R8/4 chips. Would heating them to around 250-300F for a while help? Shaving the tops down while hot? I have access to 48 micron resolution digital x-ray equipment, but no microfocus x-ray tubes at the moment, so I don't think I would get good enough resolution by X-raying the chips. I could try just for fun, These old PALs just might have large enough internals. Here is a shot of a PCMCIA card, about 50% full resolution. If I did some gemoetric magnification and used a different LUT, I might be able to see something, but I seriously doubt it. http://www.cmosxray.com/X-rays/newX-rays/4x4/4x4x-rays%20extra/board.JPG Now I'm a little more curious about the x-rays. I think I;ll go rip apart a 286 motherboard for a PAL and do some tests this weekend. :) I eventually want to rewrite all of the equations for speed, but getting a 100% copy of the OEM work was the goal. Grant
Microscope examination of a PLD
Started by ●January 22, 2005
Reply by ●January 22, 20052005-01-22
logjam wrote:> Any suggestions? I would be shaving the top off of some 16R8/4 chips. > Would heating them to around 250-300F for a while help? Shaving the > tops down while hot? I have access to 48 micron resolution digital > x-ray equipment, but no microfocus x-ray tubes at the moment, so I > don't think I would get good enough resolution by X-raying the chips. > I could try just for fun, These old PALs just might have large enough > internals.I never tried it, however it might be possible to determine the location of the fuse by a focused UV laser that is scanned over an identical part. Scan the laser and read out until the fuse is gone. Rene -- Ing.Buero R.Tschaggelar - http://www.ibrtses.com & commercial newsgroups - http://www.talkto.net
Reply by ●January 22, 20052005-01-22
logjam wrote:> I'm probably going to attempt a distructive test on a PLD to determine > its function. I'm wondering if anyone has tried this, and with what > success?I hope you have more than one :)> > I found this: > > "An important architectural feature that is found on virtually all PLDs > is not shown on logic diagrams. This feature is the security fuse. > Normally, the fuse pattern programmed into a PLD can, like a PROM, be > read and displayed or copied by programming hardware. Devices with a > security fuse, however, provide the ability to disable this read > function. This allows the design to be somewhat secure from attempts to > copy or reverse engineer it. > > In reality, it's relatively easy to shave the top off of a bipolar PLD > and examine the programmed fuses with a microscope. For bipolar PLDs, > then, would be copiers are merely inconvenienced. Erasable CMOS PLDs > are considerably more secure, since it's very difficult, if not > impossible, to determine their function from examination." > > From > http://www.ee.cooper.edu/courses/course_pages/past_courses/EE151/PLD1/ > > Anyone here ever "shave" a chip for examination? I have access to a > video microscope at the university. I also have a DV camcorder with DV > in, so I could take the pictures, post them, and then beg for more > help. ;) > > Any suggestions? I would be shaving the top off of some 16R8/4 chips. > Would heating them to around 250-300F for a while help? Shaving the > tops down while hot? I have access to 48 micron resolution digital > x-ray equipment, but no microfocus x-ray tubes at the moment, so I > don't think I would get good enough resolution by X-raying the chips. > I could try just for fun, These old PALs just might have large enough > internals. > > Here is a shot of a PCMCIA card, about 50% full resolution. If I did > some gemoetric magnification and used a different LUT, I might be able > to see something, but I seriously doubt it. > http://www.cmosxray.com/X-rays/newX-rays/4x4/4x4x-rays%20extra/board.JPG > > Now I'm a little more curious about the x-rays. I think I;ll go rip > apart a 286 motherboard for a PAL and do some tests this weekend. :) > > I eventually want to rewrite all of the equations for speed, but > getting a 100% copy of the OEM work was the goal.If that is the goal, why not simply reverse engineer the logic ? 16R8/4 devices are not complex, and if you also have the product circuit diagram [or application circuits of the devices], you can greatly reduce the vector-search complexity. All you need is pencil, paper, text editor, and a PLD programmer that can run test vectors (most can). -jg
Reply by ●January 22, 20052005-01-22
"logjam" <grant@cmosxray.com> writes:> Anyone here ever "shave" a chip for examination?Two friends and I read a bipolar PROM optically. It was interesting to view it under the microscope. I'd heard that there was a long-term problem with regrowth of the fuses, but we were actually able to see it. Also, Peter Monta optically extracted the contents of three 2560-bit PMOS masked ROM chips circa 1973, in order to run the code on my simulator: http://www.pmonta.com/calculators/hp-35/
Reply by ●January 22, 20052005-01-22
How would you suggest I split my chips? I plucked 5 off of an AST motherboard and put two in the toaster oven for an hour at 300. Who knows why I did that. ;) Even if I can learn the logic, it would still be fun to see if I can see it. :) This stupid project has forced me to learn a ton of stuff in the past few days. Thats what I love, learning new useless things. ;) Can you suggest an innexpensive PAL programmer that can run a test vector?
Reply by ●January 23, 20052005-01-23
I shaved an IC down with my dremel tool, ripped all the legs off, then chipped away at the remaining material, decided to shave a little more off, and finally hit the silicon, with the dremel, and further chipped on it until the IC broke in half. I didn't have a good light source, but at 400x I thought I could see some traces. Is there a substance that will break down the IC potting material but not the electronics? I noticed that the back of the silicon was coated with metal. Next I might try comming in from the back, carving around the back plane, and lifting the guy out. Forget that x-ray stuff. My in-head math was off by a few decimal places. ;)
Reply by ●January 23, 20052005-01-23
Tradationally people use fuming nitric acid to remove the encapsulation.I wouldnt recomment it though without some serious protection as fuming nitric acid is highly toxic and will strip flesh to the bone in seconds.
Reply by ●January 23, 20052005-01-23
On 23 Jan 2005 02:26:32 -0800, "logjam" <grant@cmosxray.com> wrote:>Is there a substance that will break down the IC potting material but >not the electronics? I noticed that the back of the silicon was coated >with metal. Next I might try comming in from the back, carving around >the back plane, and lifting the guy out. Forget that x-ray stuff. My >in-head math was off by a few decimal places. ;)Try searching Google - fuming nitric acid is commonly used I believe. Be careful with it though...
Reply by ●January 23, 20052005-01-23
I know I have access to 20% nitric acid, possibly stronger if I sweet talk the metallurgy lab guy. We use it for etching polished metals to look at the microstructure. So I will try this on monday: -Shave PLD about 1/8" -place flat on a hot plate, around 130*C -Drip nitric acid on it until the silicon is visible I'll be doing this in a lab with full negative pressure fume hood and a face shield. Not a range top stove and exhaust vent. ;) If that doesn't work I guess there are companies who do it for $50. There are also manufactures of these decapping machines. I might try sweet talking them into helping out a poor student. ;) Here is a link I found on decapping the little buggers: http://www.mrlaser.com/Brodsky9-1.pdf If all else fails, I'm getting a 100MHz 18 channel 128k+ sample logic analyzer...so... ;) Grant
Reply by ●January 23, 20052005-01-23
logjam wrote:> So I will try this on monday: > -Shave PLD about 1/8" > -place flat on a hot plate, around 130*C > -Drip nitric acid on it until the silicon is visible...> If all else fails, I'm getting a 100MHz 18 channel 128k+ sample logic > analyzer...so... ;)Well, even if you get a visual reading of the bits, I would still want to verify it by frobbing pins. However, rather than a logic analyzer, why not simply hook it fully up to an FPGA? There are plenty < $500 boards out there that would be up for the job. That would give you all the functionality of the LA with the additional ability to incrementally build up and verify the reengineered model, all within the same framework. Just an idea, Tommy
