Recently, I was tricked talked into examining the die
of an integrated circuit (IC)- the YM2151, a single-chip FM synthesizer. I
like these old Yamaha chips, so I don't really mind doing it, but it's
definitely a long term project that I expect to take months. However, one
doesn't need to RE a significant portion of an IC to understand the basics
of RE. Information about a chip's operation can be gleamed by examining
small units, and predicting their relation to each other.
Information on doing IC reverse-engineering is still kind of limited, although projects like siliconpr0n and whatever Ken Shirrif is working on at any given time are changing that. Since I am learning how to RE ICs, I decided to document how I decoded a small ROM in the YM2151 that I suspect is being used as part of the control state machine. This small ROM demonstrates the basics of REing ICs, including:
Before we can examine an IC die, we have to actually digitally capture an image of the die. I will not be discussing this in detail, but getting a die image typically involves:
I really don't have access to the equipment to do this even at a small scale, but luckily this work was done previously in the case of YM2151 (20x magnification). I defer to Travis Goodspeed's article in section 9 of POC||GTFO #4) if interested in doing decap yourself.
The YM2151 uses an NMOS process. The NMOS logic family uses n-type metal oxide semiconductor field-effect transistors (MOSFETs) to create digital logic gates. MOSFETs are four- terminal devices that either permit or prevent current from flowing between two of the terminals, called the drain and source, depending on the voltage of the third terminal, called the gate, relative to either the drain or source. The fourth terminal, called the body, is negligible for now.
The below picture shows two different types of MOSFETS: n-type depletion and n-type enhancement mode. On each MOSFET, the center terminal attached to the left column is the gate input. The source and drain are the bottom and top terminals, respectively. Each MOSFET has the source connected to a fourth terminal, which in turn connects to an arrow pointing inward to the right column, indicating n-type MOSFETs. Put simply, the arrow direction corresponds to device polarity at a specific area within the MOSFET. The source-body connection is a side effect of the MOSFET symbol I used, and we can ignore it. A segmented right column represents enhancement mode, and a solid right column represents depletion mode.
A MOSFET is a symmetrical device, so drain and source can be labeled arbitrarily. However, according to Sedra and Smith, drain is by convention always at a higher voltage than source.
"n-type" refers to the properties of the silicon that carries current through a MOSFET. For the purposes of this blog post, I need not go into its properties.
In hand-calculations, a MOSFET has at least three modes of operation. I'm not interested in doing simulation in this blog post (maybe in the future I will!), but for completeness, the regions are:
Both enchancement mode and depletion mode MOSFETs are used in the NMOS logic family. Depletion-mode MOSFETs conduct current even when the gate and source is at the same voltage; the gate must have a lower voltage than the source for cutoff to occur. They are commonly, but not exclusively, used as pullup resistors, operating in the linear region and always on.
On the other hand, enhancement-mode MOSFETs are used to implement logic gates by either allowing current to pass or not. They operate in cutoff and saturation. The gate must be at a higher voltage than the source to conduct current. Voltage drop tends to be negligible in the enhancement-mode MOSFETs; see ratioed logic in the previous link for more information.
With the above two paragraphs in mind, here is an exercise: How would you implement an NMOS NOR gate (hint: MOSFETs in parallel)? NAND gate (hint: MOSFETs in series)? Inverter (NOT) (hint: Look carefully at my MOSFET image)? Notice how gates with inverters are easiest to implement? I wonder if that's a reason active-low inputs and outputs are so common in these chips?
How does one detect an NMOS chip? To be honest, I was told ahead of time that the YM2151 uses an NMOS process. The year that this chip was first produced (1984-5) is also a hint. Howvever, when compared to CMOS die of a similar-era Yamaha chip, I notice a few differences:
Right now, the above list probably isn't all that meaningful :P. I'll discuss what I mean in the next section. As you may expect, my method of analysis only works for ICs made with an NMOS process. However, this is still useful for preserving many old chips where fully emulating their behavior is desired (YM2151) or even required (security chips) to preserve hardware.
I decided to digitize (or vectorize) a ROM at the top of the chip, approximately one third of the length longways.
ICs- well, not cutting-edge ones anyway- tend to be made by applying planar layers of conducting and semiconductor material. Therefore, it tends to be safe to represent each layer of material as a 2d layer in a vector image, not worrying about layer depth or wells that would be apparent in a 3d cutaway. Each layer can thus be inferred and by examining intersections and outlines left over during decap.
I can tell the above is a ROM from the equal-width strips of metal (remember, metal tends to be consistently colored) and the circular "holes" distributed throughout the metal strips. These "holes" are properly referred to as "vias". Vias are drilled holes, forming a connection with any layer that intersects at their location.
Additionally, there exist buried contacts that directly connect (typically? always?) the poly and active layers. A metal layer can be placed on top of a buried contact without creating a connection. Buried contacts can frequently be identified by a light square outline where poly and active intersect, but this is not guaranteed. Sometimes buried contacts must be inferred from context. The takeaway here is: vias and buried contacts form two additional logical layers that need to be vectorized.
Buried contacts are different from MOSFET gates b/c a MOSFET gate is not a direct connection. A gate has a layer of insulating oxide separating the polysilicon and the active layer/wells underneath. However, it tends to be obvious from context and visual inspection which type of connection exists, even without having a 3d cutaway view which would show the differences.
Not all ICs have the same number of layers or the same layer material type, but in the case of NMOS, it's safe to divide an IC die into at least three layers:
With the above out of the way, let's digitize the metal layer and vias of the ROM. Please note that in some images that I may miss a section :P. I correct it in a later step unless otherwise noted.
| Layer | Color |
| Metal | Yellow |
| Polysilicon | Red |
| Active | Blue |
| Via | Green |
| Buried Contact | Pink |
The image has become a bit crowded after digitizing the metal and via layers, so for the time being I will disable them.
Let's start looking for transistors. I personally like to start with pullups, becausepullups have a very distinctive shape on an NMOS die, and the power rail can also be inferred. As mentioned before, NMOS pullups are depletion-mode MOSFETs, and they have very large gate widths to create a current path even without an applied gate voltage. Additionally, to provide the pullup effect, there exists a connection to the active layer on the source side of the MOSFET that looks like a hook.
Pullup MOSFETs thus tend to look like "rectangles with a hook", with slightly more emphasis on the hook to create the source-to-gate connection. We can now safely vectorize the pullups, and immediate polysilicon traces emanating from the pullups.
In our depletion mode pullups, the active layer consisting of source and drain runs through the center of the wide gate. We can trace out the active layer completely now, but I deliberately stopped short. The crossing of two layers near the pullups at the bottom is signficant.
Notice that each strip of the metal layer connecting at the top of the ROM terminates in a via. The via connects to a layer below, either active or poly, that runs across the length of the ROM. This layer abruptly terminates after crossing the active layer that directly connects to the pullup's source. There was a transistor formed due to that crossing during fabrication! We can safely assume them to be enhancement mode transistors used as switches due to the gate size.
Our unknown layer must be poly because they form the gate of a transistor. Furthermore, Because the metal at the top of the ROM attaches directly to the gate of a transistor for each input, the top of the ROM must be our input. By process of elimination, the output of our ROM is on the right.
Now I decided to take a break from the poly and vectorize the buried contacts. The buried contacts in this section are all visible as squares at poly and active crossings. Since a pullup must have a buried contact to connect the gate and source, let's start with the pullups. Can you find the outline of the other buried contacts before scrolling to the second image?
Now, I finish the active layer, which by process of elimination is going to be the remaining unvectorized traces. These form a number of enhancement- mode MOSFET switches distributed through the ROM matrix. Anywhere the poly crosses the active layer is a transitor!
With the active layer (minus my mistake) digitized, the ROM has been fully vectorized. I re-enable the metal and via layers to show the final result. Additionally, I vectorized a few more sections all all layers, only one of which is relevant to the ROM.
The thick metal trace below the ROM which connects to the active layer of the ROM matrix (at the source terminals of the enhancement mode MOSFETs immediately attached to depletion mode pullups), is in fact a ground trace. From experience, I can expect the active columns running through the ROM matrix to be connected to ground. I will explore why in the next section.
I am arbitrarily labeling the leftmost and bottommost bus lines the LSBs of the input and output, respectively. Thus, bit positions increase as one travels from left to right and bottom to top of the ROM matrix.
Initially, I had intermediate images of my progress creating the schematic. Unfortunately, for various formatting reasons (repeated transistor numbers, inconsistent resolution), the intermediate images didn't turn out how I liked, so I removed them.
I created the schematic in a manner very similar to how I vectorized starting with the pullups, then adding the inputs and their corresponding MOSFET switch connections. Then I added the ROM outputs. Next, I added the remaining wires that run down the ROM matrix columnwise, which attach to the source of the switch enhancement mode MOSFETs and pullup depletion-mode MOSFETs respectively. I finished schematic capture by adding the additional switch transistors that exist anywhere the active layer crosses poly within the matrix.
For each trio of column wires, the leftmost wire is the ROM input, the middle wire is the active layer running across each row of the ROM matrix, and the rightmost wire is attached to its corresponding pullup.
I made a mistake when drawing the above schematic. By convention, the source should be at a lower voltage than the drain, but for the transistors within the ROM matrix, I accidentally swapped source and drain. In an IC, this does not matter, as a MOSFET is symmetric and swapping source and drain does not affect device operation (for our intents and purposes). However, without this disclaimer, I'm sure I will confuse people. Perhaps the drain and source distinction is best ignored for this schematic.
With the above schematic, we can gleam some interesting information about how the ROM works. I assume the ROM inputs are either always a valid 1 or 0, because I am assuming that this ROM is driven by internal control logic.
If any given bus input is 0, the input will not turn on the switch transistors at the bottom of the ROM, placed immediately before pullups. This means that the pullups are not actively driven low, and the source terminal of the pullups remains at a high logic value. The logical high is propogated to all transistors whose gates are connected to the pullup source; these transistors are on. All transistors whose gates are attached to the bus input are in cutoff and have no effect on circuit operation.
Notice that the metal corresponding to each bit output is attached to all transistors in a row in parallel. This means that if any of the transistors in a given row are on, the entire metal row, and consequently the output, is pulled low as well. This is also called wired-AND.
In a similar manner, if any given bus input is 1, the input will turn on the switch transistor and the logical level at the pullup source will be driven low. All transistors whose gates are attached to the pullup source terminal will be in cutoff and will not drive the metal strips low. However, because the bus input is logical high, any transistors whose gate is attached to the bus input will drive its corresponding bit output low.
We now have enough information to devise boolean expressions and a truth table for the entire ROM!
| Bus Line+Value | Output Bits Driven Low |
| I0 High | O1, O6, O7 |
| I0 Low | O0, O5, O8, O9 |
| I1 High | O0, O3, O6, O7 |
| I1 Low | O1, O4, O5, O8, O9 |
| I2 High | O2, O5 |
| I2 Low | O0, O1, O3, O4, O6, O7, O8, O9 |
| I3 High | O1, O2, O3, O6, O7 |
| I3 Low | O0, O4, O5, O8, O9 |
| I4 High | O6 |
| I4 Low | O0 |
| Bus Line | Boolean Expression |
| O0 | ~(~I0 | I1 | ~I2 | ~I3 | ~I4) |
| O1 | ~(I0 | ~I1 | ~I2 | I3) |
| O2 | ~(I2 | I3) |
| O3 | ~(I1 | ~I2 | I3) |
| O4 | ~(~I1 | ~I2 | ~I3) |
| O5 | ~(~I0 | ~I1 | I2 | ~I3) |
| O6 | ~(I0 | I1 | ~I2 | I3 | I4) |
| O7 | ~(I0 | I1 | ~I2 | I3) |
| O8 | ~(I0 | ~I1 | ~I2 | ~I3) |
| O9 | ~(I0 | ~I1 | ~I2 | ~I3) |
| Input Bus | Output Bus |
| 0b0_0000 | 0b00_0000_0100 |
| 0b0_0001 | 0b00_0000_0100 |
| 0b0_0010 | 0b00_0000_0100 |
| 0b0_0011 | 0b00_0000_0100 |
| 0b0_0100 | 0b00_1100_1000 |
| 0b0_0101 | 0b00_0000_1000 |
| 0b0_0110 | 0b00_0000_0010 |
| 0b0_0111 | 0b00_0000_0000 |
| 0b0_1000 | 0b00_0000_0000 |
| 0b0_1001 | 0b00_0000_0000 |
| 0b0_1010 | 0b00_0000_0000 |
| 0b0_1011 | 0b00_0010_0000 |
| 0b0_1100 | 0b00_0000_0000 |
| 0b0_1101 | 0b00_0000_0000 |
| 0b0_1110 | 0b11_0001_0000 |
| 0b0_1111 | 0b00_0001_0000 |
| 0b1_0000 | 0b00_0000_0100 |
| 0b1_0001 | 0b00_0000_0100 |
| 0b1_0010 | 0b00_0000_0100 |
| 0b1_0011 | 0b00_0000_0100 |
| 0b1_0100 | 0b00_1000_1000 |
| 0b1_0101 | 0b00_0000_1000 |
| 0b1_0110 | 0b00_0000_0010 |
| 0b1_0111 | 0b00_0000_0000 |
| 0b1_1000 | 0b00_0000_0000 |
| 0b1_1001 | 0b00_0000_0000 |
| 0b1_1010 | 0b00_0000_0000 |
| 0b1_1011 | 0b00_0010_0000 |
| 0b1_1100 | 0b00_0000_0000 |
| 0b1_1101 | 0b00_0000_0001 |
| 0b1_1110 | 0b11_0001_0000 |
| 0b1_1111 | 0b00_0001_0000 |
As we can see, a number of inputs result in zero state outputs, and the MSB only changes the output of two ROM entries depending on whether its set or not. Perhaps a number of these states are illegal and just given a default output? I wonder what this ROM is used for? When I figure it out, I'll make an edit to this page!
As readers can probably see by now, digitizing and REing old ICs is completely doable, if tedious. Personally, I would say it's more mechanical than reversing a binary with IDA or radare2, once you know what to look for. However, like REing a binary, it does take a long time to fully RE an IC.
There are tools to automate the schematic capture process of an IC, and aid in analysis as well. Olivier Galibert's dietools are one example that I hope to discuss in future posts.
As of writing this post (October 12, 2016), my work in vectorizing and schematic capture of the YM2151 can be found here.
Back in 2011, I discovered that the MAME project was decapping ICs to defeat security/protection circuits on old arcade boards that prevented them from being emulated properly. The me in 2011 thought this was the most fascinating thing, the "last bastion" of proper accurate emulation. I never thought I would have the skill set required to do IC analysis.
Even up until summer 2016, I said that I wouldn't do IC reverse engineering, despite preservation of old technology being important to me. I felt it was beyond my comprehension, and that I would not be able to learn how to identify features in a reasonable amount of time. With help from others, I was wrong, and I'm glad that I was. If you're on the fence about learning a new technical subject, don't hesitate. We're all smart, and filled with doubt. Others will be willing to help!
I would like to thank members of siliconpr0n for looking over this post, especially Olivier Galibert for correcting a few mistakes. Additionally, I'd like to thank Digi-Key for their extremely useful Scheme-it schematic program, which I used to create the schematics (including the nice arrow!).
Last Updated: 2016-10-12
