Intel’s first product was not a processor but a memory chip: the 3101 RAM chip, released in April 1969. This chip held just 64 bits of data (equivalent to 8 letters or 16 digits) and carried the steep price tag of $99.50. The chip’s capacity was far too small to replace core memory, the dominant storage technology at the time, which stored bits in tiny magnetized ferrite cores. However, the 3101 performed at high speed thanks to its special Schottky transistors, making it useful in minicomputers, where CPU registers required fast storage. The overthrow of core memory would require a different technology, MOS DRAM chips, and the 3101 remained in use in the 1980s.
This article looks inside the 3101 chip and explains how it works. I received two 3101 chips from Evan Wasserman and used a microscope to take photos of the tiny silicon die inside. Around the outside of the die, sixteen black bond wires connect pads on the die to the chip’s external pins. The die itself consists of silicon circuitry connected by a metal layer on top, which appears golden in the photo. The thick metal lines running through the middle of the chip distribute power.
Ken Shirriff has written an article on reverse engineering the 76477 “Space Invaders” sound effect chip:
Remember the old video game Space Invaders? Some of its sound effects were provided by a chip called the 76477 Complex Sound Generation chip. While the sound effects produced by this 1978 chip seem primitive today, it was used in many video games and pinball games. But what’s inside this chip and how does it work internally? By reverse-engineering the chip from die photos, we can find out. (Photos courtesy of Sean Riddle.) In this article, I explain how the analog circuits of this chip work and show how the hundreds of transistors on the silicon die form the circuits of this complex chip.
The 74181 ALU (arithmetic/logic unit) chip powered many of the minicomputers of the 1970s: it provided fast 4-bit arithmetic and logic functions, and could be combined to handle larger words, making it a key part of many CPUs. But if you look at the chip more closely, there are a few mysteries. It implements addition, subtraction, and the Boolean functions you’d expect, but why does it provide several bizarre functions such as “A plus (A and not B)”? And if you look at the circuit diagram (below), why does it look like a random pile of gates rather than being built from standard full adder circuits? In this article, I explain that the 74181’s set of functions isn’t arbitrary but has a logical explanation. And I show how the 74181 implements carry lookahead for high speed, resulting in its complex gate structure.
The revolutionary Intel 8008 microprocessor is 45 years old today (March 13, 2017), so I figured it’s time for a blog post on reverse-engineering its internal circuits. One of the interesting things about old computers is how they implemented things in unexpected ways, and the 8008 is no exception. Compared to modern architectures, one unusual feature of the 8008 is that it had an on-chip stack for subroutine calls, rather than storing the stack in RAM. And instead of using normal binary counters for the stack, the 8008 saved a few gates by using shift-register counters that generated pseudo-random values. In this article, I reverse-engineer these circuits from die photos and explain how they work.
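The following model is an added illustration, not code from Ken Shirriff’s article: it shows why the 74181’s function list is not arbitrary. Every arithmetic function is one addition of two intermediate values, X (A ORed with a term chosen by two select bits) and Y (A ANDed with a term chosen by the other two), and the odd-looking entries such as “A plus (A and not B)” are simply what you get for particular settings of those four bits. The same block adds X and Y with carry-lookahead logic, the structure the 8008 ALU passage further down also mentions, and cross-checks it against a textbook ripple adder. Assumptions: active-high 4-bit data and carry-in (the real chip’s active-low conventions and pin naming are not modeled), and the particular assignment of the S bits to the X and Y terms.

```python
"""Simplified 74181 arithmetic model with carry-lookahead addition.

Added illustration, not the chip's actual netlist. Operands, result and
carry are treated as active-high; the mapping of select bits S3..S0 to
the two intermediate terms is an assumption chosen to reproduce the
documented function list.
"""
from typing import Callable, Dict, Tuple

MASK = 0xF  # 4-bit data path


def operands(a: int, b: int, s: int) -> Tuple[int, int]:
    """Form the two values the ALU really adds.

    S1,S0 select what is ORed into A (nothing, B, not B, or both = all ones).
    S3,S2 select what is ANDed with A (nothing, not B, B, or both = A itself).
    """
    nb = ~b & MASK
    x = a | (b if s & 0b0001 else 0) | (nb if s & 0b0010 else 0)
    y = a & ((nb if s & 0b0100 else 0) | (b if s & 0b1000 else 0))
    return x & MASK, y & MASK


def lookahead_add(x: int, y: int, cin: int) -> Tuple[int, int]:
    """4-bit add where every carry is a flat AND/OR function of
    generate (g), propagate (p) and cin, so nothing ripples stage to stage."""
    g = [((x >> i) & (y >> i)) & 1 for i in range(4)]
    p = [((x >> i) | (y >> i)) & 1 for i in range(4)]
    c = [cin & 1, 0, 0, 0, 0]
    c[1] = g[0] | (p[0] & c[0])
    c[2] = g[1] | (p[1] & g[0]) | (p[1] & p[0] & c[0])
    c[3] = (g[2] | (p[2] & g[1]) | (p[2] & p[1] & g[0])
            | (p[2] & p[1] & p[0] & c[0]))
    c[4] = (g[3] | (p[3] & g[2]) | (p[3] & p[2] & g[1])
            | (p[3] & p[2] & p[1] & g[0])
            | (p[3] & p[2] & p[1] & p[0] & c[0]))
    total = 0
    for i in range(4):
        total |= (((x >> i) ^ (y >> i) ^ c[i]) & 1) << i
    return total, c[4]


def ripple_add(x: int, y: int, cin: int) -> Tuple[int, int]:
    """Textbook ripple-carry adder, used only as a reference."""
    total, c = 0, cin & 1
    for i in range(4):
        xi, yi = (x >> i) & 1, (y >> i) & 1
        total |= (xi ^ yi ^ c) << i
        c = (xi & yi) | (c & (xi ^ yi))
    return total, c


def alu(a: int, b: int, s: int, cin: int = 0) -> Tuple[int, int]:
    """Arithmetic-mode result (sum, carry-out) for select code s."""
    x, y = operands(a, b, s)
    return lookahead_add(x, y, cin)


# Documented meaning of a few select codes, as 5-bit (sum + carry) values.
EXPECTED: Dict[int, Callable[[int, int], int]] = {
    0b0000: lambda a, b: a,                       # A
    0b0011: lambda a, b: 0xF,                     # minus 1 (all ones)
    0b0100: lambda a, b: a + (a & ~b & MASK),     # A plus (A and not B)
    0b0110: lambda a, b: a + (~b & MASK),         # A minus B minus 1
    0b1001: lambda a, b: a + b,                   # A plus B
    0b1100: lambda a, b: a + a,                   # A plus A
    0b1111: lambda a, b: a + 0xF,                 # A minus 1
}


def check_functions() -> bool:
    """Exhaustively confirm the model against the documented functions
    and confirm the lookahead adder agrees with the ripple adder."""
    for s, meaning in EXPECTED.items():
        for a in range(16):
            for b in range(16):
                total, cout = alu(a, b, s)
                if (total | (cout << 4)) != (meaning(a, b) & 0x1F):
                    return False
                if (total, cout) != ripple_add(*operands(a, b, s), 0):
                    return False
    return True


if __name__ == "__main__":
    print("model matches documented functions:", check_functions())
    print("A plus B, 10 + 6 ->", alu(0b1010, 0b0110, 0b1001))
```

The lookahead carry equations are what turn a neat chain of full adders into the “random pile of gates” on the die: each carry output is its own two-level sum of products rather than a reuse of the previous stage’s carry.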
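To make the shift-register-counter idea concrete, here is an added toy model (not the 8008’s actual circuit). The width of three bits, the feedback taps (bit 2 XOR bit 1) and the shift direction are assumptions chosen so that the register cycles through all seven non-zero states; a single XOR gate replaces the carry chain a binary counter would need, and the price is that the states come out in a scrambled, pseudo-random order. Because the feedback is linear, the same register can be run backwards, which is what a stack pointer needs for returns.

```python
"""Shift-register counter used as a subroutine-stack pointer.

Added illustration with assumed parameters (3 bits, taps bit2^bit1);
not a transcription of the 8008 die.
"""
from typing import List

WIDTH = 3
MASK = (1 << WIDTH) - 1


def push(state: int) -> int:
    """Advance the pointer: shift left, feed back bit2 XOR bit1."""
    fb = ((state >> 2) ^ (state >> 1)) & 1
    return ((state << 1) & MASK) | fb


def pop(state: int) -> int:
    """Run the register backwards: shift right and rebuild the bit that
    was shifted out. Since new_bit0 = old_bit2 XOR old_bit1 and
    old_bit1 is now new_bit2, old_bit2 = new_bit0 XOR new_bit2."""
    old_bit2 = ((state & 1) ^ (state >> 2)) & 1
    return (old_bit2 << 2) | (state >> 1)


def cycle(start: int = 1) -> List[int]:
    """States visited from `start` until the sequence repeats."""
    seen = [start]
    s = push(start)
    while s != start and len(seen) <= MASK:
        seen.append(s)
        s = push(s)
    return seen


class ShiftRegisterStack:
    """Toy call stack whose slot index is the counter state above.

    Caveat: a maximal-length LFSR never visits the all-zero state
    (push(0) == 0 locks up), so 3 bits give 7 usable slots, not 8.
    """

    def __init__(self) -> None:
        self.slots = [0] * (MASK + 1)
        self.ptr = 1  # any non-zero seed

    def call(self, return_addr: int) -> None:
        self.ptr = push(self.ptr)
        self.slots[self.ptr] = return_addr

    def ret(self) -> int:
        addr = self.slots[self.ptr]
        self.ptr = pop(self.ptr)
        return addr


def demo() -> List[int]:
    """Three nested calls, then three returns: LIFO order is preserved
    even though the pointer walks 1 -> 2 -> 5 -> 3 rather than 0,1,2,3."""
    st = ShiftRegisterStack()
    for addr in (0x100, 0x200, 0x300):
        st.call(addr)
    return [st.ret(), st.ret(), st.ret()]


if __name__ == "__main__":
    print("pointer sequence:", cycle(1))
    print("returns:", [hex(a) for a in demo()])
```

Two properties matter for a stack pointer and both hold here: every push has a unique pop (the map is a bijection on the non-zero states), and the all-zero state must never be reached, which the hardware has to guarantee at reset.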
Johan Kanflo’s OpenDPS project, a free firmware replacement for the DPS5005:
This write-up of the OpenDPS project is divided into three parts. Part one (this one) covers reverse engineering the stock firmware and could be of interest to those looking at reverse engineering STM32 devices in general. Part two covers the design of OpenDPS, the name given to the open DPS5005 firmware. Part three covers the upgrade process for stock DPS units and connecting them to the world. If you only want to upgrade your DPS you may skip directly to part three.
Ken Shirriff has written an article on reverse engineering the ALU of the 8008 microprocessor:
A computer’s arithmetic-logic unit (ALU) is the heart of the processor, performing arithmetic and logic operations on data. If you’ve studied digital logic, you’ve probably learned how to combine simple binary adder circuits to build an ALU. However, the 8008’s ALU uses clever logic circuits that can perform multiple operations efficiently. And unlike most 1970’s microprocessors, the 8008 uses a complex carry-lookahead circuit to increase its performance.
The 8008 was Intel’s first 8-bit microprocessor, introduced 45 years ago. While primitive by today’s standards, the 8008 is historically important because it essentially started the microprocessor revolution and is the ancestor of the x86 processor family that you are probably using right now. I recently took some die photos of the 8008, which I described earlier. In this article, I reverse-engineer the 8008’s ALU circuits from these die photos and explain how the ALU functions.
We have most recently seen [Ken] at work explaining his decapping and reverse engineering process at the Hackaday SuperCon followed soon after by his work on the 8008. That chip is crazy with complexity and a die-ogling noob (like several of us on the Hackaday crew) stands no chance of doing more than simply following along with what he explains. This time around, the 74181 is just right for the curious but not obsessed. Don’t believe me? The 8008 had around 3,500 transistors while the friendly 74181 hosts just 170. We like those odds!
A quick crash course in visually recognizing transistors will have you off to the races. [Ken] also provides references for more complex devices. But where he really saves the day is in his schematic analysis. See, the traditional ‘textbook’ logic designs have been made faster in this chip, and going through his explanation will get you back on track to follow the method behind the die’s madness.
[Ken] took his own photograph of the die. You can see the donor chip above which had its ceramic enclosure shattered with a brisk tap from a sharp chisel.
[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.
In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.
Dive In: The Z80
[Ken] wastes no time and dives straight into a die shot of the Z80 8-bit CPU. He starts out by labeling the landing pads that connect to external pins by cross-referencing them with the datasheet. That tells you a lot: you know what the pins have to do, so guessing the use of each cluster of transistors becomes a lot easier.
When you see a bunch of repeated tiny circuits, you’re probably looking at memory. Since the Z80 has sixteen registers in its CPU, [Ken] goes looking for sixteen repeating blocks of storage, and finds ’em (lower-left). Since they’re connected up to the address lines on the pin-pads, he’s doubly-confirming his hunch. The other side of the registers heads off to a data bus, another giveaway.
The instruction decoder turns out to be a programmable logic array (PLA) that takes a bit pattern in across horizontal wires, matches it, and then sends a logic high down a vertical line that leads to the Arithmetic-Logic Unit (ALU). Particular to the Z80, [Ken] notes that although it takes eight-bit instructions, the ALU is only four bits wide. It turns out the CPU was memory-speed constrained, so the designers saved space (and money) by using a four-bit ALU. Sneaky!
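An added model of what such a PLA does, written for this page rather than taken from [Ken]’s talk or the Z80 itself: each AND-plane row is an opcode pattern with don’t-care bits (the positions where no transistor sits on the horizontal wire), every row compares against the opcode in parallel, and each matching row drives its vertical output line high. The eight patterns below are genuine Z80 first-byte encodings, but they are a small constructed subset chosen for illustration, not a transcription of the chip’s real PLA, and the model assumes no priority between rows.

```python
"""PLA-style instruction decoder: an added illustration.

Rows are (mask, value, output-line name) triples compiled from patterns
such as '10000xxx'. The encodings are real Z80 opcodes; the row set is
a constructed subset for illustration only.
"""
from typing import List, Tuple

Term = Tuple[int, int, str]  # (mask, value, name of the output line)


def compile_term(pattern: str, name: str) -> Term:
    """'10000xxx' -> (mask, value, name). 'x' = don't care."""
    if len(pattern) != 8 or any(ch not in "01x" for ch in pattern):
        raise ValueError(f"bad pattern {pattern!r}")
    mask = value = 0
    for ch in pattern:
        mask = (mask << 1) | (ch != "x")
        value = (value << 1) | (ch == "1")
    return mask, value, name


# AND plane. Note HALT (0x76) sits inside the LD r,r' block: in a plain
# PLA both rows fire, and downstream logic must resolve the overlap.
TERMS: List[Term] = [
    compile_term(p, n)
    for p, n in [
        ("00000000", "NOP"),
        ("01xxxxxx", "LD r,r'"),   # 01 ddd sss
        ("01110110", "HALT"),
        ("10000xxx", "ADD A,r"),
        ("10001xxx", "ADC A,r"),
        ("10010xxx", "SUB r"),
        ("11000011", "JP nn"),
        ("11001001", "RET"),
    ]
]


def decode(opcode: int) -> List[str]:
    """Every row compares in parallel; return all output lines that go high."""
    return [name for mask, value, name in TERMS if (opcode & mask) == value]


def field(opcode: int, hi: int, lo: int) -> int:
    """Extract a register field (bits hi..lo inclusive) from an opcode,
    the part of the instruction a PLA row leaves as don't-cares."""
    return (opcode >> lo) & ((1 << (hi - lo + 1)) - 1)


def overlaps() -> List[int]:
    """Opcodes that light more than one output line; a real design must
    order or gate these rows."""
    return [op for op in range(256) if len(decode(op)) > 1]


if __name__ == "__main__":
    for op in (0x00, 0x47, 0x76, 0x80, 0xC3):
        print(f"{op:02X} -> {decode(op)}")
    print("overlapping opcodes:", [hex(op) for op in overlaps()])
```

Reading a PLA off a die is the inverse of `compile_term`: you note, for each horizontal row, which bit positions have a transistor on the true line, which on the complement line, and which have none, and that triple of 1/0/x per position is the row’s pattern.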
Once he’s figured out the broad outlines of the chip, it’s time to dig down into the transistors. After a brief intro to designing logic circuits out of transistors, he takes us into the actual fabric of the IC. As if things weren’t confusing enough with simple logic gates like NAND and NOR, it turns out that the designers of the Z80 used a few “crazy gates” that efficiently compute particular operations that they needed.
The ALU is the heart of a chip, and it’s highly optimized. For instance, the Z80’s ALU is “totally different” from the 6502. An adder is not just an adder. And it’s here in the ALU that you’ll find crazy gates and chip-specific implementations. Figuring out how all that works is the next level up for budding chip-reading detectives. [Ken] has a lot more on the Z80 on his website.
Clever Calculators and Forgotten Memories
The Sinclair Scientific Calculator from 1974 was a small marvel: it took a TI chip from a simple calculator “that could barely multiply” and added logs and trig functions. How did Sinclair do it? [Ken] wanted to find out; we still hold this as one of our favorite hacks.
Starting off again with the pinout, [Ken] finds his way to the instruction ROM. He built a software simulator for what he found, and got to reverse-engineering. Again, if you’re into clever space-saving algorithms, head on over to his website.
In 1970, RAM storage was incredibly expensive. Intel came out with “shift-register” memory, and indeed, it’s just a 512-bit-long shift register. How does random access work in this context? You wait until your bit comes around like you would on a baggage carousel — leading to slow and random random-access times. Cool. But we can also see why they went out of favor.
Analog ICs: the 555 timer, the LM741, and the LM7805
Have you ever used a 555 timer? Want to see how it works? First, you’ll have to understand the implementation details of bipolar-junction transistors (BJTs). Although BJTs are laid out in many more different topologies than their FET cousins, analog circuits are often smaller and easier to get your head around. [Ken] gives you a good head start, and then sets off reversing two iconic chips: the 555 timer and the LM741 op-amp.
The 741 IC is dominated by an in-silicon capacitor, which really is a silly idea, but since “engineers are lazy” and this means that they have one less piece to lay out, it turned out to be worth its weight in gold and the LM741 sold bazillions. On the other hand, it’s got current mirrors spread around everywhere, which are used to replace resistors in silicon. And it’s got some strange transistors, one of which has six (!) collectors because the designers needed six current mirrors in one place.
Finally, [Ken] takes apart the LM7805 voltage regulator. The output transistor is (not surprisingly) about half of the IC die — the 7805 needs to push some current. The coolest part of the chip is a variable resistor that sets the output voltage. It’s a simple trick that makes the difference between an LM7812 and an LM7805 no more than the value of the resistor inside, leveraging the same design for different operating voltages.
How Does He Do It?
[Ken] uses a metallurgical microscope that shines its light from above, rather than through the sample. He got his for a few hundred dollars on eBay. He then takes multiple images from different locations all around the chip, with significant overlap, and lets the Hugin software stitch it all back together for him.
“The experts” decap their chips using boiling sulfuric or nitric acid. [Ken] doesn’t need a Superfund site, so he often leaves the die photos to someone else. Sites like zeptobars.com, visual6502, and siliconpr0n have a ton of chips that are just waiting for you to start decoding, with no chemistry degree needed.
For chips that aren’t in epoxy, [Ken] opens them himself, either by hitting them with a chisel or by cutting them open with a saw. He has just started on the 8008 CPU. Between this talk and the resources on [Ken]’s website, you’ve got a good head start. All that’s left to do is the good, hard, fun work of puzzling out a few ICs on your own.
People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinksy]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.
The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.
Some of the coolest bits:
Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
All of this was done by sacrificing only one truckload of set-top boxes.
Our jaw dropped repeatedly during this presentation. Go watch it now.