Silicon Pr0n

User Tools

Site Tools

Trace: epoxy_acid laser microscope forgery
rom:mask

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
rom:mask [2016/02/04 15:07] – [Bandai Tamagotchi metal ROM] mcmasterrom:mask [2018/02/12 20:18] (current) mcmaster
Line 69: Line 69:
 Above original caption: "Configuration and layout of MOS NAND ROM with programming using implants. This type of memory offers high level of security protection against optical reading." Copyright 2005 Sergei P. Skorobogatov, used with permission Above original caption: "Configuration and layout of MOS NAND ROM with programming using implants. This type of memory offers high level of security protection against optical reading." Copyright 2005 Sergei P. Skorobogatov, used with permission
  
-Implant ROMs essentially work by starting with a mask that has a grid of normal, working transistor.  Then some of them undergo additional bombardment to change the voltage threshold.  In the above examples the voltage threshold was raised such that the transistor is off regardless of the gate voltage applied.  This is different than a depletion transistor where the transistor is normally on and turns off when biased.+Implant ROMs essentially work by starting with a mask that has a grid of normal, working transistors.  Then some of them undergo additional bombardment to change the voltage threshold.  In the above examples the voltage threshold was raised such that the transistor is off regardless of the gate voltage applied.  This is different than a depletion transistor where the transistor is normally on and turns off when biased.
  
-These can be read optically but requires some technique.  See [[:delayer:dash|this page]] for information on staining with Dash etch Other mixtures may also give results but this is the most industry standard.  Alternatively, I've noticed that the implanted areas have sunken epitaxial areas that can be seen by oblique illumination.  It may be possible to read an implanted mask ROM by exploiting this height difference by using oblique illumination, confocal microscope, scanning probeetc.+ 
 +==== Reading out ==== 
 + 
 +These can be tricky to read out, even on old chips, since they are not readily visible under a microscope. 
 + 
 + 
 +=== Electronic === 
 + 
 +Try to find a test mode, glitch, etc by studying the die circuitry.  Several chips such as the N64 CIC have been dumped this way. 
 + 
 + 
 +=== Optical === 
 + 
 +Generally this level of doping is not visible to the naked eye.  However, I've noticed that the implanted areas have sunken epitaxial areas that can be seen by oblique illumination.  It may be possible to read an implanted mask ROM by exploiting this height difference by using oblique illumination, confocal microscope, etc. 
 + 
 + 
 +=== Staining === 
 + 
 +This is the generally preferred method to read these out.  See [[:delayer:dash|this page]] for information on staining with Dash etch.  Other mixtures may also give results but this is the most industry standard. 
 + 
 + 
 +=== Scanning capacitance microscopy (SCM) === 
 + 
 +AFM like technique that measures capacitance change by doping.  This is believed to work for ROMs, although we currently don't have any solid data on this. 
 + 
 + 
 +=== Scanning Microwave Impedance Microscopy === 
 + 
 +https://www.chipworks.com/about-chipworks/overview/blog/scanning-microwave-impedance-microscopy-smim 
 + 
 +This is believed to work for ROMsalthough we currently don't have any solid data on this. 
 + 
 + 
 +=== Energy-dispersive X-ray spectroscopy (EDS) === 
 + 
 +Discussed this with someone and they think the dopants are too low concentration to be detected.  It would be nice to get someone to actually do a scan and prove this.
  
  
Line 95: Line 130:
 Above: unstained active area Above: unstained active area
  
-{{:mcmaster:nintendo:6102:stain.jpg|}}+{{:mcmaster:nintendo:6102:stain.jpg?300|}}
  
 Above: stained active area Above: stained active area
Line 147: Line 182:
 Very unusual diagonal pattern Very unusual diagonal pattern
  
-===== Bandai Tamagotchi metal ROM =====+===== Bandai Tamagotchi metal NOR ROM =====
  
 {{:digshadow:bandai:tamagotchi_v1:rom_mz.jpg?300|}} {{:digshadow:bandai:tamagotchi_v1:rom_mz.jpg?300|}}
  
  
-===== HK HK628 active NAND ROM =====+===== HK HK628 active metal gate NAND ROM =====
  
-{{:mcmaster:hk:hk628:rom_mz.jpg|}}+{{:mcmaster:hk:hk628:rom_mz.jpg?300|}}
  
-{{:mcmaster:hk:hk628:rom_dlyr1.jpg|}}+{{:mcmaster:hk:hk628:rom_dlyr1.jpg?300|}}
  
  
-====== Automated decoding ======+===== Intel 80486DX ===== 
 + 
 +{{:mcmaster:intel:80486dx:microcode_mz.jpg?300|}} 
 + 
 +====== Decoding ====== 
 + 
 +I've created the [[https://github.com/SiliconAnalysis/|SiliconAnalysis github group]] towards unifying misc tools into a recommended toolchain. At a high level flow looks like this: 
 +  * Use a tool to generate a spatially equivalent 2D array of 1's and 0's 
 +    * Use rompar as an individual 
 +    * Use djangoMonkeys to crowdsource 
 +    * Both of these tools can produce CV training data 
 +  * Feed into the zorrom library to decode into a binary 
 +    * Knows how to order bits 
  
 ===== rompar by Adam Laurie ===== ===== rompar by Adam Laurie =====
 +
 +{{:adam_laurie:rompar:rompar.png?300|}}
  
 [[http://oamajormal.blogspot.co.uk/2013/01/fun-with-masked-roms.html|http://oamajormal.blogspot.co.uk/2013/01/fun-with-masked-roms.html]] [[http://oamajormal.blogspot.co.uk/2013/01/fun-with-masked-roms.html|http://oamajormal.blogspot.co.uk/2013/01/fun-with-masked-roms.html]]
Line 167: Line 217:
 Code is not yet released at the time of this writing but looks to be a good tool to try out.  Good article highlighting some of the problems optically reading mask ROMs and how they get around it. Code is not yet released at the time of this writing but looks to be a good tool to try out.  Good article highlighting some of the problems optically reading mask ROMs and how they get around it.
  
-===== Idea bucket =====+Video: https://www.youtube.com/watch?v=vbIJ-eVQkaw 
 + 
 + 
 +===== djangoMonkeys ====
 + 
 +https://github.com/andrew-gardner/django-monkeys 
 + 
 + 
 +===== typingMonkeys ===== 
 + 
 +Original MAME mask ROM crowdsourcing project. Written in PHP, deprecated in favor of djangoMonkeys
  
-I heard a rumor that I'm told is false that the MAME project crowd sourced ROM decoding by putting some sort of captcha on login screens.  Thus every time people log in they have to digitize a small part of the ROM and over time the whole ROM is digitized. 
  
 ===== Misc ===== ===== Misc =====
Line 180: Line 239:
     * Horizontal projection profile, possibly using color differences. Very sensitive to angle though, so might not be practical     * Horizontal projection profile, possibly using color differences. Very sensitive to angle though, so might not be practical
     * Signal based: above design has additional images on top of base. Filter out signals from repeating pattern and analyse remainder     * Signal based: above design has additional images on top of base. Filter out signals from repeating pattern and analyse remainder
 +
 +===== Tool1 =====
 +
 +An unnamed tool. I (mcmaster) have a copy of it but was requested not to post binaries and/or screenshots. However, some general feedback:
 +  * Their tool works by thresholding with misc tools to help see this
 +  * Bits are selected by drawing a box on the center of where the bits go. Then you tell it how many in rows/cols
 +  * Has pan and zoom, which made it much easier to use than rompar for the large dataset I was working with
 +  * Author says that in their experience bits are always on the same grid pitch, even if there are gaps
 +  * Distributed as Windows executable
 +
  
 ====== References ====== ====== References ======
rom/mask.1454598423.txt.gz · Last modified: 2016/02/04 15:07 by mcmaster