Giulio Zausa's MMO-CHIP Makes Reverse Engineering Old Silicon Chips a Multiplayer Game

Get some friends together and go from die-shot to Verilog "in an hour," Zausa promises of his open source reverse engineering tool.

Software engineer Giulio Zausa has designed a tool that aims to make it possible to go from a die-shot of a silicon chip to a working Verilog implementation "in an hour": the Multiplayer CMOS Standard Cell Chips Reverse Engineering Tool, or MMO-CHIP for short.

"Reverse engineering old custom chips from microscope pictures is cool, but oh so painfully slow," Zausa explains of the problem his tool sets out to solve. "Last time I did this I spent two weeks waking up, annotating wires in Inkscape, going to bed, and then dreaming about more wires. So I decided to bite the bullet and finally build some better tooling, to keep future me more sane as well. MMO-CHIP [is] an open source silicon reverse engineering tool I built for helping preserve and emulating custom undocumented chips, like the DSPs [Digital Signal Processors] used in old synthesizers. It's web based and allows collaborative annotation, it handles giant pictures effortlessly and integrates a lot of features specifically designed for digitizing silicon, including some computer vision techniques. It's even able to infer the logical formula of complex logic gates, just from a few scribbles!"

Designed to replace general-purpose vector drawing tools, MMO-CHIP can dramatically speed up reverse engineering old silicon chips. (📹: Giulio Zausa)

Normally, a silicon chip is a black box - quite literally in many cases. For simpler chips, reverse engineering may take the form of walking through every possible input and noting down the corresponding output; for more complex chips, a different approach is required. By de-encapsulating the chip, known as "decapping," you can peer through a microscope at how the components are laid out and thus have a better idea of how everything works - and in some cases, as with chips compatible with Andrew "bunnie" Huang's IRIS infrared inspection system, you don't even need to strip the chip.

Once you've got a photo of the die — known as a "die shot" — though, the hard work begins. To properly reverse engineer the chip you need to identify its components and trace how they are connected, which is typically a laborious manual process. MMO-CHIP aims to simplify things: import your high-resolution die shot into the browser-based tool and it allows you to trace and annotate much faster than general-purpose drawing tools like Inkscape. From the overall die shot, the user can then zoom in to individual cells — and the software can infer transistors, gates, and logic. To speed things still further, there's an optional machine learning component to automatically detect traces and vias to save manual tracing.

The tool includes optional machine-learning assistance for trace and via identification, and can infer the presence of transistors and gates. (📷: Giulio Zausa)

But where does the "MMO" come in? Simple: using MMO-CHIP, reverse engineering silicon can be a multiplayer game. More than one person can access the application at once, and each can work on a separate section of the chip — allowing many hands to make light work of the annotation and tracing process. "You can just give a link to someone," Zausa explains, "and have them collaborate on your chip and draw wires and annotate cells for you. And it's really fast: I spent a lot of time making sure that the UI [User Interface] actually responds quickly enough."

Zausa's presentation on MMO-CHIP from the 24th Gulaschprogrammiernacht hackers' conference this week is embedded above, while source code is available on GitHub under an unspecified open source license.

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
