Ken Shirriff Offers an Introduction to Reverse Engineering CMOS Chips From Die Shots

From spotting and distinguishing transistor types to figuring out logic gates, Shirriff's guide is a great place to learn chip reversing.

Gareth Halfacree
5 months ago
HW101 / Debugging

Noted reverse engineer Ken Shirriff has penned a guide to figuring out what a CMOS chip does based on nothing more than a high-resolution picture of its die — using, as an example, a vintage Soviet clone of the Motorola MC14516B four-bit counter.

"Although the chip looks like a tangle of lines at first, its large features and simple layout make it possible to understand its circuits," Shirriff says of the die photograph, captured from decapsulated original hardware by Martin Evtimov. "I'll first explain how to recognize the individual transistors. Groups of transistors are connected in standard patterns to form CMOS gates, multiplexers, flip-flops, and other circuits. Once these building blocks are understood, reverse engineering the full chip becomes practical."

Complementary metal-oxide semiconductor (CMOS) devices make up the bulk of processors built and sold today, though there's a big gulf in complexity between the 1970s-era Soviet device under the camera in Shirriff's example and the sort of chip that drives a modern smartphone or tablet. That gulf is what makes the exercise tractable: the old chip's features are large enough to photograph and trace with amateur-grade equipment, whereas the transistors of a leading-edge processor built on a single-digit-nanometer-class process are far too small to resolve with an optical microscope.

"Regions of the silicon are doped with impurities to change the silicon's electrical properties. This doping also causes regions of the silicon to appear greenish or reddish, depending on how a region is doped," Shirriff writes, adding that the color shift helps with the reverse engineering process. "On top of the silicon, the whitish metal layer is visible, forming the chip's connections. This chip uses metal-gate transistors, an old technology, so the metal layer also forms the gates of the transistors."

Shirriff's guide walks through recognizing transistors and telling P-type from N-type, spotting NOT, NOR, NAND, and more complex gates built up from them, identifying latches and flip-flops, and understanding how signals are routed across the die, for instance "using silicon for a 'cross-under,'" he explains, "allowing a signal to pass underneath metal wiring. These cross-unders are avoided unless necessary because silicon has much higher resistance than metal. Moreover, the cross-under requires additional space on the die."
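The gate-recognition step can be checked mechanically. Once the transistors of one gate have been grouped into a PMOS pull-up network (between the output and the positive supply) and an NMOS pull-down network (between the output and ground), their series/parallel structure fixes the logic function: series NMOS under parallel PMOS is a NAND, parallel NMOS under series PMOS is a NOR, and in a well-formed CMOS gate the two networks are always duals of each other. The Python model below is an added example, not code from Shirriff's guide; the nested-tuple notation for networks and the netlists it evaluates are constructed for illustration. It derives the truth table from the transistor arrangement, names the gate if it matches a known function, and reports FLOAT or SHORT states, which usually mean transistors were grouped wrongly when reading the die.

```python
from itertools import product

# A transistor network is written as nested tuples (constructed notation):
#   'a'                one transistor whose gate is driven by signal a
#   ('S', n1, n2, ...) sub-networks in series: all must conduct
#   ('P', n1, n2, ...) sub-networks in parallel: any one may conduct


def conducts(net, kind, inputs):
    """True if a network of PMOS ('p') or NMOS ('n') transistors conducts.

    A PMOS transistor turns on when its gate is low (0), an NMOS when its
    gate is high (1). That complementary behaviour is what makes a CMOS gate.
    """
    if isinstance(net, str):
        gate = inputs[net]
        return gate == 0 if kind == 'p' else gate == 1
    op, *parts = net
    results = [conducts(part, kind, inputs) for part in parts]
    return all(results) if op == 'S' else any(results)


def dual(net):
    """Swap series and parallel.

    Given the NMOS pull-down read off the die, this is the PMOS pull-up a
    correctly formed CMOS gate must have (and vice versa); comparing the two
    is a quick sanity check on the grouping.
    """
    if isinstance(net, str):
        return net
    op, *parts = net
    return ('P' if op == 'S' else 'S',) + tuple(dual(p) for p in parts)


def truth_table(pull_up, pull_down, signals):
    """Evaluate the gate for every input combination.

    Output is 1 when only the PMOS pull-up conducts, 0 when only the NMOS
    pull-down conducts, 'FLOAT' when neither does and 'SHORT' when both do.
    """
    table = {}
    for bits in product((0, 1), repeat=len(signals)):
        inputs = dict(zip(signals, bits))
        up = conducts(pull_up, 'p', inputs)
        down = conducts(pull_down, 'n', inputs)
        if up and down:
            table[bits] = 'SHORT'
        elif up:
            table[bits] = 1
        elif down:
            table[bits] = 0
        else:
            table[bits] = 'FLOAT'
    return table


# Reference functions for the gate types the guide covers plus one
# and-or-invert gate, which is how "more complex gates" usually show up.
KNOWN = {
    'NOT': lambda a: int(not a),
    'NAND': lambda a, b: int(not (a and b)),
    'NOR': lambda a, b: int(not (a or b)),
    'AOI21': lambda a, b, c: int(not ((a and b) or c)),
}


def identify(table):
    """Name the gate if its truth table matches a known function, else None.

    A table containing SHORT or FLOAT is never a valid static CMOS gate.
    """
    if any(v in ('SHORT', 'FLOAT') for v in table.values()):
        return None
    n_inputs = len(next(iter(table)))
    for name, fn in KNOWN.items():
        if fn.__code__.co_argcount != n_inputs:
            continue
        if all(fn(*bits) == out for bits, out in table.items()):
            return name
    return None


if __name__ == '__main__':
    # Constructed netlists, not transistor groups read from the actual die.
    nand = truth_table(('P', 'a', 'b'), ('S', 'a', 'b'), ['a', 'b'])
    print('parallel PMOS over series NMOS ->', identify(nand))
    nor = truth_table(('S', 'a', 'b'), ('P', 'a', 'b'), ['a', 'b'])
    print('series PMOS over parallel NMOS ->', identify(nor))
    pull_down = ('P', ('S', 'a', 'b'), 'c')
    aoi = truth_table(dual(pull_down), pull_down, ['a', 'b', 'c'])
    print('dual pull-up', dual(pull_down), '->', identify(aoi))
    bad = truth_table(('S', 'a', 'b'), ('S', 'a', 'b'), ['a', 'b'])
    print('mis-grouped gate:', bad, '->', identify(bad))
```

When tracing a real die, the practical workflow is the reverse of the demo: write down the NMOS network you can see, compute its dual, and check that the PMOS transistors on the other side of the output node really are wired that way before trusting the gate label.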

The chip photographed for Shirriff's guide turned out to be a clone of the Motorola MC14516 binary up/down counter. "Although the counter chip is old and simple," Shirriff adds, "later chips use the same principles."

Shirriff's full write-up is available on his blog.

Main article image courtesy of Martin Evtimov.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.