New Ways to Reverse Engineering a Chip

Tekmos frequently finds itself creating a new chip to replace one that has been discontinued. Traditionally, we studied the data sheet and measured the chip performance on our tester, and then designed a replacement part. This method works, but has one flaw in it. You can only verify what you test. We test everything that we can think of, but if we overlook a situation, then that case might not work. This results in an errata for the part, and possibly a product revision.

Microprocessors are more difficult than most chips because they have almost unlimited numbers of initial conditions, and many events are asynchronous. Just adding two 16-bit numbers with carry creates 8 billion combinations, and it is not practical to test them all. Asynchronous interrupts can occur at any time during the execution of any opcode, providing another large set of events of which we can only test a few.

To get around simulation limitations, we frequently build FPGA-based emulators for our designs, and run them in customer systems to detect rare combinations. This is a good approach, but is limited by whatever code is running.

Over the past several years, a new technology for netlist extraction has developed making it much easier to extract a design from an existing chip. This technology was originally developed to meet the needs of patent attorneys who were examining existing parts looking for patent violations. In this technology, a chip is imaged using a scanning electron microscope (SEM). The top layer is removed, and the chip is re-imaged. The process is repeated until all the chip layers have been individually imaged. Specialty software converts the images into a GDS data base of the chip. Additional software extracts the individual transistors and resistors, and produces a spice netlist. This netlist is further processed to produce a Verilog netlist at the gate level.

This netlist becomes the starting point for our work. The first thing that we check for is to make sure that the netlist does not contain opens or shorts. If we find one, we go back to the images to see what is going on. Removing the layers is an art more than a science, and it is possible that the part can be damaged in the process, resulting in errors in the netlist.

Next, we have to evaluate the design. We have better design tools today that those that existed when many of these circuits were originally made. We use these tools to find possible race conditions or process sensitivities that may have existed in the original parts. Better tools, combined with improvements in modern process parameter controls, means that we can produce a functionally identical part with superior AC and DC characteristics.

For example, many older parts were offered in a 70ºC commercial temperature range and an 85ºC industrial temperature range. Usually, a 70ºC part would stop working at 85ºC, which is not a lot of margin. With a more robust design combined with tighter process controls, we frequently exceed even the military 125ºC temperature specifications.

Because of the benefits in producing an exact duplicate, Tekmos has switched over to netlist extraction as the preferred technology for recreating obsolete parts.