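The Art of IC Reverse Engineering: An Account of the State of the Art in IC Reverse Engineering
I have worked in IC design for nearly 40 years, and the core of that work has been IC reverse engineering.
I came across this article by chance; every sentence is to the point, I felt completely at home in it, and I could not put it down.
On the first day I read it while tidying up Google's translation.
On the second day I began correcting and polishing it, to improve its readability and accuracy.
That it can take ART as its title gives an idea of the level it reaches; it really does have a method of its own.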
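Abstract
This paper gives an overview of the place of reverse engineering (RE) in the semiconductor industry, and the techniques used to obtain information from semiconductor products.
This paper describes the overall place of reverse engineering (RE) in the semiconductor industry, and the techniques used to extract important information from semiconductor products.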
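The continuous drive of Moore's law to increase the integration level of silicon chips has presented major challenges to the reverse engineer, obsolescing simple teardowns, and demanding the adoption of new and more sophisticated technology to analyse chips. Hardware encryption embedded in chips adds a whole other level of difficulty to IC analysis.
Driven continuously by Moore's law, which predicts that the integration level of silicon chips doubles every year, reverse engineers face major challenges: the simple teardown approach is obsolete, and reverse engineering is required to adopt newer and more complex techniques to analyse chips. New hardware encryption embedded in chips raises the difficulty of IC reverse analysis to yet another level.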
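This paper covers product teardowns, and discusses the techniques used for system-level analysis, both hardware and software; circuit extraction, taking the chip down to the transistor level, and working back up through the interconnects to create schematics; and process analysis, looking at how a chip is made, and what it is made of. Examples are also given of each type of RE. The paper concludes with a case study of the analysis of an IC with embedded encryption hardware.
This paper discusses product teardown techniques and the analysis techniques used at system level, both hardware and software; and circuit extraction, from removing the die and stripping it layer by layer until the transistors are exposed, then tracing back the connections between the layers to produce schematics. Alongside this, process analysis shows how a chip is manufactured and what it is composed of. The paper also uses many examples to illustrate each type of reverse engineering. It ends with a case study of the reverse analysis of an IC with embedded encryption hardware.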
Introduction
One of the most basic business requirements is the need to know what the competition is doing. If a company wants to get into a new area of business, the simplest thing to do is buy an existing product and take it apart to see what is inside it. Having done that, we know the parts list involved, and the technological challenges to be faced in manufacturing the new version.
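One of the most basic business requirements is the need to know what competitors are doing. If a company wants to enter a new area of business, the simplest approach is to buy an existing product and take it apart to see what is inside. Having done so, we know the full parts list, and the technical challenges faced in manufacturing a new version.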
Reverse engineering (RE) can cover objects from as large as aircraft down to the smallest microchip, and the motivations have varied from the paranoia of the Cold War, through commercial piracy, to competitive intelligence, product verification, and courts of patent law.
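Reverse engineering (RE) covers everything from objects as large as aircraft down to the smallest microchip. The motivations have shifted subtly, from behaviour driven by Cold War paranoia, through the commercial piracy that RE also covers, to competitive intelligence, product verification, and patent courts.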
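If we look back over the last few decades, reverse engineers around the world have had a significant influence on the dissemination of technology in the electronics industry.
If we look back over the past few decades, reverse engineers around the world have had an important influence on the spread of technology in the electronics industry.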
RE is now a recognised part of the competitive intelligence field, and is commonly used to benchmark products and support patent licensing activities. A side area is the need to RE archaic parts that have gone out of service, and need replacing in long-lived equipment such as military systems, nuclear reactors, airliners, and ships.
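RE is now a recognised part of the competitive intelligence field, and is commonly used in the development of benchmark products and in support of patent licensing activities. RE also serves another need, the renewal of old parts that are out of production: when replacements are needed in long-lived equipment such as military systems, nuclear reactor systems, aircraft and ships, reverse engineering is used as well.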
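A fact of life these days is that simple teardowns of products are just not good enough any more. Advances in semiconductor technology, namely the massive integration of billions of individual devices and masses of functions into single components, have forced RE to evolve into a specialised niche of the engineering profession.
What everyone has seen recently is that simply tearing a product down no longer meets current needs. Advances in semiconductor technology have integrated billions of devices and masses of functions into single components on a large scale, forcing RE to develop into a specialised niche of the engineering profession.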
RE in the Semiconductor Industry
The question most often asked about reverse engineering is "is it legal?" The short answer is – yes! In the case of semiconductors, RE is protected in the US by the Semiconductor Chip Protection Act, which allows it "for the purpose of teaching, analyzing, or evaluating the concepts or techniques embodied in the mask work or circuitry. . ." There is similar legislation in Japan, the European Union, and other jurisdictions.
The question most often asked about reverse engineering is "is it legal?" The short answer is "yes"! In the case of semiconductors, RE is protected in the US by the Semiconductor Chip Protection Act, which permits it for teaching purposes, and also for analysing or evaluating the concepts or techniques embodied in the mask work or circuitry... Japan, the European Union and other jurisdictions have similar legislation.
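In the semiconductor business, RE customers fall into two groups: those who are interested in technical information, and those that are interested in patent-related information. The technical information customers are usually within manufacturing companies, performing product development, or strategic marketing or benchmarking studies. The patent clients are usually patent lawyers or intellectual property (IP) groups within companies. There are also companies that are purely licensing companies, and deal only in IP.
In the semiconductor business, RE customers fall into two groups: those interested in technical information, and those interested in patent-related information. Customers interested in technical information are usually inside manufacturing companies, responsible for product development, strategic marketing, or benchmarking studies. Customers interested in patent-related information are usually patent lawyers within companies, or holders of intellectual property (IP) of various kinds. There are also companies that deal purely in IP licensing and trading.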
Types of RE (what reverse engineering techniques cover)
Reverse engineering of semiconductor-based products can broadly take several forms:
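Reverse engineering of semiconductor-based products can broadly take several forms:
- Product teardowns – identify the product, package, internal boards, and components
- System level analysis – analyse operations, functions, timing, signal paths, and interconnections
- Process analysis – examine the structure and materials to see how it is manufactured, and what it is made of
- Circuit extraction – delayer to transistor level, then extract interconnections and components to create schematics and netlists
1 Product teardown: identify the product, packaging, internal boards and components
2 System level analysis: analyse operations, functions, timing, signal paths and interconnections
3 Process analysis: examine the structure and materials to understand how it is manufactured and what it is made of
4 Circuit extraction: remove the layers one by one in order, from the top-level interconnect down to the transistors at the bottom, then extract the interconnections and components to produce schematics and netlists (the circuit in text form)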
1 Product Teardowns
Product teardowns are the simplest type of RE in the electronics arena; the unit is simply disassembled, the boards and sub-assemblies are photographed, and the components are inventoried.
Reverse engineers are usually only interested in what components are in the device at this level, but there are also companies that use the data to provide a bill of materials and tentative costing for the manufacture.
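Product teardown is the simplest type of RE in the electronics field; the unit is simply disassembled, the boards and components are photographed, and they are kept on record.
At this stage reverse engineers are usually interested only in certain components in the device, but some companies also use the bill-of-materials data as a tentative manufacturing cost.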
Figure 1 shows an Apple 8 GB iPod nano personal media player, partly torn down to expose the internal board and the ICs used [1].
Optical and x-ray analyses (Fig. 2) showed that the 64 Gb flash memories were actually 2 x 32 Gb stacked packages, each containing four 8 Gb dice (total 64 Gb). In this case, we continued with detailed process analyses of the 8 Gb flash chips, since they were leading edge devices from Samsung and Toshiba.
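Figure 1 shows an Apple 8 GB iPod nano personal media player, partly taken apart to expose the internal board and the ICs used [1].
Optical and x-ray analyses (Figure 2) showed that the 64 Gb flash memories were actually 2 x 32 Gb stacked packages, each containing four 8 Gb dice (64 Gb in total). In this case we went on to further process analysis of the 8 Gb flash chips, since they were advanced devices from Samsung and Toshiba.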
2 System Level Analysis
Just as there is a huge variation in electronic systems, there is also a variety of methods for system analysis. Electronic systems can consist of hardware, software, firmware, communications, transducers, etc. System analysis is useful for all of these.
Just as electronic systems vary enormously, there are likewise many methods of system analysis. Electronic systems can include hardware, software, firmware, communications, transducers and so on, and system analysis is useful for all of these.
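2.1 Hardware
Hardware analysis takes one of two forms: reverse engineering or functional analysis. Reverse engineering is a hierarchical analysis method. Take the example of a cell phone. The first phase of reverse engineering is to tear down the phone, making notes of all connections between subsystems. Next, the main board is reverse engineered. Photos are taken of the board for future work.
Hardware analysis takes one of two forms: reverse engineering or functional analysis. Reverse engineering is a top-down hierarchical method of analysis. Taking a cell phone as the example, the first phase of reverse engineering is reverse engineering the main board: tear the system down, record all connections between the subsystems (the various components), and keep photographs on file as a reference for rebuilding the main board later.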
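All components on the board are catalogued and then selectively removed. If the board is multi-layered, it can be delayered and imaged (Figure 3). The connections between all components are then identified and entered into the board schematic. Alternatively, electrical probing can sometimes be used to find the connections. Either way, a complete schematic of the board can be re-created.
All components on the main board are catalogued, and then some are selectively removed. If the main board is multi-layered, it is delayered and imaged (Figure 3). The connections between all components are then identified by hand, joined into the main board schematic, and entered into a computer. Sometimes electrical probing is needed to find the connections between components; with both approaches together, the complete schematic of the main board is rebuilt.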
Functional analysis entails system monitoring during functional operation.
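A system can be instrumented with probes wherever needed (sometimes with great difficulty, but it can usually be done, as shown in Figure 4). Microprobing is used to monitor on-chip signals. Test cases are developed, and stimulus created for operating the system in its functional modes. Signal generators, logic analyzers, and oscilloscopes are used to drive the system and collect the results. The signals and full system are then analyzed.
Functional analysis is carried out by monitoring the system while it operates functionally. Probes can be attached to the system wherever needed (sometimes with great difficulty, but it can usually be done, as shown in Figure 4), and microprobing is used to monitor signals at points inside the chip. Test cases are developed, and stimulus is generated to operate the system in its functional modes. Signal generators, logic analyzers and oscilloscopes are used to drive the system and collect the results, giving the signals for analysis of the complete system.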
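Using the cell phone example once again, the phone can be partially disassembled, but still electrically connected to allow for operation. Probes can be used to monitor key buses, pins of chips, and connectors. The phone can then be operated, and the signals analyzed, to understand the operation.
Using the cell phone example again, the phone can be partly disassembled while remaining electrically connected so that it can operate. Probes can be used to monitor the main buses, chip pins and connectors. The phone can then be operated and the signals analysed to understand the operation.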
2.2 Software
As with hardware, software can be analyzed using the same two techniques; reverse engineering and functional analysis.
Software reverse engineering is the process of taking machine code and converting it back into human-readable form.
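As with hardware, the same two techniques can be used to analyse software: reverse engineering and functional analysis.
Software reverse engineering is the process of taking machine code and converting it back into human-readable form (disassembly).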
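The first task is often extraction of embedded code from an on-chip memory. Many techniques are available, such as EEPROM programmers, bus monitoring during code upload, and schematic extraction. Sometimes the code is protected with software or hardware locks. These can often be disabled via a collection of techniques. A chip's test port can be a good method of accessing its contents. IC microsurgery can be used to modify or bypass hardware locks. Usually these techniques require circuit analysis first, in order to identify the locks and second modifications that will disable them.
The first task is usually to extract the embedded code from on-chip memory. Many techniques are available, such as EEPROM programmers, bus monitoring during code upload, and schematic extraction. Sometimes the code is protected by software or hardware locks, which can usually be unlocked by a set of techniques. A chip's test port can be a good way of extracting the program contents. IC microsurgery can also be used to modify or bypass hardware locks. These techniques usually require circuit analysis first, in order to identify the locks and the second-stage modifications that disable them.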
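Encrypted code requires encryption analysis, followed by decryption. This requires both the keys and an understanding of the encryption algorithm. The keys can often be read from the embedded memory, along with the code, using the techniques described above. The encryption algorithm can sometimes be discovered via documentation or functional analysis. If these methods fail, then circuit extraction can often be used to reverse engineer the algorithm.
Encrypted code requires encryption analysis before it can be decrypted; this requires the keys and an understanding of the encryption algorithm.
Using the techniques described above, the keys can usually be read from the embedded memory along with the code.
The encryption algorithm can sometimes be discovered through documentation or functional analysis.
If these methods all fail, extracting the circuit by reverse engineering is the last available way to work out the algorithm.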
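Once the code is extracted, disassemblers can be used as long as the processor and instruction set are known. Tools are then available to help take assembly code and structure it into a more C-like format. This structured code can then be analyzed by software experts. Code can be analyzed in either "static" ("dead") mode or "dynamic" ("live") mode. Live analysis is undertaken when it is possible to obtain the full control of the processor: starting and stopping code, inspecting registers, memory, tracing code execution. Live analysis is always preferable to dead code analysis which consists of analyzing just the instructions without the ability to inspect the code while running.
Once the code has been extracted, a disassembler can be used as long as the processor and instruction set are known. Tools can then help take the assembly code and structure it into a more C-like format, which software experts can then analyse. Code can be analysed in "static" (at rest) mode or "dynamic" (powered, live) mode. Live analysis is done when full control of the processor can be obtained: starting and stopping code, inspecting registers and memory, and tracing code execution. Live analysis is always preferable to analysis of code at rest; static mode can only analyse the instructions, without being able to inspect the code while it runs.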
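Using software simulators enables another mode of software RE which is in between these two. Software functional analysis is similar to hardware functional analysis. Test cases are designed, stimulus is created, the code can be instrumented, and the software executed. The outputs of this software can take many forms, from creating charts or driving a GUI, to controlling a robot or playing a song. These outputs can be analyzed to better understand the software or system.
Software simulators enable another mode of software reverse analysis that sits between these two. Software functional analysis is similar to hardware functional analysis: test cases are designed, stimulus is generated, the code can be instrumented, and the software can be executed. The output of the software can take many forms, from creating charts or driving a GUI to controlling a robot or playing a song. Analysing these outputs makes the software or system easier to understand.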
3 Process Analysis
Process analysis of chips is straightforward in theory, since microanalytical tools have been around for some time. Every wafer fab has a range of equipment for process control and failure analysis, and Chipworks uses the lab-scale equivalent.
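Process analysis of chips is straightforward in theory, since microanalytical tools have existed for some time. Every wafer fab has a range of equipment for process control and failure analysis, and Chipworks uses the lab-scale equivalent.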
Using a Sony DCR-DVD505 Handycam as an example, we were interested in the CMOS image sensor in the camera. We removed the camera module from the unit and took it apart, recording the details as we went, and ended up with the CMOS imager die (Figure 5), which turns out to be a Sony Clearvid IMX013 chip. Then we get into the actual chip analysis. This part was a fairly leading-edge sensor, with a small pixel size of 2.85 µm x 2.85 µm, so emphasis was on a detailed examination of the pixel.
Taking the Sony DCR-DVD505 Handycam as an example, we were interested in the CMOS image sensor in the camera. We removed the camera module from the unit and took it apart, recording every detail along the way, until we finally reached the CMOS sensor die (Figure 5), which turned out to be a Sony Clearvid IMX013 chip. Then we moved on to the actual chip analysis. This part is a fairly advanced sensor with a small pixel size of 2.85 µm x 2.85 µm, so the emphasis was on a detailed examination of the pixel.
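Figures 6 to 9 show some of the features seen in the pixel area. When performing process analysis, plan-view imaging gives limited process information, so the primary source of data is cross-sectional analysis, usually using SEM, TEM, and scanning capacitance microscopy (SCM). For details of the chemical composition, the most commonly used technique is energy dispersive x-ray analysis, although occasionally we use other methods such as secondary ion mass spectrometry or Auger analysis. A few words of explanation here with respect to Figures 8 and 9.
Figures 6 to 9 show some of the features seen in the pixel area. When performing process analysis, plan-view imaging gives limited process information, so the main source of data is cross-sectional analysis, usually using SEM, TEM and scanning capacitance microscopy (SCM). For details of the chemical composition, the most commonly used technique is energy dispersive x-ray analysis, although occasionally we use other methods such as secondary ion mass spectrometry or Auger analysis. A few explanations follow regarding Figures 8 and 9.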
A TEM looks through the sample to give high resolution images of the device structure, and SCM is a way of seeing the positive and negative doping that makes up the actual working transistors, resistors, etc., in the silicon chip.
Looking at Figure 6, we see a plan-view image of part of the pixel array, showing the transfer transistor (T1), and the T2 reset transistor and T3 source follower transistors, comprising the 3 transistor pixel circuit.
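The short black line in the centre of the image represents a metal 1 strap joining the floating diffusion (FD), between T1 and T2, to the gate of T3. Figure 7 shows a cross section of the pixel structure, illustrating the organic and nitride lenses, the colour filters, three layers of copper metallization in the array, and the T3 transistors on the substrate.
A TEM looks through the sample to give high-resolution images of the device structure, and SCM is a way of observing the positive and negative doping that makes up the actual working transistors, resistors and so on in the silicon chip. In Figure 6 we see a plan-view image of part of the pixel array, showing the transfer transistor (T1), the T2 reset transistor and the T3 source follower transistor that make up the 3 transistor pixel circuit. The short black line in the centre of the image is a metal 1 strap joining the floating diffusion (FD), between T1 and T2, to the gate of T3. Figure 7 shows a cross section of the pixel structure, marking the organic and nitride lenses, the colour filters, the three layers of copper metallization in the array, and the T3 transistors on the substrate.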
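There is also a fourth aluminium metal layer, not shown in this section, used for bond pads and as a light shield (the white bars in the die photograph in Figure 4). The 28° angle of acceptance is also shown. Figure 8 is a TEM image of the transfer transistor gate, and it is clear that the nitride layer used for the sidewall spacer has only been partially etched off the top of the gate; the residual nitride on the photocathode (left) side has been used as an antireflective (AR) layer in the photocathode area.
There is also a fourth aluminium metal layer, not shown in this section, used for bond pads and as a light shield (the white bars in the die photograph in Figure 4). The 28° angle of acceptance is also shown. Figure 8 is a TEM image of the transfer transistor gate, and it is clear that the nitride layer used for the sidewall spacer has only been partially etched off the top of the gate; the residual nitride on the photocathode (left) side has been used as an antireflective (AR) layer in the photocathode area.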
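The doping structure of the pixels is illustrated in the SCM image in Figure 9. Chemical staining has been used for decades to highlight the doped areas in silicon, but even after many years of experiment, it is still more of an art than a science. The development of the SCM allows us to distinguish features such as the P-pinning layer above the photocathode, and the floating diffusion, more clearly. The deeper blue areas are the P-type isolation regions in the N-substrate.
The SCM image in Figure 9 shows the doping structure of the pixels. Chemical staining has been used for decades to highlight the doped areas in silicon, but even after many years of experiment it is still an art rather than a science. The development of SCM lets us distinguish features such as the P-pinning layer above the photocathode and the floating diffusion more clearly. The deeper blue areas are the P-type isolation regions in the N-substrate.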
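There are two parallel trends in semiconductor processing. There is the well publicized Moore's law shrinkage of dimensions, moving to the 45 nm node and below, with the introduction of high-k/metal gate transistors, and there is a drive to more process integration as RF/mixed signal and embedded memory processes are merged into CMOS logic processes. As can be imagined, examining features deep into the nanometer scale (gate oxides are now 1.2 nm - 1.5 nm thick) stretches analytical capabilities to the limits. They can be imaged with high-resolution electron microscopy, but obtaining details of the chemical composition of the structure is now in the realm of counting atoms [5,6]. Similarly to the other forms of RE, our final documents can take several forms, from reports specifically focused on a feature described in a patent claim, to comprehensive reports detailing the full structural and process analysis of a high-end chip. It all depends on what the customer wants!
There are two parallel trends in semiconductor processing. There is the widely publicised Moore's law shrinkage of dimensions, moving to the 45 nm node and below with the introduction of high-k/metal gate transistors, and a drive to more integration as RF/mixed-signal and embedded memory processes are merged into CMOS logic processes. As can be imagined, examining features deep in the nanometre scale (gate oxides are now 1.2 nm - 1.5 nm thick) stretches analytical capabilities to the limit. They can be imaged with high-resolution electron microscopy, but obtaining details of the chemical composition of the structure is now in the realm of counting atoms [5,6]. As with the other forms of RE, our documents can take several forms, from reports focused specifically on a feature described in a patent claim to comprehensive reports detailing the full structural and process analysis of a high-end chip. It all depends on what the customer needs!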
4 Circuit Extraction
Circuit extraction of semiconductor chips becomes increasingly more difficult with each new generation. In the "good old days" of 10 to 20 years ago, a circuit analyst's life was much simpler. A typical IC of those days may have had one layer of metal, and used 1 µm - 2 µm technology. After package removal, all features could usually be seen from the top level metal planar view.
The newer the generation of semiconductor chip, the harder circuit extraction becomes. In the "good old days" of 10 to 20 years ago, a circuit analyst's life was much simpler. A typical IC of those days might have had one or two layers of metal and used 1 µm or 2 µm technology. After package removal, all features could usually be identified from the top-level metal plan view.
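The die could then be put under optical imaging equipment in order to take multiple high-magnification images. The photographs were developed and taped together in an array to recreate an image of the chip. Engineers then used the "crawl-around-on-the-floor" technique (Figure 10), where they annotated the wires and transistors. This was followed by drawing out the schematic first on paper, then in a schematic editor.
The die was placed under optical imaging equipment and high-magnification images were taken. The photographs were stuck together one by one to recreate an image of the chip. Engineers then used the "crawling on the floor" technique (Figure 10), where they annotated the wires and devices, then drew the schematic on paper, and then entered it into a computer.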
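Life has changed since those days. The complexity of devices has followed Moore's law, and we are now extracting circuits from 45 nm chips. Moreover, these devices now have up to 12 layers of metal, and use an esoteric combination of materials to create both the conductors and dielectrics [2,3]. They may have hundreds of millions of logic gates, plus huge analog, RF, memory, and other macrocell areas. MEMS, inductors, and other devices are also being integrated on-chip.
Driven by Moore's law, the complexity of chip integration is such that we are now extracting circuits from 45 nm chips. Moreover, the interconnect of these chips now has up to 12 layers of metal, and uses an esoteric combination of materials to create the conductors and dielectrics [2,3]. They may have hundreds of millions of logic gates, plus large analog circuits, RF, memory, and other macrocells of various functions, and MEMS, inductors and other devices are also being integrated on chip. As these facts emerged one by one, the good old days finally changed.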
The circuit extraction proceeds as follows:
1 Package removal (known in the industry as device "depot"), taking off the package to get the die
2 Delayering
3 Imaging
4 Annotation (labelling each wire and device with a number and name)
5 Schematic read-back and organization
6 Analysis
1 Device Depot
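Depot may well be the only step of the process that still follows the traditional methods. Typically, packages are etched in a corrosive acid solution (Figure 11). A variety of acids at various temperatures are used depending on the composition and size of the particular package. These solutions dissolve away the packaging material, but do not damage the die. Hermetic and ceramic packages require different techniques that usually involve mechanical or thermal treatment to remove lids, or dice from substrates, or even polish away a ceramic substrate.
Depot is the only step of the process that still follows the traditional methods. Typically, packages are etched in a corrosive acid solution (Figure 11). Various acids at various temperatures are used, depending on the composition and size of the particular package. These solutions dissolve away the packaging material without damaging the die. Hermetic and ceramic packages require different techniques, usually involving mechanical or thermal treatment to remove lids, to cut dice from substrates, or even to polish away a ceramic substrate.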
2 Device Delayering
Modern semiconductor devices range from 1.0 µm single metal bipolar chips, through 0.35 µm BiCMOS diffused MOS (BCDMOS) chips, to 45 nm 12 metal microprocessors, and everything in between. Both aluminum and copper can be used for metal on the same chip. Depending on the process generation, the polysilicon gates and source/drains can use different silicides. A variety of low-k dielectrics are now interspersed with fluorosilicate glass (FSG), phosphosilicate glass (PSG), and SiO2. Layer thicknesses vary greatly. For instance, on a 7 metal 65 nm Texas Instruments (TI) [4] baseband processor chip we recently analyzed (Figure 12), we found:
- Interconnect layers included Cu, Al, TiN, and TaN
- Metal thicknesses ranged from 0.15 to 1.4 µm
- Dielectrics included silicon nitride, oxynitride, oxide, SiOC, SiONC, and PSG
- Dielectric thicknesses varied from ~0.3 µm to 2.6 µm (with individual layers of particular materials as thin as 47 nm), and gate oxide was 2.2 nm thick.
Modern semiconductor devices range from 1.0 µm single-metal bipolar chips, through 0.35 µm BiCMOS/BCDMOS chips, to 45 nm 12-metal microprocessors, and everything in between. Both aluminum and copper can be used for metal on the same chip. Depending on the process generation, the polysilicon gates and source/drains can use different silicides. A variety of low-k dielectrics are now interspersed with fluorosilicate glass (FSG), phosphosilicate glass (PSG) and SiO2. Layer thicknesses vary greatly. For example, on a 7-metal 65 nm Texas Instruments (TI) [4] baseband processor chip we recently analysed (Figure 12), we found:
- Interconnect layers included Cu, Al, TiN and TaN
- Metal thicknesses ranged from 0.15 to 1.4 µm
- Dielectrics included silicon nitride, oxynitride, oxide, SiOC, SiONC and PSG
- Dielectric thicknesses varied from ~0.3 µm to 2.6 µm (with individual layers of particular materials as thin as 47 nm), and the gate oxide was 2.2 nm thick.
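A delayering lab needs to create a single sample of the device at each metal layer, and at the polysilicon transistor gate level. As such, it needs to accurately strip off each layer, one at a time, while keeping the surface planar. This requires detailed recipes for removal of each layer. These recipes include a combination of methods such as plasma (dry) etching, wet etching, and polishing. As the complexity and variation of chips increases, so too does the number of recipes. A modern chip-delayering lab would now have over a hundred such recipes, specific to different processes and materials.
A delayering lab needs to produce a single sample of the device at each metal layer and at the poly layer. It therefore needs to strip off each layer accurately, one at a time, while keeping the surface flat. This requires a detailed recipe for removing each layer. These recipes combine methods such as plasma (dry) etching, wet etching and polishing. As the complexity and variety of chips increase, so does the number of delayering recipes. A modern chip lab will now have over a hundred such recipes, specific to different processes and materials.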
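For unknown or unusual chips, it is advisable to start with a cross section (Figure 12). The cross section can be analyzed using scanning electron microscopes (SEM), transmission electron microscopes (TEM), and other techniques to determine the composition and thickness of all the layers. A delayering technician uses this information to choose the best delayering recipe for a chip. The recipe also varies depending on the type of imaging to be performed. Optical imaging looks best if the transparent dielectric is left on over the layer to be imaged. SEM, due to its operating methodology of electron reflection from a non-planar surface, requires the dielectric to be removed.
For unknown or unusual chips, it is advisable to start with process analysis of a cross section (Figure 12). The cross section can be analysed using scanning electron microscopes (SEM), transmission electron microscopes (TEM) and other techniques to determine the composition and thickness of all the layers. The delayering technician uses this information to choose the best delayering recipe for the chip. The recipe also varies with the type of imaging to be performed. Optical imaging looks best if the transparent dielectric is left on over the layer to be imaged. SEM, because of the way it operates by electron reflection from a non-planar surface, requires the dielectric to be removed.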
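3 Imaging
Advanced RE labs currently use two types of imaging, optical and SEM. Up to and including the 0.25 µm generation of semiconductor chips, optical imaging was sufficient. However, for 0.18 µm technologies and smaller, optical imaging cannot resolve the smallest features, and SEM must be used (Figure 13). The size of ICs, and the large magnifications required for the advanced feature sizes, now means that manually shooting images is no longer practical. Imaging systems now must have automated steppers integrated with the microscope. Our two-dimensional steppers allow us to set up a shoot in the evening, and come back in the morning to find the entire layer imaged.
Advanced RE labs currently use two types of imaging, optical and SEM. Up to and including the 0.25 µm generation of semiconductor chips, optical imaging was sufficient. For 0.18 µm technologies and smaller, however, optical imaging cannot resolve the smallest features, and SEM must be used (Figure 13). The size of ICs, and the high magnification these feature sizes require, now mean that shooting images manually is no longer practical. Imaging systems must now have automated steppers integrated with the microscope. Our two-dimensional steppers let us set up a shoot in the evening and come back in the morning to the whole layer imaged.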
Next we use specially developed software to stitch the thousands of images per layer together, with minimal spatial error. Then more software is required to synchronize the multiple layers so that there is no misalignment between layers. Contacts and vias must be lined up with the layers above and below in order for extraction to proceed.
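Next we use specially developed software to stitch the thousands of images per layer together automatically, with minimal spatial error. More software is then needed to align the multiple layers so that there is no offset between layers. Contacts and vias must line up with the layers above and below for circuit extraction to proceed.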
4 Annotation
Once all images are stitched and aligned, the actual work of reading back the circuit begins. Full circuit extraction requires taking note of all transistors, capacitors, diodes, and other components, all interconnect layers, and all contacts and vias. This can be done manually or using automation.
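Only once all the images are stitched and aligned does the actual work of reading back the circuit begin. Full circuit extraction requires taking note of all transistors, capacitors, diodes and other components, all interconnect layers, and all contacts and vias. This can be done manually or with automation.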
There are multiple tools available to help with this process, including Chipworks' ICWorks Extractor. This tool is used to view all the imaged layers of a chip individually and aligned to each other. In one mode it allows several layers of a chip to be visible in multiple windows simultaneously (Figure 14).
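Several tools are available to help with this process, including Chipworks' ICWorks Extractor. This tool is used to view all the imaged layers of a chip individually and aligned to each other. In one mode it lets several layers of a chip be visible in multiple windows at the same time (Figure 14).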
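Each window shows the same two-dimensional area in each layer. A lock-step cursor allows the engineer to see exactly what lies above or below the feature he is looking at in one layer. An extraction engineer can then use the tool to annotate and number all wires and devices in his area of interest (Figure 15). 2D and 3D image recognition and processing software can be used (Figure 16), or the engineer may do it manually. Image recognition software can also be used to recognize standard cells in digital logic. This can greatly aid the extraction of large blocks of digital cells.
Each window shows the same two-dimensional area in each layer. A lock-step cursor lets the engineer see exactly what lies above or below the feature being observed in one layer. The extraction engineer can then use the tool to annotate and number all the wires and devices in the area of interest (Figure 15). 2D and 3D image recognition and processing software can be used (Figure 16), or the engineer can do it manually. Image recognition software can also be used to recognise standard cells in digital logic, which greatly helps the extraction of large blocks of digital cells.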
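5 Verification and Schematic Creation
The annotation process can be error prone. Often the images are not perfect, manual techniques are used, bits of dust fall on the chip during imaging, or the image recognition software introduces an error. Hence, verification is performed at this stage. Design rule checks can find many issues, such as below minimum sized features or spaces, hanging wires, vias without wires, etc. At this stage the ICWorks tool can automatically extract a netlist from the annotations, and from this netlist create a flat schematic (see Fig. 17). The schematic, netlist, and annotations are all associated with each other, such that one cannot be changed without changing all three. The netlist and schematic can now be checked for other simple rule violations. Floating gates, shorted outputs, nets with no inputs or outputs, and shorted supplies can be checked.
The annotation process can be error prone. Often the images are not perfect, manual techniques are used, dust falls on the chip during imaging, or the image recognition software introduces an error. Verification therefore has to be performed at this stage. Design rule checks can find many problems, such as features or spaces below minimum size, hanging wires, vias without wires, and so on. At this stage the ICWorks tool can automatically extract a netlist (the circuit in text form) from the annotations and produce a complete schematic (see Figure 17). The netlist, schematic and annotations are all associated with each other, and none of them can be changed on its own. The netlist and schematic can be checked for other simple rule violations: floating gates, shorted outputs, nets with no inputs or outputs, and shorted supplies.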
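The four netlist rule checks named above (floating gates, shorted outputs, nets with no inputs or outputs, shorted supplies) can be sketched as follows. This is an added example, not code from the paper or from the ICWorks tool; the netlist text format, the cell library and all net and instance names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical cell library: output pins per cell type; any other pin is an input.
CELL_OUTPUTS = {"INV": {"Y"}, "NAND2": {"Y"}, "DFF": {"Q"}}

# Constructed sample netlist with one deliberate violation of each rule.
SAMPLE = """\
PORT in  n1
PORT in  n2
PORT out n6
SUPPLY VDD n10
SUPPLY GND n11
SUPPLY GND n10            # annotation error: GND label on the VDD net
CELL U1 INV   A=n1 Y=n3
CELL U2 INV   A=n2 Y=n3   # second driver on n3
CELL U3 NAND2 A=n3 B=n4 Y=n5   # n4 has no driver
CELL U4 DFF   D=n5 CK=n1 Q=n6
CELL U5 INV   A=n6 Y=n7   # n7 goes nowhere
"""


def parse(text):
    """Return {net: {"drivers": [...], "loads": [...], "supplies": set()}}."""
    nets = defaultdict(lambda: {"drivers": [], "loads": [], "supplies": set()})
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *f = line.split()
        if kind == "PORT" and len(f) == 2 and f[0] in ("in", "out"):
            # A chip input drives its net; a chip output is a load on its net.
            side = "drivers" if f[0] == "in" else "loads"
            nets[f[1]][side].append(f"port:{f[0]}")
        elif kind == "SUPPLY" and len(f) == 2:
            nets[f[1]]["supplies"].add(f[0])
        elif kind == "CELL" and len(f) >= 3 and f[1] in CELL_OUTPUTS:
            inst, ctype = f[0], f[1]
            for pin in f[2:]:
                name, sep, net = pin.partition("=")
                if not sep or not net:
                    raise ValueError(f"line {lineno}: bad pin {pin!r}")
                side = "drivers" if name in CELL_OUTPUTS[ctype] else "loads"
                nets[net][side].append(f"{inst}.{name}")
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return nets


def check(nets):
    """Return a sorted list of (rule, net, detail) violations."""
    found = []
    for net, n in nets.items():
        if len(n["supplies"]) > 1:
            found.append(("shorted_supplies", net, ",".join(sorted(n["supplies"]))))
        if len(n["drivers"]) > 1 or (n["drivers"] and n["supplies"]):
            found.append(("shorted_outputs", net, ",".join(n["drivers"])))
        if n["loads"] and not n["drivers"] and not n["supplies"]:
            found.append(("floating_input", net, ",".join(n["loads"])))
        if n["drivers"] and not n["loads"]:
            found.append(("no_load", net, ",".join(n["drivers"])))
    return sorted(found)


if __name__ == "__main__":
    for rule, net, detail in check(parse(SAMPLE)):
        print(f"{rule:17s} {net:4s} {detail}")
```

Each reported net points back to a place in the annotation to re-inspect, for example a missed via or a dust particle read as a wire.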
6 Schematic Analysis and Organization
This is one of the steps requiring the most thought, since the schematic organization on a page, or in hierarchy, goes a long way to making a design coherent. Devices placed poorly on a schematic, or a strange hierarchy, can make the design very difficult to understand. Hence, this step usually requires very experienced analysts.
This is one of the steps that needs the most thought, because how the schematic is organised on a page or in a hierarchy goes a long way towards making the design coherent. Devices placed at random on a schematic, or an arbitrary hierarchy, make a design very hard to understand. This step therefore usually requires very experienced analysts.
The analysis phase can be very iterative, and use many sources of information. Often public information is available for devices. This can take the form of marketing information, datasheets, technical papers, or patents. These can often help with the schematic organization, for instance if block diagrams are available. They can also help in the understanding of architectures and sometimes circuit designs.
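The analysis phase requires repeated iteration and draws on many sources of information, such as public information on the devices. This can take the form of marketing information, datasheets, technical papers or patents. These can often help with organising the schematic, for instance when block diagrams are available. They can also help in understanding architectures and circuit designs.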
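Analysis can also be done using typical chip design techniques. A circuit can be hand analyzed using transistor and logic theory. Layout structures are often recognizable, for instance differential pairs, bipolar devices for bandgap references, etc. In fact, the ICWorks tool can find these structures automatically. Hierarchy can also sometimes be seen in the layout. If not, it can be created using a bottom-up schematic organization approach. Functional and timing analysis can be further validated using simulation.
Analysis can also be done using typical chip design techniques. A circuit can be analysed by hand using transistor and logic theory. Layout structures are often recognisable, for instance differential pairs, bipolar devices for bandgap references, and so on. In fact, the ICWorks tool can find these structures automatically. Hierarchy can sometimes be seen in the layout. If not, it can be built using a bottom-up, hierarchical schematic organisation approach. Functional and timing analysis can be further validated using simulation.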
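Multiple methods are usually used for verification. The final product of circuit reverse engineering can take many forms. A complete set of hierarchical schematics can be delivered. This set of schematics can be used to also create a hierarchical netlist. Simulated waveforms, block diagrams, timing diagrams, analysis discussion, and circuit equations can be used to round out the report. Since RE companies analyze so many ICs, they can also create comparative and trend reports. For instance, Chipworks has analyzed many CMOS image sensors over the years. As the technology and circuit designs evolve, they are monitored. The evolution can be shown from both a process point of view and a circuit point of view.
In reverse engineering, several methods are usually used for verification. The final product can take many forms: a complete set of hierarchical schematics can be delivered, and this set of schematics can also be used to create a hierarchical netlist (the circuit in text form). Simulated waveforms, block diagrams, timing diagrams, analysis discussion and circuit equations can be used to round out the report. Because RE companies analyse so many ICs, they can also produce comparative and trend reports. For example, Chipworks has analysed many CMOS image sensors over the years, monitoring them as the technology and circuit designs develop. The evolution can be shown from both a process point of view and a circuit point of view.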
A Case Study
Used together, the above techniques can be very powerful.
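To illustrate that point, let's review a project we just finished; analyzing a digital ASIC with embedded analog and memory blocks, and including embedded encryption hardware. The goal of the project was to fully understand the ASIC, build a model of the ASIC, and get simulations up and running.
Used together, the techniques above can be very powerful.
To illustrate this, let us review a project we have just completed: analysing a digital ASIC with embedded analog and memory blocks, including embedded encryption hardware. The goal of the project was to fully understand the ASIC, build a model of it, and get simulations running.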
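The first step was to run system level functional tests while the chip was still in its system. Logic probes were connected, the system was powered up, and vectors were collected which could be used later for simulations. Next, the chip was depotted, delayered, imaged, stitched, and aligned. We found the chip contained 12,000 gates of digital logic and an embedded EEPROM. The entire chip was annotated, and the ICWorks tool created a netlist and flat schematic from this annotation.
The first step was to run system level functional tests while the chip remained in its system. Logic probes were connected, the system was powered up, and vectors were collected that could be used later for simulation. Next, the chip was depotted, delayered, imaged, stitched and aligned. We found that the chip contained 12,000 gates of digital logic and an embedded EEPROM. The entire chip was annotated, and the ICWorks tool created a netlist and schematic from this annotation.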
A portion of the digital logic annotation is shown in Figure 18. Annotation and schematic rule checks were used to verify a quality schematic starting point.
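In fact, for this project we annotated the entire chip twice, then compared the results to minimize annotation errors. The schematics were then partially organized. The memory schematic was completely organized, and the main registers of the digital block were grouped. A few of the major busses were labeled and the I/Os were connected to the major blocks.
Figure 18 shows a portion of the digital logic annotation. Annotation and schematic rule checks were used to verify a good-quality schematic as the starting point.
In fact, for this project we annotated the entire chip twice and then compared the results to minimise annotation errors. The schematics were then partially organised. The memory schematic was completely organised, and the main registers of the digital block were grouped. A few of the major buses were labelled, and the I/Os were connected to the major blocks.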
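In order to run a full chip simulation on the netlist, we would need to extract all the contents of the chip, including both the hardware and memory contents. Different memory types have different challenges in reading them. Embedded SRAMs are the simplest. These memories are volatile, no data is stored in them during power down, so they do not need to be extracted. ROMs can be extracted using traditional RE techniques of physically reading back the mask programming. Figure 19 shows a metal 1 mask programmed ROM. Unfortunately EEPROMs are more difficult than either of these.
To run a full chip simulation on the netlist, we needed to extract all the contents of the chip, both the hardware and the memory contents. Different memory types pose different challenges in reading them. Embedded SRAMs are the simplest: their contents are volatile and no data is stored in them during power down, so they do not need to be extracted. ROMs can be extracted using the traditional RE technique of physically reading back the mask programming. Figure 19 shows a metal 1 mask programmed ROM. Unfortunately, EEPROMs are harder than either of these.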
We knew up front that this chip included on-chip encryption, and that the keys were stored in the EEPROM. Hence, we anticipated a challenge in being able to access this memory. As expected, the memory was well protected, and much of this memory could not be directly read on-chip. Additionally, the interface to this chip was encrypted, so we had no idea how to generate a memory read command anyhow. The solution to this was to use the test hardware embedded in the chip.
This particular chip had both scan path test circuitry for the digital logic, and memory BIST for the EEPROM. Once we had organized the test and memory circuits, we set to work analyzing them. The scan test control circuit is shown in Figure 20. We found a method where we could almost read out the memory locations using a combination of the digital and memory test circuitry. A single application of microsurgery looked as though it would unlock the bits.
We took a single chip, used jet-etching to remove a portion of the package, then used focused ion beam (FIB) techniques to modify a connection on the chip (Figure 21). Next we used our analysis to create scan path vectors, with the appropriate control signals, and successfully read out the encryption keys and other memory contents via the test port. At this point, we created a memory model to use with our netlist. The vectors collected from the actual system were run on the netlist, and we verified that our chip model gave the same outputs as the actual chip tested. Hence, we confirmed our netlist and memory contents were correct.
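For designers, the lesson of this readout is that any flip-flop on a scan chain is observable from the test port once test mode is reachable. The following added example (not from the paper, and not a model of the analysed chip) is a toy scan chain shown next to a hardened variant that clears its flops on every mode change. That mode-reset countermeasure is a common design-for-test hardening that the paper does not discuss; the class, function names and the 8-bit sample value are constructed for illustration.

```python
class ScanChain:
    """Toy scan chain: flops hold functional state and can be shifted out in test mode."""

    def __init__(self, width, clear_on_mode_change=False):
        self.ffs = [0] * width
        self.test_mode = False
        self.clear_on_mode_change = clear_on_mode_change

    def capture(self, bits):
        """Functional-mode load, e.g. a key copied from non-volatile memory into a register."""
        if self.test_mode:
            raise RuntimeError("functional capture is blocked in test mode")
        if len(bits) != len(self.ffs):
            raise ValueError("width mismatch")
        self.ffs = list(bits)

    def set_test_mode(self, enabled):
        # Hardened variant: any functional<->test transition wipes the flops,
        # so state captured in one mode never survives into the other.
        if enabled != self.test_mode and self.clear_on_mode_change:
            self.ffs = [0] * len(self.ffs)
        self.test_mode = enabled

    def shift(self, scan_in=0):
        """One scan clock: the last flop drives scan-out, everything moves one place."""
        if not self.test_mode:
            raise RuntimeError("scan shift only works in test mode")
        scan_out = self.ffs[-1]
        self.ffs = [scan_in] + self.ffs[:-1]
        return scan_out


def visible_on_test_port(chain, secret_bits):
    """Return what a tester sees after the register was loaded in functional mode."""
    chain.capture(secret_bits)
    chain.set_test_mode(True)
    shifted = [chain.shift() for _ in secret_bits]
    chain.set_test_mode(False)
    return shifted[::-1]  # undo the last-flop-first shift order


# Constructed 8-bit stand-in for a key register (a DES key register would be 56 bits).
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    print("plain scan chain :", visible_on_test_port(ScanChain(8), SECRET))
    print("mode-reset chain :", visible_on_test_port(ScanChain(8, True), SECRET))
```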
The encryption algorithm also needs to be understood to be able to complete the analysis of this chip. This was accomplished via schematic organization and simulation. As we organized the chip, we found some interesting structures, such as a 56-bit register. Therefore, we ran our simulations, and monitored the busses in the area of this register. Sure enough, keys were read from our memory model, loaded into this embedded block, and a standard DES algorithm was observed. Now we understood the encryption, had the keys, and had full chip simulations running. Since we had a full netlist, we were able to run full chip simulations and monitor any internal nodes required. This allowed us to complete the analysis of this chip and understand all the commands it could execute.
Summary
In this paper we have reviewed the different types of reverse engineering pertinent to the semiconductor industry. For reverse engineers, life will not get any easier in the electronics business. In semiconductors, the next challenge will be the 32 nm node devices already being ramped up in development fabs. The consumer electronics business keeps bouncing from new toy to yet another new toy, and it is necessary to be aware of all the new products that keep appearing. As is shown in this paper, the RE business has to keep evolving to keep up with the changes in electronics and design, and it has become a discipline in itself, created by the needs of the global market for competitive intelligence and IP support.
Acknowledgements
We would like to thank Chipworks' laboratory staff and engineers who actually do all the hard work of analyzing these complex devices. Without them, we would have no material for this paper!