IC reverse engineering—a design team perspective
It has been quite a bit of fun writing these IC Insider columns over the last year. Concurrently, one of us, Randy Torrance, has been invited to speak at three IEEE chapters on the "the state of the art in reverse engineering." Given the interest, we thought that we would depart from the usual device-centric article and tell you a bit about how circuit reverse engineering is done.
One of the most basic business requirements is the need to know what the competition is doing. This starts with tracking news releases, financial filings, and win/loss reports from the sales team. But on a product level, the engineering teams often need more detail to help make design and manufacturing decisions that can reduce engineering effort and deliver market-winning specifications. This analysis inevitably starts with a basic teardown of electronics devices like mobile phones or computers. For a semiconductor company, the process very commonly includes decapsulating a die from its package and looking at it under the microscope to do basic benchmarking of die size and functional block layout. It is this latter type of analysis that typically is called RE (reverse engineering).
In the semiconductor industry, RE has long been a recognized and well used part of competitive intelligence. It's commonly leveraged to both benchmark products and support patent licensing activities (by evidence that proves infringement or prior art). Advances in semiconductor technology, specifically the massive integration of billions of individual devices and masses of functions into single components, have caused RE to evolve from skunk-works projects in the failure-analysis lab into a specialized niche of the engineering profession.
RE in the semiconductor industry
The question most often asked about reverse engineering is, "Is it legal?" The short answer is, Yes! In the case of semiconductors, the Semiconductor Chip Protection Act protects RE in the United States and allows RE "for the purpose of teaching, analyzing, or evaluating the concepts or techniques embodied in the mask work or circuitry." Similar legislation exists in Japan, the European Union, and other jurisdictions.
Reverse engineering of semiconductor-based products can broadly take several forms:
Product teardowns identify the product, package, internal boards, and components of "downstream" consumer products.
System-level analysis analyzes operations, functions, timing, signal paths, and interconnections.
Process analysis examines the structure and materials to see how a device is manufactured and what it is made of.
Circuit extraction involves delayering to the transistor level, then extracting interconnections and components to create schematics and netlists.
As the following case studies show, RE can have significant immediate and lasting impacts:
An image-sensor firm saved a multimillion-dollar business line. The maker of high-performance CCD imaging components for camera phones had invested in an expensive, but proven, technology. Its competitors were using lower-cost CMOS image sensors, posing a threat to its entire business line and hundreds of millions of dollars. Chipworks identified how two leading CMOS image-sensor manufacturers were setting new performance and cost standards, used reverse engineering to detail the CMOS sensors' design and function, and created a circuit-analysis report, schematic design, and process reports describing the device assembly. As a result, the client derisked the design effort for less than 3% of the R&D budget, saving eight times the investment in Chipworks in R&D costs alone, and it cut 24 months and $500,000 off the design, saving a multimillion-dollar business and retaining market leadership.
A computing firm built a strong case against a global electronics company worth licensing revenue over $100 million. The firm, which had unsuccessfully pursued negotiations with a large electronics company, turned to Chipworks to secure substantially stronger evidence to build its case. Chipworks extracted data from a read-protected portion of a commercial decoder, including chip delayering, imaging, and circuit extraction to find key nodes; conducted microsurgery of many samples to read the target data; decompiled the target data as software; and performed RE of the software driver interfacing with the commercial decoder to document evidence of infringement. Chipworks developed three claim charts to support potential licensing revenue over $100 million and found evidence of infringement in areas not initially identified, strengthening its case even further.
Circuit extraction of semiconductor chips has become increasingly difficult with each new generation. The complexity of devices has followed Moore's Law; now circuits are extracted from 32-nm chips. Moreover, these devices have up to 12 layers of metal and use an esoteric combination of materials to create both the conductors and dielectrics. They may have hundreds of millions of logic gates, plus huge analog, RF, memory, and other macrocell areas, as well as MEMS devices, inductors, and other devices integrated on-chip. Circuit extraction flow proceeds as follows:
Package removal or device depot
Schematic read-back and organization
Device depot may well be the only step of the process that still follows traditional methods. Typically, packages are etched off using one of a variety of corrosive acid solutions at temperatures determined by the composition and size of the particular package. Hermetic and ceramic packages require different techniques that usually involve mechanical or thermal treatment to remove lids, to remove dice from substrates, or even to polish away a ceramic substrate.
As for device delayering, modern semiconductor devices include 1.0-µm single-metal bipolar chips, 0.35-µm BCDMOS (BiCMOS diffused MOS) chips, 45-nm 12-metal microprocessors, and everything in between and beyond. Both aluminum and copper can be used for metal on the same chip. Depending on the process generation, the polysilicon gates and source/drains can use different silicides; a variety of low-k dielectrics are now interspersed with FSG (fluorosilicate glass), PSG (phosphosilicate glass), and SiO2. Layer thicknesses vary greatly.
Because of this complexity, a delayering lab must create a single sample of the device at each metal layer, and at the polysilicon transistor gate level, accurately strip off each layer, one at a time, while keeping the surface planar. This process requires detailed recipes for removal of each layer that include a combination of methods such as plasma (dry) etching, wet etching, and polishing. A modern chip-delayering lab has well over a hundred such recipes, specific to different processes and materials. For unknown or unusual chips, it is advisable to start with a cross section that can be analyzed using SEMs (scanning electron microscopes), TEMs (transmission electron microscopes), and other techniques to determine the composition and thickness of all the layers.
Advanced RE labs currently use two types of imaging, optical and SEM (Figure 1). Up to and including the 0.25-µm generation of semiconductor chips, optical imaging was sufficient. However, for 0.18-µm technologies and smaller, optical imaging cannot resolve the smallest features, and SEM is required. The size of ICs, and the large magnifications required for the advanced feature sizes, makes manually shooting tens of thousands of images impractical. Imaging systems must have automated steppers integrated with the microscope. Two-dimensional steppers allow a shoot to be set up in the evening so that in the morning the entire layer is imaged. Specially developed software stitches the thousands of images per layer together, with minimal spatial error, while synchronizing the multiple layers so that there is no misalignment; contacts and vias must be lined up with the layers above and below in order for extraction to proceed.
Annotation proceeds once all images are stitched and aligned; then, the actual work of reading back the circuit begins. Full circuit extraction requires taking note of all transistors, capacitors, diodes, and other components; all interconnect layers; and all contacts and vias, manually or using automation. At Chipworks we use a custom-developed application we call ICWorks Extractor to perform this function (Figure 2). This tool lets engineers see all the imaged layers of a chip individually and aligned with each other. In one mode it allows several layers of a chip to be visible in multiple windows simultaneously. Each window shows the same two-dimensional area in each layer. A lock-step cursor allows the engineer to see exactly what lies above or below the feature he is looking at in a particular layer.
Using ICWorks Extractor, an extraction engineer can annotate and number all wires and devices in his area of interest, manually or using 2-D and 3-D image-recognition and -processing software. Without some automation the task would take too long and be too costly. For example, image-recognition software recognizes standard cells in digital logic, greatly aiding the extraction of large blocks of digital cells.
The next step is verification and schematic creation. Because the annotation process is so complex, it can be error prone. Since RE is a "catastrophic" procedure as it relates to tiny devices, the images cannot always be perfect. A tiny bit of introduced dust can introduce an error where automation is concerned. Verification is done through a series of design rule checks that find issues such as below-minimum-sized features or spaces, hanging wires, or vias without wires. The ICWorks tool automatically extracts a netlist from the annotations, and from this netlist creates a flat schematic. The schematic, netlist, and annotations are all associated with each other, so one alone cannot be changed. The netlist and schematic can be checked for other simple rule violations, including floating gates, shorted outputs, nets with no inputs or outputs, and shorted supplies.
Schematic organization on a page, or in hierarchy, is essential to making a design coherent. The analysis phase is very iterative and uses many sources of information, including public information such as marketing materials, data sheets, technical papers, or patents. These often help with the schematic organization (for instance, if block diagrams are available) and in understanding architectures and circuit designs.
Analysis can be completed using typical chip-design techniques. A circuit can be hand-analyzed using transistor and logic theory. Layout structures, such as differential pairs or bipolar devices for bandgap references, are often recognizable, and in fact, the ICWorks tool finds these structures automatically. If hierarchy cannot be identified in the layout, it can be created using a bottom-up schematic-organization approach. Simulation further validates functional and timing analysis. Verification typically includes multiple methods.
The analysis is received by engineers in an EDA-like tool called ICWorks Arranger (for flat schematics) or in ICWorks Browser (for hierarchical schematics). By using ICWorks Arranger, a design team is able to reduce the out-of-pocket cost and time to information by getting the images and annotations quickly. The team can then navigate the floorplan to identify the most important innovations first and, using the software, organize only as much as is needed to understand the design. By using ICWorks Browser, the engineer receives a fully organized schematic and can begin to learn and apply the analysis to his forward design immediately. In either case, a netlist is readily accessible for simulations in their own technology platform.
Used together, the above techniques can be very powerful. To illustrate that point, Chipworks reviewed a recently completed project: analyzing a digital ASIC with embedded analog and memory blocks, including embedded encryption hardware. The goal of the project was to fully understand the ASIC, build a model of the ASIC, and get simulations up and running.
For reverse engineers, life will not get any easier in the electronics business. In semiconductors, the next challenge will be the 32-nm-node devices already in development, while today's more mass-market challenges include a continuing trend to mixed-signal SOCs and embedded memory technologies. Clearly, RE is a discipline in itself, created by the needs of the global market for competitive intelligence and IP support.