(complete course – 10 modules)
Full Course
The full course includes the following modules:
I. DIGITAL ELECTRONICS FOR REVERSE-ENGINEERING
– Integrated Circuit
– Digital Electronics
– Memories
II. FAILURE ANALYSIS FOR REVERSE-ENGINEERING PURPOSE
– Manufacturing process
– Reverse-engineering standard cells
– Failure analysis
– Deprocessing / Delayering
– Imagery
– Circuit modification
III. INVASIVE ATTACKS
Modules
I. Digital Electronics for Reverse-Engineering
– I.1. INTEGRATED CIRCUITS
– I.2. DIGITAL ELECTRONICS
– I.3. MEMORIES
In this section, travel inside the hardware: from the PCB down to the transistors, through the IC's digital core and memories.
II. Failure Analysis for Reverse-Engineering Purpose
– II.1. MANUFACTURING PROCESS
– II.2. REVERSE-ENGINEERING STANDARD CELLS
– II.3. FAILURE ANALYSIS
– II.4. DEPROCESSING / DELAYERING
– II.5. IMAGERY
– II.6. CIRCUIT MODIFICATION
In this module, you will dive deep into the process of reverse engineering an IC: preparing the samples in a lab with different methods, imaging the internal structure of an IC with optical and SEM microscopes, recovering the digital logic by reverse engineering the cells, and modifying a circuit for extraction purposes.
III. Invasive Attacks
First, learn to identify structures on an IC (memories, logic, etc.), then discover how to read ROM memories, whether scrambled and/or encrypted, and strengthen your knowledge with a full case study.
Course Details
I.1. Integrated Circuits
This module provides a structured learning path through the fundamentals of integrated circuits. The key topics covered include:
Integrated Circuits and Packaging
– Role of ICs in systems
– Packaging types
– Chip-level analysis
Physical Chip Access
– Access techniques to IC die
– Smart card approaches
– Package styles
– Safety precautions
IC Architecture
– Core components (core, peripherals, memory)
– Layered structure (interconnect, active)
Transistor Fundamentals
– NMOS/PMOS structure and switching
– Technology nodes
Logic Gate Construction
– Transistor combinations for logic gates
– Resistive load vs. CMOS designs
Layout to Schematic
– Interpreting IC layouts
– Deciphering circuit schematics
Transistor-Level Exploitation
– Hardware-based attack techniques
– Side-channel and fault injection
I.2. Digital Electronics
This module explores the core concepts of digital electronics, progressing from fundamental logic gates to sequential circuits and potential hardware vulnerabilities. The following chapter outlines provide a concise overview of the key topics covered:
Combinatorial Logic Fundamentals
– Introduction to logic gates and their operation
– Truth tables: construction and use in reverse engineering
– Inverter, NAND, NOR gates
– Layout representation
Combinatorial Logic Analysis
– Deriving truth tables from transistor circuits
– Boolean algebra and equations
– Analyzing circuits with multiple transistors
– Simplifying logic expressions
Advanced Combinatorial Logic
– Efficient equation derivation techniques
– Pull-up/pull-down networks
– Series/parallel to AND/OR translation
– Propagation delay
Sequential Logic and Latches
– Need for memory in digital circuits
– Inverter ring and transmission gate
– Latch operation and timing
Flip-Flops and Registers
– Flip-flop implementation and edge-triggered operation
– Registers
– Register-combinatorial logic architecture
Timing and Clock Glitching
– Critical path
– Clock glitching fault injection
I.3. Memories
This module focuses on memory architectures and analysis within integrated circuits. It covers address decoding, memory types, and techniques for both analyzing and securing memory structures.
Memory Architecture
– Memory block diagram (storage array, decoders)
– Row and column decoder functions
Row Decoder
– Row decoder operation and layout
– Address decoding and word line selection
– Scrambling detection
Column Decoder
– Column decoder as a multiplexer
– Implementation and scrambling
Memory Types
– RAM (SRAM, DRAM) and non-volatile memory (ROM, Flash)
RAM Details
– DRAM and SRAM operation
– SRAM analysis techniques
ROM Details
– ROM architecture and reading
– NAND ROM
Flash Memory
– Flash cell structure and operation
– Charge pump
Flash Analysis
– AFM and SEM for flash memory analysis
Charge Pump and Security
– Charge pump function
– Fault injection
II.1. Manufacturing Process
This module provides a structured overview of integrated circuit (IC) manufacturing and layout analysis.
The key topics covered include:
Manufacturing Processes
– IC fabrication overview
– Photolithography and etching
– Planarization
Metallization
– Aluminum vs. copper interconnects
– Impact on etching/delayering
– Tungsten vias
Standard Cell Layout
– Standard cell libraries
– Layout to schematic overview
– Stick diagrams
Stick Diagram Analysis
– Transistor identification
– Inverter and NAND gate examples
– Logic function derivation
Standard Cell Optimization
– Layout optimization (power, speed, area)
– Layout variations
– Cell placement and orientation
Cell Identification from Images
– PCS and M1 layer interpretation
– Power rails and cell boundaries
Stick Diagram Exercise
– Schematic to stick diagram construction
– Rail, diffusion, and gate representation
Summary
– Review and preparation for image-based reverse engineering
II.2. Reverse Engineering Standard Cells
This module covers standard cell reverse engineering, from signal identification to function derivation and layout variations.
The module’s content will focus on:
Standard Cell Introduction
– Reverse engineering overview
– Key cell analysis questions
– nMOS/pMOS identification
Signal Classification
– Input/output/internal node annotation
– Signal definitions
– Examples
Cell Equation
– Boolean equation derivation
– Schematic tracing
– AND/OR/inversion logic
Layout Optimization
– Optimization goals
– Layout variations
– Cell placement
Reverse Engineering Applications
– Examples and applications
– Netlist/bus/JTAG/crypto analysis
– Custom logic
II.3. Failure Analysis
This module covers failure analysis techniques applied to IC reverse engineering, including defect analysis, equipment, and workflow.
The main subjects explored are:
Failure Analysis
– Definition and purpose
– Defect types/scale
– FA vs. RE focus
FA Techniques
– Equipment overview
– Deprocessing
– Optical beam techniques
– Microscopy
RE Adaptations
– Large-area imaging
– Sample preparation
– Black box analysis
RE Workflow
– Workflow stages
– Depackaging/cross-sectioning
– Imaging
– Deprocessing methods
Image Analysis
– Analysis tasks
– Applications and scale
II.4. Deprocessing / Delayering
This module details IC deprocessing techniques, covering chip removal, cross-sectioning, and layer removal methods.
This module will address the following topics:
Depackaging
– Chemical etching
– Safety protocols
– Chip rinsing
Cross-Sectioning
– Mechanical polishing
– Layer visualization
– Material identification
– Tilt/theta adjustment
Deprocessing Methods
– Chemical etching (HF, TMAH, aqua regia)
– Dry chemical etching (RIE)
– Mechanical polishing
– Combined techniques
– Side effects
Advanced Polishing
– Assisted polishing systems
– Automated tilt/theta control
– In-situ optical scanning
II.5. Imagery
This module compares optical and SEM microscopy for IC analysis, focusing on their strengths and weaknesses in reverse engineering.
In this module, we will examine:
Optical Microscopy
– Limitations (noise, focus, magnification)
– Applications (overview, mapping)
SEM Advantages
– High resolution
– Depth of field
SEM Distortion
– Distortion issues
– Stitching and alignment problems
SEM Image Types
– Track/via, PCS images
– Feature detail
Justification for SEM
– Image quality comparison
– Relevance to chip manufacturing
Distortion Illustration
– Visual example of distortion
– Distortion characteristics
II.6. Circuit Modification
This module details invasive circuit modification techniques used in IC analysis, covering sample preparation, FIB editing, and microprobing.
This module will address:
Circuit Modification Introduction
– Context: Reverse engineering and FIB
– Chapter focus: microprobing and circuit modification
Sample Preparation
– Original packaging advantages
– Depackaging methods
– Chip rewiring challenges
Repackaging
– Advanced repackaging scenarios
– Backside access
– Wiring complexity
Wire Bonding
– Wire bonding machine operation
– Bonding parameters and challenges
– Capillary issues
Wire Bonding Methods
– Ball bonding vs. wedge bonding
– Method comparison
FIB Technology
– FIB vs. SEM
– Ion beam etching
– Gas-assisted editing
FIB Edit Example
– Via creation process
– Metal deposition and insulation
– Probing pad creation
Microprobing
– Probing setup considerations
– Signal integrity
– Active probes
– Signal observation and forcing
RE Workflow with Modification
– Overall process: deprocessing, imaging, netlist, modification, probing
– Applications of circuit modification
III. Invasive Attacks
This module explores invasive attacks and reverse engineering techniques, focusing on ROM analysis and circuit modification.
This module will explore:
Invasive Attacks
– Invasive attack potency
– Complexity and cost
– Role in circuit analysis
Sample Preparation
– Packaging considerations
– Repackaging methods
– Wire bonding
Advanced Repackaging
– Complex scenarios
– Backside access
Wire Bonding
– Wire bonding process
– Parameters and challenges
Wire Bonding Methods
– Ball vs. wedge bonding
FIB Technology
– FIB operation
– Material removal/deposition
FIB Edit Example
– Via creation
– Metal deposition
Microprobing
– Probing setup
– Signal observation/forcing
RE Workflow
– Deprocessing and imaging
– Netlist extraction
– Circuit modification
ROM Analysis Introduction
– ROM analysis overview
– Bit encoding
ROM Analysis Techniques
– Layout analysis
– Circuit simulation
ROM Analysis Examples
– Case studies
– Scrambling/encryption
The online courses offered on this site are accessible via streaming (online viewing) for a period of one (1) year.