"Polygon capture" is the process of recovering the original layout and/or schematic based on die images. This is often done as two steps (image => layout => schematic) but for quick analysis it may be quicker to generate the schematic directly. You may run into one of the following scenarios: * Modern planerized IC * Traditional non-planerized IC * Sea of gates (SoG) * Mask ROM Modern planarized ICs have regular metal layers and repeated standard cells. This makes the metal easy to capture because it can be snapped to a grid (ie gives error recovery). The metal is also planarized, eliminating artifacts (noise) from other layers to make automated capture easier. Finally, standard cells can be recognized from a pre-tagged list. However, they may require more expensive equipment to image and more involved processes to delayer. They also may also contain a very large number of transistors, forcing automated techniques or more selective analysis. Non-planerized IC images are generally more difficult to process automatically due to lower layers showing on upper layers. They also are typically full custom designs not using standard cells. However, it may be able to reverse engineer the entire IC from a single image due to the same artifact. This technology also generally limits ICs to simple designs. Sea of gates use a pre-fabricated active layer that is often metal or contact programmed. This may be non-planarized but will be more regular than a full custom layout. The general consensus is that planarized chips can be semi-automatically reverse engineered using high contrast images (confocal and/or SEM). However, no-one in the open community has produced a tool that accelerates capturing non-planarized chips. Although metal has proven difficult, I suspect that it would be relatively easy to make a tool to capture the active area of a delayered IC. I have not seen any results for Mask ROMs are very regular and generally lend themselves well to automated techniques. 
See also [[https://siliconpr0n.org/archive/doku.php?id=digitized|captured chips]]

====== Mask ROM ======

Note: ROM specific tools are covered on a [[:rom:mask|separate page]]

====== Standard cell based ======

Tools that rely on standard cells or other regular layout

[[https://twitter.com/furrtek/status/1216091911020253184?s=20|Furrtek experiment]]

===== ARES =====

By Olivier Thomas / Texplained

{{:texplained:capture:slide.png?400|}}

  * [[https://www.youtube.com/watch?v=o77GTR8RovM|REcon 2013 video]]
  * [[http://www.texplained.com/process|Overview]]
  * [[http://hardwear.io/olivier-thomas-training-2016/|Related training]]

TODO: youtube presentation Link

===== Chipworks =====

Proprietary internal tool. Some screenshots have been released.

As of 2016, I've heard rumors that its analysis capabilities are not very good and it's mostly a glorified image viewer with some doodling capabilities. Since I've never used the tool I can't really say.

{{:chipworks:stateoftheart:img-040.png}}
{{:chipworks:stateoftheart:img-042.png}}
{{:chipworks:stateoftheart:img-047.png}}
{{:chipworks:stateoftheart:img-049.png}}
{{:chipworks:stateoftheart:img-051.png}}

Above: some pictures from [[http://www.iacr.org/archive/ches2009/57470361/57470361.pdf|http://www.iacr.org/archive/ches2009/57470361/57470361.pdf]]

===== Degate =====

[[https://github.com/DegateCommunity/Degate|{{ :degate:degate-logo.png?150 |Degate}}]]

==== The project ====

[[https://github.com/DegateCommunity/Degate|Degate]] is a multi-platform software for semi-automatic VLSI reverse engineering of digital logic in chips. It is the highest profile FOSS tool, with tutorials and other stuff available.

==== Little history ====

Degate was actively developed by Martin Schobert, during his thesis, from 2008 to 2011. For now, the project is inactive and has only received some small fixes since 2011. The project is composed of a library (libGate) and a GUI interface (Degate).

In 2016 it was said here: "''Users have noted significant stability issues.
I (JM) tried the tool again in 2016 and noted considerable stability improvements, but still had it crash on me before I was able to get any results. Still, it might not take that much work to stabilize the tool and unite the community behind it.''"

Degate definitely has great potential, mainly because it is the only free and open-source software for hardware reverse engineering of chips, but it never managed to establish itself in the community. One possible reason is that Degate was known to be unstable and to have impactful bugs in the first place.

You can visit the initial project website to learn more: [[http://degate.org/|http://degate.org/]]

==== Current status ====

In 2019, I ([[https://github.com/DorianBDev|Dorian Bachelot]]) forked the project. This new version aims to totally replace the old Degate, with a focus on Windows and Linux support, better stability and general modernization. To achieve this, the aim was to drop GTK, move to Qt, and merge the lib and the GUI parts of the project. Another objective was to minimize the number of dependencies: for now it uses only Boost and Qt, and the mid-term objective is to keep only Qt and remove Boost.

Stability was the main problem of the old Degate and the main reason why the community hadn't already united around it. Regarding that, we want to have as few bugs as possible, even if some functionality needs to be dropped (for the moment). A lot of bugs were fixed in this newer version, and it should be a better base to improve Degate even more in the future.

{{ :degate:degate-annotation.png?850 |Degate}} \\

  * [[https://github.com/DegateCommunity/Degate|Degate repository]]
  * [[https://github.com/DegateCommunity/DegateDocs|Degate documentation]]
  * [[https://github.com/DegateCommunity/DegateDemoProjects|Degate demo projects]]

====== bsim ======

[[https://bitbucket.org/spramod/bsim-tetc14/overview|bitbucket.org/spramod/bsim-tetc14/overview]]

Implements the following paper algos.
Provides aggregation and function inference scheme, but doesn't reach behavioural HDL level.

===== Flylogic =====

Known to primarily use photoshop. Focus is on tracing specific (security) circuits rather than trying to capture an entire design

===== pr0nsweeper =====

{{pr0ntools:cfcv:pr0nsweeper:overview.png?400}}

An experimental crowdsourced semi-automated polygon capture tool for chips using lambda rules (grid layout)

[[https://siliconpr0n.org/wiki/doku.php?id=pr0ntools:cfcv:pr0nsweeper|Link]]

Above: Playstation 1 CPU top metal test using confocal microscope

===== psxdev =====

{{:ogamespec:psxdev:psxcpu_cells_map_sm.jpg?400|}}

[[https://github.com/ogamespec/psxdev|Info here]]

====== Non-planarized ======

Tools that operate on irregular designs

For the most part people use Inkscape, gimp, or photoshop, with it mostly being personal preference which tool you use

===== Automated methods =====

A number of people have tried but IMHO nobody has beat manual methods yet:

  * Robert B: experimented with using neural networks to capture 7400 series chips. Promising, but last I saw needs more testing
  * John M: misc tests. Main result was that active layer should be feasible if delayered
  * Ken S: tried some things, but think didn't get far
  * Visual 6502: don't recall details except that they claimed although they could get some automated, it took more time to fix mistakes than it would to do from scratch
  * [[https://nerdstuffbycole.blogspot.com/2020/01/end-of-year-update.html|ColeJ AY-3-8500 experiments]]

===== Inkscape =====

==== John M ====

{{:mcmaster:capture:inkscape.png?400|}}

[[:tutorial:digitizing_with_inkscape|Inkscape capture tutorial]]

I prefer Inkscape because I've used it for other projects and IMHO a vector drawing program is better suited to the task

General tips:

  * Check source images for stitch artifacts before beginning capture
    * Gross stitch errors: image misalignment, excessive translation, etc
    * Rotation: make sure power buses going around entire chip stay vertical / horizontal
  * Consider focusing on a specific area of the chip (IP block)
    * Will give you a usable deliverable if you don't finish
    * Gives a better sense how everything fits together
    * Better sense of time involved
  * Consider exploring multiple tools: inkscape, gimp, photoshop
    * Especially if you are pretty good with one tool already

TODO

  * Find a tool / workflow to morph two separately stitched images into aligned layers
  * Crowd source polygon capture

==== Robert B ====

{{:robert_b:capture:inkscape.png?400|}}

[[https://www.youtube.com/watch?v=r8Vq5NV4Ens|Video showing Inkscape]]

He has a pretty cool workflow using a tablet to quickly draw out chips (above link doesn't show this I think)

===== gimp =====

IIRC some v6502 folks prefer gimp

  * Segher
  * Peter Monta

===== Visual 6502 tool =====

{{:v6502:capture:visual6502_editor.png?400|}}

{{:v6502:capture:visual6502_running.png?400|}}

Internal python tool to help draw polygons.
Not publicly released

====== Netlist extraction ======

A lot of people roll their own for this and that

===== dietools =====

https://github.com/SiliconAnalysis/dietools

"Series of tools for die shot reverse-engineering"

A few people use this one, so it's arguably the most popular

===== polychip =====

https://github.com/RobertBaruch/polychip

"Python app to extract a netlist of NMOS transistors from an Inkscape diagram."

===== magic =====

Magic VLSI, along with many other semi tools, should have something of this sort

====== References ======

  * Reverse Engineering Digital Circuits Using Functional Analysis (Pramod Subramanyan): [[http://www.academia.edu/2909575/Reverse_Engineering_Digital_Circuits_Using_Functional_Analysis|http://www.academia.edu/2909575/Reverse_Engineering_Digital_Circuits_Using_Functional_Analysis]]