[[capture]]
 
Trace: capture

This is an old revision of the document!

Table of Contents

“Polygon capture” is the process of recovering the original layout and/or schematic based on die images. This is often done as two steps (image ⇒ layout ⇒ schematic) but for quick analysis it may be quicker to generate the schematic directly.

You may run into one of the following scenarios:

Modern planarized ICs have regular metal layers and repeated standard cells. This makes the metal easy to capture because it can be snapped to a grid (ie gives error recovery). The metal is also planarized, eliminating artifacts (noise) from other layers to make automated capture easier. Finally, standard cells can be recognized from a pre-tagged list. However, they may require more expensive equipment to image and more involved processes to delayer. They also may also contain a very large number of transistors, forcing automated techniques or more selective analysis.

Non-planerized IC images are generally more difficult to process automatically due to lower layers showing on upper layers. They also are typically full custom designs not using standard cells. However, it may be able to reverse engineer the entire IC from a single image due to the same artifact. This technology also generally limits ICs to simple designs.

Sea of gates use a pre-fabricated active layer that is often metal or contact programmed. This may be non-planarized but will be more regular than a full custom layout.

The general consensus is that planarized chips can be semi-automatically reverse engineered using high contrast images (confocal and/or SEM). However, no-one in the open community has produced a tool that accelerates capturing non-planarized chips. Although metal has proven difficult, I suspect that it would be relatively easy to make a tool to capture the active area of a delayered IC. I have not seen any results for

Mask ROMs are very regular and generally lend themselves well to automated techniques.

See also captured chips

Mask ROM

Note: ROM specific tools are covered on a separate page

Standard cell based

Tools that rely on standard cells or other regular layout

ARES

By Olivier Thomas / Texplained

REcon 2013 video

Overview

Related training

TODO: youtube presentation Link

Chipworks

Proprietary internal tool. Some screenshots have been released

As of 2016, I've heard rumors that its analysis capabilities are not very good and its mostly a glorified image viewer with some doodling capabilities. Since I've never used the tool I can't really say

Above: some pictures from http://www.iacr.org/archive/ches2009/57470361/57470361.pdf

Degate

Source

http://degate.org/

The highest profile FOSS tool. Tutorials and other stuff available.

Users have noted significant stability issues. I (JM) tried tool again in 2016 and noted considerable stability improvements, but still had it crash on me before I was able to get any results. Still, it might not take that much work to stabilize the tool and unite the community behind it.

Flylogic

Known to primarily use photoshop. Focus is on tracing specific (security) circuits rather than trying to capture an entire design

pr0nsweeper

An experimental semi-automated polygon capture tool for chips using lambda rules (grid layout)

psxdev

Info here

Non-planerized

Tools that operate on irregular designs

For the most part people use Inkscape, gimp, or photoshop with it mostly being personal preference which tool you use

Inkscape

John M

Inkscape capture tutorial

I prefer Inkscape because I've used it for other projects and IMHO a vector drawing program is better suited to the task

General tips:

  • Check source images for stitch artifacts before beginning capture
    • Gross stitch errors: image misalignment, excessive translation, etc
    • Rotation: make sure power buses going around entire chip stay vertical / horizontal
  • Consider focusing on a specific area of the chip (IP block)
    • Will give you a usable deliverable if you don't finish
    • Gives a better sense how everything fits together
    • Better sense of time involved
  • Consider exploring multiple tools: inkscape, gimp, photoshop
    • Especially if you are pretty good with one tool already

TODO

  • Find a tool / workflow to morph two separately stitched images into aligned layers
  • Crowd source polygon capture

Robert B

Video showing Inkscape

He has a pretty cool workflow using a tablet to quickly draw out chips (above link doesn't show this I think)

gimp

IIRC some v6502 folks prefer gimp

Segher

Peter Monta

Automated methods

A number of people have tried but IMHO nobody has beat manual methods yet:

  • Robert B: experimented with using neural networks to capture 7400 series chips. Promising, but last I saw needs more testing
  • John M: misc tests. Main result was that active layer should be feasible if delayered
  • Ken S: tried some things, but think didn't get far
  • Visual 6502: don't recall details except that they claimed although they could get some automated, it took more time to fix mistakes than it would to do from scratch

Visual 6502

Internal python tool to help draw polygons. Not publicly released

They also explored automation

TODO: I had a screencap of this. Where did it go?

 
capture.1504761537.txt.gz · Last modified: 2017/09/07 05:18 by mcmaster
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki