kanzure | azonenberg: would you be willing to decap the nintendo 3ds chip? | 16:44 |
---|---|---|
azonenberg | kanzure: i'd have to talk to my friend john, he does most of my wet work these days | 16:47 |
azonenberg | we have a backlog of chips but i might be able to push a few through ahead | 16:47 |
kanzure | azonenberg: would you need any resources to help with that? | 16:48 |
azonenberg | do you know the process tech / layer count? | 16:48 |
kanzure | i assume you would want me to mail you the actual device | 16:48 |
azonenberg | what kind of package is it? | 16:48 |
kanzure | nope i have no clue | 16:48 |
azonenberg | and how old is it | 16:48 |
azonenberg | something easy like a CERDIP or are we talking a modern bga? | 16:49 |
azonenberg | not that it makes a big difference, just curious | 16:49 |
Sanky | hello | 16:49 |
kanzure | Sanky: 08:49 < azonenberg> something easy like a CERDIP or are we talking a modern bga? | 16:49 |
Sanky | er okay those are questions I probably won't be able to answer | 16:50 |
azonenberg | in either case i'm about to head up to campus for a class but we can talk later today | 16:50 |
azonenberg | we haven't yet met a chip we can't open | 16:50 |
Sanky | I haven't actually read much about what the 3ds looks like | 16:50 |
kanzure | can you at least read the words on the die packaging? | 16:50 |
Sync | http://1.bp.blogspot.com/-ugbzA5sa7hg/TZHbSHutlyI/AAAAAAAAASw/D0fP1P_IFP0/s1600/Nintendo_3DS_PCB-Top.jpg | 16:50 |
azonenberg | the only question is how hard it is to get open in one piece | 16:50 |
Sanky | there's been a guy who hacked it to record video, but not much else | 16:50 |
azonenberg | So we're interested in which chip, the applications processor? | 16:50 |
Sanky | probably | 16:51 |
azonenberg | looks like a wire-bonded bga at quick glance | 16:51 |
azonenberg | what do you want to know about it? | 16:51 |
kanzure | he wants to do ssl interception and needs to replace the cert, so i suggested emulation | 16:51 |
kanzure | so the goal would be to know enough to write an emulator | 16:51 |
azonenberg | Judging by the look of it, that's gonna be tricky | 16:51 |
Sync | yeah | 16:52 |
Sanky | like that is my goal, this is the entire ds homebrew community's dream | 16:52 |
azonenberg | released 2011, dual core arm11 | 16:52 |
kanzure | oh it's arm? arm is fairly standard. | 16:52 |
Sanky | I just had a quick glance at the networking to see if I could crack something through it (even if improbable) | 16:52 |
azonenberg | according to wiki, yes | 16:52 |
Sanky | yeah nintendo's done arm since the gba | 16:52 |
Sanky | http://www.3dscapture.com/ this is really the most somebody has done with it | 16:53 |
kanzure | if it's arm i'm not sure why an emulator doesn't already exist? | 16:53 |
Sanky | but it has nothing to do with the chip | 16:53 |
azonenberg | http://www.3dsbuzz.com/3ds-forum/threads/nintendo-3ds-cpu-processor-wth.1473/ | 16:53 |
Sanky | there are no roms either | 16:53 |
kanzure | i don't see what decapping would help with in this case | 16:54 |
Sanky | signed with a key we don't have | 16:54 |
kanzure | i mean, the instruction set is probably known | 16:54 |
kanzure | and with no roms there's no way to test whether or not the emulation actually works | 16:54 |
azonenberg | anyway, judging by those specs you're probably looking at 65nm or smaller | 16:54 |
azonenberg | Which is not a trivial project | 16:54 |
Sanky | shrug, I'm not actually involved in the project I linked | 16:54 |
azonenberg | for starters that means SEM time | 16:55 |
kanzure | yes i imagine an SEM would be involved | 16:55 |
azonenberg | and while i know how to use them, and have access to several, they're not exactly cheap | 16:55 |
Sync | I guess there are cheaper attack vectors | 16:55 |
azonenberg | the low-end one, which probably doesn't have sufficient resolution for 65nm stuff, is $45/hr for academic users | 16:55 |
kanzure | i might have someone with access to a SEM but does it need to be on-site of the decapping? | 16:55 |
azonenberg | the nice Zeiss in the cleanroom is $188.50/hr | 16:56 |
azonenberg | and is the one you'd likely need to get this kind of resolution | 16:56 |
azonenberg | The depackaging is trivial | 16:56 |
kanzure | ok cool that's pretty cheap | 16:56 |
kanzure | so what, 10 hours? | 16:56 |
azonenberg | Would be hard to say | 16:56 |
azonenberg | the other thing is you'd need to delayer | 16:56 |
azonenberg | and analysis of the images would take a long time | 16:56 |
kanzure | i assume analysis would be "upload the images to the interwebs, write some software, hope someone else is interested enough to figure this out too" | 16:57 |
azonenberg | 'the images' is a LOT of data | 16:57 |
kanzure | a few terabytes? | 16:57 |
azonenberg | also consider the time it takes to do each exposure | 16:57 |
azonenberg | 2048x1536 frame at slow scan is likely to be close to a minute per image | 16:57 |
azonenberg | maybe more | 16:57 |
azonenberg | let's say you want your smallest features to be 10 pixels so 65nm =10px comes out to 6.5nm/pix or about a 13 micron field of view, cut that down to about 10 microns of unique image per field since you need some overlap | 16:58 |
azonenberg | so 10x5 just to be simple for estimates | 16:58 |
azonenberg | that's 50 square microns of unique content per image, one minute per image | 16:59 |
azonenberg | typical OMAP is about 60mm^2 | 16:59 |
azonenberg | 60 million square microns for the whole die | 16:59 |
azonenberg | that's around a million images | 17:00 |
Sync | that is not viable | 17:00 |
azonenberg | and that's for one layer of the chip | 17:00 |
azonenberg | it'd come out to around 2.9TB of data per layer | 17:01 |
azonenberg | about two months of SEM time if you use an optimistic ~6 second per frame exposure time, it's likely to be a lot more | 17:01 |
azonenberg | so yes, full chip imaging is nontrivial | 17:01 |
azonenberg | Normally you're interested in a tiny fraction, say security bits | 17:01 |
Sync | and then someone would have to reverseengineer it | 17:01 |
azonenberg | so you can get a firmware dump | 17:02 |
azonenberg | or you want to study the process technology in use | 17:02 |
azonenberg | or look at the SRAM cell design | 17:02 |
azonenberg | cloning an entire chip to netlist is nontrivial | 17:02 |
Sync | yeah huge fun | 17:02 |
azonenberg | now, the numbers i gave are probably off by a bit compared to what a nice professional shop like chipworks could do | 17:03 |
Sync | especially with newer chips that are designed with security in mind | 17:03 |
azonenberg | they do get full-chip images at transistor resolution | 17:03 |
azonenberg | my guess is they have modified SEMs that can do automatic step-and-repeat with continuous scan | 17:03 |
azonenberg | kind of like e-beam litho in reverse | 17:03 |
azonenberg | with one of those you could probably cover a full die at 1:1 resolution in the same time it'd take to e-beam a mask | 17:03 |
azonenberg | so maybe a day or so per layer | 17:04 |
azonenberg | Then you have to polish down and repeat | 17:04 |
azonenberg | luckily the top layers are bigger feature sizes so you can do those faster | 17:04 |
azonenberg | But then you have to register all of the images and analyze them which is nontrivial | 17:04 |
azonenberg | to give you an idea of scale, me and my friend are working on two chips now to practice - the RSA SecurID and a 24C EEPROM made by ST | 17:05 |
Sync | azonenberg: yes they have such SEMs | 17:05 |
kanzure | i would probably spin up some ec2 servers to do the image analysis and dumping to netlist | 17:05 |
azonenberg | both are maybe 10mm^2 and giant ~1 micron process technology | 17:05 |
Sync | if you have multiple chips you just polish to all layers you need and pop them into the revolver | 17:05 |
azonenberg | we have full chip images at full resolution of each | 17:06 |
azonenberg | (optically) | 17:06 |
azonenberg | optical imaging of a chip of that size takes us most of a day per layer | 17:06 |
azonenberg | using automated step-and-repeat | 17:07 |
azonenberg | and once you have the resulting gigapixel-sized image you need to crunch it, we're still working on automated tools for that | 17:07 |
azonenberg | degate isn't reliable enough in our experience | 17:07 |
Sync | degate worked pretty good for me | 17:08 |
kanzure | oh i didn't expect something like that to exist | 17:08 |
azonenberg | it's segfaulted a lot for me | 17:08 |
Sync | but I only tried it on some sample images I found | 17:09 |
azonenberg | when working on real data from the SecurID | 17:09 |
kanzure | http://www.degate.org/ is not loading for me | 17:09 |
azonenberg | also, we need to work on registration | 17:09 |
Sync | yeah it does crash sometimes | 17:09 |
azonenberg | i had a 100% reproducible segfault as soon as i tried adding inter-layer connections | 17:09 |
azonenberg | which made it useless | 17:09 |
azonenberg | i was trying to trace out M2 and M1 of the securid cpu | 17:09 |
azonenberg | in one small corner | 17:10 |
azonenberg | we had all of the cells IDed but couldn't connect them | 17:10 |
kanzure | ah https://github.com/nitram2342/degate | 17:10 |
azonenberg | i forget what version i've used, not sure if it's any more robust now | 17:10 |
Sync | ha my pu tubing arrived | 17:11 |
azonenberg | plutonium? do i want to know? | 17:11 |
azonenberg | this is not #homenukes | 17:12 |
Sync | polyurethane :P | 17:12 |
azonenberg | ...oh | 17:12 |
azonenberg | :p | 17:12 |
Action | azonenberg is a tiny bit less scared now :P | 17:12 |
Sync | where the fuck would one get _tubes_ out of plutonium | 17:12 |
azonenberg | i have no idea, i thought you meant like round bar stock or something | 17:13 |
azonenberg | or reactor fuel pellets | 17:13 |
Sync | they'd complement my neutron counter nicely | 17:15 |
soul-d | I'm celebrating with some fresh old coffee that my fpga vga code works :) | 17:16 |
azonenberg | soul-d: lucky you | 17:16 |
azonenberg | i'm staring down a deadlock :p | 17:16 |
azonenberg | it's sort of a race condition i guess, two clock domains are each running state machines and using handshake-based synchronizers to exchange data | 17:17 |
azonenberg | if one tries to transmit and the other wants to receive, and the two operations overlap | 17:17 |
azonenberg | they get stuck each waiting for the other to ACK | 17:17 |
azonenberg | i need to split them into two state machines so i can do full duplex | 17:17 |
azonenberg | (two per clock domain) | 17:17 |
soul-d | yeah was some nasty things like clock being actually a bus so it warned just somewhere about pin not having exact location | 17:18 |
azonenberg | o_O | 17:18 |
soul-d | but since it's a dev kit with loaded pin assignments I'm used to 400 warnings :P | 17:18 |
azonenberg | in other news i have CMake working nicely with the Xilinx toolchain | 17:18 |
soul-d | and ignoring them | 17:18 |
azonenberg | so i can compile firmware, PC-side software, RTL simulations, and FPGA bitstreams with one "make" command :D | 17:19 |
Sync | pneumatic quick connects ftw :) | 17:20 |
soul-d | I'm using altera since i own 3 dev kits now and had ordered some chips too | 17:20 |
azonenberg | yeah, i have one xilinx dev board plus several that i made myself with xilinx chips | 17:20 |
azonenberg | in any case i should probably get going since it's almost 12:30 and i want to grab lunch before my 14:00 class | 17:20 |
azonenberg | (and i'm not even on campus yet) | 17:20 |
soul-d | k, have a nice one :) | 17:21 |
azonenberg | So i just found some obsolete masks someone here had made at laserlab | 22:25 |
azonenberg | going to pop them under the microscope and look at mask quality | 22:25 |
soul-d | fried my brain trying to think about how to do char rom / display memory | 22:29 |
soul-d | i made it synthesize something now let's see what ;) a line :P ah well still displays something from some mem so can't complain much | 23:27 |
azonenberg | lol | 23:30 |
--- Fri Dec 7 2012 | 00:00 |
Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!