#homecmos IRC log for Thursday, 2012-12-06

16:44 <kanzure> azonenberg: would you be willing to decap the nintendo 3ds chip?
16:47 <azonenberg> kanzure: i'd have to talk to my friend john, he does most of my wet work these days
16:47 <azonenberg> we have a backlog of chips but i might be able to push a few through ahead
16:48 <kanzure> azonenberg: would you need any resources to help with that?
16:48 <azonenberg> do you know the process tech / layer count?
16:48 <kanzure> i assume you would want me to mail you the actual device
16:48 <azonenberg> what kind of package is it?
16:48 <kanzure> nope i have no clue
16:48 <azonenberg> and how old is it
16:49 <azonenberg> something easy like a CERDIP or are we talking a modern bga?
16:49 <azonenberg> not that it makes a big difference, just curious
16:49 <Sanky> hello
16:49 <kanzure> Sanky: 08:49 < azonenberg> something easy like a CERDIP or are we talking a modern bga?
16:50 <Sanky> er okay those are questions I probably won't be able to answer
16:50 <azonenberg> in either case i'm about to head up to campus for a class but we can talk later today
16:50 <azonenberg> we haven't yet met a chip we can't open
16:50 <Sanky> I haven't actually read much about what the 3ds looks like
16:50 <kanzure> can you at least read the words on the die packaging?
16:50 <Sync> http://1.bp.blogspot.com/-ugbzA5sa7hg/TZHbSHutlyI/AAAAAAAAASw/D0fP1P_IFP0/s1600/Nintendo_3DS_PCB-Top.jpg
16:50 <azonenberg> the only question is how hard it is to get open in one piece
16:50 <Sanky> there's been a guy who hacked it to record video, but not much else
16:50 <azonenberg> So we're interested in which chip, the applications processor?
16:51 <Sanky> probably
16:51 <azonenberg> looks like a wire-bonded bga at quick glance
16:51 <azonenberg> what do you want to know about it?
16:51 <kanzure> he wants to do ssl interception and needs to replace the cert, so i suggested emulation
16:51 <kanzure> so the goal would be to know enough to write an emulator
16:51 <azonenberg> Judging by the look of it, that's gonna be tricky
16:52 <Sync> yeah
16:52 <Sanky> like that is my goal, this is the entire ds homebrew community's dream
16:52 <azonenberg> released 2011, dual core arm11
16:52 <kanzure> oh it's arm? arm is fairly standard.
16:52 <Sanky> I just had a quick glance at the networking to see if I could crack something through it (even if improbable)
16:52 <azonenberg> according to wiki, yes
16:52 <Sanky> yeah nintendo's done arm since the gba
16:53 <Sanky> http://www.3dscapture.com/ this is really the most somebody has done with it
16:53 <kanzure> if it's arm i'm not sure why an emulator doesn't already exist?
16:53 <Sanky> but it has nothing to do with the chip
16:53 <azonenberg> http://www.3dsbuzz.com/3ds-forum/threads/nintendo-3ds-cpu-processor-wth.1473/
16:53 <Sanky> there are no roms either
16:54 <kanzure> i don't see what decapping would help with in this case
16:54 <Sanky> signed with a key we don't have
16:54 <kanzure> i mean, the instruction set is probably known
16:54 <kanzure> and with no roms there's no way to test whether or not the emulation actually works
16:54 <azonenberg> anyway, judging by those specs you're probably looking at 65nm or smaller
16:54 <azonenberg> Which is not a trivial project
16:54 <Sanky> shrug, I'm not actually involved in the project I linked
16:55 <azonenberg> for starters that means SEM time
16:55 <kanzure> yes i imagine an SEM would be involved
16:55 <azonenberg> and while i know how to use them, and have access to several, they're not exactly cheap
16:55 <Sync> I guess there are cheaper attack vectors
16:55 <azonenberg> the low-end one, which probably doesn't have sufficient resolution for 65nm stuff, is $45/hr for academic users
16:55 <kanzure> i might have someone with access to a SEM but does it need to be on-site of the decapping?
16:56 <azonenberg> the nice Zeiss in the cleanroom is $188.50/hr
16:56 <azonenberg> and is the one you'd likely need to get this kind of resolution
16:56 <azonenberg> The depackaging is trivial
16:56 <kanzure> ok cool that's pretty cheap
16:56 <kanzure> so what, 10 hours?
16:56 <azonenberg> Would be hard to say
16:56 <azonenberg> the other thing is you'd need to delayer
16:56 <azonenberg> and analysis of the images would take a long time
16:57 <kanzure> i assume analysis would be "upload the images to the interwebs, write some software, hope someone else is interested enough to figure this out too"
16:57 <azonenberg> 'the images' is a LOT of data
16:57 <kanzure> a few terabytes?
16:57 <azonenberg> also consider the time it takes to do each exposure
16:57 <azonenberg> 2048x1536 frame at slow scan is likely to be close to a minute per image
16:57 <azonenberg> maybe more
16:58 <azonenberg> let's say you want your smallest features to be 10 pixels so 65nm = 10px comes out to 6.5nm/pix or about a 13 micron field of view, cut that down to about 10 microns of unique image per field since you need some overlap
16:58 <azonenberg> so 10x5 just to be simple for estimates
16:59 <azonenberg> that's 50 square microns of unique content per image, one minute per image
16:59 <azonenberg> typical OMAP is about 60mm^2
16:59 <azonenberg> 60 million square microns for the whole die
17:00 <azonenberg> that's around a million images
17:00 <Sync> that is not viable
17:00 <azonenberg> and that's for one layer of the chip
17:01 <azonenberg> it'd come out to around 2.9TB of data per layer
17:01 <azonenberg> about two months of SEM time if you use an optimistic ~6 second per frame exposure time, it's likely to be a lot more
17:01 <azonenberg> so yes, full chip imaging is nontrivial
17:01 <azonenberg> Normally you're interested in a tiny fraction, say security bits
17:01 <Sync> and then someone would have to reverse engineer it
17:02 <azonenberg> so you can get a firmware dump
17:02 <azonenberg> or you want to study the process technology in use
17:02 <azonenberg> or look at the SRAM cell design
17:02 <azonenberg> cloning an entire chip to netlist is nontrivial
17:02 <Sync> yeah huge fun
17:03 <azonenberg> now, the numbers i gave are probably off by a bit compared to what a nice professional shop like chipworks could do
17:03 <Sync> especially with newer chips that are designed with security in mind
17:03 <azonenberg> they do get full-chip images at transistor resolution
17:03 <azonenberg> my guess is they have modified SEMs that can do automatic step-and-repeat with continuous scan
17:03 <azonenberg> kind of like e-beam litho in reverse
17:03 <azonenberg> with one of those you could probably cover a full die at 1:1 resolution in the same time it'd take to e-beam a mask
17:04 <azonenberg> so maybe a day or so per layer
17:04 <azonenberg> Then you have to polish down and repeat
17:04 <azonenberg> luckily the top layers are bigger feature sizes so you can do those faster
17:04 <azonenberg> But then you have to register all of the images and analyze them which is nontrivial
17:05 <azonenberg> to give you an idea of scale, me and my friend are working on two chips now to practice - the RSA SecurID and a 24C EEPROM made by ST
17:05 <Sync> azonenberg: yes they have such SEMs
17:05 <kanzure> i would probably spin up some ec2 servers to do the image analysis and dumping to netlist
17:05 <azonenberg> both are maybe 10mm^2 and giant ~1 micron process technology
17:05 <Sync> if you have multiple chips you just polish to all layers you need and pop them into the revolver
17:06 <azonenberg> we have full chip images at full resolution of each
17:06 <azonenberg> (optically)
17:06 <azonenberg> optical imaging of a chip of that size takes us most of a day per layer
17:07 <azonenberg> using automated step-and-repeat
17:07 <azonenberg> and once you have the resulting gigapixel-sized image you need to crunch it, we're still working on automated tools for that
17:07 <azonenberg> degate isn't reliable enough in our experience
17:08 <Sync> degate worked pretty good for me
17:08 <kanzure> oh i didn't expect something like that to exist
17:08 <azonenberg> it's segfaulted a lot for me
17:09 <Sync> but I only tried it on some sample images I found
17:09 <azonenberg> when working on real data from the SecurID
17:09 <kanzure> http://www.degate.org/ is not loading for me
17:09 <azonenberg> also, we need to work on registration
17:09 <Sync> yeah it does crash sometimes
17:09 <azonenberg> i had a 100% reproducible segfault as soon as i tried adding inter-layer connections
17:09 <azonenberg> which made it useless
17:09 <azonenberg> i was trying to trace out M2 and M1 of the securid cpu
17:10 <azonenberg> in one small corner
17:10 <azonenberg> we had all of the cells IDed but couldn't connect them
17:10 <kanzure> ah https://github.com/nitram2342/degate
17:10 <azonenberg> i forget what version i've used, not sure if it's any more robust now
17:11 <Sync> ha my pu tubing arrived
17:11 <azonenberg> plutonium? do i want to know?
17:12 <azonenberg> this is not #homenukes
17:12 <Sync> polyurethane :P
17:12 <azonenberg> ...oh
17:12 <azonenberg> :p
17:12 * azonenberg is a tiny bit less scared now :P
17:12 <Sync> where the fuck would one get _tubes_ out of plutonium
17:13 <azonenberg> i have no idea, i thought you meant like round bar stock or something
17:13 <azonenberg> or reactor fuel pellets
17:15 <Sync> they'd complement my neutron counter nicely
17:16 <soul-d> im celebrating with some fresh old coffee that my fpga vga code works :)
17:16 <azonenberg> soul-d: lucky you
17:16 <azonenberg> i'm staring down a deadlock :p
17:17 <azonenberg> it's sort of a race condition i guess, two clock domains are each running state machines and using handshake-based synchronizers to exchange data
17:17 <azonenberg> if one tries to transmit and the other wants to receive, and the two operations overlap
17:17 <azonenberg> they get stuck each waiting for the other to ACK
17:17 <azonenberg> i need to split them into two state machines so i can do full duplex
17:17 <azonenberg> (two per clock domain)
17:18 <soul-d> yeah was some nasty things like clock being actually a bus so it warned just somewhere about pin not having exact location
17:18 <azonenberg> o_O
17:18 <soul-d> but since it's a dev kit with loaded pin assignments im used to 400 warnings :P
17:18 <azonenberg> in other news i have CMake working nicely with the Xilinx toolchain
17:18 <soul-d> and ignoring them
17:19 <azonenberg> so i can compile firmware, PC-side software, RTL simulations, and FPGA bitstreams with one "make" command :D
17:20 <Sync> pneumatic quick connects ftw :)
17:20 <soul-d> im using altera since i own 3 dev kits now and had ordered some chips too
17:20 <azonenberg> yeah, i have one xilinx dev board plus several that i made myself with xilinx chips
17:20 <azonenberg> in any case i should probably get going since it's almost 12:30 and i want to grab lunch before my 14:00 class
17:20 <azonenberg> (and i'm not even on campus yet)
17:21 <soul-d> k, have a nice one :)
22:25 <azonenberg> So i just found some obsolete masks someone here had made at laserlab
22:25 <azonenberg> going to pop them under the microscope and look at mask quality
22:29 <soul-d> fried my brain trying to think about how to do char rom / display memory
23:27 <soul-d> i made it synthesize something now lets see what ;) a line :P ah well still displays something from some mem so can't complain much
23:30 <azonenberg> lol
--- Fri Dec 7 2012 00:00
