security.cs.rpi.edu/courses/hwre-spring2014/Lecture9... · 2014-03-18
CSCI 4974 / 6974 Hardware Reverse Engineering
Lecture 9: Memory addressing / mask ROM
Quiz
Microscopy lecture
● Last ~10 slides from lecture 8 were skipped
● Cover them today
Generic memory components
● Address bus
● Row addressing logic
● Column addressing logic
● Data bus
● Memory array
2D memory addressing
● Logical structure of memory is 1D
● 8 x 1M bit array is physically impractical!
– Use 2D structure instead
– Need col muxing
● Mapping of 2D to linear addresses may vary
PIC12F683 SRAM
● 128 bytes
– 32 rows
– 4 cols of 8 bits
Row decode logic
● Input: N-bit row address bus
● Output: 2^N word lines
● WL[0] = ... & !A3 & !A2 & !A1 & !A0
● WL[1] = ... & !A3 & !A2 & !A1 & A0
Example row decode logic
● PIC12F683 SRAM
● Data bus on M1 at right
● AND gates at center
● WL buffers at left
● Local interconnect on M1
● Word lines on poly
Column address logic
● For writable memories
– Float BL except during writes
– During writes, drive BL for appropriate column
● For all memories, during reads
– Precharge before reads if necessary
– All columns have data on them
– Mux the one of interest to the data bus
Example column address logic
Why mask ROM?
● Lowest cost per bit of any memory tech
– Single-transistor cells
– No additional masks required (unlike flash etc)
● Highest density of any memory
● Immune to magnetic fields etc
● Can't be corrupted or tampered by software
– But wait for lecture 14 ;)
Disadvantages
● Can't (practically) be patched after manufacture
– Requires massively costly mask respin
– Need fully debugged code beforehand!
Mask ROM vs OTP
● Mask ROM
– Physically hard-wired
– Dedicated mask for each ROM image
● OTP (one-time-programmable) ROM (PROM)
– Programmed (once) after manufacture
– Same mask for all ROM images
– Less dense, requires write circuitry
– Covered in the next lecture
The hacker's viewpoint
● Target has data in mask ROM
● How do we read it?
● Full ROM circuit analysis usually not required
– We just want the data
– Figure out enough to know what goes where
NOR mask ROM
● Pull all BL weakly to Vdd, assert one WL
● Switch to Vss may be at each WL/BL junction
– WL off? Do nothing
– WL on? Pull BL low
NOR mask ROM
NAND mask ROM
● Pull all BL weakly to Vdd
● Assert all but one WL
● Switches in series from BL to ground
● If no switch, output goes low
● If (open) switch, output stays high
● Denser than NOR, but slower
NAND mask ROM
Mask ROM technologies
● Via based
● Metal based
● Implant based
Via ROM
● Usually NOR type
● Transistor is always present
– FEOL processing can be done for all chips
– Then separate wafers for each product
● Remove M1-active via(s) to disable transistor
– Single mask change
● Then standard M1 + interconnect routing on top
Via ROM layout
Via ROM (Roland LA32)
Via ROM (Roland LA32)
Via ROM (unknown source)
Metal ROM
● Usually NAND type
● Transistor is always present
● Short out transistors with M1
Metal ROM layout
Metal ROM example
● TODO: Example die photo if we can find one
Active area ROM
● Usually NOR type
● Can be read optically after deprocessing
● Cut or don't cut channel for transistor
Active area ROM layout
Implant ROM
● Can be NAND or NOR
● Cannot be read optically
– But can be revealed with SCM or Dash etch
● To short out transistor (for NAND ROMs)
– use weak implant to shift Vt = 0
● To open transistor (for NOR ROMs)
– use weak implant to shift Vt > Vdd
Implant ROM layout
Implant ROM top metal
Implant ROM after Dash etch
Reading data from mask ROM
● Need to make bits visible first
– Via: Delayer to via layer (if nonplanar)
– Metal: Delayer to metal layer
– Implant: Strip to active, then Dash etch
● Acquire imagery
Reading data from mask ROM
● Extract the 2D bit pattern
– Can be done manually or with machine vision
– Polarity and structure aren't yet known
● Figure out structure
– Which bit layout is 1 and which is 0?
– How do 2D addresses map to linear?
Structure analysis
● Many possible layouts
– Interleaving of several bytes/words per row
– Top-down or bottom-up address increment
– Interleaved or concatenated banks
● Several ways to make sense of it all
– Reverse the decode circuitry
– Trial and error until dump makes sense
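The trial-and-error approach above, sketched as an added example (not part of the original slides): it decodes an extracted bit matrix under every combination of polarity, row order, byte interleaving and bit order, and ranks the results. The sample matrix, the crib string, the scoring rule and all function names are assumptions made for illustration.

```python
from itertools import product

def place(b, w, words, interleaved, msb_first):
    """Physical column and bit weight of bit b of the w-th byte in a row."""
    col = b * words + w if interleaved else w * 8 + b
    return col, (7 - b if msb_first else b)

def decode(bits, invert, bottom_up, interleaved, msb_first):
    """Read a 2D bit matrix into bytes under one layout hypothesis."""
    words = len(bits[0]) // 8                  # bytes per physical row
    out = bytearray()
    for row in (bits[::-1] if bottom_up else bits):
        for w in range(words):
            value = 0
            for b in range(8):
                col, shift = place(b, w, words, interleaved, msb_first)
                value |= (row[col] ^ invert) << shift
            out.append(value)
    return bytes(out)

def encode(data, words, invert, bottom_up, interleaved, msb_first):
    """Inverse of decode(); used only to build the constructed sample."""
    rows = []
    for r in range(0, len(data), words):
        row = [0] * (words * 8)
        for w, byte in enumerate(data[r:r + words]):
            for b in range(8):
                col, shift = place(b, w, words, interleaved, msb_first)
                row[col] = ((byte >> shift) & 1) ^ invert
        rows.append(row)
    return rows[::-1] if bottom_up else rows

def search(bits, crib):
    """Rank all 16 layout hypotheses: crib hit first, then printable ratio."""
    ranked = []
    for layout in product((0, 1), repeat=4):
        data = decode(bits, *layout)
        printable = sum(32 <= c < 127 for c in data) / len(data)
        ranked.append(((crib in data, printable), layout, data))
    return sorted(ranked, reverse=True)

# Constructed sample: 40 bytes stored as 10 rows x 32 columns with inverted
# polarity, bottom-up rows, 4 bytes bit-interleaved per row, LSB first.
PLAINTEXT = b"Mask ROM dump, constructed sample image."
SAMPLE_BITS = encode(PLAINTEXT, 4, 1, 1, 1, 0)

if __name__ == "__main__":
    for (hit, ratio), layout, data in search(SAMPLE_BITS, b"constructed")[:3]:
        print(layout, hit, f"{ratio:.2f}", data[:24])
```

For a ROM that holds code rather than text, the scoring rule would be replaced by one suited to the target, such as checking that the dump disassembles cleanly.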
Questions?
● TA: Andrew Zonenberg
● Image credit: Some images CC-BY from:
– John McMaster