Chip Detectives

The chip industry is finding new uses for reverse engineering--to defend patents, spur innovation, and trace product failures

11 min read

Call up the dictionary.com Web site, type in "reverse engineering," and you will get a four-sentence response that begins and ends as follows: "The process of analysing an existing system to identify its components and their interrelationships and create representations of the system in another form or at a higher level of abstraction.... An integrated circuit might...be reverse engineered by an unscrupulous company wishing to make unlicensed copies of a popular chip."

Chip cloning, piracy, industrial espionage. At one time, reverse engineering had a less than savory reputation within the semiconductor industry, and with good reason. During the 1960s and '70s, companies in Asia built up their market share in part by copying--legally and illegally--their competitors' products. The Soviets and Chinese, starved for Western electronics, also became proficient chip cloners. The loss of business for U.S. companies meant that "a lot of American engineers lost their jobs," noted Arthur Nutter, president of Taeus, an engineering consulting firm based in Colorado Springs, Colo.

These days, though, reverse engineering is coming to be accepted, and in some circles even embraced, as a part of doing business. The main reason for the shift stems from the growing recognition that intellectual property, when vigorously defended, can add to a company's bottom line. IBM, Texas Instruments, and Motorola now pull in something like US $1 billion a year from patent royalties and licensing fees. Rambus Inc., based in Mountain View, Calif., derives essentially all of its revenues ($17.8 million in the latest reported quarter) from licensing its high-speed interface technology for memory chips.

Intellectual property negotiations rely on technical ammunition, and over the last decade or so, a handful of laboratories specializing in IC reverse engineering (including Taeus) have sprung up to provide it. As their clients will attest, the ability of these labs to dissect even the most complicated IC is essential for pinpointing cases of patent infringement, and also determining whether a patented technology is worth licensing or buying. Beyond that, semiconductor manufacturers turn to these reverse-engineering houses to get a sense of how their products stack up against the competition, to test the quality of their products, and to trace the root cause of device failures [see "Anatomy of a crash"].

The technical challenge

"This used to be the kind of work that one engineer could do in his spare time, working in his basement or garage," said Terry Ludlow, president of Chipworks Inc., a reverse-engineering lab based in Ottawa, Canada. But that is next to impossible now, given the growing sophistication of the techniques needed to take apart and analyze today's ICs. [See "Deconstructing a chip"]

"Chip dimensions have shrunk unbelievably," said Tony Denboer, executive vice president of Integrated Circuit Engineering Corp. (ICE), Scottsdale, Ariz. "A single memory bit-cell for a DRAM is 5 or 10 percent [the size] it was 10 years ago." And, although the mainstay of reverse-engineering companies used to be memory devices, they are now branching out into microprocessors and mixed-signal devices, as well as product teardowns of cell phones, digital cameras, electronic toys, and the like.

Given the complexity of IC devices--line widths approaching 0.18 µm, layer upon layer of metal, insulator, and interconnect--just how does a lab go about taking such devices apart?

With extreme care. It starts with a set of identical chips, each of which will be parsed and imaged in a different way. "First we do a quick X-ray, to figure out how the pads connect to the wires or if there's something weird in there, like a battery," explained Chipworks' Ludlow. The next step is to drop the packaged chip into a hot sulfuric acid bath, to dissolve away the outer coating of black plastic. What emerges after five minutes is a square bit of shiny glass threaded with metal.

Clients are typically interested in one of two things: how the chip is made (known as process analysis) or how it is put together (circuit analysis). One chip in the sample set gets cross-sectioned. That exposes the various layers of metal, interconnect, and insulator layers. With surgical precision, the rest of the chips are then selectively "delayered," meaning that each one gets etched (in a plasma etcher) or hand-polished (using, say, a grinding wheel covered with 30-µm diamond film) to a specific depth in the chip.

Preparing a seven-chip sample can take upwards of a week, and it is painstaking work. As Jeff Campbell, a Chipworks technician, ground down a chip headed for transmission electron microscopy, he explained that the aim is for a sample thickness of 2 µm. "Silicon transmits light at about 6 to 7 microns thickness," he said. "At that thickness, silicon becomes like a ribbon, and it will bend." The samples are extremely fragile, he added. "If you touch one with tweezers, it will crumble."

From there, the chip fragments are imaged, using whatever high-resolution, high-magnification technique is called for. The chemical composition is verified by means of spectroscopy. For examining the microstructures, there are optical microscopes equipped with 35mm cameras, scanning electron microscopes, and transmission electron microscopes. The last is the most sensitive, yielding magnifications of more than 200 000-fold.

The thousands of raw images must then be compiled, organized, and analyzed. Each reverse-engineering lab has its own way of going about the job. It used to be that all the images got printed out and taped together into a photomosaic, onto which engineers would trace individual signals with Magic Marker.

A photomosaic of a simple device with large design features might cover a large desk. But a more complicated device could span the length and breadth of a good-sized conference room. "I think our record was 80 feet [25 meters] across," Ludlow recalled. "And that was just part of a chip." This method got to be especially unwieldy when signal pathways had to be traced down through five, six, and seven layers.

To save wear and tear on the engineers, the process was automated. Chipworks no longer relies on photomosaics; instead it has developed a proprietary desktop circuit-tracing system, known as the design analysis workstation (DAW). With it, the engineer identifies signal paths on screen, rather than across the floor, and can effortlessly flip back and forth between device layers.

In the case of Ottawa-based Semiconductor Insights Inc., the largest of the reverse-engineering labs, the innovation is known as CircuitMiner, an automated image recognition tool that takes scanning-electron-microscope images and then generates a rough circuit layout. Both CircuitMiner and DAW are especially time-efficient on auto-routed devices where the logic is separated across the chip. "Tracing signals that run everywhere can be frustrating for a human to do," noted Ed Keyes, chief technology officer at Semiconductor Insights. "But the machine doesn't care. It doesn't get tired, and it doesn't ask for a raise."

The last stage is to produce a final report for the client, highlighting any novel features. A typical project costs from $10 000 to $50 000, but a six-month-long full-circuit extraction can go as high as a quarter-million dollars.

Bare naked chips

Even those who make chips for a living are taken aback by how much a competent reverse-engineering lab can uncover. "I was visiting a client in Tokyo and showing him some of our reports," recalled Derek Nuhn, general manager of Semiconductor Insights. "At the end, he just sat back and said, 'Ah, my circuits are naked now.' "

To be sure, all or nearly all that Semiconductor Insights and the other reverse-engineering firms do could be done by the R&D divisions of large chip-makers, who will typically have on hand the same kinds of equipment and expertise, for use in refining their own products and keeping tabs on others'. So in a sense, these in-house groups present the biggest competition to the independent labs, according to Julia Elvidge, Chipworks' vice president of marketing and sales. As it turns out, though, these same divisions are also among their biggest clients.

The main difference between the in-house groups and the outside labs is one of specialization. "Realistically, our clients should be using their engineering talent to design and develop new products," Semiconductor Insights' Nuhn argued. "And we can supply the information about their competition and support their legal departments."

According to Nutter, one of his company's clients recently estimated that the opportunity cost of pulling a senior engineer off a project for a year would run him about $1 million. By contrast, Nutter said, "we're always available. When they say 'jump,' we can say 'how high?' "

Jan Bissey, who heads the competitor analysis group at Micron Technology Inc., Boise, Idaho, said his six-person team handles "targeted circuit extractions" on select pieces of an IC. But he uses Chipworks when he needs a full chip schematic report, which runs him about $70 000. Tackling that kind of job in-house would cost about two to three times as much, he estimates. "They have automatic tracking software to trace signals. I use sheets of acetate and colored markers."

Yes, but is it legal?

"I like to tell people that what I do is spying," Bissey added. "And it's all legal." The legitimacy of reverse engineering was established in the standard-setting Semiconductor Chip Protection Act, which the U.S. government adopted in 1984 and to which most industrialized countries now subscribe. Specifically, it allows reverse engineering of commercial semiconductor products for "educational purposes."

Studying the competition actually accelerates the growth of an industry as a whole, contended Chipworks' Ludlow. "People aren't making the same mistakes their competitors make," he said. "They're not wasting time reinventing things." He pointed to Advanced Micro Devices Inc.'s fabled reverse engineering of Intel's 386 microprocessor in the late 1980s, which allowed the Sunnyvale, Calif., company to match the Intel chip's functions without treading on protected technology. "It put them in the microprocessor business," Ludlow said.

There are legal limits, though, to how far reverse-engineering firms may go. For one thing, the U.S. Economic Espionage Act of 1996 criminalizes the theft of trade secrets. So reverse-engineering firms must carefully screen clients, analyze only products bought on the open market--no prototypes or stolen samples, please--and otherwise try to ensure that the request is legitimate. Taeus' Web site spells it out: "We will not support, condone, aid or assist any organization who may have the appearance of participating in industrial espionage."

The statement is more than just window dressing. During its first few years of business, Semiconductor Insights was hired to look at a smart card used by the UK satellite television service Sky TV, whose parent is British Sky Broadcasting Group PLC, Isleworth. The cards plugged into set-top boxes and recorded how much viewing time users purchased. The client claimed to be in the same business, but in fact was feeding the data, complete with software encryption keys, to a company selling illegal clones of the Sky TV cards. Every time Sky TV changed its encryption code, the client had the card reverse-engineered anew. After several such rounds, Semiconductor Insights became suspicious and dropped the project. But in a subsequent criminal investigation, the client was found guilty and given a four-year jail term, and Semiconductor Insights had to pay a CAN $125 000 fine.

"It just emphasized that there's a reason reverse engineering has a negative connotation," Nuhn said. "You have to be careful."

To its credit, Semiconductor Insights turned the experience into a profitable, and above-board, part of its business--namely, helping banks, credit card issuers, and smart card vendors shore up the security of their smart card products. The company does that by seeing how easy, or hard, it is to hack into the cards' embedded microprocessor and memory chips. (Still wary of the potential for abuse, the company now stows its smart card samples in a locked windowless room, known to employees as "the vault.")

SI's work has been "very integral to our activities," said Ken Ayer, chip card security director at Visa International, in Foster City, Calif. "If they tell us, 'There's a theoretical way to hack into the card but it's extremely difficult,' then that's probably reasonably secure." The goal, he said, is to make the devices tamper-resistant but still affordable. Security precautions are becoming even more important with the trend toward so-called open platform cards, onto which applications may be downloaded after the card is issued. But that flexibility is offset by greater vulnerability to computer viruses.

Devil's in the details

One thing that those who do reverse engineering will tell you over and over is that they love getting to work with state-of-the-art technology. There's the "aha!" of discovering just how a company pulled off an innovative scheme, or figuring out that a device's advertised feature falls short of the mark. It's the same kind of tinkering that leads many youngsters to pursue science or engineering careers in the first place. (The name Taeus originally stood for "take apart everything under the sun.")

There's also a certain voyeuristic thrill in getting to see stuff hidden from all but a few. An example is chip art, the whimsical drawings or messages that designers etch into their creations. [see " For the fun of it...".]

Reverse engineering can also provide a peek at new technologies that a company may be trying out. "One chip we're reading now, an S-DRAM, has whole blocks of unused circuitry, where the input and outputs are all grounded," explained Semiconductor Insights engineer Siva Manoharan. The designers "were obviously using [the circuitry] for something. We have a rough idea what that was." That in turn may offer a clue to a company's next generation of devices, information that SI's clients are only too happy to know about.

"You can almost see the personality of the designers," added Nuhn. "What they were confident about, and where they were insecure and so built a workaround."

To catch a thief

As a countermeasure against illegal copying, chip designers sometimes insert traps in their layouts, perhaps a block of circuitry that looks real enough but serves no function, or a digital watermark in embedded code. A cloner would unwittingly copy the fake stuff along with the real.

It's not foolproof, to be sure. Back in the late '70s, chipmaker Mostek (since taken over by SGS Thomson Microelectronics) designed its MK4116 DRAMs with two-step contacts. Some of the contacts, though, were dummies and went only halfway down. A copier who put a real contact there would cripple the chip. After a few generations of DRAM, Mostek switched to using one-step contacts--but forgot to delete the dummies. Only after product yields dropped suddenly to zero did it remember.

Nor is deliberate entrapment the only means of spotting counterfeits. Two years ago, a Japanese company was desperate to find out who was cloning its video game cartridges. Each cartridge was built around a proprietary IC, on which the game software was stored. Somehow, perhaps through reverse engineering, perhaps by direct theft, the cloners had gotten hold of the chip design.

Working with a set of the game cartridge clones, engineers at Semiconductor Insights cross-sectioned and delayered them, and then compared the results to similar devices in their extensive library. No two wafer fabrication plants will execute the same design in exactly the same way. One fab may devise a way to skip a mask step, to cut costs. The transistors may have an unusual shape or configuration. A distinctive font may be used to label the die. All these differences add up to a kind of silicon fingerprint.

From its analysis, Semiconductor Insights was able to pinpoint the foundry where the chips had been made. Confronted with the findings, the foundry contended that it had no idea the chips were clones, but agreed to stop making them.

For legal reasons, Semiconductor Insights won't reveal the names of the game maker, foundry, or counterfeiter. Indeed, the vast majority of clients who hire Semiconductor Insights, Chipworks, and the rest prefer to remain anonymous. Past and present SI customers include 27 of the top 30 semiconductor manufacturers in the world, said Nuhn, as well as intellectual property law firms, and the U.S. and Canadian governments. "It's everybody's little secret," is how he puts it. "I can walk into [an industry] meeting and recognize nearly everybody in the room. But I know better than to go up and say 'Hi.' "

Because of his clients' insistence on confidentiality, "I can't tell you squat about the bulk of our business," said Nutter of Taeus, with typical bluntness. In fact, few people who work for the company are privy to that information. Taeus is structured with a "virtual headquarters," which oversees a handful of full-time technical people based in Colorado and a much bigger and geographically dispersed network of consultants. On any given project, specialists will be brought in as needed--a bit of high-resolution photography here, some electron microscopy there. But only the project leader knows the full scope of the work and the client's name.

In defense of patents

General attitudes toward reverse engineering may be loosening up, though, as more companies recognize its value in defending patents. In fact, the bulk of the work that reverse-engineering houses take on is related to intellectual property: uncovering instances of infringement, as well as assessing a company's portfolio of patents, to spot those likely to net the highest fees or that claim technology most likely to be used by others.

Here, the typical client is a manufacturer trying to hammer out a licensing agreement. In those discussions, said Nutter, "you don't necessarily get what you deserve--you get what you can negotiate."

Ron E. Pyle, who heads up semiconductor-related intellectual property activities at Motorola Inc.'s Austin, Texas, facility, agrees. "Our licensing program is founded on reverse engineering," he said. "If we were to walk into an intense negotiation with a competitor claiming infringement but with no proof, it really isn't going to go very far." That was not always the case. In the industry's early days, fundamental patents were distinctive enough that it was fairly easy to detect infringement, he said. Today's patents cover shades of difference, like the use of a certain material as a protective layer in an IC. Only the closest inspection will reveal infringement.

Most cases of infringement are inadvertent, he added. "For all its expansion, the semiconductor industry is still fairly narrow. We're all buying the same processing tools from the same vendors and using similar recipes.... The owner of intellectual property is basically the person who got there first."

Ultimately, whether they're helping clients defend patents or size up the competition, those who do reverse engineering believe their efforts are moving the semiconductor business forward. As product lifecycles continue to contract, "people are under tremendous pressure to innovate faster--they're really getting the screws put to them," said Nuhn. "So they rely on us to be an ear to the ground, to identify what's new and interesting. We aim to give them some peace of mind."

Index of players

Chipworks Inc.
Ottawa, Ont., Canada
https://www.chipworks.com

Cochran Consulting Inc.
Richardson, Texas https://mcochran.com

Integrated Circuit Engineering Corp.
Scottsdale, Ariz.
https://www.ice-corp.com

Semiconductor Insights Inc.
Ottawa, Ont., Canada
https://www.semiconductor.com

Taeus
Colorado Springs, Colo.
https://www.taeus.com

This article is for IEEE members only. Join IEEE to access our full archive.

Join the world’s largest professional organization devoted to engineering and applied sciences and get access to all of Spectrum’s articles, podcasts, and special reports. Learn more →

If you're already an IEEE member, please sign in to continue reading.

Membership includes:

  • Get unlimited access to IEEE Spectrum content
  • Follow your favorite topics to create a personalized feed of IEEE Spectrum content
  • Save Spectrum articles to read later
  • Network with other technology professionals
  • Establish a professional profile
  • Create a group to share and collaborate on projects
  • Discover IEEE events and activities
  • Join and participate in discussions