Silicon Reverse Engineering

Dissolve a chip's plastic package in acid, photograph the die under a microscope, and trace the metal wires and doped silicon regions until you have a complete schematic. This is silicon reverse engineering — part archaeology, part circuit analysis, part obsessive puzzle-solving — and it reveals things about hardware design that no datasheet will ever tell you.

Reading a Die Photo

A silicon die photo looks like an alien city viewed from orbit. Yellowish lines are metal traces — the wiring that connects everything. Reddish and greenish regions are doped silicon, forming transistors and resistors. The trick is learning to spot the basic components. An NPN transistor has its emitter on top, base in a thin layer beneath, and collector underneath — all constructed vertically in cross-section. A PNP transistor often has a ring-shaped collector surrounding a central emitter. Resistors appear as long, narrow red strips — they're expensive in silicon real estate and inaccurate, so designers avoid them where possible.[1]

Ken Shirriff's reverse engineering of the 76477 Complex Sound Generation chip — the one that made the UFO sound in Space Invaders — is a masterclass in reading silicon. The chip combines a voltage-controlled oscillator, a super-low-frequency oscillator, a white noise generator, an envelope generator, and a digital mixer, all on a single 1978-era die. Most of the chip is analog, built from hundreds of transistors, with about a third dedicated to digital logic implemented in Integrated Injection Logic (I2L), a 1970s technology that promised VLSI-density bipolar logic but lost out to CMOS.[1]

The dominant circuit motif in the 76477 is the current mirror — a circuit that takes one reference current and "clones" it to produce matched output currents. Current mirrors are used everywhere in analog IC design as replacements for resistors (which are large and inaccurate on silicon) and as bias current generators. The 76477's die has pinwheel-shaped transistors with four collectors surrounding a single emitter, each producing a matched current output. A huge fraction of the die area is dedicated to these current mirrors, which would be invisible in a block-level description of the chip but are essential to its operation.[1]

What the Datasheet Doesn't Say

The 76477's datasheet calls its VCO duty cycle control a "pitch control." Shirriff notes drily that this is wrong — the frequency is unaffected. This kind of discrepancy between documentation and silicon reality is the norm, not the exception. Modern SoCs are far worse: their "full user's manuals" run to thousands of pages, with hundreds of pages of errata, and the truly interesting parts are behind NDAs or simply unpublished.[2]

bunnie Huang's analysis of SoC "dark matter" is the security-focused version of this observation. Building chips is less like snapping Legos together and more like sculpting from marble: adding a circuit costs a million dollars in new masks and seventy days of delay, while deactivating one costs maybe ten thousand dollars and a few days. So every SoC mask set starts with extra features, spare logic, and debug facilities that are chiseled away until the final shape emerges. Some features are disabled in pre-boot code that runs before the CPU executes its first instruction. The result is a non-trivial fraction of transistors that are present, powered, and theoretically accessible — but undocumented.[2]

From a security standpoint, the Built-In Self-Test (BIST) infrastructure alone has "everything you need to do code injection, if you can just cajole it into the right mode." And because SoC integrators all buy functional blocks like DDR, PCI, and USB from a tiny set of IP vendors, the same undocumented logic motifs are baked into hundreds of millions of devices across competing brands. bunnie's phrase for the hazard: "an unpatchable, ecosystem-shattering security break."[2]

The Connection Machine and Thinking With Hardware

There's a different kind of hardware understanding that comes not from taking chips apart but from building machines from scratch. Danny Hillis's Connection Machine — a massively parallel computer with 64,000 processors connected in a 20-dimensional hypercube — was designed by a group of not-quite-graduated MIT students who, as Hillis later admitted, would never have started if they'd understood how complicated the project would be.[3]

Richard Feynman showed up on the first day and asked for a real assignment. They gave him the router — the most worrisome part of the design, responsible for finding paths through the hypercube when many processors needed to communicate simultaneously. Feynman studied the circuit diagrams "as if they were objects of nature," simulating each gate with pencil and paper rather than accepting explanations of how things should work. When he delivered his analysis, it was in the form of partial differential equations — treating boolean circuits as a continuous, differentiable system. Their discrete analysis said they needed seven buffers per chip. Feynman's equations said five. They went with seven, hit a chip-size limit months later, cut to five, and the machine worked.[3]

Feynman's approach — treating digital hardware as physics rather than engineering — produced insights that a conventional analysis missed. The same instinct drew him to cellular automata as a model of physics: discrete in space and time, with macroscopic laws emerging from simple local rules. He was always skeptical of specific proposals (he called Fredkin and Wolfram's models "kooky") but fascinated by the possibility. When Wolfram used the Connection Machine to simulate fluid dynamics with hexagonal lattice automata, Feynman got excited enough to start pushing the company toward numerical computing — "Hey Danny, you're not going to believe this, but that machine of yours can actually do something useful!"[3]

The first program ever run on the Connection Machine was Conway's Game of Life.

The 8008: X86's Ancestor on a Die

Shirriff's work extends to the Intel 8008, the chip that started the x86 family tree. Opening the package and photographing the die reveals a design where the physical layout maps almost directly to the block diagram in the user's manual — a luxury of an era when one engineer (Hal Feeney, whose initials are etched into the silicon) could hold the entire chip in his head.[4]

The 8008's ALU has a distinctive triangular shape, driven by its carry look-ahead circuit. Because low-order carries depend on fewer bits than high-order carries, the circuit block naturally forms a triangle, and the eight ALU bit-slices are arranged haphazardly around it rather than in the neat rectangular bit-slice layout that later processors would adopt. The register file is an 8-by-7 grid of three-transistor dynamic RAM cells — an unusual choice reflecting Intel's identity as a memory company first. Unlike later processors that used static latches, the 8008 stores its seven registers in the same kind of DRAM technology Intel was selling commercially.[4]

The most revealing detail is the 18-pin package. The 8008 uses 14 address bits and 8 data bits, but with only 18 pins, it has to multiplex: the same 8 pins transmit low address, high address, and data in three separate cycles. This made the chip slow and required a forest of support chips to use. There was no engineering reason for this — 40-pin and 48-pin packages existed at other manufacturers. But "16 pins was a religion at Intel." They grudgingly moved to 18 for the 8008. By the time the 8080 came along, Intel had accepted 40-pin packages, and the simpler bus design was a major reason for the 8080's greater success.[4]

The power routing is particularly instructive. With only one metal layer, Vcc and Vdd paths can't cross each other — they must be planned as interlocking networks that branch out from the power pins to reach every part of the chip. It's a constraint that would be invisible in a schematic but dominates the physical layout, and it's the kind of thing you only learn from die photos.

From Ferrite Cores to Flash

The archaeology of computing extends beyond silicon. Wayne Holder's reconstruction of a one-bit ferrite core memory is a beautiful exercise in understanding hardware that no longer exists. Core memory works through magnetic hysteresis: tiny toroid-shaped ferrite rings can be magnetized in one of two circular directions by threading a wire through the core and pulsing current. When a core flips state, it produces a small induced current — a kickback pulse — that can be detected. If you don't flip, there's no pulse. That's your read operation, and it's destructive: reading a core always forces it to a known state, so every read must be followed by a write-back.[5]

The scaling trick is coincident-current selection: thread two wires through a grid of cores, send half the required current on each wire, and only the core at the intersection gets enough force to flip. One sense wire threads through all the cores in a serpentine pattern designed to cancel out noise from the drive lines. Commercial systems used hundreds of thousands of microscopic cores threaded together by hand — a feat of manual dexterity that Holder openly admits he can't match. His single-bit demonstration uses an Arduino, an H-bridge driver chip, and a tiny 1 mm ferrite toroid bought from Bulgaria via eBay.[5]

What makes this more than nostalgia is that the principles are the same ones that matter in modern hardware design. Coincident-current selection is address decoding. Destructive reads followed by write-back show up in DRAM. The sense amplifier — a delicate analog circuit detecting a tiny signal against a noisy background — is the same problem faced by modern memory designers at nanometer scales. Understanding core memory doesn't just teach you history; it teaches you why modern memory works the way it does.
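The coincident-current selection and destructive read-then-write-back described above, as an added simulation (not Wayne Holder's code or hardware): every core is an idealised square hysteresis loop, the two drive lines each carry just over half the flip current, and the single sense wire reports a pulse whenever any core flips. The threshold and half-select values are constructed, not measured.

```python
# Added example (not Wayne Holder's code): an idealised model of a
# coincident-current core plane. Each core is +1 or -1 (its magnetisation).
# A net drive current >= FLIP_CURRENT flips a core; less leaves it alone,
# which is the square hysteresis loop in one line. Values are constructed.
FLIP_CURRENT = 1.0
HALF_SELECT = 0.55  # each drive line carries just over half the flip current


class CorePlane:
    def __init__(self, rows, cols):
        # every core starts magnetised in the "0" direction
        self.cores = [[-1] * cols for _ in range(rows)]

    def _drive(self, row, col, direction):
        """Pulse X line `row` and Y line `col` with HALF_SELECT each, toward
        `direction`. Only the intersection core sees >= FLIP_CURRENT. Returns
        True if a core flipped, i.e. a kickback pulse appeared on the sense wire."""
        pulse = False
        for r, line in enumerate(self.cores):
            for c in range(len(line)):
                current = (HALF_SELECT if r == row else 0.0) + \
                          (HALF_SELECT if c == col else 0.0)
                if current >= FLIP_CURRENT and line[c] != direction:
                    line[c] = direction  # the core flips and induces a pulse
                    pulse = True
        return pulse

    def write(self, row, col, bit):
        self._drive(row, col, +1 if bit else -1)

    def read(self, row, col):
        # Destructive read: drive the selected core toward 0. A pulse means it
        # held a 1, and by now it holds a 0, so the value must be written back.
        bit = 1 if self._drive(row, col, -1) else 0
        if bit:
            self._drive(row, col, +1)
        return bit

    def peek(self, row, col):
        """Physics-only view of a core's state (no drive, no disturbance)."""
        return 1 if self.cores[row][col] == +1 else 0


def demo():
    plane = CorePlane(4, 4)
    plane.write(1, 1, 1)
    # neighbours on the same X or Y line saw only a half-select and stayed 0
    undisturbed = plane.peek(1, 2) == 0 and plane.peek(3, 1) == 0
    first_read = plane.read(1, 1)   # 1: destroys the bit, then restores it
    second_read = plane.read(1, 1)  # still 1 thanks to the write-back
    return undisturbed, first_read, second_read, plane.read(0, 0)
```

Removing the write-back in read() makes the second read return 0, which is exactly the failure mode the text describes.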

Why Look Inside

Silicon reverse engineering, in all its forms — die photos, security analysis, historical reconstruction — serves the same purpose: it replaces trust with understanding. When you've traced every transistor in a 76477, you know exactly how it makes the UFO sound, including the datasheet errors. When you've analyzed a modern SoC's dark matter, you know exactly what you don't know, which is more useful than assuming the vendor told you everything. When you've built a core memory from scratch, you understand not just what memory does but why it works the way it does — from the physics of magnetic hysteresis up through the addressing scheme.

This is the same impulse that drives open hardware: the belief that understanding matters, that abstraction boundaries should be transparent rather than opaque, and that the gap between what a system is documented to do and what it actually does is where the interesting (and dangerous) things live.

Footnotes

  1. Reverse engineering the 76477 "Space Invaders" sound effect chip from die photos, by Ken Shirriff

  2. What is a System-on-Chip (SoC), and Why Do We Care if They are Open Source?, by bunnie

  3. Richard Feynman and The Connection Machine, by Danny Hillis

  4. Die photos and analysis of the revolutionary 8008 microprocessor, by Ken Shirriff

  5. One Bit Ferrite Core Memory, by Wayne Holder