There are a lot of car buffs in the world. And, if we stop to think about it, we realize that when one of the auto manufacturers launches a new model, the others will buy some, take them back to the plant, and rip them apart to see what new features and technology are inside them. And then, if the new ideas are sales-worthy, they introduce similar innovations in their own models.
We also assume that the shift in technology from Europe and North America to Asia is the result of Asian industries buying products, taking them apart, and copying them.
These are two general examples of what is more precisely known by its practitioners as "reverse engineering" (RE). Specifically, the reverse engineer takes an existing product and disassembles it in an almost forensic manner to look at the component parts and the technology used in its production.
RE creates the knowledge of what a device is made from and how it is made. What is done with that knowledge, of course, spans the full spectrum of legality.
RE can cover objects from as large as aircraft down to the smallest microchip. Motivation for RE has varied from the paranoia of the Cold War (remember the U2 spy-plane?), through commercial piracy, to competitive intelligence, and courts of patent law.
Aside from the highly-publicized examples of spy planes and Chinese jets landing in Taiwan, if we look back over the last few decades, the reverse engineer has had a significant influence on the dissemination of technology in the electronics industry. Not the least has been the migration of technology to developing countries and the growth of the electronics industry in Asia—a bit of an apocryphal tale, but undoubtedly true.
After all, if you want to get into a new area of business, the simplest thing to do is to buy the existing product and take it apart to see what's in it. Having done that, you know what parts you have to buy, and what technological challenges you face putting your version together. This is a subset of one of the most basic business rules-know the competition!
In the Cold War era, ideological competition was the driver. RE groups were set up to analyze mostly military technology, and of course electronics hardware has had an increasing share of that field.
Applications of RE have now become more openly commercial. It is a recognized part of competitive intelligence and is commonly used to support patent licensing activities-both of which are means to spread technology, but on a more controlled basis. Don't underestimate the patent part of the business, either, since both Texas Instruments and IBM are now estimated to be receiving more than a billion dollars a year in royalty income.
There is also a need to RE archaic parts that are no longer in production, but still need to be replaced in long-lived equipment such as nuclear reactors, airliners, and ships.
A fact of life these days is that simple tear-downs of products are not good enough any more. Advances in electronics technology, namely the massive integration of billions of individual devices and masses of functions into single components, have forced reverse engineering to evolve into a specialized niche of the profession.
As an example, Chipworks is an industry leader in reverse engineering and the analysis of semiconductors and electronic systems. We have been in the RE business for over 10 years, and employ over 100 people in offices in all over the world. Some of us worked in the Cold War era, and have been in the industry long enough to remember that spy plane!
RE In The Electronics Industry
The question most asked about reverse engineering is "Is it legal?" The short answer is yes.
At least in the case of semiconductors, RE is protected in the U.S. by the Semiconductor Protection law, which allows it "...for the purpose of analysis, evaluating or teaching..." Other countries have similar legislation. In other cases, such as software, the situation is fuzzier and clouded by copyright considerations, but there seems to be a general principle that simply looking at something is an okay thing to do.
Electronics RE customers break down into two groups: those who are interested in technical intelligence and those interested in patent-related intelligence.
The technical intelligence customers are usually within manufacturing companies, performing product development, or doing strategic marketing or benchmarking studies. The patent intelligence clients are usually patent lawyers or intellectual property (IP) groups within manufacturing companies. There are also an increasing number of companies that are purely licensing companies, and only deal in IP.
Reverse engineering of electronics products can broadly take several forms:
Product tear-downs are the simplest type of RE in electronics. The device is dissembled, the boards and sub-assemblies photographed, and a description of the components is noted. Chipworks is usually only interested in what is in the device at this level, but there are also companies that use the data to provide a bill of materials and tentative costing for the manufacture. Figure 1 shows a Panasonic-made NTT FOMA mobile phone partly torn down to expose the smaller LCD display and the camera sub-unit.
System level analysis can be very complex, depending on what degree of analysis is required. Here's an example in a patent context. We needed to know exactly how a digital camera worked in order to prove use of invention, so we took several cameras apart to get one dismembered but functioning camera, and connected probes between the interfaces and a logic analyzer. Then we carefully studied the device's timing, and by comparing the results with the patent claims, produced evidence that the camera operation used the invention. Figure 2 shows the sequence of events followed to examine the camera's functions.
Circuit extraction of semiconductor chips has been become progressively more difficult, if not almost impossible, as device dimensions shrink. In the "olden days," we simply used to take lots of photographs of the different layer of a chip, tape them together, and crawl around on the floor marking up the interconnects (Figure 3).
Today we have 50-nm transistor gate lengths, way beyond the resolution of optical microscopes, and we use electron microscopes just to see the transistors. This is essentially what has made RE of semiconductor circuitry such a specialized business.
Now we need a dedicated SEM (scanning electron microscope) to image the different layers, we use specially developed software to stitch the thousands of images from each layer together with minimal spatial error, and need more software to synchronize the multiple layers so there is no misalignment between layers. Only then can we start the actual circuit extraction.
Figure 4 shows SEM images from the polysilicon transistor layer, and the first and second metal levels of a device, with a couple of interconnects marked up for illustration. Full circuit extraction means taking note of all transistors, all contacts/vias between levels, and all interconnects at each level, and then condensing them to a schematic readable by a design engineer. Typically we extract a block of circuitry at a time, and cross-reference the blocks so that the full schematic is available if required. Not a quick or easy task, but necessary in some circumstances.
Process analysis of chips is in some ways more straightforward, since microanalytical tools have been around for some while. Every wafer fab has a range of equipment for process control and failure analysis, and we use the lab-scale equivalent. Using the cellphone example, we were interested in the CMOS image sensor in the camera. We removed the camera module from the device and took it apart, recording the details until we ended up with the CMOS imager die (Figure 5).
Then we begin the actual chip analysis. This part was a fairly leading-edge sensor, with a small pixel size of 2.85 x 2.85 µm, so the emphasis was on a detailed examination of the pixel. Figure 6 shows some of the features seen in the pixel area.
A few words of explanation here. TEM (transmission electron microscopy) looks through the sample to give high resolution images of the device structure; SCM (scanning capacitance microscopy) is a way of seeing the positive and negative doping that makes up the actual working transistors, resistors, and so on in the silicon chip.
The Challenges Keep Coming
For reverse engineers, life will not get any easier in the electronics business. In semiconductors, our newest challenges are the 65-nm node devices currently being launched, such as the Intel Yonah. The consumer electronics business keeps bouncing from killer app to killer app, and we have to stay on top of all the new gizmos that keep appearing.
The RE business has to continually evolve to keep up with the changes in electronics and design, and it has become a discipline in itself created by the needs of a diverse customer base.