Reverse Engineering and more using X-Ray

Video in TIB AV-Portal: Reverse Engineering and more using X-Ray

Formal Metadata

Reverse Engineering and more using X-Ray
Alternative Title
You Can Run but You Can't Hide: Reverse Engineering Using X-Ray
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Most of us have knowledge of PCB construction. In the past, reversing someone's design was an easy task due to the simplicity of the PCB design. Now, with BGAs (Ball Grid Arrays) and manufacturers using several plane layers that cover the entire PCB design, the details of the PCB are obscured from view. Through the use of X-Ray, we are able to reverse engineer virtually anything. Slides will be presented showing several PCB designs and how easy it was to reverse engineer the PCB. Videos of live views and dynamic zoom will also be presented; these will demonstrate the true power of the X-Ray and its ability to see sub-micron features within the PCB structure and devices while manipulating the PCB.
Good afternoon, everybody. My name is George Tarnovsky. I work with Cisco, and I'm a lab manager at one of our labs in Herndon, Virginia. Thank you for coming. This is a talk about hardware. It's not Hex-Rays, it's x-rays, so if you're here for software, you might learn something anyway, so stick around. Be patient with me, because we're gonna start out elementary and we'll work up to something pretty interesting. Okay, so here we go.

As most of you know, circuit boards come in various shapes and sizes, and the complexity really isn't evident from the outside of the board.

Okay, so this is the x-ray machine that we use. It's a Glenbrook Technologies Jewel Box 90, so it's a ninety kilovolt machine. As you can see, it's got a window in the front. It's leaded glass, so it's pretty safe; you're not gonna have too many issues at all. We check the machine every day when we use it to make sure that there's nothing happening that's going to affect us, because when you go to the dentist, your x-ray is on for three-quarters of a... quarter of a second, half a second. This machine is on for up to 15 minutes, so the exposure time is huge. So for your own sake, it's best that you check it, right? The slide to the right is the actual stage, and the red dot (I don't know if you can see the red dot on that slide) is where we'll be looking in this particular case, in that picture. So it gives you an idea of where you are, where you're looking.

You know, they say that x-rays are dangerous, but obviously I don't believe that's the case, because this was me just five years ago, so you can see nothing's changed. Some of you probably... I'm dating myself, because that's pre-IBM PC, so it's like '79, '80. But anyway, okay, enough of that. Let's get to business.

So, cross-sectional views of some PC boards. As I said, I'm going to start out elementary, so just bear with me and we'll work up to something a little more technical. The slide to the left is a simple two-layer design. You've all probably seen that; you can easily trace through the top and bottom layers, it's not a problem. If you look at the illustration to the right, it's a complex 12-layer board. Not only is it 12 layers, but it's 12 layers including plane layers. Does everybody understand the illustration, or should I get into what these columns go into? No? Okay, just keep moving. All right, very good. So, because you have plane layers in there, obviously you're not going to be able to see anything if you're trying to do any reverse engineering, for instance with opticals.

So, common methods for reverse engineering: backlighting, conductive tracing, and mechanical delayering. Backlighting is effective, again, without plane layers. If you have a plane layer... or even with a multi-layer board it's difficult, but it can be done. With a plane layer, all bets are off. When you're talking about conductive tracing, well, that's a pretty tedious task. It can be done; it's difficult, though. Mechanical delayering is very destructive. Again, it can be done, even with populated... here I say it's ineffective with populated boards. Yeah, it can be done with populated boards. At REcon Canada they gave an illustration of mechanical delayering that was effective, and of course you've got nothing left besides a pile of powder when you're done, but you get your layers separated and you have what you wanted, the drawing.

So, in backlighting on a simple double-sided board, you can see in the top illustration it'd be pretty easy to go through and trace that board, right? I mean, everything is pretty evident, with the exception of what's underneath the devices, and that you can find. So that's pretty simple. In the bottom illustration you've got backlighting on boards that have internal plane layers. Both of those, you can see that you're not going to get anything except the top and bottom layer. You're not gonna find anything internally.

So everybody's familiar with BGAs, ball grid arrays? Great. So this is an FPGA. What it actually is, it's a device sitting on a circuit board that's placed on a circuit board. As compared to conventional means, where you've got leads and you put them through a hole and you solder them, in this case you've got spheres of solder (that's the center slide), and they actually melt onto the pad, and that becomes your contact. Obviously conventional solder means are not going to get the job done, so it's done through hot air, and there's some precision. You can do it in a toaster oven; however, good luck. You could very well separate the board layers. It's a little risky. The vial to the right is standard balls for replacing FPGA spheres after you remove it; for instance, if you remove the FPGA, you want to reball it and replace it.

Okay, so with the x-ray: the picture to the left, compliments of semiconductor gurus, is a decapsulated device. The picture on the right is the same device, analyzed and x-rayed. To the left you see details of the actual device: memory layout, everything is there. With x-ray, all you're seeing is the perimeter of the die. X-ray sees right through the silicon, so that's going to be useless for anything like that. That question has come up before, where people think that you can use an x-ray to reverse engineer a device. You can't, for that reason.

Okay, so there's practically nothing that you can hide from an x-ray, and I'll show you some devices we've had to reverse engineer where they tried to hide their design from us. That didn't work out too well.

So here's an illustration of a BGA, and it looks pretty complicated because you're looking at... they're convoluted. You've got these standard spheres, you've got internal bond wires (that's that matrix you can see coming off of them), but then you see you've got vias on top of vias, and then you've got vias of different sizes, and that can be rather confusing. But the reason that you're seeing this is, as I showed you in one of the first pictures of the BGA, you've got a circuit board on top of a circuit board. So the small feature sizes on the BGA... I don't know if I have a pointer. No, I don't. Okay, never mind. So the small vias are on the circuit board that the BGA is on; the large ones are on the circuit board that the BGA is mounted on. That's why it looks a bit odd when you see a via on top of a via, or slightly offset. Can everybody see the bond wires? Yeah, I think it's pretty clear. Okay, so the larger via, by the way, is about eight thousandths of an inch, so you can see that the bond wires are fractional. In any event, that's internal to the BGA.

Okay, so I'm gonna skip this slide. Oh, what happened? Maybe I won't skip the slide. I can't move. Did it go? It went. Okay, everybody, all right, never mind. Okay, so I'll just show this to you this way.

The x-ray machine allows me to do angular views. To give you an idea: in the direct view on the left side, you can see the traces are one on top of the other, so you really can't differentiate where the trace falls within the structure of the circuit board, what layer it is on. So you can angle it, and at that point, if you look at the view on the right, you can see where now they've separated out and you can clearly see... well, maybe you can't clearly see, but if you look at the vias, the three vias that are along the bottom, you'll see that the lines that are coming off are actually stepped in different positions, and you can figure out what layer it's on, and then you can go through and trace it the rest of the way.

So the one feature that this has that's pretty unique is a geometric zoom. Remember I told you this is a live view, but I don't think I can... I can't do it. Oh yeah, here we go. Okay, cool. So the signal-to-noise is sacrificed when you're doing that, because you want the sampling rate to be high, so that's why it looks a little grainy. But once you get to where you want to be, then you can go back to 256 samples and averages, and then it clears up. So here we go. Okay, there you go. So that's it. You can see the benefit of this machine, because you can do it live, and I'll show that to you with a live trace. Skip that one. Here we go. So this is a trace where we actually had to trace... let go. Oh, okay, here we go.
Okay, so we're gonna trace that second line off... well, anyway, okay, you'll see what's so good. Again, the signal-to-noise isn't as good, because we want to see what's going on; otherwise it would take minutes. But when we get someplace and we want to get clarity, like for instance that vertical line, that's what we're tracing, so it looks a little convoluted. See, now I did the 256 samples, so it's clear now where it's going, and now we can continue to trace. This would be typical if you're looking at something and you wanted to trace a line. Now we're getting into a BGA, and again I can't differentiate whether it's the top or the bottom, so we increase the sampling rate, we stop for a minute. We might zoom in, I forget if I do that or not, but anyway, just to clarify for our own sake where we are. Okay, so now we're going to zoom in a little bit. We don't want to lose our place. And you're seeing this in real time; I'm not speeding this up or slowing it down, for that matter. Ideally that's what you would be doing if it was necessary for you to go through and do this to reverse engineer something. Okay, now we're getting into the BGA. I don't know if anybody followed this, but it's that center, pretty much center via, and it goes up, and there we are. So that would be a typical trace if you went through it.

So here was another one where we had a BGA and we had to figure out where it was going. We didn't know where the I/O lines were going, so we used the x-ray to get there. I'm sorry, I'm not seeing the right things here. Okay, so here's another one where they had the plane layer on the outside, so consequently you're not going to see anything on the inside, and you can see it's pretty complicated.

Here's some methods of obscuring the view. The top is epoxy: the board was coated with epoxy. The epoxy is the same resin as the board, so consequently, if you try to dissolve it, you dissolve the board. Using x-ray, we were able to reverse engineer that, and that was pretty easy. The one on the bottom was a little different, because we weren't sure what was going on. It turns out that they took a smart card, they chopped out the smart card itself (to the right you can see that there's a footprint of a smart card there), and they glued it in there and covered it up so nobody knew what they did. Ha ha.

Okay, so one of the other methods was to epoxy a sheet of lead inside, on top of the board, and then cover it with epoxy to try to hide the design from x-ray. That didn't work either, because all you have to do is increase the power. You'll see, yeah, there's some variation, but you'll see it. Also, we were able to pull the lead out. But anyway.

Okay, rad-hardened devices. The rad-hardened device is interesting, as you can see through it. However, if you look at the slide to the right, you can see the variation with the rad-hardened device: that's that dark area, you can see the pads, but that's compared to a normal BGA, where we would have seen everything.

And of course failure analysis is a big reason to have an x-ray. In the slide to the top left there's a missing sphere. I don't know if everybody can see that; it's like the fourth one in from the left and the fourth one up. So that's one reason. The center slide shows you shorts that would not be evident to anybody, because that's on the inside. You can see the spheres on the outside of the BGA if you tilt it, but you'd never see the inside. To the right, that's a real mess. That happens when you allow moisture. The spheres are hygroscopic, so they're gonna absorb moisture, and if you don't outgas them and you place them, this is what happens.

Okay, so this is a little problem we had. This was a design using a Xilinx FPGA. There's the bottom view of the circuit board on the right, and we were trying to talk to it through JTAG. There was no identification, so we had nothing. So I took a look at the board and I found that TDI was not connected. There was no connection to TDI, but I knew which sphere was TDI. So rather than removing the device and going through that, I took a pin vise, drilled a hole, and touched the sphere. The reason I used a pin vise rather than a drill is because I wanted to be able to feel when I broke through and was just to the ball, because if I didn't do that, I'd probably drill right through the device. So I took a pin, stuck it in there, and voilà, the device was identified and everything was working, so we were able to program it.

Well, that concludes my talk. Do we have time for questions? Question, Joe? [Laughter] Well, yeah, it has an internal timer, so it shuts off. That's Joe Grand, by the way, if anybody didn't recognize him. So, seconds, yeah, you can just restart it again. You know, they're concerned that somebody's going to walk away with it on and forget about it, and that's happened. It's even happened to us: you get involved with something else and it's still on. So, time out. But yeah, that's the reason.

All right, yes? Yes, they have some lead in them. They actually have some shielding in there, and again, you could see the difference. You could see that in that one slide, you can see the difference between the two of them. Yeah. Yes, yes. Thank you very much... devices, but thank you for asking. Any other questions?

Yes? I'm sorry? Yes, yes. Oh yeah, it came just the way you saw it. Yeah. Oh, okay, I got the X. Two more, two more questions. What do you think? There's... we do quite a bit of work, different things. One more question. Oh, you can't... you can, by tilting it. When you tilt it, you can actually see roughly where it is, you can gauge how many layers it went down, and then you can trace it.

All right, if anybody else has questions, please come and see me, because I'm getting thrown off the stage. So thank you very much for coming, everybody. Thank you, thank you. [Applause]