chip detectives [reverse engineering]


Page 1: Chip detectives [reverse engineering]

Call up the dictionary.com Web site, type in “reverse engineering,” and you will get a four-sentence response that begins and ends as follows: “The process of analysing an existing system to identify its components and their interrelationships and create representations of the system in another form or at a higher level of abstraction.… An integrated circuit might…be reverse engineered by an unscrupulous company wishing to make unlicensed copies of a popular chip.”

Chip cloning, piracy, industrial espionage. At one time, reverse engineering had a less than savory reputation within the semiconductor industry, and with good reason. During the 1960s and ’70s, companies in Asia built up their market share in part by copying—legally and illegally—their competitors’ products. The Soviets and Chinese, starved for Western electronics, also became proficient chip cloners. The loss of business for U.S. companies meant that “a lot of American engineers lost their jobs,” noted Arthur Nutter, president of Taeus, an engineering consulting firm based in Colorado Springs, Colo.

Chip detectives

The chip industry is finding new uses for reverse engineering—to defend patents, spur innovation, and trace product failures

intellectual property

JEAN KUMAGAI, Senior Associate Editor

0018-9235/00/$10.00©2000 IEEE 43

[1] X-rays reveal the basic wiring scheme of a Texas Instruments chip [shown here enlarged] extracted from a Nokia cell phone. CHIPWORKS INC.

Deconstructing a chip

Reverse engineering an IC device used to be the kind of thing a curious engineer could do at home, with little more than a camera and a cheap microscope. The complexity of today’s ICs, however, demands a comparably sophisticated suite of devices and techniques.

At Semiconductor Insights, a reverse-engineering lab in Ottawa, these are the main steps:

An X-ray of the chip package reveals the overall wiring scheme and also alerts engineers to any unusual features, like an on-chip battery. [See Fig. 1, p. 43, for an X-ray example.]

The IC package then gets dunked in hot sulfuric acid, to remove the protective plastic coating.

Reactive ion etching and polishing on a grinding wheel are two ways to selectively remove layers from the chip. Several specimens of a chip are prepared, each to a different layer.

A field-emission scanning electron microscope (SEM) images chip cross sections and topographical features; on the monitor at left is a Motorola MPC7400 microprocessor, also known as the G4, which uses copper interconnects.

Additional SEM images are taken at higher resolutions. For even greater magnification (up to 200 000 times), a transmission electron microscope may be used.

Digitally stored SEM images are fed into Semiconductor Insights’ proprietary CircuitMiner system, which automatically extracts individual signal pathways and generates a rough circuit layout.

Alternatively, SEM images can be printed out and taped together into a photomosaic, one for each layer of metal and interconnect. Engineers then trace and label the signals by hand. (Semiconductor Insights’ chief competitor, Chipworks Inc., has developed a desktop system for tracing circuits.)

The final step is to produce a report for the client, complete with a hierarchical set of schematics that, ideally, an IC designer will recognize.

—J.K.

PHOTOGRAPHS: RON DEVRIES/LIAISON AGENCY INC.


46 IEEE SPECTRUM NOVEMBER 2000

These days, though, reverse engineering is coming to be accepted, and in some circles even embraced, as a part of doing business. The main reason for the shift stems from the growing recognition that intellectual property, when vigorously defended, can add to a company’s bottom line. IBM, Texas Instruments, and Motorola now pull in something like US $1 billion a year from patent royalties and licensing fees. Rambus Inc., based in Mountain View, Calif., derives essentially all of its revenues ($17.8 million in the latest reported quarter) from licensing its high-speed interface technology for memory chips.

Intellectual property negotiations rely on technical ammunition, and over the last decade or so, a handful of laboratories specializing in IC reverse engineering (including Taeus) have sprung up to provide it. As their clients will attest, the ability of these labs to dissect even the most complicated IC is essential for pinpointing cases of patent infringement, and also determining whether a patented technology is worth licensing or buying. Beyond that, semiconductor manufacturers turn to these reverse-engineering houses to get a sense of how their products stack up against the competition, to test the quality of their products, and to trace the root cause of device failures [see “Anatomy of a crash,” p. 47].

THE TECHNICAL CHALLENGE

“This used to be the kind of work that one engineer could do in his spare time, working in his basement or garage,” said Terry Ludlow, president of Chipworks Inc., a reverse-engineering lab based in Ottawa, Canada. But that is next to impossible now, given the growing sophistication of the techniques needed to take apart and analyze today’s ICs. [See “Deconstructing a chip,” pp. 44–45.]

“Chip dimensions have shrunk unbelievably,” said Tony Denboer, executive vice president of Integrated Circuit Engineering Corp. (ICE), Scottsdale, Ariz. “A single memory bit-cell for a DRAM is 5 or 10 percent [the size] it was 10 years ago.” And, although the mainstay of reverse-engineering companies used to be memory devices, they are now branching out into microprocessors and mixed-signal devices, as well as product teardowns of cell phones, digital cameras, electronic toys, and the like.

Given the complexity of IC devices—line widths approaching 0.18 µm, layer upon layer of metal, insulator, and interconnect—just how does a lab go about taking such devices apart?

With extreme care. It starts with a set of identical chips, each of which will be parsed and imaged in a different way. “First we do a quick X-ray, to figure out how the pads connect to the wires or if there’s something weird in there, like a battery,” explained Chipworks’ Ludlow. The next step is to drop the packaged chip into a hot sulfuric acid bath, to dissolve away the outer coating of black plastic. What emerges after five minutes is a square bit of shiny glass threaded with metal.

Clients are typically interested in one of two things: how the chip is made (known as process analysis) or how it is put together (circuit analysis). One chip in the sample set gets cross-sectioned. That exposes the various metal, interconnect, and insulator layers. With surgical precision, the rest of the chips are then selectively “delayered,” meaning that each one gets etched (in a plasma etcher) or hand-polished (using, say, a grinding wheel covered with 30-µm diamond film) to a specific depth in the chip.

Preparing a seven-chip sample can take upwards of a week, and it is painstaking work. As Jeff Campbell, a Chipworks technician, ground down a chip headed for transmission electron microscopy, he explained that the aim is for a sample thickness of 2 µm. “Silicon transmits light at about 6 to 7 microns thickness,” he said. “At that thickness, silicon becomes like a ribbon, and it will bend.” The samples are extremely fragile, he added. “If you touch one with tweezers, it will crumble.”

From there, the chip fragments are imaged, using whatever high-resolution, high-magnification technique is called for. The chemical composition is verified by means of spectroscopy. For examining the microstructures, there are optical microscopes equipped with 35mm cameras, scanning electron microscopes, and transmission electron microscopes. The last is the most sensitive, yielding magnifications of more than 200 000-fold.

The thousands of raw images must then be compiled, organized, and analyzed. Each reverse-engineering lab has its own way of going about the job. It used to be that all the images got printed out and taped together into a photomosaic, onto which engineers would trace individual signals with Magic Marker.

A photomosaic of a simple device with large design features might cover a large desk. But a more complicated device could span the length and breadth of a good-sized conference room. “I think our record was 80 feet [25 meters] across,” Ludlow recalled. “And that was just part of a chip.” This method got to be especially unwieldy when signal pathways had to be traced down through five, six, and seven layers.

To save wear and tear on the engineers, the process was automated. Chipworks no longer relies on photomosaics; instead it has developed a proprietary desktop circuit-tracing system, known as the design analysis workstation (DAW). With it, the engineer identifies signal paths on screen, rather than across the floor, and can effortlessly flip back and forth between device layers.

In the case of Ottawa-based Semiconductor Insights Inc., the largest of the reverse-engineering labs, the innovation is known as CircuitMiner, an automated image recognition tool that takes scanning-electron-microscope images and then generates a rough circuit layout. Both CircuitMiner and DAW are especially time-efficient on auto-routed devices where the logic is separated across the chip. “Tracing signals that run everywhere can be frustrating for a human to do,” noted Ed Keyes, chief technology officer at Semiconductor Insights. “But the machine doesn’t care. It doesn’t get tired, and it doesn’t ask for a raise.”

The last stage is to produce a final report for the client, highlighting any novel features. A typical project costs from $10 000 to $50 000, but a six-month-long full-circuit extraction can go as high as a quarter-million dollars.

BARE NAKED CHIPS

Even those who make chips for a living are taken aback by how much a competent reverse-engineering lab can uncover. “I was visiting a client in Tokyo and showing him some of our reports,” recalled Derek Nuhn, general manager of Semiconductor Insights. “At the end, he just sat back and said, ‘Ah, my circuits are naked now.’ ”

To be sure, all or nearly all that Semiconductor Insights and the other reverse-engineering firms do could be done by the R&D divisions of large chip-makers, who will typically have on hand the same kinds of equipment and expertise, for use in refining their own products and keeping tabs on others’. So in a sense, these in-house groups present the biggest competition to the independent labs, according to Julia Elvidge, Chipworks’ vice president of marketing and sales. As it turns out, though, these same divisions are also among their biggest clients.

Index of players

Chipworks Inc.
Ottawa, Ont., Canada
http://www.chipworks.com

Cochran Consulting Inc.
Richardson, Texas
http://mcochran.com

Integrated Circuit Engineering Corp.
Scottsdale, Ariz.
http://www.ice-corp.com

Semiconductor Insights Inc.
Ottawa, Ont., Canada
http://www.semiconductor.com

Taeus
Colorado Springs, Colo.
http://www.taeus.com

The main difference between the in-house groups and the outside labs is one of specialization. “Realistically, our clients should be using their engineering talent to design and develop new products,” Semiconductor Insights’ Nuhn argued. “And we can supply the information about their competition and support their legal departments.”

According to Nutter, one of his company’s clients recently estimated that the opportunity cost of pulling a senior engineer off a project for a year would run him about $1 million. By contrast, Nutter said, “we’re always available. When they say ‘jump,’ we can say ‘how high?’ ”

Jan Bissey, who heads the competitor analysis group at Micron Technology Inc., Boise, Idaho, said his six-person team handles “targeted circuit extractions” on select pieces of an IC. But he uses Chipworks when he needs a full chip schematic report, which runs him about $70 000. Tackling that kind of job in-house would cost about two to three times as much, he estimates. “They have automatic tracking software to trace signals. I use sheets of acetate and colored markers.”

YES, BUT IS IT LEGAL?

“I like to tell people that what I do is spying,” Bissey added. “And it’s all legal.” The legitimacy of reverse engineering was established in the standard-setting Semiconductor Chip Protection Act, which the U.S. government adopted in 1984 and to which most industrialized countries now subscribe. Specifically, it allows reverse engineering of commercial semiconductor products for “educational purposes.”

Studying the competition actually accelerates the growth of an industry as a whole, contended Chipworks’ Ludlow. “People aren’t making the same mistakes their competitors make,” he said. “They’re not wasting time reinventing things.” He pointed to Advanced Micro Devices Inc.’s fabled reverse engineering of Intel’s 386 microprocessor in the late 1980s, which allowed the Sunnyvale, Calif., company to match the Intel chip’s functions without treading on protected technology. “It put them in the microprocessor business,” Ludlow said.

There are legal limits, though, to how far reverse-engineering firms may go. For one thing, the U.S. Economic Espionage Act of 1996 criminalizes the theft of trade secrets. So reverse-engineering firms must carefully screen clients, analyze only products bought on the open market—no prototypes or stolen samples, please—and otherwise try to ensure that the request is legitimate. Taeus’ Web site spells it out: “We will not support, condone, aid or assist any organization who may have the appearance of participating in industrial espionage.”

The statement is more than just window dressing. During its first few years of business, Semiconductor Insights was hired to look at a smart card used by the UK satellite television service Sky TV, whose parent is British Sky Broadcasting Group PLC, Isleworth. The cards plugged into set-top boxes and recorded how much viewing time users purchased. The client claimed to be in the same business, but in fact was feeding the data, complete with software encryption keys, to a company selling illegal clones of the Sky TV cards. Every time Sky TV changed its encryption code, the client had the card reverse-engineered anew. After several such rounds, Semiconductor Insights became suspicious and dropped the project. But in a subsequent criminal investigation, the client was found guilty and given a four-year jail term, and Semiconductor Insights had to pay a CAN $125 000 fine.

“It just emphasized that there’s a reason reverse engineering has a negative connotation,” Nuhn said. “You have to be careful.”

To its credit, Semiconductor Insights turned the experience into a profitable, and above-board, part of its business—namely, helping banks, credit card issuers, and smart card vendors shore up the security of their smart card products. The company does that by seeing how easy, or hard, it is to hack into the cards’ embedded microprocessor and memory chips. (Still wary of the potential for abuse, the company now stows its smart card samples in a locked windowless room, known to employees as “the vault.”)

SI’s work has been “very integral to our activities,” said Ken Ayer, chip card security director at Visa International, in Foster City, Calif. “If they tell us, ‘There’s a theoretical way to hack into the card but it’s extremely difficult,’ then that’s probably reasonably secure.” The goal, he said, is to make the devices tamper-resistant but still affordable. Security precautions are becoming even more important with the trend toward so-called open platform cards, onto which applications may be downloaded after the card is issued. But that flexibility is offset by greater vulnerability to computer viruses.

DEVIL’S IN THE DETAILS

One thing that those who do reverse engineering will tell you over and over is that they love getting to work with state-of-the-art technology. There’s the “aha!” of discovering just how a company pulled off an innovative scheme, or figuring out that a device’s advertised feature falls short of the mark. It’s the same kind of tinkering that leads many youngsters to pursue science or engineering careers in the first place. (The name Taeus originally stood for “take apart everything under the sun.”)

Anatomy of a crash

Beyond the bread-and-butter circuit extractions and patent reviews that reverse-engineering labs do, there is also, on occasion, the chance to do a bit more. After Swissair Flight 111 crashed into the Atlantic Ocean off Nova Scotia in August 1998, it took months to recover the flight control computer. Amazingly, the motherboard was still intact, but a number of chips, including the microprocessor, had shattered in the initial impact, and seawater had corroded what remained.

Chipworks was brought in by the Transportation Safety Board of Canada to assist—if at all possible—in rebuilding the damaged memory chip, an EEPROM [right], and extracting any data it still held. “We spoke to the [chip] manufacturer and other experts, and they pretty much said it couldn’t be done,” recalled Ray Haythornthwaite, who led the Chipworks investigation.

The team first studied an identical but undamaged chip. “It’s a memory chip, so we had to make sure we didn’t inadvertently erase or write our own data to it,” Haythornthwaite explained. “For example, we couldn’t use the electron microscope because the radiation would destroy the data.” The team spent several months just devising a plan of action. “Once we had that, it was relatively simple,” he said.

A focused ion-beam technique was used to disconnect faulty areas of the chip and lay down new metal connections. New bonding wires were also added to reattach the damaged circuits. Eventually, the team was able to extract the binary string of 1s and 0s in the chip’s memory array. That data was sent on to the transportation board, whose investigation is ongoing. —J.K.

CHIPWORKS INC.

There’s also a certain voyeuristic thrill in getting to see stuff hidden from all but a few. An example is chip art, the whimsical drawings or messages that designers etch into their creations. [See samples at right.]

Reverse engineering can also provide a peek at new technologies that a company may be trying out. “One chip we’re reading now, an S-DRAM, has whole blocks of unused circuitry, where the input and outputs are all grounded,” explained Semiconductor Insights engineer Siva Manoharan. The designers “were obviously using [the circuitry] for something. We have a rough idea what that was.” That in turn may offer a clue to a company’s next generation of devices, information that SI’s clients are only too happy to know about.

“You can almost see the personality of the designers,” added Nuhn. “What they were confident about, and where they were insecure and so built a workaround.”

TO CATCH A THIEF

As a countermeasure against illegal copying, chip designers sometimes insert traps in their layouts, perhaps a block of circuitry that looks real enough but serves no function, or a digital watermark in embedded code. A cloner would unwittingly copy the fake stuff along with the real.

It’s not foolproof, to be sure. Back in the late ’70s, chipmaker Mostek (since taken over by SGS Thomson Microelectronics) designed its MK4116 DRAMs with two-step contacts. Some of the contacts, though, were dummies and went only halfway down. A copier who put a real contact there would cripple the chip. After a few generations of DRAM, Mostek switched to using one-step contacts—but forgot to delete the dummies. Only after product yields dropped suddenly to zero did it remember.

Nor is deliberate entrapment the only means of spotting counterfeits. Two years ago, a Japanese company was desperate to find out who was cloning its video game cartridges. Each cartridge was built around a proprietary IC, on which the game software was stored. Somehow, perhaps through reverse engineering, perhaps by direct theft, the cloners had gotten hold of the chip design.

Working with a set of the game cartridge clones, engineers at Semiconductor Insights cross-sectioned and delayered them, and then compared the results to similar devices in their extensive library. No two wafer fabrication plants will execute the same design in exactly the same way. One fab may devise a way to skip a mask step, to cut costs. The transistors may have an unusual shape or configuration. A distinctive font may be used to label the die. All these differences add up to a kind of silicon fingerprint.

From its analysis, Semiconductor Insights was able to pinpoint the foundry where the chips had been made. Confronted with the findings, the foundry contended that it had no idea the chips were clones, but agreed to stop making them.

For legal reasons, Semiconductor Insights won’t reveal the names of the game maker, foundry, or counterfeiter. Indeed, the vast majority of clients who hire Semiconductor Insights, Chipworks, and the rest prefer to remain anonymous. Past and present SI customers include 27 of the top 30 semiconductor manufacturers in the world, said Nuhn, as well as intellectual property law firms, and the U.S. and Canadian governments. “It’s everybody’s little secret,” is how he puts it. “I can walk into [an industry] meeting and recognize nearly everybody in the room. But I know better than to go up and say ‘Hi.’ ”

Because of his clients’ insistence on confidentiality, “I can’t tell you squat about the bulk of our business,” said Nutter of Taeus, with typical bluntness. In fact, few people who work for the company are privy to that information. Taeus is structured with a “virtual headquarters,” which oversees a handful of full-time technical people based in Colorado and a much bigger and geographically dispersed network of consultants. On any given project, specialists will be brought in as needed—a bit of high-resolution photography here, some electron microscopy there. But only the project leader knows the full scope of the work and the client’s name.

IN DEFENSE OF PATENTS

General attitudes toward reverse engineering may be loosening up, though, as more companies recognize its value in defending patents. In fact, the bulk of the work that reverse-engineering houses take on is related to intellectual property: uncovering instances of infringement, as well as assessing a company’s portfolio of patents, to spot those likely to net the highest fees or that claim technology most likely to be used by others.

Here, the typical client is a manufacturer trying to hammer out a licensing agreement. In those discussions, said Nutter, “you don’t necessarily get what you deserve—you get what you can negotiate.”

Ron E. Pyle, who heads up semiconductor-related intellectual property activities at Motorola Inc.’s Austin, Texas, facility, agrees. “Our licensing program is founded on reverse engineering,” he said. “If we were to walk into an intense negotiation with a competitor claiming infringement but with no proof, it really isn’t going to go very far.” That was not always the case. In the industry’s early days, fundamental patents were distinctive enough that it was fairly easy to detect infringement, he said. Today’s patents cover shades of difference, like the use of a certain material as a protective layer in an IC. Only the closest inspection will reveal infringement.

Most cases of infringement are inadvertent, he added. “For all its expansion, the semiconductor industry is still fairly narrow. We’re all buying the same processing tools from the same vendors and using similar recipes.… The owner of intellectual property is basically the person who got there first.”

Ultimately, whether they’re helping clients defend patents or size up the competition, those who do reverse engineering believe their efforts are moving the semiconductor business forward. As product lifecycles continue to contract, “people are under tremendous pressure to innovate faster—they’re really getting the screws put to them,” said Nuhn. “So they rely on us to be an ear to the ground, to identify what’s new and interesting. We aim to give them some peace of mind.” ◆

For the fun of it…

Rembrandt might have sneered, but chip art reveals the playful side of IC design. Ordinarily, you’d need a high-end microscope to view such micro-images. But Chipworks curates an on-line gallery of chip art that has appeared on devices the company reverse engineered. Featured are [from left] Milhouse, a character on the TV series “The Simpsons,” taken from a Silicon Images digital transmitter; Moose Boy, discovered on a Motorola RF chip used in a Nokia cell phone; and a flexing robot, found on a UTMC radiation-hardened microcontroller. CHIPWORKS INC.