Olivier Thomas

Trainer Name:
Olivier Thomas
Title: Integrated Circuit Reverse Engineering 101
Duration: 2 days
Dates: 20th to 21st Sept 2016


In the security industry it is common to assume that security implemented in hardware is immune to analysis. In reality, the hardware may be the most vulnerable component of a security system. Analyzing hardware requires some additional knowledge about circuits, their engineering and especially their manufacturing. However, the skills required for performing vulnerability and/or risk analysis of the underlying circuit are very similar to those used in vulnerability analysis of software.

This training will provide security professionals the skills necessary for performing the vulnerability analysis of Integrated Circuits (ICs). Students who complete this course will be familiar with all important classes of low-level hardware attacks. Students will have an opportunity to study several real-world examples of devices with different classes of vulnerabilities. Students will then develop analysis strategies for the target devices and will apply these strategies for extracting the data from images of the device.

Course outline

Module 1: Introduction

  • Recommended reading
    • Background on Hardware Security
    • Reverse-engineering mindset
    • History of hardware hacking
    • Smartcard security
  • Overview of analysis techniques
  • Previous and current threat models
  • Common Criteria and certification
  • Piracy and monetization scenarios

Module 2: Background: IC Reverse-Engineering Basics

  • What is a chip?
  • CPU architecture basics
  • Synthesized logic vs. licensed and/or IP blocks
  • Assignment 1: Identification of Functional Block

Module 3: Background: The IC Manufacturing Process

  • Steps in IC manufacturing
  • Lithography and photolithographic masks
  • Device layers and their role
  • Standard CMOS process
  • CMOS Layout
  • Packaging Techniques
  • ASIC design cycle
  • Costs associated with manufacturing

Module 4: Constraints for IC Analysis

  • Planarization
  • Proprietary material makeup
  • Black box analysis
  • Overall device complexity

Module 5: Digital Circuits

  • Transistors
    • Theory of operation
    • Theory of malfunctions
  • Combinatorial logic
  • Register Transfer Logic
  • Assignment 2: Logical Functions

Module 6: CMOS layout

  • Basic gates
  • Complex gates
  • Finite State Machines
  • Assignment 3: Reconstructing the Cell Library

Module 7: IC Failure Analysis

  • Deprocessing
    • Wet-Chemical
    • CMP
    • Dry-Chemical (Plasma)
  • Imaging
    • Optical
    • SEM
    • Laser scanning
  • Invasive tools
    • EZ Laze
    • FIB
    • Microprobing

Module 8: Security Analysis of Targets

  • What to look for and why?
  • Countermeasures
    • Sensors
    • Erasing memories
    • Shields
  • FIB Bypass of a shield
    • FIB edit of shields
  • Introduction to ROM Extraction
    • Optical readout
    • Scripting for ROM reading with FiJi
  • Memory architectures
    • Addressing and data multiplexing
  • Assignment 4: ROM Extraction

Module 9: Security Analysis of Targets (Part II)

  • Strategies for reading out non-ROMs
    • EEPROM
    • Flash
    • Fuses
    • OTP
  • Microprobing
  • Linear Code Extraction
  • Assignment 5: Dynamic Extraction Techniques

Module 10: Security Analysis of Targets (Part III)

  • Potential countermeasures
  • Techniques to manipulate the control flow after startup
  • Assignment 6: Manipulating the Execution Flow

Module 11: Advanced Analysis techniques

  • Accessing different memory regions
  • Devise a fully-invasive strategy for extracting data
  • Assignment 7: Focused Ion Beam Circuit edit

Module 12: Potential limitations

  • Number of probe points
  • Capacitance
  • Smaller technologies

Module 13: Future of IC Analysis

  • Automated analysis techniques
  • Outsourcing the analysis workflow
  • IC analysis of SoCs
  • Device emulation
  • IC obsolescence
  • Patent Infringement

Module 14: Conclusion

  • Where to begin?
  • Where to get access to the equipment?


  1. Identification of Functional Block

Goal: Visually identify all functional blocks of a device.

  • Analog blocks
  • Volatile Memories
    • SRAM
    • Registers
  • Non-Volatile Memories (NVM)
    • Flash
    • EEPROM
    • ROM
  • CPU Core
    • ALU
    • Instruction registers
    • Microcode tables
  • Fuses

  2. Logical Functions

Goal: Understand how logic gates are used to construct essential logical functions.

  • Terminology
    • Netlists
    • Truth tables
    • Timing Diagram
  • Basic gates
  • Inverter
  • NAND
  • NOR
  • Transfer
  • Combinatorial logic
  • Complex logic gates
  • Basic logical functions
  • Complex logical functions
  • Sequential logic
  • Latch
  • Flip-flop
  • Register with control signals
  • Finite State Machines (FSMs)
  • Register Transfer Logic (RTL)

  3. Reconstructing the Cell Library

Goal: Identify the functionality of the gate from the layout.

  • Standard Cell
  • CMOS Logic
  • Location of PMOS and NMOS transistors
  • Supply rails
  • Complex combinatorial
  • Write the boolean equations
  • Draw the schematic
  • Sequential logic
  • Timing diagrams
  • Flip-flops
  • Registers
  • Additional control signals

  4. ROM Extraction

Goal: Identify the memory encryption and memory scrambling used.

  • Identify the addressing
  • Address decoders
  • Data multiplexers
  • Mapping based on decoder/multiplexer layout
  • Utilize image analysis for extracting the binary from different example memories
  • Clear ROM
  • Scrambled ROM
  • Encrypted ROM
  • Decompile and analyze the binary

  5. Dynamic Extraction Techniques

Goal: Identify the data path from the NVM to the CPU core of the target device.

  • Identify non-volatile blocks
  • Output Buffers
  • Output Multiplexers
  • Trace signals to core
  • Identify relevant signals
  • Charge Pumps
  • Buffers
  • Memory buses
  • Instruction registers
  • Code analysis
  • Typical boot-ROM routines
  • Asynchronous clocks
  • Typical timing diagrams

  6. Manipulating the Execution Flow

Goal: Understand ways in which the control flow of the execution can be manipulated.

  • Opcode encoding and manipulation
  • Register control signals
  • Generating static values at multiplexer outputs

  7. Focused Ion Beam Circuit edit

Goal: Introduction to fully-invasive FIB Circuit edits.

  • Understand the constraints of FIB Edits
  • Devise a strategy to access inaccessible memory regions
  • Review the steps necessary to perform the circuit edit

Brief overview of the Advanced IC RE training

Topics Covered during the course

IC analysis, Code Extraction, ROM, Flash, Databus, Focused Ion Beam Edits, ROM Decryption, Feature Extraction, SEM Imaging, Optical Imaging, Sample Preparation

Who Should Take This Course

IT security professionals from all fields of IT Security:

  • Hardware hackers who want to become familiar with attacks on integrated circuits
  • Engineers involved in securing hardware platforms against attacks
  • Researchers who want to understand the nature of many hardware attacks
  • Parties involved in hardware reverse-engineering and vulnerability analysis
  • Integrated circuit and failure analysis engineers

Minimum Software to Install

  • VMware Player, VMware Workstation, VMware Fusion or Virtualbox.
  • Virtual machine images will be distributed at the training along with all the written assignments.

What to expect?

  • Learning how components work and communicate at a low level
  • Understand how an embedded system works
  • Perform basic reversing exercises which will be useful in the real world

What not to expect?

  • Becoming a hardware hacker in two days
  • Decaff coffee
  • Disappointment

About the Trainer

Olivier Thomas

Olivier Thomas studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Subsequently, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs independent of their logical size. He is the founder and a security consultant at Texplained SARL.