
Olivier THOMAS

Unlocking the secrets within ROMs


Trainer: Olivier THOMAS

Date: 30th May to 1st June 2023

Time: 9:00am to 5:00pm PDT

Venue: Santa Clara Marriott

Training Level: Intermediate


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

The primary goal of our trainings is to provide security professionals and team leaders with the skills, mindset and background information necessary to successfully perform the reverse engineering of Integrated Circuits (ICs), circumvent their hardware countermeasures and extract the data from them (Hardware and Firmware).

This intermediate training is focused on ROM memories as they often are the primary target of a security analysis at the transistor level. Rather than focusing on a particular device, the training was designed so it can be used as a starting point to deal with any type of ROMs.

As ROM content is encoded physically, it is possible to take pictures of the bits and convert them to a proper binary. Of course, chip vendors use different techniques, such as data scrambling, to make these optical dumps impractical.

This training aims at giving a complete understanding of how ROMs are constructed at the transistor level and will describe how the circuitry can be analyzed to extract the scrambling information necessary for the reconstruction of a proper binary. It therefore starts with a theoretical section where ROMs and their building blocks will be explained. This includes the different types of ROMs, the different types of bit encoding, and the ROM circuitry (logic, row and column decoders). With that knowledge in mind, the attendees will then work on the hands-on section, which will consist of the extraction of a ROM from pictures only. The attendees will have the opportunity to work from Scanning Electron Microscope pictures and to follow a step-by-step approach to extract a binary using Python, Fiji (ImageJ), Photoshop and HDL (Hardware Description Language) tools.

At the end of the session, attendees will be familiar with ROM technologies and will be able to adapt the acquired knowledge to real life scenarios.


Detailed Description:

ROMs inside Integrated Circuits are a pretty interesting target as they can contain cryptographic material, boot sections, hidden booting modes such as programming and / or test modes, etc.

Knowing about the code contained in ROMs can be used for a wide variety of targets such as extracting Flash content from non-accessible boot modes or setting up non-, semi- and fully-invasive attacks for a deep security evaluation. These different tasks are interesting for people such as Law Enforcement Agencies for digital forensics, security evaluators, counterfeiters, hackers and of course pirates.

ROMs have their content physically encoded, meaning the bits are actually visible. In such a context, where a Scanning Electron Microscope can be used to image the content and the memory control circuitry, it is possible to extract sensitive information at a rather low cost.

This hands-on training is designed to give attendees a deep understanding of ROMs and how to dump them. It will rely on a theoretical section that will describe the different circuits involved in reading from the memory. This knowledge base will be used on a practical case where pictures will be analyzed to extract the content but also to reverse-engineer the control circuitry that can be used to scramble the data.

The theoretical introduction will deal with the following topics:

  • structure of a ROM
  • types of ROM
  • bit encoding
  • data scrambling
  • standard cell Reverse-Engineering
  • semi-custom cell Reverse-Engineering

The hands-on section will take this knowledge and expand it by exploring the following topics:

  • find a ROM on an Integrated Circuit picture
  • extract bits from Scanning Electron Microscope pictures using Fiji and python scripting
  • identify the type of ROM, its control circuit, row and column decoders
  • reverse-engineer the ROM logic
  • use reverse-engineering data from the ROM circuits to build a VHDL model of the complete memory and its content
  • write a VHDL testbench to simulate the ROM behavior
  • dump the ROM from the testbench
  • deal with scrambling

The different chapters are organized so as to let the attendees discover each new topic in a progressive manner that reflects the Reverse-Engineering specific mindset. This way, attendees will be able to derive their own workflows and methods while working on their own projects after the training session.

Finally, this training is also useful to discuss the current state of Integrated Circuits security and embedded counter-measures, which can help chip designers improve their own security or help OEMs and integrators choose the right device for their application.


What to Expect? | Key Learning Objectives:

Without being fully exhaustive, the learning objectives of the training are:

  • identify ROMs on pictures of an Integrated Circuit
  • understand the building blocks of a ROM
  • identify the ROM type
  • extract a raw binary from pictures using simple scripts
  • reverse-engineer standard cells and semi-custom cells
  • reverse-engineer control logic, row and column decoders to find out about internal scrambling
  • convert the raw binary to binary candidates using most common scrambling schemes
  • get the binary of ROMs
  • understand how to strengthen ROM designs
  • etc


Who Should Attend? | Target Audience:

  • Forensic investigators in law-enforcement agencies
  • Pen Testers who want to assess the security of the embedded code, allowing for a complete hardware + Software evaluation
  • Digital ICs designers & test engineers
  • Engineers involved in securing hardware platforms against attacks
  • Team leaders involved in IC security and exploration as well as device security
  • Hardware hackers who want to become familiar with methods on ICs
  • Parties involved in hardware reverse-engineering and Vulnerability analysis

What to Bring? | Software and Hardware Requirements:

To follow the training efficiently, the attendees are asked to come with a laptop with the following software installed:

  • Fiji or ImageJ
  • Python dev environment
  • Photoshop (evaluation versions are ok)
  • ModelSim and Quartus Lite

All of these tools can be downloaded as open-source tools or as demo / evaluation software.


What to Bring? | Prerequisite Knowledge and Skills:

For this training, prior micro-electronics knowledge is not mandatory. The attendees should nevertheless be familiar with Python scripting and have some knowledge or understanding of HDL language. The training is designed in VHDL as it is closer to the actual design than Verilog, but people with Verilog skills will have no difficulty adapting to VHDL. To accommodate attendees with no prior experience with HDL (Hardware Description Language), the assignments are provided with scripts and files with blanks to fill.


Resources Provided at the Training | Deliverables:

The participants will be given slides that will cover the theoretical and hands-on sections. The hands-on section will be explained step by step with partial answers for attendees not familiar with the different languages used. Pictures will be provided as Photoshop files.


ABOUT THE TRAINERS

Olivier THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Then, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the creator of ChipJuice, a software toolchain that efficiently operates the recovery of hardware designs, independently of their technology node or architecture.