Recovery Mask ROMs in 2024

Abtract

Suppose you have a cryptography chip or an LCD game. The program in those is entirely contained in a microscopic grid of transistors, with a working transistor for each one and a broken transistor for each zero. By chemically opening the chip, delayering and staining it, we can make a photograph of those bits.

This lecture will describe the design and implementation of Mask ROM Tool, my open source CAD program for marking these bits and decoding them to bytes for disassembly, reverse engineering, and emulation. I'll also introduce you to the chemistry and the nifty tricks that make what used to be a months-long chore into a quick afternoon of dumping a ROM.

Bio

Travis Goodspeed is a reverse engineer of embedded systems from East Tennessee. His car is timed by a distributor, his watch by a spring. His new book, Microcontroller Exploits, catalogs a whole bunch of ways to extract firmware from a locked microchip using memory corruption exploits, voltage glitching, and chemistry.