Recent Experiments with Mask ROMs

Presented at REcon 2023, June 9, 2023, 2 p.m. (60 minutes)

Truly read-only memory is sometimes found as a ROM encoded in a mask layer of a microcontroller. This is hard to extract electrically when the debugging protocol is undocumented, so many of these chips are dumped photographically after chemically decapsulating the chip with nitric acid, delayering it with hydrofluoric acid, and, if the bits look identical, staining the ones to be a little darker than the zeroes. In this lecture, I'll explain how I built a home lab for taking these photographs and how I wrote CAD software for converting the photos into bits. I'll also describe some prior work in the field, and how to reproduce those results quickly and cleanly.

Presenters:

  • Travis Goodspeed
    Travis Goodspeed is a reverse engineer from East Tennessee. After years as a bum and years as a corporate sellout, he's happily reverse engineering microcontrollers in Knoxville, driving a fleet of Studebakers and knowing all the best dogs by name at his corner bar. Greetz to Ruger, Riley, Josie, Molly, and Maggie!
