Does anyone have any idea about the technology that could be used for imaging more dense ICs and multilayer PCBs? In a presentation elsewhere, Ken says that he used a metallurgical telescope and USB microscope. So the imaging is done with visible light and limited resolution. It is enough for old chips, e.g. the 8086 discussed in this article is made with a 3um process.
As I look around I see recent Intel chips haven't been reversed. [0] There are allusions to x-ray tomography and electron microscopes [1]. Any way a pleb can get close for cheap?
There's a reason I mostly stick to chips from the 1970s. Moore's law makes reverse engineering (literally) exponentially harder for later chips. Multiple layers of metal on the chip make it much more difficult; you can remove layer-by-layer but it's very hard. An electron microscope helps, and you can get one for semi-hobbyist prices if you try. X-ray tomography looks like a cool technology but it is very cutting edge and extremely expensive. See: https://spectrum.ieee.org/chip-x-ray
My Dad used to do and teach VLSI design from the 1970s on. Later in his life he designed environmental microphones and recording systems using Excel and assembly respectively because, "I don't need software tools because I know the equations" and "I don't need compiled languages because I know where the bits need to go."
Sorry for the thread-jack. Three years on since the passing of a true polymath.
I think a 486 is the last generation for which the feature size is flirting with the wavelength of visible light. Not sure how that translates to reverse engineering but not much road there.
Another great post from Ken - thanks again for all your work.
Looking at the transistor / vacancy counts for microcode it struck me just how this reduces the count of those used for logic in the rest of the CPU - down to less than 12,000 I think. [1]
The 8086's competitor the Z8000 had c17,500 and didn't use microcode so must have been significantly more complex to design - so giving Intel the advantage in getting to market first.
[1] This ignores the transistors used for registers etc.
You mention that you have traced out every transistor from die photos, and I was wondering how much work there would be to make a netlist for the 8086 like that which was used to produce the visual 6502 simulator?
Is that feasible or is there lots of work to do to get to that stage?
What is the most recent generation of Intel CPU for which an optical microscope can see enough to (at least theoretically) do what you are doing with the 8086?
Off-topic: how do you find out that your site has been mentioned on Hacker News? Do you notice a surge in traffic? Do you check Hacker News periodically? Did you feel a disturbance in the force?
How did you actually count the transistors? Was it a completely maddening manual process or did you develop a tool or other approach to reduce toil and preserve sanity?
I traced out the layers of the chip using GIMP, which was tedious and took several days. I have a super-hacky program that extracts transistors from these layers, figures out connectivity, and generates gates from the transistors. So I didn't need to count the transistors one-by-one, but I did need to trace out each one.
I think it'd be interesting to see a bit of that process in a blog post. Maybe something about how you do what you do and how your techniques have progressed? Even if it's a hacky mess, it sounds neat.
These days, I think 8051 has taken over due to their smaller die area, and the increased clock frequencies due to smaller process sizes have made their performance sufficient.
8051 is the basis for many microcontrollers today. They aren't compatible since vendors add all kinds of custom instructions or modifications to the original design, but some vendors do still make drop-in replacements. You can also get soft core versions for FPGAs that can run original software.
x86 is a fairly uncommon choice in embedded systems, but it does show up occasionally. The DisplayPort to HDMI chip used in some current-generation Apple laptops has an embedded 80186 core, for example.
What you will find all over are 8051-compatible cores. Those show up everywhere, even in some places where you might not have expected to find a microcontroller at all.
Production of the 8086 by Intel stopped in 1998. I imagine that it may have continued by another manufacturer, but I doubt it. 8051 descendants/derivatives are manufactured, but no longer by Intel.
In general ARM and RISC-V have taken much of the low end market and microcontroller market.
I'd pick a driver transistor in the charge pump because it's kind of wild to have this analog circuit generating negative voltage in this otherwise digital chip.
Does there exist a logic gate diagram of the 8086, or similar CPUs (e.g. 6502)? I mean a way to see the discrete digital logic, as opposed to transistors, of the ALU and also any other random logic and control.