A few options:
0. Semiconductors rarely fail on their own. It's probably not the issue, something else is.
0a. But yeah, if something caused it to fail (surge, ESD, crossed wiring, etc.), it can be toast. In which case both the underlying cause, and the chip, need to be replaced. Find a replacement board and, well, replace the board, no need to transfer just the chip at that point, huh?..
1. Sometimes, firmware functions include limited inspection or debugging or modification (code execution) operations. You'll have to poke extensively at the chip. A logic analyzer and generator -- often an FPGA or MCU board -- can be used to fuzz the inputs, and discover potentially useful internal state.
The actual hacking process is lengthy, requires careful observation and insight, and commitment -- likely, millions of input combinations will fail before finding interesting ones.
Once you find a foot in the door, you can leverage memory data or pointers to modify or read out some things. For example, writes to the stack (assuming it's not a dedicated hardware stack) can be used to generate arbitrary return jumps (ROP, return oriented programming). Blindly discovering function pointers in this way, isn't very attractive (probably it'll lead to a lot of crashes, hangups or resets -- automatic power cycling is often a necessary part of the setup..), but it's at least... plausible. Eventually, you can build up a kit of "gadgets" that seem to do useful things without disturbing overall state (crashing), and potentially read out the program memory for complete disassembly.
Also, this assumes the chip is okay, or a replacement can be found.
1a. Even if its exact functions cannot be read out, in the process you may simply end up measuring the totality of its external function -- as a black box. In which case you can simply write your own state machine and drop in any new MCU that is capable (via pin converter PCB, most likely).
2. Especially if it's dead-dead -- you can decap it and read it out directly. Decapping typically isn't hard: the risky way is to simply heat the chip until its plastic softens (something like 300-400°C), and gently twisting it so that the plastic peels away from the die,
without bending the die. Typically the die is soldered or epoxied to a metal tab, and it can be gently pried or slid out of the remaining package. See:
https://youtu.be/ZQeHHYJYWXoYou do, of course, need a microscope to image the ROM. If it truly is the mask ROM version, it should be pretty obvious, given adequate magnification. Downside: if it happens to be a fine-pitch device, it might end up needing an electron microscope instead...
The safer method is boiling in acid, dissolving the plastic chemically. This requires some dangerous materials not usually available to the public -- fortunately there are more than a few people, so equipped, on the internet, who can perform this service for a modest fee or donation (sometimes just the die itself, I think?).
And if an electron microscope is still required, all hope is not lost; there are commercial decapping and inspection services, of course the bill goes up considerably at this point; but if you were concerned about sheer possibility over economics, yes, it certainly is...
...But more available perhaps, there are a few netizens also with such microscopes, who you might be able to schmooze some machine time with. Or probably more local, many universities are so equipped -- ask around, faculty are happy to respond and may be able to offer you some time on their machine, school year allowing. Typical uses include, well, the same exact thing, micro-fabrication; as well as geology, metallurgy, chemical analysis, physics... So, just because a university doesn't have a specialty like IC fabrication, doesn't mean they won't have one.
Tim
Home
Help
Search
Login
Register
