This talk is a sequel to my last year's talk "Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!", where I showed how I reverse engineered a pretty old device (1986) by looking at microscope silicon pics alone, with manual tracing and some custom tools. Back then I claimed that taking a look at a more modern device would be way more challenging, due to the increased complexity.

This time, in fact, I've reverse engineered a much modern chip: the custom Roland/Toshiba TC170C140 ESP chip (1995). Completing this task required a different approach, as doing it manually would have required too much time. We used a guided automated approach that combines clever microscopy with computer vision to automatically classify standard cells in the chip, saving us most of the manual work. The biggest win though came from directly probing the chip: by exploiting test routines and sending random data to the chip we figured out how the internal registers worked, slowly giving us insights about the encoding of the chip ISA. By combining those two approaches we managed to create a bit-accurate emulator, that also is able to run in real-time using JIT.

In this talk I want to cover the following topics:

• What I learned since my previous talk by looking at more complicated chips
• Towards automating the silicon reverse engineering process
• How to find and exploit test modes to understand how stuff works
• How we tricked the chips into spilling its own secrets
• How the ESP chip works, compared to existing DSP chips
• How the SuperSaw oscillator turned out to work