Reverse engineering masked ROMs, PLAs

Ray Andraka wrote about reverse-engineering ASICs based on behavior vs.
analyzing the mask layout:

Speaking of such things, I have a number of old chips from which I want
to extract masked ROM and PLA contents from. Since those are very
regular strutures, and they in parts with single layer metal in 5 micron
and larger geometry, it should be fairly easy. In fact, here's an
example of someone doing this:
http://www.pmonta.com/calculators/hp-35/

He extracted code from 10 micron PMOS masked ROMs that were packaged in
metal cans, by the simple expedient of removing the top of the can with
a dremel tool or the like.

I want to do basically the same thing with other chips from that era,
but they're in plastic DIP packaging. I don't want to mess with
high-temperature fuming nitric acid and such things. Can anyone
recommend a lab that will do this, and take photomicrographs, at
a "reasonable" price?

Before everyone jumps on me about piracy, I'll explain that the ROM
and PLA code in question is NOT copyrighted.

Thanks!
Eric

 

....and, pray tell, how do you get to that conclusion?
Every time one generates a document or a pattern (in this case the
codes, masks, etc), such items *by FEDERAL law* are copyrighted!
In fact, your missive to this NG, and my answer here is copyrighted!
Now, if anyone wanted to make some lawyers rich and go to court over
mis-use of copyrighted material, then copyright *registration* would be
considered as the ultimate proof that judges cannot go against.

 

By knowing some of the details of US Copyright Law (Title 17 of the
United States Code).

In the US, that wasn't the case before the Berne Copyright Convention took
effect, March 1, 1989. See 17 U.S.C. 405(a):

Sec. 405. Notice of copyright: Omission of notice on certain copies
and phonorecords

(a) Effect of Omission Copyright on With respect to copies and
phonorecords publicly distributed by authority of the copyright owner
before the effective date of the Berne Convention Implementation Act
of 1988, the omission of the copyright notice described in sections
401 through 403 from copies or phonorecords publicly distributed by
authority of the copyright owner does not invalidate the copyright in
a if work

* (1) the notice has been omitted from no more than a relatively
small number of copies or phonorecords distributed to the
public; or

* (2) registration for the work has been made before or is made
within five years after the publication without notice, and a
reasonable effort is made to add notice to all copies or
phonorecords that are distributed to the public in the United
States after the omission has been discovered; or

* (3) the notice has been omitted in violation of an express
requirement in writing that, as a condition of the copyright
owner's authorization of the public distribution of copies or
phonorecords, they bear the prescribed notice.

In the case of the ROMs and PLAs I want to extract, none of the
conditions for preservation of a copyright without notice have been
met.

Also, these parts were sold before the Semiconductor Chip Protection Act
of 1984 (17 USC 901 et seq.) was enacted, so they are not elgible for
protection as mask works.

True, because the Berne Convention is in effect. I'm including quotes
from your message here as a matter of fair use.

Technically registration is still a legal requirement, even though
a copyright notice is not.

However, the main practical effect of registration is that it allows you
to collect actual damages for infringement. Without registration, you
can only collect statutory damages, though they can be fairly substantial.

Eric

 

Content-Transfer-Encoding: 8Bit

Just for reference, here is a list of when copyrights run
out in various situations. Corrections/comments welcome.

**************************************************

DATE OF WORK: Published before 1923

PROTECTED FROM: In public domain

TERM: None

**************************************************

DATE OF WORK: Published from 1923 - 63

PROTECTED FROM: When published with notice [3]

TERM: 28 years + could be renewed for 47 years,
now extended by 20 years for a total renewal
of 67 years. If not so renewed, now in
public domain

**************************************************

DATE OF WORK: Published from 1964 - 77

PROTECTED FROM: When published with notice 28 years
for first term;

TERM: now automatic extension of 67 years for
second term

**************************************************

DATE OF WORK: Created before 1-1-78 but not published

PROTECTED FROM: 1-1-78 (Effective date of 1976
Copyright Act)

TERM: Life + 70 years or 12-31-2002, whichever is greater

**************************************************

DATE OF WORK: Created before 1-1-78 but published
between then and 12-31-2002

PROTECTED FROM: 1-1-78, (Effective date of 1976
Copyright Act)

TERM: Life + 70 years or 12-31-2047 whichever
is greater

**************************************************

DATE OF WORK: Created 1-1-78 or after

PROTECTED FROM: When work is fixed in tangible
medium of expression

TERM: Life + 70 years [1] (or if work of corporate
authorship, the shorter of 95 years from
publication, or 120 years from creation [2]

**************************************************

Notes:

[1] Term of joint works is measured by life of the
longest-lived author.

[2] Works for hire, anonymous and pseudonymous
works also have this term. 17 U.S.C. § 302(c).

[3] Under the 1909 Act, works published without
notice went into the public domain upon
publication. Works published without notice
between 1-1-78 and 3-1-89, effective date of
the Berne Convention Implementation Act, retained
copyright only if, e.g., registration was made
within five years. 17 U.S.C. § 405.

Source: Tom Field / Lolly Gasaway.

 

IANAL, but I believe that requirement for copyright notice applied to
published works then. But I don't know whether PLA code was considered
an expression that was copyrightable then or that distributing IC
constituted publication even. You probably need a real IP lawyer
to answer that. But since you're incurring the liablity here, it's
your call.

If you were considering putting this stuff under an opensource license
it might be more problematic since you would not be the original author
by your own admission. You'd probably want to document why you think
the work is in the public domain.

 

This seems to have emerged from another newsgroup so the context of the
original question is not clear. However, I think that those who need to
perform reverse engineering of anything (and I have done more than my fair
share of it - by neccessity) should be on clear ground as far as IP issues
are concerned.

My own reverse engineering work was always for a client who owned the
equipment and IP rights but had lost the documentation for systems that
needed to be modified. If you are doing it for reasons other than that then
the wicket is getting very sticky.

--
********************************************************************
Paul E. Bennett ....................<email://>
Forth based HIDECS Consultancy .....<http://www.amleth.demon.co.uk/>
Mob: +44 (0)7811-639972
Tel: +44 (0)1235-811095
Going Forth Safely ....EBA. http://www.electric-boat-association.org.uk/
********************************************************************

 

The Semiconductor Chip Protection Act is not relevant; the masks
could be covered as works of art.
As far as age goes, you are correct - if an item is old enough, then
notice would be needed.
Without registration, collection of statutory damages would be rather
difficult as one would have to prove ownership and priority.
Registration is equivalent to "overkill" proof.

 

So why not look at what they do, the functionality and re-create it
with new parts? That way you avoid legal problems.

Regards,
Pieter

 

I think maybe IDC in Arizona, (Phoenix), and MOSAID used to do a lot of
this delayering and taking picture stuff. Else, anybody that is in the
Failure Analysis business for Semiconductors. Lucky for you these are
from a vintage that makes it conceivable to me. Doing what the chinese
probably did to that crypto equipment on something modern is way beyond
my scope.

del

 

I was referring to the US Electronic Intelligence or something plane
that got kidnapped out of international airspace near china and forced
to land. Got the crew back in a while. As I recall we got the airframe
back in boxes. It was rumored the crew didn't have enough time to
destroy all. Probably within last 10 or so years. Google should turn
it up. EC137 may have been the aircraft type.

I don't know what happened to the electronics but I can guess.

del cecchi

 

A Chinese F-8 and a US EP-3 collided during an intercept; the F-8 was
lost and the EP-3 performed an emergency landing at Hainan airfield. A
fairly standard cock-up between great powers.

Kelly

 

And I'm certain that it wasn't deliberate just to hand bogus equipment to the Chinese. (Excuse me,
somebody's knocking on my door.)

 

the theme for this episode of Jag:
http://www.tvtome.com/tvtome/servlet/GuidePageServlet/showid-242/epid-99581/

though the ending is a bit different

-Lasse