Ethical Reverse Engineering
If you can’t beat ’em, cheat ’em?
It was a sweltering August afternoon, hot enough to fry an egg on the mean streets of Silicon Valley, when I got the call … er, email. Somebody needed help. My help. And fast. They were desperate. That’s why they call me.
<cue lonely, monotonous, wailing saxophone solo>
My name doesn’t matter. What matters is I’m an American guy who does reverse engineering. Ethical reverse engineering.
<cue decisive-sounding music fraught with portent>
What the …?
Not so fast. Impossible, you say? A contradiction in terms? The conjunction of two mutually exclusive terms (“American guy” and “reverse engineering”). About as likely as a rich bloviator being elected president!
Oh.
Maybe a second look is in order.
That’s where I come in. I’m the archivist’s best friend. When doc control is no more, I’m at the end of the road. Waiting.
Because they don’t have a choice.
<cue more wailing saxophone music>
When mergers became acquisitions in the ’70s, ’80s, and ’90s, whole sets of paperwork vanished. For you twenty-something app designers out there, as astonishing as this may sound, know there was a time when everything was put down on paper. In quintuplicate. By people who were adept at losing files. Or simply didn’t care if they were lost. Someone else’s problem. Especially if those people have retired, or transitioned to the Great Archive in the Sky.
A vanished world. Just like platform shoes.
Oh.
If your world is military, aerospace or medical, those files never went to China. At least not intentionally. Certainly not overtly. Nor will they now.
More important, those designs never went away. Duty calls: their service life has been extended. Airframes designed in the ’50s and ’60s are still flying. B-52s are flown by the third generation of airmen. Only the guts, the avionics, has changed. And the pilots, who nowadays are younger than the airplane. That includes the generals who command the air wings.
Likewise, barring an actual shooting conflict, warships are designed to last 50 years or more. The recently decommissioned nuclear aircraft carrier USS Enterprise was in service from 1962 until 2012. That is the norm nowadays, not the exception. Lots of electronics to repair, replace and upgrade. But being military, the designs are often 30 years old, sometimes older.
Which returns us to hard-bitten, yet ethical individuals, like me. Somebody has to support these systems, if not indefinitely, then at least for years into the future. Support means documentation and data so new, fresh subsystems can be built as the need arises. Keep ’em flying. Keep ’em sailing.
Our nation’s defense and security demands it. Congress in its wisdom funds it.
<cue stirring rendition of The Stars and Stripes Forever>
Brings a lump to your throat, doesn’t it? Don’t overlook that we owe this red, white and blue business to somebody’s screw-up. The need arose because one anonymous someone in the distant past lost the data.
So, how to proceed, when all you have is a bare board, or a very old assembled board that must be disassembled to arrive at the original bare board? It may not even be an electrically good board. What you do have is the electronic equivalent of The Leader’s Nose. The rest must be reconstructed as faithfully to the original as possible.
Oh, and it needs to work.
Technology to the rescue: behold the flying probe first and the imaging system second.
Flying probe test systems, as a class, are ideal for this task. Most contemporary flying probes possess one or more troubleshooting algorithms designed to learn boards by measuring net impedances. Refinements in this software, combined with an ability to digitize x-y positioning of test points and other features of the board enable netlists to be reconstructed. Crude schematics can also be created from the net data. This information can then be used to evaluate and diagnose field return failures of older boards. Likewise, these same data, and the board in question, can be handed over to a layout service bureau to recreate a complete design documentation package: Gerber photoplot files, CAD data in ODB++ format, bills of materials, assembly and fab drawings, and complete schematics.
Digital tomographic imaging (CT scanning) is another valuable tool for reproducing and assuring mechanical and electrical integrity. Capture images of all the layers of the board, stitched together by software in the case of larger boards, and save them for the board layout engineer to refer to as a verification step.
All it takes is money, time and our determination that the project is above board. This is, after all, about ethical reverse engineering.
Whose ethics, you ask?
Well, if our customer isn’t willing to disclose the purpose for which the board reconstruction is intended, we won’t accept the engagement.
So dust off your halo, Mr. Holier-Than-Thou. Purposes are all relative, you quickly retort. Easy to disguise the ultimate intent.
True enough. You need to ask the right questions.
Recently a customer approached us about ostensibly reconstructing a certain board that was part of a security system governing retail transactions. They claimed a lack of information about an OMAP processor driving the main processor board in the system. Several dozen emails and two months later, it became apparent the customer’s actual motivation was to hack into a competitor’s hardware to divine its inner workings and gain an unseen advantage. That was their version of ethics.
Not ours. Thank you for your time and interest.
Experience teaches you the right questions to ask.
Again recently, an aerospace customer contacted us about reverse engineering a set of communication boards for military vehicles. There were 17 boards in the system, of which the critical three lacked any documentation. A merger-and-acquisition byproduct, with docs gone with the wind. All that existed were three conformally coated, assembled boards, with failure tags attached. The mission: reconstruct these boards, or the vehicles won’t roll. Oh, and since it was military, the reconstruction had to be an exact reproduction of the older boards. Or there would be repercussions.
Got that, soldier?
<cue drumroll>
Yes sir! But first, sir, with all due respect, a few questions. Like define exact. One of the boards has six layers. If CT imaging of those layers reveals a partially cut trace on the second signal plane, are we to reproduce that partially cut trace? If layer spacing is not uniform, in the absence of a fab drawing with a layer stackup and dielectric spacing, are we to exactly reproduce the layer spacing contained within the specimen board? Conformal coating needs to be removed to run the board through the flying probe to obtain the netlist. If, in the act of chemically removing the conformal coating, certain nomenclature is removed or obscured, rendering precise reproduction impossible, does that invalidate the process? If this system fails, and soldiers are killed as a result of that failure, and that failure is traced to one or the other of these boards, will large SUVs with heavily tinted windows, discharging large unsmiling men in bulging dark suits with wires emerging from their collars, show up in our driveway with greetings from the Government?
<cue grumbling sounds on the other end of the phone line>
“We will make allowances.”
<cue cymbals clashing>
How reassuring.
So, with the understanding that our customer was willing to sign the Mother of all Disclaimers, we bounded ahead with a quote.
That will be $100,000 and three months, please. Net 30, not your stated net 90. And in progress payments. Not negotiable. You have a problem. We represent your salvation.
It is not just the thought of impending hanging that concentrates the mind. Impending six-figure sums do too. Miracles result.
After weeks of radio silence, on the sixteenth email, requesting status, this ecstatic bulletin:
“Good news! One of our IT guys stumbled upon this dusty old PC. It contained the missing files for our three boards. We will not need to go forward with your reverse engineering proposal. Isn’t this great news?”
Indeed. I’m so happy for you.
<cue one dramatic, sullen piano chord>