  From: Jon M. Taylor <taylorj@ecs.csus.edu>
  To  : ggi-develop@eskimo.com
  Date: Fri, 26 Feb 1999 13:40:52 -0800 (PST)

Re: STB and S3 tech specs

On Thu, 25 Feb 1999, Sengan Baring-Gould wrote:

> Jon M. Taylor wrote:
> 
> >        It is actually an information theory thing, at least that is how
> > it was explained to me.  Just take the register spec, hook the chip up to
> > a specialized logic analyzer, and have it start feeding every data
> > permutation through the registers.  By observing what registers change
> > when and how, you'll quickly be able to get a good enough idea of the
> > basics of how the chip works to be able to figure out the rest by hand if
> > necessary.  And information theory _guarantees_ that you can always
> > determine the chip design 100%, given enough time, with a logic analyzer
> > and register spec only.
> 
> Do you realise the search space on that? Keep you busy for a year or  2.

	On a brute-force linear try-all-combinations approach, sure.  But
you don't do that.  What you do is do linear searches until you get a
better idea of some general layout rules, and then you reimplement your
probing system with the knowledge you have learned.  Now your probing can
be more targeted (no more probing bits you know are unused, regs which
can only hold a small range of meaningful values, etc).  Now you can
discover more subtle layout rules, re-implement the probing system, etc. 

	Now you have a **MUCH** more powerful system, by combining the
brute-force power of a chip analyzer with the human brain's
pattern-recognition abilities.  Thus, the time to discover X percent of
the total layout info in the chip goes down exponentially (more or less,
mostly depending on how good the human element is) with each
probe-discover-reimplement-reprobe cycle.  You don't even need a logic
analyzer, you can do it by combinatorial register setting in software.  It
just takes a lot longer, and thus is unsuitable for more than
reverse-engineering a couple of registers here and there. 
 
> >        On the Slashdot forum attached to the notice of my being hired by
> > Creative, someone brought up an example I wasn't aware of: the Weitek
> > P9000 video chipset.  Now, Weitek was best known for making math
> > coprocessors.  How'd they come up with one graphics chipset design out of
> > the blue?  By reverse engineering some proprietary Sun chipset, that's
> > how!  Sun accidentally released a .h file with the full register spec for
> > the chipset on some version of Solaris, and Weitek had a 100% compatible
> > clone up and running in no time flat.  It was so good, it was even
> > bug-for-bug compatible!!  So this is NOT unjustified paranoia.  People
> > *have* gotten burned - BADLY burned - many times in the past on this
> > very issue.
> 
> Hmm... let me be very sceptical that they reverse engineered it from the
> chip. Either that or it was a god-damn simple chip. 

	Well this was in ~1992, so I think it was much simpler.

> If they did reverse
> engineer it, I don't see why the .h file was such a help. As previously
> stated: if you can hook into the kernel and see how it does stuff, you'll
> be able to work out what the API is.

	But with a register layout, you can skip the initial step where
you have to discover the register layout for yourself.  This lets you
start a lot farther along on that exponential curve, which will result in
such a large decrease in the effective time of reverse-engineering that it
might make the difference between such reverse-engineering being
profitable or not. 

Jon

---
'Cloning and the reprogramming of DNA is the first serious step in 
becoming one with God.'
	- Scientist G. Richard Seed
