Explore hardware reverse engineering techniques for custom chips and vulnerability discovery, using the Siemens S7-1200 PLC series (v1 and v4) as case studies. The talk walks through the analysis of Application Specific Integrated Circuits (ASICs) in SCADA devices, separating standardized, licensed IP blocks from custom functionality. Learn how circuit boards leaked through Chinese online shops made it possible to reverse engineer more than 60% of the chip's pins without decapping the part. Discover how protocols and logic voltage levels are identified with an oscilloscope, and how resistance (continuity) measurements trace connections between components on the board. Gain insights into locating the interfaces for flash memory, RAM, and the JTAG port on both chip versions. Uncover the specifications of the SoCs used in the different S7-1200 series, including the Fujitsu ARM-BE chip in v1 and the ARM Cortex-R4 r1p3 in v4. Finally, explore the creation of a working debug setup with a JTAG adapter for the newer PLC series, enabling memory manipulation, breakpoint setting, and live debugging applicable to all S7-1200 devices.
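The oscilloscope-based protocol and voltage-level identification mentioned above, as an added example that is not from Thomas Weber's talk or from Siemens tooling: given a list of voltage samples such as a scope's CSV export, the script estimates the high logic level and snaps it to a logic family, uses the shortest gap between edges to recover the UART bit period, snaps that to a standard baud rate, and decodes 8N1 frames. The capture, its sample rate, and the logic-family thresholds are constructed assumptions, not values from the page.

```python
"""Infer logic level, UART baud rate and payload from a sampled waveform.

Added example for this listing, not code from the talk or from Siemens.
Input is a list of voltage samples (e.g. an oscilloscope CSV export);
the capture used below is synthesised so the script runs offline.
"""
from statistics import median

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)
# Logic families commonly met on embedded boards. Assumed classification
# points, not values taken from the talk.
LOGIC_FAMILIES = ((1.8, "1.8 V"), (2.5, "2.5 V"), (3.3, "3.3 V"), (5.0, "5 V"))


def synth_uart(payload, baud, fs, vhigh):
    """Constructed capture: 8N1 frames, idle high, LSB first, no noise."""
    bits = []
    for byte in payload:
        bits.append(0)                                   # start bit
        bits.extend((byte >> i) & 1 for i in range(8))   # data, LSB first
        bits.append(1)                                   # stop bit
    bits = [1] * 4 + bits + [1] * 4                      # idle padding
    spb = fs / baud                                      # samples per bit
    samples = []
    for i, b in enumerate(bits):
        n = int(round((i + 1) * spb)) - int(round(i * spb))
        samples.extend([vhigh * b] * n)
    return samples


def classify_level(samples):
    """High logic level = median of samples above mid-swing, snapped to a family."""
    mid = (min(samples) + max(samples)) / 2
    vhigh = median(s for s in samples if s > mid)
    family = min(LOGIC_FAMILIES, key=lambda f: abs(f[0] - vhigh))
    return vhigh, family[1]


def edge_indices(samples, threshold):
    """Indices where the signal crosses the threshold in either direction."""
    digital = [s > threshold for s in samples]
    return [i for i in range(1, len(digital)) if digital[i] != digital[i - 1]]


def infer_baud(edges, fs):
    """Shortest gap between edges is one bit period (needs a 1-bit pulse)."""
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    raw = fs / min(gaps)
    return raw, min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_8n1(samples, threshold, fs, baud):
    """Sample each bit at its centre after every start-bit falling edge."""
    spb = fs / baud
    digital = [s > threshold for s in samples]
    out, i = [], 1
    while i < len(digital):
        if digital[i - 1] and not digital[i]:            # falling edge = start bit
            centres = [int(i + spb * (k + 1.5)) for k in range(8)]
            stop = int(i + spb * 9.5)
            if stop >= len(digital):
                break
            byte = sum(digital[c] << k for k, c in enumerate(centres))
            if digital[stop]:                            # framing check: stop bit high
                out.append(byte)
            i = stop
        else:
            i += 1
    return out


def analyze(samples, fs):
    """Full pass: level -> threshold -> edges -> baud -> decoded bytes."""
    vhigh, family = classify_level(samples)
    threshold = vhigh / 2
    raw, baud = infer_baud(edge_indices(samples, threshold), fs)
    return {"vhigh": round(vhigh, 2), "family": family, "baud": baud,
            "raw_baud": round(raw),
            "payload": decode_8n1(samples, threshold, fs, baud)}


CAPTURE_FS = 10_000_000   # 10 MS/s: assumed scope sample rate for the constructed capture
CAPTURE = synth_uart(b"\x55A", 115200, CAPTURE_FS, 3.3)

if __name__ == "__main__":
    print(analyze(CAPTURE, CAPTURE_FS))
```

The minimum-gap estimate is only valid if the capture contains at least one single-bit pulse, so record several frames (a boot banner usually suffices) rather than one byte, and check the raw estimate against the snapped rate: a large mismatch means the pin is not a plain UART. The level classification assumes the probe attenuation (1x vs 10x) is set correctly on the scope, which is the first thing to verify before trusting a 1.8 V versus 3.3 V reading on an unknown pin.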
Reverse Engineering Custom ASICs By Exploiting Supply-Chain Leaks
Hack In The Box Security Conference via YouTube
Syllabus
#HITBHaxpo D2 - Reverse Engineering Custom ASICs By Exploiting Supply-Chain Leaks - Thomas Weber
Taught by
Hack In The Box Security Conference