I've got a bunch of Nuclear Data peripheral circuit boards that I need
to reverse engineer. They are simple circuit boards with all the
tracings visible (i.e. no internal layers) and the parts are all 7400
series logic in standard DIP packaging.
If I were to do this manually, I would take high resolution
photographs of both sides of the board. From the photographs, I would
try to recreate engineering drawings: part placement and circuit
topology.
I'm wondering what kind of tools are out there that would assist in
this. Could I process the photos to extract the topology of the
printed circuit traces? Can I correlate this with image recognition
of the part packages and combine them to produce a netlist?
I'd appreciate hearing any experiences from others that have reverse
engineered circuitry.
I've reverse-engineered a few devices over the years. My method is
somewhat slow, but it does work.
I don't use computers, CAD tools, or anything like that. Nor do I take
photos of the board (I really can't see the point of doing that if you
have the board in front of you).
What I use is:
Pen and Paper (lots of the latter). Draw the schematic freehand, don't
waste time using a ruler to draw the wires. You can always redraw it or
enter it into a CAD system later if you really want to.
A _good_ continuity tester. This must not be 'fooled' by diode junctions
or by most resistors. A good Ohmmeter, reading down to 1 Ohm or less, is
useful for checking that what appears to be a connection is just a
connection and doesn't go via a 10 Ohm series termination resistor.
Data sheets on all the ICs, or at least as many of them as you can find.
If there are custom chips, you have a lot more work to do working out
what is going on, but you've said this doesn't apply. You want to be
able to refer to several at once, I find having them on paper is the only
way that works for me.
A good knowledge of circuitry (yes, my old favourite the 'brain'). The
point is that while a schematic 'just' shows the connections between the
components, it is useful if it's easy to figure out what's going on. And
there are conventional ways to draw some circuits. A trivial example is a
pair of NAND gates cross-coupled to make an SR latch. It's easy to
recognise if they're drawn one above the other with the cross
connections shown. It's not hard to see if they're drawn in-line with a
feedback loop. It's almost impossible to see if the 2 gates are on
different sheets with named signals linking them. This, IMHO, is where a
person does a lot better than any CAD tools.
OK...
Make a list of all the 'significant components' on the board. Both
'significant' and 'component' need explanation. It's probably not worth
listing every last pull-up resistor, it's certainly not worth listing
every decoupling capacitor (it may not even be worth drawing the latter).
When you come to multi-section ICs, each section is a 'component'. So a
7400 is 4 'components' -- the 4 NAND gates. The start of such a list might
be:
U1 a b c d '00
U2 a b c d e f '04
U3 '138
U4 Z80A-CPU
U5 6264
Desolder anything from the board that will confuse the continuity tester.
In particular, switches (unless simple on/off types, in which case turn
them off after noting the settings if applicable), configuration wire links
(desolder one end), low-value resistors, inductors, transformers,
unbuffered delay lines, relays and the like.
Now start drawing (!). Start with things you can pin down, certainly find
the power supplies (and if there are any on-board derived lines sort
those out now). Find the master clock oscillator circuit and reset circuit
if they are on the board.
Trace the connections with the continuity tester and/or ohmmeter. It's a
lot more accurate to do that than to try to do it visually, although
following a trace will give you some idea where it goes so you have some
idea of a set of pins to test with the continuity tester.
If you're doing an expansion board, you have a bus connector that will
identify address and data lines for you. If you have a large chip (like a
microprocessor), again it will identify signals -- but see if any are
buffered.
When you are drawing, don't be afraid to split the circuit up into
little blocks and name the input and output signals -- but give them
sensible names. That takes knowledge of the circuit design. Often I have
to go back and rename a few signals as I get more of it worked out, or I
leave signals un-named (but make a note of where they go) until I've
traced out another section.
As you draw out each component, cross it off the list. That way you don't
miss anything, you don't find you're drawing the same bit twice.
The easiest boards to do are ones with large, known, ICs like
microprocessors or complex-ish peripheral ICs because things like address
and data buses are known. Boards of TTL with no other knowledge are
worse. Boards of discrete transistors with no knowledge of the design are
even worse (I've done all types).
To give you some idea, I find I average 5 ICs per A4 sheet of paper
(this is a remarkably constant value for many types of circuitry,
obviously it fails if there's a lot of discrete transistor stuff) and
each page takes around 1 hour to trace, draw and document.
-tony
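
Added example, not part of the original posts: the continuity-tester procedure above recorded as data, with readings at or below 1 Ohm merged into nets, higher readings set aside as possible series resistors, and the component list checked for sections not yet traced. The pin names, readings and the `DIRECT_MAX_OHMS` threshold are constructed assumptions; the pin groupings follow the standard 7400 and 7404 pinouts.

```python
from collections import defaultdict

DIRECT_MAX_OHMS = 1.0  # assumption: at or below this, treat as plain copper

# Constructed readings (pin, pin, ohms): U1 gates a and b cross-coupled as an
# SR latch, one fan-out to U2, and one path through a series resistor.
READINGS = [
    ("U1.3", "U1.4", 0.2),
    ("U1.6", "U1.2", 0.3),
    ("U1.4", "U2.1", 0.2),
    ("U1.3", "J1.5", 10.4),
]

# Part of the 'significant component' list: section -> its signal pins.
SECTIONS = {
    "U1a": ["U1.1", "U1.2", "U1.3"],
    "U1b": ["U1.4", "U1.5", "U1.6"],
    "U1c": ["U1.9", "U1.10", "U1.8"],
    "U2a": ["U2.1", "U2.2"],
}

def build_netlist(readings, direct_max=DIRECT_MAX_OHMS):
    """Merge directly connected pins into nets (union-find); return (nets, suspects)."""
    parent = {}

    def find(pin):
        parent.setdefault(pin, pin)
        while parent[pin] != pin:
            parent[pin] = parent[parent[pin]]  # path halving
            pin = parent[pin]
        return pin

    suspects = []
    for a, b, ohms in readings:
        if ohms <= direct_max:
            parent[find(a)] = find(b)
        else:
            suspects.append((a, b, ohms))  # likely goes via a resistor
    groups = defaultdict(set)
    for pin in list(parent):
        groups[find(pin)].add(pin)
    return sorted(sorted(g) for g in groups.values()), suspects

def untraced(sections, nets):
    """Sections with no pin on any net yet, i.e. not crossed off the list."""
    seen = {pin for net in nets for pin in net}
    return sorted(name for name, pins in sections.items() if not seen & set(pins))
```
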