_____ ____                       
|_   _/ __ \                      
  | || |  | | __ _ _ __ _ __ ___  
  | || |  | |/ _` | '__| '_ ` _ \ 
 _| || |__| | (_| | |  | | | | | |
|_____\____/ \__,_|_|  |_| |_| |_|

ARM1 gate-level

Whether modern-day ARM architectures like the ARMv7 on which ioarm runs, and especially the 64-bit AArch64 chips, can still be called RISC chips is debatable. The architecture and instruction set have gotten pretty complex, with variable-length instructions, several extensions, complex instructions and so on.

What isn't debatable though is that it started out as a RISC chip. Where x86 chips remain backwards compatible with the complex instructions from the era when ease of coding in assembly was a genuine reason to buy a CPU, ARM competed by being simple. This allowed for a cheap and power-efficient chip; it was up to the compilers to hide how tedious coding in tiny, simple instructions can be.

The first ARM chip wasn't widely used at all, but in November 2015, 25 years after its release, the schematics for the chip were made publicly available. Not only that, visual6502.org provides a gate-level simulator that allows you to observe the chip in action. The Simulator.

The layout of this chip was done by computer and is not heavily optimized, which makes it relatively easy to figure out what each of the 25000 transistors is doing. Excellent work has been done reversing the chip and creating write-ups by Ken Shirriff and Dave from Dave's hacks. Reading through these articles will probably give you an idea of how an ARM CPU could possibly work at the lowest level.

All of it is interesting, but if you have limited time, I recommend you browse through:
- this introduction, to make sense of what you're seeing.
- LDM/STM instructions are unusual for RISC architectures. They were implemented in silicon by isolated components, allowing us to zoom in on one component and get a sense of how transistors accomplish the high-level behavior of the instruction.
- Instruction decoding, the central part of the Fetch-Decode-Execute cycle (PLA: programmable logic array).


Reversing silicon

Reversing silicon is not restricted to curiosities like the ARM1. Companies like chipworks or siliconinvestigations will attempt to extract gate-level and manufacturing information from the silicon. In IT security, reversing how a chip works has often allowed breaking it; one example is the discovery of the weak cryptographic algorithms used in RFID cards (RFID cards have few, large transistors). You can read a bit more about it here and here.

So far, public reversing of circuits has been limited to chips with a limited transistor count that can be imaged by an optical microscope, typically chips that are at least 20 years old. It will be quite some time before, for example, a Skylake chip is reversed. Not only are its transistors a mere 14nm wide (blue light has a 400nm wavelength), there are also 1.7 billion of them. Decapping, imaging and analysing it would be no small feat.

--bla