How it is made : Zelda Breath of the Wild's cartridge on Nintendo Switch

Introduction

Nintendo released its new hardware, the Nintendo Switch, and chose to store games on cartridges. This makes the cartridge the preferred target for pirates, who may be able to counterfeit games without having to compromise the console itself.

Before talking about the resilience of the games against any form of piracy, let's look at what sits inside the game package. For our study, we will work on the famous game "Zelda Breath of the Wild".

1. Opening the cartridge

The cartridge itself is small and exposes 16 contacts to the console on what appears to be a PCB. The first step of this teardown is to open the cartridge to further assess its construction.

Zelda cartridge's front and back

Opening the cartridge is fairly easy and can be done with a scalpel, for example. Once opened, a single chip is visible; the PCB seen from the outside is in fact part of the chip package.

Zelda cartridge opened

2. A System In Package

The chip is labelled with the manufacturer name, MXIC (Macronix), and a part reference number.

Chip package

A few drops of hot fuming nitric acid can be used to create a partial opening in the top of the package.

System in package after partial opening

Two dies are embedded in the package epoxy, which makes the MXIC device a System In Package. The larger die is probably a memory that stores the game, while the second one may serve as an authentication device and could also be used to decrypt the main memory content.

3. Cross section of the entire package


From that point, a cross section of the entire package can be made, either on the same sample or on a new one to keep the result clean.

Package cross section

This package cross section shows that the package's internal PCB is made of two layers. Both can be made visible by using a fine abrasive and « polishing » the bottom layer away to expose the second one. In that process, the intermediate layer, with the vias connecting both PCB layers, can also be made visible.

Close up of the cross section

4. Wires

The nitric acid used to create the partial opening also etches copper away. In that particular setup, the bonding wires connecting the two chips to each other and to the PCB would also have been etched away had they been made of copper. This is obviously not the case, which indicates gold bonding wires.

Bonding wires

As a curious detail, the bonding wires do not connect the two chips directly. The « security » module and the main memory each have their bonding pads on one side, but those two sides do not face each other, so the bonding wires go to the PCB, which routes the signals underneath the main memory.

Memory chip

5. The chips

More nitric acid can be used to dissolve the remainder of the package and expose the bare dies.

From this point, the two chips can be studied through reverse-engineering to give up their secrets.

It is fairly easy to guess the strategy pirates would use to create counterfeit games, and some assumptions can already be made at this early phase of the study. The memory can be either ROM or Flash based. This can be verified by etching away the chip interconnections and looking at the patterned silicon.

The memory could use a proprietary protocol, but that would require a custom chip design, which is not necessary and would add extra design and manufacturing cost.

It is therefore more likely that the chip is a standard flash storing encrypted data. In that case, the second chip would be used to decrypt the data on the fly when needed.

To further protect its IP, Nintendo can also use the « security » module to authenticate the game when it is plugged into the console. The module would then serve a dual purpose: authentication and decryption.

Optical scan of the 2nd chip top layer

Conclusion

From this point, the « security » module becomes the main target for a counterfeiter. Dumping the memory die alone would not be enough: without the module's keys the dump is only ciphertext, and an unauthenticated cartridge would be refused by the console. Reverse-engineering can then be used to extract the module's firmware and any cryptographic keys it holds. With that knowledge, and assuming the attacker can emulate the authentication protocol and the decryption algorithm on a publicly available microcontroller, a counterfeit product could be designed.
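To make the reasoning above concrete, here is a toy model of the two-die design the post speculates about: a memory die holding encrypted blocks and a « security » module that answers console challenges and decrypts on the fly. This is an added example written for this page, not code from the post, from Nintendo or from MXIC; the challenge-response scheme (shared-secret HMAC), the HMAC-based stream cipher, the key sizes and the block layout are all assumptions chosen for illustration and are not the real Switch game card protocol. It compares three cartridges against the same console check: the genuine one, a counterfeit built from a flash dump only, and a counterfeit built from the flash dump plus keys extracted from the module.

```python
"""Toy model of the cartridge design the post speculates about.

Added example, not code from the post, from Nintendo or from MXIC. The
protocol, key handling and cipher below are assumptions made only to show
why the security module, rather than the memory die, is the counterfeiter's
target. Nothing here is the real Switch game card protocol.
"""
import hashlib
import hmac
import os

BLOCK = 32  # bytes per "flash block" in this toy model (assumption)


def _keystream_xor(key: bytes, index: int, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256.

    Stands in for whatever cipher the real module might use (assumption).
    Encryption and decryption are the same operation.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        label = index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream += hmac.new(key, label, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SecurityModule:
    """The smaller die: holds the secrets, answers challenges, decrypts on the fly."""

    def __init__(self, auth_key: bytes, content_key: bytes):
        self._auth_key = auth_key
        self._content_key = content_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._auth_key, challenge, hashlib.sha256).digest()

    def decrypt_block(self, index: int, ciphertext: bytes) -> bytes:
        return _keystream_xor(self._content_key, index, ciphertext)


class Cartridge:
    """Memory die (encrypted blocks) plus the security module, in one package."""

    def __init__(self, module: SecurityModule, flash: list):
        self.module = module
        self.flash = flash

    def read(self, index: int) -> bytes:
        return self.module.decrypt_block(index, self.flash[index])


class Console:
    """Challenge-response check with a shared secret (assumption: symmetric scheme)."""

    def __init__(self, auth_key: bytes):
        self._auth_key = auth_key

    def authenticate(self, cart: Cartridge) -> bool:
        challenge = os.urandom(16)
        expected = hmac.new(self._auth_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cart.module.respond(challenge))


def build_genuine(auth_key: bytes, content_key: bytes, game: list) -> Cartridge:
    flash = [_keystream_xor(content_key, i, block) for i, block in enumerate(game)]
    return Cartridge(SecurityModule(auth_key, content_key), flash)


def build_clone(genuine: Cartridge, auth_key: bytes, content_key: bytes) -> Cartridge:
    """Counterfeit: verbatim copy of the flash, module emulated with the given keys."""
    return Cartridge(SecurityModule(auth_key, content_key), list(genuine.flash))


def demo() -> dict:
    # Constructed sample data: two blocks of "game content" and random keys.
    game = [b"ZELDA BOTW BLOCK 0 ".ljust(BLOCK, b"."),
            b"ZELDA BOTW BLOCK 1 ".ljust(BLOCK, b".")]
    auth_key, content_key = os.urandom(32), os.urandom(32)
    console = Console(auth_key)
    genuine = build_genuine(auth_key, content_key, game)

    # Attacker 1: dumped the memory die only, knows no keys.
    dump_only = build_clone(genuine, os.urandom(32), os.urandom(32))
    # Attacker 2: also extracted both keys from the security module.
    full_clone = build_clone(genuine, auth_key, content_key)

    return {
        "genuine_auth": console.authenticate(genuine),
        "dump_only_auth": console.authenticate(dump_only),
        "dump_only_readable": dump_only.read(0) == game[0],
        "clone_auth": console.authenticate(full_clone),
        "clone_readable": [full_clone.read(i) for i in range(len(game))] == game,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The flash-dump-only counterfeit fails authentication and reads back garbage, while the clone holding the extracted keys is indistinguishable from the genuine cartridge to this console. In the symmetric scheme modelled here the console carries the same key as the module; a signature-based variant would leave only a public key in the console, but the cartridge-side private key living in the module would still be what the counterfeiter needs, which is exactly why that die becomes the target.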

Of course, at this stage of the study, it is impossible to draw firm conclusions on the aspects discussed here.

Coming soon: the Chip ID, which goes into more detail with:

  • Cross sections of the package and chips
  • Pictures of the PCB layers
  • Top optical scans of the chips
  • Visible die marks
  • Substrate optical scans 
  • SEM close up showing the system in greater details 
  • And more!
