Reverse Engineering of Firmware, Software and Circuits

Sometimes enough information can be gleaned from publicly available information on a product to perform a patent claims analysis. But often, there is not enough information in the public domain to make a determination about whether a product infringes a patent.

In these cases, a company might be inclined to simply assume that a competitor is infringing a patent and proceed to sue, hoping that during the discovery process it will obtain the information needed to prove its case. However, there is a legal obligation (referred to as Rule 11) for a claimant to fully investigate claims.

So what can be done if you think that someone may be infringing your patent but you have no evidence of it? One way to make a determination of infringement is to take a manufactured product apart, and reverse engineer parts of it: that is, analyze the circuitry in terms of patent claims.

I have experience in reverse engineering for the purpose of performing patent claims analysis. I have reverse engineered hardware for clients who want to investigate whether they should seek revenue or royalties from a potential infringer through a technology licensing agreement. I am one of the few reputable firms with experience in extracting firmware from secure microcontrollers. I have disassembled and analyzed microcontroller firmware to evaluate both patent and copyright infringement claims.

Reverse Engineering at the component level

Reverse engineering at the component level involves taking the allegedly infringing product apart, determining what components are used in the product, and determining how the components are interconnected. Electronic products are usually composed of one or more printed circuit boards (PCBs). Multiple PCBs may be further interconnected by connectors or by a backplane (a special PCB designed specifically for interconnecting multiple PCBs). Each PCB may have many components mounted on it, with the individual components connected via circuit traces. To reverse engineer the PCB, the circuit traces are followed to determine the interconnects between components. Many PCBs have multiple layers that make reverse engineering more difficult: traces embedded within the inner layers make interconnections that can't be seen with the naked eye. A primary output of the reverse engineering process is one or more schematic diagrams that show the components and the interconnects between them.

The reverse engineering process also involves identifying the components used in a product. While some components are well marked, others may have no markings at all. This is especially true of surface mount (SMT) components such as capacitors and inductors. Occasionally it is useful or necessary to decapsulate a part in order to determine its origin or its functionality.
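The trace-following step above, when done on the bench, amounts to probing continuity between component pins and merging every pair of pins that share copper into one net; the netlist then feeds the schematic. The following is an added example (not the author's tooling, and not taken from any real board) that rebuilds a netlist from a constructed list of resistance readings with a union-find pass. Pin names like U1.1, the readings and the 1 ohm threshold are all invented for the illustration. Pins that end up alone in a net are reported separately, because on a multilayer board that usually means an inner-layer trace has not been probed yet rather than a truly unconnected pin.

```python
"""Added example: reconstruct a PCB netlist from pairwise continuity measurements.

The measurements, reference designators and threshold are constructed for
illustration; they do not describe any real product.
"""
from collections import defaultdict

# Constructed readings: (pin_a, pin_b, ohms). Pin names are "REF.PIN".
MEASUREMENTS = [
    ("U1.1", "C3.1", 0.2),
    ("C3.1", "J1.2", 0.3),
    ("U1.2", "R5.1", 0.1),
    ("R5.2", "U1.7", 0.2),
    ("U1.4", "C3.2", 0.1),
    ("U1.4", "J1.1", 0.4),
    ("U1.1", "U1.2", 4700.0),   # path goes through R5: a component, not a trace
    ("R5.1", "U1.7", 4700.0),   # through R5 itself
    ("U2.3", "U1.5", 0.5),
    ("U2.1", "U2.2", 1e6),      # no path found between these two on the outer layers
]
SHORT_THRESHOLD = 1.0  # ohms; below this the two pins share a copper trace


def build_nets(measurements, threshold=SHORT_THRESHOLD):
    """Group pins into nets: every reading below the threshold merges two pins."""
    parent = {}

    def find(p):
        parent.setdefault(p, p)
        while parent[p] != p:
            parent[p] = parent[parent[p]]   # path halving
            p = parent[p]
        return p

    for a, b, ohms in measurements:
        ra, rb = find(a), find(b)          # registers both pins even when not shorted
        if ohms < threshold and ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for pin in parent:
        groups[find(pin)].add(pin)
    # Deterministic net names N1, N2, ... ordered by each net's lowest pin name.
    ordered = sorted(groups.values(), key=min)
    return {f"N{i}": sorted(pins) for i, pins in enumerate(ordered, start=1)}


def component_pinout(nets):
    """Invert the netlist: reference designator -> {pin number: net name}."""
    out = defaultdict(dict)
    for net, pins in nets.items():
        for pin in pins:
            ref, num = pin.split(".")
            out[ref][num] = net
    return dict(out)


def unconnected_pins(nets):
    """Pins alone in their net: either truly unconnected or reached only via an unprobed inner layer."""
    return sorted(p for pins in nets.values() if len(pins) == 1 for p in pins)


if __name__ == "__main__":
    nets = build_nets(MEASUREMENTS)
    for name, pins in nets.items():
        print(name, " ".join(pins))
    print("U1 pinout:", component_pinout(nets)["U1"])
    print("check inner layers for:", unconnected_pins(nets))
```

The 4700 ohm readings are deliberately kept in the input: a resistance reading through a resistor must not merge two nets, which is why the threshold is applied per reading rather than simply recording every pair the meter beeped on.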

I have performed reverse engineering at the component level of electronic products incorporating multiple PCBs and various interconnection systems. I have reverse engineered SMT (surface mount) PCBs as well as discrete types of circuitry.

Reverse Engineering of Microcontroller Software or Firmware

It is often not sufficient to reverse engineer a product to the component level in order to determine infringement. Many products incorporate microprocessors or microcontrollers in their design. A microprocessor or microcontroller operates in accordance with programming instructions stored in ROM, RAM, EPROM, or FLASH memory. To determine how the microcontroller or microprocessor operates it is necessary to reverse engineer the software or firmware within that memory. This is not as easy as one might think. First, the program embodied by the firmware is simply a collection of binary digits (1s and 0s). To decipher this machine-specific program code it is necessary not only to convert the binary data into a readable form, but to assign meaning to the program and data. Thus, reverse engineering of microcontroller software or firmware requires program disassembly via a disassembler or decompiler. The problem is that no disassembler or decompiler exists for many (if not most) commercial processors, especially those of more recent vintage.
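To make the two steps just described concrete (turning raw bytes into readable instructions, then assigning meaning by separating code from data and naming branch targets), here is an added example of a small table-driven disassembler. It is not the author's tool and does not target any real microcontroller: the instruction set, the opcode table and the ROM image are all invented for the illustration, and the only thing that carries over to a real part is the method of building the opcode table from the processor's instruction-set description. It follows control flow from the reset vector rather than sweeping linearly, so a data byte that happens to equal a valid opcode is listed as data instead of being mis-decoded.

```python
"""Added example: table-driven disassembler for a constructed 8-bit instruction set.

The ISA, opcode table and ROM image are hypothetical and describe no real device.
"""
from dataclasses import dataclass

# Hypothetical opcode map: opcode byte -> (mnemonic, operand fields).
# "r" = one register byte, "imm8" = one byte, "addr16" = two bytes little-endian.
OPCODES = {
    0x00: ("NOP", ()),
    0x01: ("RET", ()),
    0x10: ("LDI", ("r", "imm8")),
    0x11: ("LD", ("r", "addr16")),
    0x12: ("ST", ("r", "addr16")),
    0x20: ("ADD", ("r", "r")),
    0x30: ("JMP", ("addr16",)),
    0x31: ("JZ", ("addr16",)),
    0x32: ("CALL", ("addr16",)),
}
FIELD_SIZE = {"r": 1, "imm8": 1, "addr16": 2}
BRANCHES = {"JMP", "JZ", "CALL"}   # addr16 operand is a code address
FLOW_END = {"JMP", "RET"}          # execution never falls through to the next byte


@dataclass
class Insn:
    addr: int
    raw: bytes
    mnemonic: str
    fields: tuple
    operands: tuple


def decode(image: bytes, base: int, off: int):
    """Decode one instruction at image[off]; None for an unknown opcode or truncated operands."""
    entry = OPCODES.get(image[off])
    if entry is None:
        return None
    mnemonic, fields = entry
    size = 1 + sum(FIELD_SIZE[f] for f in fields)
    if off + size > len(image):
        return None
    ops, pos = [], off + 1
    for f in fields:
        ops.append(int.from_bytes(image[pos:pos + FIELD_SIZE[f]], "little"))
        pos += FIELD_SIZE[f]
    return Insn(base + off, image[off:off + size], mnemonic, fields, tuple(ops))


def reachable_code(image: bytes, base: int, entry: int) -> set:
    """Recursive descent from the entry point: every address that can execute is code."""
    code, work, seen = set(), [entry], set()
    while work:
        pc = work.pop()
        while base <= pc < base + len(image) and pc not in seen:
            seen.add(pc)
            insn = decode(image, base, pc - base)
            if insn is None:          # undecodable byte: stop following this path
                break
            code.update(range(insn.addr, insn.addr + len(insn.raw)))
            if insn.mnemonic in BRANCHES:
                work.append(insn.operands[insn.fields.index("addr16")])
            if insn.mnemonic in FLOW_END:
                break
            pc += len(insn.raw)
    return code


def disassemble(image: bytes, base: int, entry: int) -> list:
    """Listing with decoded instructions in reachable code and DB directives elsewhere."""
    code = reachable_code(image, base, entry)
    rows, targets, off = [], set(), 0
    while off < len(image):
        addr = base + off
        insn = decode(image, base, off) if addr in code else None
        if insn is None:              # unreachable or undecodable: emit as data
            rows.append((addr, image[off:off + 1], f"{'DB':<4} 0x{image[off]:02X}"))
            off += 1
            continue
        text = []
        for f, v in zip(insn.fields, insn.operands):
            if f == "r":
                text.append(f"R{v}")
            elif f == "imm8":
                text.append(f"#0x{v:02X}")
            elif insn.mnemonic in BRANCHES:
                targets.add(v)        # give the target a symbolic label
                text.append(f"L_{v:04X}")
            else:
                text.append(f"0x{v:04X}")
        rows.append((addr, insn.raw, f"{insn.mnemonic:<4} {', '.join(text)}".rstrip()))
        off += len(insn.raw)
    lines = []
    for addr, raw, text in rows:
        if addr in targets:
            lines.append(f"L_{addr:04X}:")
        lines.append(f"{addr:04X}: {raw.hex(' ').upper():<11}  {text}")
    return lines


# Constructed ROM image loaded at 0x0100 with its reset vector at 0x0100.
SAMPLE_ROM = bytes.fromhex(
    "10 00 05"                  # 0100  LDI  R0, #0x05
    "11 01 20 01"               # 0103  LD   R1, 0x0120  (reads the data byte at 0x0120)
    "32 10 01"                  # 0107  CALL 0x0110
    "31 00 01"                  # 010A  JZ   0x0100
    "30 0D 01"                  # 010D  JMP  0x010D      (spin forever)
    "20 00 01"                  # 0110  ADD  R0, R1
    "12 00 21 01"               # 0113  ST   R0, 0x0121
    "01"                        # 0117  RET
    "FF FF FF FF FF FF FF FF"   # 0118  unprogrammed padding
    "2A 00"                     # 0120  data; the 0x00 would read as NOP in a linear sweep
)

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE_ROM, 0x0100, 0x0100)))
```

On a real part the opcode table is the bulk of the work: it is transcribed from the vendor's instruction-set documentation (or, when that is unavailable, inferred from known code sequences), and operand fields are rarely as regular as the three sizes used here.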

I have reverse engineered software or firmware for which no disassembler or decompiler is available. I have done this by creating my own disassembly tools based upon a knowledge of the machine code (instruction set) of the microcontroller. Sometimes it has even been necessary to bypass security features of a microcontroller in order to read out its contents. I consider myself one of the few reputable reverse engineering specialists that have the capability to do this cost effectively. (By reputable, I mean to say that pirates need not contact me. I won't help you.)