HOW TO REVERSE ENGINEER A PCB THE RIGHT WAY    

The following is a description of a reverse engineering technique that produces electrically accurate results. There are a few instructables you can find on the subject, for instance this, but from what I have seen they rely heavily on graphics manipulation, and the final result depends only on how accurately you can trace lines from a photograph. Fundamentally, what's suggested is to draw schematic lines over the photograph and place the electrical symbol of each component over its image on the PCB. Once all components are placed, the photo background is removed, the wires are straightened, the components are rearranged so the drawing makes some sense, and hopefully the emerging schematic represents the PCB.

This method has a couple of serious flaws. Aside from the fact that you need to know what each component is (so you can pick the correct symbol for it), the physical image does not correspond graphically to the schematic symbol. The two are similar for most passives and some 3-pin semiconductors, but when it comes to ICs, especially packages containing multiple instances of the same function or arrays, this method very quickly becomes so messy that it is easy to get lost, not to mention that the accuracy of the PCB-to-schematic correspondence is not 100% guaranteed.

It is much preferable to overlay the CAD's footprints on the PCB image rather than their electrical symbols: this way each component on the drawn PCB exactly matches the original photo, and it is very easy to compare the two visually. The copper traces are then drawn in the layout editor the standard way, as you would when designing any PCB.

At that point the image of the board can be removed. What follows is the standard netlist generation, but in reverse: the PCB layout software exports the netlist and the schematic capture software imports it. The netlist can be scanned for electrical errors, and all of them have to be fixed before a 100% valid schematic will emerge. This is no different from fixing errors after importing a schematic netlist into the PCB layout editor: until they are all resolved, you cannot produce an electrically functional PCB matching your schematic.

That's what I will illustrate here. For clarity I will use a very simple board: the shunt measurement board that is part of the A123 current sensor module for an electric vehicle.

I'd like to emphasize that the purpose of this document is not to hack someone else's hardware in order to reproduce it or extract some kind of proprietary information. It is to learn the tools and the reverse engineering technique. Of course, understanding the fundamentals of the circuit that emerges comes as a bonus at the end, and this is how you learn, the same as learning from designs in application notes put together by someone else. FWIW, the IC used in this design is obsolete and no longer in production, but for learning the reverse engineering skill this is not relevant. Applying this technique, in theory a PCB of any complexity can be reconstructed to its electrical schematic, but you must identify each IC and semiconductor used. Most ICs have clear markings, and as you will see, most small active parts can successfully be guessed with experience and sometimes by direct measurement.

A bit about the software I use. When it comes to reverse engineering, the Altiums, OrCADs and Cadences of this world are not the best tools for this type of job, if suitable at all. These packages claim to be the best for designing layouts (which CAD company wouldn't claim that?), but with a reverse engineering task at hand the layout is already done, so all the cool features aimed at design become kind of pointless. Also, such mammoth software packages are meant to be corporate design tools geared toward cloud connectivity and collaboration between people, revision control, real-time parts sourcing, license policing and other features that might be important if you're in a company environment and have to share native design work with others. But if you work alone, many such features are absolutely useless, especially if your PCB is already designed and all you want is to go from the finished PCB back to the source and have the CAD automatically rebuild the original schematic for you. Aside from the fact that a license seat for such commercial EDA software costs about as much as your slightly used SUV is worth, it has very limited external graphics and image manipulation features, as these are normally not required for new designs. Many such packages follow only the standard (forward) design flow as far as netlist generation goes, schematic to PCB, but not backwards, which is what's required here.

Many years ago I was lucky to stumble across an ECAD package ideal for my needs called CIRCAD, produced by Holophase Inc.: a lean and mean CAD package created by a hardware designer with just making and reverse engineering PCBs in mind. It is blazingly fast, since the entire core is written in assembly language (!), and consists of a single executable file under 6 MB. Weight-wise CIRCAD compares to most modern ECAD packages the same way DOS compares to Windows; functionality-wise, however, it has everything you'd need for straightforward modern schematic capture and PCB design, unless your work is very specialized.

The original CIRCAD was later modernized using the OmniGlyph engine. Unfortunately, this CAD is no longer supported, but I believe an eval copy can still be downloaded. It won't let you produce Gerber files, but that's not required for this job; you're not designing a PCB for manufacturing. CIRCAD can not only design professional quality PCBs but also reverse engineer them: the PCB layout and schematic capture parts of the software are "symmetrical", so the design flow can go either way. This unique feature is what I exploit every time I need to reconstruct a PCB. Granted, you can use any ECAD software for this job, but the tutorial below is based on CIRCAD.

Other than that, the only software you'd need is a graphics utility to change the resolution and enhance a photo. I use Photoshop, but there are plenty of other programs that allow just that. Granted, you'd also need a digital camera, or, if your PCB is fairly flat, you might obtain decent results with a flatbed scanner.


So, I wanted to reconstruct this CSM (Current Sensing Module) design developed by A123 Systems. I extracted this module from a Better Place EV that I took apart (a Nissan Qashqai EV, if you're curious). Here is a photo of the unit:

 

It consists of the main controller PCB and the shunt measurement module, connected by a 10-pin header hard-soldered into both boards. The current shunt is connected directly to the PCB using a Kelvin connection:

 

I must say, the small board could have been soldered in straighter. But of course electrically it makes no difference.

Here is a closer look:

 

For the purposes of this write-up, I'll reverse engineer just this module, because its simplicity will keep this tutorial short, yet it will describe each critical step and have all the info one would use for a larger project. A larger project will just be exponentially more tedious, but the steps are all the same.

The measurement circuit is based on the AS8501 IC (obsolete by now), manufactured by AMS systems. First you should always try to obtain the original datasheets and specs for all the parts you can identify. Here is its pinout and what's inside:

 

 

It is packaged in a standard wide SO-16 package. Granted, you have to have all the packages used on the PCB you're reverse engineering defined in your footprint library. The same goes for schematic symbols: it is unlikely that something as obscure as the AS8501 is in your library, but in CIRCAD it takes no more than 5 minutes to grab any 16-pin IC symbol, rename the pins according to the datasheet and re-save it under a different name.

Next I separated this PCB from the main controller PCB, unsoldered the shunt and cleaned the pads using solder wick. For such a small board it was convenient to use a "helping hand", a small jig made for this purpose. I've modified it by replacing the crocodile clips with plain wooden clothes pins. Wood won't damage the PCB, won't melt and won't sink heat when you work on your boards, not to mention it is easily replaceable.

 

So here is what the PCB looks like, front and back:

  

 

From the AS8501 spec it became clear that the shunt used for the measurement has 0.1 milliohm resistance, which produces 30 mV across it when the rated 300 A current flows through it. To confirm this, I measured the shunt resistance. To resolve such a low value, you pass a fixed, known current through the shunt using a Kelvin connection and measure the voltage drop. Here is what the test looks like. The current was 3 A.

  

 

Considering the accuracy of this quick setup I'd call this 0.3 mV, which corresponds to 100 µOhm.

The board dimensions are 54.90 x 20.25 mm. We will need these numbers to scale down the photo, which should have been taken at the highest resolution your camera allows.

Next you decide how to scale it. You can compress and resample the image, or you can increase its resolution setting so it will appear smaller once imported into CAD.

Resampling will make the file smaller, but a deep zoom-in will be badly pixelated. Compare the resolution increase (top) and resampling (bottom):

 

If you want to resample, here is the CIRCAD graphics manipulation menu you will appreciate:

 

You specify a target in each corner of the image and the corresponding target on the board drawing.

 

CIRCAD will remap each pixel, compressing the image to fit. If the photo was not taken straight on and one side is longer than the other, giving the board a trapezoid appearance, that is not a problem: CIRCAD will reshape the board image to map each target point to the point on the layout drawing you specify:

 

There is no need for this step if you pre-process the image. I increased the resolution setting of the front and back images of the board from 300 dpi to 1110 dpi to make the image size match the specified dimensions.
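The two scaling options above are just geometry, and it helps to see what the CAD is doing. The following is an added Python example (mine, not CIRCAD code and not from the original page): required_dpi() computes the resolution setting that makes an image of a given pixel size come in at the board's real dimensions without resampling, and homography() does the four-corner remap, solving for the projective transform that takes the four pixel targets marked on the photo to the four board-outline corners specified on the drawing, so a trapezoidal (off-axis) photo lands straight. The 54.90 x 20.25 mm outline is from the page; the pixel coordinates are constructed for illustration.

```python
"""Scaling a board photo onto the layout: dpi setting vs. four-corner remap.
Added example; the board size is from the page, the pixel figures are constructed."""

BOARD_W_MM, BOARD_H_MM = 54.90, 20.25   # board outline from the page


def required_dpi(pixels, length_mm):
    """Resolution setting that makes `pixels` pixels span `length_mm` millimetres.
    Changing only this tag keeps every pixel (no resampling); the image simply
    imports smaller."""
    return pixels / (length_mm / 25.4)


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting: solve a.x = b (square a)."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("degenerate targets (three corners collinear?)")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def homography(src, dst):
    """3x3 projective transform mapping four photo targets (pixels) onto the
    four matching board-drawing points (mm): eight unknowns, eight equations,
    one pair per coordinate of each corner."""
    if len(src) != 4 or len(dst) != 4:
        raise ValueError("exactly four point pairs are needed")
    rows, rhs = [], []
    for (x, y), (u, v) in zip(src, dst):
        rows.append([x, y, 1, 0, 0, 0, -u * x, -u * y]); rhs.append(u)
        rows.append([0, 0, 0, x, y, 1, -v * x, -v * y]); rhs.append(v)
    h = solve_linear(rows, rhs) + [1.0]          # h33 fixed to 1
    return [h[0:3], h[3:6], h[6:9]]


def remap(h, x, y):
    """Map one photo pixel (x, y) to board coordinates (u, v) in mm."""
    w = h[2][0] * x + h[2][1] * y + h[2][2]
    u = (h[0][0] * x + h[0][1] * y + h[0][2]) / w
    v = (h[1][0] * x + h[1][1] * y + h[1][2]) / w
    return u, v


# Constructed example: a photo taken slightly off-axis, so the board outline
# appears as a trapezoid in pixel coordinates (top-left, top-right,
# bottom-right, bottom-left), paired with the corners of the drawn outline.
PHOTO_CORNERS = [(120, 80), (2310, 95), (2280, 890), (140, 870)]
BOARD_CORNERS = [(0.0, 0.0), (BOARD_W_MM, 0.0),
                 (BOARD_W_MM, BOARD_H_MM), (0.0, BOARD_H_MM)]
H = homography(PHOTO_CORNERS, BOARD_CORNERS)

if __name__ == "__main__":
    print("dpi tag for a 2399 px wide image of this board:",
          round(required_dpi(2399, BOARD_W_MM)))
    # the corners land exactly; a point on the photo's top edge lands on v = 0
    for p in PHOTO_CORNERS + [(777, 84.5)]:
        print(p, "->", tuple(round(c, 3) for c in remap(H, *p)))
```

Because the transform is projective rather than a plain stretch, straight edges in the photo stay straight on the drawing, which is why the pads still line up after the remap even though the photo was not square to the board.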

 

Here is what the imported high-resolution images look like (the top image, of the back side, was flipped along the X axis) so the holes coincide and tracks can be drawn on both the top and bottom layers:

 

You start off replicating the layout by defining the size of the pads and dropping them on the board. There are just a handful of types, and you can visually adjust them to match the photo. All the pads of the same type get adjusted globally with one command, which is very convenient. Below, all the ground pads get assigned the "GND" name. I also drew the tracks on the bottom first; it is simpler because there are no components there:

 

Each pad gets adjusted to match the actual original:

 

You don't need to be very precise here unless your goal is to reproduce the actual board. As long as copper meets a pad and the electrical connection is established, a valid netlist will be generated and the original schematic will be reconstructed error free.

At this point you can move the image out of the way, but don't delete it yet. Here is what you'll be left with:

 

Next the back gets flooded with copper and starts looking like the real thing:

 

Here is the outcome of the flood fill:

 

Next, the top side. You just drop the footprints from your library right onto the respective components on the image and draw all visible tracks:

 

Detail of this step: you can see routing starting from pin 4 of the SOT23-5 package:

 

When this step is completed, place the reference designators on the silkscreen layer, right over the image. When done and the image is moved away, the board layout looks like this:

 

Both layers displayed here:

 

The tracks directly under the AS8501 are not visible, but I was confident that the H1 and H3 connection points of the shunt must be joined together, as they are grounded, and so must points H2 and H4, to provide the Kelvin connection to the IC. I decided to unsolder the chip to see the shape of the tracks under it. You can use a hot air workstation for this, but for small ICs it is quicker to use a special dual-jaw soldering iron. Usually this method preserves the tracks and the IC, in case later on you'd want to put the chip back and restore functionality. Here is a close-up photo of the AS8501 removal; the board is in the same jig as before.

 

With the tracks on top drawn, here is what the complete layout looks like:

 

You can recognize the competently laid out Kelvin connection from both the H2 and H4 points to pin 2 (shunt input) of the AS8501.

At this point the entire layout is electrically reconstructed, so I'll let the CAD scan all the nets and assign the same net name to all the tracks connected together:

 

Once that is done and no errors are reported, I no longer need to mess with the graphics or photos of the PCB; they can be removed from the layout. Electrically, all the interconnections are saved in the netlist.
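The net scan just described, together with the electrical error check of the exported netlist mentioned at the start of the article, reduces to a connectivity problem: every pad and track whose copper touches must end up with the same net name, and any group that spans two differently pre-assigned names (say a track accidentally bridging GND and Vdd), or that contains a single pad, is an error the CAD reports before a valid schematic can be imported. The following Python is an added example, not CIRCAD code and not from the original page, that implements that scan with union-find over a constructed miniature layout in mm. The pad and track coordinates are made up; the H1..H4 and GND names mirror the board in the text, and U1, C1, J1 and TP1 are stand-ins.

```python
"""Net extraction and electrical check over a reverse-engineered layout.
Added example with a constructed sample layout; coordinates are in mm."""
import math

# Pads: name -> (x, y, radius, pre-assigned net name or None).
PADS = {
    "H1": (2.0, 2.0, 1.0, "GND"),        # shunt outer points, grounded
    "H3": (2.0, 18.0, 1.0, "GND"),
    "H2": (5.0, 6.0, 1.0, None),         # shunt Kelvin sense points
    "H4": (5.0, 14.0, 1.0, None),
    "U1-2": (20.0, 10.0, 0.5, None),     # measurement IC, shunt input pin
    "U1-8": (20.0, 2.0, 0.5, None),      # measurement IC, ground pin
    "C1-1": (30.0, 10.0, 0.6, None),     # bypass capacitor
    "C1-2": (30.0, 2.0, 0.6, None),
    "J1-VDD": (50.0, 10.0, 0.8, "VDD"),  # header
    "J1-GND": (50.0, 2.0, 0.8, "GND"),
    "TP1": (45.0, 18.0, 0.6, None),      # deliberately left unconnected
}
# Tracks: ((x1, y1), (x2, y2), width).
TRACKS = [
    ((2.0, 2.0), (2.0, 18.0), 0.5),      # H1 - H3 ground link
    ((2.0, 2.0), (50.0, 2.0), 0.5),      # ground bus past U1-8, C1-2, J1-GND
    ((5.0, 6.0), (20.0, 10.0), 0.5),     # Kelvin sense H2 -> U1-2
    ((5.0, 14.0), (20.0, 10.0), 0.5),    # Kelvin sense H4 -> U1-2
    ((30.0, 10.0), (50.0, 10.0), 0.5),   # VDD to the bypass capacitor
]


def _dist_point_segment(p, a, b):
    """Shortest distance from point p to the segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    length_sq = dx * dx + dy * dy
    if length_sq == 0.0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / length_sq))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


class _UnionFind:
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def extract_nets(pads, tracks):
    """Group pads into nets by copper contact. Returns (nets, errors): nets maps
    a net name to its sorted pad list; errors lists shorts between pre-named
    nets, split nets and single-pad (unconnected) nets."""
    uf = _UnionFind(list(pads) + [("T", i) for i in range(len(tracks))])
    # a pad touches a track when the pad circle overlaps the track copper
    for name, (x, y, r, _) in pads.items():
        for i, (a, b, w) in enumerate(tracks):
            if _dist_point_segment((x, y), a, b) <= r + w / 2:
                uf.union(name, ("T", i))
    # two tracks touch when an endpoint of one lies on the other's copper
    for i, (a, b, w) in enumerate(tracks):
        for j, (c, d, w2) in enumerate(tracks):
            if i < j and any(_dist_point_segment(p, c, d) <= (w + w2) / 2 for p in (a, b)):
                uf.union(("T", i), ("T", j))
    groups = {}
    for name in pads:                      # insertion order keeps numbering stable
        groups.setdefault(uf.find(name), []).append(name)
    nets, errors, unnamed = {}, [], 0
    for members in groups.values():
        labels = sorted({pads[m][3] for m in members if pads[m][3]})
        if len(labels) > 1:
            errors.append(f"short: nets {', '.join(labels)} are joined ({len(members)} pads)")
        if len(members) == 1:
            errors.append(f"unconnected pad: {members[0]}")
        if labels:
            net_name = labels[0]
        else:
            unnamed += 1
            net_name = f"N${unnamed}"
        if net_name in nets:               # same name reached from two islands
            errors.append(f"split net: {net_name}")
            nets[net_name] = sorted(nets[net_name] + members)
        else:
            nets[net_name] = sorted(members)
    return nets, errors


if __name__ == "__main__":
    nets, errors = extract_nets(PADS, TRACKS)
    for net, pins in nets.items():
        print(f"{net:6s} {' '.join(pins)}")
    print("errors:", errors or "none")
    # one mis-drawn track between the capacitor's pads bridges VDD to GND
    _, errors2 = extract_nets(PADS, TRACKS + [((30.0, 10.0), (30.0, 2.0), 0.5)])
    print("with the bridging track:", errors2)
```

Run as is, the scan reports the ground net, the Kelvin net for the shunt input, the supply net and the dangling test pad; with the extra track it flags the short between VDD and GND. A split net (two islands both labelled GND) is reported as well, which is the usual symptom of a track you forgot to draw under a component.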

All that's left in the layout portion of the software is to make sure each footprint I placed on the board is assigned the name of its respective symbol, so it can be placed automatically on the schematic sheet. Here is that step: other than the R and C symbols, there are voltage regulator symbols (because they have 5 pins) and the AS8501 symbol I'm going to make below.

 

When completed, the netlist can be exported:

 

This was the last operation in the layout part of the work. Now the netlist gets imported into the schematic capture part. For that to work, all the schematic symbol names the netlist calls for must be present in the symbol library. So I had to create the AS8501 symbol, but it is literally a 5-minute job: all you do is grab any existing 16-pin IC symbol, edit the pin names to match the spec directly, and save it as the new "AS8501" symbol. Here:

 

I wouldn't worry about the contents of the 5-pin SOT23 and SOT323 ICs for now. Once the schematic emerges it should be clear what those can possibly be. For now I just use a generic box with pins numbered 1 through 5.

Let's import the netlist into schematic capture:

 

All the symbols were found in the library and placed along the bottom of the sheet, but some pin names we assigned in the layout do not match the defaults in the library. For instance, the J1 header footprint has pins named J1-GND and J1-Vdd, but the electrical symbol has pins just numbered 1 through 10. Not a problem: once the symbol is placed on the schematic sheet, you can directly edit each mismatching pin to match the respective pad of the footprint. When this is done, we can display the ratsnest showing the interconnections between each component, and this will aid in dragging the symbols around so the schematic makes sense. This part is more intuition and experience than science, and it also depends on your style of drawing schematics:

 

Starting with the AS8501, you reposition it in the middle of the sheet. All ratsnest lines will rubber-band and follow the symbol. Once it is in place you can bring the resistors and capacitors close to it. Usually components close together on the layout are also near each other on the schematic, but not always. Once you place a symbol you can draw schematic "wires" following the ratsnest lines, which disappear when the wire connection is completed. Here is the repositioning of the IC and "routing" of the schematic in progress:

 

    

 

A dragged component is still connected with ghost ratsnest lines, which aid in finding its new placement location.

 

As the schematic emerges, you can outline a group of already pre-wired components and move it so it makes logical sense.

Once in the new location, all vertices will be straightened, and it will look neat and tidy:

 

Here all the connections specified by the ratsnest lines are made, and the values of the components are edited. You can look at the marking on the package (ICs) or just measure the values (resistors). Ceramic capacitors are never marked. First stab at the complete schematic:

 

Both unidentified 5-pin ICs have pin 2 grounded and pin 5 connected to Vdd. What could these be? There are connections to pins 1 and 2 of the header, and I traced them to the main CPU. It is unlikely these are inputs, because they are connected through a couple of resistors directly to the shunt; it would totally obscure the measurements, as the voltage drop on the shunt is just hundreds of microvolts. Assuming pins 1 and 2 are outputs then, I see that they are connected to pin 1 of both ICs, the usual output pin number for an op amp or comparator in a SOT23 package. In my experience virtually all standard single op amps in SOT23 have power and ground on pins 5 and 2 respectively, and the schematic confirms this. An additional clue is that the resistors between the outputs (pin 1) and the inverting inputs (pin 4) have different values, which signifies feedback gain settings, which in turn tells me these are not comparators but real op amps. The non-inverting inputs are connected together after noise-filtering RC networks; this must be some fixed reference voltage defining the initial offset. Since these are connected to IC5, and the other end of IC5 is connected only to the Vdd supply, I'm pretty sure IC5 is a voltage reference providing this offset. It just makes sense that the inputs of the op amps are also connected to the shunt: the amplified voltage is then output through pins 1 and 2 of the header and read by the analog inputs of the CPU for further processing.

With this in mind, I replaced the IC1 and IC2 symbols with op amps and rearranged the schematic so it makes logical sense to me:

 

From what emerged here it became absolutely clear how this measurement board works! The AS8501 digitizes the measurements and outputs them through a serial bus resembling SPI; the AS8501 spec describes this communication protocol in detail. The same signal is fed into two inverting op amp amplifiers whose gains are set to 22.5 and 90 (exactly 4x apart) based on the ratios of the feedback to input resistor values. The maximum input voltage measured by the AS8501 is programmable and can be set by software to measure from <10 mV to almost 1 V on the shunt at full scale. I placed values on the schematic assuming +/-30 mV corresponding to +/-300 A battery current through the 100 µOhm shunt.

Based on the reference voltage dividers and gains, the outputs will sit at 2.7 VDC with zero shunt current (idle) and swing between 0 V and +5 V for a shunt current of +/-300 A for IC1, and 4x that, or +/-1,200 A, for IC2. These are not as precise a measurement as provided by the AS8501, but they don't have to be: they serve only to determine the current range, so the gain of the AS8501 can be reconfigured on the fly to accommodate it. The actual current measurement through the shunt is done only by the AS8501. Why is the idle output voltage not centered around 2.5 VDC but sitting at 2.7 VDC? Because the vehicle's maximum drive current is bigger than the regen current, so the outputs must have more headroom (2.7 V to 0 V) for positive current measurements than the 5-2.7=2.3 V for negative currents.
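To put numbers on the two paragraphs above, here is an added Python example (mine, not from the original page) of the op amp range-detector arithmetic. It assumes the topology the text describes: an inverting amplifier with gain G = Rf/Ri and the reference on the non-inverting input, so Vout = Vref*(1+G) - G*Vshunt, with a single 5 V supply and rail-to-rail outputs, and positive (drive) current pulling the output down. The 100 µOhm shunt, the 2.7 V idle output and the gains 22.5 and 90 are from the page; assigning the gain of 90 to IC1 and 22.5 to IC2 is my reading of the statement that IC1 covers +/-300 A and IC2 four times that.

```python
"""Op amp range-detector arithmetic for the shunt board (added example)."""

SHUNT_OHMS = 100e-6      # 0.1 milliohm shunt, as measured on the page
V_IDLE = 2.7             # output with zero shunt current, from the page
V_SUPPLY = 5.0           # single 5 V supply; rail-to-rail output is an assumption
GAINS = {"IC1": 90.0, "IC2": 22.5}   # Rf/Ri; which IC has which gain is an assumption


def shunt_voltage(current_a, r_shunt=SHUNT_OHMS):
    """Voltage across the shunt for a given battery current (positive = drive)."""
    return current_a * r_shunt


def reference_voltage(gain, v_idle=V_IDLE):
    """Reference the non-inverting input needs so the idle output is v_idle.
    With Vout = Vref*(1+G) - G*Vshunt and Vshunt = 0: Vref = Vidle / (1+G)."""
    return v_idle / (1.0 + gain)


def amp_output(current_a, gain, v_idle=V_IDLE, v_supply=V_SUPPLY):
    """Output of one inverting stage, clipped to the supply rails."""
    v_out = v_idle - gain * shunt_voltage(current_a)
    return min(max(v_out, 0.0), v_supply)


def current_range(gain, v_idle=V_IDLE, v_supply=V_SUPPLY):
    """(i_drive_rail, i_regen_rail): the currents at which the output reaches
    0 V and v_supply. Drive current pulls the output down, so it gets the
    larger headroom (v_idle down to 0 V); regen only has v_supply - v_idle."""
    i_drive = v_idle / (gain * SHUNT_OHMS)
    i_regen = -(v_supply - v_idle) / (gain * SHUNT_OHMS)
    return i_drive, i_regen


def range_table():
    """Per stage: implied reference voltage and the current at each rail."""
    return {name: {"vref": reference_voltage(g),
                   "drive_rail_a": current_range(g)[0],
                   "regen_rail_a": current_range(g)[1]}
            for name, g in GAINS.items()}


if __name__ == "__main__":
    for name, row in range_table().items():
        print(f"{name}: Vref={row['vref']:.4f} V, 0 V at {row['drive_rail_a']:+.0f} A, "
              f"5 V at {row['regen_rail_a']:+.0f} A")
    for i in (-300, 0, 150, 300, 1200):
        print(f"{i:+5d} A -> IC1 {amp_output(i, GAINS['IC1']):.2f} V, "
              f"IC2 {amp_output(i, GAINS['IC2']):.2f} V")
```

The table shows why the 2.7 V idle point matters: with a gain of 90 the output reaches 0 V at exactly +300 A but clips at 5 V around -255 A, so the asymmetric offset buys headroom on the drive side at the expense of regen, which is the trade-off the text describes.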

Finally, IC4: its type is not known, but based on its filtered input into pin 4 and no other connections, it is safe to assume it is a linear analog temperature sensor.

That's about it.

Bottom line of the exercise: the CAD took care of the electrical connectivity for me, so I'm 100% positive that the reconstructed schematic above represents the actual hardware I photographed. This technique can certainly be scaled up for more serious reverse engineering. It is not hard and is actually a very straightforward process; it just gets exponentially more tedious for larger boards. Very determined users can reverse engineer multilayer boards the exact same way, but deprocessing the PCB itself to take clear photos of each inner layer will require precise grinding, on a large polishing wheel or by hand, and taking photos of each emerging layer.

Happy learning!
Victor Tikhonov
Metric Mind Engineering