re:trace — PCB Reverse Engineering Toolkit

No Design Files

Works from a photograph alone. No Gerbers, no schematics, no vendor cooperation needed. Point your phone at a board.

Security-First

Every output is threat-informed. CVSS scoring, MITRE ATT&CK mapping, attack path visualization, debug interface enumeration.

Zero ML Dependencies

YOLO and EasyOCR are optional. Core pipeline runs on pure Python with OpenCV. Works air-gapped on classified networks.

Pipeline

Nine stages. One command. No design files required.

🔍

Detect

YOLO v8 / OpenCV

→

📜

OCR

EasyOCR

→

🔌

Trace

HSV+LAB / Zhang-Suen

→

🎯

Identify

128-part fuzzy DB

→

🧠

Infer

AC-3 constraint

→

💡

Advise

Bayesian entropy

→

🛡

Analyze

CVSS / ATT&CK

→

📌

Pinout

Probe diagrams

→

📦

Export

SVG / HTML / KiCad

Interactive Analysis Layers

One SVG. Nine layers. Ten view presets. Three rendering styles. Like switching between Satellite and Terrain on Google Maps.

Rendering Styles

📷

Photo

Board image with translucent overlays. Default mode — like Google Maps satellite view.

📐

Schematic

Vector-only, no photo. Opaque component outlines, thick traces, bold labels. Like Google Maps roadmap.

☢

X-Ray

Dimmed photo with high-contrast overlays. Everything visible at once. Hybrid satellite + roadmap.

View Presets

Satellite

Board photo only. Clean view for orientation.

Analysis

Components + traces + BOM. Default RE view.

Schematic

Vector-only with net labels and grid.

X-Ray

All layers with dimmed photo. Full visibility.

Attack Surface

Security findings + attack path arrows.

Recon

Pentester first look: security + power rails.

Power Map

VRMs, LDOs, rails, decoupling caps.

Zones

Functional zone overlay: CPU, memory, power.

Debug

Debug interfaces + net classification.

All Layers

Everything visible. Full analysis mode.

retrace scan board.jpg --format svg — self-contained SVG with JavaScript layer controls. Open in any browser.

Board Analysis

Two targets. Both analyzed from photos alone.

Cisco ASA 5506-X V05

Enterprise firewall — Thrangrycat target (CVE-2019-1649)

JTAG CVSS 7.6 UART CVSS 6.8 177 components 88 traces

Cisco ASA 5506-X — annotated board overlay with 177 components

Intel Atom C2508 · Xilinx Spartan-6 Trust Anchor · 4× DDR3 ECC · W25Q128JV SPI flash

Cisco ASA 5506-X — Thrangrycat attack path

JTAG (J15) → CPU (U1) → FPGA (U6) ← unencrypted SPI flash (U7)

16 zones — CPU, memory, VRM, network, Trust Anchor FPGA

Grouped by type · confidence bars · part numbers

Cisco ASA 5506-X — interactive layered SVG with 9 layers, 3 rendering styles

9 layers · 10 presets · 3 styles (Photo / Schematic / X-Ray) · Open full SVG →

JTAG (J15) · 20-pin ARM standard · J-Link / Bus Pirate / FTDI wiring

UART (J10) · TX/RX/GND · Bus Pirate / FTDI FT232 wiring · Common baud rates

Xbox One Model 1540

Gaming console — AMD Liverpool APU (Durango)

JTAG CVSS 7.6 150 components 68 traces

AMD Liverpool APU (BGA-1170) · 8× SK Hynix DDR3 · Southbridge X861949

JTAG (J5) → APU (U1) → eMMC (U8) · Southbridge (U9)

Xbox One Model 1540 — 12 functional zones

12 zones — CPU, memory, power, I/O, debug, storage, network

150 components · OCR confidence · part identification

Xbox One Model 1540 — interactive layered SVG

9 layers · 10 presets · 3 styles · Open full SVG →

JTAG (J5) · 20-pin ARM standard · J-Link / Bus Pirate / FTDI / OpenOCD wiring

Security Findings

Automatically detected debug interfaces with CVSS 3.1 scoring and MITRE ATT&CK mapping.

Severity	CVSS	Interface	Target	Component	CWE	ATT&CK
HIGH	7.6	JTAG	Cisco ASA 5506-X	J15	CWE-1191	T1200, T0839
MEDIUM	6.8	UART	Cisco ASA 5506-X	J10	CWE-1299	T1200
HIGH	7.6	JTAG	Xbox One 1540	J5	CWE-1191	T1200, T0839

Component Intelligence

Every identified IC is enriched with security-relevant datasheet specs. Debug interfaces, boot mode pins, readout protection, JEDEC IDs, flashrom commands — actionable intel for hardware hackers.

MCU Debug Intel

42 microcontrollers with JTAG/SWD interfaces, BOOT mode pins, readout protection levels (RDP, APPROTECT, lock bits). STM32, ESP32, nRF52, AVR, PIC, RP2040.

JTAG · SWD · debugWIRE · ISP · Spy-Bi-Wire

Flash Extraction

9 SPI NOR flash chips with JEDEC IDs, read commands, write-protect pin locations, and exact flashrom command lines. Winbond, Macronix, GigaDevice, ISSI, Infineon.

JEDEC ID · flashrom · SOIC-8 pinout · WP# bypass

FPGA Bitstreams

4 FPGAs with configuration interfaces, JTAG chain info, bitstream formats, and toolchains. Xilinx Artix-7 and Spartan-6, Lattice iCE40 (open-source reversible), Intel MAX 10.

Vivado · ISE · Yosys+icestorm · Quartus

Secure Elements & TPMs

8 crypto/trust chips with I2C/SPI addresses, FIPS/CC certifications, key storage capabilities, and attestation protocols. ATECC608, SE050, SLB9670, STSAFE.

TPM2_Quote · EK cert · CC EAL4+ · ECDSA P-256

Power Rails

26 voltage regulators with output voltages, enable pins, input ranges, and topology. LDO, buck, boost, buck-boost. Know which rail to glitch.

EN pin · Vout · topology · current rating

IC Pinout Diagrams

Schematic-style package diagrams for SOIC-8, TQFP-48, QFN-24, and TSOP-48 packages. Quad-sided rendering with function-group colors and security intel panels. Flash chips include extraction cheat sheets.

W25Q128JV · AT24C256 · STM32F103 · iCE40UP5K

Power Tree Diagram

Standalone schematic-style power delivery topology. Shows power flow from input sources through VRMs/LDOs to load ICs with voltage rail labels and decoupling cap counts.

Example power tree · auto-classifies sources, regulators, loads

Bus Topology Graph

Circular graph showing component interconnections via inferred protocol buses. Auto-detects SPI, I2C, UART, JTAG, USB, SDIO, PCIe, and DDR from trace context and component markings.

Example topology · 8 bus protocols · color-coded legend

119 of 128 components enriched with security intel · CSV/JSON exports include flattened intel columns

What Makes re:trace Different

Not just detection — inference, optimization, and learning across boards.

Bayesian Probe Advisor

Stop guessing where to put your multimeter. The probe advisor maintains a Dirichlet belief distribution per unresolved node and ranks every point by expected Shannon entropy reduction.

Pin-name priors give 10× weight to likely labels. After each measurement, beliefs collapse at the probed node and propagate through union-find groups. Voltage, resistance, and continuity readings are auto-classified to net labels.

6–10

measurements to converge

O(n)

vs O(n²) brute-force

4.8

bits avg info gain

$ retrace advise board.jpg

Top 5 Probe Recommendations (269 nodes, Dirichlet belief)

#1 U1.DDR3_DQ0 EIG: 4.807 bits VCC_CORE (3.6%)

#2 U1.DDR3_A0 EIG: 4.807 bits VCC_CORE (3.6%)

#3 U1.PCIE_TX0 EIG: 4.807 bits VCC_CORE (3.6%)

#4 U1.PCIE_RX0 EIG: 4.807 bits VCC_CORE (3.6%)

#5 U1.SATA_TX EIG: 4.807 bits VCC_CORE (3.6%)

> Feed measurements back with retrace advise --update

AC-3 Constraint Solver

Trace extraction from photos is inherently partial — expect 40–70% recovery. The constraint solver infers the rest using pinout rules, proximity heuristics, and arc consistency propagation.

Pinout rules enforce MCU VDD→power, GND→ground. Proximity rules link decoupling caps to nearby IC power pins. Differential pair detection, union-find merging of traced connections, and AC-3 propagation iteratively prune impossible values. Runs in O(ed³) — fast enough for real-time probe feedback loops.

85–95%

gaps resolved

88

iterations on Cisco ASA

<50ms

propagation time

$ retrace solve board.jpg

AC-3 iterations: 88 | 269 nodes | 3 inferred

[POWER] U1.VCC, U2-U5.VDD, U6.VCC, U10-U12.VIN

[GROUND] U1.GND, J1-J9.GND, J10-J15.GND (36 nodes)

Inferred: U1.VCC ↔ U11.SW (VRM → CPU core)

Inferred: U6.TRUST_VERIFY ↔ U11.SW (FPGA via rail)

Cross-Board Learning

Every scan builds a persistent knowledge base. The more boards you analyze, the faster the next one goes. 15 subcircuit patterns transfer automatically between targets.

Recognizes LDO supplies, buck converters, crystal oscillator circuits, SPI flash circuits, I2C pull-up pairs, USB ESD protection, H-bridges, reset circuits, and 7 more. Component frequency tracking shows which parts appear most across your fleet. Extensible via the plugin system.

15

built-in patterns

128

component DB

∞

extensible via plugins

$ retrace cross-board board.jpg

Subcircuit Pattern Matches

✓ ldo_supply U10 + C12, C13 — 3.3V LDO regulator

✓ buck_converter U11 + L1 + C14 — 1.8V switching reg

✓ spi_flash U7 + R3, R4 + C8 — W25Q128JV

✓ crystal_osc Y1 + C2, C3 — 25MHz reference

✓ decoupling_pair C20, C21 near U1 — bulk+bypass

5 patterns matched · 119/128 parts with intel

Case Study: Thrangrycat (CVE-2019-1649)

Cisco's Trust Anchor module is a Xilinx Spartan-6 FPGA that verifies boot image integrity on ASA, IOS-XE, and NX-OS. The FPGA loads its bitstream from an external SPI flash (W25Q128JV) at power-on — and that bitstream is not authenticated or encrypted. re:trace maps this entire attack path automatically from a board photo: identifies the FPGA, traces the SPI flash connection, flags the unencrypted bitstream, and marks the JTAG header that provides initial access.

JTAG (J15) → CPU (U1) → FPGA (U6) ← SPI Flash (U7) = Unencrypted Bitstream

Same attack surface exploited by the ArcaneDoor state-sponsored campaign (2024) — CISA Emergency Directive ED 25-03

Hardware pentesting Supply chain verification Incident response CTF challenges Academic research Product teardowns Fault injection recon Counterfeit detection

Assessment Reports

Self-contained HTML deliverables. Sortable BOM, datasheet hyperlinks, print-friendly. What a consultancy ships to clients.

Cisco ASA 5506-X V05

Enterprise firewall assessment. Intel Atom C2508, Xilinx Spartan-6 Trust Anchor, Thrangrycat attack path mapped. 5 findings, 177 components, 88 traces.

CVSS 7.6 (HIGH) · CWE-1191, CWE-1299 · T1200, T0839

Xbox One Model 1540 (Durango)

Gaming console assessment. AMD Liverpool APU, 8x DDR3 banks, Southbridge X861949, SK Hynix eMMC. 1 finding, 150 components, 68 traces.

CVSS 7.6 (HIGH) · CWE-1191 · T1200, T0839

Export Formats

Every artifact from a single scan.

KiCad Netlist

Reconstructed schematic netlist. Components mapped to KiCad footprint libraries, nets from trace extraction.

cisco.net (54 KB) · xbox.net (44 KB)

BOM (JSON / CSV)

Machine-readable bill of materials. Part numbers, markings, confidence scores, datasheet URLs.

cisco_bom.json · xbox_bom.json

Detection JSON

Raw pipeline output. Component bounding boxes, trace polylines, pattern matches, timing metadata.

cisco_detection.json · xbox_detection.json

Pinout Diagrams

Annotated debug header close-ups with pin labels and probe wiring guides for J-Link, Bus Pirate, FTDI, and ST-Link.

cisco JTAG · cisco UART · xbox JTAG

Interactive Layered SVG

Self-contained SVG with 9 layers, 10 presets, and 3 rendering styles. Switch views like Google Maps Satellite/Terrain/Roadmap.

cisco interactive · xbox interactive

Power Tree & Bus Topology

Power delivery topology from input through VRMs to loads. Bus topology graph with auto-detected SPI, I2C, UART, JTAG, USB, PCIe, DDR connections.

Power tree · Bus topology

Probe Plan & Solver Output

Bayesian probe advisor output and AC-3 constraint solver results. Machine-readable for automated test rigs or field assessment notes.

cisco probe plan · cisco solver