Monday, 25 February 2013

DIY decapping machine: The Decapinator part 1


I have previously discussed the "plink plink fizz" method of decapping here, but what I really need to do is selectively etch away a certain portion of a chip so that I can probe it whilst it is in situ on the board. This is not possible with the plink plink fizz method, as it removes the package and leadframe completely. So what I ideally want to do is create a "pit" in the epoxy, exposing the die and any other areas we would want to probe.

Above is a chip decapped by Bunnie Huang. His interesting blog post here shows him defeating the protection fuses on the chip, allowing its program to be read out.
 
 

Professional decapping devices


Nisene Jet Etch: the gold standard in decapping.

There is an amazingly cool device to do this which is commercially available; it's called a Nisene Jet Etch, and costs about $22,000. Now this is great if you are decapping on a daily basis, but it is just too expensive to justify us buying one. :(  Another way to do this is by hand, carefully dripping acid drop by drop onto the chip; however, the chip we are interested in is small. A single drop of acid would easily overflow and destroy the legs. As I want to be able to put the decapped chip back into a circuit, this is a problem. So, I'm going to attempt to create a device that will (hopefully) provide the ability to decap repeatedly, albeit without all the speed, ease of use and other amazing features of the JetEtch.

The reagent I want to use is nitric acid, due to its speed at eating away epoxy. It does however also eat away at the leadframe with astonishing speed and vigour, so that must be protected. So... this led me into a short foray into things that are resistant to hot concentrated nitric acid. I came across various materials but I settled on PTFE (Teflon) and a rubber called Viton made by DuPont.

PTFE is relatively cheap and easily machinable. Viton comes in several grades from relatively cheap to super expensive. It is also made in various formats such as sheets and o-rings.

So here is my initial design:

The Decapinator

Decapinator Plan A


Two PTFE rods drilled out to form two cups, one fitting inside the other. The large one (main body) has two holes in the bottom: one for the acid spray and one for the acid waste. The smaller one (chip holder) has three holes drilled in the bottom. One hole goes through the bottom of the cup, and the other two are drilled into the sides of the cup to allow me to install threaded rods. The acid sprays onto a disk of Viton rubber with an aperture cut in the centre, which acts as a mask for the chip, ensuring the acid only acts on that area. Then there is a PTFE disk cut from the smaller rod which acts as a clamp to hold the chip firmly onto the hole. The chip holder is then inverted and inserted into the main body so that the acid sprays through the centre hole onto the chip.

I ordered my PTFE rods from Direct Plastics and they arrived with an enclosed bag of Haribo sweets (nice marketing, guys!). I chose 50mm and 30mm diameters respectively. This was mainly based on the availability of tools to drill out the centre of the rods. I would normally use a high speed spade bit to cut larger diameter holes, but the long point on those bits would prevent me from getting the tight aperture that I wanted. I settled on a MAD (Multi Angle Drill) bit. These are available in multiple sizes and have only a small centering point, which would allow me to get the shape that I wanted and align the centre holes nicely. MAD drill bit set:

 


As you can see from the above image they have very small centre points.

Next was the choice of glassware. Everything had to be borosilicate glass (Pyrex) to withstand the heat without shattering. I chose a wide-necked 500ml Erlenmeyer flask because its wide base would give stability and good heat contact with the hotplate. As this is going to be top heavy I opted for a lab stand to securely hold the flask in place.

Nitric acid vapour is highly corrosive to items such as rubber, but I couldn't find suitable bungs to resist the acid, so I was leaning towards machining down the 50mm rod on a lathe to give me a plug that I could insert into the mouth of the flask and seal with Viton o-rings. This would mean laying my hands on a lathe, and as this was a proof of concept I decided to forgo the new toy and use a rubber stopper instead. This will degrade, but they are cheap and I should get a few uses out of it.

One of my next problems was how to seal the glass tubes delivering and draining the acid into the PTFE. The drain was a problem because I would be taking it out at an angle. I came up with the idea of using a plug cutter. This is normally used to cut a small plug of wood to cover over a screw hole: you drill it into a piece of wood and then snap off the plug. I figured that if I used it on the PTFE I could then drill through the middle of the plug into the centre cavity, and then slip my drain tube over the plug. See below.

Detail of main body showing viton gasket around 
delivery capillary and plug cut drain port.

I will then drill two holes in the bottom for the delivery tube: one just deep enough to hold a Viton gasket, and the other all the way through to hold the capillary tube.

As for the glass tubes, I'm planning to use a 0.8mm inside diameter capillary tube for the acid delivery, which should give me a nice fine jet, and a 10mm outside diameter tube for the drain.

As I mentioned earlier, Viton comes in a variety of grades. The only one that appears to consistently resist hot concentrated nitric acid is Viton ETP 600-S, also known as Viton Extreme.
As it turns out, Viton Extreme is also as rare as rocking horse s**t. One supplier I called said, and I quote: "No F*****g chance". Another said they could only order the minimum order from DuPont, and that was 940mm square, 1mm thick, and cost 1700 quid, plus VAT, plus delivery. I managed to track down a supplier that would supply me with a 200mm square, 2mm thick, for about 200 pounds. Not cheap, but I only need to use a small piece at a time, and I can re-use it on another chip if I need the same size aperture.

So at this point various packages are converging on Aperture Labs from various parts of the UK. Once everything arrives and I start construction I'll document this in another post.

Monday, 18 February 2013

Decapping integrated circuits using the "Plink Plink Fizz" method


 
Using the "Plink Plink Fizz" method: all you will be left with is a silicon die, some attached bond wires and some pretty nasty acid.

A few words on safety. Everything here involves some sort of risk; it all seems cool and fun up until you get a face full of boiling acid or are found asphyxiated on the floor of your garage. Safety equipment is cheap and safety precautions are often just common sense: you can buy a full face visor for 17 quid and a respirator for 20, both from a reputable supplier (Farnell). Think of that minuscule cost compared to living the rest of your life blind, or unable to leave your wheelchair because you have destroyed your lungs. So spend some time picking up some basic safety gear, and most importantly understand it and actually use it. If an accident doesn't kill you, you will be living maimed for the rest of your life. The standard disclaimer applies to everything here: anything you attempt from information here is entirely at your own risk. I take no responsibility for the completeness and/or accuracy of any information here. On that cheery note....



What you need:


  • Nitric acid 70%  (you only need a small quantity 10-20ml/chip):- Ebay
  • Acetone a few hundred ml's should do:- Ebay
  • lab hotplate:- Ebay
  • Borosilicate glass Beakers 100ml & 500ml:- Ebay
  • Glass pipette and pipette bulb:- Ebay
  • Acetone wash bottle:- Ebay
  • Borosilicate petri dishes:- Ebay
  • Spirit filled lab thermometer:- Ebay 
  • Universal indicator paper PH1-15:- Ebay
  • Bucket :- Ebay
  • Sodium bicarbonate:- Ebay
  • Surgical gloves :- Chemist
  • Faceguard:- Farnell.co.uk
Ebay.... Are we sensing a theme here :)


 Nitric acid is evil:


  • It dissolves nearly everything, organics and metals.
  • It burns you (badly) and pretty much everything else. 
  • It produces choking toxic fumes: From the acid, and from things the acid reacts with.
  • If it harms you, you may not find out until 8 hours later when your lungs melt.
  • It's an oxidiser and causes spontaneous combustion of some materials principally organics. Not to labour a point, here is what happens if you get some on those usually lab-safe nitrile gloves:
 

For spills I use this stuff:
 Ampho-Mag automatically neutralises spills and absorbs liquid.

 Acetone is evil:

  • Dissolves Plastics etc
  • Choking fumes that are toxic, explosive and heavier than air: they sink to the ground and create an explosive layer (which goes down stairs too: dead cat/people in the cellar!).
  • You don't find out until you drop a cigarette on the ground or it reaches the boiler in the cellar. Bang!

Procedure

I originally tried this outside. It worked OK, but there were a few things that were an issue.
The wind would change direction: one second you would think you were safe, and the next the fumes were wafting towards you. The other issue is that any sort of rain would cause the acid to spit out of the beaker. So if you are going to try this yourself take care, and also ensure that there aren't any kids or anything else around that could disrupt proceedings or distract you.

These days I use a fume cabinet. It cost 10 pounds on eBay plus 35 quid for the minicab to go and pick it up, and with a brand new set of filters it works perfectly.


 
Before you start, I strongly suggest reading through the instructions thoroughly and playing it out in your head. Where are you going to put things? If there is a spill, what will it spill onto, and where will it run? How will you deal with it? For example, once you dispense the acid into the beaker with the pipette you will then have a pipette that is wet with acid. What are you going to do with it?!

Read the Material Safety Data Sheet (MSDS) for each of the chemicals you are using and understand what to do in case of an emergency. For example, you may have eyewash bottles, but can you find them if you can't see? Is the neutraliser to hand? Etc.

1. Don protective gear, gloves and face shield.

2. Place 400ml of water in the 500ml beaker and put it to one side. This will be used to dilute the acid. Fill the bucket with water and place it to one side or on the ground. This will be used to dilute acid from contaminated instruments such as the pipette and thermometer.


3. Put approximately 12-15 ml of acid into the empty 100ml beaker using the pipette: enough to completely cover the chip by 2-3 mm, but don't put the chip in yet. (If the chip is a DIP type, fold the legs up so the chip is flat, or cut them off completely.) Once you open the nitric acid bottle it will start fuming. Have your small beaker next to the bottle so you only have to move the pipette a small distance. As we are dispensing about 15ml you may have to make several transfers with your pipette. Dispense any unused acid in the pipette back into the acid bottle, place the pipette in the bucket and recap the acid bottle.


4. Place the beaker on the hotplate and heat on the lowest setting. You want to get the acid hot but not boiling (the boiling point of 70% nitric acid is 121 degrees Celsius). Heat to approximately 90 degrees Celsius and turn the hotplate off. Be careful that you don't make contact with the bottom of the beaker when measuring the temperature with the thermometer, as that could give you a falsely high reading. Also be careful that the temperature doesn't climb too high after the hotplate is turned off.


5. Once the acid is hot (measured with the thermometer at about 90 Celsius), carefully drop the chip in. Try to keep it face up and not make any splashes. The reaction should be instantaneous: brown nitrogen dioxide fumes will appear and you will see a spall of epoxy particles spread across the beaker. I normally put one half of the petri dish over the top of the beaker to avoid any splashes; the beaker spout will vent any vapour.
The reaction will normally take anything between 3 and 10 minutes depending on the strength and temperature of the acid and the size of the chip.

Above is a video showing the speed of the reaction.
You can see a dark spall of broken down epoxy spreading across the bottom of the beaker.

Once it has completed you will be left with a bunch of gritty debris on the bottom of the beaker and the exposed die with the bond wires attached.


6. Let the solution cool, then carefully decant the acid and debris into the 500ml beaker, leaving the die in the smaller beaker. Rinse the die with a small amount of acetone and carefully pour it out onto the petri dish. Pick the die up with some tweezers, rinse with a small spray of acetone and place it on a small piece of kitchen paper in a clean petri dish.

7. To neutralise the acid, add bicarbonate of soda or calcium carbonate to the 500ml beaker a teaspoon at a time (it fizzes, and will foam over if you add it all at once) until the indicator paper reads 7 (neutral), and dispose of it down the sink. As a rough estimate, 15 ml of 70% nitric acid is about 0.24 mol of HNO3, which needs on the order of 20 g of bicarbonate to neutralise, so expect to add several teaspoons. As long as the items in the bucket only had traces of acid on them you should be able to pour the bucket of water down the sink without resorting to neutralisation, but follow the same procedure as for the beaker if you are concerned.


Above is the die with the bond wires still attached.



If you don't mind losing the bond wires, we can clean the die up with some acetone and a cotton bud.

 Now under a proper microscope we can see some detail:

Above you can see some remaining bond wires which have been ball bonded to the contact pads on the die.

 Above is a panel with manufacturing info; the different colours of the characters in the box relate to the layer that they are on.

Closer still.

 Extreme closeup!

So, why go to all the bother....

Doing this provides us with a lot more than just pretty pictures. Often a microchip's package markings can make it hard to identify the device or manufacturer, especially if it is a custom run for a specific client. Decapping can provide you with insight into the technology used, allow the detection of counterfeit devices, provide access for microprobing and sometimes access to the code itself.

Generally microcontrollers are designed to protect any program code and data that the manufacturer of the end device has programmed into the chip. This is purely a protection for their intellectual property. The data is normally protected by "fuses" which are blown once the data has been programmed into the device and verified; the fuses prevent an external device from reading out the data. These days the fuses are really non-volatile memory cells, set up so that it is possible to erase the device and reset the fuse to allow it to be programmed again (a device manufacturer's nightmare is a "bricked chip" that is now totally non-functional due to a programming error).

It is possible by various methods to reset these fuses and gain access to the data on the chip. This is the last bastion of computer security. It is the only way these days that secrets can be hidden away from hackers and other interested parties. Only careful engineering by the chip designers can prevent it. If the chip has not been actively engineered to resist attack, techniques like this can expose that secret data to the world.

A real life example

A project we worked on recently involved masked ROM. This is read-only memory created as part of the chip manufacturing process. Its design is quite simple: it is a grid of conductive tracks laid down on the chip across several layers, with the tracks running horizontally and vertically.

Data is stored by creating a transistor between these tracks, or not, as the case may be.


Above you can see actual data bits stored on the masked ROM. A dark dot represents a via that connects the top layer to the one beneath, forming a transistor that indicates the presence of a bit. Because of this physical structure we can see the state of each bit and read the data from the ROM. Of course, doing this by hand over the entire ROM would be tedious and error prone. We have a solution to that, of course: the problem was solved by my partner in crime Adam Laurie, who documents it in his blog over here. We have released the code that he developed to the greater community in the hope that you will put it to good use.
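As an added illustration of that last step (this is my own example, not the code Adam Laurie released and not part of the original post), here is the skeleton of such a bit-reading pass in Python. It assumes the die photo is available as a grayscale 2-D array (0 black, 255 white), that the cell pitch and grid origin are known in pixels, that a dark dot at a cell centre means "via present" and is read as a 1, and that each row holds whole bytes laid out eight columns wide, MSB on the left. None of those are given by the post; the "photo" here is constructed from known bytes so the round trip can be checked, and the `msb_left`/`invert` options are there because the physical layout fixes neither the bit order within a byte nor which of dot/no-dot is a 1.

```python
"""Added example (not the post's or Adam Laurie's code): sampling mask ROM
bits off a grayscale image and packing them into bytes.

Assumptions, all mine: image is rows of 0..255 samples, dark cell centre
== via present == bit 1, grid pitch/origin known in pixels, 8 columns per
byte with the MSB on the left. The image below is constructed from known
bytes purely so the result can be verified.
"""
from typing import List, Sequence, Tuple

Image = List[List[int]]


def bits_from_bytes(data: bytes, cols: int) -> List[List[int]]:
    """Lay bytes out as rows of `cols` bits (MSB first); used to build the test image."""
    flat = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(flat) % cols:
        raise ValueError("bit count must be a multiple of cols")
    return [flat[i:i + cols] for i in range(0, len(flat), cols)]


def make_synthetic_rom_image(bits: Sequence[Sequence[int]], pitch: int = 4,
                             dot: int = 40, background: int = 220) -> Image:
    """Constructed stand-in for a microscope photo: one pitch x pitch cell
    per bit, with a 3x3 dark blob at the cell centre where the bit is set."""
    height, width = len(bits) * pitch, len(bits[0]) * pitch
    img = [[background] * width for _ in range(height)]
    for r, row in enumerate(bits):
        for c, bit in enumerate(row):
            if bit:
                cy, cx = r * pitch + pitch // 2, c * pitch + pitch // 2
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        img[cy + dy][cx + dx] = dot
    return img


def mean_intensity(img: Image, cy: int, cx: int, radius: int = 1) -> float:
    """Average of the pixels in a (2*radius+1)^2 window, clipped to the image."""
    vals = [img[y][x]
            for y in range(max(0, cy - radius), min(len(img), cy + radius + 1))
            for x in range(max(0, cx - radius), min(len(img[0]), cx + radius + 1))]
    return sum(vals) / len(vals)


def read_bits(img: Image, rows: int, cols: int, pitch: int,
              origin: Tuple[int, int] = (0, 0), threshold: int = 128) -> List[List[int]]:
    """Sample the centre of every grid cell; a dark centre is read as 1."""
    oy, ox = origin
    grid = []
    for r in range(rows):
        line = []
        for c in range(cols):
            cy = oy + r * pitch + pitch // 2
            cx = ox + c * pitch + pitch // 2
            line.append(1 if mean_intensity(img, cy, cx) < threshold else 0)
        grid.append(line)
    return grid


def pack_bytes(grid: Sequence[Sequence[int]], msb_left: bool = True,
               invert: bool = False) -> bytes:
    """Pack each row into bytes, 8 columns per byte.

    msb_left/invert exist because the physical layout fixes neither the bit
    order within a byte nor whether 'via present' is a 1 or a 0; both have
    to be worked out from known content (reset vector, ASCII strings, sums).
    """
    out = bytearray()
    for row in grid:
        if len(row) % 8:
            raise ValueError("row width must be a multiple of 8")
        for i in range(0, len(row), 8):
            chunk = list(row[i:i + 8])
            if not msb_left:
                chunk.reverse()
            value = 0
            for bit in chunk:
                value = (value << 1) | ((bit ^ 1) if invert else bit)
            out.append(value)
    return bytes(out)


def demo(data: bytes = b"ROM!", cols: int = 16, pitch: int = 4) -> bytes:
    """Round trip: known bytes -> constructed photo -> sampled bits -> bytes."""
    bits = bits_from_bytes(data, cols)
    img = make_synthetic_rom_image(bits, pitch)
    grid = read_bits(img, rows=len(bits), cols=cols, pitch=pitch)
    return pack_bytes(grid)


if __name__ == "__main__":
    print(demo())  # b'ROM!'
```

On a real die the origin and pitch are found by registering the grid against the photo rather than being known up front, and the correct bit order and polarity are confirmed by looking for known content (a reset vector, ASCII strings, a checksum) in the candidate dumps produced with the different `msb_left`/`invert` settings.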

Well that wraps it up for my first proper blog entry. I hope you enjoyed it.

First post

My name is Zac Franken and this is my first foray into blogging. It's to share the bits and pieces that I design, dig up, discover or otherwise furtle around with, and my day job at Aperture Labs, a security company that specialises in the security auditing of embedded systems. For many years I have been a behind-the-scenes sort of guy. I've been operations director for Defcon for 19 years and have enjoyed contributing to the security community, primarily by making sure Defcon goes off with as few hitches as possible each year. Normally the most people get to see of me is thanking my teams at the closing ceremonies and hurrying along corridors looking stressed. It has been suggested to me, by my friend and business partner Adam Laurie aka Major Malfunction aka Code Monkey, that a bunch of the stuff I do is "cool & interesting", so here it is, and I'll let you be the judge of that.

So if you read this I hope you enjoy it, and take care, as some of the contents are not for the faint-hearted and are quite frankly hazardous in the extreme. If you do try and have a go at this stuff, do try not to maim/kill yourself and/or anyone else, or burn/blow up the house or anything else.

This disclaimer applies to everything posted on this blog: anything you do, based on or from any information here, is entirely at your own risk. Neither I nor Aperture Labs take any responsibility for the completeness and/or accuracy of any information, your safety, or any harm you cause to anybody or anything else.