tag:blogger.com,1999:blog-38325072581372711122024-03-18T07:15:59.746+00:00Zac Franken's Hardware Security BlogA foray into the world of embedded systems and physical security.Zac Frankenhttp://www.blogger.com/profile/12067397971579153833noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-3832507258137271112.post-88341978383584537982013-02-25T11:32:00.000+00:002013-02-25T11:38:07.639+00:00DIY decapping machine: The Decapinator part 1<div class="separator" style="clear: both; text-align: center;">
<span id="goog_579850481"></span><span id="goog_579850482"></span><br /></div>
I have previously discussed the "plink plink fizz" method of decapping here, but what I really need to do is to selectively etch away a certain portion of a chip to allow me to probe it whilst it is in situ on the board. This is not possible with plink plink fizz method as it removes the package and leadframe completely. So what I ideally want to do is create a "pit" in the epoxy exposing the die and any other areas we would want to probe.<br />
<span id="goog_2112044895"></span><span id="goog_2112044896"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtrPirZTCsM9p_jCSFvaH3Sxt6XjDtHStx61of_4sqirf_AJUD4W5XRolz0PTDs5GLTIRf8PFClb7zL5pkqxbi9T4_zFYAl0uEk_udmU0dWOyPmHHMTJj_AKTreDwIhlU_kfY4HC4hyphenhyphenOo/s1600/opened_state.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtrPirZTCsM9p_jCSFvaH3Sxt6XjDtHStx61of_4sqirf_AJUD4W5XRolz0PTDs5GLTIRf8PFClb7zL5pkqxbi9T4_zFYAl0uEk_udmU0dWOyPmHHMTJj_AKTreDwIhlU_kfY4HC4hyphenhyphenOo/s1600/opened_state.jpg" height="158" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Above is a chip decapped bu Bunnie Huang. His interesting blog post <a href="http://www.bunniestudios.com/blog/?page_id=40" target="_blank">here</a> shows him defeating the protection fuses on the chip allowing it's program to be read out.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h3 class="separator" style="clear: both; text-align: left;">
Professional decapping devices</h3>
<span id="goog_1253762219"></span><span id="goog_1253762220"></span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpOp0Wn8lxd4HmT1ZCxnGpYZcoDml-dCTb2kIe0pdZdkhi3MHR4iPiJXxSkes2XcBUQMLRM_Ny0T67mO3zCcZwx0iKugqM0BMC18WizabfKQ-HQDwdSrSoJJsxS7WbfKnU-JQxg84LhDau/s1600/new_jetetch.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpOp0Wn8lxd4HmT1ZCxnGpYZcoDml-dCTb2kIe0pdZdkhi3MHR4iPiJXxSkes2XcBUQMLRM_Ny0T67mO3zCcZwx0iKugqM0BMC18WizabfKQ-HQDwdSrSoJJsxS7WbfKnU-JQxg84LhDau/s320/new_jetetch.gif" height="235" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Nisene Jet Etch the gold standard in decapping.</span></td></tr>
</tbody></table>
<br />
There is an amazingly cool device to do this which is commercially available, it's called a <a href="http://www.nisene.com/jetetch.shtml" target="_blank">Nisene Jet Etch</a>, and costs about $22,000. Now this is great if you are decapping on a daily basis, but it is just too expensive to justify us buying one. :( Another way to do this is by hand. Carefully dripping acid drop by drop onto the chip, however the chip we are interested in, is small. A single drop of acid would easily overflow and destroy the legs. As I want to be able to put the decapped chip back into a circuit, this is a probelm. So, I'm going to attempt to create a device that will (hopefully) provide the ability to decap repeatedly, albeit without all the speed, ease of use and other amazing features of the JetEtch. <br />
<br />
The reagent I want to use is nitric acid. This is due to it's speed at eating away epoxy. It does however also eat away at the leadframe with astonishing speed and vigour, so that must be protected. So... this led me into a short foray into things that are resistant to hot concentrated nitric acid. I came across various materials but I settled on PTFE (Teflon) and a rubber called <a href="http://dupontelastomers.com/Products/Viton/viton.asp" target="_blank">Viton</a> made by DuPont.<br />
<br />
PTFE is relatively cheap, easily machineable and relatively cheap. Viton comes in several grades from relatively cheap to super expensive. It is also made in various formats such as sheets and o-rings.<br />
<br />
So here is my initial design: <br />
<br />
<h3>
The Decapinator</h3>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ6gcGdiiiaj3Ks4AN2eqxxUNDmeM-HLoKyJDEMg07sKDD3ziX4I5vZVr1rfjBmpQCqk372_rCgOsz5i5xGXF8aEpP2CLAekBeymFPKaaC_Y4tR2Ayd1bou5Qx1whWVFehA6jxJabWHCVT/s1600/IMG_4744.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ6gcGdiiiaj3Ks4AN2eqxxUNDmeM-HLoKyJDEMg07sKDD3ziX4I5vZVr1rfjBmpQCqk372_rCgOsz5i5xGXF8aEpP2CLAekBeymFPKaaC_Y4tR2Ayd1bou5Qx1whWVFehA6jxJabWHCVT/s640/IMG_4744.png" height="640" width="593" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Decapinator Plan A</span></td></tr>
</tbody></table>
<br />
<br />
Two PTFE rods drilled out to form two cups, one fits inside the other. The large one (main body) has two holes in the bottom. One for the acid spray and one for the acid waste. The smaller one (chip holder) has a three holes drilled in the bottom. One hole goes through the bottom of the cup, and the other two are drilled into the sides of the cup to allow me to install threaded rods. The acid sprays on a disk of Viton rubber with and aperture cut in the centre which acts as a mask for the chip, ensuring the acid only acts on that area. then there is a PTFE disk cut from the smaller rod which acts as a clamp to hold the chip firmly onto the hole. The chip holder is then inverted and inserted into the main body so that the acid sprays through the centre hole onto the chip.<br />
<br />
I ordered my PTFE rods from <a href="https://www.directplastics.co.uk/ptfe-rod" target="_blank">Direct plastics</a> and they arrived with an enclosed bag of haribo sweets (nice marketing guys!). I chose 50mm and 30mm diameters respectively. This was mainly based on the availability of tools to drill out the centre of the rods. I would normally use a high speed spade bit to cut larger diameter holes, but the long point on those bits would prevent me from getting the tight aperture that I wanted. I settled on a MAD (Multi Angle Drill) bit. These were available in multiple sizes and have only a small centering point that would allow me to get the shape that I wanted, and, align the centre holes nicely. <a href="http://www.screwfix.com/p/disston-multi-angle-drill-bit-set-8pcs/76232" target="_blank">MAD drill bit set</a>:<br />
<div class="separator" style="clear: both; text-align: center;">
<span id="goog_1968061496"></span><a href="http://www.blogger.com/"></a><span id="goog_1968061497"></span><br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjynSETasBHRtoj9G9dPF632AcCrdDLC4p41Es-IjjJg2lzWaudQt8tmCRh0wihRNCLxwOscSRFd3kVfK2-IiafNtD8ZtneBssqX0O-ZvjWiLFrceMlg4FVR-Yxn4t4LVgrYVKEFxCFxpi6/s1600/ae235.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjynSETasBHRtoj9G9dPF632AcCrdDLC4p41Es-IjjJg2lzWaudQt8tmCRh0wihRNCLxwOscSRFd3kVfK2-IiafNtD8ZtneBssqX0O-ZvjWiLFrceMlg4FVR-Yxn4t4LVgrYVKEFxCFxpi6/s1600/ae235.jpg" /></a></div>
<div style="text-align: center;">
As you can see from the above image they have very small centre points.<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The next was the choice of glassware. Everything had to be borosilicate glass (Pyrex) to withstand the heat without shattering. I chose a <a href="http://www.rapidonline.com/Education/Erlenmeyer-Flasks-with-Wide-Neck-123526" target="_blank">wide necked 500ml Erlenmeyer flask</a> because of its wide base which would give stability and good heat contact with the hotplate. As this is going to be top heavy I opted for a lab stand to securely hold the flask in place. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Nitic acid vapour is highly corrosive to items such as rubber, but I couldn't find suitable bungs to resist the acid, so I was leaning to machining down the 50mm rod on a lathe to give me a plug that I could insert into the mouth of the flask and seal with Viton o-rings. This would mean laying my hands on a lathe, and as this was a proof of concept I decided to forgo the new toy and use a <a href="http://www.scichem.net/productinfo.aspx?kw=stopper&tier1=Stoppers&tier2=Rubber+2-Hole&catref=RTS030190" target="_blank">rubber stopper</a> instead. This would degrade, but they are cheap and I should get a few uses out of it.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
One of my next problems is how to seal the glass tubes delivering and draining the acid into the PTFE. The drain was a problem because I would be taking it out from an angle. I came up with the idea of using a plug cutter. This is normally used to cut a small plug of wood to cover over a screw hole. Normally you would drill it into a piece of wood and then snap off the plug. I figured that if I used it in the PTFE I could then drill through the middle of the plug into the centre cavity, and then slip my drain tube over the plug. See below.</div>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAVdPlZtxOZO2jbD0CvSYWoqaX1frEaxBJ-CC5REAgHHKqGuhFktckWRZ0OXyg_GUwu9IbcaD_Y10ie_Ep0oiEDiSDAu5XtZ1U1sdYz6nfB6qZkMuEAaw4eGyrjkV0bPID57C9D-QOykr/s1600/IMG_4749.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAVdPlZtxOZO2jbD0CvSYWoqaX1frEaxBJ-CC5REAgHHKqGuhFktckWRZ0OXyg_GUwu9IbcaD_Y10ie_Ep0oiEDiSDAu5XtZ1U1sdYz6nfB6qZkMuEAaw4eGyrjkV0bPID57C9D-QOykr/s400/IMG_4749.png" height="300" width="400" /></a></div>
<div style="text-align: center;">
<span style="font-size: small;">Detail of main body showing viton gasket around </span></div>
<div style="text-align: center;">
<span style="font-size: small;">delivery capillary and plug cut drain port.</span></div>
<div style="text-align: center;">
<br /></div>
I will them drill two holes in the bottom for the delivery tube. One just deep enough to hold a Viton gasket, and the other all the way through to hold the capillary tube.<br />
<br />
As for the glass tubes I'm planning to use a <a href="http://www.scichem.net/productinfo.aspx?id=-1&tier1=Tubing&tier2=Capillary+Borosilicate&catRef=TCB010010" target="_blank">0.8mm inside diameter capillary tube</a> for the acid delivery which should give me a nice fine jet, and a <a href="http://www.scichem.net/productinfo.aspx?id=-1&tier1=Tubing&tier2=Borosilicate+Glass&catRef=TBG010050" target="_blank">10mm outside diameter</a> for the drain.<br />
<br />
As I mentioned earlier Viton comes in a variety of grades. The only one that would appear to consistantly resist hot concentrated nitric acid is Viton ETP 600-S also known as Viton extreme.<br />
As it turns out Viton Extreme is also rare as rocking horse s**t. One supplier I called said, and I quote: "No F*****g chance". Another said they could only order the minimum order from Dupont and that was 940mm square 1mm thick and cost 1700 quid, plus VAT, plus delivery. I managed to track down a <a href="http://www.dichtomatik-kalrez.co.uk/" target="_blank">supplier</a> that would supply me with a 200mm square 2mm thick for about 200 pounds. Not cheap, but as I only needed to use a small piece at a time and I could re-use it on another chip if I needed the same size aperture.<br />
<br />
<span style="font-size: small;">So at this point various packages are con<span style="font-size: small;">verging on <a href="http://aperturelabs.com/">Aperture Labs</a></span> </span>from various parts of the UK. Once everything arrives and I start construction I'll document this in another post.<br />
<span id="goog_1219466234"></span><span id="goog_1219466235"></span><br />Zac Frankenhttp://www.blogger.com/profile/12067397971579153833noreply@blogger.com336tag:blogger.com,1999:blog-3832507258137271112.post-54494494996408357572013-02-18T12:03:00.003+00:002013-02-18T12:40:59.582+00:00Decapping integrated circuits using the "Plink Plink Fizz" method<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/spC0-aAPzEQ?feature=player_embedded' frameborder='0'></iframe> </div>
<div class="separator" style="clear: both; text-align: center;">
<b>Using the "Plink Plink Fizz" method: all you will be left with is a
silicon die, some attached bond wires and some pretty nasty acid.</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-weight: normal;"><span style="font-size: small;">A few words on safety. Everything here involves some sort of risk, it
all seems cool and fun up until you get a face full of boiling acid or
are found asphyxiated on the floor of your garage. Safety equipment is
cheap and safety precautions are often just common sense, you can buy a
full face visor for 17 quid, a respirator 20, both from a reputable
supplier (Farnell).
Think of that minuscule cost compared to living the rest of your life
blind, or unable to leave your wheelchair because you have destroyed
your lungs. So spend some time picking up some basic safety gear, and
most importantly understand and actually use it. If an accident doesn't kill
you, you will be living maimed for the rest of your life. Standard
disclaimer applies to everything here. Anything you attempt from
information here is entirely at your own risk. I take no responsibility
for the completeness and/or accuracy of any information here.</span><span style="font-size: small;"> On that cheery note....</span></span><br />
<br />
<br />
<br />
<h3>
What you need: </h3>
<br />
<ul>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Nitric
acid 70% (<span style="font-size: small;">you only need <span style="font-size: small;">a small quantity 10-20ml/chip)</span></span>:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li>
<span style="font-size: small;"><span style="color: black; font-family: Calibri;">Acetone a <span style="font-size: small;">f<span style="font-size: small;">ew hundred ml's should do</span></span></span><span style="color: black; font-family: Calibri;">:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li>
<span style="font-size: small;"><span style="font-family: Arial;"></span><span style="color: black; font-family: Calibri;">lab
hotplate:- <b>Ebay</b></span></span></li>
<li>
<span style="font-size: small;"><span style="color: black; font-family: Calibri;">Borosilicate
glass Beakers 100ml <span style="font-size: small;">& 500ml</span>:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li>
<span style="font-size: small;"><span style="color: black; font-family: Calibri;">Glass <span style="font-size: small;">p</span>ipette</span><span style="color: black; font-family: Calibri;"> and pipette bulb:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li>
<span style="font-size: small;"><span style="font-family: Arial;"></span><span style="color: black; font-family: Calibri;">Acetone
wash bottle</span><span style="color: black; font-family: Calibri;">:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li>
<span style="font-size: small;"><span style="font-family: Arial;"></span><span style="color: black; font-family: Calibri;">Borosilicate
petri dishes</span><span style="color: black; font-family: Calibri;">:-
</span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Spirit filled lab thermometer:-</span><b><span style="color: black; font-family: Calibri;"> Ebay </span></b></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;">U</span>niversal indicator paper <span style="font-size: small;">PH</span>1-15:- </span><b><span style="color: black; font-family: Calibri;">Ebay</span></b></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Bucket<span style="font-size: small;"> </span></span><b><span style="color: black; font-family: Calibri;">:- Ebay</span></b></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Sodium bicarbonate<span style="font-size: small;">:-</span></span><b><span style="color: black; font-family: Calibri;"><span style="font-size: small;"> Ebay</span> </span></b></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Surgical gloves :- <b>Chemist</b></span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Faceguard:- <b>Farnell.co.uk</b></span><b><span style="color: black; font-family: Calibri;"><br /></span></b></span></li>
</ul>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0.38in; margin-top: 7.68pt; text-align: left; text-indent: -0.38in; unicode-bidi: embed; word-break: normal;">
<span style="font-size: small;"><b><span style="color: black; font-family: Calibri;">Ebay</span></b><span style="color: black; font-family: Calibri;"><span style="font-size: small;">.... <span style="font-size: small;">Are we sensing a theme here :)</span></span></span><b><span style="color: black; font-family: Calibri;"> </span></b></span></div>
<br />
<span id="goog_539221997"></span><span id="goog_539221998"></span><br />
<h3>
<span style="font-size: small;"> Nitric acid is evil:</span></h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio6EqG1aQ8vhBvYIuGjGPU_rWC3N3y7mzWVO9tLBcjTB6ws5es78N2HBYGR5-5VUh9IQ7wiNFdRSJFzdW9uOzn8yZ9-rMmTdb9oi0cuoaMRnwsuobKqJZ_mivjLq3X2xemrTVv8SJ0WrvF/s1600/nitric.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio6EqG1aQ8vhBvYIuGjGPU_rWC3N3y7mzWVO9tLBcjTB6ws5es78N2HBYGR5-5VUh9IQ7wiNFdRSJFzdW9uOzn8yZ9-rMmTdb9oi0cuoaMRnwsuobKqJZ_mivjLq3X2xemrTVv8SJ0WrvF/s1600/nitric.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<ul>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;">It </span>dissolves nearly everything, Organics and metals.</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;">It b</span>urns
you (badly) and p<span style="font-size: small;">retty much everything else.</span></span></span><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;"> </span></span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;">It </span>produces choking
toxic fumes<span style="font-size: small;">: </span></span></span><span style="font-size: small;"><span style="color: black; font-family: Calibri;">From
the acid, and f</span></span><span style="font-size: small;"><span style="color: black; font-family: Calibri;">rom
things the acid reacts with.</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">If
it harms you, you may not find out until 8 hours later when your lungs melt.</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">It's an oxidiser and causes
spontaneous combustion of some materials principally organics.</span></span><span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;"><span style="font-size: small;"> </span>Not to labour a point, h</span>ere is what happens <span style="font-size: small;">if you get some on those usually lab-<span style="font-size: small;">safe nitrile glove<span style="font-size: small;">s<span style="font-size: small;">: </span></span></span></span></span></span></li>
</ul>
<div style="text-align: center;">
<span style="font-size: small;"><span style="color: black; font-family: Calibri;"><span style="font-size: small;"><span style="font-size: small;"><span style="font-size: small;"><span style="font-size: small;"> </span></span></span></span></span></span><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/XNpNuPvMhOc?feature=player_embedded' frameborder='0'></iframe></div>
<br />
For spills I use this stuff:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-H9u5bKeb6BXRY5rbAD-7miGwbLK3qBRVOgxdSjwxcDUkWGbkYTp2HpB5cZLqxsigK5OvWAoMz69a3lYqK4J8obufP_8zYkZu14exqOfGivXVdsB5uH_M48SScc7N5OkKf40S9Xjk1gJv/s1600/amphomag.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-H9u5bKeb6BXRY5rbAD-7miGwbLK3qBRVOgxdSjwxcDUkWGbkYTp2HpB5cZLqxsigK5OvWAoMz69a3lYqK4J8obufP_8zYkZu14exqOfGivXVdsB5uH_M48SScc7N5OkKf40S9Xjk1gJv/s320/amphomag.jpg" width="320" /></a></div>
<div style="text-align: center;">
Ampho-Mag automatically neutralises spills and absorbs liquid.</div>
<br />
<h3>
<span style="font-size: small;"> Acetone is evil:</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipGkSxP8MB3B0I9ESjlZpwlMoOl-tK6JNLaSFebQimSKfWrvsapC5WagNZOfoTs913JQLF4iUACS5lJI59nm_JLDpOHlDbDYfMOAoFm7gjlz1-b-Gd5fUg4cSwzEYuREmTE2wwTPp8eXHF/s1600/Aceton+Warning+label.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipGkSxP8MB3B0I9ESjlZpwlMoOl-tK6JNLaSFebQimSKfWrvsapC5WagNZOfoTs913JQLF4iUACS5lJI59nm_JLDpOHlDbDYfMOAoFm7gjlz1-b-Gd5fUg4cSwzEYuREmTE2wwTPp8eXHF/s320/Aceton+Warning+label.jpg" width="320" /></a></div>
<h3>
</h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
<ul>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Dissolves
Plastics </span><span style="color: black; font-family: Calibri;">etc</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Choking Fumes
that are toxic, explosive and heavier than air, sink to the ground creating an explosive layer
(goes down stairs too! (dead cat/people in cellar!)</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">(you
don’t find out until you <span style="font-size: small;">drop a cigarette</span> on the ground or it hits the boiler in the cellar.)</span></span></li>
<li><span style="font-size: small;"><span style="color: black; font-family: Calibri;">Bang!</span></span></li>
</ul>
<br />
<h3>
<span style="font-size: small;"><span style="color: black; font-family: Calibri;">Procedure </span></span></h3>
I originally tried this outside. It worked OK, but there were a few things that were an issue.<br />
Wind would change direction and one second you would think you were safe and then the next fumes were wafting towards you, the other is that any sort of rain would cause the acid to spit out of the beaker. So if you are going to try this yourself take care, and also ensure that there aren't any kids or anything else around that could disrupt proceedings or distract you.<br />
<br />
<i>These days I use a fume cabinet it cost 10 pounds on eBay plus 35 quid for the mini cab to go pick it up, and with a brand new set of filters it works perfectly.</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZTC2NrNJzwT54-T8N6fBr_MNWke1C-lJyJwz2az6QYjGoqTyrHfenFuGP0_v2foEYi8lJA86QYbPv5bv3fY0QkHmExTi9uPcbC4-a30L8QlR4AJ3wztwo9couZEoOlilQBxWVAXYLnAHp/s1600/15-02-2013+11-18-40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZTC2NrNJzwT54-T8N6fBr_MNWke1C-lJyJwz2az6QYjGoqTyrHfenFuGP0_v2foEYi8lJA86QYbPv5bv3fY0QkHmExTi9uPcbC4-a30L8QlR4AJ3wztwo9couZEoOlilQBxWVAXYLnAHp/s400/15-02-2013+11-18-40.png" width="400" /></a></div>
<br />
<br />
<span style="font-size: small;">Before you start, I strongly suggest reading through the instructions thoroughly and playing it out in your head. Where are you going to put things. If there is a spill what will it spill onto, where will it run. How will you deal with it.<span style="font-family: inherit;"> For example, once you dispense the acid into the beaker with the pipette you will then have a pipette that is wet with acid. What are you going to do with it?!</span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: inherit;">Read the Material Safetey Data Sheet (MSDS) for each of the chemicals you are using and understand what to do in case of an emergency. For <span style="font-size: small;">example you may have eyewash bottles, but can you find them if you cant see. Is the ne<span style="font-size: small;">utraliser to han<span style="font-size: small;">d<span style="font-size: small;">,</span> etc.</span></span></span></span></span><br />
<br />
<span style="font-family: inherit;"><span style="font-size: small;">1. Don protective gear, gloves and face shield.</span></span><br />
<br />
2. Place 400ml of water in the 500ml beaker and put to one side. This will be used to dilute the acid.<span style="font-size: small;"><span style="font-family: Calibri;"> Fil<span style="font-size: small;">l the bucket with water and place to one side or on the ground. this will be used to</span></span></span> dilute acid from contaminated instruments such as the pipette and thermometer.<br />
<br />
<br />
3. Put approximately 12-15 ml of acid into the empty 100ml beaker using the pipette (enough to completely cover the chip by a 2-3 mm, but don't put the chip in yet )(if the chip is a DIP type fold the legs up so the chip is flat or cut them off completely). Once you open the nitric acid bottle it will start fuming. Have your
small beaker next to the bottle so you have to move the pipette only a
small distance. As we are dispensing about 15ml you may have to make several
transfers with your pipette. Dispense any unused acid in the pippette back into the acid bottle, place the pipette in the bucket and recap the acid bottle.<br />
<br />
<br />
4. <span style="font-family: inherit;">Place the beaker on the hotplate<span style="font-size: small;"><span style="color: black;"><span style="font-size: small;"><span style="font-size: small;"> <span style="font-family: inherit;">and heat on the lowest setting, you want to get the acid hot but not boiling (the boiling point for <u>70%</u> Nitric acid is 121 degrees Celsius).</span></span></span></span></span> Heat to approx 90 degrees Celsius and turn the hotplate off. Be careful that you don't make contact with the bottom of the beaker when measuring the temperature<b><span style="font-size: small;"> </span></b><span style="font-size: small;"><span style="font-size: small;">with the thermometer</span></span>, as that could give you a falsely high reading. Also be careful that the temperature doesn't climb too high after the hotplate is turned off.</span><br />
<br />
<br />
5. Once the acid is hot (measured with the thermometer about 90 Celsius ), carefully drop the chip in. Try and keep it face
up and not make any splashes. The reaction should be instantaneous.
Brown nitrogen dioxide fumes will appear and you will see a spall of
epoxy particles spread across the beaker. I normally put one half of the petri dish over the top of the beaker to
avoid any splashes, the beaker spout will vent any vapour.<br />
The reaction will normally take anything between 3 and 10 Min's
depending on the strength and temperature of the acid and the size of
the chip.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dyQAV8m7vgFbeJPbChk6pqc-3rTPf9ffxDrEwYac8RItwS4R170_D8AwkkKrR8QpeQeNpVOutf0dLuPYqWzFg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<div style="text-align: center;">
Above is a video showing the speed of the reaction.<br />
You can see a dark spall of broken down epoxy spreading across the bottom of the beaker.</div>
<br />
Once it has completed you will be left with a bunch of gritty debris on the bottom of the beaker and the exposed die with the bond wires attached.<br />
<br />
<br />
6. Let the solution cool then carefully decant the acid and debris into the 500ml beaker leaving the die in the smaller beaker. Rinse the die with a small amount of acetone and carefully pour out onto the petri dish. Pick the die up with some tweezers, rinse with a small spray of acetone and place on a small piece of kitchen paper in a clean petri dish.<br />
<br />
7. To neutralise the acid, add bicarbonate of soda or calcium carbonate to the 500ml beaker a teaspoon at a time until the indicator paper reads 7 (neutral) and dispose of down sink. As long as the items in the bucket only had traces of acid on them you should be able to pour the bucket of water down the sink without resorting to neutralisation, but follow the same procedure as the beaker if you are concerned.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncntOuc43JTMFOkxJPL0g1pqU8SGXSgRqEgkYrRvweKmiiggjABs17XoetUOPu4fgjeBz508DUfTjO9CAuxslvUHEzxc_bvtFCSFmgE0C2GIx7VdJzLNlWji5p2LCTSlzoZguZBN6ftLW/s1600/dfirty+29-01-2013+16-19-56.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="558" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncntOuc43JTMFOkxJPL0g1pqU8SGXSgRqEgkYrRvweKmiiggjABs17XoetUOPu4fgjeBz508DUfTjO9CAuxslvUHEzxc_bvtFCSFmgE0C2GIx7VdJzLNlWji5p2LCTSlzoZguZBN6ftLW/s640/dfirty+29-01-2013+16-19-56.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: center;">
Above is the die with the bond wires still attached.</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy9udEOEm_TE0WhE9L-9W_xGHud0FNgRBpK2cZN-FMj5MB4g6rSwMNQ76MnaC2paFmjNSwDePhmq9OQAaUQzP5LIDqQa6ABWTNnsnrGBXX4NcJ7C_9cSUOq9pZNdoQZ3X4dHvo6WkBIofF/s1600/2013-02-15_153236_630.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy9udEOEm_TE0WhE9L-9W_xGHud0FNgRBpK2cZN-FMj5MB4g6rSwMNQ76MnaC2paFmjNSwDePhmq9OQAaUQzP5LIDqQa6ABWTNnsnrGBXX4NcJ7C_9cSUOq9pZNdoQZ3X4dHvo6WkBIofF/s640/2013-02-15_153236_630.bmp" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
If you don't mind loosing the bond wires we can clean the die up with some acetone and a cotton bud.</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Now under a proper microscope we can see some detail:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIOX5S-RipZYdvYoRcaRZctRVDPGgqfJN2Yl0hNXULqfm7pd161jTpEL93aG0a2uJ8FsB-rgegJjuPWHyY78wecfEe6R0wb2ef800mPNRSU2Hz_HBR7o1VrIpBYqFO9Igt_VjVAZjl7qdQ/s1600/2013-01-29_155211_318.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIOX5S-RipZYdvYoRcaRZctRVDPGgqfJN2Yl0hNXULqfm7pd161jTpEL93aG0a2uJ8FsB-rgegJjuPWHyY78wecfEe6R0wb2ef800mPNRSU2Hz_HBR7o1VrIpBYqFO9Igt_VjVAZjl7qdQ/s640/2013-01-29_155211_318.png" width="640" /></a></div>
<div style="text-align: center;">
Above you can see some remaining bond wires which have been ball bonded to the contact pads on the die.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJAMqLeG9J6AMKydyUAQW3MODm4tXHelJbMtkV5EZIkfuUuXhmwJ_6r3ZNd0OvZoBVSVBXGcyMB1Fvfb61d3VjozPThmLn5uYCIi33iKIA271J0K6dL6tzcYxtH53l4c2h1-5PcVNUXSer/s1600/2013-01-29_155133_474.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJAMqLeG9J6AMKydyUAQW3MODm4tXHelJbMtkV5EZIkfuUuXhmwJ_6r3ZNd0OvZoBVSVBXGcyMB1Fvfb61d3VjozPThmLn5uYCIi33iKIA271J0K6dL6tzcYxtH53l4c2h1-5PcVNUXSer/s640/2013-01-29_155133_474.png" width="640" /></a></div>
<div style="text-align: center;">
Above is a panel with manufacturing info the different colours of the characters in the box relate to the layer that they are on.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDzaTI3LwB3jC6AhdiZ7jbdwZs_hJMGKXpRBIQc79t-zZ2MuBW_0kIx7YYFg3f5A6wVd58nFeg9SpospwdtT3-rHsBTF3LB589zKL8zTEPJNu5FLrnkigve4PdzeY5amE2Yun4_p1fnFxh/s1600/2013-01-29_155054_007.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDzaTI3LwB3jC6AhdiZ7jbdwZs_hJMGKXpRBIQc79t-zZ2MuBW_0kIx7YYFg3f5A6wVd58nFeg9SpospwdtT3-rHsBTF3LB589zKL8zTEPJNu5FLrnkigve4PdzeY5amE2Yun4_p1fnFxh/s640/2013-01-29_155054_007.png" width="640" /></a></div>
<div style="text-align: center;">
Closer still.</div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0bC-xdzOpVgNX9ycLljQZrK2jXAIw8-sAZ5clfrouKLJQXi48KrN9-2HD3IM4wDxRCERR40JdADV_6EL0E56cb7SSq7So-O3YJMUrwfdfwWAhtu7os1Hk-2ZUq1m7rB7t0XEHn1XX2wP/s1600/2013-01-29_155033_614.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0bC-xdzOpVgNX9ycLljQZrK2jXAIw8-sAZ5clfrouKLJQXi48KrN9-2HD3IM4wDxRCERR40JdADV_6EL0E56cb7SSq7So-O3YJMUrwfdfwWAhtu7os1Hk-2ZUq1m7rB7t0XEHn1XX2wP/s640/2013-01-29_155033_614.png" width="640" /></a></div>
<div style="text-align: center;">
Extreeme closeup!</div>
<div style="text-align: center;">
<br /></div>
<h2 style="text-align: left;">
So, why go to all the bother....</h2>
<div style="text-align: left;">
Doing this provides us with a lot more than just pretty pictures. Often a microchip's package markings can make it hard to identify the device or manufacturer, especially if it is a custom run for a specific client. Decapping can provide you with insight into the technology used, allow the detection of counterfit devices, provide access for microprobing and sometimes access to the code itself.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Generally microcontrollers are designed to protect any program code and data programmed into the chip by the manufacturer of the device that it forms a component of. This is purely a protection for their intellectual property. This data is normally protected by "fuses" which are blown once the data has been programmed into the device and verified. The fuses prevent access to an external device reading out the data. These days the fuses are really non-volatile memory cells that are set up so that it is possible to erase the device and reset the fuse to allow it to be programmed again (a device manufacturers nightmare is a "bricked chip" that is now totally non functional due to a programming error).</div>
<div style="text-align: left;">
<br />
It is possible by various methods to reset these fuses and gain access to the data on the chip. This is the last bastion of computer security. It is the only way these days that secrets can be hidden away from hackers and other interested parties. Only careful engineering by the chip designers can prevent it. If the chip has not been actively engineered to resist attack, techniques like this can expose that secret data to the world.</div>
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: left;">
A real life example</h2>
<div style="text-align: left;">
A project we worked on recently involved masked ROM. This is read only memory created as part of the chip manufacturing process. It's design is quite simple. It is a grid of conductive tracks laid down on the chip across several layers. The tracks run horizontally and vertically.</div>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
Data is stored by the creation a transistor between these tracks, or not, as the case may be. </div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiILElAe9EysjD6WbXHwK4dDRLNjgquOgAnO9FcVx-u2bNWFeNu3EvEGzbxiHXykpb8f2B93zaAV-8a5_Z1C8ko5OrXOzr5fBx4MPQybzGDUZ8s-95U3utnsvhwWrB0qc-tTpGUK6AYozHf/s1600/A1+2013-01-23_151727_113.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiILElAe9EysjD6WbXHwK4dDRLNjgquOgAnO9FcVx-u2bNWFeNu3EvEGzbxiHXykpb8f2B93zaAV-8a5_Z1C8ko5OrXOzr5fBx4MPQybzGDUZ8s-95U3utnsvhwWrB0qc-tTpGUK6AYozHf/s640/A1+2013-01-23_151727_113.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
Above you can see actual data bits sored on the masked ROM. A dark dot represents a via that connects the top layer to one beneath that forms a transistor to indicate the presense of a bit. Because of this physical structure we can see the state of each bit and read the data from the ROM. Of course doing this by hand over the entire ROM would be tedious and error prone. We have a solution to that of course, and the problem was solved by my partner in crime Adam Laurie, who documents it in his blog <a href="http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html" target="_blank">over here</a>. We have released the code that he has developed to the greater community in the hope that you will put it to good use.<br />
<br />
Well that wraps it up for my first proper blog entry. I hope you enjoyed it. <br />
<br />Zac Frankenhttp://www.blogger.com/profile/12067397971579153833noreply@blogger.com161tag:blogger.com,1999:blog-3832507258137271112.post-60125988329331992912013-02-18T12:03:00.001+00:002013-02-18T12:03:33.194+00:00First postMy name is Zac Franken and this is my first foray into blogging. It's to share the bits and
pieces that I design, dig up, discover or otherwise furtle around with
and my day job at <a href="http://www.aperturelabs.com/" target="_blank">Aperture Labs</a>
a security company that specialises in security auditing embedded
systems. For many years I have been a behind the scenes sort of guy.
I've been operations director for Defcon for 19 years and have enjoyed
contibuting to the security community by primarily making sure Defcon
goes off with a few hitches as possible each year. Normally the most
people get to see of me is thanking my teams at the closing ceremonies
and hurrying along corridors looking stressed. It has been suggested to
me, by my friend and business partner Adam Laurie aka Major Malfunction
aka Code Monkey that a bunch of the stuff is do is "cool &
interesting", so here it is, and I'll let you be the judge of that.<br />
<br />
So if you read this I hope you enjoy, and take care, as some of the
contents are not for the faint hearted and are quite frankly hazardous
in the extreme. If you do try and have a go at this stuff, do try and
not maim/kill yourself and/or anyone else, burn/blowup the house or
anything else.<br />
<h2>
<span style="font-weight: normal;"><span style="font-size: small;"> <span style="font-size: small;">This </span>disclaimer applies to everything poste<span style="font-size: small;">d on this blog:</span> Anything you <span style="font-size: small;">do, b<span style="font-size: small;">ased on or from any </span></span>information here is entirely at your own risk. Neither I or Aperture Labs take any responsibility
for the completeness and/or accuracy of any information<span style="font-size: small;">, your safetey<span style="font-size: small;">, or any harm you cause <span style="font-size: small;">t</span>o anybody or anything else.</span></span></span></span></h2>
Zac Frankenhttp://www.blogger.com/profile/12067397971579153833noreply@blogger.com221