What Johnny thought was

H2O was H2SO4

Busting a Cap without Die-ing*

IC decapsulation for those afraid of dangerous chemicals and government watch lists

Eric M. Busse, http://eirev.blogspot.com, embusse@gmail.com

*With brief diversions in system & hardware RE

1

Slides & materials: http://bit.ly/1isrg3d

Disclaimer

• Research presented was conducted on my own time, and is not representative of my employer, their customers, associates, etc.

• All statements and opinions are my own, unless otherwise noted.

• Science is dangerous, attempting to replicate these techniques could result in serious injury, death, fire, imprisonment, etc.

• I take no responsibility for your stupid mistakes

Please, be careful.

Possible foul language, sorry about that…

2

BACKSTORY An investigative prelude to science

3

Bored in a Store

4

Altierre Wireless Signage

• A “bidirectional wireless technology” for managing “buildings like retail stores with only a couple of wireless access points”

• “RF mixed signal chip technology” with “multiple layers of security … the most secure low power bi-directional wireless technology”

• “Includes a server/gateway, wireless access points, wireless digital signage, and other wireless endpoints .... network uses our proprietary ultra-low-power, low-cost radio technology”

• “Web-based, Enterprise, Client/Server, and System applications ... N-tier Client/Server development architecture ... systems such as the Altierre Service Gateway (ASG); Altierre Access Point (AAP); Altierre Wireless Tags (AWT); and Altierre Portable Terminal (APT)”

• Hiring ASIC designers, firmware developers, wireless system engineers, web and database developers..

http://www.altierre.com/overview.html, http://www.altierre.com/job_srfweng.html, http://www.altierre.com/jobopenings.html, http://www.altierre.com/job_seniorsweng.html,

5

The FCC, a friend you never knew you had…

http://bit.ly/1irzacX (https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm)

http://bit.ly/1nQuuD5 (https://apps.fcc.gov/oetcf/eas/reports/GranteeSearch.cfm) 6

No really, it’s amazing

• 2.4GHz ISM Band FHSS • 2401.5 - 2475.5 MHz, Binary FSK • 75 channels, ~1MHz spacing • Hopping period ~0.504mS • “Altierre Tethered Device (ATD) is a

short range radio to provision Altierre Electronic Shelf Labels … makes use of a short range 100MHz loop to identify an Altierre electronic shelf label… uses a 2.4GHz RF link to provision and load data.”

Taken from FCC OET reports for W22-AAP400, W22-ATAG400E, W22- ATD100 7

You’ve got my attention… Now what?

• Loiter in/near store with antennas – Tends to attract unwanted attention

• Pilfer some – Seriously? No. Just no.

• eBay! – People are selling this stuff

8

Its all fun and games until the mall caps, police, and feds show up and you have to explain that no, you’re

not attempting to pull a TJX/Target…

Tear some stuff apart…

• Images (scanner is best) – Epson V33 (PoS), awesome

depth of field

• Two antennae – 2.4GHz, 100Mhz

• Lots of test points

• Not a lot of information – Die on board (DoB) = No

part numbers

Guess its decap time…

9

2.4 Ghz

100 MHz ??

ICS, EXPOXY, CHEMICALS AND YOU Now back to your regularly scheduled presentation

10

Why decap?

• Its cool – IC layout and design is

interesting – Art

• Identify [un|de|re]marked packages – Manufacturers grind off

package markings as anti RE/knockoff technique

– Package on board issues – Counterfeit detection

• SD Cards, FDTI chips

• Recover masked ROM content • Live probing & analysis

11

http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal

http://www.bunniestudios.com/blog/?page_id=1022

Integrated Circuit Basics Yes, I’m lying a bit here, but for argument it’s close enough…

• IC (usually) attached to carrier

• Wire bonds to/from bond pads to external leads

• Encapsulated (sealed) in epoxy

• Die is a 3D device, many layers – Packaging, Carrier,

Passivation

– Metal (interconnect)

– Gate/Poly

12

Epoxy/Potting

Silicon Die Carrier

DIP

BGA

https://en.wikipedia.org/wiki/File:Cmos-chip_structure_in_2000s_(en).svg https://en.wikipedia.org/wiki/File:Silicon_chip_3d.png

Decapping Techniques

13

Method Options Issues

Acids

• Nitric • Hot [1, 2, 10] • Room temp [3]

• Hot sulfuric [4, 5]

• Fast (Minutes to hours) • Dangerous/deadly/gov’t watch list

• Fumes melt your lungs • Dead before you know it’s a problem • Boiling/heating is really bad

• Likely hard to get

Specialty • Professional stuff [6] • Fast? • Very expensive, hard to get, dangerous

Rosin • Rosin boil package [7, 8, 9]

• Cheap but slow-ish (1-5 hours) • Semi-dangerous

• 200-300°C liquid, flammable, inhalation issues

Physical • Sanding/lapping • Thermal expansion

• Nearly free • Good initial approach

• Reduce package prior to chemicals • Difficult to control • Potentially expensive equipment

Generally useful: Siliconp0rn, Degate

I’m bored, why do we care again?

14

Die is 4x4mm Image is 4248x3920 (30MB)

AFAIK this is first publically available image of this die

http://bit.ly/1isrg3d

What do I need to do that?

• Chem goggles and gloves [1], [2] <$50

– Seriously, get good PPE

• 1000°F Heat gun ~$23

• Rosin, $3

– Light is better, its translucent

• Pyrex Test Tubes, <$13

• Ring stand + clamps, <$30

• Thermocouple, <$25

• Kapton tape, <$14

• Plastic Pipets, $5

• Solvents (hardware store)

– Denatured Alcohol, $8

– Acetone, $8

– Methyl-Ethyl-Ketone, $10

Assuming you had none of this on hand, & are impatient or bad at eBay, less than $200, and

it’ll do many chips… 15

Also useful: pyrex microscope slides, petri dishes, assorted beakers, test tube tongs, plastic tweezers, super glue, IR thermometer, watch glasses, wash bottles, etc…

Safety Check • Rosin

– Resin acids, mostly abietic

– Crystallizes near instantly when heat is removed • Similar to plastic burns

– Fumes/Vapors • Flammable & semi-toxic

• Form sharp crystals in your lungs – Colophony disease

• Have a plan – Where am I moving this to?

– Is that surface flammable/heat resistant?

– Are there things in the way?

• Solvents – Heavier than air

– Flammable

– Carcinogenic

• Waste materials – Dissolved epoxy, contaminated

solvent, other nastiness

– These must be stored

– DO NOT POUR IT DOWN THE DRAIN

– Hazmat disposal days are your friend

• Know your MSDSes

16

HAVE & USE PERSONAL PROTECTIVE EQUIPMENT Goggles, gloves, adequate ventilation (open a window, turn on

a fan), fire extinguisher. Have friends check up on you. Keep pets & children away.

Rough Procedure

• Fill test tube 1/3 with rosin, heat to melting, add package to be decapped, raise to working temp – Want 250-300°C

• Measured with thermocouple kapton’ed to the test tube

– Rosin should be a low-mid viscosity fluid, minimal bubbling

– Control temp of rosin by moving test tube closer/farther from the heat gun

• Rosin will change color – Starts a lovely amber – Ends brown/black

• About 45-60m for my application

• 2-3 treatments to fully decap – Dump rosin – Wash die – Start again

• Epoxy goes from rock hard to fibrous

17

Start Stop

Too long/hot

Description is of apparatus shown previous, pictures are of a failed attempt to decap while keeping the bond wires intact. Might have worked had I not over cooked & sonic’ed the assembly.

Die Washing

• Rosin hardens fast – Pour contents of test tube

into heat safe container – Let cool a bit (important) – Dissolve waste rosin with

denatured alcohol • CAREFULLY use the heat gun

to move this along – Too much heat = boiling,

followed by FIRE

• Several washings needed to fully remove rosin

• Post wash use a clean test tube

• Bonus: Sonicate! ($80)

18

Glued to the bottom…

Tips/Tricks

• Die is delicate – Metal tweezers = Bad!

• Industry uses carbon fiber • Conductive/ESD safe plastic

works fine [1] – Slowly dissolve in solvent

• Pipets are useful – Transfer (vacuum) – Cleaning (solvent agitation)

• Superglue the die to – Pyrex slide (best), petri dish – Acetone dissolves superglue, if

you need to remove it

19

Imaging

• Microscope ($145, 1) – Dissecting, inspection,

metallurgical, (transmitted/incident illumination)

– Lighting ($40, 2) – XY Stage ($8, eBay)

• Camera ($30, 3) – Expensive may != Good…

• Software – VLC? (snapshot) – Hugin [4]

• FoV [5]

20

Crappy Camera vs. Adapters + μ4/3

21 Higher effective mag, good focus Edge blur, higher res

Same objective (4x) on scope

Hugin

• XY stage, ~2/3 overlap between images

– Use the Focus Luke

• Images -> Hugin

– Set FoV (2°?)

• Auto align

– Images taken in a pattern, maybe avoid/improve this?

• Create Panorama

– Maybe…

22

Things go Poorly…

23

Pincushioning, Bad FoV (10°?)

Loss of focus

Bad stich, poor overlap

Die is very dirty…

ANALYSIS Now what the hell do I do?

24

Pretty, but useful..?

25 Amicom

CC2420

Thanks to Travis Goodspeed

Altierre

Next Steps

• Delayer and reimage

– Determine

• Masked rom or flash

• Processor type

• Chip regions to test points

– Mark orientation or bond wires intact

• Widen examination to rest of system

26

QUESTIONS? With luck I haven’t wasted your time...

27

RAPID FIRE! RFID Hotel Keycard (Mifare Classic 1K?)

28

29

30

31

32

33

34

35

36

37

38

39