What Johnny thought was H2O was H2SO4
Busting a Cap without Die-ing*
IC decapsulation for those afraid of dangerous chemicals and government watch lists
Eric M. Busse, http://eirev.blogspot.com
*With brief diversions in system & hardware RE
Slides & materials: http://bit.ly/1isrg3d
Disclaimer
• Research presented was conducted on my own time, and is not representative of my employer, their customers, associates, etc.
• All statements and opinions are my own, unless otherwise noted.
• Science is dangerous; attempting to replicate these techniques could result in serious injury, death, fire, imprisonment, etc.
• I take no responsibility for your stupid mistakes
Please, be careful.
Possible foul language, sorry about that…
BACKSTORY
An investigative prelude to science
Bored in a Store
Altierre Wireless Signage
• A “bidirectional wireless technology” for managing “buildings like retail stores with only a couple of wireless access points”
• “RF mixed signal chip technology” with “multiple layers of security … the most secure low power bi-directional wireless technology”
• “Includes a server/gateway, wireless access points, wireless digital signage, and other wireless endpoints .... network uses our proprietary ultra-low-power, low-cost radio technology”
• “Web-based, Enterprise, Client/Server, and System applications ... N-tier Client/Server development architecture ... systems such as the Altierre Service Gateway (ASG); Altierre Access Point (AAP); Altierre Wireless Tags (AWT); and Altierre Portable Terminal (APT)”
• Hiring ASIC designers, firmware developers, wireless system engineers, web and database developers…
http://www.altierre.com/overview.html, http://www.altierre.com/job_srfweng.html, http://www.altierre.com/jobopenings.html, http://www.altierre.com/job_seniorsweng.html
The FCC, a friend you never knew you had…
http://bit.ly/1irzacX (https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm)
http://bit.ly/1nQuuD5 (https://apps.fcc.gov/oetcf/eas/reports/GranteeSearch.cfm)
No really, it’s amazing
• 2.4GHz ISM Band FHSS
• 2401.5 - 2475.5 MHz, Binary FSK
• 75 channels, ~1MHz spacing
• Hopping period ~0.504ms
• “Altierre Tethered Device (ATD) is a short range radio to provision Altierre Electronic Shelf Labels … makes use of a short range 100MHz loop to identify an Altierre electronic shelf label… uses a 2.4GHz RF link to provision and load data.”
Taken from FCC OET reports for W22-AAP400, W22-ATAG400E, W22-ATD100
You’ve got my attention… Now what?
• Loiter in/near store with antennas – Tends to attract unwanted attention
• Pilfer some – Seriously? No. Just no.
• eBay! – People are selling this stuff
It's all fun and games until the mall cops, police, and feds show up and you have to explain that no, you’re not attempting to pull a TJX/Target…
Tear some stuff apart…
• Images (scanner is best)
– Epson V33 (PoS), awesome depth of field
• Two antennae
– 2.4GHz, 100MHz
• Lots of test points
• Not a lot of information
– Die on board (DoB) = No part numbers
Guess it's decap time…
[Board image labels: 2.4 GHz, 100 MHz ??]
ICS, EPOXY, CHEMICALS AND YOU
Now back to your regularly scheduled presentation
Why decap?
• It's cool
– IC layout and design is interesting
– Art
• Identify [un|de|re]marked packages
– Manufacturers grind off package markings as anti RE/knockoff technique
– Package on board issues
– Counterfeit detection
  • SD Cards, FTDI chips
• Recover masked ROM content
• Live probing & analysis
http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal
http://www.bunniestudios.com/blog/?page_id=1022
Integrated Circuit Basics
Yes, I’m lying a bit here, but for argument it’s close enough…
• IC (usually) attached to carrier
• Wire bonds to/from bond pads to external leads
• Encapsulated (sealed) in epoxy
• Die is a 3D device, many layers
– Packaging, Carrier, Passivation
– Metal (interconnect)
– Gate/Poly
[Figure labels: Epoxy/Potting, Silicon Die Carrier, DIP, BGA]
https://en.wikipedia.org/wiki/File:Cmos-chip_structure_in_2000s_(en).svg
https://en.wikipedia.org/wiki/File:Silicon_chip_3d.png
Decapping Techniques
Method | Options | Issues
Acids | Nitric: Hot [1, 2, 10], Room temp [3]; Hot sulfuric [4, 5] | Fast (Minutes to hours); Dangerous/deadly/gov’t watch list; Fumes melt your lungs; Dead before you know it’s a problem; Boiling/heating is really bad; Likely hard to get
Specialty | Professional stuff [6] | Fast?; Very expensive, hard to get, dangerous
Rosin | Rosin boil package [7, 8, 9] | Cheap but slow-ish (1-5 hours); Semi-dangerous; 200-300°C liquid, flammable, inhalation issues
Physical | Sanding/lapping; Thermal expansion | Nearly free; Good initial approach; Reduce package prior to chemicals; Difficult to control; Potentially expensive equipment
Generally useful: Siliconp0rn, Degate
I’m bored, why do we care again?
Die is 4x4mm. Image is 4248x3920 (30MB).
AFAIK this is the first publicly available image of this die
http://bit.ly/1isrg3d
What do I need to do that?
• Chem goggles and gloves [1], [2] <$50
– Seriously, get good PPE
• 1000°F Heat gun ~$23
• Rosin, $3
– Light is better, it's translucent
• Pyrex Test Tubes, <$13
• Ring stand + clamps, <$30
• Thermocouple, <$25
• Kapton tape, <$14
• Plastic Pipets, $5
• Solvents (hardware store)
– Denatured Alcohol, $8
– Acetone, $8
– Methyl-Ethyl-Ketone, $10
Assuming you had none of this on hand, & are impatient or bad at eBay, less than $200, and it’ll do many chips…
Also useful: pyrex microscope slides, petri dishes, assorted beakers, test tube tongs, plastic tweezers, super glue, IR thermometer, watch glasses, wash bottles, etc…
Safety Check
• Rosin
– Resin acids, mostly abietic
– Crystallizes near instantly when heat is removed
  • Similar to plastic burns
– Fumes/Vapors
  • Flammable & semi-toxic
  • Form sharp crystals in your lungs – Colophony disease
• Have a plan
– Where am I moving this to?
– Is that surface flammable/heat resistant?
– Are there things in the way?
• Solvents
– Heavier than air
– Flammable
– Carcinogenic
• Waste materials
– Dissolved epoxy, contaminated solvent, other nastiness
– These must be stored
– DO NOT POUR IT DOWN THE DRAIN
– Hazmat disposal days are your friend
• Know your MSDSes
HAVE & USE PERSONAL PROTECTIVE EQUIPMENT
Goggles, gloves, adequate ventilation (open a window, turn on a fan), fire extinguisher. Have friends check up on you. Keep pets & children away.
Rough Procedure
• Fill test tube 1/3 with rosin, heat to melting, add package to be decapped, raise to working temp
– Want 250-300°C
  • Measured with thermocouple kapton’ed to the test tube
– Rosin should be a low-mid viscosity fluid, minimal bubbling
– Control temp of rosin by moving test tube closer/farther from the heat gun
• Rosin will change color
– Starts a lovely amber
– Ends brown/black
• About 45-60m for my application
• 2-3 treatments to fully decap
– Dump rosin
– Wash die
– Start again
• Epoxy goes from rock hard to fibrous
[Photo labels: Start, Stop, Too long/hot]
Description is of apparatus shown previous, pictures are of a failed attempt to decap while keeping the bond wires intact. Might have worked had I not over cooked & sonic’ed the assembly.
Die Washing
• Rosin hardens fast
– Pour contents of test tube into heat safe container
– Let cool a bit (important)
– Dissolve waste rosin with denatured alcohol
  • CAREFULLY use the heat gun to move this along – Too much heat = boiling, followed by FIRE
• Several washings needed to fully remove rosin
• Post wash use a clean test tube
• Bonus: Sonicate! ($80)
Glued to the bottom…
Tips/Tricks
• Die is delicate
– Metal tweezers = Bad!
  • Industry uses carbon fiber
  • Conductive/ESD safe plastic works fine [1] – Slowly dissolve in solvent
• Pipets are useful
– Transfer (vacuum)
– Cleaning (solvent agitation)
• Superglue the die to
– Pyrex slide (best), petri dish
– Acetone dissolves superglue, if you need to remove it
Imaging
• Microscope ($145, 1)
– Dissecting, inspection, metallurgical, (transmitted/incident illumination)
– Lighting ($40, 2)
– XY Stage ($8, eBay)
• Camera ($30, 3)
– Expensive may != Good…
• Software
– VLC? (snapshot)
– Hugin [4]
• FoV [5]
Crappy Camera vs. Adapters + μ4/3
Higher effective mag, good focus
Edge blur, higher res
Same objective (4x) on scope
Hugin
• XY stage, ~2/3 overlap between images
– Use the Focus Luke
• Images -> Hugin
– Set FoV (2°?)
• Auto align
– Images taken in a pattern, maybe avoid/improve this?
• Create Panorama
– Maybe…
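A capture plan for the XY-stage step above, as an added example that is not part of the original slides: it computes stage offsets giving at least 2/3 overlap across the 4x4mm die and orders them in a serpentine so consecutive frames are always neighbours. The 1200x900 µm per-frame field of view and the row/column file naming are assumptions; substitute the field of view measured on your own scope.

```python
from fractions import Fraction
from math import ceil

def axis_positions(span_um, fov_um, overlap):
    """Stage offsets (µm) along one axis so frames of width fov_um cover span_um."""
    overlap = Fraction(overlap)
    if not 0 <= overlap < 1:
        raise ValueError("overlap must be in [0, 1)")
    if fov_um >= span_um:
        return [0]                        # a single frame already covers the axis
    step = fov_um * (1 - overlap)         # exact rational step, no float drift
    n = ceil((span_um - fov_um) / step) + 1
    last = span_um - fov_um               # clamp the final frame to the die edge
    return [min(int(i * step), last) for i in range(n)]

def min_overlap(positions, fov_um):
    """Smallest overlap fraction between neighbouring frames on one axis."""
    if len(positions) < 2:
        return Fraction(1)
    return min(Fraction(fov_um - (b - a), fov_um)
               for a, b in zip(positions, positions[1:]))

def plan_mosaic(die_um, fov_um, overlap=Fraction(2, 3)):
    """Return [(filename, x_um, y_um), ...] in serpentine capture order."""
    xs = list(enumerate(axis_positions(die_um[0], fov_um[0], overlap)))
    ys = axis_positions(die_um[1], fov_um[1], overlap)
    shots = []
    for row, y in enumerate(ys):
        cols = xs if row % 2 == 0 else xs[::-1]   # reverse every other row
        shots += [(f"r{row:02d}_c{col:02d}.jpg", x, y) for col, x in cols]
    return shots

if __name__ == "__main__":
    DIE_UM = (4000, 4000)   # die size from the slides: 4x4mm
    FOV_UM = (1200, 900)    # ASSUMED field of view of one frame, in µm
    plan = plan_mosaic(DIE_UM, FOV_UM)
    print(f"{len(plan)} frames")
    for name, x, y in plan[:10]:
        print(f"{name}  x={x:5d} µm  y={y:5d} µm")
```

Naming frames by row and column keeps the grid position recoverable when a stitch fails and a region has to be re-shot.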
Things go Poorly…
Pincushioning, Bad FoV (10°?)
Loss of focus
Bad stitch, poor overlap
Die is very dirty…
ANALYSIS
Now what the hell do I do?
Pretty, but useful..?
Amicom
CC2420
Thanks to Travis Goodspeed
Altierre
Next Steps
• Delayer and reimage
– Determine
• Masked rom or flash
• Processor type
• Chip regions to test points
– Mark orientation or bond wires intact
• Widen examination to rest of system
QUESTIONS? With luck I haven’t wasted your time...
RAPID FIRE! RFID Hotel Keycard (Mifare Classic 1K?)