Chip Decapping on a Budget - Zach Pahle (Shmoocon 2020)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hey everybody thank you very much so my name is Zack or fun-sized I tend to go by fun-sized at hacker cons but some people still prefer those IRL names so whichever is more comfortable for you but welcome to chip decapping on a budget so I just want to get something kind of out of the way right away Shmuel Khan has an excellent reputation with high quality talks and really professional presenters so I have no idea why they accepted me this is a really lowbrow talk and there's a reason for that so it's all contained in the title the purpose of this talk was to do something that normally costs hundreds of thousands if not millions of dollars and to do that on essentially $0 I didn't quite get there I got down to about $40 so bear with me so Who am I why should you care about what I have to say and how can you trust what I'm saying by day I'm an electrical engineer I work for a high reliability defense contractor I really enjoy my job when I'm not working on circuits at work I am working on random strange projects at home I really have trouble focusing on one particular project for too long so I'm into everything so things I really enjoy talking about our food magic juggling and scanning electron microscopes as one does so please if you enjoy any of those things come talk to me or check out my Twitter which will I will get to at the end so what is decapping so for as I said I'm a an electrical design engineer so I deal with integrated circuits every day all day and so the black ICS or integrated circuits that you see on your standard PCB are enclosed by a material so you know you got your standard as you can see here on the screen you've got your standard black package with leads coming out why is there that black package it is to protect the guts of that integrated circuit in such a way that they're protected from dust and contaminants from oxidation from vibration and most commonly from reverse engineering so that's why you never see these these materials are actually made out of an epoxy ID and they're never clear because the manufacturer is not trying to to make it easy for you to see how they did their design on that particular chip so if they've gone to all this effort to make it hard to see what's going on inside of the chip why would we be interested in removing that so maybe we just want to see what it looks like maybe we want to verify that that part is what it actually says that it is maybe we want to make sure that we're not receiving counterfeit parts from a supplier for example I often work with milspec parts milspec parts are essentially you take the commercial chip you slightly increase the temperature range of that chip can withstand and then you charge ten times as much for that chip that's just normal so if you are a chip manufacturer you can take a whole bunch of the commercial grade chips don't do anything to the actual product re label them as mil standard and then sell them for much higher income so as someone who deals with those type of chips a lot we need to make sure that the product that we are receiving is actually what we paid for and then finally if you work for an IC manufacturer an ASIC developer or even just someone who's trying to get a leg up on the competition you might be interested in reverse engineering some of those integrated circuits so I'm trying to keep this talk fairly low jargon but there are a few things that I think are useful for you to know if you're interested in this area because they're terms that will commonly come up that maybe aren't commonly found in other areas of ex tee's so a wafer is the silicon disk that ICS are printed on so there is a lengthy process by which integrated circuits are made and it's fascinating and it definitely does not fit inside the scope of this talk so if you're interested in learning more about how transistors are made I would love for you to buy me a drink and I'll tell you all about integrated circuit manufacturing however one of the one of the key aspects of that is they take a really large silicon crystal that has been grown and they cut it into these very thin wafers they then dope those wafers with different materials that give that silicon it's different transistor properties so that it can be turned into something that does the computing tasks that we require and then that wafer is cut into dyes so a dye is just a sliced up wafer into the size of what's going to go in the final IC and then when someone's talking about the process size what they are discussing is what is the longitudinal width or height of the a single transistor on that die so if you've got ten thousand transistors and you're running a nanometer scale process you can you know and it's a it's a centimeter long you can fit that many transistors onto your chip so earlier we had the picture of the IC that was a flat bladed package so I think those are much more common in what hobbyist level people are seeing in cell phones we're going to an even smaller size of packaging like ball grid array this is an older style of IC package it's one that a lot of you will be familiar with from the old school Arduino 's they used this type of lead frame so essentially what's going on is these are pins that you interact with that go down to your board here and here in the middle this is that die that we were talking about can you tell how much caffeine I've had from the laser shaking so immediately underneath that is a heat pad and then all around it is the encapsulation material so in general the capsulation materials are made out of a pox I'd in fact I have a whole slide on this so the usually 99% of consumer-level ICS are epoxy filled with silica or sand so if you've ever used five-minute epoxy or jb weld it's a very similar material to that and it is specifically designed depending on what manufacturer that you are talking about to have certain properties usually those properties are primarily for strength it's to keep the die attached to the bond wires attached to the lead so this is something actually that I want to go over a little bit more in depth real quick so there's these bond wires in between the die and the leads and basically that's how they take you can make a die of any size you can make that die as small as you want and then you grow it with bond wires to fit a package size of the actual chip that you're gonna put on your PCB this is really important because for anybody who has used standard chips like 16 pin sock chips or anything that is designed to go in a 74 series logic those have been the same shape and size since the 80s the the technology for building the silicon inside of that shape has changed drastically and it's now only about 1/10 of the total footprint whereas before it included about 80% of that footprint but nobody had to change their board layout because they were still able to make that package size fit so all right we're interested in getting into some of these ICS so what do we want to how do we want to go about this process what are the ways that you can remove the Epoque side as I said before there are labs all over the world that have been doing this for a long time that cost millions of dollars where they have incredibly high precision tools to get into the ships themselves mechanical removal is the first one that I thought of so these are these are basically listed in order of how my brain works so I'm sorry but mechanical was the first idea that I had and I thought okay well I can I can sand it off I could use a dremel again we're going for low-cost right what do I have in my apartment I was I started this process about two years ago and I was modeling it after what if I was a broke college student because at the time I was a broke college student so it worked out really well and with mechanical removal the first thing that came to mind was I'm gonna get a mill so I'm gonna get a mill and I'm going to figure out I'm gonna measure exactly how far down into the chip I can cut there's a couple of problems with this so process size so if you recall from my earlier slide process size is how large the transistors are it's also a pretty good way of analyzing what the smallest feature you need to look at is what is the minimum resolution of an imaging technique that I need to be able to look at the die that I'm interested in so if I've got a bunch of transistors that are let's just throw out a random number like a hundred micrometers long and maybe they're only 50 micrometers deep that means I need to have a mill with an accuracy of less than or rather than greater than 50 micrometers well most consumer hobbyist level mills are at about and a micrometer and a good engineer would remember exactly what that conversion is but basically it's really hard to get the kind of tolerances that you need on a hobby mill so I went and looked at professional mills so we're already outside of the scope of my project but hey what can they do they still can't get down to the types of resolution that you need to be able to accurately cut away the surface above a die so it's not the worst idea in fact there's some advantages to it so you can basically use mechanical removal for bulk material removal let's say you want to get 90% of the way there and then you have some other technique by which you can remove that material over the top of the die mills are just fine you have to know how deep the die is first which may require either having a secondary chip that you can cut in half and look or you could use an x-ray to figure out how deep that material runs there's a lot of ways that you could start to figure that out but you essentially have to know that knowledge a priori when you start cutting into the chip which is a problem and if you're if you're doing this forensic Lee hopefully you're not doing this on your own budget forensic Lee because that means that someone is not paying you enough but if you're like me and you're just insanely curious about what these ICS look like under the surface then I can probably afford to buy two chips it's unlikely that I only have exactly one chip in my repertoire so another option after we've gone past mechanical removal is chemical removal so this is the one that most people tend to associate when they think of chip decapping if you've ever looked at it before so it's fun types of chemicals so generally you're gonna use sulfur sulfuric and nitric acid in order to dissolve the Epoque side sulfuric and nitric acids have really interesting chemical properties in that they attack different types of metals and polymers in interesting ways and so by using a specific blend of sulfuric and nitric acid you can actually essentially target the type of app oxide that you want to be able to get into the dye that you're working on so I thought to myself how hard could that be it turns out it's a little bit harder than you think it's actually not terribly difficult to source sulfuric and nitric acid I'm already on a bunch of lists so that's not a problem but what kind of concentrations do you want so generally you're gonna want s acid concentrations of about 90% it's actually rather difficult to get acids shipped anywhere even commercially in small quantities at 90% concentrations you're generally gonna get 60 to 70% concentrations what's interesting about that is the easiest way to concentrate an acid is you boil it you know so what happens is the the water evaporates in you're left with a stronger concentration of acid one of the downsides to this methodology is that it also releases acid fumes so if you're gonna do this if you're gonna concentrate these acids and you also have to run them at a fairly high temperature to get a reaction with your Epoque side to get instead of it taking days it'll take a few hours then you need a fume hood because otherwise you're putting out really nasty fumes and it's not so much that they're toxic as they dissolve the inside of your lungs so I was doing this in my kitchen and it it was a little scary so I had turned on the microwave hood and I was running it and I thought to myself today is not that day like that's not how I want to go out so there will be I actually am working on an open-source fume hood design where you should be able to take the components order them from nationally available suppliers and put it all together for less than $200 I will talk about that briefly afterwards but basically when I was doing a lot of this initial research I was like all right either need to buy a fume hood or go find somewhere that is willing to let me do random chip decapping in their lab with no supervision you could do it outside as long as you trust the wind so what are the advantages of chemical Removal so it leaves the bond wires intact this is why most people will go with chemical removal because if you want to see how the bond wires are arrayed or what they're made out of or maybe even do crazy things like run the chip while it's exposed so that you can see what's going on you need those bond wires also the exposed dye is free of debris this is a major difference between mechanical removal and the the chemical removal is mechanical removal up until you're basically removing the very top surface of your dye there's gonna be an optical layer of epoxy that's in the way so what a lot of people will do is they'll go do the bulk material removal with the mill they'll get really close to the top of the dye but not actually touch it and then they'll use fuming sulfuric and nitric acid together so that they can get the rest of the way and have an optically clear image so like I said before this can be kind of a dangerous process you know the major downsides are that it's it's very dangerous it requires a fume hood and a heating plate neither of which are terribly difficult to source but it it means that not everybody has access to those things right and what I really was trying to do with this entire project and this will become more apparent towards the end was make it so that anybody could do it and then it requires some chemistry knowledge which I don't have so all of the stuff that I've been telling you about acids and Epoque sides I probably made up another way that everybody always suggests is what about a laser cutter energize particle removal works just fine but it basically falls under exactly the same upsides and downsides of mechanical removal which is it requires expensive tooling it doesn't get you that close and if you ever want to use the chip after you've D capped it there's the potential that when you're lasering onto the top of this thing it's actually gonna blow out portions of your IC and that's due to you know basically the the silicon substrate itself has a photoelectric effect it's like the opposite of how an LED works and so if you're blasting light into this thing you can blow out channels on your transistors so maybe we don't care about that maybe we just want to look at it let's say that we really don't care how the chip works we just want to look at it so this is where the oh yeah alright um I have a back-up plan I have a video and as you guys know videos never work the way they are supposed to I mean it's a video of me so it would not be terribly difficult to act out it give me just a moment while I find this like all good very prepared presenters I'm gonna look in my downloads folder on Firefox this is the money shot windows come on it's true story I also wouldn't have any self respect on Linux okay I'm gonna continue looking for this video while I continue to talk about what I did so I actually did go out and like I said I was in my kitchen I had this sulfuric and nitric acid it was at 70 percent concentration and I let it sit there for four hours I had I had four chips because I work in an electrical industry it made it really easy to take home some chips that were no longer being used so I had essentially 10 samples of a large microcontroller that I could do almost anything that I wanted to with and so I spent a whole day you know breathing the fumes and getting into trouble and really hoping that lung function wasn't all that terribly critical to life quality and then [Music] I put it in this folder I did so what I finally decided to do I got I'm not gonna lie like this is not a proud moment for me I got angry and I got angry enough that I was like I'm kidding into one of these asses whether they like it or not so I picked up my blowtorch and item Utley did not think this was gonna work right so I just spent the entire day I had these four different ICS one of them my acid mixture dissolved all the metal but it didn't touch the Epoque side at all which was completely useless I tried a really strong base because a lot of solder mask is that essentially the very similar material and it didn't work so finally I just used a blowtorch and I smoked that sucker I I lit it up the leads went red-hot but didn't melt away the app oxide carbonized it turned gray and went to ash and then just fell off so it it all fell out and I was able to access my my I see just fine yes so basically what I'm saying is for $40 which is how much it cost to buy a blow torch at Home Depot you to candy cap icees so real quick I wanted to go over what that looks like so this was the result of that you can see there's discoloration on the thermal part where the blowtorch totally lit up the I see in the black canister on my right the right side of the photo it is that's that's the remaining dies from a number of microcontrollers that ID catch okay that's cool I can't see anything can you see anything what does that look like so this is the very first image that I took this is basically what happens when you move that light all the way to the side and it gives you all those colors so this this was first attempt guys this was you know $40 and here we are so if these things are all a mystery to you that's okay they were initially a mystery to me - there's an entire industry about building all of that stuff and that's that's a talk for a later time of how to actually interpret what you're seeing for me this is started off as more of an art project than anything else so I'm gonna jump to the end here basically these slides I was talking about microscopes and how to select them that is really a topic that doesn't fit very well inside of 20 minutes so these are some images that I wanted to share with you at the end of this slide deck which I will release online there are a bunch of references one of the guys that do really really quality images is Zepto bars so Zepto bars use a number of interesting photographic techniques after they do an excellent job decapping chips to get these high resolution images and you should check them out so these are not these the last three photos were not mine if you're interested in contacting me my twitter handle is also my email which is also my github so feel free to take photos of the slide if you want or come talk to me I have some stuff that I'm doing in the future and if we have some time for questions after this then we can we can go over that so that is that's pretty much my presentation thank you very much

Info

Channel: 0xdade

Views: 1,006

Rating: undefined out of 5

Keywords: shmoocon

Id: mriu_O8bhck

Channel Id: undefined

Length: 25min 11sec (1511 seconds)

Published: Thu Mar 12 2020