INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Friday, October 26, 2007

Decapsulated devices

Recently at Toorcon9 (www.toorcon.org), some individuals asked to see images of decapsulated parts still in their packages. I dug around and came up with some examples. Click on any of the pictures for a larger version.




Above: Microchip PIC18F2550


Above: Dallas DS89C450



Above: Microchip dsPIC30F6013


Using our proprietary procedures, all parts remain 100% functional with no degradation after exposing the substrate.

13 comments:

  1. I know you do this for a living and won't like to share your secrets, but could you please explain some other processes that can be done to a chip to de-cap it?

    I have always been interested in seeing the insides of some telephone cards that I have ;)

  2. The acids we use are very dangerous and will burn if you come in contact with them.



    We happened to have a telephone card from Mexico that we scanned in. This particular card used an ST 1355 serial memory. The die revision is 'D'. We also have a Canadian phone card that has not been imaged of the same die but instead is revision 'A' of the silicon.

    Rev 'A' = 1993
    Rev 'D' = 2001

    We immediately see a security related change between the two parts. We'll get the older part imaged and do a write up sometime soon.

    Click on this link for a larger version of the pic: http://www.flylogic.net/chippics/phonecards/st1355D_large.jpg

  3. Awesome, thanks! I'll be looking forward to reading that write-up.

  4. oscar Says:

    November 4th, 2007 at 4:20 pm
    I know you do this for a living and won't like to share your secrets, but could you please explain some other processes that can be done to a chip to de-cap it?

    I have always been interested in seeing the insides of some telephone cards that I have

    admin Says:

    November 5th, 2007 at 7:43 pm
    The acids we use are very dangerous and will burn if you come in contact with them.

    You said you use HF acid, is that how you "burn off" the encapsulation?

    I read some articles in Holland about 7 years ago, Telegraaf newspaper Saturday edition, that someone at the Twenthe university managed to "micro probe" a smartcard and was able to reset config bits by using a certain voltage. One disadvantage: he needed more than one card to succeed.
    He used acid as well to etch through the plastic.
    23rd April 2008

  5. When you say proprietary process, you mean fuming sulfuric acid and a hot plate. I do this all the time, it's not a secret process, it's a well known industry standard practice.

    I am not trying to be a dick, but by saying that it's some sort of secret you were just begging to get called out.

  6. We mean we don't want to explain in detail why we mix chemicals together to better break down the various barriers protecting the die. If you told me you use fuming sulfuric we would tell you that your devices are dirty but you get your job done ;)

  7. Not that difficult if you know what you're doing... I did this one at home in less than half an hour. (No RFNA necessary, 70% works very well if you get the chip nice and hot.)

    The chip is a PIC18F1320-I/P (new revision) which I ordered samples of after reading your teardown. It still has filler over the code protection fuses. Next step: spin coat a drop of photoresist, expose, and etch a nice little hole ;)

    Preparation (PIC is at top, bottom is a 7400 series chip I did in the same session)
    http://i.imgur.com/bIPa6.jpg

    Checking etch progress, one corner still covered in epoxy
    http://i.imgur.com/zsXZ0.jpg

    Target power not detected - Powering from PICkit 2 ( 5.00V)

    PIC18F1320 found (Rev 0x7)
    http://i.imgur.com/Cot9I.jpg

  8. Any chance to see a teardown of the Siemens SLE4436 based phonecards?
    They are used for example in Romanian phonecards.
    Here are some links to a great explanation of their functionality:
    http://gsho.thur.de/gsho/phonecard/advanced_e.htm
    http://ciscom.ru/hackersrussia/Cards/Syncro/Eurochip.txt

    A challenge-response algorithm is used.
    "Algorithm is fully hardware based and uses a 48 bit moving register and only XOR or NXOR logic cells. Also card have three 9 bit, 6 bit, 5 bit counters with unknown function."
    :)

  9. Can you send us some samples of the SLE44 series device?

    We've seen the 4442, 4428 and 5542 series to date.

    Thx!

  10. Nice job,

    I'm interested in the pic30f5013 die. Is it similar to the 30f6013? Where is the EEPROM, config fuses, and so on? Maybe it's possible to see some dies? Now I'm decapping a 30f5013, so some information would be nice ;)

  11. azonenberg says:
    October 15, 2010 at 5:36 pm

    Not that difficult if you know what you’re doing… I did this one at home in less than half an hour. (No RFNA necessary, 70% works very well if you get the chip nice and hot.)

    The chip is a PIC18F1320-I/P (new revision) which I ordered samples of after reading your teardown. It still has filler over the code protection fuses. Next step: spin coat a drop of photoresist, expose, and etch a nice little hole ;)
    ===========================================

    I also have an 18F4550 that is code-protected against read and write, and bootloader-protected.
    After exposing the chip, is resetting the code-protect zone possible only electrically, or is it also possible with UV focused on that zone?
    Will UV exposure not damage the whole program inside, or neighbouring sectors near the exposure?

    What do you recommend as the easier way to change the code-protect bit after the chip is exposed? I want to extract the software from inside: program and bootloader, all of it.

    thanks
