Registered Member #119
Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
After seeing a video of a talk at 25C3, I decided I wanted to take a stab at IC reverse engineering as an interesting security research topic and an excuse to learn something about VLSI. My eventual goal is to try to reverse engineer some security chips to look for weaknesses, but in the meantime my main goal is to follow the Intel x86 line since it's been a roadmap in the semiconductor industry for some time. Using inverted metallurgical microscopes, it looks like I can image up to Coppermine (late PIII) without too much trouble. While manufacturing tolerances have to be tight, I only need circuitry to be discernible, not crisp. That said, better images definitely lead to easier analysis. If I can get good images up to there, I will look more seriously into electron microscopy.
The current process is something like this. Find a sample chip and decap it. Ceramic chips made easy first targets as they can usually be opened with a heat gun. Now I'm using nitric acid to dissolve plastic/epoxy packages. Supposedly RFNA allows room temperature decapping, but the first batch I made (since it was such a pain to order) was fairly low quality and it was much easier to just boil it. I'm working on getting some better chemistry equipment and started filling out some forms so I can order it directly. After a raw die is available, I scan across it using XY stages on the microscope, getting about 1/3 picture overlap. These pictures are then fed into autopano, then Hugin to generate high resolution die images. The biggest trick on this part is that the images need to be well focused for best results, and proper optimization settings in Hugin are necessary. Lower layers can be reached by using hydrofluoric acid (nasty chemical, but can be had from over the counter rust remover in the US) to etch away the silicon glass. I haven't had good results with this part yet for some reason. Current issues are getting summer microscope access and inability to etch to the transistor layer.
I'm considering going to the next HOPE, where I know some people do this sort of thing and can probably give me some advice. If you want to read more about some of the stuff I've tried, I'm compiling information at two sites. The first is a braindump, and the second is a Wiki that eventually will have more refined knowledge. I'm considering moving the Wiki to Wikia though, as I'm finding I like MediaWiki a lot better. I thought I was going to be able to work on stuff this summer break from school, but it hasn't worked out for me to get a microscope over here (Cambridge, MA) and I haven't had the chance to look around since I'm working full time. Nonetheless, I hope to continue this in August or so once I get back to school if I don't get an imaging setup up for the summer.
Attached are a few low res (but I have higher) test images. Since having some time now during the summer, I got a lot better at learning what it takes to get good stitches, so they aren't perfect, but are still nice looking. They include 74LS125 top metal, AD534 top metal, and a few misc die copyrights. The 74LS125 shows the top metal before and after cleaning with acid. Also, I tried adding H2O2 to the HF mixture (I even found a paper citing that this should work before I tried it) to speed up the etch process, but it just resulted in funkiness and the die turning to mush! The AD534 is my favorite. I messed up taking the pictures though by turning the knobs too far and didn't analyze it until after I had a microscope, but it still looks pretty cool. I had to manually align some of the images and it's not stitched very well in the center because of this, but it might not be too evident in the low res picture. It's in a ceramic package, so you can still see the bonding wires, as opposed to the 74LS125, which was removed from an SMD epoxy package by nitric acid.
The last picture is the copyright on a TI BQ8011 battery IC, but I didn't flip it (taken with inverted metallurgical microscope), so it's an unmodified image where the writing is backwards. If people have suggestions, I'd be more than happy to open a discussion thread for ideas. Thanks for looking!
Registered Member #2261
Joined: Mon Aug 03 2009, 01:19AM
Location: London, UK
Posts: 581
I like to explore ICs under a microscope from time to time - generally old Intel/AMD CPUs. For me the best results are when the IC has a metal or quartz (EPROM) lid you can remove so the chip hasn't suffered any chemical or mechanical damage. For encapsulated chips I've found sometimes a bit of heat helps get most of the plastic off. Then my version of Piranha mix removes what's left. My version uses 9% H2O2 from the local chemists (hair bleach). There are lots of horror stories about Piranha mix, but I guess my dilute H2O2 makes for a more civilised cocktail, still worthy of respect of course! It does a good job of removing organic compounds, but I found it quite a drain on my chemical supplies as its effectiveness quickly wears off after mixing the chemicals. Heat helps get as much oxidising goodness from a batch as possible, but to improve efficiency further I take the plastic encapsulated chip (with as much package removed mechanically as possible) and carbonise the plastic with very hot concentrated sulphuric acid. You can leave the package in a flask on a hotplate with stir bar for hours. The end result is the chip embedded in a honeycomb of carbon, probably with some unreacted/semireacted plastic buried underneath, so you may want to clean and repeat. When there isn't too much left to remove, change to the weak Piranha mix to tidy up without scratching the chip.
I don't know much about dissolving layers off of a chip to get to the lower layers, but I have observed varying top coating on chips, so I doubt a single chemistry will fit all situations. Another approach I've heard of is to step by step polish away the chip surface. If you're in a metallurgy lab you might have just the type of polishing machine you need available for preparing metal samples before etching? With careful optical grade polishing you should be able to successively strip away as much or as little material as you want, practically down to the atomic scale. The trick will be getting the material removal rate uniform across the chip, I suspect, but the silicon is very flat so it can be done. I'm not familiar with metallurgy microscopes but you should be able to get much better images than those. I would try some other microscopes! Lighting can have a strong effect on the visibility of structures, as interference effects result in all sorts of pretty colours depending on layer thicknesses etc.
Good luck with your project. As an IC tourist I'm a fan of 'Silicon Zoo'. They have a collection of unexpected images that IC designers have tucked into spare bits of silicon in their designs over the years. e.g. , Index
Just found this place which might interest you. Looks like they do what you're describing. They have nice pictures here, e.g.
Registered Member #119
Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
I wasn't familiar with Piranha solution. I looked into it and it looks like something that might be of use to me. I'll have to figure out a way to suppress the H2SO4 eating the top metal (aluminum) though. Nitric acid doesn't react with aluminum and usually would work to protect it I think, but it reacts with H2O2 in a somewhat dangerous manner, so I'll have to find another solution to that. The main reason this interests me is because a number of Intel chips (eg: PIII) have a thin organic spacer between the die and the external contacts. I've tried a number of chemicals to remove it, but the only way so far I've found is to eat away the top metal. Obviously this never lets me photograph the top metal though.
There are a number of nice websites. Flylogic does some neat stuff and even publishes some research. A few others that are good include the OTHER Silicon Zoo, which has some nice diagrams on basic digital logic reversing, and Degate, which is free software that aids in manual analysis. Finally, "Integrated circuit failure analysis: a guide to preparation techniques" is a good read which has many techniques.
I tried polishing with a Dremel a bit back, which some groups seem to have good luck with. Unfortunately, I didn't and the surface came out very scratched. I did later get some higher quality polishing compound and wheels, but haven't tried since. I also have some largish turntables from an old wafer polisher; I might see if I can fix them up for operation again. As far as getting labs to help me, I talked to some EE staff at my school (RPI) and they didn't seem to want anything to do with a reverse engineering project.
I didn't take pictures of this, but I have some EPROM chips that are first generation or something. They have no maker's marks or chip number of any type that I can find anywhere. But what I found really entertaining is the die actually has labels for the wires on it (eg: +, -)! I haven't seen that on any other chips.
Registered Member #480
Joined: Thu Jul 06 2006, 07:08PM
Location: North America
Posts: 644
McFluffin -
Do you have access to a dark-field microscope?
The overall appearance of the IC metallization is shockingly different with dark-field illumination: contrast, surface texture, edge definition, the appearance of "depth" are all quite different than is seen with conventional illumination.
Registered Member #2099
Joined: Wed Apr 29 2009, 12:22AM
Location: Los Altos, California
Posts: 1716
McFluffin wrote ... My eventual goal is to try to reverse engineer some security chips to look for weaknesses, but in the meantime my main goal is to follow the Intel x86 line since it's been a roadmap in the semiconductor industry for some time.
Nice pictures! Beware that the makers of security chips, such as smart cards, are well aware of attacks by decapping and inspecting or even micro-probing the IC. Chip design, process, and package details include measures to increase the difficulty and cost of such attacks.
Many very smart people make a career of computer security. Good luck if you go there.
Registered Member #2261
Joined: Mon Aug 03 2009, 01:19AM
Location: London, UK
Posts: 581
This describes how a professional decaps plastic encapsulated ICs. Heat the chip to 150C, add a drop of 90% Fuming Nitric Acid to the top of the package and, after several seconds to allow it to react, rinse it away with acetone (caution!). Repeat. I'll have to look into making Fuming Nitric as it's harder to obtain than ordinary Concentrated Nitric (70%). The chip is then rinsed in 'NMP solvent', which I think is N-Methylpyrrolidone, and cleaned in an ultrasonic cleaner to remove small glass particles. I don't know N-Methylpyrrolidone, but from the Wikipedia article, perhaps Methylene Chloride would be worth trying instead. Have fun (but be careful)!
Registered Member #119
Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
Do you have a dark field microscope you can lend me? :) I don't have access to a dark field microscope, but I did look into it briefly before. My conclusion seemed to be that dark field microscopes are not as available and the metallurgical microscopes are providing enough information for the time being. I did do a comparison between the compound light microscope and the metallurgical microscopes I had. While the difference for the top metal was interesting, only the metallurgical microscope could see the interconnect layer, which showed up mostly black under the compound biological microscope.
Yes, I am aware of the attack, countermeasure paradigm. This summer I'm doing malware reverse engineering, which is a digital warzone of attack and countermeasure. I've read papers on creating and defeating IC RE techniques and it seems to be similar stuff I'd enjoy. In the short term though, I'm doing it mostly as practice and as a practical way to learn basic digital VLSI and so don't have to worry so much about that. There is a decapsulating facility at the lab complex I am interning at over the summer and I'm hoping to talk to them to get some insights on professional analysis.
The stuff on the counterfeit Atmels is interesting. I have heard of counterfeit ICs here and there, but never seen much of a writeup on it.
Registered Member #1062
Joined: Tue Oct 16 2007, 02:01AM
Location:
Posts: 1529
Here are two pictures I took today with a Differential Interference Contrast microscope w/ a piece of crap camera attached. It was a die, not from a packaged chip. No idea what it is.