Welcome
Username or Email:

Password:


Missing Code




[ ]
[ ]
Online
  • Guests: 68
  • Members: 0
  • Newest Member: omjtest
  • Most ever online: 396
    Guests: 396, Members: 0 on 12 Jan : 12:51
Members Birthdays:
One birthday today, congrats!
David (38)


Next birthdays
12/25 Kolas (17)
12/25 Dillon4DynamicHarmonics (40)
12/26 buxtronix (49)
Contact
If you need assistance, please send an email to forum at 4hv dot org. To ensure your email is not marked as spam, please include the phrase "4hv help" in the subject line. You can also find assistance via IRC, at irc.shadowworld.net, room #hvcomm.
Support 4hv.org!
Donate:
4hv.org is hosted on a dedicated server. Unfortunately, this server costs and we rely on the help of site members to keep 4hv.org running. Please consider donating. We will place your name on the thanks list and you'll be helping to keep 4hv.org alive and free for everyone. Members whose names appear in red bold have donated recently. Green bold denotes those who have recently donated to keep the server carbon neutral.


Special Thanks To:
  • Aaron Holmes
  • Aaron Wheeler
  • Adam Horden
  • Alan Scrimgeour
  • Andre
  • Andrew Haynes
  • Anonymous000
  • asabase
  • Austin Weil
  • barney
  • Barry
  • Bert Hickman
  • Bill Kukowski
  • Blitzorn
  • Brandon Paradelas
  • Bruce Bowling
  • BubeeMike
  • Byong Park
  • Cesiumsponge
  • Chris F.
  • Chris Hooper
  • Corey Worthington
  • Derek Woodroffe
  • Dalus
  • Dan Strother
  • Daniel Davis
  • Daniel Uhrenholt
  • datasheetarchive
  • Dave Billington
  • Dave Marshall
  • David F.
  • Dennis Rogers
  • drelectrix
  • Dr. John Gudenas
  • Dr. Spark
  • E.TexasTesla
  • eastvoltresearch
  • Eirik Taylor
  • Erik Dyakov
  • Erlend^SE
  • Finn Hammer
  • Firebug24k
  • GalliumMan
  • Gary Peterson
  • George Slade
  • GhostNull
  • Gordon Mcknight
  • Graham Armitage
  • Grant
  • GreySoul
  • Henry H
  • IamSmooth
  • In memory of Leo Powning
  • Jacob Cash
  • James Howells
  • James Pawson
  • Jeff Greenfield
  • Jeff Thomas
  • Jesse Frost
  • Jim Mitchell
  • jlr134
  • Joe Mastroianni
  • John Forcina
  • John Oberg
  • John Willcutt
  • Jon Newcomb
  • klugesmith
  • Leslie Wright
  • Lutz Hoffman
  • Mads Barnkob
  • Martin King
  • Mats Karlsson
  • Matt Gibson
  • Matthew Guidry
  • mbd
  • Michael D'Angelo
  • Mikkel
  • mileswaldron
  • mister_rf
  • Neil Foster
  • Nick de Smith
  • Nick Soroka
  • nicklenorp
  • Nik
  • Norman Stanley
  • Patrick Coleman
  • Paul Brodie
  • Paul Jordan
  • Paul Montgomery
  • Ped
  • Peter Krogen
  • Peter Terren
  • PhilGood
  • Richard Feldman
  • Robert Bush
  • Royce Bailey
  • Scott Fusare
  • Scott Newman
  • smiffy
  • Stella
  • Steven Busic
  • Steve Conner
  • Steve Jones
  • Steve Ward
  • Sulaiman
  • Thomas Coyle
  • Thomas A. Wallace
  • Thomas W
  • Timo
  • Torch
  • Ulf Jonsson
  • vasil
  • Vaxian
  • vladi mazzilli
  • wastehl
  • Weston
  • William Kim
  • William N.
  • William Stehl
  • Wesley Venis
The aforementioned have contributed financially to the continuing triumph of 4hv.org. They are deserving of my most heartfelt thanks.
Forums
4hv.org :: Forums :: Projects
« Previous topic | Next topic »   

IC die imaging

1 2 
Move Thread LAN_403
McFluffin
Sun Jun 27 2010, 06:17AM Print
McFluffin Registered Member #119 Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
After seeing a video of a talk at 25C3, I decided I wanted to take a stab at IC reverse engineering as an interesting security research topic and an excuse to learn something about VLSI. My eventual goal is to try to reverse engineer some security chips to look for weaknesses, but in the meantime my main goal is to follow the Intel x86 line since its been a roadmap in the semiconductor industry for some time. Using inverted metallurgical microscopes, it looks like I can image up to Coppermine (late PIII) without too much trouble. While manufacturing tolerences have to be tight, I only need circuitry to be discernible, not crisp. That said, better images definitely lead to easier analysis. If I can get good images up to there, I will look more seriously into electron microscopy.
The process current is something like this. Find a sample chip and decap it. Ceramic chips made easy first targets as they can usually be opened with a heat gun. Now I'm using nitric acid to dissolve plastic/epoxy packages. Supposedly RFNA allows room temperature decapping but the first batch I made (since it was such a pain to order) was fairly low quality and it was much easier to just boil it. I'm working on getting some better chemistry equipment and started filling out some forms so I can order it directly. After a raw die is available, I scan across it using XY stages on the microscope, getting about 1/3 picture overlap. These pictures are then fed into autopano, then Hugin to generate high resolution die images. The biggest trick on this part is the images need to be well focused for best results and proper optimization settings in Hugin are necessary. Lower layers can be reached by using hydrofluoric acid (nasty chemical, but can be had from over the counter rust remover in the US) to etch away the silicon glass. I haven't had good results with this part yet for some reason.
Current issues are getting summer microscope access and inability to etch to the transistor layer. I'm considering going to the next HOPE where I know some people do this sort of thing and can probably give me some advice.
If you want to read more about some of the stuff I've tried I'm compiling information at two sites. The first is a braindump, and the second is a Wiki that eventually will have more refined knowledge. I'm considering moving the Wike to Wikia though as I'm finding I like MediaWiki a lot better. I thought I was going to be able to work on stuff this summer break from school, but it hasn't worked out for me to get a microscope over here (Cambridge, MA) and I haven't had the chance to look around since I'm working full time. Nonetheless, I hope to continue this in August or so once I get back to school if I don't get an imaging setup up for the summer.
Attached are a few low res (but I have higher) test images. Since having some time now during the summer, I got a lot better at learning what it takes to get good stitches, so they aren't perfect, but are still nice looking. They include 74LS125 top metal, AD534 top metal, and a few misc die copyrights. The 74LS125 shows before and after cleaning with acid the top metal. Also, I tried to adding H2O2 to the HF mixture (I even found a paper citing that this should work before I tried it) to speed up the etch process, but it just resulted in funkiness and the die turning to mush! The AD534 is my favorite. I messed up taking the pictures though by turning the knobs too far and didn't analyze it until after I had a microscope, but it still looks pretty cool. I had to manually align some of the images and its not stitched very will in the center because of this, but it might not be too evident in the low res picture. Its in a ceramic package, so you can still see the bonding wires as opposed to the 74LS125 which was removed from a SMD epoxy package by nitric acid. The last picture is the copyright on a TI BQ8011 battery IC, but I didn't flip it (taken with inverted metallurgical microscope), so its an unmodified image where the witting is backwards.
If people have suggestions, I'd be more than happy to open a discussion thread for ideas. Thanks for looking!



1277618740 119 FT0 Top Metal  Sinc 256  Small

1277618740 119 FT0 Top Metal Sinc1024  Winsmall

1277618740 119 FT0 Interconnect Sinc256 Small

1277618740 119 FT0 Hf Interconnect Sinc256 Small

1277618740 119 FT0 80486 Label

1277618853 119 FT0 Bq8011 Die Copyright
Back to top
IntraWinding
Sun Jun 27 2010, 10:08AM
IntraWinding Registered Member #2261 Joined: Mon Aug 03 2009, 01:19AM
Location: London, UK
Posts: 581
I like to explore IC's under a microscope from time to time - generally old intel/AMD cpu's. For me the best results are when the IC has a metal or quartz (EPROM) lid you can remove so the chip hasn't suffered any chemical or mechanical damage. For encapsulated chips I've found sometimes a bit of heat helps get most of the plastic off. Then my version of Piranha mix removes what's left. My version uses 9% H2O2 from the local chemists (hair bleach). There are lots of horror stories about Piranha mix, but I guess my dilute H2O2 makes for a more civilised cocktail, still worthy of respect of course! It does a good job of removing organic compounds, but I found it quite a drain on my chemical supplies as its effectiveness quickly wears off after mixing the chemicals. Heat helps get as much oxidising goodness from a batch as possible, but to improve efficiency further I take the plastic encapsulated chip (with as much package removed mechanically as possible) and carbonise the plastic with very hot concentrated Sulphuric acid. You can leave the package in a flask on a hotplate with stir bar for hours. The end result is the chip embedded in a honeycomb of carbon, probably with some unreacted/semireacted plastic buried underneath, so you may want to clean and repeat. When there isn't too much left to remove, change to the weak Piranha mix to tidy up without scratching the chip.

I don't know much about dissolving layers off of a chip to get to the lower layers, but I have observed varying top coating on chips, so I doubt a single chemistry will fit all situations. Another approach I've heard of is to step by step polish away the chip surface. If you're in a metallurgy lab you might have just the type of polishing machine you need available for preparing metal samples before etching? With careful optical grade polishing you should be able to successively strip away as much or as little material as you want, practically down to the atomic scale. The trick will be getting the material removal rate uniform across the chip, I suspect, but the silicone is very flat so it can be done.
I'm not familiar with metallurgy microscopes but you should be able to get much better images than those. I would try some other microscopes! Lighting can have a strong effect on the visibility of structures as interference effects result in all sorts of pretty colours depending of layer thicknesses etc..

Good luck with your project. As an IC tourist I'm a fan of 'Silicon Zoo'. They have a collection of unexpected images that IC designers have tucked into spare bits of silicon in their designs over the years.
e.g. Link2,
Index Link2

Just found this place which might interest you. Looks like they do what you're describing Link2 They have nice pictures here Link2 , e.g. Link2

Back to top
McFluffin
Sun Jun 27 2010, 06:17PM
McFluffin Registered Member #119 Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
I wasnn't familar with Piranha solution. I looked into it and it looks of something that might be of use to me. I'll have to figure out a way to supress the H2SO4 eating the top metal (aluminum) though. Nitric acid doesn't react with aluminum and usually would work to protect it I think, but it reacts with H2O2 in a somwhat dangerous manner, so I'll have to find another solution to that. The main reason this intersts me is because a number of Intel chips (eg: PIII) have a thin organic spacer between the die and the external contacts. I've tried a number of chemicals to remove it, but the only way so far I've found is to eat away the top metal. Obviously this never lets me photograph the top metal though.
There are a number of nice websites. Flylogic does some neat stuff and even publishes some research. A few others that are good include the OTHER Silicon Zoo which has some nice diagrams on basic digital logic reversing and Degate which is free softare that aids in manual analysis. Finally, "Integrated circuit failure analysis: a guide to preparation techniques" is a good read which has many techniques.
I tried polishing with a Dremel a bit back which some groups seem to have good luck with. Unfortuantly, I didn't and the surface came out very scratched. I did later get some higher quality polishing compound and wheels, but haven't tried since. I also have some largish turntables from an old wafer polisher, I might see if I can fix them up for operation again. As far as getting labs to help me, I talked to some EE staff at my school (RPI) and they didn't see to want anything to do with a reverse engineering project.
I didn't take pictures of this, but I have some EPROM chips that are first generation or something. They have no makers marks or chip number of any type that I can find anywhere. But what I found really entertaining is the die actually has labels for the wires on it (eg: +, -)! I haven't seen that on any other chips.
Back to top
Herr Zapp
Sun Jun 27 2010, 06:37PM
Herr Zapp Registered Member #480 Joined: Thu Jul 06 2006, 07:08PM
Location: North America
Posts: 644
McFluffin -

Do you have access to a dark-field microscope?

The overall appearance of the IC metallization is shockingly different with dark-field illumination: contrast, surface texture, edge defination, the appearance of "depth" are all quite different than is seen with conventional illumination.

Herr Zapp
Back to top
klugesmith
Mon Jun 28 2010, 06:59PM
klugesmith Registered Member #2099 Joined: Wed Apr 29 2009, 12:22AM
Location: Los Altos, California
Posts: 1716
McFluffin wrote ...
My eventual goal is to try to reverse engineer some security chips to look for weaknesses, but in the meantime my main goal is to follow the Intel x86 line since its been a roadmap in the semiconductor industry for some time.
Nice pictures!
Beware that the makers of security chips, such as smart cards, are well aware of attacks by decapping and inspecting or even micro-probing the IC. Chip design, process, and package details include measures to increase the difficulty and cost of such attacks. Link2 Link2

Many very smart people make a career of computer security. Good luck if you go there.
Back to top
IntraWinding
Wed Jun 30 2010, 09:27AM
IntraWinding Registered Member #2261 Joined: Mon Aug 03 2009, 01:19AM
Location: London, UK
Posts: 581
This describes how a professional decaps plastic encapsulated IC's. Heat the chip to 150C, add a drop of 90% Fuming Nitric Acid to the top of the package and after several seconds to allow it to react, rinses away with acetone (caution!). Repeat.
I'll have to look into making Fuming Nitric as it's harder to obtain than ordinary Concentrated Nitric (70%).
The chip is then rinsed in 'NMP solvent, which I think is N-Methylpyrrolidone, and cleaned in an ultrasonic cleaner to remove small glass particles. I don't know N-Methylpyrrolidone, but from the Wikipedia article, perhaps Methylene Chloride would be worth trying instead.
Have fun (but be careful)!
Link2
Back to top
Patrick
Wed Jun 30 2010, 09:40AM
Patrick Registered Member #2431 Joined: Tue Oct 13 2009, 09:47PM
Location: Chico, CA. USA
Posts: 5639
Russian and German rocket scientists of the 1930's called nitric acid "devil's venom" because of the red-brown fuming vapor-liquid color.

Just try not to die. Weee, have fun.
Back to top
IntraWinding
Wed Jun 30 2010, 09:55AM
IntraWinding Registered Member #2261 Joined: Mon Aug 03 2009, 01:19AM
Location: London, UK
Posts: 581
On the plus side, Nitric Acid fumes give you plenty of warning it's bad for you!
Back to top
McFluffin
Wed Jun 30 2010, 11:33PM
McFluffin Registered Member #119 Joined: Fri Feb 10 2006, 06:26AM
Location: USA
Posts: 114
Do you have a dark field microscope you can lend me? :) I don't have access to a dark field microscope, but I did look into it briefly before. My conclusion seemed to be that dark field microscopes are not as available and the metallurgical microscopes are providing enough information for the time being. I did do a comparison between the compound light microscope and the metallurgical microscopes I had. While the difference for the top metal was interesting, only the metallurgical microscope could see the interconnect layer which showed up mostly black under the compound biological microscope.
Yes, I am aware of the attack, countermeasure paradigm. This summer I'm doing malware reverse engineering, which is a digital warzone of attack and countermeasure. I've read papers on creating and defeating IC RE techniques and seems to be similar stuff I'd enjoy. In the short term though, I'm doing it mostly as practice and as a practical way to learn basic digital VLSI and so don't have to worry so much about that. There is a decapsulting facility at the lab complex I am interning at over the summer and I'm hoping to talk to them to get some insights on professional analysis.
The stuff on the counterfeit Atmels are interesting. I have heard of counterfeit ICs here and there, but never seem much of a writeup on it.
Back to top
rp181
Tue Jul 06 2010, 09:39PM
rp181 Registered Member #1062 Joined: Tue Oct 16 2007, 02:01AM
Location:
Posts: 1529
Here are two pictures I took today with a Differential Interference Contrast microscope w/ a piece of crap camera attached. It was a die, not from a packaged chip. No idea what it is.
Back to top
1 2 

Moderator(s): Chris Russell, Noelle, Alex, Tesladownunder, Dave Marshall, Dave Billington, Bjørn, Steve Conner, Wolfram, Kizmo, Mads Barnkob

Go to:

Powered by e107 Forum System
 
Legal Information
This site is powered by e107, which is released under the GNU GPL License. All work on this site, except where otherwise noted, is licensed under a Creative Commons Attribution-ShareAlike 2.5 License. By submitting any information to this site, you agree that anything submitted will be so licensed. Please read our Disclaimer and Policies page for information on your rights and responsibilities regarding this site.