or how to decap microcontrollers at home and cut your life expectancy by 20 years
Have you ever read about IC reversing? Would you like to get into the world of invasive IC attacks, but think it is very expensive?
Of course! It is very expensive! I am not going to lie to you about that. However, you can do the first step of an invasive IC attack – the decapsulation – at home using very cheap tools. Instead of spending thousands of euros on chemical laboratory equipment, we can spend only 40€ on common household equipment.
BEFORE YOU START:
- BE CAREFUL! VERY CAREFUL! You will play with dangerous acids that may cause permanent injury.
- READ EVERYTHING HERE AND CHECK OTHER SOURCES BEFORE YOU START. YOU HAVE TO BE VERY SURE ABOUT WHAT YOU ARE DOING.
- Wear protective clothes, glasses, gloves and mask when handling acids. DON’T BREATHE THE ACID FUMES.
- I am not responsible for any injury or accident you could have. You alone are responsible for your acts.
Decapsulation is the process of removing the epoxy capsule that protects the integrated circuit. The purpose of removing this epoxy is to gain access to the silicon die in order to analyse it under a microscope or perform a live attack.
There are several ways to remove the encapsulation, but the most common are chemical attack with acid, softening the epoxy with heat, or removing it mechanically with, for example, sandpaper (very useful when a ceramic encapsulation is used instead of epoxy). Normally several of these procedures are combined to decapsulate the IC.
WHAT WE NEED
Acid (60% nitric acid – 5€)
The most important tool in the process.
The most common acid is nitric acid (HNO3), but some encapsulation packages are resistant to nitric acid, and sulfuric acid is used instead.
Professionals use fuming nitric acid (purity >90% and up to 98%) but it is very expensive and very hard to find. In fact, in many countries you have to prove you work in the chemical industry if you want to buy it.
70% nitric acid is cheaper (20-30€ / liter) and easier to get and is also commonly used for decapsulation.
I got very good results using 60% nitric acid and I prefer it because it is very cheap (5€/liter), safer and you can buy it easily. The disadvantage is that at ambient temperature it is not strong enough to attack the epoxy and has to be heated.
60% nitric acid is (relatively) not very dangerous but you should always wear gloves, glasses and mask. Also wear disposable clothes, because splashes of nitric acid will ruin them with horrible stains.
If a drop splashes your hand, just wash it as soon as possible. You will probably have a dark stain on the skin for two weeks, but the damage will not be permanent. However, if a drop of nitric acid splashes in your eyes… you will be really f@#ked. Permanent damage may occur in your eyes. ALWAYS WEAR THE PROTECTIVE GLASSES.
Protective clothing (5€-20€)
Use safety glasses, gloves and mask. Be sure that they are acid resistant. The glasses and mask can be bought in the painting section of your hardware store and you can buy nitrile gloves in the cleaning section of your supermarket.
You will need a glass container for the acid attack. You don’t have to buy a professional laboratory flask. You can even buy a glass coffee cup in the supermarket, but IT IS VERY IMPORTANT TO USE BOROSILICATE GLASS.
Borosilicate glass has a low coefficient of thermal expansion. This is important because we are going to heat the acid. Common glass has a higher thermal expansion coefficient, and if we heat or cool the glass very fast and non-uniformly, the hottest surfaces of the container will expand while the cooler ones will not. This creates stresses in the walls of the container and could break the glass.
Have you ever broken a glass teapot because you washed it with cold water immediately after pouring the tea, while it was still very hot? This can happen if you don’t use a borosilicate glass container.
The last thing you want in this world is a glass flask filled with boiling acid exploding in your face, isn’t it?
It is also important to use a container with thin walls, because the thinner the walls are, the more uniformly the container will be heated and the lower the stresses in the walls will be.
In the supermarket you can find cheap borosilicate cups or flasks. They may be advertised as Pyrex, one of the commercial names of borosilicate glass.
If you prefer to be a little bit more professional, you can buy a laboratory flask at any chemical supply store. The one in the photo is called an Erlenmeyer flask and I paid 10€ for it.
It will be useful to have more containers. For example, a plastic container like a Tupperware can be used to wash the samples.
Electric cooking griddle (~30€)
Instead of an expensive laboratory hot plate we are going to use an electric griddle. Buy the cheapest one AND NEVER USE IT TO COOK AFTER HAVING USED IT TO HEAT THE ACID. You can reuse it to solder your SMD parts to your PCBs using solder paste.
Coffee filters (1€)
We will use them to filter the acid and extract the solid deposits like the silicon die.
Acetone (optional – 3€) and distilled water (optional – 3€)
Useful to clean the samples. Don’t use nail polish remover, as it usually mixes other chemicals with the acetone.
Ultrasonic cleaner (optional – 30€-40€ on eBay)
To deep clean the samples in an acetone bath.
pH indicator paper (optional – 2€ on eBay) and IR thermometer (optional – 12€ on DX)
In order to be able to repeat the results, it is useful to know how long a sample has been in the acid bath and what the temperature and pH were.
Sand paper (optional – 1€)
Use a coarse grit (CAMI 60) to remove the epoxy mechanically and buy an ultra-fine one (CAMI 1000) to remove the different layers of the IC after the decapsulation.
An open and well ventilated place.
During the attack, a lot of corrosive fumes will be produced. You don’t want to have toxic fumes in your home, so take everything to your garden and do everything there.
First of all choose your samples.
It will be handy to have several samples of the same IC just in case you fail in your first try.
If you don’t have a specific target and you are just experimenting, choose an old IC. Chances are that it uses a large gate length technology, so it will be easier to photograph under the microscope.
The 60% nitric acid is not pure enough to attack the epoxy quickly. It is recommended to remove the excess material using sandpaper or an electric grinder. Remove as much as possible without reaching the silicon die. When sanding the top side, you know to stop once you reach the bonding wires, but when sanding the bottom it is harder to know when to stop without exposing the die. If you have several samples and you don’t mind wasting some, you can use your first sample to measure how much epoxy has to be removed before reaching the silicon.
For obvious reasons a small SMD package is preferable to a big DIP one. Smaller package, less epoxy.
Put the sample into the borosilicate glass container and pour in a small quantity of acid. You will have to dispose of the acid properly after using it, so use only what is necessary. 5 cl is probably enough.
Cover the container with plastic wrap. The plastic wrap will prevent the escape of fumes and will condense the acid. The condensed acid drops will fall back into the container.
Even with this plastic wrap, a lot of fumes will escape, so IT IS IMPORTANT YOU DO THIS IN THE GARDEN OR ANY OTHER OPEN PLACE. The nitric acid gases are corrosive.
I even put a standing fan close to the table where I work to help evacuate the gases.
The acid will not react immediately with the epoxy or the metal terminals of our sample because it is not strong enough (not pure). We have to heat it first.
Put the glass container on the electric griddle. THE GRIDDLE HAS TO BE COLD AND NOT PREHEATED, to avoid heating the glass too quickly and breaking it. Switch on the griddle and heat the acid. The acid should be between 70ºC and 80ºC. Use the IR thermometer to measure it or, if you don’t have one, use the griddle thermostat and set it around 90ºC.
In five minutes the acid will be hot enough and will attack the sample. Small bubbles will be produced around the IC, the acid will become yellow-green and will produce brown fumes. That is good because it means that the attack is working.
In less than 20 minutes the acid will corrode the metal terminals, but the epoxy will still need between one and two hours. The acid fumes will become darker.
Once there is no more epoxy and you can see the silicon die clean, switch off the griddle and let it cool for 20 minutes.
The exhausted acid will be blue-green and at the bottom you will see residues of epoxy dust, small pieces of bonding wire and your IC die.
Use the coffee filter to filter the acid and recover the IC die. You can use a plastic container to pour the acid into when filtering. DO NOT POUR THE ACID DOWN THE SINK!
Wash the IC die with water. Distilled water would be perfect, but tap water will work too.
Put the IC in a glass flask with acetone and clean it in the ultrasonic cleaner for 2 minutes. If you reuse the container used during the attack, be sure to clean out the acid first. If you don’t have an ultrasonic cleaner, stir with a spoon for several minutes. It is not the same and will not clean the sample properly, but it is better than nothing. If you don’t have acetone, distilled or tap water is your second option.
Finally, wash the sample with water again to clean off the acetone. The sample is ready!
This is a PIC 16F84 sample against a coffee filter (to compare sizes):
Even with the naked eye you can distinguish the microcontroller blocks like the Flash, EEPROM, RAM and the ALU. This photo was taken with a 12 megapixel camera from a distance of 70 cm, without a macro objective, and some blocks are recognizable:
WHAT TO DO NOW THAT I HAVE THE SAMPLE DECAPSULATED?
Now you need a microscope to observe the IC, but not every microscope is suitable.
If you search on eBay you can find lots of microscopes for less than 300€, but they are not appropriate for observing the IC because they are probably “biological microscopes”.
In biology most samples are cells in fluid or organic tissue cut into slices so thin that they are translucent. The easiest way to illuminate these translucent targets is from behind. In biological microscopes the sample is placed between the lens and the source of light.
In our case, we are observing a small piece of silicon that is opaque. If we observe it using a back-illuminated biological microscope we will not have enough light to see the target.
We need a “metallurgical microscope”. These microscopes illuminate the target not from behind but directly from the lens, so solid specimens can be observed. Unfortunately they are expensive and you are lucky if you get a second-hand one for less than 600€. I have seen new metallurgical microscopes on eBay for even 250$, but they are brandless and I have no idea about the quality. I would not expect too much from them.
As an alternative you can use a cheap biological microscope and try to illuminate the sample externally with an LED ring attached to the lens:
The problem with this solution is that if you use a high magnification lens you will have to put the lens very close to the sample and it will cast a shadow over it.
Another alternative is to use a strong lateral light to illuminate the sample.
I think I saw this setup on John McMaster’s blog, but I can’t find the post now.
As an example, I took this photo of a 74HC04 using a borrowed metallurgical microscope:
In the photo, the transistors are not really visible because they are under different metallization layers. In order to reverse the circuit every layer has to be removed, one at a time, and photos of the IC have to be taken at every stage of the delayering.
The easiest, safest and cheapest way to delayer the IC is sanding the microcontroller with ultra-fine sandpaper. This process is already described in several places, so I will not write about it. Maybe another day…
PREPARING THE SAMPLE FOR LIVE ANALYSIS
In an intrusive live analysis a hole is opened in the encapsulation to access the silicon while the IC is being used in a circuit. With the silicon accessible, a micro-probe can be used to tap an internal IC bus and observe the data on it.
In this case, a non-destructive decapsulation is needed – the sample has to be 100% functional – so the procedure is very different from the one described above.
The first step is to open a hole in the epoxy using a drill. The radius of the hole has to be a little bit smaller than the size of the die. The acid drops we will put in the hole will make it bigger.
Try to make the cavity as deep as possible but without reaching the die or the bonding wires. We don’t want to mill a bonding wire and ruin the sample. Use a first disposable sample to measure how much you can mill before ruining the sample.
You will need a dropper (0.1€ on eBay) and an old CPU heat sink.
Put the sample on the heat sink, and the heat sink on the electric griddle. Switch on the griddle to heat the sample. Use the IR thermometer to measure the heat on the surface of the IC. The temperature should be around 70ºC – 80ºC, but avoid going higher because you could ruin the IC. REMEMBER! It has to work after the decapsulation!
Approximately every 10 droplets you have to clean the sample with acetone to remove solid residues and exhausted acid.
The key to the process is to be very patient. Because we are using 60% nitric acid, we will need a lot of time and drops before all the epoxy is removed.
If some acid spills out of the hole, clean it immediately. Especially avoid spilling it on the metal terminals.
Be sure that you work on a very flat and horizontal surface. If the sample is not horizontal, even just a little, after several drops the epoxy will be dissolved unevenly, which could “break” the cavity or expose half of the silicon while the other half is still covered with a thick epoxy layer.
WHAT TO DO WITH THE EXHAUSTED ACID?
Once you finish your attacks you will have to dispose of the exhausted acid properly.
DO NOT POUR IT DOWN THE SINK! It will contaminate the rivers! And it can destroy the pipes if they are made of metal.
Put the acid in a plastic bottle and take it to any place where they collect chemical waste. I usually take it to a friend who works at the university because they have a chemical waste collection service.
Before disposing of the acid you can dilute it in water, but DON’T try to neutralize it with a base if you are not completely sure about what you are doing. The last time I tried to do that the fumes were so nasty I had to leave my garden for half an hour.
WHERE TO READ MORE ABOUT REVERSING IC?
There are a lot of pages and blogs with info about IC reversing, but I recommend Silicon Pr0n because the wiki has external links to the most important pages and blogs.