Decapping integrated circuits with sap

posted Jul 16th 2010 10:25am by
filed under: chemistry hacks, classic hacks

[James] is interested in reverse engineering some integrated circuits. One of the biggest hurdles in this process has always been just getting to the guts of the chip. He used acetone to dissolve the plastic case but had trouble getting through the epoxy blob. Commonly, the epoxy is soaked in nitric acid for a few minutes but [James] didn’t have access to that chemical. Instead he popped into the local music store and picked up some rosin (used to make violin bows sticky enough to grab the strings of the instrument). After boiling down the rock-hard rosin and the chip for 20 minutes, he got a clean and relatively undamaged semiconductor that he can easily peer into.



26 Responses to Decapping integrated circuits with sap

  • cpmike says:
    July 16, 2010 at 10:46 am

    To what end, curiousity? Can a chip really be analyzed visually like this, to make any determination as to its function? I would imagine that it can’t help much more than normal creative testing of the existing pins…

    Reply Report comment
  • catzburg says:
    July 16, 2010 at 10:47 am

    Sure if you get good enough magnification you can see the individual transistors, though most of these chips are multi-layer so you have to dissolve through the layer one at a time.

    Reply Report comment
  • Erwin says:
    July 16, 2010 at 11:07 am

    Check the latest hitb slides, there was one about thermo analysisng chips to find out their functions.
    You can do it when the device operates so I guess its how jack bauer steal military secrets from embedded devices and uploads them to CTU :D

    Reply Report comment
  • Jake says:
    July 16, 2010 at 11:17 am

    @cpmike

    Absolutely. My company regularly decaps/X-Rays IC’s for various purposes. Usually it’s to explore the possibilities of patent infringement, lol.

    Reply Report comment
  • spiritplumber says:
    July 16, 2010 at 11:18 am

    It can also be used to get an idea of what’s in a chip that may let you reprogram it. Do those pins lead to an internal eeprom directly? JTAG? Level shifter for a serial port?

    Reply Report comment
  • Jon says:
    July 16, 2010 at 11:35 am

    Another hackish way of decapping is just to simply take a blowtorch to the chip. It’ll become very britte and fall apart, except for the die itself.

    Reply Report comment
  • LarrySDonald says:
    July 16, 2010 at 11:37 am

    Doesn’t look that undamaged but hard to tell w/ low magnification. Nowhere near well equipped enough to start trying anything anyway though so I dunno. Nurdrage (no relation to them, but have used their demos at times) have pretty good instructions for making small amounts of Nitric Acid from OTC only, supposing it’s only unavailable rather then illegal. Needs heavier concentrating, but then it’s not like you need much if you’re just decapping with it.

    Reply Report comment
  • mungewell says:
    July 16, 2010 at 11:37 am

    Interesting… I wonder if the ‘oil’ (really a sap-derivative) which they use for dust control on North American gravel roads would work the same way. It comes in 55gal drums at a reasonable price, and I’m sure the local MD could spare a litre or two.

    Reply Report comment
  • steeve says:
    July 16, 2010 at 11:38 am

    I wonder whether the chip still works!

    Reply Report comment
  • Chuckt says:
    July 16, 2010 at 11:46 am

    LOL. Our company paid to get rid of their nitric acid. We could have just given you some. Now we would have to order it.

    Reply Report comment
  • Brent says:
    July 16, 2010 at 2:06 pm

    You sure he’s not making Meth? ;-)

    Reply Report comment
  • Chuck Norris says:
    July 16, 2010 at 2:38 pm

    Nitric acid is used for explosives, not for meth

    Reply Report comment
  • Jonathan Wilson says:
    July 16, 2010 at 6:55 pm

    One use for decapping chips is when the chips contain internal ROM, decapping can be used to read it out. If it contains mask ROM, you can decap it and photograph the ROM. In some cases you can decap the chip, disable the protection circuitry and read out the data.

    Reply Report comment
  • hyte says:
    July 16, 2010 at 7:38 pm

    careful of rosin fume, it will give you asthma. we used to encase the chips in Bakelite then polish, it worked well. Nice to see different options.

    Reply Report comment
  • Vonskippy says:
    July 16, 2010 at 10:52 pm

    What rock does this guy live under?

    You can buy Nitric acid pretty much anywhere.

    Reply Report comment
  • James says:
    July 16, 2010 at 11:47 pm

    @Vonskippy, I live under the really big one called Africa…

    Reply Report comment
  • Tachikoma says:
    July 17, 2010 at 12:10 am

    Fuming nitric acid? Really?

    Reply Report comment
  • Fallen says:
    July 17, 2010 at 6:24 am

    Hmm didn’t realize flux could do that.(that sap is just rosin…it’s been used in solder forever)I wonder if rosin sap is more effective than just using a bottle of rosin flux. Hmm would no clean fluxes work as well?

    Reply Report comment
  • catzburg says:
    July 17, 2010 at 7:58 am

    @Fallen
    I can’t tell if you are joking, so no, no clean wouldn’t do the same thing

    Reply Report comment
  • Drone says:
    July 17, 2010 at 8:44 am

    Sparkfun has a very interesting series of identifying fake ATMEL processors they purchased via decapitation at the ATMEL laboratories. Start here and drill down

    http://www.sparkfun.com/commerce/news.php?id=395

    Yes Nitric Acid is involved. Good read

    Regards, Drone

    Reply Report comment
  • kabukicho2001 says:
    July 17, 2010 at 9:08 am

    the rosin can be dangerous, boiling would produce toxic gases.

    Reply Report comment
  • Shocked says:
    July 17, 2010 at 9:09 am

    Pretty sure that the chip doesn’t work (at least properly) after boiling it in rosin at +320 C for 20 minutes. With large geometries could be lucky enough though.

    I think that may be good for failure or topological analysis (like reading a rom) but not for an active attack. But if nothing is going to be lost trying… :)

    Reply Report comment
  • Jayson says:
    July 17, 2010 at 9:52 am

    Wow!

    There’s a music shop still open?

    Reply Report comment
  • Terry says:
    July 17, 2010 at 7:48 pm

    If a hobbyist in the US wanted to do this with fuming nitric acid where could I find some? I understand the stuff needs to be handled very carefully, with proper safety and ventilation and not disposed of in an unsafe way.

    Reply Report comment
  • Anonymouse says:
    July 18, 2010 at 1:40 am

    @Terry,

    Not sure if you will be able to get it, one of the uses of it are making explosives, and you live in the usa…

    Reply Report comment
  • M4CGYV3R says:
    July 18, 2010 at 6:36 am

    @Jayson
    Where else do people buy pianos and guitars and such?

    Even in my relatively small home town, we had at least 6 or 7 dedicated music shops, not including the 3 Guitar Centers, which is like the sell-out version. Cheap MIDI controllers though.

    Reply Report comment

    • Leave a Reply

    XHTML: You can use these tags: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

    Hack a Day serves up fresh hacks each day, every day from around the web as well as hacking related news.

    Send us your hacks






         



    Hacks

    Resources