What’s Inside a USB Isolator?

Coil Die

 

In this acid powered teardown, [Lindsay] decapped a USB isolator to take a look at how the isolation worked. The decapped part is an Analog Devices ADUM4160. Analog Devices explains that the device uses their iCoupler technology, which consists of on chip transformers.

[Lindsay] followed [Ben Krasnow]‘s video tutorial on how to decap chips, but replaced the nitric acid with concentrated sulphuric acid, which is a bit easier to obtain. The process involves heating the chip while applying an acid. Over time, the packaging material is dissolved leaving just the silicon. Sure enough, one of the three dies consisted of five coils that make up the isolation transformers. Each transformer has 15 windings, and the traces are only 4μm thick.

After the break, you can watch a time lapse video of the chip being eaten by hot acid. For further reading, Analog Devices has a paper on how iCoupler works [PDF warning].

[Thanks to Chris for the tip!]

[Read more...]

Reverse engineering the die of a ULN2003 transistor array

uln2003-die-reverse-engineering

We’re no strangers to looking at uncapped silicon. This time around it’s not just a show and tell, as one transistor form a ULN2003 chip is reverse engineered.

The photo above is just one slice from a picture of the chip after having its plastic housing remove (decapped). It might be a stretch to call this reverse engineering. It’s more of a tutorial on how to take a functional schematic and figure out how each component is placed on a photograph of a chip die. Datasheets usually include these schematics so that engineers know what to expect from the hardware. But knowing what a resistor or transistor looks like on the die is another story altogether.

The problem is that you can’t just look at a two dimensional image like the one above. These semiconducting elements are manufactured in three dimensions. The article illustrates where the N and P type materials are located on the transistor using a high-res photo and a reference diagram.

If you want to photograph your own chip dies there are a few ways to decap them at home.

Extracting secured firmware from Freescale Zigbee radios

decapped_MC13224

[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip in an effort to demonstrate how the device’s firmware could be read, even when locked down in “secure” mode. While you might not recognize the Freescale MC13224 radio by name alone, you are certainly familiar with some of its practical applications. Found in the QuahogCon and Ninja Party badges among other consumer goods, the popular Zigbee radio turned out to be a fairly easy conquest.

[Travis] first used acid to decap one of the microcontrollers to see what was going on under the plastic casing. Inside, he discovered a discrete flash memory chip, which he removed and repackaged using a wedge wire bonder. He was easily able to extract the firmware, however decapping and repackaging a flash chip isn’t necessarily the most user-friendly process.

After digging further, he discovered that holding one of the chip’s pins low during boot would allow him to run custom code that recovers the firmware image once the pin is pulled high once again. This far more practical means of firmware recovery can be easily facilitated via a circuit board revision, as [Travis] mentions in his blog.

Follow

Get every new post delivered to your Inbox.

Join 94,415 other followers