Ever wanted to make your own LED? You might be tempted to after reading how easy it is. No, this won’t really be a practical LED that you would use to light a project, but it is very cool anyway. [Michael] picked up a box of Moissanite, or Silicon Carbide, on eBay for roughly $1. Making the LED is as easy as putting your positive lead to the crystal and touching it with a sewing needle attached to a negative lead. He has tips on how to get the best results as well as a little bit of history of LEDs on the site.
The silicon wizards at Flylogic have certainly posted an interesting chip this time around. The Intel 4004 was the first widely used microprocessor. The logic gates are much larger than you’d find in modern chips. The unique feature is that each gate is designed to make the most efficient use of the silicon instead of the standardized shapes you find now. They’ve uploaded a full image of the chip.
For an introduction to silicon hacking, we reccomend [bunnie]’s talk from Toorcon and [Karsten]’s talk from 24C3. You can find many more posts on the topic in our silicon tag.
Peripheral manufacturer Datel has been hard at work attempting to crack the PSP 3000 since its release. They’ve developed the Lite Blue Tool battery to force the PSP into service mode so hackers can run any arbitrary code they want. According to MaxConsole, Datel performed a silicon level investigation of the PSP’s chips to determine how to break into service mode. This means they decapsulated the the chips and reverse engineered any cryptographic protections. We’d love to hear exactly what chips were being used since some are fundamentally flawed.
Silicon hacking has always been a favorite topic of ours and we suggest you check out [Chris Tarnovsky]’s decapsulation technique to learn more about it.
[Karsten Nohl] has recently joined the team on Flylogic’s blog. You may remember him as part of the team that reverse engineered the crypto in MiFare RFID chips. In his first post, he starts out with the basics of identifying logic cells. By studying the specific layout of the transistors you can reproduce the actual logic functions of the chip. The end of post holds a challenge for next week (pictured above). It has 34 transistors, 3 inputs, 2 outputs, and time variant behavior. Also, check out the Silicon Zoo which catalogs individual logic cells for identification.
The Last HOPE is off and running in NYC. [Karsten Nohl] started the day by presenting The (Im)possibility of Hardware Obfuscation. [Karsten] is well versed in this subject having worked on a team that the broke the MiFare crypto1 RFID chip. The algorithm used is proprietary so part of their investigation was looking directly at the hardware. As [bunnie] mentioned in his Toorcon silicon hacking talk, silicon is hard to design even before considering security, it must obey the laws of physics (everything the hardware does has to be physically built), and in the manufacturing process the chip is reverse engineered to verify it. All of these elements make it very interesting for hackers. For the MiFare crack, they shaved off layers of silicon and photographed them. Using Matlab they visually identified the various gates and looked for crypto like parts. If you’re interested in what these logic cells look like, [Karsten] has assembled The Silicon Zoo. The Zoo has pictures of standard cells like inverters, buffers, latches, flip-flops, etc. Have a look at [Chris Tarnovsky]’s work to learn about how he processes smart cards or [nico]’s guide to exposing standard chips we covered earlier in the week.
Have you ever wanted to break open your IC and see where those pins really go? [nico] goes through his process of dissolving ICs to their core and photographing the tiny die. The technique involves liquefying the package in sulfuric acid until all the packaging material and pins are gone. He even explains how to use sodium bicarbonate (common baking soda) to neutralize the solution thus allowing for simple sink disposal. Although silicon hacking is generally done by funded hackers with a really nice lab, it is certainly possible to execute some of these techniques with limited equipment and chemical access. For instance, if you can’t get sulfuric acid, send your IC off to a failure analysis lab like MEFAS. For more information and stories on silicon hacking, check out [Chris Tarnovsky]’s process for hacking smartcards and [bunnie]’s talk Hacking silicon: secrets behind the epoxy curtain.
Wired recently posted an article and video detailing our friend [Chris Tarnovsky]’s process for hacking smart cards. In the video, [Chris] shows how he strips away physical components of the chips inside the smartcards using various gadgets and chemicals.
The first step is to remove the chip from its plastic frame. After soaking it in acid for about 10 minutes, the epoxy is removed and the chip is exposed. After that the outer layer is loosened by soaking the chip in two solutions of acetone, the second being the “clean” one. Then the chip is placed on a hotplate where a drop of fuming nitric acid is applied with a dropper; the chip is washed again in an ultrasonic cleaner, removing any residue left.
[Chris] then returns the chip to the card. He will apply nail polish to act as a masking material. He scratches a hole through the polish with a needle held by a micro positioner in the area of interest. The hole is treated with hydrofluoric acid and then etched in short intervals until the desired layer of silicon is exposed. At this point, the card is fully prepped.
Now by powering the chip with the needle resting on the bus, [Chris] can read the code on the chip by sending it various commands and watching how it reacts. To see more of [Chris]’s reverse engineering work, check out Flylogic Engineering’s Analytical Blog. It’s a enjoyable read even if you’re new to silicon hacking.