There can be few of us who haven’t gazed with fascination upon the work of IC decappers, whether they are showing us classic devices from the early years of mass semiconductor manufacture, or reverse-engineering the latest and greatest. But so often their work appears to require some hardcore scientific equipment or particularly dangerous chemicals. We’ve never thought we might be able to join the fun. [Generic Human] is out to change all that, by decapping chips using commonly available chemicals and easy to apply techniques. In particular, we discover through their work that rosin — the same rosin whose smell you will be familiar with from soldering flux — can be used to dissolve IC packaging.
Of course, ICs that dissolved easily in the face of soldering wouldn’t meet commercial success, so an experiment with flux meets little success. Pure rosin, however, appears to be an effective decapping agent. [Generic Human] shows us a motherboard voltage regulator boiled in the stuff. When the rosin is removed with acetone, there among the debris is the silicon die, reminding us just how tiny these things are. We’re sure you’ll all be anxious to try it for yourselves, now, so take a while to look at the video below showing their CCC Congress talk.
The master of chip decapping is of course [Ken Shirriff], whose work we’ve featured many times. Our editor [Mike Szczys] interviewed him last year, and it’s well worth a look.
If you are a regular searcher for exotic parts among the virtual pages of semiconductor supplies catalogs, you will have probably noticed that for a given function it is most often the part bearing the Analog Devices logo that is the most interesting. It may have more functionality, perhaps it will be of a higher specification, and it will certainly have a much higher price. [Zeptobars] has decapped and analyzed an AD chip that holds all three of those honors, the AD9361 SDR transceiver.
It’s placed under a slightly inflammatory title, “when microchips are more profitable than drugs“, but does make a good job of answering why a semiconductor device at the very cutting edge of what is possible at the time of release can be so expensive. The AD9361 is an all-in-one SDR transceiver with an astonishing bandwidth, and as such was a particularly special device when it reached the market in 2013. We see some particularly fine examples of on-chip inductors and PLL circuitry that must have consumed a significant design effort to preserve both bandwidth and noise characteristics. This is an item of physical beauty at a microscopic scale as well as one of technical achievement.
The financial analysis puts Analog Devices’s gross profit at about $103 of the $275 retail purchase price of an AD9361. The biggest slice at $105 goes to the distributor, and surprisingly the R&D and manufacturing costs are not as large as you might expect. How accurate these figures are is anybody’s guess, but they are derived from an R&D figure in the published financial report, so there is some credence to be given to them.
Integrated circuits are a fundamental part of almost all modern electronics, yet they closely resemble the proverbial “black box” – we may understand the inputs and outputs, but how many of us truly understand what goes on inside? Over the years, the process of decapping ICs has become popular – the removal of the package to enable peeping eyes to glimpse the mysteries inside. It’s an art that requires mastery of chemistry, microscopy and photography on top of the usual physics skills needed to understand electronics. Done properly, it allows an astute mind to reverse engineer the workings of the silicon inside.
These chips are the basic building blocks of digital logic – NAND gates, inverters, shift registers, decade counters and more. You can build a CPU with this stuff. These days, you may not be using these chips as often in a production context, but those of you with EE degrees will likely have toyed around a few of these in your early logic classes.
There’s only a handful of images up so far, but they’re of excellent quality, and they’re also annotated. This is a great aid if you’re trying to get to grips with the vagaries of chip design. [Robert] is putting in the hard yards to image as many variations of every chip as possible. There’s also the possibility of comparing the same chip for differences between manufacturers. We particularly like this project, as all too often manufacturing techniques and technologies are lost and forgotten as the march of progress continues on. It looks like it’s going to become a great resource for those looking to learn more about integrated circuit design and manufacture!
People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinksy]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.
The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.
Some of the coolest bits:
Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
All of this was done by sacrificing only one truckload of set-top boxes.
Our jaw dropped repeatedly during this presentation. Go watch it now.