Chip Decapping The Easy Way

Chip decapping videos are a staple of the hacking world, and few things compare to the beauty of a silicon die stripped of its protective epoxy and photographed through a good microscope. But the process of actually opening that black resin treasure chest seems elusive, requiring as it does a witch’s brew of solvents and acids.

Or does it? As [Curious Marc] documents in the video below, a little heat and some finesse are all it takes, at least for some chips. The method is demonstrated by [Antoine Bercovici], a paleobotanist who sidelines as a collector of old chips. After removing chips from a PCB — he harvested these chips from an old PlayStation — he uses hot air to soften the epoxy, and then flexes the chip with a couple of pairs of pliers. It’s a bit brutal, but in most of the Sony chips he tried for the video, the epoxy broke cleanly over the die and formed a cleavage plane that allowed the die to be slipped out cleanly. The process is not unlike revealing fossils in sedimentary rocks, a process that he’s familiar with from his day job.

He does warn that certain manufacturers, like Motorola and National, use resins that tend to stick to the die more. It’s also clear that a hairdryer doesn’t deliver enough heat; when they switched to a hot air rework station, the success rate went way up.

The simplicity of this method should open the decapping hobby up to more people. Whether you just want to take pretty pictures or if reverse engineering is on your mind, put the white fuming nitric acid down and grab the heat gun instead.

Continue reading “Chip Decapping The Easy Way”

Why Some Chips Have Inconvenient Pinouts

If you’ve ever handled a chip with a really strange or highly inconvenient pinout and suspected that the reason had something to do with the inner workings, you may be interested to see [electronupdate]’s analysis of why the 4017 Decade Counter IC has such a weirdly nonintuitive pinout. It peeks into an IC design dating from the 1970s to see an example of the kind of design issues that can affect physical layout.

Inside the 4017. Want to make sense of how lines and shapes on a silicon wafer make an IC work? With the right teachers, it’s simple.

In the case of the 4017, once decapped and the inner workings exposed, things became more clear. Inside the chip are a bunch of flip-flops and NAND gates, laid out in a single layer. Some of the outputs (outputs 5 and 1 for example, physically on pins 1 and 2 respectively) share the same flip-flop.

The original design placed the elements in a way that made the most logical sense for routing and layout, which resulted in nice and tidy inner workings but an apparently illogical pinout. A lot of this is probably feeling familiar to anyone who has designed and routed a single-layer PCB, where being limited to one layer makes it important to get the most connections as directly near one another as possible.

Chip design has of course come a long way since the 70s, but there is forever some level of trade-off to be made between outward tidiness and inner design harmony. The next time you’re looking at a part with an apparently illogical pinout, there’s a fair chance it makes far more sense on the inside.

If any of you are interested in decapping ICs yourselves to see what’s inside, we saw that it’s possible with commonly available chemicals, not just nasty ones.

Continue reading “Why Some Chips Have Inconvenient Pinouts”

Have LED Bulbs Reached Their Final (and Cheapest) Form?

[electronupdate] has done a lot of LED light bulb teardowns over the years, witnessing a drive towards ever-cheaper and ever-simpler implementations, and suspects that LED light bulb design has finally reached its ultimate goal. This teardown of a recent dollar store example shows that cost-cutting has managed to shave even more off what was already looking like a market saturated with bottom-dollar design.

The electrical components inside this glowing model of cost-cutting consists of one PCB (previously-seen dollar store LED bulb examples had two), eleven LEDs, one bridge rectifier, two resistors, and a controller IC. A wirewound resistor apparently also serves as a fuse, just in case.

Inside the unmarked controller IC. The design is as cheap as it is clever in its cost-cutting.

That’s not all. [electronupdate] goes beyond a simple teardown and has decapped the controller IC to see what lurks inside, and the result is shown here. This controller is responsible for driving the LEDs from the ~100 Volts DC that the bridge rectifier and large electrolytic cap present to it, and it’s both cheap and clever in its own way.

The top half is a big transistor for chopping the voltage and the bottom half is the simple control logic; operation is fast enough that no flicker is perceived in the LEDs, and no output smoothing cap is needed. The result, of course, is fewer components and lower cost.

Some of you may recall that back in the early days of LED lighting, bulbs that could last 100,000 hours were a hot promise. That didn’t happen for a variety of reasons and the march towards being an everyday consumable where cost was paramount continued. [electronupdate] feels they have probably reached that ultimate goal, at least until something else changes. They work, they’re cheap, and just about everything else has been successfully pried up and tossed out the door.

Vintage Fairchild IC Proves Tough To Decap

You’d think that something called “white fuming nitric acid” would be more than corrosive enough to dissolve just about anything. Heck, it’s rocket fuel – OK, rocket fuel oxidizer – and even so it still it wasn’t enough to pop the top on this vintage Fairchild μL914 integrated circuit, at least not without special measures.

As [John McMaster], part of the team that analyzed the classic dual 2-input NOR gate RTL chip from the 1960s, explains it, decapping modern chips is a straightforward if noxious process. Generally a divot is milled into the epoxy, providing both a reservoir for the WFNA and a roughened surface for it to attack. But the Fairchild chip, chosen for dissection for the Maker Faire Bay Area last week specifically because the features on the die are enormous by modern standards, was housed in an eight-lead TO-99 case with epoxy that proved nigh invulnerable to WFNA. [John] tried every chemical and mechanical trick in the book, going so far as to ablate epoxy with a Nd:YAG laser. He eventually got the die exposed, only to discover that it was covered with silicone rather than the silicon dioxide passivation layer of modern chips. Silicone can be tough stuff to remove, and [John] resorted to using lighter fluid as a solvent and a brush with a single bristle to clean up the die.

We applaud the effort that this took, which only proves that decapping is more art than science sometimes. And the results were fabulous; as Hackaday editor-in-chief [Mike Szczys] notes, the decapping led to his first real “a-ha moment” about how chips really work.

Continue reading “Vintage Fairchild IC Proves Tough To Decap”

Ken Shirriff Explains His Techniques For Reverse Engineering Silicon

When it comes to reverse engineering silicon, there’s no better person to ask than Ken Shirriff. He’s the expert at teasing the meaning out of layers of polysilicon and metal. He’s reverse engineered the ubiquitous 555 timer, he’s taken a look at the inside of old-school audio chips, and he’s found butterflies in his op-amp. Where there’s a crazy jumble of microscopic wires and layers of silicon, Ken’s there, ready to do the teardown.

For this year’s talk at the Hackaday Superconference, Ken walked everyone through the techniques for reverse engineering silicon. Surprisingly, this isn’t as hard as it sounds. Yes, you’ll still need to drop acid to get to the guts of an IC (of course, you could always find a 555 stuck in a metal can, but then you can’t say ‘dropping acid’), but even the most complex devices on the planet are still made of a few basic components. You’ve got n-doped silicon, p-doped silicon, and some metal. That’s it, and if you know what you’re looking for — like Ken does — you have all the tools you need to figure out how these integrated circuits are made.

Continue reading “Ken Shirriff Explains His Techniques For Reverse Engineering Silicon”

Lessons In Disposable Design From A Cheap Blinky Ball

Planned obsolescence, as annoying as it is when you’re its victim, still has to be admired. You can’t help but stand in awe of the designer who somehow managed to optimize a product to live one day longer than its warranty period. Seriously, why is it always the next day?

The design of products that are never intended to live long enough to go obsolete must be similarly challenging, and [electronupdate] did a teardown of a cheap LED blinky toy to see what’s involved. You’ve no doubt seen these seizure-triggering silicone balls before, mostly at checkout counters and the like where they’re sold at prices many hundreds of times what it took to make them. This particular device, which seems representative of the species, has two bright LEDs, a small controller chip, a trio of button cells for power, and a springy switch to activate it. All this is mounted to a cheap scrap of phenolic resin PCB, with the controller chip and one of the LEDs covered by a blob of clear epoxy.

This teardown one-ups most others, as [electronupdate] disrobes the chip and points a microscope at the die; the video below shows just how few transistors are employed and proposes a likely circuit. Everything about this ball just oozes cheapness, and it’s likely these things cost essentially nothing to build. Which makes sense for something destined for the landfill within a week or so.

Yes, this annoying blinky-thing is low-end garbage, but there are still design lessons to be learned from it. Anything that’s built for a broad market has to be built to a price point, and understanding those constraints is important to understanding how planned obsolescence works.

Continue reading “Lessons In Disposable Design From A Cheap Blinky Ball”

Cracking The Case Of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]