Laser Fault Injection, Now With Optional Decapping

Whether the goal is reverse engineering, black hat exploitation, or just simple curiosity, getting inside the packages that protect integrated circuits has long been the Holy Grail of hacking. It isn’t easy, though; those inscrutable black epoxy blobs don’t give up their secrets easily, with most decapping methods being some combination of toxic and dangerous. Isn’t there something better than acid baths and spinning bits of tungsten carbide?

[Janne] over at Fraktal thinks so, and the answer he came up with is laser decapping. Specifically, this is an extension of the laser fault injection setup we recently covered, which uses a galvanometer-scanned IR laser to induce glitches in decapped microcontrollers to get past whatever security may be baked into the silicon. The current article continues that work and begins with a long and thorough review of various IC packaging technologies, including the important anatomical differences. There’s also a great review of the pros and cons of many decapping methods, covering everything from the chemical decomposition of epoxy resins to thermal methods. That’s followed by specific instructions on using the LFI rig to gradually ablate the epoxy and expose the die, which is then ready to reveal its secrets.

The benefit of leveraging the LFI rig for decapping is obvious — it’s an all-in-one tool for gaining access and executing fault injection. The usual caveats apply, of course, especially concerning safety; you’ll obviously want to avoid breathing the vaporized epoxy and remember that lasers and retinas don’t mix. But with due diligence, having a single low-cost tool to explore the innards of chips seems like a big win to us.

Fail Of The Week: When The Epoxy-Coated Chip Is Conductive

Every once in a while, you’ll find some weirdness that will send your head spinning. Most of the time you’ll chalk it up to a bad solder joint, some bad code, or just your own failings. This time it’s different. This is a story of weirdness that’s due entirely to a pin that shouldn’t be there. This is a package for an integrated circuit that has a pin zero.

The story begins with [Erich] building a few development boards for the Freescale Kinetis K20 FPGA. This is a USB-enabled microcontroller, and by all accounts, a worthwhile effort. So far, so good. The problem with the prototype boards was soon apparent. On some of the boards, the external 32 kHz oscillator was not starting. Resoldering the oscillator or microcontroller sometimes solved the problem, but not always. This is troubling, because that means the issue isn’t code, and it’s not the PCB. This is going to take a deep dive and a good inspection microscope.

One of [Erich]’s friends, [Christian B], somehow found the problem. When the Freescale K40 is manufactured, the die is carefully laid in a chip carrier and coated with epoxy, putting it in a small QFN package. The problem is, there’s an extra connection sticking out of one corner of this chip. This is just an artifact of the chip carrier, but if you leave exposed metal connected to ground, something is eventually going to go wrong.

The best guess [Erich] has is that this additional connection is from the manufacturing and packaging process, with the exposed metal pad in this application being bridged to an adjacent pad. Now, if there’s one failure to [Erich]’s design, it’s that the trace comes out of the pin on the adjacent pad at 90 degrees; this isn’t a best practice, but most of the time you can get away with it. This time, though, somebody got burned.

We don’t know how [Christian] ever found this issue. When you look at a tiny QFN package, you don’t expect there to be an extra pin attached to ground that can be easily bridged with a bit of solder paste. It’s either a lot of luck or skill to find this problem, but it’s a great example of the weird things you have to look out for.

Delivery Drone Aims To Make Package Handoffs Safer Than Ever

Picture this: you’re at home and you hear a rapping on your door. At last! Your parcel has arrived. You open the door, snatch a drone out of the air, fold it up, remove your package, unfold it and set it down only for it to take off on its merry way. Hand-delivery courier drones might be just over the horizon.

Designed in the [Laboratory of Intelligent Systems] at Switzerland’s École Polytechnique Fédérale de Lausanne and funded by [NCCR Robotics], this delivery drone comes equipped with its own collapsible carbon fibre shield (it folds up small enough to fit in a backpack) and is able to carry packages such as letters, small parcels, and first aid supplies up to 500 g and to 2 km away!


Autonomous Delivery And The Last 100 Feet

You’ve no doubt by now seen Boston Dynamics’ latest “we’re living in the future” robotic creation, dubbed Handle. [Mike Szczys] recently covered the more-or-less-official company unveiling of Handle, the hybrid bipedal-wheeled robot that can handle smooth or rugged terrain and can even jump when it has to, all while remaining balanced and apparently handling up to 100 pounds of cargo with its arms. It’s absolutely sci-fi.

[Mike] closed his post with a quip about seeing “Handle wheeling down the street placing smile-adorned boxes on each stoop.” I’ve recently written about autonomous delivery, covering both autonomous freight as the ‘killer app’ for self-driving vehicles and the security issues posed by autonomous delivery. Now I want to look at where anthropoid robots might fit in the supply chain, and how likely it’ll be to see something like Handle taking over the last hundred feet from delivery truck to your door.


Hacker Sends This Through The Mail To Record A Video Of The Process

[Ruben van der Vleuten] wanted to get a look at the adventure a package experiences when shipped from one place to another. So he threw together this mishmash of components to record the experience. We certainly enjoyed watching the fast motion video found after the break. We wonder what the shipping agency thinks about this sort of thing?

Camera, digital storage, and battery technology have gotten to the point that it’s both cheap and easy to do this sort of surveillance. But there are a few logistical things that [Ruben] took into account to make this work quite well. First off, he needed to hide the camera in a way that would ensure the package didn’t look suspicious. He ended up writing his name on the side of the box and boring a hole through one of the black letters which is smaller than a pea and very hard to spot. To make sure he wasn’t recording a ton of empty (dark) frames he also included electronics to sense motion. When the package is moving the video is always rolling. When not moving, the hardware wakes for just 3 seconds every minute to shoot video.


Hackaday Links August 31, 2012

Landing a fixed-wing through hotel balcony french doors

As you can see, launching an RC airplane off of a hotel balcony is easy. But watch the video and you’ll find out trying to fly through the french doors for a landing is another story. [Team BlackSheep] hits (har, har) Thailand in this collection of breathtaking flights.

Quieting rack-mount switch for home use

[VictorB] got his hands on this switch to beef up his home network. Since the three fans on the back sound like a jet engine he did some cutting to use a larger, quieter fan.

Component package alphabet

Sure, you probably know what SOIC stands for, but what is a CSP? You can clear things up a bit by studying your IC Alphabet.

ZX Spectrum audio card

For those still looking to squeeze everything they can out of a classic ZX Spectrum, here’s a way to improve the audio with a custom sound card (translated).

AVR programmer reprogrammed as an NES controller interface

[Slack] modified his USBasp programmer to use as an NES controller interface. The hardware can be had on eBay for under $10, and he was already using one as a dev board. After seeing this USB to NES dongle post it didn’t take long to make the programmer into a gaming tool.

Red Hat Confirms Security Breach


After a week of wondering, Red Hat has confirmed that someone broke in and compromised their security. Although it doesn’t appear the attacker was able to retrieve the passphrase used to sign Fedora packages, the team is switching to new keys. In a separate intrusion the attacker tampered with and signed OpenSSH packages for RHEL. While it’s good to get the full story, no one is happy with how long it took Red Hat to release these details.

[via Zero Day]

[photo: afsilva]