What Johnny thought was H2O was H2SO4

Busting a Cap without Die-ing*
IC decapsulation for those afraid of dangerous chemicals and government watch lists
Eric M. Busse, http://eirev.blogspot.com,
[email protected]
*With brief diversions in system & hardware RE
Slides & materials: http://bit.ly/1isrg3d

Disclaimer
• Research presented was conducted on my own time, and is not representative of my employer, their customers, associates, etc.
• All statements and opinions are my own, unless otherwise noted.
• Science is dangerous; attempting to replicate these techniques could result in serious injury, death, fire, imprisonment, etc.
• I take no responsibility for your stupid mistakes
Please, be careful.
Possible foul language, sorry about that…

BACKSTORY
An investigative prelude to science

Bored in a Store

Altierre Wireless Signage
• A “bidirectional wireless technology” for managing “buildings like retail stores with only a couple of wireless access points”
• “RF mixed signal chip technology” with “multiple layers of security … the most secure low power bi-directional wireless technology”
• “Includes a server/gateway, wireless access points, wireless digital signage, and other wireless endpoints .... network uses our proprietary ultra-low-power, low-cost radio technology”
• “Web-based, Enterprise, Client/Server, and System applications ... N-tier Client/Server development architecture ... systems such as the Altierre Service Gateway (ASG); Altierre Access Point (AAP); Altierre Wireless Tags (AWT); and Altierre Portable Terminal (APT)”
• Hiring ASIC designers, firmware developers, wireless system engineers, web and database developers…
http://www.altierre.com/overview.html, http://www.altierre.com/job_srfweng.html, http://www.altierre.com/jobopenings.html, http://www.altierre.com/job_seniorsweng.html

The FCC, a friend you never knew you had…
http://bit.ly/1irzacX (https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm)
http://bit.ly/1nQuuD5 (https://apps.fcc.gov/oetcf/eas/reports/GranteeSearch.cfm)

No really, it’s amazing
• 2.4GHz ISM Band FHSS
• 2401.5 - 2475.5 MHz, Binary FSK
• 75 channels, ~1MHz spacing
• Hopping period ~0.504 ms
• “Altierre Tethered Device (ATD) is a short range radio to provision Altierre Electronic Shelf Labels … makes use of a short range 100MHz loop to identify an Altierre electronic shelf label… uses a 2.4GHz RF link to provision and load data.”
Taken from FCC OET reports for W22-AAP400, W22-ATAG400E, W22-ATD100

You’ve got my attention… Now what?
• Loiter in/near store with antennas
  – Tends to attract unwanted attention
• Pilfer some
  – Seriously? No. Just no.
• eBay!
  – People are selling this stuff
It’s all fun and games until the mall cops, police, and feds show up and you have to explain that no, you’re not attempting to pull a TJX/Target…

Tear some stuff apart…
• Images (scanner is best)
  – Epson V33 (PoS), awesome depth of field
• Two antennae
  – 2.4GHz, 100MHz
• Lots of test points
• Not a lot of information
  – Die on board (DoB) = No part numbers
Guess it’s decap time…
[Board image labels: 2.4 GHz, 100 MHz, ??]

ICS, EPOXY, CHEMICALS AND YOU
Now back to your regularly scheduled presentation

Why decap?
• It’s cool
  – IC layout and design is interesting
  – Art
• Identify [un|de|re]marked packages
  – Manufacturers grind off package markings as anti RE/knockoff technique
  – Package on board issues
  – Counterfeit detection
    • SD Cards, FTDI chips
• Recover masked ROM content
• Live probing & analysis
http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal
http://www.bunniestudios.com/blog/?page_id=1022

Integrated Circuit Basics
Yes, I’m lying a bit here, but for argument it’s close enough…
• IC (usually) attached to carrier
• Wire bonds to/from bond pads to external leads
• Encapsulated (sealed) in epoxy
• Die is a 3D device, many layers
  – Packaging, Carrier, Passivation
  – Metal (interconnect)
  – Gate/Poly
[Figure labels: Epoxy/Potting, Silicon Die, Carrier, DIP, BGA]
https://en.wikipedia.org/wiki/File:Cmos-chip_structure_in_2000s_(en).svg
https://en.wikipedia.org/wiki/File:Silicon_chip_3d.png

Decapping Techniques
Method | Options | Issues
Acids | Nitric: hot [1, 2, 10], room temp [3]; hot sulfuric [4, 5] | Fast (minutes to hours); dangerous/deadly/gov’t watch list; fumes melt your lungs; dead before you know it’s a problem; boiling/heating is really bad; likely hard to get
Specialty | Professional stuff [6] | Fast?; very expensive, hard to get, dangerous
Rosin | Rosin boil package [7, 8, 9] | Cheap but slow-ish (1-5 hours); semi-dangerous; 200-300°C liquid, flammable, inhalation issues
Physical | Sanding/lapping; thermal expansion | Nearly free; good initial approach; reduce package prior to chemicals; difficult to control; potentially expensive equipment
Generally useful: Siliconp0rn, Degate

I’m bored, why do we care again?
Die is 4x4mm
Image is 4248x3920 (30MB)
AFAIK this is the first publicly available image of this die
http://bit.ly/1isrg3d

What do I need to do that?
• Chem goggles and gloves [1], [2] <$50
  – Seriously, get good PPE
• 1000°F Heat gun ~$23
• Rosin, $3
  – Light is better, it’s translucent
• Pyrex Test Tubes, <$13
• Ring stand + clamps, <$30
• Thermocouple, <$25
• Kapton tape, <$14
• Plastic Pipets, $5
• Solvents (hardware store)
  – Denatured Alcohol, $8
  – Acetone, $8
  – Methyl-Ethyl-Ketone, $10
Assuming you had none of this on hand, & are impatient or bad at eBay, less than $200, and it’ll do many chips…
Also useful: pyrex microscope slides, petri dishes, assorted beakers, test tube tongs, plastic tweezers, super glue, IR thermometer, watch glasses, wash bottles, etc…

Safety Check
• Rosin
  – Resin acids, mostly abietic
  – Crystallizes near instantly when heat is removed
    • Similar to plastic burns
  – Fumes/Vapors
    • Flammable & semi-toxic
    • Form sharp crystals in your lungs
  – Colophony disease
• Have a plan
  – Where am I moving this to?
  – Is that surface flammable/heat resistant?
  – Are there things in the way?
• Solvents
  – Heavier than air
  – Flammable
  – Carcinogenic
• Waste materials
  – Dissolved epoxy, contaminated solvent, other nastiness
  – These must be stored
  – DO NOT POUR IT DOWN THE DRAIN
  – Hazmat disposal days are your friend
• Know your MSDSes
HAVE & USE PERSONAL PROTECTIVE EQUIPMENT
Goggles, gloves, adequate ventilation (open a window, turn on a fan), fire extinguisher. Have friends check up on you. Keep pets & children away.

Rough Procedure
• Fill test tube 1/3 with rosin, heat to melting, add package to be decapped, raise to working temp
  – Want 250-300°C
    • Measured with thermocouple kapton’ed to the test tube
  – Rosin should be a low-mid viscosity fluid, minimal bubbling
  – Control temp of rosin by moving test tube closer/farther from the heat gun
• Rosin will change color
  – Starts a lovely amber
  – Ends brown/black
• About 45-60 min for my application
• 2-3 treatments to fully decap
  – Dump rosin
  – Wash die
  – Start again
• Epoxy goes from rock hard to fibrous
[Photo labels: Start, Stop, Too long/hot]
Description is of the apparatus shown previously; pictures are of a failed attempt to decap while keeping the bond wires intact. Might have worked had I not overcooked & sonic’ed the assembly.

Die Washing
• Rosin hardens fast
  – Pour contents of test tube into heat safe container
  – Let cool a bit (important)
  – Dissolve waste rosin with denatured alcohol
    • CAREFULLY use the heat gun to move this along
  – Too much heat = boiling, followed by FIRE
• Several washings needed to fully remove rosin
• Post wash use a clean test tube
• Bonus: Sonicate! ($80)
[Photo caption: Glued to the bottom…]

Tips/Tricks
• Die is delicate
  – Metal tweezers = Bad!
    • Industry uses carbon fiber
    • Conductive/ESD safe plastic works fine [1]
      – Slowly dissolve in solvent
• Pipets are useful
  – Transfer (vacuum)
  – Cleaning (solvent agitation)
• Superglue the die to
  – Pyrex slide (best), petri dish
  – Acetone dissolves superglue, if you need to remove it

Imaging
• Microscope ($145, 1)
  – Dissecting, inspection, metallurgical, (transmitted/incident illumination)
  – Lighting ($40, 2)
  – XY Stage ($8, eBay)
• Camera ($30, 3)
  – Expensive may != Good…
• Software
  – VLC? (snapshot)
  – Hugin [4]
    • FoV [5]

Crappy Camera vs. Adapters + μ4/3
[Image captions: Higher effective mag, good focus | Edge blur, higher res | Same objective (4x) on scope]

Hugin
• XY stage, ~2/3 overlap between images
  – Use the Focus, Luke
• Images -> Hugin
  – Set FoV (2°?)
• Auto align
  – Images taken in a pattern, maybe avoid/improve this?
• Create Panorama
  – Maybe…

Things go Poorly…
[Image captions: Pincushioning, Bad FoV (10°?) | Loss of focus | Bad stitch, poor overlap | Die is very dirty…]

ANALYSIS
Now what the hell do I do?

Pretty, but useful..?
[Die images: Amicom, CC2420, Altierre]
Thanks to Travis Goodspeed

Next Steps
• Delayer and reimage
  – Determine
    • Masked ROM or flash
    • Processor type
    • Chip regions to test points
  – Mark orientation or bond wires intact
• Widen examination to rest of system

QUESTIONS?
With luck I haven’t wasted your time...

RAPID FIRE!
RFID Hotel Keycard (Mifare Classic 1K?)