
What Johnny thought was H₂O was H₂SO₄
Busting a Cap without Die-ing*
IC decapsulation for those afraid of dangerous chemicals and government watch lists
Eric M. Busse, http://eirev.blogspot.com, embusse@gmail.com
*With brief diversions in system & hardware RE
Slides & materials:
http://bit.ly/1isrg3d
Disclaimer
Research presented was conducted on my own time, and is not representative of my employer, their customers, associates, etc.
All statements and opinions are my own, unless otherwise noted.
Science is dangerous; attempting to replicate these techniques could result in serious injury, death, fire, imprisonment, etc.
I take no responsibility for your stupid mistakes

Please, be careful.

Possible foul language, sorry about that
BACKSTORY
An investigative prelude to science
Bored in a Store
Altierre Wireless Signage
A bidirectional wireless technology for managing buildings like retail stores with only a couple of wireless access points
RF mixed signal chip technology with multiple layers of security ... the most secure low power bi-directional wireless technology
Includes a server/gateway, wireless access points, wireless digital signage, and other wireless endpoints ... network uses our proprietary ultra-low-power, low-cost radio technology
Web-based, Enterprise, Client/Server, and System applications ... N-tier Client/Server development architecture ... systems such as the Altierre Service Gateway (ASG); Altierre Access Point (AAP); Altierre Wireless Tags (AWT); and Altierre Portable Terminal (APT)
Hiring ASIC designers, firmware developers, wireless system engineers, web and database developers ...
http://www.altierre.com/overview.html
http://www.altierre.com/job_srfweng.html
http://www.altierre.com/jobopenings.html
http://www.altierre.com/job_seniorsweng.html
The FCC, a friend you never knew you had

http://bit.ly/1irzacX (https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm)
http://bit.ly/1nQuuD5 (https://apps.fcc.gov/oetcf/eas/reports/GranteeSearch.cfm)
No really, it's amazing
2.4GHz ISM Band FHSS
2401.5 - 2475.5 MHz, Binary FSK
75 channels, ~1MHz spacing
Hopping period ~0.504 ms
Altierre Tethered Device (ATD) is a short range radio to provision Altierre Electronic Shelf Labels ... makes use of a short range 100MHz loop to identify an Altierre electronic shelf label ... uses a 2.4GHz RF link to provision and load data.
Taken from FCC OET reports for W22-AAP400, W22-ATAG400E, W22-ATD100
You've got my attention... Now what?
Loiter in/near store with antennas
Tends to attract unwanted attention
It's all fun and games until the mall cops, police, and feds show up and you have to explain that no, you're not attempting to pull a TJX/Target
Pilfer some
Seriously? No. Just no.
eBay!
People are selling this stuff

Tear some stuff apart
Images (scanner is best)
Epson V33 (PoS), awesome depth of field
Two antennae
2.4GHz, 100MHz
Lots of test points
Not a lot of information
Die on board (DoB) = No part numbers

Guess it's decap time

[Photo labels: 2.4 GHz, 100 MHz, ??]

ICS, EPOXY, CHEMICALS AND YOU
Now back to your regularly scheduled presentation

Why decap?
It's cool
IC layout and design is interesting
Art
Identify [un|de|re]marked packages
Manufacturers grind off package markings as an anti-RE/knockoff technique
Package on board issues
Counterfeit detection
SD Cards, FTDI chips
Recover masked ROM content
Live probing & analysis
http://zeptobars.ru/en/read/FTDI-FT232RL-real-vs-fake-supereal
http://www.bunniestudios.com/blog/?page_id=1022
Integrated Circuit Basics
Yes, I'm lying a bit here, but for argument it's close enough
IC (usually) attached to carrier
Wire bonds to/from bond pads to external leads
Encapsulated (sealed) in epoxy
Die is a 3D device, many layers
Packaging, Carrier, Passivation
Metal (interconnect)
Gate/Poly

[Figure labels: Epoxy/Potting, Silicon Die, Carrier, DIP, BGA]
https://en.wikipedia.org/wiki/File:Cmos-chip_structure_in_2000s_(en).svg
https://en.wikipedia.org/wiki/File:Silicon_chip_3d.png

Decapping Techniques
Method | Options | Issues
Acids | Nitric: hot [1, 2, 10], room temp [3]; hot sulfuric [4, 5] | Fast (minutes to hours); dangerous/deadly/govt watch list; fumes melt your lungs; dead before you know it's a problem; boiling/heating is really bad; likely hard to get
Specialty | Professional stuff [6] | Fast?; very expensive, hard to get, dangerous
Rosin | Rosin boil package [7, 8, 9] | Cheap but slow-ish (1-5 hours); semi-dangerous; 200-300C liquid, flammable, inhalation issues
Physical | Sanding/lapping; thermal expansion | Nearly free; good initial approach; reduce package prior to chemicals; difficult to control; potentially expensive equipment
Generally useful: Siliconpr0n, Degate

I'm bored, why do we care again?
Die is 4x4mm
Image is 4248x3920 (30MB)
AFAIK this is the first publicly available image of this die
http://bit.ly/1isrg3d

What do I need to do that?
Chem goggles and gloves [1], [2] <$50
Seriously, get good PPE
1000F Heat gun ~$23
Rosin, $3
Light is better, it's translucent
Pyrex Test Tubes, <$13
Ring stand + clamps, <$30
Thermocouple, <$25
Kapton tape, <$14
Plastic Pipets, $5
Solvents (hardware store)
Denatured Alcohol, $8
Acetone, $8
Methyl-Ethyl-Ketone, $10

Assuming you had none of this on hand, & are impatient or bad at eBay, less than $200, and it'll do many chips
Also useful: Pyrex microscope slides, petri dishes, assorted beakers, test tube tongs, plastic tweezers, super glue, IR thermometer, watch glasses, wash bottles, etc.

Safety Check
Rosin
Resin acids, mostly abietic
Crystallizes near instantly when heat is removed
Similar to plastic burns
Fumes/Vapors
Flammable & semi-toxic
Form sharp crystals in your lungs
Colophony disease
Have a plan
Where am I moving this to?
Is that surface flammable/heat resistant?
Are there things in the way?
Solvents
Heavier than air
Flammable
Carcinogenic
Waste materials
Dissolved epoxy, contaminated solvent, other nastiness
These must be stored
DO NOT POUR IT DOWN THE DRAIN
Hazmat disposal days are your friend
Know your MSDSes
HAVE & USE PERSONAL PROTECTIVE EQUIPMENT
Goggles, gloves, adequate ventilation (open a window, turn on a fan), fire extinguisher. Have friends check up on you.
Keep pets & children away.

Rough Procedure
Fill test tube 1/3 with rosin, heat to melting, add package to be decapped, raise to working temp
Want 250-300C
Measured with thermocouple kaptoned to the test tube
Rosin should be a low-mid viscosity fluid, minimal bubbling
Control temp of rosin by moving test tube closer/farther from the heat gun
Rosin will change color
Starts a lovely amber
Ends brown/black
About 45-60m for my application
2-3 treatments to fully decap
Dump rosin
Wash die
Start again
Epoxy goes from rock hard to fibrous
[Photo labels: Start, Stop, Too long/hot]
Description is of apparatus shown previously; pictures are of a failed attempt to decap while keeping the bond wires intact. Might have worked had I not overcooked & sonicated the assembly.

Die Washing
Rosin hardens fast
Pour contents of test tube into heat-safe container
Let cool a bit (important)
Dissolve waste rosin with denatured alcohol
CAREFULLY use the heat gun to move this along
Too much heat = boiling, followed by FIRE
Several washings needed to fully remove rosin
Post wash use a clean test tube

Bonus: Sonicate! ($80)
[Photo label: Glued to the bottom]

Tips/Tricks
Die is delicate
Metal tweezers = Bad!
Industry uses carbon fiber
Conductive/ESD safe plastic works fine [1]
Slowly dissolve in solvent
Pipets are useful
Transfer (vacuum)
Cleaning (solvent agitation)
Superglue the die to Pyrex slide (best), petri dish
Acetone dissolves superglue, if you need to remove it

Imaging
Microscope ($145, 1)
Dissecting, inspection, metallurgical (transmitted/incident illumination)
Lighting ($40, 2)
XY Stage ($8, eBay)
Camera ($30, 3)
Expensive may != Good
Software
VLC? (snapshot)
Hugin [4]
FoV [5]

Crappy Camera vs. Adapters + 4/3
Higher effective mag, good focus
Edge blur, higher res
Same objective (4x) on scope
Hugin
XY stage, ~2/3 overlap between images
Use the Focus, Luke
Images -> Hugin
Set FoV (2?)
Auto align
Images taken in a pattern, maybe avoid/improve this?
Create Panorama
Maybe

Things go Poorly
Pincushioning, Bad FoV (10?)
Loss of focus
Bad stitch, poor overlap
Die is very dirty

ANALYSIS
Now what the hell do I do?
Pretty, but useful..?
Amicom
CC2420
Thanks to Travis Goodspeed
Altierre
Next Steps
Delayer and reimage
Determine
Masked ROM or flash
Processor type
Chip regions to test points
Mark orientation or bond wires intact
Widen examination to rest of system
QUESTIONS?
With luck I haven't wasted your time...
RAPID FIRE!
RFID Hotel Keycard (Mifare Classic 1K?)
