Tuesday, April 20, 2010

Paypal payload

There have been several advancements including work on finishing the automation of the biological microscope and automation of the inverted metelergical microscope, but school has kept me busy and I haven't had time to finish those. In the meantime, here is a small deviation on taking apart a security key to get to the IC. In such situations, there is a double decap. We not only have to decap the IC pacakge, but its a bit of an effort to even get to it.
At DEF CON 17, there was a side event of sorts called BSides/Neighborcon (thanks Travis!). This actually had my favorite talk of the entire trip by HD Moore on WarVOX. In any case, PayPal handed out stacks of the PayPal (or someone anyway, I think it was them) Security Key.

From some articles such as this it is based off of RSA’s Securid. I'm not a crypto guy, but I figure if I take some images of this and work out some of the logic, someone else more experienced in the field who can't do this type of hardware analysis might be able to build off of this work. I won't be be imaging the chip until I can get some more experience since future cards will cost me $5 a pop. Plus, I haven't made any agreements at this point not to tear it to shreds. I originally had a lot, but I gave them away to a number of people who thought they were cool.
One cool feature of these things its display Basically, it will retain the image on it even with power gone. It is the same (class?) of technology used in the more famous Amazon Kindle.
From what I hear, GM week at RPI use to be about getting wasted and they use to bring large amounts of beer for students to drink. But they don't do that anymore. I don't drink, but it would have been hillarious to watch. On the surface, its about elections...w/e. I still have my mug from last year which is better and I needed some glassware to dissolve the card in. To top it off, it had a Vegas theme, which seemed appropriete to make the card go full circle.
In any case, lets get started with the teardown. After a few minutes in acetone, the outter cover is starting to shed:
A side view showing the ridges a bit better:
I think peeled this off to speed things up and soaked it a bit more:
The other half is starting to break apart a bit:
A little dissolving later, I can peel off the outside plastic to reveal the circuit board:
Closeup of the label section:
There are very small surface mount components on the board. The label says "InCardIC006AV11". There's also a number 2, whatever that is for. My guess is that five dot gold pattern is for programming and/or testing. That black dot should be the IC, which is what I'm primarily after. Unfortunately, it has no external labeling of any kind. Finally, the last component is what appears to be a lithium polymer battery based on its shape. Voltage reading:
Amazingly, the card still works! (the battery was removed later, still had battery here)

video
The acetone was getting a bit dirty. Time to clean it up a little:
After soaking for the last time, I wasn't able to get much else to come off even after soaking for a while. I had been hoping the board was going to dissolve at least slightly and release the IC package. Final front board image:
The battery came off with minimal force. Final back image:
The black IC package was then forcably removed and stored into a vial for later analysis. As I get better suited to dissolve the resin, I'll dissolve it and take at least a top metal layer picture. In the meantime, I'll keep practicing on expendable chips so scarcer chips like this can be properly analyzed.
To top things off, what kind of person would I be if I let flammables go to waste?

Thursday, April 15, 2010

IC decapping round 4: burnt perfection

As you can hopefully see from some of the previous posts, people employ many techniques to remove the irritating resin casing. I've seen suggestions of simply burning away the casing, which I was somewhat skeptical of, thinking this would annihilate the chip. However, I am open to ideas, and thought I'd give it a spin.
First off, burning is probably a bad word. The image I had in my head of how this would work was the physically heat the chip until the resin was utterly destroyed, like burning away a piece of wood. It turns out its not hard to make the resin brittle through heating. Or in other words, all one has to do is apply a short burst of intense heat and you can crumble the casing away with minimal chip damage. A picture is worth a thousand words, lets see an example. This was the result of the first chip I tried:
It came out amazingly clean like this in under a minute. Microscope inspection seems to indicate the die is healthy. More on this later. Starting from the beginning, here is a virgin chip:
A CP82C59A interrupt controller. All torch images are of one of these, but not necesarily the exact same unit. A tube of them was being kicked around in the RPI Electronics Club junk drawer. Torch meat now:
You shouldn't heat the chip too strongly. If you get this, you've gone too far:
I actually would have never guessed you could get a red hot IC package. In any case, as will be seen in the video, the most important thing is even heating. I'm not sure what the shock temperature is, but there was a certain cutoff line where the chip was extremely brittle vs very hard. In the video I don't heat the lower half of the chip good enough and it only breaks moderately well.
After removing the torch, it will burn like a well down marshmallow for a few seconds:
It should go out by itself fairly quick, but I was waving or blowing it out. Result:
Breaking now:
This final image is the die from the video. The one from the sequence above is the one on top shown here (contrasted with the very first one I flame decapped):
The heat managed to separate the die and the carrier! So that's what happens when you apply too much heat. I wasn't paying attention at the time and I'm not sure what happened to the die. I figured it had been melted in some weird way where as it probably fell to the floor when I cracked the casing open. The first one I tried (bottom die above) couldn't have gone any better. The case split perfectly and no resin was left covering the die.
Seeing how well the die withstood the heat, I wondered how far can we go? So I torched a die red hot. Although it was not as clear under the microscope as before, it still was of decent quality. I'll try to add a pic in a bit comparing an area of the first die extracted with the one that I tortured.
Here is a short video showing an heat based extraction:
video
In this test setup, that blue thing is a filter system to help reduce fumes. I also have a gas mask handy for exactly this sort of work. It really does help a lot. The resin was really brittle and very little force was required to break it. However, I didn't heat it enough towards the bottom, so one side of the die was still relatively well set into the case. This can be easily fixed though and is partly due to me trying to get this on film and not doing for an ideal setup.
For some future work, I may have gotten away with this due to the relatively large traces the 2 um test die I used had. Thinner traces may be much more sensitive. Still, the results are much more promising than I was expecting. As I move down the semiconductor technology roadmap, I'll revisit this and see how well it does against finer masks.
Thanks to Will Carder for lending me the torch!

Sunday, April 11, 2010

PLACE SANDWICH HERE: the camera

The original camera setup involved zip-tying t-slot aluminum to the microscope neck and positioning the camera based on a series of adjustments to the slot angles. There were a few issues with this setup. First, I didn't have any t-slot nuts, so it was always a pain to tighten things. I at first didn't have any t-slot L brackets either, but I had some nearly equivalent aluminum brackets, so that wasn't as big of a deal. Next, the small distances between the neck and the eyepiece really limited the flexibility in positioning the camera. It was very hard to position it accurately. Finally, the zip ties were only moderately stable, so if you hit it too hard, it would shift around.
The second setup I tried was to use a neck lamp as a flexible mount. It was abandoned because the camera was so much heavier than the light bulb that it caused it to sag. I took an old style fuse and ran a 1/4" bolt through it so it could mount to a camera. The camera isn't mounted to it here, but here I am disassembling it since I'm not going to use it anymore and bad things would happen if someone plugged in the lamp by mistake:

As the current setup is being upgraded for CNC control, the camera positioning will still remain manual since it doesn't need to be moved as the die is being scanned. Here is an overview of it:
Basically, this has two easy to position axis, which really help. The microscope eyepeice is on an angular axis and there is a linear slide that the camera is mounted on. Usually only minimal adjustment is needed with the t-slots, mostly for height. The slide was spring loaded to keep accurate positioning. When viewing the image manually, the eyepeice is swung around to the front of hte microscope where the neck is rather than at a 90 degree offset to standard orientation. This makes switching between manual and camera based viewing convenient.
Interesting to see the focal length as it relates to magnification. Here is 10X objective:

And here is 40X objective:


It looks like its touching, but its not. However, its very, very close. You can still get it out of focus by moving it closer. If you move it too close, the spring loaded objective lenses will move up rather than break. Here is what you see on the camera at 400X (more like 800X actually since we are zoomed in on the camera itself):
There is also a 100X objective, but I haven't looked into what it would take to use it. I believe I need to do something with immersion oil.
The original setup used an incandescent light. However, it only provided moderately acceptable light levels with the 40X objective. I recently bought a 500W halogen light that has really helped. However, its not very directional, so I installed a sandwich wrapper as a deflector to increase directionality to the sample and not blind the operator. As my friend Alex finished his lunch, he probably never thought about his burger wrapper again until he reads this. Little did he know it would become a critical ingredient in the camera setup after being banished to the gray cylinder labeled "TRASH."
Although it is festive, I'll probably replace it with some aluminum foil when I get a chance to go to the store or something.
This setup is pretty stable and I'm a lot happier with it over the previous one. It seems like a flexible mount would have been nice, but with the stability I've gained from the T-slot, this setup is probably best.
Thanks to Dane Kouttron (http://transistor-man.com/Index.html) for the pictures! Also thanks to Magesh Alagiriraj for lending me an SD card since mine died :(

Stepping things up

One of the goals for an effective setup is to automate taking pictures of the dies. Current technique is to manually move the chip around while snapping pictures. As the chips get large, technology shrinks, etc, it becomes increasingly desirable to get more precise and automated control. The plan: use EMC2 controlling some linear stages and gphoto2 controlling a Canon SD100 to scan across a die to be assembled by Hugin.
The control system doesn't necessarily have to be EMC2. In fact, I've heard people have difficulty using it outside of the GUI. So, I might just use raw outp() calls to pulse a parallel port as needed to control the stepper drivers. I have some old Precision Motion Control drivers that can just barely be seen to the right in this image. The motors I'm using are fairly small, but the drivers are current limited, so it might work out. Otherwise, I'll make up a transistor based driver which shouldn't take too long. On the same note, I might end up using that stage setup if I want to scan some larger images later under high precision. I have a few other things I need to get detailed images of that are much larger.
The original plan to control the stepper motors was to couple them with springs to the stages. Something like this:
However, in early testing before even mounting things, I realized that they would build up enough force to overcome the static friction, but the stored energy in the spring would cause a large movement. Higher spring constants would only lead to the stiffness problems I was trying to avoid in the first place, so this solution was a no go.
Here is the current attempt at linear motion control:

It uses two stepper motors with longish gears to overcome issues from the micrometer moving in and out as turned. The Y axis (one on right) will be slightly trickier as the gear will move back and forth as the X axis is actuated. To overcome this, I'm going to try to put a spring force on it. With the small distances being moved, it shouldn't move enough to become a problem.
My luck with libgphoto2 has been mixed so far. It tends to get into internal error states fairly easily. Also, I've had difficulty building it to get the latest version. I tried to use a VM which could get a better version, but still same issues. In particular, I need to disable the flash, but this results in internal errors. Since I really need this, I'll probably put in the effort to get the newest version working and/or get in contact with the libgphoto2 team to help develop a patch to fix w/e the error is. This is an issue because it severely lowers the exposure time, resulting in bad pictures despite my relatively bright levels of light. I got this camera because gphoto claimed very good support for it and they were available on eBay at quite a reasonable price ($15 + S/H for used units, maybe $40 + S/H for newish units). I bought a SD110 originally, but it turned out to be much worse condition than the seller claimed, but since it was so inexpensive I didn't find it worth the effort to pursue. I found a SD100 buy it now for $15 without charger and get a good condition one for around $40. So all in all, I have a SD110 for parts and two SD100s. This has been quite good as the major complaint of the units is their relatively short battery life. With a spare battery or two, I can let one charge while I use the unit, which leads to good usage. The batteries tend to charge faster than then are drained.
My experience with Hugin has also been mixed. Under Linux, when I try to stitch together pictures, it crashes. I tried to use it under Windows to stitch together some of my dies, but they ended up coming out more like pretzels than beautiful images. In theory, use of the stages will make this process much easier as the images should be able to be precision aligned to each other.
Thanks to Robert Reeve for helping me with the design of this stage setup and for fitting the gears on the ends of the micrometers! Also, thanks to Jim Schatz for letting me borrow the microscope!

IC decapping, round 3: chemical etch

In my last post, I discussed some of my early experience with sanding. After sanding, I tried some simple chemical etching. Unfortunately, my memory card died and I lost some cool stuff such as a microscope etch video, but I will hopefully be able to get some new, better images and videos later.
In any case, there were two areas to try: etching the case and etching the die. Etching the resin case is usually done with nitric acid. Travis Goodspeed has a good blog post about doing this at room temp here. I was able to get 70% nitric considerably easier than RFNA, so I decided I'd try that first. If you use non fuming nitric acid (but still required to be high conc I think), you must strongly heat the mixture. But, I did try a few other things first to see if there were alternatives. The first thing I tried was just to let it set overnight. This ate away the metal leads pretty quickly, but not the resin. The next thing I tried was to adding HCl to form aqua regia, hoping such a strong mixture would eat it away. Alas, this did not help either. Out of simple ideas, I then moved on to heat it to 80C using a hotplate. Unfortunatly, I didn't have a fume hood availible (someone is workong on getting me access to one), so I could only do it for a short time before having to cut if off due to fumes. I did not see signigant chip etching on the time I was working.
However, since I had other ways to get to the die, I figured I'd still try chemically etching the die. Using one of my cermic packaged dies, I was able to easily place HF into the die cavity so I could watch it etch under the miscrope. Defintly want to get another video of this. I was able to get a clean etch of what seems to be the top layer off and reveal the intermediate connection layer with vias. If I let it sit for longer, I imagine I could easily eat layer by layer. The top layer was taken off quite quickly even at the low concentration of acid.
I later tried to see if HCl would etch the chip. I saw initial high activity followed by not little activity. I then tried to put fresh HF on the chip and saw no reaction. I'm wondering if a protective SiCl4 or w/e coating formed on the surface, making the chip highly reistant to further chemical attack by a dilute acid. If the concentration was stronger it may have been able to dissolve this coating if thats what had happened. I ran out of decapped chips and couldn't easily decap another one at the time, so I'll go back to heat gunning some caps off. I have a stash of centrifuging tubes that I've realized work well for clean storage of dies.
I need to work on getting better storage for my HF acid. I've ordered a set of plastic test tubes with rubber stoppers for stage. Ideally I wanted screw cap, but couldn't find them at a quick look and stopopers is probably just as good. I had two different types of glass test tubes I stored it in intermitantly and one was corroded by it and the other wasn't. I'm not sure if this is simply because it had been used up by the time it got to the second test tube. In any case, it couldn't etch the IC after this, so I assume it was just that it got rapidly used up.

IC decapping, round 2: sanding

The earliest way to view chips was to "cheat" and use old chips that were more readily accessible by soldering their physical caps. However, modern chips generally don't do this. The ones that do do similar things include chips like Xilinx Virtex or Intel x86 chips that run very hot. These can probably be decapped simply by throwing into some moderate acid to eat away the metal.
There seem to be three major techniques for decapping, but only two are used in the hobbyist space. From what I can tell, professional shops use plasma etch machines (http://www.stockly.com/forums/archive/index.php?t-16.html). These are slow, but accurate, and the machines can be had for only a few thousand dollars for a small one. I've even seen presumably working industrial sized ones for under a thousand on eBay. While a few thousand dollars is nothing to the core of a busines, its a bit much for a hobbyist.
The first technique I was introduce to was from Karsten Nohl's talk at the 25thCCC (http://events.ccc.de/congress/2008/Fahrplan/events/2896.en.html). He advocates the use of sanding techniques. Since I didn't need a particular chip to start with, I started with a wide DIP I could mount in a ZIF socket.

This is after I just started doing a thin amount of Dremeling. I then used a Dremel to go down until I could see the wire bonding arcs. Wikipedia has a good picture to help visualize this (http://en.wikipedia.org/wiki/File:DIP_Cross-section.svg):
On some chips I could see this with naked eye, but usually had to be made wet with something first. It was easiest to just use a 10X lens to do periodic inspection when you think you are about there. In practice, this might look something like this:
You can't see the wires very well in this one, but just note how we are almost at the leads. Here is a (slightly) better picture with some zoom:
They are barely noticeable as gold dots. Much more visible if you put some fluid on there. Basically, I could see them easily by getting it wet or by inspection under a 10X lens.
The rest will need to be carefully sanded and polished. After a brief bit of sanding, the bonding wires become much more visible:
Some sanding later...

We can now begin to see the die. I didn't sand it very evenly as you can see one corner much sooner than the rest of the die. This takes a bit of practice to learn how to sand evenly. Basically though, once you begin to see this, tilt your peice slighly so as to try to get the other parts to catch up.
I decided this uneveness was probably just as well anyway since it would give me a gradient slice of the die. After sanding away until we have a good gradient:
You can see resin still in the upper right hand corner. It turns out you can see through this more than you might expect:
The top section still has some resin and the bottom section doesn't It gets a bit fuzzy, but not too much more so, even on the deeper sections. Here we can see some damage from the sanding:

Two types of damage occur: planar depth going too low and particulates causing die scratches. Both need to absolutely be avoided for a decent die image. In any case, after polishing up one of the better sections a bit with some mystery paste substance:

Although we have a lot of damage, we are getting a smoother image. Future work will be around getting better images. A key factor will probably be higher quality polishing pastes instead of the mystery brand dried out paste I tried to use. In any case, I still can't see multiple layers and even sanded down very finly until I saw raw silicon.
And to top it off, I sanded it down really far just to get a feel for it.

Basically, you'll notice some cement used to hold the die in place under the silicon and how the leads go through the package. I'm curious what those two extra leads are for...someone suggested to me something related to power.
Well, that was what came out of round 2. Since I did this, I bought some more polishing compounds including a bottle of actual Dremel brand.
In conclusion, sanding seems like a viable option to get to the die, but I've had some bad luck actually getting multiple layers out of it. As you will find out in later posts, I had decent results with chemical etch of the die, but bad resulsts with chemical etch of the resin. Here, I had good resulsts with sanding off the resin, but bad results sanding off the die. So, I will probably be focusing on this hybrind technique in the future.

IC decapping round 1: very first IC images

Some easy IC chips to work with are the old gold capped ceramic chips. Something like this:

This particular chip is labeled MD513 76R / 7407. Since a 7407 is just a line buffer, I can't imagine it being that complicated on silicon and it must be some military grade other chip with an obscure part number. I did find similar chips that were listed as DRAM, which seems consistent with the very regular, memory like die image. Although it took a bit of practice to figure out how to do this, you can use a heat gun to take the cap off. I tried doing this again the other day and I couldn't get the caps off. Thinking back, before I used a vice with a plastic jaw and held the chip in the end, just barley not burning it. This time I put it full in a metal vice which wouldn't release it even under extreme heat. Maybe I'll Dremel them slightly to get a small hole I can grab with pliers. In any case, this is what you get:

Well the first thing to try is to use a bright light and a magnifying glass or similar. I had a 10X objective from a projector, microscope, or something. Setup:


And an idea of the image quality you get:



You can just barely read the text on the die if you strain your eye, but probably not in that picture.
Next, a biological microscope was acquired. I seem to not have a picture of it, but later setups will anyway, and you probably used one at some point in your life or Google can help you. Anyway, you can now get pictures like this:


If you use the camera optical zoom, you can get slightly higher details and also eliminate that eyepiece ring. The biggest issue is probably that the zoom level is then a bit hard to tell. I need a standardized length object to calibrate against. Looks like this:
This was an old die I wasn't protecting well and you can see some dust on it. The electronics club is sorta the anti-cleanroom. More on how the camera was mounted, lighting and such later.
Oh and don't drive yourself mad trying to line up the pictures. I think they were from the same chip, but not entirely sure.

This blog

This blog is my adventures as I try to unravel the mysteries of silicon based life. The ultimate goal would be to create a toolsuite that can take raw collections of chip images and convert them into VHDL or verilog. Under the hood it might use something like Hugin to stich the images together and Degate to create the netlists. I'd probably make the HDL decompiler as a stand alone program with a library core that could make tranformed into a Degate plugin.
There also a wiki setup at http://siliconpr0n.wikispaces.com/ to provide a more summarized form of what I learn. Another RPI student has been working with me on a few things here and there with this as well. Additionally, I'll probably be collaborating with Travis Goodspeed and Karsten Nohl throughout this process. Travis seems to be a big fan of chemical etch, where Karsten seems to favor physical etching techniques more such as using a Dremel. As I get better with the imaging process, I might see if I can get in touch with the Degate authors to provide patches and such.
I've already explored a few things and had some good starting results before I start writing this, so the first few posts will be about past results.