Recently at Toorcon9 (www.toorcon.org), some individuals asked to see images of decapsulated parts still in their packages. I dug around and came up with some examples. Click on any of the pictures for a larger version.
Above: Microchip PIC18F2550
Above: Dallas DS89C450
Above: Microchip dsPIC30F6013
Using our proprietary procedures, all parts remain 100% functional with no degradation after exposing the substrate.
I know you do this for a living and won’t like to share your secrets, but could you please explain some other processes that can be done to a chip to de-cap it?
I have always been interested in seeing the insides of some telephone cards that I have
The acids we use are very dangerous and will burn if you come in contact with them.
We happened to have a telephone card from Mexico that we scanned in. This particular card used an ST 1355 serial memory. The die revision is ‘D’. We also have a Canadian phone card that has not been imaged of the same die but instead is revision ‘A’ of the silicon.
Rev ‘A’ = 1993
Rev ‘D’ = 2001
We immediately see a security related change between the two parts. We’ll get the older part imaged and do a write up sometime soon.
Click on this link for a larger version of the pic: http://www.flylogic.net/chippics/phonecards/st1355D_large.jpg
Awesome, thanks! I’ll be looking forward to reading that write-up.
Burn Burn Burn!
sweeeeet
oscar Says:
November 4th, 2007 at 4:20 pm
I know you do this for a living and won’t like to share your secrets, but could you please explain some other processes that can be done to a chip to de-cap it?
I have always been interested in seeing the insides of some telephone cards that I have
admin Says:
November 5th, 2007 at 7:43 pm
The acids we use are very dangerous and will burn if you come in contact with them.
You said you use HF acid, is that how u “burn off” the encapsulation?
I read some articles in Holland about 7 years ago,Telegraaf newspaper saturday edition, that someone at the Twenthe university managed to “micro probe” a smartcard and was able to reset config bits, by using a certain voltage, one disadvantage, he needed more then one card to
succeed.
He used acid aswell to etch true the plasic.
23th april 2008
When you say proprietary process, you mean fuming sulfuric acid and a hot plate. I do this all the time, it’s not a secret process, it’s a well known industry standard practice.
I am not trying to be a dick, but by saying that it’s some sort of secret you were just begging to get called out.
We mean we dont want to explain in details why we mix chemicals together to better break down the various barriers protecting the die. If you told me you use fuming sulfuric we would tell you that your devices are dirty but you get your job done
Not that difficult if you know what you’re doing… I did this one at home in less than half an hour. (No RFNA necessary, 70% works very well if you get the chip nice and hot.)
The chip is a PIC18F1320-I/P (new revision) which I ordered samples of after reading your teardown. It still has filler over the code protection fuses. Next step: spin coat a drop of photoresist, expose, and etch a nice little hole
Preparation (PIC is at top, bottom is a 7400 series chip I did in the same session)
http://i.imgur.com/bIPa6.jpg
Checking etch progress, one corner still covered in epoxy
http://i.imgur.com/zsXZ0.jpg
Target power not detected – Powering from PICkit 2 ( 5.00V)
PIC18F1320 found (Rev 0×7)
http://i.imgur.com/Cot9I.jpg
Any chance to see a teardown of the Siemens SLE4436 based phonecards?
They are used for example in Romanian phonecards.
Here are some links to a great explanation of their functionality:
http://gsho.thur.de/gsho/phonecard/advanced_e.htm
http://ciscom.ru/hackersrussia/Cards/Syncro/Eurochip.txt
A challenge-response algorithm is used.
“Algorithm is fully hardware based and uses a 48 bit
moving register and only XOR or NXOR logic cells. Also card
have three 9 bit, 6 bit, 5 bit counters with unknown function.
”
Can you send us some samples of the SLE44 series device?
We’ve seen the 4442, 4428 and 5542 series to date.
Thx!
Nice job,
I’m intrested in pic30f5013 die, is it similar to 30f6013? where is eeprom? config fuses, and so on? maybe it’s possible to see some dies? Now i’m decaping 30f5013..so some information would be nice