Decapping is the process of removing the black epoxy packaging that encases a microchip in order to expose the silicon die inside. The die is where all of the processing happens and where the data is stored; in the case of a microcontroller, the kind you would find in most electronic devices, it is also where the firmware is stored.
There are a couple of methods for actually performing the decapping process, and this post looks at using nitric acid and sulphuric acid to dissolve the black epoxy packaging. It is possible to use sandpaper to remove most of the packaging first, which allows you to be a little more precise with the acid if you need to target a specific area of the die. Remember, though, that being too aggressive with the sandpaper may end up damaging the silicon.
Good question. There are a few reasons why we might want to decap a chip so let's examine them here.
Sometimes it may be necessary to confirm that a batch of ICs (Integrated Circuits) from a supplier is genuine, or that the IC you found in a particular device is what it says it is.
The silicon die, when examined under a microscope, will likely have markings which identify the manufacturer, the date of production and possibly some other interesting information regarding the manufacturing process. It is also very unlikely, near impossible, that a counterfeit chip is going to have exactly the same layout as the genuine article.
One of the main goals of attacking the hardware is to extract the firmware so it can be reverse engineered later. Many microcontrollers will provide some ability to lock down the chip, by disabling debugging and preventing the flash memory from being read. This protection is provided in the form of lock bits (or bytes) which can only be cleared by erasing the entire chip (therefore deleting the firmware). However, if we can find these lock bits on the silicon it may be possible to use another technique to reset these bits and unlock the device.
Some microcontrollers or custom ICs may have a bootloader "burnt" into the silicon itself by the IC manufacturer. These can be quite interesting, as they might allow us to access other features of the chip, or allow us to read out the firmware and bypass other protections.
A chip with a masked ROM will have an area of memory whose contents are programmed during the manufacture of the silicon itself as part of the photolithography process. In a via-programmed ROM the 1s and 0s which make up the program are determined by the presence or absence of a connection between two layers (other mask ROM styles encode each bit as the presence or absence of a transistor or a diffusion region instead, which may need the upper layers removed before it can be seen). The pattern is usually quite easy to spot under a microscope, and it allows us to extract the bootloader program directly from the silicon, provided the bit order, byte order and polarity of the array can be worked out.
Check out Wikipedia for a decent explanation.
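As an added example (not code from the original post, and not data from the LPC11C24), here is the step that turns a transcribed bit pattern back into bytes. The grid below is a constructed 4-row by 16-column transcription of a via-programmed array; the two layout hypotheses it tries (the bits of one byte side by side, versus columns grouped by bit position so all the bit-7s come first), the MSB-first bit order and the polarity are assumptions that, on a real die, have to be worked out by decoding under each hypothesis and checking which one yields something sensible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How the columns of one physical row map onto the bytes of that row.
 * Both are hypotheses; the right one depends on the chip's sense-amplifier
 * and output-mux wiring and is not known before looking at the die. */
enum rom_layout {
    LAYOUT_ADJACENT,  /* column c -> byte c/8, bit 7-(c%8): one byte's bits side by side */
    LAYOUT_BITPLANE   /* column c -> byte c%N, bit 7-(c/N), N bytes per row: all bit-7s,
                         then all bit-6s, and so on */
};

/* Constructed transcription: '1' = via present, '0' = via absent.
 * Hypothetical sample data for this example only, NOT the LPC11C24 ROM. */
#define ROM_ROWS 4
#define ROM_COLS 16
static const char *const ROM_GRID[ROM_ROWS] = {
    "0011000001011101",
    "0011000110111010",
    "0101010101010101",
    "1000110101110010",
};

/* Decode a rows x cols grid of '0'/'1' characters into bytes under LAYOUT.
 * INVERT flips polarity (via present = 0), which is equally unknown a priori.
 * Returns the number of bytes written, or -1 on bad geometry, a row of the
 * wrong length, or a buffer that is too small. */
int rom_decode(const char *const *grid, int rows, int cols,
               enum rom_layout layout, int invert,
               uint8_t *out, size_t out_len)
{
    if (rows <= 0 || cols <= 0 || cols % 8 != 0) return -1;
    int bytes_per_row = cols / 8;
    size_t total = (size_t)rows * (size_t)bytes_per_row;
    if (total > out_len) return -1;
    memset(out, 0, total);

    for (int r = 0; r < rows; r++) {
        if (strlen(grid[r]) != (size_t)cols) return -1;   /* transcription error */
        for (int c = 0; c < cols; c++) {
            int bit = (grid[r][c] == '1') ^ (invert != 0);
            int byte_idx, bit_idx;
            if (layout == LAYOUT_ADJACENT) {
                byte_idx = c / 8;
                bit_idx  = 7 - (c % 8);
            } else {
                byte_idx = c % bytes_per_row;
                bit_idx  = 7 - (c / bytes_per_row);
            }
            if (bit)
                out[(size_t)r * bytes_per_row + byte_idx] |= (uint8_t)(1u << bit_idx);
        }
    }
    return (int)total;
}

/* Hex plus printable ASCII: the quickest way to see which hypothesis
 * produced something meaningful. */
static void dump(const char *label, const uint8_t *buf, int n)
{
    printf("%-9s", label);
    for (int i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("  |");
    for (int i = 0; i < n; i++) putchar(buf[i] >= 0x20 && buf[i] < 0x7f ? buf[i] : '.');
    printf("|\n");
}

int main(void)
{
    uint8_t img[ROM_ROWS * ROM_COLS / 8];
    int n;
    n = rom_decode(ROM_GRID, ROM_ROWS, ROM_COLS, LAYOUT_ADJACENT, 0, img, sizeof img);
    dump("adjacent", img, n);
    n = rom_decode(ROM_GRID, ROM_ROWS, ROM_COLS, LAYOUT_BITPLANE, 0, img, sizeof img);
    dump("bitplane", img, n);
    return 0;
}
```

Only the bit-plane hypothesis turns this sample into readable bytes; the adjacent one gives plausible-looking but wrong values, which is the usual trap. On a real dump of an ARM Cortex-M boot ROM a good sanity check is that the image starts with an initial stack pointer followed by a reset vector with its low bit set (Thumb code); if neither ordering produces that, the column or row order, or the polarity, is still wrong.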
This will be covered in more detail in a future post, but it consists of using a laser to flip the state of individual bits (SRAM cells, for example) while the device is in operation. This can be used to reset lock bits, introduce errors into cryptographic computations, or alter the program flow, for example to bypass a password prompt or a bounds check. It requires the die to be exposed while the chip is still working, which is why how much of the package you remove, and how, matters.
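The password-prompt bypass mentioned above can be modelled in software to see why one flipped bit is enough, and what the firmware side of the defence looks like. The following is an added example, not code from the original post or from any vendor ROM: a constructed four-character password check in a naive and a hardened form, with a global fault mask standing in for the laser (it is XORed into the decision variable at the instant it is tested; it models a flipped data bit, not a skipped instruction). The sweep function feeds a wrong password through each check once per single-bit fault and counts how many of the 32 faults grant access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret for the example; a real device keeps this in flash or EEPROM. */
static const uint8_t SECRET[4] = { '1', '2', '3', '4' };

/* Simulated optical fault: the mask is XORed into the decision variable at the
 * moment it is tested. 0 means no fault. */
static uint32_t g_fault_mask = 0;
static uint32_t probe(uint32_t v) { return v ^ g_fault_mask; }

/* Naive check: a single 0/1 flag decides, and any non-zero value counts as
 * "granted", so flipping ANY bit of the flag turns a refusal into an acceptance. */
int check_naive(const uint8_t *in, size_t len)
{
    uint32_t ok = (len == sizeof SECRET) && (memcmp(in, SECRET, sizeof SECRET) == 0);
    if (probe(ok))
        return 1;                                /* access granted */
    return 0;
}

/* Hardened check. PASS and FAIL are bitwise complements (Hamming distance 32),
 * the verdict defaults to FAIL, and only an exact PASS is accepted; a value that
 * is neither is treated as an attack. The verdict is tested twice with opposite
 * polarity so that one skipped branch is not enough either (that half is not
 * exercised by the data-flip model used here). */
#define PASS 0xA5C35A3Cu
#define FAIL 0x5A3CA5C3u

int check_hardened(const uint8_t *in, size_t len)
{
    uint32_t verdict = FAIL;
    if (len == sizeof SECRET) {
        uint32_t diff = 0;                       /* OR the differences: no early exit */
        for (size_t i = 0; i < sizeof SECRET; i++)
            diff |= (uint32_t)(in[i] ^ SECRET[i]);
        if (diff == 0)
            verdict = PASS;
    }
    if (probe(verdict) != PASS) return 0;        /* first test: exact match required */
    if (probe(verdict) == FAIL) return 0;        /* second test, opposite polarity */
    return 1;
}

/* Feed a WRONG password through CHECK once for each single-bit fault on the
 * decision variable; return how many of the 32 faults granted access. */
int count_bypassing_flips(int (*check)(const uint8_t *, size_t))
{
    static const uint8_t wrong[4] = { '0', '0', '0', '0' };
    int bypasses = 0;
    for (int b = 0; b < 32; b++) {
        g_fault_mask = 1u << b;
        bypasses += check(wrong, sizeof wrong);
    }
    g_fault_mask = 0;
    return bypasses;
}

int main(void)
{
    printf("naive:    %d of 32 single-bit faults bypass the check\n",
           count_bypassing_flips(check_naive));
    printf("hardened: %d of 32 single-bit faults bypass the check\n",
           count_bypassing_flips(check_hardened));
    return 0;
}
```

Every one of the 32 faults defeats the naive check, because a boolean has 31 "true" encodings and one "false". None defeats the hardened one: no single flip of FAIL reaches PASS. On real firmware the redundant comparison also needs protecting from the optimiser (a volatile verdict or a compiler barrier), which this model does not need.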
Microprobing is where the program or data is read directly from the bus connecting the CPU to the flash, SRAM or other peripherals, depending on how the particular chip is designed, by landing fine needles on the exposed bus lines while the chip runs. It needs expensive equipment and considerable skill, but it allows things like encryption keys or firmware to be read directly from the silicon, bypassing read-out protection that is only enforced on the debug or programming interface.
There are many other reasons why you may want to get at the silicon itself such as reverse engineering the logic, researching the manufacturing process, art, fun or maybe you're just hunting for interesting Easter eggs left by the silicon designers like these guys at the silicon zoo. Whatever your reasons you don't have to convince me, let's look at how the process is done.
Hang on for one second, remember those two words in the title, the reason you clicked in the first place; "Boiling Acid". Believe it or not this process is somewhat hazardous so you will need the proper safety equipment as well as a plan in case something goes awry.
Nitric acid in concentrations above ~70% (hey, that's what we're using!) emits visible fumes, and the decapping reaction itself gives off nitrogen dioxide, which will damage your lungs if inhaled. A decent respirator with filters rated E1 or above (you can buy a respirator with A1B1E1 filters off eBay) is necessary for the duration of the process, and no, that dust mask you used to decorate your bedroom is not sufficient. Be aware that the E class covers acid gases such as sulphur dioxide and hydrogen chloride; nitrogen oxides have their own filter type (NO-P3 under EN 14387), so check what your filter is actually rated for and, better still, do the work in a fume hood or outdoors.
Getting any acid on your skin is not going to be a pleasant experience so to avoid any risk of living the rest of your life physically maimed the following safety equipment is required:
If you do attempt to decap chips yourself, make sure you thoroughly read the safety data sheets (the COSHH sheets) for the chemicals you will be using and follow any safety precautions detailed therein.
DO NOT work alone: you cannot call an ambulance if you have passed out while dangerous fumes fill the room. Nitric acid is a strong oxidiser, so there is a risk of fire or explosion; keep it away from naked flames and from organic solvents.
It is your responsibility to make sure that all safety precautions are in place and followed; I will not be held responsible for any damages or injuries you may suffer. Do your research!
With that out of the way we can look at what tools and equipment are needed to actually carry this out.
Here's a look at some of the equipment used.
And the chemicals used in the process.
The ICs I chose to decap are NXP LPC11C24F parts in a QFP package. These are small 32-bit ARM Cortex-M0 microcontrollers used in industrial sensors, smart meters, white goods etc., and I'm under the impression that they include a masked boot ROM, which is something we will find out soon.
The first step is to prepare the work area, make sure you have enough room to work, plenty of ventilation and have a bucket of distilled, deionised water nearby to dispose of any acid-covered tools. I also prepared a 500ml beaker of deionised water ready to dilute the acid at the end of the process.
The first method I tested was using pure nitric acid. I first used the pipettes to transfer ~15-20 ml of nitric acid into a 100 ml beaker, which was placed on the hotplate. The nitric acid begins to fume immediately upon opening, so the container was re-sealed and the beaker covered with a petri dish, like so.
Next, the hotplate was turned to a low setting to heat the nitric acid to about 90 degrees C. I used a fan to ensure that any fumes were extracted away. Once the hotplate was up to temperature the chip was carefully dropped into the acid; shown below.
The reaction starts immediately and produces nitrogen dioxide fumes so I re-covered the beaker with the petri dish. This was quite effective at preventing fumes from escaping and filling the room, instead they condense on the petri dish and are contained. The reaction produces a black precipitate in the beaker and plenty of fumes as shown below.
It took approximately 11 minutes for the reaction to cease, at which point the hotplate was turned off. Once suitably cool, the acid was CAREFULLY poured into the 500ml beaker of water which was prepared earlier.
All that remained in the small beaker at this point was some black epoxy precipitate and 2 small silicon dies.
The final step was to make everything safe by neutralising the acid in the 500 ml beaker using the neutraliser or bicarbonate of soda. Add it slowly, as the reaction fizzes and gives off carbon dioxide. Litmus paper (or, better, pH strips) can be used to check that the solution is at about pH 7. Professional acid neutraliser usually changes colour to indicate that the solution is neutral.
Due to the quantities in use, it is safe to dilute the acid with plenty of water and dispose of it in an outside drain.
The silicon dies were placed in another small beaker containing about 20 ml of acetone and gently cleaned with a lint-free cloth to remove any remaining epoxy. Rinse the dies in water and let them dry before this step: acetone reacts violently with nitric acid, so no acid residue should be left on the dies or the tools when the solvent comes out.
Once all the equipment had been thoroughly cleaned and dried, it was time to attempt a different method using a 3:1 sulphuric acid to nitric acid mix (75%/25% by volume). For this approach I also decided to try to be more precise with the decapping and see if I could expose just the top of the silicon while leaving the bond wires and pins intact.
The first step was to use a fresh pipette to make up a solution which was made up of 6ml of sulphuric acid and 2ml of nitric acid. This solution was heated on the hotplate, on a low setting.
Next, the chip was placed into a petri dish which was also placed on the hotplate to keep it warm. Once the acid solution was warm, a small amount was transferred from the beaker and dripped onto the top of the IC. The addition of sulphuric acid meant that the disposable pipettes would only survive long enough to make one transfer before they lost their shape and had to be disposed of. For this method I would recommend using a glass pipette.
The reaction started immediately as it did before, and the petri dish was covered again to contain the fumes.
This method was much less intense and took a lot longer to complete, over an hour and a half, and involved regular re-applications of the acid solution.
The image below shows the process after about an hour and you can see the silicon die beginning to show and, as you can probably tell, my attempt at preserving the device's legs had failed.
Once I was happy that enough plastic had been removed I followed the same procedure as before of neutralising and disposing of the acid solution.
The device was cleaned by immersing it in about 20ml of acetone, as before, and then gently cleaned with a lint-free cloth. The results of the two procedures are shown below.
The package on the left is what was left at the end of the second procedure. The two smaller silicon dies on the right are all that remained after dropping the IC into pure nitric acid for 11 minutes.
I was quite surprised to find that the IC contained 2 separate dies; the function of each should become clear once I am able to take a high-resolution image of the silicon.
Overall I found that the method using pure nitric acid was much faster, although it was much more violent. This method would be useful when you do not need the device to be operational, instead you just want an image of the silicon for evaluation or reverse engineering purposes.
The second method using sulphuric acid was much slower but this meant that it was easier to control. This process is more suited to a scenario where you want the device to be operational after the silicon is exposed, for example when attempting an optical fault injection attack or microprobing.
The ICs which were decapped here were not intended to be used again, so it was not a problem if the bond wires were damaged or the pins destroyed. The next step for these chips is to obtain high-resolution images of the silicon and try to determine whether a masked boot ROM is present. If one is found, it should be possible to try to reverse engineer its operation.
I have two development boards which are based around these microcontrollers so a plan for the future would be to try and remove enough of the epoxy to allow for an optical fault injection attack while still leaving the device operational. This is probably best achieved by using sandpaper to remove the bulk of the packaging and then using a nitric acid & sulphuric acid mix to remove the remaining plastic.