IC Reverse Engineering
Project IC Reverse Engineering | |
---|---|
Status | In progress |
Contact | User:peterbjornx |
Last Update | 2019-10-17 |
Introduction
Integrated circuits are a black box to most electronics hackers: the datasheet tells you how to interface to them and if you stick to this your project works. Sometimes, however, the chip does not behave as you expected it to, or the vendor decides to withhold information from you. In these cases you might want to take a look under the hood and see what makes the IC tick.
This project is about developing the tools and methods to do so. Some of these tools are taken from existing projects such as Decapping. Others are adapted from professional techniques, and others still are made up on the go.
Decapping
To start reverse engineering an IC, you first need to liberate the die (the silicon "chip"). The methods for doing this depend on the type of package.
Ceramic + sintered glass DIP packages
These are the packages used for EPROMs and 54-series glue logic. They consist of two ceramic slabs with the lead frame cemented in between them. You can easily open these with a pair of pliers by prying apart the slabs.
Ceramic lidded packages
These are used for processors and can be either DIP or PGA. They will either have one or two lids, and the lid is soldered in place using high temperature solder. Desoldering can easily be done using a torch.
Organic lidded packages
Mostly used by Intel for Pentium II and onwards. Taking the lid off by desoldering will not yield access to the die as the die void is filled with epoxy resin. This can be removed by trimming off the edges of the package and treating the die+epoxy part with molten colophony resin.
Plastic packages
These can be decapped using RFNA as described in Decapping.
Die removal
After decapping the die may still be attached to a metal base plate or in the case of ceramic packages, the bottom of the package. In order to do etches the die must be separated from the metal base, the means for doing so depend on the type of die attach used.
Epoxy die attach
This is the more tricky kind of die attach, and removal can be attempted using the molten colophony resin method, dissolving the metal base in nitric acid, or by thermally attacking the bond.
Soldered die
If the die is soldered, there are two options for detaching the die: The base metal can be dissolved in nitric acid or the die can be desoldered from the package.
Die photography
Now that we have our die, we can inspect it. This can be done in various ways, such as:
Binocular microscope (5x-30x magnification)
The binocular microscope can be used for cursory examination of the die but does not have enough power to resolve individual features in any but the simplest ICs. For 5x and 15x magnification the 1/2x add-on lens is required.
Reflected light microscope
TODO: Document this tool
Delayering: Passivation
In order to view any but the topmost layer of the circuit we need to remove the layers above it. The first layer on the IC is the so called passivation layer, which consists of several sub-layers. Depending on the type of layer different methods may be used.
Glass (oxide/SiO2)
Glass passivation can either be removed using chemical means or mechanical means. Currently we do not have the means to perform the chemical methods.
Nitride
Nitride passivation can either be removed using chemical means or mechanical means. The chemical method is still being developed.
Delayering: metal
The metal layers on an IC are either made out of copper or aluminium. ICs made before ~1995 will usually have aluminium metal, while more modern circuits may use either. After a metal layer is removed there will be a thin oxide layer. Depending on the use of the metal layer the thickness may vary, it can be very difficult to selectively remove a single metal layer by lapping because of this. For example: The P5 processor die has a very thick metal_3 layer followed by a thin metal_2 layer. The metal_3 layer takes about 30 minutes of hand-lapping and the metal_2 layer only one or two. (TODO: add image of this)
Aluminium (Al)
Aluminium can either be removed using chemical means or mechanical means.
Copper (Cu)
Copper can either be removed using chemical means or mechanical means. We have not yet worked on an IC with copper interconnect.
Procedures
These are rough guides for the techniques put forward in this page. They are not full safety manuals and should not be attempted without a thorough understanding of the risks involved
Colophony Decapping
This is a more subtle way of attacking epoxy compared to RFNA. The process is quite simple:
- Set up a test tube in a clamp (in the fume hood)
- Fill it with enough colophony resin to cover the object to be decapped with 1cm of resin above it.
- Add the object
- Carefully heat it with a torch or the temperature controlled heat gun (the fumes coming off this are combustible and splashing may occur if the tube is allowed to overheat)
- Pour the hot, molten resin into a beaker filled with water.
- Take out the die and clean it using IPA and possibly the ultrasonic bath
Ceramic package heating
For the various methods that involve heating ceramic packages, these precautions should be used.
- For delidding, the lid should be heated while avoiding the surrounding ceramic as much as possible
- For desoldering a die or thermally removing the epoxy die attach, the backside of the package should be heated, not the die itself.
- The ceramic is sensitive to heat shock, rapid/uneven heating or cooling might cause the package to crack and spread hot pieces of ceramic everywhere. This process should thus only be attempted outdoors.
Nitric acid metal removal
For removing large quantities of metal, such as packaging or leadframe remains, nitric acid can be used. There are several risks involved:
- Nitric acid is corrosive and will burn skin on contact: Wear gloves
- The reaction between the acid and metal produces nitrogen oxides which are corrosive and poisonous, they can be recognized by their dark orange colour and their diesel-exhaust like smell.
- The product of the reaction is a solution of copper and heavy metal salts, which should either be treated to drop the metals out of solution or be discarded wholly as liquid chemical waste.
The fume production can be limited by placing a watchglass over the beaker/petri dish used for the reaction.
The reaction may be accelerated by heating on the hotplate, but this should be done *very* carefully.
Lapping
Lapping involves carefully abrading away layers, because of the incredibly thin nature of these layers this is done using polishing compound and a soft object.
For a less complicated work flow, planar lapping is preferred, but this is very difficult to accomplish as it requires specialized tooling.
Non planar lapping methods that are slow enough will still yield a locally planar result, meaning that even though different parts of the die will have different layers exposed, full images of a specific layer/depth can be acquired by selectively stitching images acquired from multiple lapping passes.
Lapping is more safe than chemical etching but has a big downside: it is a mostly planar process and thus selects by depth, not by layer. Metal layers are not flat and reconstructing them will take considerable effort and a resolution high enough to resolve the isolating oxide in a cross-sectioned metal/oxide/metal part of a die.
Oxide etch
Silicon oxide can be etched by several chemical compounds, each of which makes them either unsuitable for use at the space or unsuitable for selectivity reasons.
Hydrogen fluoride / Buffered Oxide Etch
Due to the hazardous nature of these HF containing solutions we plan to first study alternative etchants
Sodium hydroxide / Potassium hydroxide
These etch silicon orders of magnitude faster than SiO2 and will thus dissolve the die before removing the oxide.
Aluminium etch
Aluminium can not be etched using normal metal etch solutions such as nitric acid as it forms a protective oxide layer, which is strong enough to resist these.
A mixture of phosphoric acid and nitric acid will however remove the aluminium oxide as well as removing the metal. There is a bottle of pre-mixed aluminium etch at the space
Manual, local lapping
For the P5 project I (pbx) used copper/brass polish compound and cotton swabs/Q-tips to very carefully lap the IC. This took several hours to get through the passivation layer and interconnect and is in no way planar.