Boiling chips in tree sap.

I saw a CCC talk a while back about reverse engineering ICs (link, recording). It sounded fairly complicated for a hobbyist, but I thought I’d give it a try. All I was hoping for was to get some decent pictures; I didn’t really care about reversing the design.

I dissolved the plastic casing in acetone and tried sanding down the epoxy blob, which didn’t work real well, so I started looking for a chemical solution. Apparently people don’t like giving out nitric acid, so I had to find an alternative. I found a dead (temporarily down) site describing using rosin, which is basically just tree sap. I tracked some down at the local musical instrument store, since violinists use it for whatnot.

After boiling a smartcard in it for about 20 minutes and dissolving the residue with acetone, the chip came out beautifully clean and undamaged. I glued it down to a microscope slide to have something solid to work with; it really is incredibly small. Since the microscope I was using was 30 years old I couldn’t get any decent pictures, so I’m gonna try finding a better one.

From the pictures you can see that only 5 pins are used; some inspection (and common sense) revealed that the high voltage pin on the smartcard wasn’t connected. All the wires survived the epoxy stripping except one, which isn’t bad. With a little luck I’ll be able to find some text on this chip to find out what it is and who makes it. Hopefully I can reverse the protocol and play with it a bit, since they’re real common here but I haven’t been able to find any info on them.

All I know atm is that it’s a synchronous card with the following ATR:

0xA1 0x2B 0xFF 0x*D 0x** 0x** 0x** 0xCB 0x00 0x00 0x00 0x00 0x00 0xFE

But since the standard describing these isn’t free I don’t have much to work from. If anyone has any info on ISO7816-10 I’d love to hear from you.

[LINKS]

www.break-ic.com
Copy Protection in Modern Microcontrollers
Flylogic Blog
Degate
HOW TO: write an IC
Tamper Resistance – a Cautionary Note
Safety Protection Guides and Fact about Microcontroller You Should Know
Hacking the PIC 18F1320
IC reverse engineering Blog
Silicon Pr0n


~ by s3c on 2010/07/15.

6 Responses to “Boiling chips in tree sap.”

  1. […] is interested in reverse engineering some integrated circuits. One of the biggest hurdles in this process has always been just getting to the guts of the chip. […]

  2. Wow, amazing! I’m trying to crack a Czech phone card (I was trying heat (900 °C, 320 °C) and acetone), so I found this article really interesting.

    Some pics: http://kitakitsune.org/raw/Fotky/Hardware/TCardCrack/Chip/

  3. Hello,

    the site berlin.ccc.de is not dead. It was just out of service for a moment.

    Regards,

    Martin

  4. I tried this as well but with no success. I used Hindersine violin rosin and boiled the chip in it for 15 min at a temperature hot enough to melt solder (about 300 deg C); then, as nothing was happening, I upped the temp to the point where the rosin was boiling and smoking heavily for another 15 min.

    At the end of all that the chip looked the same as when I put it in. Can you give us more details about your process, temperatures, etc so this can be reproduced? Right now this looks more like a hoax, unless you’re heating your chip so much that the epoxy is just burning off due to the heat and the liquid rosin just washes it away, in which case this doesn’t count.

    I also can’t see anything chemically that would explain how rosin would dissolve epoxy.

  5. I was working on a smart card so it only had a little epoxy blob on the back; the ASIC separated from the contacts within seconds on only a low boiling temperature. The rosin I was using was basically just pure tree sap. I didn’t even pay for it, they just gave it away. I was doing this over a small flame from a science kit and a normal test tube, nothing special.

    Bystroushaak sent me his results using the same method and they were pretty impressive, have a look at:

    http://kitakitsune.org/raw/Fotky/Hardware/TCardCrack/Chip/05_Resin3/

  6. The method I use is based on laser ablation, a process where the material’s molecular bonds are broken by the photochemical interaction of a 355nm UV laser beam.
    A 100mjoule energy fluence on a 30-40µm diameter spot suffices to obtain the wanted result.
    The nice thing is that organic materials like the epoxy resins used for IC cases require a low energy level which, on the other side, is absolutely insufficient for the IC die’s semiconductors and metals (requiring around 3-4’000mj instead).
    As a result the ablation process leaves the die completely clean and without unwanted chemical erosion or remnants of resin or other chemicals.
    The next time I do a hack like this I will take some pictures to show what the results are.
    I have discovered that some relatively low-cost webcams are ideal for making macro and micro level pictures, so I use them to work with SMT and to examine the surfaces and consistency of reflowed PCBs.
    Ah, for some reason I already have the ISO standard document paper for synchronous smart-cards you are looking for… 😉
