Peeling Back The Layers: How to Decap ICs and Spot Counterfeit Chips
It may not be the safest activity, but decapping can teach us a lot about counterfeit chips and ICs as a whole.
They say you shouldn’t judge a book by its cover, and the same holds true for integrated circuits: don’t judge a chip by its epoxy coating. A look beneath the surface can reveal a very different story. “Decapping” a chip refers to removing this outer package layer to expose the silicon die.
It’s an exciting way to see what makes a chip tick, but it’s not without risk. Safety is the name of the game here, but those who are careful can not only learn a lot about their integrated circuits, they can also spot a counterfeit from a mile away.
Decapping an Integrated Circuit: A Step-by-Step Guide
Removing the outer layer of a chip offers unique insight into the way it functions. The silicon die is where the magic happens, and in the case of microcontrollers, it’s also where the firmware is stored.
There are a few different ways to decap a chip, but the most common method utilizes chemicals like nitric acid, sulfuric acid, and acetone to essentially melt the epoxy right off the top of the chip, then neutralize the acid so it’s safe to examine.
Other methods include sandpaper to remove the epoxy, or torching the chip to remove the package. These methods won’t let you probe the chip, but they will most certainly get you inside to see the electronics on the die.
It goes without saying, but there are some serious health and safety concerns here that need to be addressed. Thankfully, equipment like face visors and respirators is relatively inexpensive.
Disclaimer: Anything you do with this information provided here is done entirely at your own risk. Practice safety standards according to the Material Safety Data Sheet (MSDS) for the chemicals you’re using, utilize proper equipment, and always work with at least one other person.
Safety concerns aside, these are the things you’re going to need:
- Nitric Acid with 70% concentration (about 10–20 ml)
- Sulfuric Acid greater than 90% concentration (You can do this with just nitric acid if you prefer)
- Acetone (a few hundred milliliters)
- Distilled Water
- Lab hotplate
- Acetone wash bottle
- Borosilicate petri dishes, stirring rod, and several beakers between 100ml and 500ml
- Glass pipette and pipette bulb
- Goggles and face shield
- Fume hood or fume cabinet
- Respirator with A1B1E1-rated filters
- Lab coat and apron
- Nitrile gloves (wear two pairs at once)
- Acid spill kit
- Bucket of water
- Glass thermometer
- Acid neutralizer (such as sodium bicarbonate)
- Universal indicator paper, pH 1–15
- And of course, some ICs you don’t mind ruining in the name of science
Step one: Preparation
Before you begin, plan everything out ahead of time. Are you going to do this outside? If you do, check the weather and ensure there are no children or pets nearby.
Have a plan in place for things like acid spills so you’re not caught off guard if something goes wrong. Put on your protective gear first, including your gloves and face shield. Make sure your ventilation system is in place, be it a fume hood or cabinet.
Fill your bucket with distilled, deionized water to dispose of any equipment covered in acid. Fill your 500ml beaker with water as well for diluting acid. Place one of your 100ml beakers on the hotplate.
Bring your bottle of nitric acid and a pipette close to the beaker before you open the acid bottle, as it will begin fuming immediately. Using the pipette, transfer 15–20 ml into the 100ml beaker. You can cover the beaker with a petri dish to keep the fumes from escaping. Reseal the acid bottle when you’re finished.
Finally, turn on the hotplate to a low setting to begin heating the nitric acid. We’re looking for a temperature of around 90 degrees Celsius, at which point you should turn the hotplate off. Keep an eye on the temperature: we don’t want the acid to boil (70% concentration boils at 121 degrees Celsius). It’s time to get started.
Step two: Decapping the Chip
Once the acid has reached the proper temperature, it’s time to drop your chip inside. Try to keep it face up and avoid any splashing as the reaction will be immediate.
Nitrogen dioxide fumes will begin emitting from the beaker. You’ll also notice epoxy particles and debris scattering across the inside of the beaker; this is normal. The reaction can take anywhere between 3 and 10 minutes or more depending on the size of the chip and the concentration of the acid.
When all is said and done, you’ll have a bunch of epoxy at the bottom of the beaker and the chip’s die will be exposed with the bond wires attached. Let everything cool on its own before decanting the excess material into the larger 500ml beaker while leaving your die in the small beaker.
Step three: Cleaning and Examining Your Die
Using tweezers, transfer the die into a clean petri dish lined with a paper towel. Once this is complete, it’s time to neutralize the remaining acid with your sodium bicarbonate.
Add the sodium bicarbonate to the beaker one teaspoon at a time until your indicator reads a pH of 7 (neutral). Rinse the die with your acetone. Dispose of all the excess materials, and you’re ready to take a closer look at your chip!
Why Would You Decap a Chip?
This process may seem like a lot to just look at the inside of a chip, but there are actually a few reasons why someone would go through the trouble of decapping an integrated circuit:
Counterfeit chips are a very real thing, and beyond their inherent problems, they can also pose safety concerns as they may not function in the same way as an authentic chip.
The methods by which these chips are made vary, but often it involves cheap copies, old parts being sold as new, repurposed chips rejected from factories, or low-spec parts being placed in high-spec packaging.
When you’ve finished with your decapping, here are some clear indicators of a counterfeit chip:
- Wrong part number
- Incorrect date
- Pre-soldered pins
- Laser cut lines in the markings
- Poor copies of manufacturer logos
- IC markings that are written in ink and wipe away when exposed to acetone
The part numbers in particular tend to be the biggest giveaway. These are sometimes random numbers chosen by the counterfeiter, and the issue becomes apparent as soon as you compare them against the manufacturer’s official part numbers.
Since the laser marking tolerance used by counterfeiters is much lower than that of a fab house, the text and logo are also easy places to spot problems: the wrong font, or a logo that is too blurry, gives the part away.
Optical Fault Injection
This involves using a laser to flip the state of specific bits while the device is in operation. It allows you to reset lock bits, but it can also be used to introduce errors into cryptographic processes or the program flow, which in turn allows password prompts or bounds checks to be bypassed.
This method can be used to test the countermeasures within secure microcontrollers, but it’s ultimately used for nefarious purposes as it’s not easy or simple to implement countermeasures against it.
This is a very expensive process that allows you to read data like encryption keys or firmware directly from the silicon itself by interfacing with the data bus that connects the CPU to the flash, SRAM, or other peripherals.
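The password-prompt bypass described above is the reason secure firmware avoids storing an authorisation decision as a plain boolean. This added example (not code from the article) contrasts a naive gate with a fault-hardened one and counts how many single-bit faults on a “denied” result each lets through; the codeword constant AUTH_OK, the enum and the function names are my own assumptions.

```c
#include <stdint.h>

/* Constructed example: a password gate as it might appear in microcontroller
 * firmware, in a naive form and a fault-hardened form. */

/* Naive: success is "any nonzero value". A single flipped bit in a zero
 * (denied) flag, whether in a register or in SRAM, reads as granted. */
static int naive_gate(uint32_t ok_flag) {
    return ok_flag != 0;
}

/* Hardened: the outcome is a 32-bit codeword, not a boolean. OK and FAIL are
 * bitwise complements, so they differ in all 32 bits; no single fault can turn
 * one into the other, and any other value is a detected fault. */
#define AUTH_OK   0xA5C33C5AU          /* assumed codeword, chosen for this example */
#define AUTH_FAIL (~AUTH_OK)

typedef enum { GATE_DENY, GATE_GRANT, GATE_TAMPER } gate_t;

static gate_t hardened_gate(uint32_t flag) {
    if (flag == AUTH_OK)   return GATE_GRANT;
    if (flag == AUTH_FAIL) return GATE_DENY;
    return GATE_TAMPER;   /* neither codeword: treat as an injected fault (e.g. reset) */
}

/* Simulate a laser-induced single-bit flip at position `bit` of `v`. */
static uint32_t flip_bit(uint32_t v, unsigned bit) { return v ^ (1U << bit); }

/* Count how many of the 32 possible single-bit faults on a "denied" result
 * turn into a grant for each gate, and how many the hardened gate flags. */
int naive_bypasses(void) {
    int n = 0;
    for (unsigned b = 0; b < 32; b++) n += naive_gate(flip_bit(0U, b));
    return n;                                   /* 32: every flip bypasses */
}
int hardened_bypasses(void) {
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        n += (hardened_gate(flip_bit(AUTH_FAIL, b)) == GATE_GRANT);
    return n;                                   /* 0: no flip reaches AUTH_OK */
}
int hardened_detected(void) {
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        n += (hardened_gate(flip_bit(AUTH_FAIL, b)) == GATE_TAMPER);
    return n;                                   /* 32: every flip is caught */
}
```

The codeword trick only addresses corrupted data; a glitch that skips the comparison instruction itself needs the redundant, duplicated checks that secure microcontrollers layer on top of it.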
Resetting Lock Bits
By using optical fault injection techniques, it’s also possible to access the firmware on a chip for the purposes of reverse engineering it. Many microcontrollers can prevent this by disabling debugging and preventing the flash memory from being read.
The only way to clear the lock bits/bytes is to erase the chip, deleting the firmware in the process. With the right optical fault injection techniques, however, the states of these individual lock bits can be flipped, thus unlocking the device.
Reading Out a Masked ROM
Some microcontrollers or integrated circuits have a bootloader essentially burned into the silicon by the manufacturer. Accessing this can open up new features of the chip, read the firmware, or bypass protections in place.
The term comes from the masked-off regions of the chip, which are created during photolithography. This technique offers a trade-off: mask ROMs are much cheaper per unit than any other type of semiconductor memory, but the one-time cost of creating the mask is high, and manufacturing takes longer.
Counterfeit Components: A Growing Cause for Concern
It’s more than likely that you’re doing this out of a professional curiosity, or to verify the authenticity of your chips, but counterfeits are a growing problem in the electronics industry.
Counterfeiters increasingly take advantage of long lead times and rising costs to swindle companies and makers. By charging more for a lower quality component disguised as the real thing, they are earning a huge profit, but IC failures can lead to catastrophic problems with larger devices.
Whether it’s the sensors in a medical device, or the ICs responsible for monitoring the health of commercial and military aircraft, it’s easy to see how a failure can put a lot of people in danger or directly result in injury.
When timetables become tight and procurement professionals need a quick fix, they all too often will turn to suppliers that aren’t approved by manufacturers.
Both professionals in the industry and customers themselves should strive for authenticity above all else. By planning ahead or doing research accordingly, we can all avoid falling into the traps of counterfeit chips.
In the meantime, if you suspect an issue with your ICs, now you know how to decap them and prevent further issues if they are indeed counterfeit.