Want to Join Us ?

you'll be able to discuss, share and send private messages.

Tutorial Decapping integrated circuits using the "Plink Plink Fizz" method "warning dangerous"

Discussion in 'Reverse engineering' started by storm shadow, Jul 7, 2013.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    source http://zacsblog.aperturelabs.com

    Using the "Plink Plink Fizz" method: all you will be left with is a silicon die, some attached bond wires and some pretty nasty acid.
    A few words on safety. Everything here involves some sort of risk, it all seems cool and fun up until you get a face full of boiling acid or are found asphyxiated on the floor of your garage. Safety equipment is cheap and safety precautions are often just common sense, you can buy a full face visor for 17 quid, a respirator 20, both from a reputable supplier (Farnell). Think of that minuscule cost compared to living the rest of your life blind, or unable to leave your wheelchair because you have destroyed your lungs. So spend some time picking up some basic safety gear, and most importantly understand and actually use it. If an accident doesn't kill you, you will be living maimed for the rest of your life. Standard disclaimer applies to everything here. Anything you attempt from information here is entirely at your own risk. I take no responsibility for the completeness and/or accuracy of any information here. On that cheery note....

    What you need:

    • Nitric acid 70% (you only need a small quantity 10-20ml/chip):- Ebay
    • Acetone a few hundred ml's should do:- Ebay
    • lab hotplate:- Ebay
    • Borosilicate glass Beakers 100ml & 500ml:- Ebay
    • Glass pipette and pipette bulb:- Ebay
    • Acetone wash bottle:- Ebay
    • Borosilicate petri dishes:- Ebay
    • Spirit filled lab thermometer:- Ebay
    • Universal indicator paper PH1-15:- Ebay
    • Bucket:- Ebay
    • Sodium bicarbonate:- Ebay
    • Surgical gloves :- Chemist
    • Faceguard:- Farnell.co.uk
    Ebay.... Are we sensing a theme here :)

    Nitric acid is evil:


    • It dissolves nearly everything, Organics and metals.
    • It burns you (badly) and pretty much everything else.
    • It produces choking toxic fumes: From the acid, and from things the acid reacts with.
    • If it harms you, you may not find out until 8 hours later when your lungs melt.
    • It's an oxidiser and causes spontaneous combustion of some materials principally organics.Not to labour a point, here is what happens if you get some on those usually lab-safe nitrile gloves:

    For spills I use this stuff:
    Ampho-Mag automatically neutralises spills and absorbs liquid.

    Acetone is evil:


    • Dissolves Plastics etc
    • Choking Fumes that are toxic, explosive and heavier than air, sink to the ground creating an explosive layer (goes down stairs too! (dead cat/people in cellar!)
    • (you don’t find out until you drop a cigarette on the ground or it hits the boiler in the cellar.)
    • Bang!


    I originally tried this outside. It worked OK, but there were a few things that were an issue.
    Wind would change direction and one second you would think you were safe and then the next fumes were wafting towards you, the other is that any sort of rain would cause the acid to spit out of the beaker. So if you are going to try this yourself take care, and also ensure that there aren't any kids or anything else around that could disrupt proceedings or distract you.

    These days I use a fume cabinet it cost 10 pounds on eBay plus 35 quid for the mini cab to go pick it up, and with a brand new set of filters it works perfectly.

    Before you start, I strongly suggest reading through the instructions thoroughly and playing it out in your head. Where are you going to put things. If there is a spill what will it spill onto, where will it run. How will you deal with it. For example, once you dispense the acid into the beaker with the pipette you will then have a pipette that is wet with acid. What are you going to do with it?!

    Read the Material Safetey Data Sheet (MSDS) for each of the chemicals you are using and understand what to do in case of an emergency. For example you may have eyewash bottles, but can you find them if you cant see. Is the neutraliser to hand, etc.

    1. Don protective gear, gloves and face shield.

    2. Place 400ml of water in the 500ml beaker and put to one side. This will be used to dilute the acid. Fill the bucket with water and place to one side or on the ground. this will be used to dilute acid from contaminated instruments such as the pipette and thermometer.

    3. Put approximately 12-15 ml of acid into the empty 100ml beaker using the pipette (enough to completely cover the chip by a 2-3 mm, but don't put the chip in yet )(if the chip is a DIP type fold the legs up so the chip is flat or cut them off completely). Once you open the nitric acid bottle it will start fuming. Have your small beaker next to the bottle so you have to move the pipette only a small distance. As we are dispensing about 15ml you may have to make several transfers with your pipette. Dispense any unused acid in the pippette back into the acid bottle, place the pipette in the bucket and recap the acid bottle.

    4. Place the beaker on the hotplate and heat on the lowest setting, you want to get the acid hot but not boiling (the boiling point for 70% Nitric acid is 121 degrees Celsius). Heat to approx 90 degrees Celsius and turn the hotplate off. Be careful that you don't make contact with the bottom of the beaker when measuring the temperaturewith the thermometer, as that could give you a falsely high reading. Also be careful that the temperature doesn't climb too high after the hotplate is turned off.

    5. Once the acid is hot (measured with the thermometer about 90 Celsius ), carefully drop the chip in. Try and keep it face up and not make any splashes. The reaction should be instantaneous. Brown nitrogen dioxide fumes will appear and you will see a spall of epoxy particles spread across the beaker. I normally put one half of the petri dish over the top of the beaker to avoid any splashes, the beaker spout will vent any vapour.
    The reaction will normally take anything between 3 and 10 Min's depending on the strength and temperature of the acid and the size of the chip.
    Once it has completed you will be left with a bunch of gritty debris on the bottom of the beaker and the exposed die with the bond wires attached.

    6. Let the solution cool then carefully decant the acid and debris into the 500ml beaker leaving the die in the smaller beaker. Rinse the die with a small amount of acetone and carefully pour out onto the petri dish. Pick the die up with some tweezers, rinse with a small spray of acetone and place on a small piece of kitchen paper in a clean petri dish.

    7. To neutralise the acid, add bicarbonate of soda or calcium carbonate to the 500ml beaker a teaspoon at a time until the indicator paper reads 7 (neutral) and dispose of down sink. As long as the items in the bucket only had traces of acid on them you should be able to pour the bucket of water down the sink without resorting to neutralisation, but follow the same procedure as the beaker if you are concerned.

    Above is the die with the bond wires still attached.

    If you don't mind loosing the bond wires we can clean the die up with some acetone and a cotton bud.
    Now under a proper microscope we can see some detail:
    Above you can see some remaining bond wires which have been ball bonded to the contact pads on the die.
    Above is a panel with manufacturing info the different colours of the characters in the box relate to the layer that they are on.
    Closer still.
    Extreeme closeup!
    So, why go to all the bother....

    Doing this provides us with a lot more than just pretty pictures. Often a microchip's package markings can make it hard to identify the device or manufacturer, especially if it is a custom run for a specific client. Decapping can provide you with insight into the technology used, allow the detection of counterfit devices, provide access for microprobing and sometimes access to the code itself.
    Generally microcontrollers are designed to protect any program code and data programmed into the chip by the manufacturer of the device that it forms a component of. This is purely a protection for their intellectual property. This data is normally protected by "fuses" which are blown once the data has been programmed into the device and verified. The fuses prevent access to an external device reading out the data. These days the fuses are really non-volatile memory cells that are set up so that it is possible to erase the device and reset the fuse to allow it to be programmed again (a device manufacturers nightmare is a "bricked chip" that is now totally non functional due to a programming error).

    It is possible by various methods to reset these fuses and gain access to the data on the chip. This is the last bastion of computer security. It is the only way these days that secrets can be hidden away from hackers and other interested parties. Only careful engineering by the chip designers can prevent it. If the chip has not been actively engineered to resist attack, techniques like this can expose that secret data to the world.
    A real life example

    A project we worked on recently involved masked ROM. This is read only memory created as part of the chip manufacturing process. It's design is quite simple. It is a grid of conductive tracks laid down on the chip across several layers. The tracks run horizontally and vertically.

    Data is stored by the creation a transistor between these tracks, or not, as the case may be.
    Above you can see actual data bits sored on the masked ROM. A dark dot represents a via that connects the top layer to one beneath that forms a transistor to indicate the presense of a bit. Because of this physical structure we can see the state of each bit and read the data from the ROM. Of course doing this by hand over the entire ROM would be tedious and error prone. We have a solution to that of course, and the problem was solved by my partner in crime Adam Laurie, who documents it in his blog over here. We have released the code that he has developed to the greater community in the hope that you will put it to good use.
    Rip Cord likes this.