1 00:00:09,700 --> 00:00:18,890 Marcus: Thank you for the kind introduction. Welcome to our talk about 2 00:00:18,890 --> 00:00:24,000 uncaging microchips. So the background in here is twofold. On the one hand side, we 3 00:00:24,000 --> 00:00:28,630 would like to encourage you also to make some own experiments and to see what is 4 00:00:28,630 --> 00:00:38,090 inside a semiconductor device, that means what is inside a microchip. And so the 5 00:00:38,090 --> 00:00:43,680 goal is that you also have some knowledge how to open up a microchip and how to get 6 00:00:43,680 --> 00:00:47,660 direct access to the silicon. On the other hand, also, very often there's a rumor 7 00:00:47,660 --> 00:00:50,087 that a chip is highly secured because the silicon is inside of a plastic coverage. And 8 00:00:50,087 --> 00:00:56,920 if a plastic package is really high security, we can also explain today, 9 00:00:56,920 --> 00:01:00,090 because very often even with amateur equipment, it's possible to open up chips 10 00:01:00,090 --> 00:01:03,739 and to get direct access to the silicon. We are not only focusing on microchips, 11 00:01:03,739 --> 00:01:07,100 but we are also focusing on more complex systems, how to open up the system to get 12 00:01:07,100 --> 00:01:10,649 access to the silicon. In our background, we have started more than 25 years ago 13 00:01:10,649 --> 00:01:15,189 with analyzing the first telephone cards. And so starting off with some experiments 14 00:01:15,189 --> 00:01:21,780 at the Commodore 64, as well as working with the first telephone card, it was our 15 00:01:21,780 --> 00:01:25,859 major interest to find out what is the functionality of this telephone card and 16 00:01:25,859 --> 00:01:30,579 also what is inside. And of course, for identifying what's inside. 
It was also our 17 00:01:30,579 --> 00:01:35,299 target to open up those plastic cards and to get access to the silicon chip 18 00:01:35,299 --> 00:01:39,200 inside the telephone card. Nowadays, we also very often open up chips in order 19 00:01:39,200 --> 00:01:45,850 to make some analysis or in order to apply some high tech methods, for example, for 20 00:01:45,850 --> 00:01:50,060 putting some particle radiation on the top of the surface, also to apply some 21 00:01:50,060 --> 00:01:52,549 laser. It's, of course, necessary to have direct access to the silicon itself. And 22 00:01:52,549 --> 00:01:57,939 therefore, also today we are utilizing a lot of professional equipment in order to 23 00:01:57,939 --> 00:02:00,409 observe chips. So today we would like to give a short overview about the different 24 00:02:00,409 --> 00:02:04,099 techniques and methods, how to open up different kinds of chips, and also to 25 00:02:04,099 --> 00:02:07,639 encourage you, because it is very interesting also to open microchip 26 00:02:07,639 --> 00:02:11,970 packages in order to get further analysis. First of all, sometimes it's not quite 27 00:02:11,970 --> 00:02:14,330 clear whether this is really a package which contains a chip or whether there's 28 00:02:14,330 --> 00:02:18,810 only a kind of label, as you can see, in the lower picture. So in the lower 29 00:02:18,810 --> 00:02:23,090 picture, it might be only a barcode label, but perhaps also an RFID chip might be in 30 00:02:23,090 --> 00:02:28,379 there. And therefore, for a first analysis, it's the question, what is inside the package. 31 00:02:28,379 --> 00:02:30,379 And then, of course, also there's the question, what is it about the chip 32 00:02:30,379 --> 00:02:36,200 functionality itself? That means how many functions are implemented in such a chip? 33 00:02:36,200 --> 00:02:41,410 Is this only a memory chip, or is there also some logic inside there? 
And what kind of 34 00:02:41,410 --> 00:02:48,019 logic is implemented here? And by the way, on most of the chips there are also so- 35 00:02:48,019 --> 00:02:52,670 called die markings. That means some small numbers, and these identify the 36 00:02:52,670 --> 00:02:55,989 silicon itself, and with these die markings it's possible to make some research and some, 37 00:02:55,989 --> 00:02:58,790 um, findings from literature, as well as also from tools in order to get more 38 00:02:58,790 --> 00:02:59,890 information about the chip itself. And finally, watching on the silicon itself 39 00:02:59,890 --> 00:03:00,890 indicates also, if this is a more modern chip, that means smaller technology or 40 00:03:00,890 --> 00:03:07,540 whether this is an old fashioned chip. And so you cannot expect so much functionality 41 00:03:07,540 --> 00:03:11,599 or security from the chip itself. So from this perspective, these are some 42 00:03:11,599 --> 00:03:15,090 motivation which also may encourage you to open up some microchip packages and to 43 00:03:15,090 --> 00:03:20,040 find out what's really inside there. We have brought also three examples, um, to 44 00:03:20,040 --> 00:03:24,390 show what is a potential finding out of this. For example, it's well known that 45 00:03:24,390 --> 00:03:29,540 some goods are tracked down with RFID chips. And so recently we also got a T- 46 00:03:29,540 --> 00:03:36,069 shirt with a dedicated label inside here. And it was not clear whether this label is 47 00:03:36,069 --> 00:03:41,359 just a barcode label or whether there are some more, um, techniques inside there, especially 48 00:03:41,359 --> 00:03:48,850 an RFID chip. So as you can see in the second picture, it's quite easy to 49 00:03:48,850 --> 00:03:52,349 identify if this is more than a barcode label, because simply with a torch lamp, 50 00:03:52,349 --> 00:03:57,430 it's possible to illuminate those from the back side. And so the flash indicates a. 
51 00:03:57,430 --> 00:04:03,349 There's something more than a bar code inside there and indeed there is some structure 52 00:04:03,349 --> 00:04:11,400 inside. We have put this into a glass of acetone and after a short while the 53 00:04:11,400 --> 00:04:14,790 label has delaminated. And so we got the final picture with the 54 00:04:14,790 --> 00:04:20,700 antenna inside here. And in the middle of the antenna is a small, dark spot. And 55 00:04:20,700 --> 00:04:26,500 this is a chip. So it was clear from the antenna size that this is communicating in the UHF 56 00:04:26,500 --> 00:04:34,330 frequency range and also the small dot. It's an hour edition. So now it's prepared 57 00:04:34,330 --> 00:04:42,430 for further analysis with a microscope. So you see, it might be very simple to get 58 00:04:42,430 --> 00:04:45,040 some more information out here. Another example brings us back to 59 00:04:45,040 --> 00:04:48,490 the history. And as I mentioned before, we have started this investigation on 60 00:04:48,490 --> 00:04:54,630 telephone cards. And, of course, not only the telephone cards, but also the 61 00:04:54,630 --> 00:04:57,530 telephone card system has been of high interest for us. And so we were in the lucky 62 00:04:57,530 --> 00:05:02,870 situation that we found some, uh, printed circuit boards from card telephones where we 63 00:05:02,870 --> 00:05:07,840 only got access to those because those card telephones have been burned down 64 00:05:07,840 --> 00:05:13,260 completely. So it was a huge fire. And so inside this area the, um, uh, 65 00:05:13,260 --> 00:05:16,860 telephone also got burned. Anyhow, we managed to get those printed circuit 66 00:05:16,860 --> 00:05:23,090 boards. And in the second picture, you can also see that the X-ray picture of the 67 00:05:23,090 --> 00:05:30,160 printed circuit board, uh, clearly shows that all the wirings are still OK. 
So 68 00:05:30,160 --> 00:05:35,820 it was possible for us to draw a, uh, schematic and, uh, to see how the 69 00:05:35,820 --> 00:05:40,110 different pins of this, uh, printed circuit boards are connected. Well, 70 00:05:40,110 --> 00:05:44,520 anyhow, it was not clear what are the different chips, because due to the heat, 71 00:05:44,520 --> 00:05:49,680 simply the marking on the chip itself has vanished. So from this perspective, 72 00:05:49,680 --> 00:05:53,030 we have used some, uh, decapsulation method in order to get the single chips, the 73 00:05:53,030 --> 00:05:57,020 silicon chips out of those devices. And as you can see in the lower picture, then, 74 00:05:57,020 --> 00:06:00,530 uh, with some, uh, microscopy work, we were able to find out what is each single 75 00:06:00,530 --> 00:06:02,930 chip. And so, uh, identifying the different names of those chips and also 76 00:06:02,930 --> 00:06:06,170 combining this with the schematic, it was possible for us to, uh, resolve the main 77 00:06:06,170 --> 00:06:10,830 function in those days from the card telephone itself. And this gives us a clear clue in 78 00:06:10,830 --> 00:06:14,910 what direction the telephone has worked in those days. Yeah. And finally, also, there 79 00:06:14,910 --> 00:06:18,840 was something in the beginning of 2000 there was a prize competition. And in this 80 00:06:18,840 --> 00:06:23,640 prize competition, um, there was a small sticker, which has to be applied to 81 00:06:23,640 --> 00:06:28,120 the, uh, TV set. And then in this perspective, uh, there were also a lot of 82 00:06:28,120 --> 00:06:38,340 rumors, whether there is a kind of spy chip inside there. And you see on the lower side 83 00:06:38,340 --> 00:06:42,940 there's, uh, some, um, comment from the Internet at those days that there should 84 00:06:42,940 --> 00:06:48,120 be an electronic chip inside there. 
And this electronics should not only record 85 00:06:48,120 --> 00:06:53,870 what you are watching on TV, but also, um, make some sound recording in order to find 86 00:06:53,870 --> 00:07:01,350 out how many people are in the room watching this show and so on and so on. 87 00:07:01,350 --> 00:07:08,450 But anyhow, um, we clearly thought, well, this is just a rumor. And so, of course, 88 00:07:08,450 --> 00:07:14,370 we use our, uh, techniques in order to open up this device and also to find out, 89 00:07:14,370 --> 00:07:23,570 uh, what's inside there. And in the end of the day, it was clear that this was only 90 00:07:23,570 --> 00:07:30,460 a dot mask and below this, there was some film which is photosensitive. And 91 00:07:30,460 --> 00:07:37,050 when you watch, uh, special TV shows, then this film has been illuminated and 92 00:07:37,050 --> 00:07:41,430 therefore it was clearly identifiable whether this show has been seen or not. So 93 00:07:41,430 --> 00:07:48,620 it was clear for us that we could identify there's no spy chip inside and this was 94 00:07:48,620 --> 00:07:51,650 only a rumor. So also, therefore, the preparation techniques are quite useful 95 00:07:51,650 --> 00:07:54,650 and helps to understand what's going on inside there. 96 00:07:54,650 --> 00:08:00,280 Peter: All right. Some, some, somewhat to the chips and the packages. So there are 97 00:08:00,280 --> 00:08:02,590 many thousands of different packages for chips today. And sometimes the 98 00:08:02,590 --> 00:08:04,920 functionality of the chip that is inside will directly determine the way it is 99 00:08:04,920 --> 00:08:10,330 packaged. And this is the case for these chips here especially. And if you look on 100 00:08:10,330 --> 00:08:14,280 the left, that's an interesting thing. A fingerprint sensor, which is another from. 
101 00:08:14,280 --> 00:08:21,210 Even use today with his fingerprints, and this is a specialty that the chip itself 102 00:08:21,210 --> 00:08:26,050 can be directly touched with the finger. Normally you would avoid such a situation, 103 00:08:26,050 --> 00:08:30,210 but here you have the direct silicon accessible and there's only a frame which 104 00:08:30,210 --> 00:08:34,969 is covering the surrounding of the chip to make it mountable in the device itself. 105 00:08:34,969 --> 00:08:40,050 Then we have a webcam shown here, which is just covered by a thin plate of 106 00:08:40,050 --> 00:08:43,880 glass. Of course, the picture or the optical radiation has to reach the chip 107 00:08:43,880 --> 00:08:48,460 and therefore the same is true for your microscope. You can directly observe such 108 00:08:48,460 --> 00:08:54,570 chips without further preparation. Um, yeah, I think the older ones of you know 109 00:08:54,570 --> 00:08:58,600 this EPROM type of memory, old fashioned thing, but sometimes it's still seen 110 00:08:58,600 --> 00:09:03,160 today. You can electrically write such an EPROM memory, but if you want to 111 00:09:03,160 --> 00:09:06,990 erase it, you have to put it under ultraviolet light to make the erasing 112 00:09:06,990 --> 00:09:14,070 function. And so this means also this package has a window in this case that's 113 00:09:14,070 --> 00:09:21,920 made of silica because this uses to be UV transparent. And again, you can have a 114 00:09:21,920 --> 00:09:25,860 look inside without any preparation, which is sometimes quite interesting. And then on 115 00:09:25,860 --> 00:09:30,460 the right, we have an amplifier chip shown here and which is an instrumentation 116 00:09:30,460 --> 00:09:34,200 amplifier, and therefore it should be sealed from the environment, but also from 117 00:09:34,200 --> 00:09:38,150 electromagnetic radiation. And this is done here in this case by a ceramic 118 00:09:38,150 --> 00:09:44,710 package. 
And this package has a metal lid over it. And again, here, it's very easy 119 00:09:44,710 --> 00:09:50,520 to open this package. We will see later on, with just using a blade. So all of 120 00:09:50,520 --> 00:09:56,540 these four packages are quite interesting for an amateur. You don't need any 121 00:09:56,540 --> 00:10:03,540 equipment at all to have a look inside. But as we said, from open to amateur hour, 122 00:10:03,540 --> 00:10:07,529 some more difficult chips to open. And here on the left side, that's a typical 123 00:10:07,529 --> 00:10:10,310 chip which you will encounter in millions today in all consumer goods. It's a 124 00:10:10,310 --> 00:10:16,870 plastic package here. We have an older one which is a plastic package. But you 125 00:10:16,870 --> 00:10:21,000 also know the surface mounted devices and so on. So these plastic packages are quite 126 00:10:21,000 --> 00:10:23,190 robust against environment, but also they are robust against chemicals. And this 127 00:10:23,190 --> 00:10:26,300 means you need quite harsh conditions to open them in the chemical way. Or you 128 00:10:26,300 --> 00:10:30,680 need a laser, which we will see later on, epoxy resin. And the same is true for the 129 00:10:30,680 --> 00:10:35,180 glob top package, which is a very low cost kind of package, just as it is put on the 130 00:10:35,180 --> 00:10:38,380 circuit board, then it's connected with bond wires to the circuit board itself and then 131 00:10:38,380 --> 00:10:44,491 afterwards just a drop of epoxy resin as part of it. And you see, it's not a 132 00:10:44,491 --> 00:10:50,830 rectangular form which should have. It's more just a drop which is put on top. A 133 00:10:50,830 --> 00:10:52,940 glob top package is also seen here. 
And the third picture, which is the smartcard 134 00:10:52,940 --> 00:10:55,750 package, the typical one, if you would turn this picture around, then you would 135 00:10:55,750 --> 00:10:58,240 see on the other side that there are the typical golden smartcard contacts. And 136 00:10:58,240 --> 00:11:00,770 from the back side, it's a picture like this. You have the chip and the chip is 137 00:11:00,770 --> 00:11:07,200 connected with bond wires to the connection points and then afterwards to 138 00:11:07,200 --> 00:11:13,860 hold it in place and also to make it resistant from the environmental 139 00:11:13,860 --> 00:11:19,040 conditions, it's also protected with a glob top package. So just epoxy 140 00:11:19,040 --> 00:11:24,900 resin is poured over it. And then finally on the right is something which some 141 00:11:24,900 --> 00:11:26,370 people call a security package. You see that matterson hyphenation. Not only is it 142 00:11:26,370 --> 00:11:30,480 dark so that you can see directly through to the chip, but there's also 143 00:11:30,480 --> 00:11:34,690 there can be some special Latisse, for example, in this case, there's an 144 00:11:34,690 --> 00:11:37,710 additional layer which is put on the chip, which is also made of silicon itself. But 145 00:11:37,710 --> 00:11:42,910 yeah, as we showed here, it's not I would say it's not really security. And many 146 00:11:42,910 --> 00:11:46,440 cases of this package, just because of the security, does not start in the chip 147 00:11:46,440 --> 00:11:50,950 itself. And I would say then it's a little bit too late. All right. So what can you 148 00:11:50,950 --> 00:11:57,040 see if you look inside such chips and we have chosen some examples where you don't 149 00:11:57,040 --> 00:12:01,810 need any preparation at all. Here you can see some memories for beginning. 
It's 150 00:12:01,810 --> 00:12:05,120 quite interesting to have a look at older chips which are sometimes available to 151 00:12:05,120 --> 00:12:08,840 store. And that's because of a simple fact: in the older days, the technologies were not 152 00:12:08,840 --> 00:12:15,260 so small as today. So this means you can see the structures with your bare eye or 153 00:12:15,260 --> 00:12:18,310 maybe you need your grandfather's magnifying glass, maybe, but you don't 154 00:12:18,310 --> 00:12:22,172 need a high definition microscope. And so here on the far left, that's a chip from 155 00:12:22,172 --> 00:12:25,589 nineteen seventy six, very old one very small memory. And you can directly see 156 00:12:25,589 --> 00:12:28,650 with your eye all the structures inside just through the window without opening it 157 00:12:28,650 --> 00:12:31,070 at all. And then if we proceed in time also to a vintage chip from nineteen 158 00:12:31,070 --> 00:12:34,990 eighty eight, one megabit EPROM. There you see already it's more like a gray mass, 159 00:12:34,990 --> 00:12:39,690 that's the memory cells and you definitely would need a microscope to have a further 160 00:12:39,690 --> 00:12:42,490 look inside how such a memory is built and to analyze it. And then on the right, 161 00:12:42,490 --> 00:12:44,640 that's also an interesting example of a memory. But this memory has some access 162 00:12:44,640 --> 00:12:47,290 rights tied to it, because that's the telephone chip card. And here you have a 163 00:12:47,290 --> 00:12:50,820 very small memory of only 88 bits. But the rest is control logic so that only the 164 00:12:50,820 --> 00:12:53,710 people who are or should be allowed to load it and to erase it have this access 165 00:12:53,710 --> 00:12:57,110 rights given to them. And if we look at the little microcontroller units and they 166 00:12:57,110 --> 00:13:00,650 are quite more interesting than just a memory. 
And here again, we have four 167 00:13:00,650 --> 00:13:05,220 different chips brought to you. Two of those also have windows. You don't need 168 00:13:05,220 --> 00:13:11,460 any preparation at all. And the one on the left is, again, a chip from nineteen 169 00:13:11,460 --> 00:13:14,680 seventy six, very old. One can see directly all the different structures like 170 00:13:14,680 --> 00:13:19,960 ROM, RAM, the EPROM part and also the logic part which contains the CPU and also 171 00:13:19,960 --> 00:13:23,779 some analog devices which are needed for the functionality of the chip. I think 172 00:13:23,779 --> 00:13:26,850 the PIC16, the second picture, you know in the flash version, which is very 173 00:13:26,850 --> 00:13:33,330 common today, you just can program it and erase it again in a normal device. But in 174 00:13:33,330 --> 00:13:39,000 1988, these types of controllers were made with EPROM. So this means you could 175 00:13:39,000 --> 00:13:45,410 program it. And then if you want to erase it again for reprogramming, you have to put 176 00:13:45,410 --> 00:13:50,110 it under ultraviolet lamp for five minutes. So therefore, there are some 177 00:13:50,110 --> 00:13:54,800 older versions of the controller. But what you can see is that the technology is 178 00:13:54,800 --> 00:13:59,720 smaller and that the chip is just a very high density in comparison to the chip, 179 00:13:59,720 --> 00:14:05,370 which is 12 years older. Interestingly, all the smart card controllers look 180 00:14:05,370 --> 00:14:10,240 quite the same, like these older devices. And they also have ROM, RAM, EPROM or 181 00:14:10,240 --> 00:14:14,230 normally EEPROM, so electrically erasable programmable ROM. And so therefore the 182 00:14:14,230 --> 00:14:19,750 smart card units, even those of in the 90s look like the same, like the older and 183 00:14:19,750 --> 00:14:24,390 serious. And finally, just for comparison, we also brought a 68K. 
If you 184 00:14:24,390 --> 00:14:30,540 this has only cache but no nonvolatile memory and was used in some old home 185 00:14:30,540 --> 00:14:37,350 computers for example, but also in instrumentation technology. So what do you 186 00:14:37,350 --> 00:14:41,840 need if you want to start with preparing microchips? Just to have a look, if it's 187 00:14:41,840 --> 00:14:49,750 interesting for you to have a glimpse inside. So what you definitely need is a 188 00:14:49,750 --> 00:14:55,120 simple microscope. And we showed there a student version that's about 300 euros. 189 00:14:55,120 --> 00:14:59,530 But there are also quite interesting USB microscopes today and which come ready for 190 00:14:59,530 --> 00:15:03,940 use for about 150 euros. So that's quite good tools. You need definitely some 191 00:15:03,940 --> 00:15:08,040 mechanical tools like scalpels, tweezers, which we have here sometimes some sort of 192 00:15:08,040 --> 00:15:12,000 dentist tools, which also would serve quite well, an ultrasonic cleaner. It's a 193 00:15:12,000 --> 00:15:17,020 very good thing to have because this is really nice for package preparation, 194 00:15:17,020 --> 00:15:21,660 cleaning, but also removing particles and also if the chip is prepared and ready, 195 00:15:21,660 --> 00:15:25,890 then you can remove all remaining residues and particles from it. And finally, there 196 00:15:25,890 --> 00:15:29,360 are three solvents which you need for beginners, which is alcohol, ethanol and 197 00:15:29,360 --> 00:15:33,610 acetone and also benzene. These are three solvents from nonpolar to polar type. And 198 00:15:33,610 --> 00:15:37,709 with these three solvents, you can open a lot of different packages. Then for 199 00:15:37,709 --> 00:15:43,990 upgrading such equipment, it's quite interesting to have a 3-D view. So with a 200 00:15:43,990 --> 00:15:46,210 stereo microscope, you can make preparation with both your eyes. 
You have 201 00:15:46,210 --> 00:15:49,040 a 3-D vision and you can directly see what you are doing, which is sometimes quite 202 00:15:49,040 --> 00:15:53,529 difficult. If you have on your monocular side, then if you want to share your 203 00:15:53,529 --> 00:15:56,320 results, a microscope camera could serve you well, which is available for about 204 00:15:56,320 --> 00:16:01,010 300 euros. But there are also some DIY versions, for example, with no cameras 205 00:16:01,010 --> 00:16:04,860 which are adapted to the microscope itself. Some further chemicals can be 206 00:16:04,860 --> 00:16:09,490 needed, which I will also show you later on the table, which are not without 207 00:16:09,490 --> 00:16:14,680 danger, I would say, and therefore also typically a lab coat and some protective 208 00:16:14,680 --> 00:16:22,380 wear would be used. So now we are in a moment we will come to the different details 209 00:16:22,380 --> 00:16:28,190 of how to open a package and the steps itself. And this will be sorted from 210 00:16:28,190 --> 00:16:30,550 physical opening statements, the methods or mechanical methods over to chemical 211 00:16:30,550 --> 00:16:34,540 methods where you directly open the device with chemical means. But there's also a 212 00:16:34,540 --> 00:16:36,100 mixture of both. And therefore, I would like to hand over to Marcus. 213 00:16:36,100 --> 00:16:38,690 Marcus: Yes, thank you. Let's go to the workbench and open some packages. So 214 00:16:38,690 --> 00:16:41,060 beginning, as Peter mentioned, with the physical ones. And the first one is quite 215 00:16:41,060 --> 00:16:44,670 easy. You just need a vise. And you put the chip inside the vise with the lower 216 00:16:44,670 --> 00:16:50,380 part of the IC as depicted in the first picture and then you just put some more 217 00:16:50,380 --> 00:16:55,050 forces to the IC. 
Pictures save and during the time the vise will be smaller and 218 00:16:55,050 --> 00:17:01,450 smaller, the package will break up and the upper part lift up. So as visible in the 219 00:17:01,450 --> 00:17:03,940 third picture, you can use a simple screwdriver to remove the upper lid. And 220 00:17:03,940 --> 00:17:08,209 then finally, in the last picture, it's visible that the bare silicon chip is 221 00:17:08,209 --> 00:17:10,579 visible for your further analysis, also connected to the lead frame. So the frame 222 00:17:10,579 --> 00:17:13,439 which connects to the outer pins and to the outer communication. So this is a 223 00:17:13,439 --> 00:17:18,100 quite simple method. And indeed, this is the first method we have also used in the 224 00:17:18,100 --> 00:17:20,890 example of the card telephone I have explained earlier. So it was quite easy to 225 00:17:20,890 --> 00:17:26,909 break up those chips in order to get the silicon parts out of the ICs and then 226 00:17:26,909 --> 00:17:35,210 analyzing them with a microscope. Even if the package will be a little bit more 227 00:17:35,210 --> 00:17:42,139 hardened, for example, a ceramic housing like used in EPROMs, then it's also a good 228 00:17:42,139 --> 00:17:49,070 idea to have it fixed in the vise and just to place a screwdriver on the top part of 229 00:17:49,070 --> 00:17:58,799 the IC, and with a small bump on the back of the screwdriver, the upper lid 230 00:17:58,799 --> 00:18:01,769 will be removed. And as you can see in the third picture directly, the access to the 231 00:18:01,769 --> 00:18:06,029 chip is possible. So indeed, I think these pictures clearly identify that this must 232 00:18:06,029 --> 00:18:11,730 be not high, sophisticated techniques or some sensors, sometimes really a normal 233 00:18:11,730 --> 00:18:15,759 workbench is sufficient to get access to very easy. 
It's in the case if there's a 234 00:18:15,759 --> 00:18:21,590 special package, as Peter has explained, with such a metal lid on top of this, 235 00:18:21,590 --> 00:18:25,210 because this metal lid is soldered on the ceramic housing. And typically you 236 00:18:25,210 --> 00:18:30,863 can think about grinding this away or try to unsolder or something like. But 237 00:18:30,863 --> 00:18:32,060 there's a very easy method to open up those kinds of packages. You just use a 238 00:18:32,060 --> 00:18:36,739 blade as visible in the second picture and, um, use a hammer for a small stroke. 239 00:18:36,739 --> 00:18:40,629 And then this blade drives under this metal lid and you can simply lift off 240 00:18:40,629 --> 00:18:44,220 this metal without any further, um, effort. So it's just, uh, two seconds, uh, 241 00:18:44,220 --> 00:18:48,230 work to open up those kinds of packages. And even those blades are quite easy to 242 00:18:48,230 --> 00:18:53,080 access because you can see in the lower pictures that they are sold also in 243 00:18:53,080 --> 00:18:57,549 discounters for, uh, cleaners of Deskovic. So these blades are easy to use just with 244 00:18:57,549 --> 00:19:07,960 the hammer. You can drive them below the lid. And so this opens. So you see 245 00:19:07,960 --> 00:19:11,340 physical mechanisms can be very easy. Now, as also mentioned before, our first topic 246 00:19:11,340 --> 00:19:13,650 has been to, uh, check what's inside a telephone card. And, of course, such a 247 00:19:13,650 --> 00:19:16,309 physical preparation, it's more complicated on a small plastic card, and 248 00:19:16,309 --> 00:19:19,700 therefore it more goes into the direction of physical chemical reaction on those 249 00:19:19,700 --> 00:19:27,269 cards. And you can see here in this row of pictures, we have just placed such a 250 00:19:27,269 --> 00:19:32,740 smart card in acetone. 
And after five minutes, as visible in the second picture, 251 00:19:32,740 --> 00:19:38,090 the plastic of the card absorbed some acetone and therefore swells. After 15 252 00:19:38,090 --> 00:19:41,779 minutes, you can just wait for those minutes. Then the structure is fully 253 00:19:41,779 --> 00:19:46,669 destroyed. And so it's quite easy to remove the remaining plastic parts as 254 00:19:46,669 --> 00:19:54,149 visible on the fourth picture in the upper row. So, again, just by waiting about 15 255 00:19:54,149 --> 00:20:01,120 minutes in acetone the smart card is, um, yeah, destroyed. And so, um, as visible in 256 00:20:01,120 --> 00:20:05,700 the lower picture row, it's possible to remove the antenna and the chip itself. 257 00:20:05,700 --> 00:20:13,010 And I think the result in the last picture on the lower row, uh, it's quite 258 00:20:13,010 --> 00:20:15,880 impressive. It's a complete antenna, including the chip has been resolved out 259 00:20:15,880 --> 00:20:34,929 of this, uh, plastic card. And so, um, it was quite easy to analyze the antenna and 260 00:20:34,929 --> 00:20:40,610 the size and how this is implemented in here. Anyhow, you may recognize that the 261 00:20:40,610 --> 00:20:46,220 chip is still covered by, uh, uh, a glob top. That means a small piece of, uh, 262 00:20:46,220 --> 00:20:56,269 epoxy on top of this. And so it's a question how to remove this here. It's 263 00:20:56,269 --> 00:21:00,940 possible to use, for example, a laser with, uh, um, infrared laser, especially 264 00:21:00,940 --> 00:21:04,730 for about a wavelength of 10000 nanometers. Um, it's quite useful to open 265 00:21:04,730 --> 00:21:09,850 up those kinds of packages because the silicon itself is transparent for such an 266 00:21:09,850 --> 00:21:12,429 infrared radiation. So the chip itself would be not directly affected by the 267 00:21:12,429 --> 00:21:16,159 infrared radiation, but all the energy will be absorbed by the package itself. 
So 268 00:21:16,159 --> 00:21:17,960 it's just a thermal, um, destruction of the package as visible in the lower 269 00:21:17,960 --> 00:21:22,340 picture. And especially also this is quite useful to open up so-called secure 270 00:21:22,340 --> 00:21:25,249 packages, as Peter has explained. So even those kinds of packages, uh, are just 271 00:21:25,249 --> 00:21:31,889 applied with a laser and, um, it's opened up so that all the, um, silicon can be 272 00:21:31,889 --> 00:21:35,500 directly accessed. Anyhow, this, uh, may also be some risk. It appears on the one 273 00:21:35,500 --> 00:21:42,480 hand side, the risk that the chip gets damaged due to the fact that the, uh, 274 00:21:42,480 --> 00:21:46,820 package components are heated up and so this temperature could also be applied 275 00:21:46,820 --> 00:21:52,139 to the silicon chip itself or make some, uh, thermomechanical tension and 276 00:21:52,139 --> 00:21:57,090 therefore, chip may break down. On the other hand, of course, infrared laser 277 00:21:57,090 --> 00:22:01,929 radiation may also, um, make some, uh, health, uh, difficulties. And therefore, 278 00:22:01,929 --> 00:22:04,730 it's very important, um, to be careful with those laser radiations. So question 279 00:22:04,730 --> 00:22:11,639 is, OK, how to open up epoxy in other ways, not, uh, having such a laser, and 280 00:22:11,639 --> 00:22:16,470 therefore for us, again, a physical preparation take place. So for applying 281 00:22:16,470 --> 00:22:19,514 chemicals, it's very good to prepare the chips with some, um, mechanical 282 00:22:19,514 --> 00:22:23,620 preparation. And you see here again, the chip in a vise and then with a grinding 283 00:22:23,620 --> 00:22:27,549 disk and some parallel movement as visible in the, uh, third picture here. And this 284 00:22:27,549 --> 00:22:36,859 whole small curve has been set up. And so we have two advantages in here. 
The first 285 00:22:36,859 --> 00:22:40,559 advantage is that already some material is finished. And so therefore we have, uh, 286 00:22:40,559 --> 00:22:45,629 faster access to the silicon and save. On the other hand, also, we have some, uh, 287 00:22:45,629 --> 00:22:52,379 area where some chemicals can be dropped on and, uh, will take place here. So let's 288 00:22:52,379 --> 00:22:56,940 go with the chip to the, uh, chemical treatment. And here again, in the first 289 00:22:56,940 --> 00:23:00,010 two pictures, you'll see the preparation by the mechanical grinding and then the chip 290 00:23:00,010 --> 00:23:06,450 is, uh, put into a sand bath, which is heated up. So at about 50 to 90 degrees 291 00:23:06,450 --> 00:23:09,990 Celsius, then some nitric acid, uh, will be dropped on there. And just after 292 00:23:09,990 --> 00:23:15,000 overseer's epoxy will be removed and, uh, you can get direct access to the silicon. 293 00:23:15,000 --> 00:23:19,690 So after you have the desired result, that means after all the epoxy has gone, you 294 00:23:19,690 --> 00:23:24,610 can remove the rest of the acid by using some acetone, as visible in the lower 295 00:23:24,610 --> 00:23:30,110 picture. Um, and also it's a good idea to clean up, um, the chip in the 296 00:23:30,110 --> 00:23:39,440 ultrasonic cleaner in order to remove the remaining particles. If you don't want to 297 00:23:39,440 --> 00:23:47,480 wait for a long time, then you can again use some acetone in order to have some 298 00:23:47,480 --> 00:23:54,159 carpet try drying. And finally, you have a very good, uh, preparation where you have 299 00:23:54,159 --> 00:23:58,570 access to the silicon, but also have, uh, the connection. Uh, most of the cases do 300 00:23:58,570 --> 00:24:04,419 OK for using the chip and operating the chip in this environment. Anyhow, as this 301 00:24:04,419 --> 00:24:07,600 is, it may also damage some parts of the chips.
And therefore, it's also the 302 00:24:07,600 --> 00:24:14,789 question if you do not need to operate the chip, but just for inspection, there's 303 00:24:14,789 --> 00:24:19,389 another method to open up those kinds of epoxy. And it's just using colophony or, 304 00:24:19,389 --> 00:24:23,710 in German, Kolophonium. Um, so putting parts of colophony together with a chip 305 00:24:23,710 --> 00:24:30,740 into, um, glass, then you can heat up this to the boiling point. It's about, uh, 306 00:24:30,740 --> 00:24:34,929 three hundred twenty two or three hundred sixty degrees Celsius. So it's possible to 307 00:24:34,929 --> 00:24:40,200 use simply a heat gun and make this very fast. Anyhow, by using, uh, such a heat 308 00:24:40,200 --> 00:24:43,239 gun and, uh, heating up colophony, it also makes some ugly smells. So be 309 00:24:43,239 --> 00:24:50,479 prepared that this is not in your living room because otherwise you won't access a 310 00:24:50,479 --> 00:24:57,100 living room for the next days. Anyhow, after a short while, about five to 20 311 00:24:57,100 --> 00:25:03,139 minutes depending on the, uh, package itself, how big this package is, um, the epoxy is 312 00:25:03,139 --> 00:25:05,800 completely dissolved and therefore the chip could be, uh, taken out of this and 313 00:25:05,800 --> 00:25:07,489 can be cleaned again in acetone. So you see in the last picture on the top, oh, 314 00:25:07,489 --> 00:25:09,373 it's a very good, uh, way to inspect the complete chip and to get, uh, good 315 00:25:09,373 --> 00:25:13,690 access to the silicon. But anyhow, in this case, of course, the chip cannot be 316 00:25:13,690 --> 00:25:16,870 operated any further. Also the connections, the bonding wires and solid 317 00:25:16,870 --> 00:25:20,059 frame, uh, have been dissolved in the colophony. And therefore, um, it's not 318 00:25:20,059 --> 00:25:27,870 operational anymore.
So you see there are also some chemical ways for using even as 319 00:25:27,870 --> 00:25:33,109 an amateur and so for using those kinds of chemicals, there's also the question of what 320 00:25:33,109 --> 00:25:38,049 kind of chemicals can be used in here. Peter: Marcus already showed you some 321 00:25:38,049 --> 00:25:42,769 examples where in the process you need some chemicals, and so typically a problem 322 00:25:42,769 --> 00:25:49,570 with chemicals is that they are quite hard to obtain, especially for private persons. 323 00:25:49,570 --> 00:25:52,989 And they are typically, if they are pure, quite expensive, especially if you buy 324 00:25:52,989 --> 00:25:57,039 them in small quantities. And therefore, we have set up a small list which contains 325 00:25:57,039 --> 00:26:02,440 chemicals which are available readily from household products, or we would say from 326 00:26:02,440 --> 00:26:06,259 the supermarket. And these chemicals here are listed in alphanumeric order, also 327 00:26:06,259 --> 00:26:11,779 with the German name because they are quite different from the English name. And what 328 00:26:11,779 --> 00:26:16,190 mainly is available in supermarkets or household products are quite pure 329 00:26:16,190 --> 00:26:19,989 chemicals. And these are solvents. And remember, we need solvents for opening 330 00:26:19,989 --> 00:26:23,200 packages, especially if we want to dissolve one kind of plastic, but not the 331 00:26:23,200 --> 00:26:26,159 other. For example, opening an RFID label, you don't want to destroy the antenna 332 00:26:26,159 --> 00:26:31,440 itself, which is put on a plastic, but you want to open the package where the antenna 333 00:26:31,440 --> 00:26:35,940 is put inside the laminate.
And so therefore, we have put together several 334 00:26:35,940 --> 00:26:41,059 chemicals from acetone, for example, over benzene, ethanol, but also ethylene glycol 335 00:26:41,059 --> 00:26:44,940 and perchloroethylene, which are solvents for different kinds of plastics, which you 336 00:26:44,940 --> 00:26:49,009 can see in the use case row. There's a very special solvent, which is the second last 337 00:26:49,009 --> 00:26:52,470 one, tetrahydrofuran. And because this dissolves also PVC, polyvinyl 338 00:26:52,470 --> 00:26:56,269 chloride, which is normally robust and could not be dissolved. But with this 339 00:26:56,269 --> 00:27:00,309 special solvent, you can also dissolve PVC. Then, of course, you need 340 00:27:00,309 --> 00:27:02,960 demineralized water or distilled water. It's sometimes called the jar because we don't 341 00:27:02,960 --> 00:27:08,700 want to leave residues on the chips, especially if cleaning them, for 342 00:27:08,700 --> 00:27:12,500 example, in the ultrasonic bath. And there's also some chemicals like the 343 00:27:12,500 --> 00:27:15,779 sodium bicarbonate and sodium hydroxide, which is needed to neutralize acids. But 344 00:27:15,779 --> 00:27:20,360 it also can be used, for example, to dissolve aluminum. And aluminum is also 345 00:27:20,360 --> 00:27:24,200 used, for example, for antennas on RFID tags. So you can dissolve it away and just 346 00:27:24,200 --> 00:27:33,110 the chip is left open. Um, there's one chemical which is not available in the 347 00:27:33,110 --> 00:27:41,890 supermarket. I think that's also a good idea. That's not there. And that's 348 00:27:41,890 --> 00:27:45,230 fuming nitric acid. And fuming nitric acid is often used in professional 349 00:27:45,230 --> 00:27:48,950 versions of package opening, that's we will see later on for destroying epoxy 350 00:27:48,950 --> 00:27:53,169 material.
So directly oxidizers the material and it's less an acid, then more 351 00:27:53,169 --> 00:27:59,809 and Occident, at least if it's water free. So if the water was just mixed with acid, 352 00:27:59,809 --> 00:28:03,960 then it gets more acid characteristics and then it will destroy metals and also the 353 00:28:03,960 --> 00:28:09,260 chip itself, therefore. And if one uses it, it should be water free. Um, of course 354 00:28:09,260 --> 00:28:12,759 if it destroys epoxy materials and it can also destroy skin, closer's your 355 00:28:12,759 --> 00:28:16,019 furniture, everything, all your devices are rusting away and so on. So that's 356 00:28:16,019 --> 00:28:22,789 really a nasty and therefore appropriate safety equipment must be used so it can be 357 00:28:22,789 --> 00:28:27,269 bought. It's about 100 to 200 euro are quite expensive and also quite difficult 358 00:28:27,269 --> 00:28:30,859 to obtain because it's also used for some other more dangerous purposes. But there's 359 00:28:30,859 --> 00:28:34,960 also also a way of maybe doing it by yourself. So. Thanks, so, of course, we 360 00:28:34,960 --> 00:28:38,590 were looking for recipes on the Internet which are there, but that's much cooler. 361 00:28:38,590 --> 00:28:43,720 That's the book here, which I got from my 15th birthday. I think it's a science book 362 00:28:43,720 --> 00:28:47,970 for kids from quote unquote, Wesolowski and also contains a recipe for making 363 00:28:47,970 --> 00:28:50,739 fuming nitric acid. Also also with some 600000 fuming nitric acid works on wood, 364 00:28:50,739 --> 00:28:54,080 for example, when it gets burning and so on. So that's that's the recipe. And then 365 00:28:54,080 --> 00:28:55,789 you, of course, need the equipment. So the reaction is that concentrated sulfuric 366 00:28:55,789 --> 00:28:57,570 acid, which can be bought, for example, and pharmacist reacts, was potassium 367 00:28:57,570 --> 00:28:58,799 nitrate, also typical of Pharmacy Chemica. 
And then the fuming nitric acid, which is 368 00:28:58,799 --> 00:29:03,500 generated, is distilled from this mixture. You can see this in the picture as well. 369 00:29:03,500 --> 00:29:07,139 That's the normal distillation apparatus. The one which is used here is much 370 00:29:07,139 --> 00:29:09,749 simpler. And on the right, that's a micro distillation, distillation, glassware, 371 00:29:09,749 --> 00:29:13,580 which can be used, for example, if you only need some milliliters of this acid. 372 00:29:13,580 --> 00:29:17,129 So typically for opening one package, I would suggest, for example, five to 10 373 00:29:17,129 --> 00:29:21,809 million liters of acid. So it does not make sense to have more than than that. 374 00:29:21,809 --> 00:29:25,769 I'm talking about professional chemicals that are some more of these. So you you're 375 00:29:25,769 --> 00:29:33,639 already recognized as the hazard of pictograms which are here on the right 376 00:29:33,639 --> 00:29:38,909 side. So these are chemicals which are not harmless. And so therefore also they are 377 00:29:38,909 --> 00:29:42,849 typically only available in a professional or from professional sources, just some 378 00:29:42,849 --> 00:29:47,440 chemicals or some chemicals which are good solvents for epoxy material. So this means 379 00:29:47,440 --> 00:29:53,340 in this case, the epoxy is not oxidized, but it's dissolved. Or I should rather say 380 00:29:53,340 --> 00:29:58,080 that it's it's swollen. So the molecules of the solvent go into the epoxy and then 381 00:29:58,080 --> 00:30:02,129 it swells and you can brush it away. It's not material. The solvent process in this 382 00:30:02,129 --> 00:30:05,889 case, um, besides these epoxy dissolving chemicals, there are also some specialties 383 00:30:05,889 --> 00:30:11,950 for some of the first one. Colene, this is used in industry for cheap cleaning, but 384 00:30:11,950 --> 00:30:16,480 also for wafer cleaning. 
And then finally, the three ones on the bottom. These are 385 00:30:16,480 --> 00:30:20,309 the acids which are used for destructive opening. Nitric acid you all know already 386 00:30:20,309 --> 00:30:24,159 now. And then we have two other ones, sulfuric acid, which must be used in a hot 387 00:30:24,159 --> 00:30:29,330 variant, and also the so-called oleum, which is a more aggressive version of the 388 00:30:29,330 --> 00:30:33,070 sulfuric acid, which can be used also at room temperature. So looking at 389 00:30:33,070 --> 00:30:35,659 professional methods which are available, for example, for semiconductor 390 00:30:35,659 --> 00:30:38,299 manufacturers, if they want to do a failure analysis, for example, then also 391 00:30:38,299 --> 00:30:42,179 we have brought you some examples. And this one here uses also fuming nitric 392 00:30:42,179 --> 00:30:46,789 acid. It's a chemical decapsulator. It's a typical tool for industry if packages 393 00:30:46,789 --> 00:30:50,299 are to be opened, for example, for failure analysis or other means. And so in this 394 00:30:50,299 --> 00:30:55,470 case here, the acid is not dropped onto the surface of the package, but it's first 395 00:30:55,470 --> 00:30:59,380 heated and then it's pumped through a small nozzle, which is made of Teflon or 396 00:30:59,380 --> 00:31:06,399 glass. And then a jet of hot acid is pushed on the surface of the package 397 00:31:06,399 --> 00:31:12,239 itself. So this means all the reaction products are readily flushed away and are 398 00:31:12,239 --> 00:31:20,450 purged and the chip only comes in connection with pure nitric acid. So this 399 00:31:20,450 --> 00:31:27,479 means it can also not be damaged by reaction products, which is very good. So 400 00:31:27,479 --> 00:31:31,210 typically such devices give very good results, but there's a disadvantage.
Of 401 00:31:31,210 --> 00:31:37,099 course, on the one hand side, it's professional equipment that's quite 402 00:31:37,099 --> 00:31:42,809 expensive, on the other hand, you need much higher volumes of the fuming nitric 403 00:31:42,809 --> 00:31:50,559 acid. Typically, if you do it manually, you would need five milliliters or 10 and 404 00:31:50,559 --> 00:31:55,159 here you need much more, maybe 50 milliliters or even more. This one is a 405 00:31:55,159 --> 00:31:58,880 CNC milling machine, which we would also be using, for example, in a 406 00:31:58,880 --> 00:32:04,830 professional environment, and I think there are lock picking people here. I would 407 00:32:04,830 --> 00:32:09,450 like to have something like this, too. That's a really nice machine, which can make 408 00:32:09,450 --> 00:32:14,070 programmed milling. It has not just packages preprogrammed inside, but it can also 409 00:32:14,070 --> 00:32:17,679 learn new packages. And the interesting thing is that you can also use diamond 410 00:32:17,679 --> 00:32:22,059 drills and thereby open ceramic packages. Also, for example, from the back side, if 411 00:32:22,059 --> 00:32:27,090 you want to get access to the chip side for a special purpose. Nevertheless, this 412 00:32:27,090 --> 00:32:32,599 equipment is very expensive, also in operation. So these diamond drills have a very 413 00:32:32,599 --> 00:32:44,009 high cost, and last but not least, it's very heavy. So it cannot be used in all 414 00:32:44,009 --> 00:32:49,520 laboratories. This one here is a laser decapsulator. A laser decapsulator 415 00:32:49,520 --> 00:32:54,379 is mainly a laser scanner. And I think you saw some of these on the assembly already 416 00:32:54,379 --> 00:32:58,259 for cutting wood or Styrofoam and so on. And that's nearly the same. But it works 417 00:32:58,259 --> 00:33:04,320 more on the microscopic level or millimeter level.
And so thereby a 418 00:33:04,320 --> 00:33:07,759 complete plastic package, for example, can be scanned with a focused laser and the laser 419 00:33:07,759 --> 00:33:11,090 just evaporates the material. That's an inch on a few more so that the reaction 420 00:33:11,090 --> 00:33:15,249 products are purged. And so therefore, that's really a nice way of opening 421 00:33:15,249 --> 00:33:19,429 packages. Again, like for the machine, there are preprogrammed packages, but it can 422 00:33:19,429 --> 00:33:23,820 also learn to use new packages. Nevertheless, there are also disadvantages 423 00:33:23,820 --> 00:33:29,259 of such methods. Again here, like Marcus already said for the laser, you have a 424 00:33:29,259 --> 00:33:33,149 thermal stress to the chip, which sometimes can lead to breaking the chip, 425 00:33:33,149 --> 00:33:38,809 which you don't want. And also, again, the costs are quite high. Milling and also 426 00:33:38,809 --> 00:33:43,340 this laser decapsulation are typically not used to completely open a package. It is 427 00:33:43,340 --> 00:33:47,059 more used for generating a recess, which is then further treated by chemical 428 00:33:47,059 --> 00:33:49,419 etching. So this means you would only make a recess in the plastic package, which is 429 00:33:49,419 --> 00:33:53,129 nicely fitting the capsule as a chemical to capture that. And then afterwards, with 430 00:33:53,129 --> 00:33:57,799 fuming nitric acid, you would do the final opening of the package either manually or 431 00:33:57,799 --> 00:34:01,289 with an automatic version. So if the chip is properly prepared and here, for 432 00:34:01,289 --> 00:34:08,169 example, on the right, you can see a chip which was opened with a professional, um, 433 00:34:08,169 --> 00:34:14,889 device, then you can have full access first with a microscope. Of course, you 434 00:34:14,889 --> 00:34:19,230 can see if there's a chip in the package.
You can have a look if there are some die 435 00:34:19,230 --> 00:34:21,849 markings which can lead you to a more material literature, data sheets and so 436 00:34:21,849 --> 00:34:26,659 on. Um, have a look inside what the function may be and what this is used for 437 00:34:26,659 --> 00:34:30,119 in the device which you are currently investigating. But, uh, sometimes after 438 00:34:30,119 --> 00:34:33,460 you have done that, then the real fun starts, which means preparation of an 439 00:34:33,460 --> 00:34:37,849 attack or finding attack vectors and then finally also doing such attacks. So 440 00:34:37,849 --> 00:34:40,579 attacks could be further reverse engineering, for example, making a 441 00:34:40,579 --> 00:34:43,819 complete preparation of the chip, grinding away the different layers of it for, uh, 442 00:34:43,819 --> 00:34:48,339 doing a complete reverse engineering. And then if the package is opened, you can do 443 00:34:48,339 --> 00:34:50,559 some attacks, which you normally won't do or can't do with packages, um, with chips 444 00:34:50,559 --> 00:34:54,679 inside, which are, for example, laser attacks that you focus the laser 445 00:34:54,679 --> 00:35:00,079 on the chip to make some faults or to induce some wrong calculations inside. 446 00:35:00,079 --> 00:35:05,240 There are many other devices which have ultraviolet fuses which can be erased, for 447 00:35:05,240 --> 00:35:08,859 example, against code protection. One can do permanent manipulations, for example, 448 00:35:08,859 --> 00:35:13,330 by focused ion beam or laser cutter, if that's what all the chips, um, one can do.
449 00:35:13,330 --> 00:35:16,050 Alpha radiation attacks because alpha radiation also would not penetrate a 450 00:35:16,050 --> 00:35:20,400 package, but, uh, they will penetrate the silicon and then make faults, for example, 451 00:35:20,400 --> 00:35:25,460 electromagnetic attacks by applying a probe on the top of the chip or on the 452 00:35:25,460 --> 00:35:27,890 backside. And, um, the one which I have left out a photon emission. Such an 453 00:35:27,890 --> 00:35:33,049 analysis. That's quite interesting. Um, that's a way of looking at the chip, how 454 00:35:33,049 --> 00:35:35,930 it generates infrared photons, while calculating, for example, if a transistor 455 00:35:35,930 --> 00:35:40,230 switches and photons are emitted. And that's a method which we are 456 00:35:40,230 --> 00:35:44,829 professionally using since 2001. But recently I read in the press that also 457 00:35:44,829 --> 00:35:49,130 some other people are looking for this method, uh, for example, the German one does not 458 00:35:49,130 --> 00:35:54,069 wants to get such a device to, um, which sounds quite, um. Yeah. Quite reasonable 459 00:35:54,069 --> 00:35:57,410 to me because there are some smart card chips today available which are not 460 00:35:57,410 --> 00:36:02,400 prepared against such kind of attacks. And also this may be a way of using this 461 00:36:02,400 --> 00:36:06,390 photon emission, such an analysis for, um, exploiting a backdoor which could be 462 00:36:06,390 --> 00:36:10,320 induced by physically unclonable functions. If you are interested, we made 463 00:36:10,320 --> 00:36:15,559 a talk last year and we have also a small chapter about it. But this would lead too 464 00:36:15,559 --> 00:36:23,810 far in this environment here. So, um, if you are interested in the topic itself 465 00:36:23,810 --> 00:36:28,880 and, uh, want to have an overview, then we would recommend this book that's, um, 466 00:36:28,880 --> 00:36:34,240 available in German.
But also there's an English version of it which we have put 467 00:36:34,240 --> 00:36:39,460 under the literature here. It's from a Siemens failure analysis guy and the 468 00:36:39,460 --> 00:36:42,099 contents of the package opening, but also chip preparation techniques. And there's 469 00:36:42,099 --> 00:36:44,950 a nice presentation about using fuming nitric acid for decapsulations from ON 470 00:36:44,950 --> 00:36:51,510 Semiconductor in 2008. Um, if you use, um, colophony, or rosin as it's sometimes called, um, 471 00:36:51,510 --> 00:36:57,309 then there are two interesting projects. One is from the cost of Belene. Um, it's 472 00:36:57,309 --> 00:37:00,950 along with colophony, unfortunately is only in Germany, in German. And then 473 00:37:00,950 --> 00:37:07,020 there's also a project from the LEP which is called As a Californian User, which is 474 00:37:07,020 --> 00:37:11,960 an automated way of opening packages, which is kind of funny. And then finally, there's 475 00:37:11,960 --> 00:37:16,079 also an interesting thing about laser chip access, how to open chips with laser and 476 00:37:16,079 --> 00:37:19,069 3D techniques. So these are only a few points. Um, this book we have also at the 477 00:37:19,069 --> 00:37:24,569 assembly. So if you want to have a look inside, then be invited to visit us today. 478 00:37:24,569 --> 00:37:27,869 Finally, if you have a look inside chips, then sometimes, uh, interesting things open 479 00:37:27,869 --> 00:37:32,300 up, not only technology, not only attack vectors, but sometimes you also see some 480 00:37:32,300 --> 00:37:36,352 artwork. Sometimes today there's not much place left because that's also cost, and 481 00:37:36,352 --> 00:37:40,520 so therefore this year art is getting less and less. But these are some examples 482 00:37:40,520 --> 00:37:44,710 which we found sailboard and here in the upper right corner, the city arms of 483 00:37:44,710 --> 00:37:47,800 Hamburg, which belongs to a chip from Philips.
All right. So that's not 484 00:37:47,800 --> 00:37:55,540 complete. Our small presentation about Chip opening. And now we have some some 485 00:37:55,540 --> 00:38:01,309 minutes for questions, of course. 486 00:38:01,309 --> 00:38:08,589 Herald: Wow, amazing. I see my shopping list grow. So are there any questions, I 487 00:38:08,589 --> 00:38:10,590 would say from from the Web? Are you OK? Signal Angel: Indeed. OK, that's one 488 00:38:10,590 --> 00:38:15,700 question from the Internet, and it's concerning the left overs of the 489 00:38:15,700 --> 00:38:21,609 chemicals. Um, do you have any hints about how to get rid of them after you practice 490 00:38:21,609 --> 00:38:25,540 in your private environment? Peter: All right. So first of all, I would 491 00:38:25,540 --> 00:38:30,029 recommend not to buy any chemicals that you don't need, because that's all 492 00:38:30,029 --> 00:38:36,930 environmental pollution which is generated just in the moment they are produced. And 493 00:38:36,930 --> 00:38:40,660 so, therefore, buy only the chemicals you need, um, buy only the amounts of 494 00:38:40,660 --> 00:38:43,940 chemicals that you need, I would recommend. And then afterwards, there are 495 00:38:43,940 --> 00:38:46,779 also ways of neutralizing these agents, for example, fuming nitric acid can be 496 00:38:46,779 --> 00:38:51,170 neutralized with baking soda, which also we have on our list here. And so 497 00:38:51,170 --> 00:38:53,410 therefore, I would have a look inside Internet sources, for example, to see what 498 00:38:53,410 --> 00:38:57,520 are the special ways of neutralizing each agent. So for a private person, it's, I 499 00:38:57,520 --> 00:39:09,880 would say nearly the same. Like for industry or certainly industry, this 500 00:39:09,880 --> 00:39:21,789 chemical are neutralized and then given away to the appropriate institutions. 
501 00:39:21,789 --> 00:39:27,960 Sometimes you can just flush it away after neutralizing it, but sometimes the 502 00:39:27,960 --> 00:39:32,640 result may be toxic and then you have to give it to a special institution. 503 00:39:32,640 --> 00:39:37,610 Herald: Question answered. Guess, um, any more questions from the web. OK, um, 504 00:39:37,610 --> 00:39:42,130 I would say we do some load balancing. You start first please. 505 00:39:42,130 --> 00:39:47,020 Mic: Oh. Is there a way to actually verify whether chips are identical. So if you 506 00:39:47,020 --> 00:39:50,543 have two chips or whatever, they are the same or generated using the same mask set? 507 00:39:50,543 --> 00:39:51,770 Or any mechanical way to actually verify that? 508 00:39:51,770 --> 00:39:57,970 Peter: If these chips are identical. OK. So if there would be a way, for example, 509 00:39:57,970 --> 00:40:01,020 to make an X-ray, this would be, of course, fine, because then you don't need 510 00:40:01,020 --> 00:40:05,950 any preparation at all. So some years ago, I would have recommended to ask your 511 00:40:05,950 --> 00:40:11,400 dentist, for example, because he has an X-ray. But normally X-rays are today not 512 00:40:11,400 --> 00:40:15,650 used for other purposes than they are intended to. So therefore, X-ray would be, 513 00:40:15,650 --> 00:40:18,080 of course, the best one to have a look inside the chip. Um, if these are 514 00:40:18,080 --> 00:40:21,589 smartcards, then sometimes infrared can serve well, because also with infrared, 515 00:40:21,589 --> 00:40:26,539 you can look through the smartcard itself sometimes and then see the surrounding. 516 00:40:26,539 --> 00:40:30,960 And also chips have typically characteristic bond wires. So this means 517 00:40:30,960 --> 00:40:35,029 that the alignment of bond wires. So where are the pads, for example, differ also 518 00:40:35,029 --> 00:40:40,280 from chip to chip.
And finally, of course, the marking, because typically a marking 519 00:40:40,280 --> 00:40:44,529 is only valid for one specific chip and another chip, which would be the next 520 00:40:44,529 --> 00:40:47,099 generation, for example, would also have a different chip marking then. 521 00:40:47,099 --> 00:40:51,680 Marcus: But anyhow, of course, so you can distinguish whether this is the same 522 00:40:51,680 --> 00:40:56,170 hardware or not. Very often today, also, the chips are equipped with some flash. 523 00:40:56,170 --> 00:41:01,130 And later, if you open up one chip, you can identify whether there's a nonvolatile 524 00:41:01,130 --> 00:41:06,960 memory on the chip. And of course, you cannot distinguish by the microscope 525 00:41:06,960 --> 00:41:12,960 whether the same flash content is in there or not. So it might be that a different 526 00:41:12,960 --> 00:41:16,490 operating system or different program is running on such a microcontroller 527 00:41:16,490 --> 00:41:23,630 containing some flash, even if this is the same hardware. But at least, you know, OK, 528 00:41:23,630 --> 00:41:29,319 this is the same hardware. And your learning, as you have done on a first 529 00:41:29,319 --> 00:41:35,460 chip, you can also use on the same chip. Herald: Question answered? All right, 530 00:41:35,460 --> 00:41:38,329 let's go. Mic: So have you ever opened up a package 531 00:41:38,329 --> 00:41:40,869 just to find you've been hit by a counterfeit part? 532 00:41:40,869 --> 00:41:45,839 Peter: Personally, not so. I know there are many counterfeits, especially from 533 00:41:45,839 --> 00:41:49,480 Asia Pacific Range. And sometimes it's quite interesting. I've seen such devices. 534 00:41:49,480 --> 00:41:53,109 I did not open them by myself, but sometimes that's a totally different chip. 535 00:41:53,109 --> 00:41:58,740 And.
So it does not even match the type of functionality which you would expect, 536 00:41:58,740 --> 00:42:03,020 for example, instead of a microcontroller there's a 74-something logic chip inside, which 537 00:42:03,020 --> 00:42:07,079 would not work at all. Marcus: But again, here also, if you open 538 00:42:07,079 --> 00:42:11,600 up the chip package, you can see the die marking and have no clue about the chip 539 00:42:11,600 --> 00:42:16,190 itself and also about the functionality, because the logical chip, uh, 74 series, 540 00:42:16,190 --> 00:42:20,220 it's much less complexity and so quite clearly visible in the microscope compared 541 00:42:20,220 --> 00:42:26,500 to a microcontroller or something. So it's quite easy to identify whether the 542 00:42:26,500 --> 00:42:32,480 printing on the package is correct or whether this is just a fake chip. 543 00:42:32,480 --> 00:42:36,549 Mic: Well, that's not clear. But you know what? After all. 544 00:42:36,549 --> 00:42:40,390 Herald: Question answered? I guess. Yes, please go. Go on. 545 00:42:40,390 --> 00:42:46,150 Mic: So you said you can generally look at chips using just optical microscopes, what 546 00:42:46,150 --> 00:42:47,930 kind of magnification we can need for different types of chips? 547 00:42:47,930 --> 00:42:51,160 Peter: OK, so typically for a stereo microscope, for preparation, you would 548 00:42:51,160 --> 00:42:57,070 need only some five, four or twenty four to magnification, but usually for looking 549 00:42:57,070 --> 00:43:02,369 optically at chips, you would need a 100 fold to I would say five hundred fold 550 00:43:02,369 --> 00:43:07,960 magnification. Of course there's a limit because if the technology gets 551 00:43:07,960 --> 00:43:12,100 smaller than the wavelengths of light, then you've got a problem.
And so 552 00:43:12,100 --> 00:43:14,369 therefore we also have recommended here for amateurs or for beginners in this 553 00:43:14,369 --> 00:43:18,550 topic to use older chips, because you have, for example, one point two 554 00:43:18,550 --> 00:43:23,750 micrometer technology, which is far away from the wavelengths of the light. 555 00:43:23,750 --> 00:43:31,500 But if you today would have, for example, 90 nanometer or 65 nanometers of the CPUs, 556 00:43:31,500 --> 00:43:35,420 even 22 nanometers. So that's 20, 20 times smaller than the wavelengths of light. And 557 00:43:35,420 --> 00:43:40,070 then you don't see anything at all and just colors. 558 00:43:40,070 --> 00:43:43,190 Herald: Question answered? Marcus: And please be invited to our 559 00:43:43,190 --> 00:43:48,650 assembly later on because we have got a microscope and some sample chips with us 560 00:43:48,650 --> 00:43:55,089 so you can make some own experience in there and watch the silicon and see what 561 00:43:55,089 --> 00:43:59,269 kind of such you can see so please be invited. 562 00:43:59,269 --> 00:44:04,380 Herald: I'm totally sorry. I totally overlooked Microphone four. Please, please 563 00:44:04,380 --> 00:44:09,029 go ahead. Mic: So if you have just a limited amount 564 00:44:09,029 --> 00:44:12,279 of chips and want to maybe reuse them again like we want them. Um.. 565 00:44:12,279 --> 00:44:14,869 Herald: Could you please repeat the question with a microphone, because then 566 00:44:14,869 --> 00:44:17,240 it's recorded. Mic: Yeah, so if you have, like, only a 567 00:44:17,240 --> 00:44:20,410 couple of chips and want to reuse them again and dissolve epoxy, like what or 568 00:44:20,410 --> 00:44:26,799 what method would you recommend to use? Peter: All right.
So if you want to use 569 00:44:26,799 --> 00:44:34,210 them, um, after preparing, then it's very important that there are no acid residues 570 00:44:34,210 --> 00:44:41,430 left because we sometimes see, for example, if you prepare a chip with fuming 571 00:44:41,430 --> 00:44:46,750 nitric acid and there's just a small amount of acid which is left, then after 572 00:44:46,750 --> 00:44:51,540 one week or two week, the chips deteriorate. And so this means that they 573 00:44:51,540 --> 00:44:53,450 have to be and the acid has to be neutralized very good. Rinsed with acetone 574 00:44:53,450 --> 00:45:00,200 and then afterwards dry it carefully. So I would recommend to to store them also 575 00:45:00,200 --> 00:45:04,329 maybe, um, under dry conditions, but if you are interested. And afterwards you 576 00:45:04,329 --> 00:45:07,920 could also contact us because we have some methods also for conserving chips. 577 00:45:07,920 --> 00:45:10,519 Herald: Question answered right from the Internet, please. 578 00:45:10,519 --> 00:45:14,839 Signal Angel: Yeah, there's another one. Um, it's about have you noticed any 579 00:45:14,839 --> 00:45:15,839 manufacturers implementing countermeasures, new guards to decapping 580 00:45:15,839 --> 00:45:19,470 the chips? Marcus: So yes, indeed, there are some, 581 00:45:19,470 --> 00:45:25,700 uh, countermeasures at advertised by, uh, manufacturers who say, yes, we have a kind 582 00:45:25,700 --> 00:45:30,440 of secure package. Uh, one of those secure packages also shown in the presentation 583 00:45:30,440 --> 00:45:33,779 where, for example, uh, special coverage on top has been placed. Uh, but anyhow, 584 00:45:33,779 --> 00:45:37,230 also there we have, uh, displayed some, uh, methods in order to open up those 585 00:45:37,230 --> 00:45:42,609 kinds of packages. So, uh, it's always a trade off how much, uh, security you can 586 00:45:42,609 --> 00:45:48,720 expect from the chip package.
And so, in my opinion, I think the package there are 587 00:45:48,720 --> 00:45:52,880 so many, uh, methods to remove a package. It could not be a completely secure 588 00:45:52,880 --> 00:45:57,030 package just by the package itself. So if you need to have some secrets inside a 589 00:45:57,030 --> 00:46:00,940 chip, then really the chip hardware should be secured and therefore protected against 590 00:46:00,940 --> 00:46:07,059 spying out of those data. And this will be more on logical ways, for example, using 591 00:46:07,059 --> 00:46:11,289 encryption instead of using some, uh, material in the package. 592 00:46:11,289 --> 00:46:16,690 Peter: So there should be no trade off between buying, uh, insecure or less 593 00:46:16,690 --> 00:46:22,260 secure chip and then adding a package. We think that the chip itself has to be 594 00:46:22,260 --> 00:46:28,619 secure or secure enough, I should say, and it cannot be afterwards put the security 595 00:46:28,619 --> 00:46:37,280 cannot be put afterwards around the chip. So that's not the way of, uh, of clean, 596 00:46:37,280 --> 00:46:42,490 uh, engineering. Herald: Right. Um, we have time for a last 597 00:46:42,490 --> 00:46:58,490 question. If you could please keep short and you guys also please go ahead. 598 00:46:58,490 --> 00:47:15,330 Mic: I have a question about, uh, legal problems. When you publish photos of the 599 00:47:15,330 --> 00:47:26,589 internal parts, and maybe sharing in a public database to to make education 600 00:47:26,589 --> 00:47:37,570 better or I don't know. Peter: Um, that's if you make photos of 601 00:47:37,570 --> 00:47:44,490 chips themselves which you have prepared by yourselves, then I think it should not 602 00:47:44,490 --> 00:48:09,079 be critical. So we have also here are some pictures which we made sometimes of our 603 00:48:09,079 --> 00:48:17,900 own chips, sometimes of other chips. But this does not contain any trade secrets, 604 00:48:17,900 --> 00:48:41,130 for example. 
But of course, that's a difficult question, especially if it goes, 605 00:48:41,130 --> 00:48:50,810 for example, to pictures which contain material where you see, for example code, 606 00:48:50,810 --> 00:48:57,839 a ROM picture if you would publish a picture of a ROM and then it could be that 607 00:48:57,839 --> 00:49:12,299 this ROM contains code and then you would publish this code. So it's very difficult 608 00:49:12,299 --> 00:49:25,299 to tell which is which is right and which is wrong. But, um, usually we don't think 609 00:49:25,299 --> 00:49:36,579 that that just took pictures are critical. Marcus: And it really depends also on the 610 00:49:36,579 --> 00:49:57,440 resolution. If you have a complete chip and an overall resolution that you cannot 611 00:49:57,440 --> 00:50:14,170 identify single lines and cannot use this as a schematic to include such a chip, 612 00:50:14,170 --> 00:51:35,230 then it's something different compared to a high resolution picture where you can 613 00:51:35,230 --> 00:52:26,570 draw a complete schematics in there, but we can also talk later on in the assembly 614 00:52:26,570 --> 00:52:51,039 more on this topic. And also I see some further question, but I think we are 615 00:52:51,039 --> 00:53:44,180 running out of time so we can do this later on. 616 00:53:44,180 --> 00:54:38,359 Herald: Yeah, great. Thank you very much. Thank you for your questions. 617 00:54:38,359 --> 00:54:42,539 *applause* 618 00:54:42,539 --> 00:55:20,499 The guys with the open chips go to the assembly and ask them if you have any more 619 00:55:20,499 --> 01:01:41,631 questions, please. OK, thank you. 620 01:01:41,631 --> 01:01:56,000 Subtitles created by c3subtitles.de in the year 2021. Join, and help us!