Boiling chips in tree sap.
I saw a CCC talk a while back about reverse engineering ICs (link, recording). It sounded fairly complicated for a hobbyist, but I thought I’d give it a try. All I was hoping for was to get some decent pictures, and I didn’t really care about reversing the design.
I dissolved the plastic casing in acetone and tried sanding down the epoxy blob, which didn’t work real well, so I started looking for a chemical solution. Apparently people don’t like giving out nitric acid, so I had to find an alternative. I found a dead temporarily down site describing using rosin, which is basically just tree sap. I tracked some down at the local musical instrument store, since violinists use it for whatnot.
After boiling a smartcard in it for about 20 minutes and dissolving the residue with acetone, the chip came out beautifully clean and undamaged. I glued it down to a microscope slide to have something solid to work with; it really is incredibly small. Since the microscope I was using was 30 years old, I couldn’t get any decent pictures, so I’m gonna try finding a better one.
From the pictures you can see that only 5 pins are used; some inspection (and common sense) revealed that the high voltage pin on the smartcard wasn’t connected. All the wires survived the epoxy stripping except one, which isn’t bad. With a little luck I’ll be able to find some text on this chip to find out what it is and who makes it. Hopefully I can reverse the protocol and play with it a bit, since they’re real common here but I haven’t been able to find any info on them.
All I know atm is that it’s a synchronous card with the following ATR:
0xA1 0x2B 0xFF 0x*D 0x** 0x** 0x** 0xCB 0x00 0x00 0x00 0x00 0x00 0xFE
But since the standard describing these isn’t free, I don’t have much to work from. If anyone has any info on ISO7816-10, I’d love to hear from you.