Date : Fri, 29 Oct 2010 18:21:54 +0100
From : list-a_cloud9.bbc-micro@... (Theo Markettos)
Subject: Reversing the Tube ULA (destructively)
In article <AANLkTi=NE-_et2NN0hrBgTtNMNSfdnmBB=xVopL0mFG9@...>
you wrote:
> Great! They say prices start from ?25 to dissolve down to a bare die: I'll
> stump up (or chip in) for that if someone (perhaps Mark) can provide a Tube
> ULA, and if someone (perhaps Theo) can get suitable high resolution photos
> of the result.
I've had a chat with Sergei Skorobogatov (keeper of the microscopes) and I
can use one when I have a chip to play with.
Some questions:
Do we know what technology they're in? 1um? 5um?
He says that on 100x lens you get 20um x 20um photos, and on 20x you get
100x100um. Do we know what sort of die size we're looking at? At 5mm x 5mm
and 100x that's 2500 photos.
What tools do you plan to use for analysis? Stitching and track following
isn't going to be doable by hand with 2500 pictures each 2000x3000 (I have a
6 megapixel camera). I found: http://www.degate.org/
> But also, in your photo of the 3 generations:
> http://www.retroclinic.com/misc/tubechips.jpg
> isn't the top one plastic packaged? Would that be depackageable with
> acetone?
Sergei says that chips of that era are less difficult to decap, the hardest
ones being modern PGA and QFPs. But I'm not sure that package is
thermoplastic (as used in smartcards)... it might just be epoxy without
filler (think about cured Araldite, it looks similarly-shiny).
Contact-based smartcard chips can be removed from thermoplastic cards just
with controlled heating (it's harder for RFID as it's embedded in the
plastic, hence the use of acetone).
Find a similar chip and set fire to it, that's the easiest way to tell...
> > Whilst it's not the Tube ULA, the Electron one is much easier to open...
> >
> > http://retroclinic.com/misc/12c021.jpg
> >
> > Gives an idea of what they look like inside, albeit this one is larger, 12
> > cell instead of 9.
How many gates are we expecting?
> BTW, I mentioned earlier abrasion for chip+pin, and in fact I was thinking
> of Nohl and Evans and the Mifare/Oyster work:
> http://www.usenix.org/events/sec08/tech/nohl.html
> "Once we had isolated the silicon
> chips, we removed each successive layer through me-
> chanical polishing, which we found easier to control than
> chemical etching. Simple polishing emulsion or sandpa-
> per with very ?ne grading of 0.04?m suf?ces to take off
> micrometer-thick layers within minutes."
If the cell structure is known, that shouldn't be necessary since the metal
layer is visible from the top of the die.
Theo