Laser delayering test

I received my new probe micro-positioner, two S-931 from Signatone and my first idea was to use them to dump the Firmware of the previous PIC16C57 to discover this method, but quickly I needed to delayer this chip. There are many ways to do that the most classic is to use HF by doing a window to selectively remove glass over the traces. Like I said before I don’t have a chemical lab and so I don’t want to use HF (this is a deadly chemical compound). Since I have a spare microscope to do test I bought a Laser from ebay to test some laser surgery on silicon die.


Current Setup

I took a 200mW green one. The choice of green comes from the Signatone website. Before going further I must say that the experiment only had few chance to be a success, 200mW CW laser is not really powerful and burn only black plastic, plus the optic on my microscope is not manufactured for laser use (Mitutoyo have series of objective for that), but I thought that concentrating the laser on a really small surface could do the job. I did the test using my old microscope (on the right):


The results is promising but I need to do a better setup with an other laser, in fact I managed to dig a small hole in the glass of a chip by putting the laser right behind a Neo 40x objective (the objectiv didn’t survive to this test):

DF_large_view BF_close_up BF_large_view DF_close_up

Some pictures in BF and DF of the point of impact.

Future tests

For now I need to find an other Laser, those results confirm the need of a pulsed one (Q-Switched YAG like advise by some people), since finding a TEC/air cooled YAG setup for few bucks is hard I have 4 choices:

Trying 1W Green or IR laser

Maybe that could do the job but I think pulse is necessary to have the max amount of heat at one instant to avoid the dissipation in the die. I will try this anyway when I’ll have enough money (or if someone lend me one ;))

eBaying to find a YAG setup

This option could be the best but need lot of search to find good cavity/lamp and rod in an usable shape (many ebay rod are scratched and I don’t want to polish them) plus will need work to design a good and secured PSU to integrate to the microscope.

Using a tattoo removal machine

There are many cheap tattoo removal machine on eBay (I won’t use those on my body but…) based on Q-Switched YAG laser and delivering IR and Green pulse,  there are two drawbacks, first I’ll need to put water near the setup to cool the laser machine and that’s not wanted for home use, second it’s not so cheap (about 1000$). At the moment it seems to be my best option because I know nobody selling a used setup for a reasonable price (I would love to get a SSY-1).

Signing a contract with the NSA

and stole laser setup before running to Ecuador 😀

So if you know people having used setup or piece of laser etc…. I’ll be interested. No need to say that the full setup will be documented as much as possible to be cloned around the world 🙂


PIC16C57C Unlocking and code dumping

After some tests on reading back the Program Memory of the PIC16C57C (I have many of them, thanks to you ;)) I finally managed to have a full working dump. The first one based on the previously decaped PIC was half a failure because of the nail polish area, there was many bad opcode right in the middle of the code and especially in the most interesting part. But that was a good starting point fuse were not protected against UV.

Badly covered area

Following the results only the little area on top right of the picture was in fact reset to 0xFF, the big part was protected (thanks to the mega Gemey long lasting UV resistant nail polish). To be sure of that we did a Full zero programming of the program memory and read it back. Quickest option was to redo the whole process on an other part.

Example of corrupted bit:

1274   4F9     191          XORWF 0x11, W
1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     00E
1278   4FD     34E          RLF 0xe, W
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F

Good version:

1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     02E          MOVWF 0xe
1278   4FD     36E          RLF 0xe, F
1279   4FE     370          RLF 0x10, F
1280   4FF     371          RLF 0x11, F

The second try was worst with a much more destroyed code dump, but the Zero test for leak in the UV shield passed without any problem. In fact after some investigation I shorted some bond wires together while applying the polish on the EPROM area. It gave some weird stuff and totally broke the code.

1275   4FA     193          XORWF 0x13, W
1276   4FB     199          XORWF 0x19, W
1277   4FC     03E          MOVWF 0x1e
1278   4FD     B7E          GOTO 0x17e
1279   4FE     B70          GOTO 0x170
1280   4FF     B71          GOTO 0x171

Here are some details of the fuse section, I think the Code Protect one is copied in the C version of that Pic because there is still 4 fuses where the datasheet gives a 12bits fuse register. It could make sense to do that to avoid undefined values in the code when reading the fuses (in fact this feature is present on all revision of the serie). This part is just a theory, if you have a better idea don’t hesitate to post it.

PIC16C57C Datasheet:

bit 11-3: CP: Code Protection Bit
bit 2: WDTE: Watchdog timer enable bit
bit 1-0: FOSC1:FOSC0: Oscillator Selection Bit

PIC16C57 Datasheet:

bit 11-4: Unimplemented : Read as ‘0’
bit 3: CP: Code protection bit.
bit 2: WDTE: Watchdog timer enable bit
bit 1-0: FOSC1:FOSC0: Oscillator selection bits

PIC16C57C Top Metal

Details (Neo DPlan 50x) of the FET with no protection on the gate:
pic16c57c fuse details

H2SO4 Decaping – Many failures analysis

For a little project I need to decap a PIC16C57C but keeping it alive for analysis. I finally manage to have a clean “localized” decaping but I did many test before. If you have stuff needed to work with HNO3 it will be easier, there are many article on that point on the mega Interweb. In my case I’m more comfortable with H2SO4 mainly because it’s easier to source (drain cleaner that’s what I use) where Nitric Acid is regulated (explosiv manufacturing ?). So my today results seem promising, the decaping is really clean.

Ready for live analysis

Ready for live analysis

Continue reading

Hello on saturday afternoon

No safety

First post on a blog I wanted to do for a long time, it will be specialized in pictures of electronics failures. Since the first time that idea pops out I did some IC reverse engineering (at least I try to learn;)). So I will have more stuff to post here.