Circuit Engineering Co., Limited

IC Copy’s general process

1 — The first step of intrusive IC Copy is thrown off IC chip package (referred to as “DECAP”, decapsulation). There are two ways to achieve this purpose: one is completely dissolved IC chip package, expose metal wires connections. The other one is only removed the plastic package on top of the silicon-core. The first method requires the chip to be binded on the test fixture and then proceed  to operate. The second method requires IC Copyier has certain degree of knowledge and the necessary skills, moreover, personal wisdom and patience are critical, but the operation process is relatively easier to complete even in family.

The plastic cover on top of IC chip can be opened with a knife, epoxy resin around the chip can be etched away with concentrated nitric acid. Hot concentrated nitric acid will dissolve out of the plastic cover of IC chip package without affecting the metal connection and IC. The process generally should be operated in a very dry conditions, because the presence of water could erode the exposed aluminum wire connections (which may cause decryption failures).

2 — Then, IC Copyier should use acetone to wash IC chip in ultrasonic cleaning the pool in order to remove residual nitric acid, and soaking.

3 — The final step is to find the location of the protection fuse and expose it under the UV light. Usually with a microscope with magnification of at least 100 times, follow up from the connections of programming voltage input pin to find protection fuse. If without microscope, a simple way can be taken for the purpose of search by expose different parts of IC chip under the UV light. Opaque paper should be used to cover IC chip in order to protect the program memory won’t be erased by ultraviolet light. The effect of the protection location will be eliminated after the protecting fuse being exposed to UV light for 5 to 10 minutes, afterwards, using a simple programmer can directly read the contents of program memory.

4 — For those MCU ICs with the protective layer to protect the EEPROM cell devices, the use of ultraviolet light reset protection circuit is not feasible. For this type of MCU IC, micro-probe techniques generally being used to read the memory contents. After IC chip package open, under the microscope the data bus which connected from memory to other parts of circuit can easily be found . For some reason, IC chip programming mode lock bit won’t lock in the access to memory under programming mode. Take advantage of this flaw, if put the probe on the data line would be able to read all required data. In programming mode, restart the reading process and connect the probe to the other dataline can read all programs and data memory in the IC chip.

5 — There is also another possible means of IC Copy is through the microscope and laser cutting machine to find the protection fuse to check and find those parts of circuit associated with all signal lines. Due to design defects, therefore, to cut off a signal line from protection fuse to the other circuits (or cut off the entire encrypted circuits) or to connect 1 to 3 gold wire (usually called FIB: focused ion beam), can disable the entire protection functions, so that a simple programmer can directly read out the contents of program memory.

6 — While most ordinary MCU IC has function that blown fuse to protect the code, due to low-end MCU IC not targeted at the production of safe products, so they often do not provide targeted preventive measures and the level of security is low. Moreover MCU IC has a wide range of application, sales quantity is very large, frenquency of consigned processing and technology transfer is high, let a lot of technical information out, IC Copyier can make use of loopholes in the design of such MCU IC and test interface, plus through intrusive attack or non-intrusive means of attack to read the controller’s internal procedures have become easier.

Circuit Engineering Company Limited provide a complete IC Crack, MCU Crack, PCB Reverse Engineering, PCB Clone and PCB Restoration service, Rapid Prototyping and functional test services using the latest technologies combined with traditional skills for a wide range of industries. By integrating our traditional skills with the latest technologies, we can offer clients a comprehensive portfolio of product development services all under one roof. For more details please contact us.