In the last article, I outlined the various options for cracking a phone card. That was some time ago. Since then, I've searched the internet several times and thought about different options. I've found that there is a group of people in the world who, for fun, remove microchip covers and examine their structure.
I became interested in it and tried different methods of decapping at home. Of course, I still don't have access to a lab or dangerous acids, so I've only tried commonly available methods.
Since I only had one phone card and no one around me had any, I bought a supply of cards from a collector for 200 CZK (~8€). Thanks to that, I had enough of them and I didn't have to be afraid to destroy one here and there.
I originally created a card reader from a card case and an Ethernet cable (Homemade phone card reader). After a while, the concept no longer suited me, so I decided to create another version that would be easier to connect to an Arduino. Unfortunately, this version does not work for some reason. I suspect the power supply.
This created the need to quickly get a makeshift reader, so I created another version, which connects directly to the chip. I then debugged AdvancedTCardReader on this, which is a program that allows challenge / response authentication.
I was a little surprised that the hash function used returns the same values for a quadratically increasing set of inputs (at the beginning it has the original answer for the first input, then it has the same for the next two, then for four, etc.). It sounds weird to me, so I think I could have made a mistake somewhere. I haven't been in the mood to look into it yet.
Before attempting to remove the cover layer, I always cut out the chip case from the card first. The core itself is encased in something black and hard. Attempting to scratch with the tip of a pin leaves traces visible to the eye. It is an epoxy within which the core is encapsulated during production.
Once the chip casing is cut out, it can be broken - you get a core which is about a millimeter in size, coated with a little epoxy.
I gradually tried several methods to remove epoxy from the core. Some were functional, others were not. I bought a cheap children's microscope for 21 Czech crowns (1€) so I can observe how suitable the given method is.
The biological microscope is not entirely suitable for examining the structure; it is really only suitable for finding out how much epoxy is left on the chip.
Burning out the epoxy
The first thing I tried was the simplest method - removing the epoxy by burning it. I heated the chip case with a lighter (on the second attempt with a gas burner) to 800-900 °C until the case cracked and dropped. After searching the charred remains, I found the core of the chip. It is necessary to state that during this experiment I was unaware that the core can be broken out of the chip, so I fried it with the contacts.
At that time, I did not have a microscope, so I tried to scan the core of the chip in the highest resolution that our home scanner was capable of, 1200 DPI. However, the result was not encouraging:
After I bought a microscope, I found that I had lost the original core, so I was forced to try again. Here are the results at about 200x magnification:
The core of the chip is covered with charred remnants of insulating material. The residue holds relatively firmly, and its removal would result in damage to the structure of the core. This method therefore proved to be completely inappropriate.
I placed the core in foil and then heated it with a hot air gun (320 °C) for about 3 minutes. This technique has proven ineffective because the epoxy needs to be peeled from the core manually, which of course is not possible in the foil.
On the second attempt, I fastened the hot air gun in the vice and, with the help of two sharp tweezers, I almost cleaned the core. Since I was doing it for the first time, I managed to drop it several times, and a few times I had a hard time finding the small dot of the core on the floor.
The results are not so bad:
Under the microscope, however, it looks different:
The core is coated with epoxy residues, which are almost impossible to remove. So, this method also turned out to be insufficient.
According to some sources, one way to remove the epoxy is to use acetone and gasoline. If the epoxy is left soaked in it for a long time, it can be removed. We didn't have pure acetone at home and I preferred not to pump the gas out of the car, so I used paint thinner. It didn't have a label on it, but if my memory serves me right, it contains acetone.
I left the chip core in acetone for several weeks and then tried to mechanically remove the epoxy layer. Unfortunately, the epoxy softened a bit and became more brittle, but I did not manage to remove the layer that covered the core.
An article was published on Hackaday stating that the epoxy can be dissolved in rosin. I couldn't help but try it right away.
I put the core and contacts in the test tube (which is not very clever, details below) and covered it with rosin. For heating, I used a gas burner (900 °C) at a reasonable distance so that the rosin boiled only lightly. When it starts to foam, the burner is too close.
The whole boiling process took place in an open window and in my absence - the steam from the boiling rosin is said to be relatively toxic. After about 20 minutes, I turned off the burner and allowed the tube to cool. Then I used a lighter to heat the tube so that the rosin flowed out. I collected pieces that looked like they contained metal and washed them in thinner. After a moment of soaking, the rosin dissolved, and I was left with a core and a few fused pieces of copper metal from contacts (probably there was tin somewhere). I realized how lucky I was that the core didn't melt between the pieces of copper. Next time I have to throw the core in there alone! I poured the remaining thinner on a piece of newspaper and burned it in the stove.
The core of the chip is beautifully clean and even just using the magnifying glass, the individual structures can be seen:
This is what it looks like under a microscope:
This method seems to me to be the best so far - it is not expensive, nor does it threaten you with an ugly death, like when you work with aggressive acids.
Now that I've found a simple and reliable method of uncovering the chip's core, it's time to examine it under a microscope. Unfortunately, this requires a relatively expensive microscope (metallurgical, electron, etc.), not a bargain deal microscope for 21 CZK. It will also be necessary to get a source of UV light, which will cause the individual paths on the chip to shine in different colors.
If someone with access to the necessary equipment (a high-quality microscope) is found, I'll be happy to send them the core in exchange for the resulting photos, so that they can document it.