Zero Day Initiative | Blog

MindShaRE: Decapping Chips for Electromagnetic Fault Injection (EMFI)

The automotive VR team has attempted to reproduce a software extraction attack on a target device used in Automotive Pwn2Own 2024 in Tokyo, Japan. They chose the electromagnetic fault injection (EMFI) approach to bypass the device's readout protection mechanisms. To narrow down the search area for the attack, they decided to decap the device, which involved using hot sulfuric acid to dissolve the packaging epoxy. The process required heating the device, applying acid, cooling, washing off the acid with acetone, and repeating these steps multiple times. After decapping, they took measurements of the package, the die, and the die's position within the package using a graphics editor. This information will help in programming the EM probe motion to cover the die area only, reducing experiment time by a factor of 25. Another approach is moving the probe in a spiral outward from the package center, but this method has limitations. Decapping took about 1-2 hours including cleanup and was deemed worth the information gained. The team will continue to post guides and methodologies in future posts.
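As an added example that is not code from the ZDI post, the arithmetic behind the speed-up: die measurements taken in a graphics editor (pixels) are converted to probe coordinates using a package dimension of known size, and the raster grid over the whole package is compared with one restricted to the die. The pixel boxes, the 10 mm package width and the 0.1 mm step are constructed values, not the target device's.

```python
from dataclasses import dataclass
from typing import List, Tuple

Box = Tuple[int, int, int, int]  # (x, y, w, h) as measured in the image, pixels


@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle in mm; origin is the package's top-left corner."""
    x: float
    y: float
    w: float
    h: float


def mm_per_pixel(package_px: Box, package_w_mm: float) -> float:
    """Calibrate the image scale from the package width (known from the datasheet)."""
    return package_w_mm / package_px[2]


def die_rect_mm(die_px: Box, package_px: Box, package_w_mm: float) -> Rect:
    """Convert the die's pixel bounding box into package-relative mm coordinates."""
    s = mm_per_pixel(package_px, package_w_mm)
    return Rect((die_px[0] - package_px[0]) * s, (die_px[1] - package_px[1]) * s,
                die_px[2] * s, die_px[3] * s)


def raster_points(r: Rect, step_mm: float) -> List[Tuple[float, float]]:
    """Probe positions for a row-by-row raster over r at the given pitch."""
    nx, ny = round(r.w / step_mm), round(r.h / step_mm)
    return [(round(r.x + i * step_mm, 4), round(r.y + j * step_mm, 4))
            for j in range(ny) for i in range(nx)]


def speedup(package: Rect, die: Rect, step_mm: float) -> float:
    """How many times fewer positions a die-only scan visits than a full-package scan."""
    return len(raster_points(package, step_mm)) / len(raster_points(die, step_mm))


# Constructed sample measurements: package 800 px wide (10 mm), die 160 px square,
# offset so that the die is not centred in the package.
PACKAGE_PX: Box = (100, 120, 800, 800)
DIE_PX: Box = (420, 450, 160, 160)
PACKAGE_W_MM = 10.0
PACKAGE_MM = Rect(0.0, 0.0, PACKAGE_W_MM, PACKAGE_W_MM)
DIE_MM = die_rect_mm(DIE_PX, PACKAGE_PX, PACKAGE_W_MM)

if __name__ == "__main__":
    print(DIE_MM)                               # die at (4.0, 4.125), 2 mm square
    print(speedup(PACKAGE_MM, DIE_MM, 0.1))     # 25.0
```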