Full Report
The three-minute video shows the author working to access the JTAG ports inside the chip. They scrape open the SoC package with a pair of tweezers, then use some acid to get to the reset. After this, they solder onto the wires to get access to the JTAG interface. Pretty neat!
Analysis Summary
# Research: Physical Access to Silicon: Invasive Extraction of JTAG Debug Interfaces via Package Decapsulation
## Metadata
- **Authors:** Mickey (@HackingThings)
- **Institution:** Independent Security Research Community (Hardware Hacking)
- **Publication:** Social Media (X/Twitter)
- **Date:** December 21, 2022
## Abstract
This technical demonstration showcases a high-precision invasive hardware attack aimed at gaining debug access to a System-on-Chip (SoC). By manually removing the protective epoxy resin of the chip package (decapsulation) using mechanical and chemical means, the researcher exposes internal JTAG pads that were not routed to the external Printed Circuit Board (PCB). This process bypasses board-level security design by interfacing directly with the silicon’s interconnects.
## Research Objective
The primary objective of this research is to evaluate the feasibility of gaining JTAG (Joint Test Action Group) access when debug ports are intentionally omitted from the PCB layout. The research asks: Can low-cost physical bypass techniques be used to access internal debug interfaces hidden beneath the SoC package?
## Methodology
### Approach
The researcher uses a multi-stage destructive physical analysis (DPA; here in the reliability-testing sense, not differential power analysis) approach:
1. **Mechanical Abrasion:** Using precision tweezers and scraping tools to remove the top layer of the SoC’s epoxy molding compound.
2. **Chemical Etching:** Applying localized acid (likely fuming nitric acid or a specialized solvent) to dissolve remaining resin and isolate the internal reset and signal wires.
3. **Physical Interconnect:** Performing micro-soldering onto the exposed package-level pads/wires.
### Dataset/Environment
A standard surface-mount SoC integrated into a consumer or industrial electronics device.
### Tools & Technologies
- Precision tweezers and mechanical scrapers.
- Chemical solvents for epoxy removal.
- Micro-soldering station with high-gauge wire.
- Microscope for visual verification of chip topology.
## Key Findings
### Primary Results
1. **Non-routed Ports are Not "Secure":** Even if JTAG pins are not connected to copper traces on the PCB, they remain physically present within the chip package.
2. **Access Persistence:** Manual decapsulation can successfully expose internal pads without destroying the functional logic of the silicon.
3. **Low Barrier to Entry:** The attack does not require a cleanroom or multi-million dollar Focused Ion Beam (FIB) equipment; it can be performed with high-quality manual tools.
### Supporting Evidence
- The video demonstration confirms the successful exposure of internal wiring and the subsequent attachment of jumper leads to the JTAG interface.
### Novel Contributions
- Demonstrates a "middle-ground" bypass technique: more advanced than simple needle-probing on a PCB, but significantly more accessible and cheaper than professional laboratory IC decapsulation or laser voltage probing.
## Technical Details
The process targets the **interconnect level** of the IC packaging. Most modern SoCs use BGA (Ball Grid Array) or QFP (Quad Flat Package) designs in which "extra" features like JTAG are bonded to internal pads but not connected to the external pins or solder balls. By scraping the top of the package (a top-down approach; whether it is described as a "frontside" or "backside" attack depends on which face of the die is exposed), the researcher bypasses the board-level protection of simply not routing the traces and reaches the silicon's hardware-level debug interface directly.
## Practical Implications
### For Security Practitioners
- Physical access remains the ultimate threat vector. If an attacker has physical possession, silicon-level obfuscation is required, not just PCB-level omission.
### For Defenders
- **Disabling JTAG:** Hardware designers should use eFuses to permanently disable JTAG/Debug functionality during the manufacturing stage (Production Mode), rather than simply not routing the traces.
- **Tamper Evident Coating:** Use specialized potting compounds that make mechanical scraping more likely to destroy the underlying silicon.
### For Researchers
- This highlights the need for further study into low-cost invasive attacks on IoT and "secure" hardware modules.
## Limitations
- **Destructive Nature:** This is a one-way process; the device is permanently altered and risks total failure if the scraping depth is not precisely controlled.
- **Skill Requirement:** Requires extreme manual dexterity and experience in micro-electronics.
## Comparison to Prior Work
Unlike traditional hardware hacking, which focuses on glitching (voltage/clock manipulation) or side-channel analysis, this work builds on the field of **invasive physical analysis**. It simplifies the complex industrial process of acid decapsulation into a "benchtop" methodology accessible to a wider range of security researchers.
## Real-world Applications
- **Reverse Engineering:** Extracting firmware from locked devices where the UART/JTAG ports are hidden.
- **Forensics:** Recovering data from damaged or security-locked components.
## Future Work
- Analysis of how effective internal "shroud" layers or active shields are at preventing this manual scraping method.
- Development of automated mechanical decapsulation tools for better repeatability.
## References
- Post via Mickey (@HackingThings): `https://x.com/HackingThings/status/1605684402373156864`
- Related Work: *The Art of Decapsulation*, various authors (Hardware Hacking Manuals).