Fraktal's Open Source Laser Fault Injection Rig Has a Surprise Second Use: As a Laser Decapper

Just a minute of laser exposure, followed by manual removal of the copper die pad and a quick clean-up, gets a chip ready for testing.

Gareth Halfacree
2 months ago • Security / HW101

Finnish cybersecurity firm Fraktal has unveiled a second string to its Raspberry Pi Pico-powered laser fault injection (LFI) rig: the ability to blast away a chip's packaging to expose the silicon beneath.

Fraktal's blog series on laser fault injection started a month ago with the unveiling of a Raspberry Pi Pico-powered rig, which allows security researchers to experiment with triggering security-bypassing faults in chips with a powerful laser for under $550 — something which Fraktal's Janne Taponen said was aimed at breaking down the barriers to entry for those interested in the technology "previously achievable only in specialist labs."

How do you expose a chip's silicon die to a laser for fault-injection testing? Blast the package with a more powerful laser beam, of course. (📹: Fraktal)

The latest entry in the series addresses the biggest issue with laser-fault injection: it can only take place if you can see the silicon chip itself. With the majority of chips being packaged in a way that buries the silicon die beneath layers of epoxy, plastic, metal, and/or ceramic, that means de-encapsulating, or "decapping" — something that Taponen reveals can also be achieved with lasers, rather than the usual techniques of mechanical abrasion or harsh chemicals.

"One of the most groundbreaking features of our low-cost Laser Fault Injection (LFI) rig is its dual functionality," Taponen explains. "The same rig that you use for LFI attacks can also be used for laser decapping, making it an incredibly versatile tool. This capability drastically simplifies the decapping process, as you can decap and then immediately move on to glitching the chip — no need to switch between different equipment or complicated setups. By using our rig, you save time, space, and the hassle of working with multiple devices."

A 2W infrared laser in the LFI rig is enough to etch away at a chip's package, unveiling the silicon beneath in under a minute — with, Taponen claims, "a repeatable success rate of close to 100%." It does, of course, come with caveats — including the likelihood that you'll need a sacrificial chip first, to measure the thickness of the package and the size of the die pad underneath, and a warning that good fume extraction, ideally filtered, is a must.

The company claims the process takes under a minute, followed by manual removal of the die pad and cleaning. (📹: Fraktal)

"Based on our testing," Taponen concludes, "laser decapping offers the highest likelihood of leaving the chip functional after the process. The precision, speed, and non-contact nature of laser decapping make it the preferred choice for modern IC packages, especially when working with high-value or complex chips."

The full write-up is available on Fraktal's blog; design files and source code for the rig, including detailed instructions on using it for laser de-encapsulation, are available on GitHub under the permissive MIT license.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.