Below are two chip specimen, purchased from an Asian source, that were recently called to my attention. I borrowed them to write this blog post.
The chips claim to be ST19CF68’s, a “CMOS MCU Based Safeguard Smartcard I/O with Modular Arithmetic Processor”. It seems these chips are normally sold in smart-card or diced wafer format, but curiously, these are SOIC-20 packaged devices.
The top chip in the pair has its epoxy top dissolved, and this is what it contains:
Kind of a small die for such a complex MCU, especially in smartcard technology, where process geometries generally trail the mainstream by about 3 or 4 generations…and why are there 20 bondable pads on what should be an 8-pad part?
Zooming in a bit on the die, we find some interesting details:
Well, this chip isn’t made by ST…it’s made by Fairchild Semiconductor (FSC). No bueno.
And in fact, the die within is a Fairchild 74LCX244 “Low Voltage Buffer/Line Driver with 5V Tolerant Inputs and Outputs”, a much cheaper piece of silicon than the reputed ST19CF68 that the package was marked to contain.
Perhaps the most interesting thing about these specimen is the quality of the package and the markings:
Normally, remarked chips are pretty cheesy: they are sanded, painted over, or ground down before being marked, typically with just a silkscreen; rarely do you see a laser used to do the remarking.
These chips show no evidence of any kind of remarking per se. These are original markings — someone acquired blanks of the 74LCX244 chip, and programmed a production laser engraver to put a high-quality fake marking on an otherwise virgin package. I, too, would have been fooled by this up until the chip was decapsulated and examined under a microscope.
This leaves a lot of questions unanswered. How was someone able to acquire unmarked Fairchild silicon? Was it an insider, or was Fairchild sloppy and throwing away unmarked rejects without grinding them up or clipping off leads so they can’t be dumpster-dived and resold? The laser marking machine used isn’t one of the cheap desktop engravers either — the marks are done with a high-power raster engraver, and the engraving artwork is spot-on.
Then again, I shouldn’t be so surprised…I’ve seen brazen remarking of DIMMs in Saige market (Kingston seems to be a popular target for fakes), and many of the counterfeiters openly display their arsenal of professional-quality thermal transfer label printers and hologram stickers at their disposal.
If fakes of this quality become more common, this could present a problem for the supply chain. Clearly, whoever did this, can fake just about any chip they want, and they are gradually finding their way into the US market. Resellers, especially distributors that specialize in buying excess manufacturer inventory, implicitly trust the markings on a chip. I don’t think chip makers will go so far as to put anti-counterfeiting measures on chip markings, but this is definitely something that makes me wary.
“I, too, would have been fooled by this up until the chip was decapsulated and examined under a microscope.”
Um, isn’t the pin count and packaging mismatch a dead giveaway? I’m curious to know who they’re expecting to sell the fakes to. Who’s going to design a board with a 20 pin SOIC space for an eight pin chip that the spec sheet lists as available only as smart card inserts or uncut wafers?
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Have you considered the possibility that its not a commercial fake ? If I understand correctly, this chip is some sort of a memory firewall and the fake, being a buffer, just passes everything through. It would probably enable pure software attacks (possibly remote) against embedded devices that would otherwise require physical access and hardware mod’ing. I could speculate why some well-funded entity would want to floods the market with such fake and let manufacturers embed it in their devices, but thats anybody’s guess…
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHFe564R6EEd4FL5oRAk26AJwL8Pl3Z3wxE+o78A9ol6mdGPGA/gCZAXJk
BRBLkvFdwpcur0lmarTSZFs=
=1SfB
—–END PGP SIGNATURE—–
i’ve had to source a lot of ‘excess inventory parts’ because they haven’t been manufactured for many years (but i still need them) and i remember an entire date-code set of one opamp being completely non-functional as in “no diode connections between any pins”.
i’ve often wondered what was in that epoxy blob, i wouldnt be surprised if it was “nothing”!
sadly i think i threw them all out, if i find any left over how can i get the epoxy off for analysis?
It always amazes me the extent that counterfeiters will go to. This has just raised the bar in my mind.
J. Peterson: pin count aside, the package was convincing. I could believe that the manufacturer perhaps did a run in a 20-pin package that’s no longer documented or supported. This often happens on early runs of chips which have large dies–it wouldn’t fit in an 8-pin package, so they put it in a 20-pin package and wasted 12 of the pins. The pin-count mismatch is suspicious, but the quality of the fake markings is alarming.
ladyada: if you find one, mail it to me and we can get it decapped and have a look on the inside, or perhaps even easier I can take it to an x-ray machine and have a look before even trying decap.
Conspiracy theorist: for reasons I can’t state publicly, I’m fairly confident it was a faker and not an agency attempting to infiltrate systems. Or maybe I’m part of the agency, extending propaganda? ;-) Seriously, though–I hear your point about an agency, but substituting this chip with a 20-pin buffer would leave too big a functionality gap. Part of this chips responsibility is to compute RSA, so it does a lot more than just pass data through. An agency would probably emulate all the functions but just leave a back door in the microcode on the chip…much harder to detect, and much more effective.
ST, Infineon and other smartcard manufactuers commonly will rebond their die’s down into other packages at customers request.
Example- Scientific Atlanta SetTopBox (any of the digital boxes). The 44 pin TQFP part is really a ST19CF68 located on the bottom side of the PCB under or near the internal smartcard slot.
This is very strange.
The ST19CF68 chip is (was) usually used in pay-tv applications and AFAIK is only sold in a ROM configuration.
Also, ST doesn’t sell them to non-contract customers. Moreover, this kind of chip is of absolutely no use without your specific custom mask ROM inside.
The only “market” I see for these chips is to fool stupid pay-tv pirates with fake pirate cards or to use in clones of set top boxes with embedded security chips.
[…] When Bunnie isn’t hacking the Xbox, contributing to MAKE or cranking out open source Chumby’s he figuring out international chip counterfeiting mysteries… Fascinating read! – Link. […]
I know for a fact that ST has partnerships with other semiconductor companies that could explain why a Fairchild Semiconductor chip is in an ST package. The way the partnership works is that one of the semiconductor companies (Fairchild in this case) designs the chip and the other company (ST) buys the wafers from them, tests the devices, and sells them as their own. This practice provides a pseudo dual-source for their mutual customer as well as improving test throughput for high volume devices. Then when a next generation of the part is needed, ST may be the company that designs the parts and Fairchild would buy the wafers.
I don’t know what this really means for these exact chips but it does suggest that the precise packaging of a Fairchild part with an ST marking could have been done on purpose by ST.
[…] When Bunnie isn’t hacking the Xbox, contributing to MAKE or cranking out open source Chumby’s he figuring out international chip counterfeiting mysteries… Fascinating read! – Link. […]
O que que acham que no possvel falsificar?…
H pessoas que julgam no ser possvel falsificar circuitos integrados (e outras coisas…). O que que acham desta falsificao?…
Considering that the die and the packaging are ‘in sync’, is it possible that someone simply mislabelled the device? However, it should not have made it out of the factory if the proper Q/A was in place …
Anyone looking for this part and having received it, they would find out that they couldn’t even place it on the board. A true conterfeit/fake would have the proper packaging that matches the part number code.
I was going to say the same thing as JW. Homer Simpson is working at STMicro one day, and types in the wrong thing to the engraving machine, labeling a bunch of ‘244s as 19CF68s. The testing was already done on the bare dies, so they get packaged up and shipped to a customer or distributor. The distributor notices the unexpected marking and figures it was just a shipping error, so they sell the chips on to a surplus reseller without noticing that the markings don’t match the package. Someone notices the interesting chip number, buys them from the surplusser, and forwards them on to Bunnie. This scenario seems more likely to me than a counterfeiter very carefully forging a chip marking that no one who actually wants to use the chip would believe.
Many die are not packaged by the semiconductor manufacturer, but by a third party packaging house (Amkor is the one with which I’m most familiar), who packages semiconductors from many different manufacturers. Mistakes like this aren’t unheard of.
About fifteen years ago, I worked as a designer at a semiconductor manufacturer. We received prototypes of a new chip design from the packaging house, and we found them to be completely non-functional. After much head-scratching, someone thought to uncap the chips and we found not only that the die within wasn’t the one we had designed, but it was from another semiconductor company altogether!
I think there’s no conspiracy, simple fraud. A few years ago I bought at a fair some Fairchild F3817 NMOS LED clock chips for a few hundreds of Lire (Lire, RIP, now Euro). A few of them where working with minor malfunctions (e.g. snooze not working). I suspect it is common that malfunctioning components make it out of factories sometimes and are sold by unscrupulous employees. These would reach some Chinese fakers and voila’.
The real problem is when out of specs or die-soon devices are put into life-saving devices or things alike (e.g. air-bags). Major companies tend to
buy direct and not through stockist though.
I agree with those who say its simply a mislabeled package. They were discarded, but not destroyed, and picked up by someone else to sell, someone who may or may not know that they are mislabeled.
This part has been sandblasted, the Pin 1 indicator dot should be a shiny flat or concave surface.
If you look at the edges of the part they also look uneven, not nice sharp corners.
The reason I know this, I have used sandblasting and sanding to hide the part numbers on parts to prevent copying. Sandbalsting is bad in that it generates static electricity., but who cares when it’s fruad.
It might also been chemical etch. Does the bottom surface loot like the top?
I also have had parts printed upon again. There are loads of companies that do this as a service. Pretty easy to do, just look under prom programming services in a ee directory.
The package shows no sign of chemical or physical modification. The edges of the package still have the original flashing from the mold, and you can see that the leadframe is flush with the cut line where the package was broken from the mold. Sandblasting or chemical etching would have likely damaged such fragile features, or at least accentuated metal or plastic protrusions due to the differential in the erosion rate of the two. The top and the bottom have identical texture, and the bottom still bears crisp embossed characters that indicate the mold code.
I know that J. Peterson already talked about it, but I am really wondering who would buy some smartcard micromodule in SOIC-20 package ?
I mean, ST would have really missed something if their die was too big to fit in a micromodule. Like even if we consider that having a smartcard processor in a SOIC package could be useful, the package would be at least smaller as the ISO7816 requires smaller die dimensions than what fit in a SOIC-8.
However, you acquired some. How did you managed ?
Sand blasting with a silk screen or some other kind of mask so only the top surface is hit?
One interesting story about remarking chips comes from an old surplus store by the name of Mike Qiunns Electronics in Oakland, CA. Mr Quinn found out that they taking all the reject ICs to the asphalters to get rid of them by paving roads. He struck a deal with the asphalters to get the parts. He would then figure out what the parts were and re-test/mark them.
This was in the mid 70’s and were mostly opamps and 555s. The devices were off spec and vary widely. I used some of 555s, they were off by several decades between parts. They were marked as Q555 or Q741 with no date code. You will only find then in homebrew stuff from the 70’s.
Does anybody know an inexpensive way to permanently hide the laser etched marking on a chip? I am using a legitimate chip on a PWB which is being covered by a thermal pad for good heat transfer. I do not want anybody to know what type of chip this is but it is pretty easy to remove the thermal pad. Sanding and grinding are too labor intensive. Is there a paint/marker that is quick and easy to apply and does not take long to fully cure to allow me to cover the marking with minimal effect on the heat transfer?
http://www.eetimes.com/rss/showArticle.jhtml?articleID=206801296
I am not sure what the deal is over it being in a soic 20 pin package, the st19af08 comes in the same package. That had to be a mistake on the mispackaging though. How did you come across this chip? Did someone send it to you, or did you get a bunch that didnt work and decided to do some investigating?
Brooke
[…] Imagen de bunnie:studios – (Well Executed) Counterfeit Chips […]
[…] Imagen de bunnie:studios – (Well Executed) Counterfeit Chips […]
tell me what a data packet is smart ass!!!
Thanks!!! Nice post!
[…] Quocthai_BK (dịch từ Bunniestudios) […]
http://www.eetimes.com/news/semi/rss/showArticle.jhtml?articleID=222300994
The Top 10
Benny says:
September 21, 2010 at 3:16 am
hi wazzup… i just wanted to say that my Zuse Computer is freezing when I click on the links… are you using some javascript or something?
bunnie's blog is proudly powered by WordPress
Entries (RSS) and Comments (RSS).