Integrated circuits are the beating heart of every modern device—from routers and sensors to the automotive ECUs your shop tests during incident response work. When an investigation hinges on understanding what's physically happening inside a chip, we sometimes need to go deeper than firmware dumps or JTAG pads. That is where IC decapsulation comes into play.

Decapping is the controlled removal of the protective packaging that houses a silicon die. At TKOResearch, we approach this not as a curiosity but as a forensically defensible, highly controlled laboratory procedure that helps us answer questions like:

Is this chip counterfeit or remarked?
Was this component damaged due to electrical overstress or by design?
Do internal structures match the vendor's stated specifications?
Is there evidence of physical tampering, implants, or side-channel modifications?

This post walks through how we routinely decap chips in our lab—from preparation and chemical safety to imaging and analysis—highlighting workflows, tooling, and safety controls we've designed to meet a professional R&D and investigative standard.

Why Decap an IC?

IC decapsulation enables multiple forensic views:

1. Authenticity Verification

Counterfeit components often have mismatched die sizes, incorrect mask revisions, or repackaged dies from different vendors. Removing the encapsulant exposes these inconsistencies.

2. Failure Analysis

For root-cause investigations—e.g., a failed EPS MCU in an automotive unit or an anomalous sensor behavior—we evaluate:

Bond wire integrity
ESD damage
Die cracks
Metallization burn-ins

3. Security Research

For hardware security, we may analyze:

ROM mask contents
OTP structures
Fuses
Tamper-evident coatings
Embedded security modules

Our Lab Workflow for Chip Decapsulation

Below is the professional-tier process used in our forensics environment. It assumes proper fumehood infrastructure, PPE, and chemical handling controls—all of which we maintain under ISO-aligned SOPs.

1. Component Intake & Documentation

Every chip undergoes a formal intake:

Chain-of-custody creation

ICs get logged with:

Case ID
Source evidence
Serial numbers / package markings
High-res pre-decap photography

Vendor datasheet correlation

We note:

Package type (e.g., SOIC-8, QFN-48, BGA)
Expected die size
Bond pad layout
Fuse map location (if documented)

Non-destructive imaging

Depending on the case, we may first use:

Stereo microscope photography
X-ray imaging to preview bond wires and die placement
Acoustic microscopy for delamination

This ensures our decap step is targeted and justified.

2. Selective Material Removal Strategy

Different chips require different approaches. The three we commonly use:

A. Chemical Decapsulation (Acid Etch)

This is the gold standard for epoxy-packaged ICs because it preserves bond wires and die features.

We use:

Fuming nitric acid (HNO₃) for bulk epoxy removal
Sulfuric acid (H₂SO₄) sometimes for harder molding compounds
Temperature-controlled acid cup inside a ducted fume hood

Our safety stack includes:

Face shield, acid apron, neoprene gloves
Full GHS labeling / NFC-tagged reagent bottles
Spill kit + calcium carbonate neutralizer
Continuous air quality monitoring via HELIX sensors (CO, VOCs, particulates)

Workflow snapshot:

Secure the chip in a PTFE or ceramic holder
Preheat acid bath in controlled micro-etch station (80–120 °C depending on resin)
Introduce minimal acid volume to the package center
Monitor under microscope until the die surface appears
Rinse in DI water then isopropanol to remove residual acid
Dry using warm air or vacuum desiccation

Chemical methods give the cleanest results but require heavy lab controls—which we have.

B. Mechanical Decapsulation

Used when chemical methods are unsafe for the device or unnecessary.

Tools:

Precision vise
Rotary tool with diamond burrs
End mills
Micro-sandblaster (alumina)

This approach removes package layers gradually. It is slower and risks damaging bond wires, but it avoids reactive acids and works well for ceramic packages.

C. Plasma Decapsulation

A non-liquid, low-damage method for sensitive chips.

Uses:

O₂ or CF₄ plasma reactors
Ideal for high-security devices with thin passivation layers

This method is clean and preserves metallization but is slower and requires expensive hardware.

3. Exposing the Die

Once the encapsulant is thinned or removed, we transition to manual precision:

Micro-scalpel trimming

Remove remaining shards of resin around the die edges.

Bond wire preservation

We avoid disturbing ultrafine Au wires, documenting their condition meticulously.

Surface cleaning

We perform a final wash with:

Acetone
IPA (99%)
Light ultrasonic cleaning if safe for the die type

The goal is a clear optical path to the silicon.

4. Imaging the Die

Once exposed, the die becomes extremely fragile. Imaging is performed immediately.

Optical microscopy

We use:

Brightfield
Darkfield
Polarized
High-mag (up to ~1000×) for gate-level structure visualization

Digital stitching

Large dies require stitched panoramas. Our pipeline does automatic:

Focus stacking
Contrast normalization
Mask revision highlighting

SEM (Scanning Electron Microscopy)

When required, we use SEM for:

Metallization layer analysis
Failure features (voids, burn-in channels)
Gate structure confirmation
Counterfeit verification

5. Analysis & Reporting

After imaging, we translate the physical evidence into actionable insights.

Verification steps:

Die size → compare to vendor specs
Mask revision codes → confirm authenticity
Wirebond layout → check against expected topology
ESD damage → locate and classify
Over-voltage signatures → metallization migration, punch-through
Tamper evidence → coating penetration, unusual traces

DFIR Integration

For cases involving firmware manipulation or suspected hardware implants, we correlate:

ROM patterns
eFuse/OTP states
Security block configuration

All findings are logged in a defensible chain-of-custody report with annotated imaging.

6. Post-Processing & Long-Term Storage

The decapped chip is:

Placed in an anti-static, labeled micro-container
Cross-referenced with imaging dataset
Stored under controlled humidity
Tagged in our Vector/LabSense inventory with hazard class, storage zone, and evidence status

This ensures repeatability and legal defensibility.

Safety & Compliance Notes

Our lab is configured to safely handle corrosive and oxidizing acids required for chemical decapsulation under:

OSHA 1910.1200 (HazCom)
NFPA 45 and 30
ISO 17025-aligned SOPs
RCRA household hazardous waste exemptions (where applicable)

We employ:

Ducted fume hoods
Continuous VOC/NOₓ monitoring via HELIX sensor arrays
Secondary containment for acid vessels
Emergency eyewash and spill protocols

This allows us to perform sophisticated failure analysis while maintaining a safe, compliant environment.

Conclusion

IC decapsulation is one of the most powerful tools available in hardware forensics and security research. It moves the investigation from software claims to physical truth. Whether validating supply-chain integrity, uncovering electrical failures, or verifying that a component is what it claims to be, this workflow gives us a level of visibility otherwise impossible.

If you're building a security program, lab, or research capability—and want help implementing professional-grade hardware forensics—TKOResearch can design and deploy the entire capability stack, from fumehood and safety protocols to imaging workflows and DFIR integration.

Learn More About Our Hardware Forensics Capabilities

Hardware Forensics Services - Complete chip-off and IC decapsulation capabilities
OASIS Analytical Framework - Our comprehensive laboratory infrastructure
Strategic Intelligence & Advisory - Hardware security assessments

For immediate consultation: Secure Intake Line at 445-895-1790
For confidential inquiries: Signal at KevinBytes.42

TKOResearch: From silicon-level forensics to firmware analysis, we investigate at every layer of the technology stack.