Additional resources here: https://microwiki.org/wiki/index.php/Infrared

Backside analysis can include:
  * Imaging transistor layout without delayering
  * Imaging transistor activity using PMT, camera, etc for side channnel analysis
  * Laser fault injection, bypassing security meshes and other things usually in the way

This page is mostly geared towards fault injection, but general imaging is also lumped here.

Fabs often thin wafers and perform backside analysis to get at the transistors without going through metal.  [Functional IC Analysis] doesn't look like they thinned and they got pretty decent refsults.

[[http://jiam.utk.edu/new/PDF/Allied-Backside-Thinning.pdf|Sample preparation example]]

Summary:
  * General
    * Try on back thinned sample first to get started easier
  * Camera
    * Vidicon may have higher sensitivity but lower resolution than CCD
    * CMOS will give weak images and is generally not reccomended
    * Try CCD first
    * Recommended vidicon: Hamamatsu C2741-03
      * Sergei and Volodymyr both came to conclusion its decent for application
      * Cursory "IR vidicon" searches also point to it
  * Illumination
    * Halogen light + wafer works okay
    * Epi illumination may not produce good results
    * Tried IR LED, may be too weak
  * Laser
    * Required power: TBD
    * DIY: 3W c-mount diode + housing preliminary results good (~150 USD)
    * Commercial: 


https://www.riscure.com/uploads/2017/07/ringlight_datasheet.pdf
  * A lot of great information
  * Confirms observation that oblique illumination is required
  * Presents effects of surface reflection, such as how higher magnification can help eliminate
    * General issue: surface reflection severely limits seeing into the IC
    * High power LED illuminator (24 LEDs!)
  * General advice / pictures on polished vs unpolished
  * Other: Digikey search shows 1060 nm are the lowest cost IR LEDs between 1060 and 1550 nm @ ~$10 each
    * 25 LEDs => $250


https://link.springer.com/chapter/10.1007/3-540-36400-5_2
  * TODO: read paper

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.486.7647&rep=rep1&type=pdf
  * Near IR Absorption in Heavily Doped Silicon – An Empirical Approach

Simple Photonic Emission Analysis of AES
  * https://www.iacr.org/archive/ches2012/74280037/74280037.pdf
  * Great read on the subject

PICA
  * "Well known that well working gates emit light during switching"
  * "Emission is strongest when gate voltage is half of the drain voltage - the midpoint of the logic transition"
  * "PICA uses a strobed, intensified detector to gather spatial information and time information"
  * Specifically used a ring oscillator as an example of something it can image


====== Reference systems ======

===== SS =====

https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf

Hamamatsu C2741-03C  + Mituotyo NIR objections on FS60Y

Halogen lamP: Gilway L6409-G has gold coating that is more IR reflective

===== Volodymyr Pikhur =====

{{:volodymyr:ir:vp.jpg?400|}}

‏
Source: https://twitter.com/vpikhur/status/973583545351335936

https://twitter.com/vpikhur/status/976998977026453504

https://twitter.com/vpikhur/status/975161177528459264

<code>
(11:54:38 AM) vold: I know for sure tube from lamp house to trinocular prism has IR coating
(11:54:54 AM) vold: but I tried side illumination and didn't work either
(11:55:13 AM) vold: maybe prism reflects a lot of IR too

(11:58:51 AM) vold: I tried now ring illuminator and different optics
(11:59:04 AM) vold: it was great on small magnification

(12:51:32 PM) vold: I bought 3W 1064nm c-mount diode out of ebay
(12:51:52 PM) vold: https://www.ebay.com/itm/1064nm-3W-100-m-Aperture-C-Mount-Laser-Diode-/262694273052

(01:01:24 PM) vold: right now I'm using bench PSU with chinese c-mount housing
(01:02:01 PM) vold: https://www.ebay.com/itm/House-Housing-Heatsink-for-C-mount-Laser-Diode-LD-Module-33-80mm-w-Glass-Lens-/120921382858
</code>

Using CCD: https://www.ptgrey.com/chameleon-13-mp-mono-usb-2-sony-icx445-camera

Got a good high level backside image. Looks like a CSP on some random PCB

Includes:
  * Camera: Hamamatsu C2741-03
    * Vidicon type. Are these more sensitive?
  * Lens: random eBay Chinese lens
    * Tried Mitutoyo NIR 20x objective but didn't get good results. Why / what happened?
  * Illumination: halogen light + fiber


Alphanov presentation: http://conferenze.dei.polimi.it/FDTC17/shared/FDTC%202017%20-%20session%203.1.pdf
  * Spot	source:	980nm
  * Spot	power:	250mW
  * Sport	duration:	100ns	to	200ns
  * Spot	size:	1	to	10	microns

===== mcmaster PoC =====

Notes below

mcmaster TODO: try Brainscope illuminator(s). Order another fiber if necessary


===== Riscure / ALpHANOV =====

[[https://www.riscure.com/uploads/2017/09/Practical-optical-fault-injection-on-secure-microcontrollers.pdf|Riscure paper]]

Commercial solutions include:
  * [[http://www.alphanov.com/40-optoelectronics-systems-and-microscopy-single-spot-laser-station.html|Alphanov]]
  * [[https://www.riscure.com/security-tools/inspector-fi/|Riscure Inspector FI]]
  * ChipWhispherer has voltage glitching. Could probably rig something similar up for optical glitching


===== Sample commercial unit =====

With IR imaging and laser fault injection

Camera:
  * uEeye Cockpit
  * ueye IDS camera
  * U124xSE-NIR
    * Or maybe: UI24xSE-NIR
  * think its standard camera they removed IR filter
  * https://en.ids-imaging.com/store/produkte/kameras/usb-2-0-kameras/ueye-se.html


====== Camera ======

Excellent resource: https://github.com/cameras/camerasIR

TODO: understand what is best for this application:
  * Vidicon
  * CCD
  * CMOS

mcmaster: I bought an MU800 with the intention of removing the IR filter, but then I realized it also has color filters on the pixels. Ended up using a GW CMOS camera like came with Brainscope instead

{{:photonics.com:swir_ipt:swir_imaging_sensorsunlimited_figure1.jpg|}}

Above: "Figure 1. The electro-optical spectrum shows the relationship of the visible, short-wave infrared, mid-wave infrared and long-wave infrared wavelength bands. Also illustrated are the response curves for detectors in the visible and short-wave IR." [SWIR IPT]

"InGaAs cameras have been replacing near-IR vidicon tubes in furnace inspection applications due to their high resolution, low lag, long lifetime, and superior signal-to-noise performance." [SWIR IPT] Think this is primarily thermal focused though?

{{:misc:ast_det:qecurves-vardetec.jpg?400|}}

Above: Vidicon seems to have pretty bad efficiency in SWIR? Data is not explicitly given though. [[http://www.faculty.virginia.edu/rwoclass/astr511/im/QEcurves-vardetec.jpg|Source]]

Some good choices for cameras might be:
  * Astronomy cameras. Apogee seems to be pretty popular and had a few <$1000 USB options on eBay
    * Ex: Alta U2
      * 1536 x 1024, 9 x 9 micron pixels
      * 5 MHz 12-bit and 1 MHz 16-bit digitization
      * Programmable, intelligent cooling to 50 ° C below ambient
      * Linear Full Well (typical): 100K electrons
      * Peak QE (640 nm): 82% (1603ME)
      * Imaging Area: 13.82 x 9.22 mm (127 mm2)
      * Video out: USB
      * Exposure Time: 30 milliseconds to 183 minutes (2.56 microsecond increments)
      * Dark Current (typical): 0.1 e - /pixel/sec (-25 ° C)
  * Gel cameras? Alpha Innotech had a bunch. I think these are cooled CCDs
    * Ex: AlphaImager HP System
      * 1.4 Megapixel camera with 12 bit A/D
      * Full well capacity: 32,000 e-
      * Read noise: 31 e- rms
      * Dark current: 2e-/p/s
      * Video out: composite?


====== Illumination ======

mcmaster: I also might put silicon wafer in the imaging path to filter out the visible light. Unclear if my microscope optics can pass the IR light, say, even the relay lens. But I suppose if they have an IR filter it must pass some?. Ordering some IR lasers

mcmaster: ordered some IR LEDs. Going to try to make a ring illuminator


====== Optical fault injection ======

Basic idea: change how the circuit switches current in order to introduce a glitch. For a combinitorial circuit you probably want a CW laser to keep the glitch active. If its a CPU, you probably want a pulsed laser to trigger the glitch for a short period of time

{{:backside:transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-ir.png?400|}}

Above: "FIGURE 3.1 Transmission spectrum of crystalline silicon from the visible to the near-IR." ([[https://www.researchgate.net/figure/Transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-IR_fig1_235941520|source]])

In its simplest form, a CSP can be strobed with a camera flash

You need to excite the silicon with a photo of wavelength no more than 1.1 um (reference: "1234.5eV⋅nm/1.1eV is about 1100 nm. Putting 1100 back into the denominator yields 1.1 eV" (link))

[[https://www.cl.cam.ac.uk/~sps32/ches2010-bumping.pdf|Sergei paper]] references using 1065 nm laser. The paper shows using IR objectives. So maybe a broadband source would work okay too.

{{:fi:optical:transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-ir_mod.png?400|}}

Above: silicon transmission marked with bandgap and for 980 nm laser (commonly available)

Possible sources:
  * Photo flash, such as with mask
  * 980 nm laser will have high attenuation (roughly 2% transmittance), but should work if power is high enough
    * Specifically? Maybe 100's of mW, maybe even 500. Needs testing
  * 1065 nm (ie 1064 nm from Nd:YAG) and such is probably ideal
    * Must Nd:YAG are flashlamp pumped
    * Depending on glitch target might want either flashlamp or diode pumped

2018-02-20: bought some sources:
  * [[https://www.ebay.com/p/1064nm-100mw-IR-Infrared-Laser-Dot-Module-Analog-ttl-Tec-Cooling-Power/833847393?iid=132172313240&opts=opick|1064nm 100mw IR Infrared Laser Dot Module Analog/ttl Tec Cooling Power]]
    * $500 shipped
    * Did not get this in the end
    * Instead: https://www.ebay.com/itm/1064nm-100mW-IR-Laser-Dot-Module-TTL-Analog-TEC-Power-Digital-Display-Adjust/132172318363
  * [[https://www.ebay.com/itm/Focusable-0-8W-800mW-980nm-Infrared-IR-Laser-Diode-Module-12V-w-TTL-Driver-Out/322348588190?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649|Focusable 0.8W 800mW 980nm Infrared IR Laser Diode Module 12V w/TTL & Driver Out]]
    * $133
  * [[https://www.ebay.com/itm/27mm-Laser-Filter-Blue-Green-Red-400nm-750nm-thru-Infrared-IR-808nm-1064nm/382179180418?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649|27mm Laser Filter Blue Green Red 400nm-750nm thru Infrared IR 808nm-1064nm]]
    * $8 each
    * Also will try silicon wafers as filters
  * Need to order another MU800? Check inventory
    * Have 3: 1 for pr0nscope, 1 for inspection scope, 1 for brainscope
    * Could also use another one for k2scope and one for this
    * Order 2 more?

2018-03-12
  * https://twitter.com/johndmcmaster/status/973413083749076992
  * PoC worked!
    * IR filter placed on top of objective (where illuminator mounts)
      * Focused using visible light initially
      * Then installed IR filter
    * Random CCD camera from eBay (GW202D or something like that)
    * Heatlamp placed very close
      * High heat, not sustainable
    * Mituotyo NIR 10x objective
    * Used 2x filter 
  * Ordered some IR LEDs last night
    * 1125-1416-ND: EMITTER IR 1060NM 5MM RADIAL
    * 1125-1331-ND: SWIR EMITTER 1200NM 1206 SMD
  * Order 2x more filter
    * Broke one
    * Want some spare
  * TODO: try silicon wafer as filter
    * Think I have a small one
    * Alternatively cut down a wafer

====== BJT emission ======

https://lab.whitequark.org/notes/2014-06-14/transistor-as-a-light-source/

https://twitter.com/whitequark/status/1119454148766961665

https://twitter.com/frickler01/status/1119559064164417536


====== References ======

  * http://nedos.net/host2012.pdf 
  * http://conferenze.dei.polimi.it/FDTC10/shared/FDTC-2010-keynote-2.pdf
    * Laser fault injection
  * SWIR IPT: https://www.photonics.com/a25134/SWIR_Imaging_An_Industrial_Processing_Tool
  * http://tima.univ-grenoble-alpes.fr/alfa-nicron/documents/seminar%20PUCP_pouget_2007.pdf
    * Has a good overview of OBIC and other optical stuff
    * TODO: need a page on these other techniques
  * https://www.emse.fr/~dutertre/doc_recherche/C_2010_1_PASTIS2010.pdf
  * https://twin.sci-hub.tw/6668/565d852b8454ae1cb3ef135fadb6defe/vasselle2017.pdf#view=FitH
  * https://eprint.iacr.org/2018/717.pdf Xilinx key extraction