Android Hardware Reverse Engineering

The Full Stack: Android SoC Decapping, Die Stitching, and Microarchitecture Mapping Tutorial


Introduction to Android SoC Hardware Reverse Engineering

Delving into the intricate world of Android System-on-Chips (SoCs) offers unparalleled insights into their design, security mechanisms, and potential vulnerabilities. This expert-level tutorial guides you through the entire process of exposing an SoC’s silicon die, capturing high-resolution images, and stitching them together to create a comprehensive map of its internal microarchitecture. From the delicate art of chemical decapsulation to sophisticated image analysis, understanding these techniques is crucial for advanced hardware reverse engineering and security research.

The journey begins with carefully removing the protective packaging, continues through the meticulous capture and assembly of microscopic images, and culminates in the identification of key functional blocks like CPU cores, GPUs, and memory controllers. This hands-on approach provides a foundational understanding for anyone looking to perform deep-dive hardware analysis on mobile platforms.

Part 1: SoC Decapping – Exposing the Silicon Die

Decapsulation, or decapping, is the process of removing the protective epoxy packaging around an integrated circuit (IC) to expose the bare silicon die. This step requires precision, specialized tools, and strict safety protocols due to the use of corrosive chemicals.

1.1 Essential Tools and Safety Protocol

Before beginning, ensure you have the following:

  • Safety Gear: Chemical-resistant gloves, full-face shield, lab coat, fume hood (absolutely critical).
  • Chemicals: Fuming nitric acid (HNO3) or sulfuric acid (H2SO4), acetone, isopropyl alcohol (IPA).
  • Equipment: Hot plate (with ceramic top), glass beakers/petri dishes, fine-tip tweezers, dissection microscope with variable magnification, ultrasonic cleaner, syringe with blunt needle.
  • Epoxy Removal Tools: Dremel with fine grinding bit, scalpel, sandpapers (fine grit).

Safety First: Always work in a well-ventilated fume hood. Nitric acid produces highly corrosive fumes. Wear all personal protective equipment. Have an emergency eye wash station and a chemical spill kit readily available.

1.2 Mechanical Preparation

Start by carefully isolating the SoC from the Android device’s PCB. If the SoC is BGA-packaged, you may need to de-solder it. Once isolated, the initial layer of epoxy can often be mechanically removed.

# Step 1: Isolate the SoC from the PCB. Use a hot air rework station.
# Example: Carefully heat the area around the SoC to approximately 250-300°C.
# Apply flux and gently lift the SoC using tweezers or a vacuum pen.

# Step 2: Mechanical grinding to reduce epoxy bulk.
# Under a dissection microscope, use a Dremel with a fine grinding bit (e.g., diamond tip)
# to carefully remove as much epoxy as possible without touching the die or bond wires.
# This reduces the amount of chemical etching required.

1.3 Chemical Decapsulation Process

The core of decapping involves chemically dissolving the remaining epoxy.

  1. Pre-heat: Place the prepared SoC (die-side up) in a glass petri dish on a hot plate, pre-heated to 120-150°C.
  2. Acid Application: Using a blunt-tip syringe, apply a few drops of fuming nitric acid directly onto the remaining epoxy. The heat will accelerate the reaction. The epoxy will turn dark brown and release fumes.
  3. Etching & Monitoring: Continuously observe under the microscope. The acid will bubble and etch away the epoxy. Re-apply acid as needed, ensuring it doesn’t dry out. The process can take 5-30 minutes, depending on the epoxy type and thickness.
  4. Cleaning: Once the die is fully exposed and clean, carefully remove the SoC from the hot plate. Quench the reaction by dousing the chip with acetone, then rinse thoroughly with IPA and deionized water.
  5. Ultrasonic Bath: A brief ultrasonic bath in IPA can help remove any stubborn residue, but be cautious not to damage the delicate bond wires if still present.

Part 2: High-Resolution Die Photography and Stitching

With the silicon die exposed, the next step is to capture high-resolution images and stitch them into a single, comprehensive view.

2.1 Microscope Setup for Die Imaging

You’ll need a metallurgical microscope with high magnification (e.g., 50x, 100x, 200x objectives) and a digital camera attachment. Proper illumination is crucial: use brightfield for general overview and darkfield for revealing subtle surface features and defects.

Ensure your microscope’s stage is precise and can move incrementally to capture overlapping fields of view consistently. Calibration with a stage micrometer is essential to determine pixel-to-micron ratios at each magnification.

2.2 Systematic Image Acquisition

The die is typically too large to capture in a single high-resolution shot. Therefore, you’ll take hundreds or thousands of overlapping images, creating a mosaic.

  1. Grid Planning: Determine the overlap percentage (e.g., 20-30%) between adjacent images. This overlap is crucial for reliable stitching.
  2. Automated Stage: Ideally, use a motorized microscope stage controlled by software to systematically move across the die and trigger image captures. If manual, be meticulously consistent.
  3. Focus & Lighting: Maintain consistent focus and lighting across all images to ensure uniform quality and prevent stitching artifacts.
  4. Image Format: Save images in a lossless format like TIFF or PNG to preserve maximum detail.
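
The grid planning and calibration steps above can be turned into a capture plan before the first image is taken. The following is an added example, not code from the original tutorial; the function names, the zero-padded row_col file names, and the die and camera dimensions are assumptions chosen for illustration.

```python
import math

def um_per_px(micrometer_span_um, measured_span_px):
    """Calibration: a known stage-micrometer span divided by its length in pixels."""
    return micrometer_span_um / measured_span_px

def plan_grid(die_w_um, die_h_um, fov_w_px, fov_h_px, scale_um_per_px, overlap=0.25):
    """Return (rows, cols, tiles); a tile is (filename, x_um, y_um) of its top-left corner."""
    if not 0 <= overlap < 1:
        raise ValueError("overlap must be in [0, 1)")
    fov_w = fov_w_px * scale_um_per_px      # field of view in microns
    fov_h = fov_h_px * scale_um_per_px
    step_x = fov_w * (1 - overlap)          # stage travel between neighbouring tiles
    step_y = fov_h * (1 - overlap)
    max_x = max(0.0, die_w_um - fov_w)      # last position that still stays on the die
    max_y = max(0.0, die_h_um - fov_h)
    cols = math.ceil(max_x / step_x) + 1
    rows = math.ceil(max_y / step_y) + 1
    tiles = []
    for r in range(rows):
        # Serpentine scan: reverse odd rows so the stage never makes a full-width return move.
        order = range(cols) if r % 2 == 0 else range(cols - 1, -1, -1)
        for c in order:
            # Clamp the final row/column to the die edge; its overlap only gets larger.
            x = min(c * step_x, max_x)
            y = min(r * step_y, max_y)
            tiles.append((f"{r:03d}_{c:03d}.tiff", round(x, 1), round(y, 1)))
    return rows, cols, tiles

if __name__ == "__main__":
    # Constructed numbers: 10 x 8 mm die, 2000 x 1500 px camera, 100 um spans 200 px.
    scale = um_per_px(100.0, 200.0)
    rows, cols, tiles = plan_grid(10_000, 8_000, 2000, 1500, scale, overlap=0.25)
    print(rows, cols, len(tiles), tiles[0], tiles[cols], tiles[-1])
```

Each tuple gives the file name to save and the stage position to move to, so the same plan drives either a motorized stage or a manual checklist.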

2.3 Die Stitching Software and Workflow

Specialized software is used to combine the many individual images into one seamless, high-resolution panorama.

# Example: Using Hugin (open-source panorama photo stitcher)
# 1. Prepare images: Ensure consistent naming (e.g., row_col.tiff).
# 2. Generate control points automatically.
#    Hugin can automatically find overlapping features. For very large mosaics,
#    you might need custom scripts or more specialized tools.
# 3. Optimize lens parameters and image positions.
#    This corrects for any distortions or misalignment.
# 4. Stitch and output the final image.
#    For example, to stitch all TIFF files in a directory with Hugin's
#    command-line tools (die.pto is an example project file name):
#    pto_gen -o die.pto *.tiff
#    cpfind --multirow -o die.pto die.pto
#    autooptimiser -a -m -l -s -o die.pto die.pto
#    hugin_executor --stitching --prefix=final_stitched_die die.pto

# More advanced tools for very large die images might involve custom Python scripts
# utilizing libraries like OpenCV for feature matching and image registration.
import cv2

# Feature matching between two overlapping tiles.
# The file names are examples that follow the row_col.tiff convention above.
img1 = cv2.imread("0_0.tiff", cv2.IMREAD_GRAYSCALE)
img2 = cv2.imread("0_1.tiff", cv2.IMREAD_GRAYSCALE)
orb = cv2.ORB_create()                      # ORB keypoint detector and binary descriptor
kp1, des1 = orb.detectAndCompute(img1, None)
kp2, des2 = orb.detectAndCompute(img2, None)
bf = cv2.BFMatcher(cv2.NORM_HAMMING, crossCheck=True)  # Hamming distance suits ORB descriptors
matches = bf.match(des1, des2)
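
When the stage position of every tile is known, registration only has to refine that nominal offset by a few pixels. The sketch below is an added example, not part of the original tutorial: it swaps ORB feature matching for an exhaustive search around the stage-reported offset so that it runs with the standard library alone, and the scene, tile sizes, and offsets are constructed test data.

```python
import random

def crop(img, x, y, w, h):
    """Cut a w x h tile whose top-left corner is at (x, y)."""
    return [row[x:x + w] for row in img[y:y + h]]

def mean_abs_diff(a, b, dx, dy):
    """Mean absolute difference where tile b, placed at (dx, dy) in a's frame, overlaps a."""
    total = count = 0
    for y in range(max(0, dy), min(len(a), len(b) + dy)):
        for x in range(max(0, dx), min(len(a[0]), len(b[0]) + dx)):
            total += abs(a[y][x] - b[y - dy][x - dx])
            count += 1
    return total / count if count else float("inf")

def register(a, b, nominal, search=3):
    """Refine the stage-reported offset of tile b relative to tile a.

    Only offsets within +/- search pixels of the nominal value are tried,
    which keeps the search small and bounded by the stage's repeatability.
    """
    nx, ny = nominal
    candidates = [(nx + i, ny + j)
                  for j in range(-search, search + 1)
                  for i in range(-search, search + 1)]
    return min(candidates, key=lambda off: mean_abs_diff(a, b, *off))

# Constructed data: a 64 x 32 pseudo-random "die surface" and two 32 x 24 tiles.
rng = random.Random(1)
SCENE = [[rng.randrange(256) for _ in range(64)] for _ in range(32)]
TILE_A = crop(SCENE, 0, 0, 32, 24)
TILE_B = crop(SCENE, 25, 2, 32, 24)   # true offset (25, 2); the stage reported (24, 0)

if __name__ == "__main__":
    print(register(TILE_A, TILE_B, nominal=(24, 0)))
```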

Part 3: Microarchitecture Mapping and Analysis

With a fully stitched die image, the true reverse engineering begins: identifying and mapping the different functional blocks of the SoC.

3.1 Identifying Functional Blocks

This stage combines visual pattern recognition with knowledge of typical chip architectures.

  • CPU Cores: Often appear as distinct, complex blocks with tightly packed logic gates and multiple levels of cache memory (SRAM cells will look like repetitive arrays). They usually have distinct instruction fetch/decode, execution units, and register files.
  • GPU: Graphics processing units are typically large, highly parallel structures. Look for arrays of execution units, texture units, and rasterizers. Their layout often appears more regular and repetitive than general-purpose CPU logic.
  • Memory Controllers: Often situated near the edges of the die, adjacent to where external memory interfaces (like LPDDR) would connect. They feature arbitration logic and buffers.
  • SRAM/DRAM Blocks: Distinguished by their highly repetitive, grid-like cell structures. They are usually compact and easily recognizable.
  • Analog/Mixed-Signal Blocks: Power management units (PMUs), PLLs, ADCs/DACs often have less regular, more ‘organic’ layouts with larger transistors, inductors, and capacitors.
  • Peripherals: USB controllers, PCIe interfaces, image signal processors (ISPs), and network controllers will have specific, identifiable logic blocks, sometimes with dedicated memory buffers.

3.2 Advanced Mapping Techniques

Comparing your die shots with publicly available block diagrams, patent filings, or even other researchers’ annotated die photos can provide significant clues. Advanced analysis might involve:

  • Power Gating/Clock Gating Analysis: Identifying isolated power domains or clock trees can help delineate functional units.
  • Gate-Level Reverse Engineering: For critical small sections, individual standard cells or even transistor layouts can be identified and analyzed. This is extremely time-consuming but yields the deepest understanding.
  • Automated Feature Detection: Using image processing algorithms to identify repeating patterns or structural anomalies can assist in segmenting the die.

# Conceptual pseudo-code for automated block identification
# function analyze_die_segment(segment_image):
#   density = calculate_logic_density(segment_image)
#   pattern_matches = detect_repeating_patterns(segment_image)
#   if density > high_threshold and
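
One way to detect the repetitive cell structure that marks SRAM-style arrays is to look for a peak in the autocorrelation of a tile's column intensities. This is an added example, not code from the original tutorial; the function names, the 0.6 threshold, and the three constructed tiles are assumptions, and only the horizontal pitch is measured.

```python
import random

def column_profile(tile):
    """Mean intensity of each column of a grayscale tile (a list of rows)."""
    h = len(tile)
    return [sum(row[x] for row in tile) / h for x in range(len(tile[0]))]

def autocorr(profile):
    """Normalised (biased) autocorrelation r[lag] for lag 0 .. n//2."""
    n = len(profile)
    mean = sum(profile) / n
    d = [v - mean for v in profile]
    energy = sum(v * v for v in d)
    if energy == 0:                       # perfectly flat region: nothing repeats
        return [0.0] * (n // 2 + 1)
    return [sum(d[i] * d[i + lag] for i in range(n - lag)) / energy
            for lag in range(n // 2 + 1)]

def cell_pitch(tile, threshold=0.6):
    """Return the horizontal cell pitch in pixels for a regular array, else None.

    A lag counts only if it is a local peak: a single edge or brightness ramp
    has high correlation at small lags but no peak, so it is rejected.
    """
    r = autocorr(column_profile(tile))
    peaks = [(r[k], k) for k in range(2, len(r) - 1)
             if r[k] >= threshold and r[k] > r[k - 1] and r[k] >= r[k + 1]]
    return max(peaks)[1] if peaks else None

# Constructed 64 x 16 tiles (not real die data).
W, H = 64, 16
ARRAY_TILE = [[200 if x % 8 < 2 else 60 for x in range(W)] for _ in range(H)]   # line every 8 px
EDGE_TILE = [[60 if x < W // 2 else 200 for x in range(W)] for _ in range(H)]   # one block boundary
rng = random.Random(7)
NOISE_TILE = [[rng.randrange(256) for _ in range(W)] for _ in range(H)]         # irregular texture

if __name__ == "__main__":
    for name, tile in (("array", ARRAY_TILE), ("edge", EDGE_TILE), ("noise", NOISE_TILE)):
        print(name, cell_pitch(tile))
```

Multiplying the returned pitch by the calibrated microns-per-pixel value gives a physical cell pitch that can be compared between candidate memory blocks.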
