Skip to main content

Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10146))


In this article, a methodology to extract Flash EEPROM memory contents is presented. Samples are first backside prepared to expose the tunnel oxide of floating gate transistors. Then, a Scanning Electron Microscope (SEM) in the so called Passive Voltage Contrast (PVC) mode allows distinguishing ‘0’ and ‘1’ bit values stored in individual memory cell. Using SEM operator-free acquisition and standard image processing technique we demonstrate the possible automating of such technique over a full memory. The presented fast, efficient and low cost technique is successfully implemented on 0.35 \(\mu m\) technology node microcontrollers and on a 0.21 \(\mu m\) smart card type integrated circuit. The technique is at least two orders of magnitude faster than state-of-the-art Scanning Probe Microscopy (SPM) methods. Without adequate protection an adversary could obtain the full memory array content within minutes. The technique is a first step for reverse engineering secure embedded systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. Bauer, E.: Low energy electron microscopy. Rep. Prog. Phys. 57(9), 895 (1994).

    Article  Google Scholar 

  2. Brown, W., Brewer, J.: Nonvolatile Semiconductor Memory Technology: A Comprehensive Guide to Understanding and Using NVSM Devices. IEEE Press Series on Microelectronic Systems. Wiley, New York (1997)

    Book  Google Scholar 

  3. Cole Jr., E.I.: Beam-based defect localization techniques. In: Ross, R.J. (ed.) Microelectronics Failure Analysis: Desk Reference, 6th edn., pp. 246–262. ASM International (2011)

    Google Scholar 

  4. Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: Increasing the efficiency of laser fault injections using fast gate level reverse engineering. In: IEEE International Symposium on Hardware-Oriented Security and Trust, HOST (2014)

    Google Scholar 

  5. Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: A high efficiency hardware trojan detection technique based on fast SEM imaging. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE 2015, Grenoble, France, 9–13 March 2015, pp. 788–793 (2015)

    Google Scholar 

  6. De Nardi, C., Desplats, R., Perdu, P., Beaudoin, F., Gauffier, J.-L.: Oxide charge measurements in EEPROM devices. Microelectron. Reliab. 45(9–11), 1514–1519 (2005). ISSN: 0026–2714

    Article  Google Scholar 

  7. De Nardi, C., Desplats, R., Perdu, P., Gurin, C., J.-L., G., Amundse, T.: Direct measurements of charge in floating gate transistor channels of flash memories using scanning capacitance microscopy. In: ISTFA 2006 (2006)

    Google Scholar 

  8. De Nardi, C.: Techniques d’analyse de défaillance de circuits intégrés appliquées au descrambling et à la lecture de données sur des composants mémoires non volatiles. Ph.D. thesis, Toulouse, INSA (2009)

    Google Scholar 

  9. Dhar, R., Dixon-Warren, S., Campbell, J., Green, M., Ban, D.: Direct charge measurements to read back stored data in nonvolatile memory devices using scanning capacitance microscopy (2013)

    Google Scholar 

  10. Dhar, R., Dixon-Warren, S., Kawaliye, Campbell, J., Green, M., Ban, D.: Read back of stored data in non volatile memory devices by scanning capacitance microscopy (2013)

    Google Scholar 

  11. Hanzii, D., Kelm, E., Luapunov, N., Milovanov, R., Molodcova, G., Yanul, M., Zubov, D.: Determining the state of non-volatile memory cells with floating gate using scanning probe microscopy. vol. 8700, p. 87000V–87000V-11 (2013)

    Google Scholar 

  12. Humes, T.: Ensuring data security in logic non-volatile memory applications: Floating-gate versus oxide rupture. In: Virage logic (2009)

    Google Scholar 

  13. Jenkins, M., Tangyunyong, P., Cole Jr., E., Soden, J., Walraven, J., Pimentel, A.: Floating substrate passive voltage contrast. In: ISTFA 2006 (2006)

    Google Scholar 

  14. Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. In: Proceedings of the USENIX Workshop on Smartcard Technology, WOST 1999, p. 2 (1999)

    Google Scholar 

  15. Konopinski, D.: Forensic applications of atomic force microscopy (2013)

    Google Scholar 

  16. Korchnoy, V.: Investigation of choline hydroxide for selective silicon etch from a gate oxide failure analysis standpoint (2002)

    Google Scholar 

  17. Ramkumar, K.: Cypress SONOS technology, Cypress (2008)

    Google Scholar 

  18. Skorobogatov, S.P.: Semi-invasive attacks - a new approach to hardware security analysis (2005)

    Google Scholar 

  19. Smith, G.: Addressing security concerns of flash memory in smart cards, Sharp (2005)

    Google Scholar 

  20. Smith, K.C., Wells, O.C., McMullan, D.: The fiftieth anniversary of the first applications of the scanning electron microscope in materials research. Phys. Procedia 1(1), 3–12 (2008)

    Article  Google Scholar 

  21. Sugawara, T., Suzuki, D., Fujii, R., Tawa, S., Hori, R., Shiozaki, M., Fujino, T.: Reversing stealthy dopant-level circuits. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 112–126. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44709-3_7

    Google Scholar 

  22. Torrance, R., James, D.: The state-of-the-art in IC reverse engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 363–381. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04138-9_26

    Chapter  Google Scholar 

  23. Watanabe, Y., Fukuda, Y., Jinno, T.: Analysis of capacitive coupling voltage contrast in scanning electron microscopy. Jpn. J. Appl. Phys. 24(10R), 1294 (1985)

    Article  Google Scholar 

  24. Weingart, S.H.: Physical security devices for computer subsystems: A survey of attacks and defences. In: Proceedings of the Cryptographic Hardware and Embedded Systems - CHES 2000, Worcester, MA, USA, August 17–18, 2000, pp. 302–317 (2000)

    Google Scholar 

  25. Zajac, C.: Protect your electronic wallet against hackers, Synopsys (2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Franck Courbon .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Courbon, F., Skorobogatov, S., Woods, C. (2017). Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy. In: Lemke-Rust, K., Tunstall, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2016. Lecture Notes in Computer Science(), vol 10146. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54668-1

  • Online ISBN: 978-3-319-54669-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics