Learning to Decapsulate Integrated Circuits Using Acid Deposition (jcjc-dev.com)
48 points by garaetjjte on Oct 21, 2020 | hide | past | favorite | 8 comments


I did this once when I worked in semiconductor to identify a counterfeit component. The basic process I used was the same as OP: dremel a pocket, slowly drip nitric acid to dissolve the package, and a bath with ultrasonic cleaning. Although I thought we used isopropyl alcohol instead of acetone. It's been a few years so my memory may be incorrect.

Looking at dies under a microscope is fascinating, especially if there is anyone around who can help explain what you're looking at. Sort of like exploring an alien robot civilization. :-)

In this case it turned out someone had taken one of our competitor's dies (probably a test reject), packaged it, and labeled it as ours. I'm not sure why they bothered with a die at all since it wasn't like it was pin compatible or even functional.


One more option for people with money: laser decap https://youtu.be/X8LjYct0cRw


Looks like the opposite; exposes the leads but leaves the IC covered.


Is this a method that, in the most extreme cases of needing to do it, could be used to try and recover data from memory? Like if someone's iPhone needed to be hacked by law enforcement? Would they try this, to read registers or memory directly?


It sure does :)

There's a couple of options. For hardwired ROM, you can sometimes just decap/delid your target device and check it out under a microscope. Take very high quality pictures, differentiate 1s from 0s simply by looking at it, and reconstruct the binary data in your computer. That's been done to extract private keys from smartcards (such a process was described in the book Murdoch's Pirates, where hackers would pull private keys off satellite TV cards, and use them to create and sell pirated cards).

Another option, more relevant to systems where the data is in regular EPROM/EEPROM/Flash/... is to attack the "read only" eFuse. The attack basically consists of decapping your target IC, finding the read-only eFuse, covering the memory area with black tape, and shining UV light on the eFuse. The photons will excite the electrons stuck in the cell, draining it, and enabling memory reads. At the end of the post I provided a link to Bunnie's blog where he does exactly that on a PIC target device, and manages to extract protected data.
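The optical ROM readout described above ends with "reconstruct the binary data in your computer". The following Python is an added example, not code from the comment, the linked article, or any project mentioned here: it takes a constructed grid of per-cell brightness values (what you would have after segmenting a die photograph into individual bit cells), finds a dark/bright threshold automatically instead of hand-tuning it per photo, packs the bits into bytes, and flags cells that sit too close to the threshold to be trusted without a second look. The function names, the bit-ordering convention, and the sample grid are assumptions made for illustration.

```python
"""Reconstruct bytes from per-cell brightness readings of a mask ROM photo.

Assumptions (not from the original thread): cells are already segmented
into a row/column grid, one reading per bit cell, 0..255 brightness, and
a bright cell means a 1 bit, most-significant bit first within each byte.
"""

# Constructed sample: 4 rows x 8 cells. Bright (~200) vs dark (~40) cells.
SAMPLE_CELLS = [
    [210, 35, 198, 40, 205, 42, 38, 201],   # 1 0 1 0 1 0 0 1 -> 0xA9
    [45, 44, 199, 206, 210, 39, 203, 37],   # 0 0 1 1 1 0 1 0 -> 0x3A
    [212, 211, 209, 40, 36, 43, 41, 200],   # 1 1 1 0 0 0 0 1 -> 0xE1
    [38, 205, 41, 204, 43, 207, 44, 208],   # 0 1 0 1 0 1 0 1 -> 0x55
]


def two_class_threshold(values, iterations=20):
    """Split intensities into two clusters (1-D k-means, k=2) and return the
    midpoint between the cluster means. Lighting varies between photos, so
    a fixed cut-off such as 128 is unreliable; this adapts to the data."""
    lo, hi = min(values), max(values)
    if lo == hi:
        raise ValueError("no contrast between cells; cannot separate bits")
    t = (lo + hi) / 2
    for _ in range(iterations):
        dark = [v for v in values if v < t]
        bright = [v for v in values if v >= t]
        if not dark or not bright:
            break
        new_t = (sum(dark) / len(dark) + sum(bright) / len(bright)) / 2
        if abs(new_t - t) < 1e-6:
            break
        t = new_t
    return t


def cells_to_bits(cells, threshold, bright_is_one=True):
    """Map each cell reading to a 0/1 bit using the given threshold.
    bright_is_one=False handles ROMs where a dark cell encodes a 1."""
    return [[int((v >= threshold) == bright_is_one) for v in row] for row in cells]


def bits_to_bytes(bit_rows, msb_first=True):
    """Pack each row of bits into bytes, 8 bits per byte. Bit order within a
    byte is a property of the ROM layout, so it is a parameter, not a guess."""
    out = bytearray()
    for row in bit_rows:
        if len(row) % 8:
            raise ValueError("row length must be a multiple of 8")
        for i in range(0, len(row), 8):
            chunk = row[i:i + 8]
            if not msb_first:
                chunk = chunk[::-1]
            value = 0
            for b in chunk:
                value = (value << 1) | b
            out.append(value)
    return bytes(out)


def ambiguous_cells(cells, threshold, margin=20):
    """Return (row, col) of cells whose brightness is within `margin` of the
    threshold. These are the readings a human should re-check in the photo
    before trusting the reconstructed bytes."""
    return [(r, c) for r, row in enumerate(cells)
            for c, v in enumerate(row) if abs(v - threshold) < margin]


def decode(cells, msb_first=True, bright_is_one=True, margin=20):
    """Full pipeline: threshold -> bits -> bytes, plus a list of doubtful cells."""
    flat = [v for row in cells for v in row]
    t = two_class_threshold(flat)
    bits = cells_to_bits(cells, t, bright_is_one)
    return bits_to_bytes(bits, msb_first), t, ambiguous_cells(cells, t, margin)


if __name__ == "__main__":
    data, threshold, doubtful = decode(SAMPLE_CELLS)
    print("threshold: %.1f" % threshold)
    print("bytes:", data.hex())
    print("cells to re-check:", doubtful)
```

The value of the ambiguity list is that a single mis-read cell silently corrupts a byte, so the decoder reports marginal readings rather than committing to them; in practice the same grid is usually captured twice and the two decodes compared before anything is trusted.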


RAM and registers are volatile memory, meaning they lose information when their power source is cut. In computer forensics, RAM is usually captured before shutting down the computer.


Ah, I see -- or say, for example, grabbing the fused unique device hash that's used to encrypt all files in NVRAM?


We had older tech parts that had physical fuses that could be observed with a microscope, and in fact, were observed with a microscope during wafer test to verify they had been properly burnt in. So what you're saying is plausible. I've been out of semiconductor for about a decade so I'm hesitant to speak to something in a modern iPhone.

More interesting to me was how we would package the same part differently and sell it at different price points depending on how much functionality was brought out. You might decap a $10 part with X amount of I/O, cores, memory, etc and a $20 part with Y and find the exact same die. If the testing process was really sophisticated the $10 part would have a defect in the unused portion that made it more economical to down rate it than throw it away, but more often, it was just cheaper to maintain a single set of masks and sell the same die in multiple packages.



