China's first: DS28E01 and other original DALLAS-series chips no longer need to be replaced with STC parts

DS28E01 chip

Customers have been asking us about decrypting the DS28E01 series for a long time. Our engineering team, using advanced decryption equipment and techniques, has overcome the technical obstacles and cracked it successfully. The process is now mature and succeeds on the first attempt, which saves our customers real cost. Customers who need this service are welcome to contact us for a quotation and a discount. The other chips in the same series, such as DS2431/DS2432/DS2401/DS28E22/DS28EXX, present no difficulty either.

At present we achieve 100% success on the DS28E01, so there is no need to replace it with an STC microcontroller. We have a complete FIB (focused ion beam) solution for the DS28E01 and the related series that recovers the chip's secret directly.

The first and most common method is to dump and disassemble the firmware of the main control MCU, locate the routine that performs the authentication check, and either skip it outright or patch the comparison result in RAM. This is very effective but also very demanding: the person doing it must be fluent in the assembly language and architecture of whichever MCU is involved, understand how the authentication chip is used, and be at home with the development tools. It is also commercially awkward, because nobody can guarantee success before the work is done, and the firmware must be extracted from the MCU first. A customer who wants that firmware has to pay for extracting it up front, so the cost is incurred whether or not the final crack succeeds.

The second method is to replay the bus waveform recorded during a successful authentication. A slow bus can be emulated with an ordinary microcontroller; a high-speed protocol needs a CPLD. This only works if the host sends the same "random" challenge on every check: a recording of one exchange can then be played back indefinitely, whereas a host that draws a fresh challenge each time cannot be satisfied by any recording.

A brief introduction to DS28E01:
The DS28E01 talks to the MCU over a 1-Wire bus. There is not much to say about 1-Wire itself except that its timing is strict, with slots specified at microsecond resolution.
The DS28E01 has four memory areas:
Data memory (EEPROM): 4 pages of 32 bytes
Secret memory: 8 bytes
Register page: special-function and user bytes
Volatile scratchpad: 8 bytes

Over the bus the MCU can read and write the scratchpad freely, but it cannot write the other areas directly, and the secret can never be read back at all.
To write the data memory, load the initial secret, or write the register page, the MCU first writes the data into the scratchpad and then issues the corresponding command; the chip itself copies the scratchpad contents to the destination address.

Working principle:
The chip contains a SHA-1 (160-bit) engine. The input to the hash is a 55-byte message in a fixed format.
That message consists of the 8-byte secret, a 5-byte challenge (a random number supplied by the MCU), the 32 bytes of the EEPROM page, the 7-byte ROM ID, 2 fixed bytes of 0xFF, and 1 byte of EEPROM address (TA1).
The MCU reads the 20-byte MAC that the chip computes over this message and compares it with the MAC it has computed itself using the same algorithm.
Since the MCU must perform the same computation, it has to assemble exactly the same 55-byte message that the chip hashes internally. Where does each field come from?
The 8-byte secret: generated by the MCU and written into the chip at the factory. ->OK
The 5-byte challenge: the value the MCU wrote into the scratchpad before the chip ran SHA-1. ->OK
The 32-byte EEPROM page: the chip returns these 32 bytes before it returns the 20-byte MAC. ->OK
The 7-byte ROM ID: readable from the chip at any time. ->OK
The 2 fixed bytes: given in the datasheet. ->OK
The 1-byte TA1: the target address the MCU itself supplied. ->OK

Typical application process:
Process 1: Initialize the DS28E01 secret
The secret is loaded only once, at the factory, before the product ships.
Procedure:
1. Read the chip's ROM ID.
2. Derive a unique 64-bit secret from it with some algorithm, so that every board gets a different secret.
3. Write the secret to the chip's scratchpad and read it back to confirm it was written correctly.
4. Issue the chip's load-secret command so the chip copies the 64-bit value from the scratchpad into the secret memory.
5. Done.

Process 2: Verify the DS28E01 secret
Verification happens in the product itself. Every time the product starts, it checks that the DS28E01's secret is correct:
if the check passes the product runs normally; if it fails, the product is made to stop working by whatever means the designer chose.
Procedure:
1. Read the chip's ROM ID.
2. Derive the 64-bit secret from it using the same algorithm as in the initialization process.
3. Write an 8-byte random number to the chip's scratchpad (the chip uses 5 of these bytes as the challenge) and read it back to confirm it.
4. Send the authenticated-read command to the chip; it returns the 32-byte EEPROM page followed by the 20-byte MAC.
5. From the data above, assemble the 55-byte message and run SHA-1 over it.
6. Compare the MAC computed locally with the MAC read back from the chip.
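The following is a worked example I have added to this page; it is neither the page's own code nor Maxim's. It models the scheme described in the "working principle" section and in Process 1 and Process 2 above, with a software stand-in for the chip instead of a real 1-Wire bus, and it also shows why the page's second attack (waveform replay) works only against a host whose challenge never changes. Several points are assumptions and are labelled as such in the code: the page's "certain algorithm" for deriving the secret is replaced by an HMAC-SHA-256 of the ROM ID under a constructed master key; build_message() lays the 55 bytes out in the order the page lists them, whereas the real byte positions must be taken from the DS28E01 datasheet; which five scratchpad bytes form the challenge, and TA1 being the page's start address, are likewise guesses to check against the datasheet. Two details not stated on this page come from the device documentation rather than from it: Maxim's 1-Wire SHA devices return the five SHA-1 round registers without adding the initial constants H0..H4 back in (the variant implemented in sha33.c of Maxim's 1-Wire SDK), and they transmit the 20-byte MAC word E first, least significant byte first.

```python
import hashlib, hmac, os, struct

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed test key

def derive_secret(rom_id):
    """Placeholder for the page's 'certain algorithm': 8-byte secret unique per ROM ID."""
    assert len(rom_id) == 7
    return hmac.new(MASTER_KEY, rom_id, hashlib.sha256).digest()[:8]

def build_message(secret, challenge, page, rom_id, ta1):
    """55-byte MAC input. Field ORDER follows the page's list (assumption); the
    real byte positions come from the DS28E01 datasheet."""
    assert (len(secret), len(challenge), len(page), len(rom_id)) == (8, 5, 32, 7)
    msg = secret + challenge + page + rom_id + b"\xff\xff" + bytes([ta1 & 0xFF])
    assert len(msg) == 55
    return msg

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_one_block(msg55, omit_final_add):
    """SHA-1 over the single 64-byte block formed by 55 bytes + FIPS 180-1 padding.
    omit_final_add=True skips adding H0..H4 back after the 80 rounds, the variant
    Maxim's 1-Wire SHA devices compute (sha33.c in Maxim's 1-Wire SDK);
    False is plain SHA-1, used only by self_check() below."""
    assert len(msg55) == 55
    block = msg55 + b"\x80" + struct.pack(">Q", 55 * 8)     # length field 0x01B8
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    regs = [a, b, c, d, e]
    return regs if omit_final_add else [(x + y) & 0xFFFFFFFF for x, y in zip(regs, h)]

def self_check():
    """Plain-SHA-1 mode must agree with hashlib on a 55-byte message (one block)."""
    m = bytes(range(55))
    mine = b"".join(struct.pack(">I", x) for x in sha1_one_block(m, omit_final_add=False))
    return mine == hashlib.sha1(m).digest()

def regs_to_mac(regs):
    """20 bytes as the device transmits them: word E first, each word LSB first."""
    return b"".join(struct.pack("<I", x) for x in reversed(regs))

def device_mac(secret, scratchpad, page, rom_id, ta1):
    # assumption: scratchpad bytes 0..4 are the 5-byte challenge
    msg = build_message(secret, scratchpad[:5], page, rom_id, ta1)
    return regs_to_mac(sha1_one_block(msg, omit_final_add=True))

class SimulatedDS28E01:
    """Software model of the chip: the secret is write-only and never readable."""
    def __init__(self, rom_id):
        self.rom_id, self.scratchpad, self._secret = rom_id, bytes(8), bytes(8)
        self.pages = [bytes([p] * 32) for p in range(4)]      # constructed page data

    def write_scratchpad(self, data):
        assert len(data) == 8
        self.scratchpad = data

    def read_scratchpad(self):
        return self.scratchpad

    def load_first_secret(self):                  # Process 1, step 4
        self._secret = self.scratchpad

    def read_authenticated_page(self, page_no):   # Process 2, step 4
        page, ta1 = self.pages[page_no], page_no * 32   # assumption: TA1 = page start
        return page, device_mac(self._secret, self.scratchpad, page, self.rom_id, ta1)

class ReplayingImpostor(SimulatedDS28E01):
    """The page's second attack: hardware that plays back one recorded (page, MAC)
    pair. It holds no secret, so it passes only if the host's challenge repeats."""
    def __init__(self, rom_id, page, mac):
        super().__init__(rom_id)
        self.page, self.mac = page, mac

    def read_authenticated_page(self, page_no):
        return self.page, self.mac

def factory_install_secret(dev):                  # Process 1, steps 1-5
    secret = derive_secret(dev.rom_id)
    dev.write_scratchpad(secret)
    if dev.read_scratchpad() != secret:
        raise RuntimeError("scratchpad read-back mismatch")
    dev.load_first_secret()
    return secret

def host_verify(dev, page_no=0, challenge=None):  # Process 2, steps 1-6
    """True only if the chip's MAC matches one computed from the host's own secret.
    challenge=None draws a fresh random nonce, which is what defeats replay."""
    nonce = os.urandom(8) if challenge is None else challenge
    dev.write_scratchpad(nonce)
    if dev.read_scratchpad() != nonce:
        return False
    page, mac = dev.read_authenticated_page(page_no)
    expected = device_mac(derive_secret(dev.rom_id), nonce, page, dev.rom_id, page_no * 32)
    return hmac.compare_digest(mac, expected)
```

The host never learns the secret from the chip; it recomputes it from the ROM ID, which is exactly why the page's first attack targets the MCU firmware (where derive_secret and the comparison live) rather than the DS28E01. The ReplayingImpostor passes host_verify only when it is handed the same challenge that was recorded; with a fresh os.urandom challenge it fails, which is the whole value of step 3 in Process 2.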

Some other chip models we can crack:
DS2432, DS2431, DS2433, DS1961, DS1990A, DS1991, DS1205, DS1994, DS2405, DS1993, DS1992, DS1982, DS2502, DS1995, DS1985, DS2505, DS1996, DS1986, DS2506, DS1920, DS1820, DS2406, DS1983, DS2503, DS1971, DS2430A, DS1954, DS1955, DS1963S, DS1963L, DS2436.


About Well Done

Well Done Technology was established in 2008 and focuses on PCB reverse engineering, PCB assembly, and PCB design and manufacturing. Our technical team of more than 20 people includes senior engineers with extensive experience.
