The DS28E01/DS2430/DS2431 chips are widely used in medical/printer and other related consumables due to their good encryption and stability. Therefore, more and more customers are consulting the reverse cracking of these chips. We have made a breakthrough in this series of models, and has successfully reversed relevant cases for many customers, with rich experience.
DS28E01 is a chip that integrates 1024-bit eeprom. The eeprom has 4 pages, each page is 256 bits, including 64-bit key/64-bit ROM serial code/512-bit SHA-1 engine/register page, etc. The data is transmitted through the 1-wire protocol, and the rate is divided into two types: high-speed mode and standard mode. At the same time, only 2 IO ports are required for data transmission, which saves the occupation of IO ports to the greatest extent.
There are 4 memory areas on DS28E01 chip:
- EEPROM: divided into 4 pages, 32 bytes per page;
- Key memory: 8 bytes;
- Register page: contains specific function and user bytes;
- Volatile scratchpad: 8 bytes.
The first way to decrypt the DS28E01 chip is to decompile its code, and then find the encrypted and verified code, or force the verification of the modified RAM to be legal. This method is very effective but very complicated. It requires crackers to be proficient in the assembly instructions of various single-chip microcomputers and controllers, chip architecture, principles of encryption chips, and development tools.
DS2430 integrates 256-bit 1-wire erasable and editable read-only memory and 64-bit one-time editable application memory in two modes. The eeprom is arranged in pages, each page is 32 bytes, random access is possible, and the communication speed is higher than The standard mode of DS28E01 is slightly higher (16.3kbps), and data control and power supply are all on one pin to effectively save IO port occupancy.
- 256-bit electrically erasable programmable read-only memory (EEPROM);
- 64-bit one-time programmable application register;
- Unique, 64-bit registration number (8-bit family code + 48-bit serial number + 8-bit CRC check code) ;
- The built-in multi-point controller ensures compatibility with other micro-LAN products;
- The EEPROM is organized into 32-byte random access pages;
- Integrate control, address, data and power supply into one data pin;
- Connects directly to a single port of the microprocessor and communicates at speeds up to 16.3 kilobits per second;
- Communication requirements of 8-bit family code reader DS2430A;
- When the online detection transponder is powered on for the first time;
- Low-cost TO-92 or 6-pin TSOC surface mount package;
- Read and write over a wide voltage range of 2.8V to 6.0V from -40°C to +85°C.
DS2431 is a 1024-bit integrated chip, which is divided into 4 memory pages with 256 bits per page. The 2431 communication follows the 1-wire protocol, and the independent memory contained in it can be permanently write-protected or eprom emulation mode. Other related parameters have much in common with 28E01 and 2430.
All three chips have a unique 64-bit registration number. The registration number is written by factory lithography. The registration number is used as the device address. Their storage content can only be changed from 1 to 0, so it can be seen that the eprom of the chip is limited to the OTP function, so these chips are often used in medical and printing consumables PCBA, and the use time limit is limited.