DS28E01 IC unlock

DS28E01 is generally used as an encryption (authentication) chip to make a product harder to pirate by simple copying.
The first and most popular approach is to disassemble and recompile the code of the main control chip, find the code that performs the encrypted verification, and either jump over it directly or force the modified RAM contents so that the validity check passes. This method is very effective but complex: it requires proficiency in the assembler instruction sets of many single-chip microcontrollers and controllers, in the chip architecture, in the use of encryption chips, and in the development tools. From a business perspective its operability is also low, because nobody can guarantee success before the crack is done: the decipherer must first obtain the machine code, obtaining the machine code requires the customer to pay the cost of breaking the chip, and in the end that IC unlock cost has been spent regardless of success or failure. The second method is to simulate the verification communication waveform: a slow bus can be simulated with a single-chip microcomputer, while a high-speed communication protocol can only be handled with a CPLD. The precondition for this method is that the main control chip produces the same random number every time.
A brief introduction to DS28E01:
DS28E01 communicates with the MCU over a single 1-Wire bus. Not much needs to be said about the single-wire bus, except that its timing requirements are very strict, accurate to the microsecond (us) level.
DS28E01 has four storage areas:
Data memory (EEPROM), divided into 4 pages of 32 bytes each.
Key memory (secret), 8 bytes.
Register page, containing special-function bytes and user bytes.
Volatile register (scratchpad), 8 bytes.
Over the single bus the MCU can only read and write the scratchpad; it cannot read or write the other storage areas directly.
When writing data to the data memory, loading the initial key, or writing to the register page, the data is first written to the scratchpad, and the chip then copies it from the scratchpad to the destination address on the corresponding command.
Working principle:
The chip contains a SHA-1 (160-bit) engine; the data that enters the SHA algorithm is a 55-byte message.
This message consists of the 8-byte key, a 5-byte user-specified random number, the 32-byte EEPROM page content, the 7-byte ROMID, 2 bytes of fixed data (0xFF) and the 1-byte EEPROM address TA1.
The MCU can read the 20-byte hash value computed by the chip with SHA and compare it with the hash value the MCU itself computes with the same algorithm.
Since the MCU must perform the same encryption operation, it must assemble a 55-byte message identical to the one inside the chip. Where does each part come from?
The 8-byte key is generated and written by the MCU itself. ->OK
The 5-byte random number is written to the scratchpad before the chip executes SHA. ->OK
The 32-byte EEPROM data is returned by the chip before the 20-byte hash value is read back. ->OK
The 7-byte ROMID of the chip can be read at any time. ->OK
The 2-byte fixed value is given in the datasheet. ->OK
The 1-byte TA1 is written by the MCU itself. ->OK
Typical application process:
Process 1: initialize the DS28E01 key
Key initialization is performed only in the factory before the product ships, and only needs to be done once.
Program flow:
1. Read the chip ROMID.
2. Generate a unique 64-bit key through a certain algorithm, ensuring that the key generated for each motherboard is different.
3. Write the key to the chip scratchpad and read it back to verify that the write is correct.
4. Execute the chip's load-key command, so that the chip saves the 64-bit key from the scratchpad to the key storage area.
5. Done.
Process 2: verify the DS28E01 key
Key verification is carried out in the product application: every time the product starts, it verifies the correctness of the DS28E01 key.
If verification passes, the product works normally; if verification fails, the product is prevented from working properly by some means.
Program flow:
1. Read the chip ROMID.
2. Generate the 64-bit key with the same algorithm used in the initialization process.
3. Write an 8-byte random number (of which only 5 bytes are used) to the chip scratchpad and read it back to validate.
4. Issue the authentication command to the chip; the 32 bytes of EEPROM data and the 20-byte hash value can then be read back.
5. From the data read above, assemble the 55-byte message and perform the SHA-1 operation.
6. Compare the calculated hash value with the hash value read from the chip.
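Process 2 above, as an added example rather than code from the page or from the chip vendor: the MCU side assembles its own copy of the 55-byte message from the fields the page lists, hashes it, and compares the result in constant time with the hash returned by the chip. The field order, the use of standard hashlib SHA-1 as a stand-in for the chip's hash variant, and all sample values are assumptions for illustration; the real message layout and hash must be taken from the DS28E01 datasheet.

```python
import hashlib
import hmac

# Added example, not the page's or Maxim's code. The page lists the fields of the
# 55-byte message but not their order; the order used here, and hashlib SHA-1 as
# a stand-in for the chip's hash variant, are assumptions for illustration only.
FIELD_LENGTHS = {"secret": 8, "challenge": 5, "page": 32, "romid": 7}

def build_message(secret, challenge, page, romid, ta1):
    """Assemble the 55-byte message from the fields the page lists (assumed order)."""
    for name, value in (("secret", secret), ("challenge", challenge),
                        ("page", page), ("romid", romid)):
        if len(value) != FIELD_LENGTHS[name]:
            raise ValueError(f"{name} must be {FIELD_LENGTHS[name]} bytes")
    if not 0 <= ta1 <= 0xFF:
        raise ValueError("TA1 is a single byte")
    msg = secret + challenge + page + romid + b"\xff\xff" + bytes([ta1])
    assert len(msg) == 55
    return msg

def mac_for(secret, challenge, page, romid, ta1):
    """20-byte hash over the message (hashlib SHA-1 stands in for the chip's)."""
    return hashlib.sha1(build_message(secret, challenge, page, romid, ta1)).digest()

def chip_response(chip_secret, challenge, page, romid, ta1):
    """What the page says the chip returns: the 32-byte page, then the 20-byte hash."""
    return page, mac_for(chip_secret, challenge, page, romid, ta1)

def host_verify(host_secret, challenge, romid, ta1, page, chip_mac):
    """MCU side of process 2: rebuild the message from its own copy of the key
    plus the data read back, hash it, and compare in constant time."""
    if len(chip_mac) != 20:
        return False
    return hmac.compare_digest(chip_mac, mac_for(host_secret, challenge, page, romid, ta1))

# Constructed sample values, not data from any real device.
ROMID = bytes.fromhex("00000000000001")
PAGE = bytes(range(32))
CHALLENGE = bytes.fromhex("0102030405")
SECRET = bytes.fromhex("0011223344556677")
TA1 = 0x00

def demo():
    """Genuine chip passes; a different host key or a tampered page fails."""
    page, mac = chip_response(SECRET, CHALLENGE, PAGE, ROMID, TA1)
    return (host_verify(SECRET, CHALLENGE, ROMID, TA1, page, mac),
            host_verify(bytes(8), CHALLENGE, ROMID, TA1, page, mac),
            host_verify(SECRET, CHALLENGE, ROMID, TA1, bytes(32), mac))
```

The third case in `demo()` shows why the 32-byte page is part of the message: altering the returned page data without the key changes the expected hash and the check fails.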
Crack method:
As can be seen from the application process above, the key algorithm here is SHA-1, and there are two copies of the data that enters the SHA computation: one is inside the chip, and we cannot read it.
The other, however, is generated inside the MCU, so it is enough to work out the process by which the MCU generates the message.
The critical data is the 8-byte key, because the 8-byte key is generally bound to the ROMID and the CPUID.
Therefore, as long as we can recover the key generation algorithm from the program, the crack is achieved. This is only a matter of time.
Conclusion:
The encryption chip is of no real use: a complex encryption algorithm only increases the difficulty of the solution and cannot fundamentally solve the problem.
The only way to prevent a product from being cracked and pirated is to prevent the correct binary code from being read out of the product.
Unfortunately, there is no chip whose FLASH content cannot be read.

DALLAS2401 IC crack

DALLAS2401 is usually packaged in TO-92 and is often overlooked in reverse development. The DS2401 is usually placed next to the main MCU as serial number memory and a unique ID number.
The DS2401 enhanced silicon serial number is a low-cost electronic registration code that provides absolute, unique identification with a minimal electrical interface (usually only one microprocessor port). It contains 64 bits of ROM engraved in the factory, comprising a 48-bit unique serial code, an 8-bit CRC check code and an 8-bit family code (01h). Data is transferred using the 1-Wire protocol over a single signal lead and a ground return. The power for reading the device can be drawn from the data line itself, with no external supply required. The DS2401 is an upgraded version of the DS2400: it is fully compatible with the DS2400 but adds multi-drop communication capability, allowing multiple devices to be connected to the same data bus. The standard TO-92, SOT-223 and TSOC packages provide a compact form factor suited to standard assembly equipment.