DS28E01 IC unlock success
Nowadays more and more people are familiar with the IC unlock industry, so engineers pay closer attention to the encryption of their products. As a result there are many encryption chips on the market, such as the ATSHA204 series, AT88 series, LKT4100 series, DS28E01 series, the Korean ALPU series, the TI BQ26100, and so on.
Our company focuses on the research of various encryption chips, the structure and assembly instructions of various single-chip microcontrollers, free disassembly, and successful cases of deciphering all kinds of encryption chips on the market. Recently we have successfully cracked the DS28E01 chip, and customers are welcome to call for consultation.
A brief introduction to DS28E01:
The DS28E01 communicates with the MCU over a single-wire (1-Wire) bus. The bus itself needs little explanation, but its timing is very strict and must be accurate to the microsecond (us) level.
The DS28E01 has four storage areas:
Data memory (EEPROM): 4 pages of 32 bytes each.
Secret memory: 8 bytes.
Register page: special-function bytes and user bytes.
Scratchpad (volatile register): 8 bytes.
Over the bus the MCU can directly read and write only the scratchpad; it cannot read or write the other storage areas directly.
When writing data to the data memory, loading the initial secret, or writing to the register page, the data is first written to the scratchpad, and the chip then copies it from the scratchpad to the destination address when it receives the corresponding command.
Working principle:
The chip contains a SHA-1 (160-bit) engine. The message fed into the SHA algorithm is 55 bytes long.
These 55 bytes consist of the 8-byte secret, a 5-byte random number (challenge) chosen by the user, the 32-byte EEPROM page content, the 7-byte ROM ID, 2 fixed bytes (0xFF) and the 1-byte EEPROM address TA1.
The MCU reads back the 20-byte hash value the chip computes with SHA and compares it with the hash value the MCU computes itself using the same algorithm.
Since the MCU must perform the same operation, it has to assemble exactly the same 55-byte message as the chip. Where does each part come from?
The 8-byte secret: generated and written by the MCU itself. -> OK
The 5-byte random number: written to the scratchpad before the chip executes SHA. -> OK
The 32-byte EEPROM data: the chip returns the 32 bytes of page content before the 20-byte hash value is read back. -> OK
The 7-byte ROM ID: the ROM ID of the chip can be read at any time. -> OK
The 2 fixed bytes: see the datasheet for their value. -> OK
The 1-byte TA1: written by the MCU itself. -> OK
Typical application process:
Process 1: initialize the DS28E01 key
The key is initialized only once, at the factory before the product is produced.
Program flow:
1. Read the chip ROM ID.
2. Generate a unique 64-bit key with some algorithm, ensuring that every motherboard gets a different key.
3. Write the key to the chip scratchpad and read it back to verify that the write is correct.
4. Execute the chip's load-secret command so the chip copies the 64-bit key from the scratchpad into the secret memory.
5. Done.
Process 2: verify the DS28E01 key
Key verification is performed in the product application: every time the product starts, it checks that the DS28E01 key is correct.
If verification passes, the product works normally; if it fails, the product is prevented from working properly by some means.
Program flow:
1. Read the chip ROM ID.
2. Generate the 64-bit key with the same algorithm used in the initialization process.
3. Write an 8-byte random number (of which only 5 bytes are used) to the chip scratchpad and read it back to verify.
4. Send the authentication command to the chip; it returns the 32-byte EEPROM data and the 20-byte hash value.
5. From the data read above, assemble the 55-byte message and perform the SHA-1 operation.
6. Compare the computed hash value with the hash value read from the chip.
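The two processes above, written out as an added Python example (this is not code from the page, nor the chip vendor's own driver or reference code). A constructed stand-in class plays the role of the chip so the flow runs offline: per-board key derivation for process 1, step 2; provisioning through the scratchpad; and the challenge-response check of process 2. The byte order of the 55-byte message, the HMAC-based `derive_device_key` scheme, and all class and function names are assumptions for illustration only; the real datasheet defines its own field order, which the page does not give.

```python
import hashlib
import hmac
import os

# ASSUMED layout of the 55-byte message (for illustration only; the page lists
# the fields but not their order, and the real datasheet specifies its own):
#   8 B secret | 32 B page data | 5 B challenge | 7 B ROM ID | 2 B 0xFF | 1 B TA1
FIXED_FF = b"\xff\xff"
PAGE_SIZE = 32


def derive_device_key(master_secret: bytes, rom_id: bytes) -> bytes:
    """Hypothetical key diversification (process 1, step 2): each board's 64-bit
    key is derived from its unique ROM ID, so every board's key differs and a
    key extracted from one board does not authenticate another."""
    if len(rom_id) != 7:
        raise ValueError("ROM ID must be 7 bytes")
    return hmac.new(master_secret, b"DS28E01-device-key" + rom_id, hashlib.sha256).digest()[:8]


def build_message(secret, page_data, challenge, rom_id, ta1):
    """Assemble the 55-byte message from the six fields named on the page."""
    for name, field, n in (("secret", secret, 8), ("page_data", page_data, PAGE_SIZE),
                           ("challenge", challenge, 5), ("rom_id", rom_id, 7)):
        if len(field) != n:
            raise ValueError(f"{name} must be {n} bytes, got {len(field)}")
    msg = secret + page_data + challenge + rom_id + FIXED_FF + bytes([ta1])
    assert len(msg) == 55
    return msg


def compute_mac(secret, page_data, challenge, rom_id, ta1):
    """The 20-byte SHA-1 value that both the chip and the MCU compute."""
    return hashlib.sha1(build_message(secret, page_data, challenge, rom_id, ta1)).digest()


class SimulatedDS28E01:
    """Constructed stand-in for the chip (not a real 1-Wire driver). Only the
    scratchpad is directly accessible; the secret is loaded by copying it."""

    def __init__(self, rom_id, eeprom=None):
        self.rom_id = rom_id
        self.eeprom = bytearray(eeprom or bytes(4 * PAGE_SIZE))
        self.scratchpad = bytearray(8)
        self.secret = None

    def write_scratchpad(self, data):
        if len(data) != 8:
            raise ValueError("scratchpad is 8 bytes")
        self.scratchpad[:] = data

    def read_scratchpad(self):
        return bytes(self.scratchpad)

    def load_first_secret(self):
        # Process 1, step 4: copy the 64-bit key from the scratchpad into secret memory.
        self.secret = bytes(self.scratchpad)

    def read_authenticated_page(self, page):
        # Process 2, step 4: return the page data and the MAC over it.
        # Only 5 of the 8 scratchpad bytes serve as the challenge, as the page says.
        ta1 = page * PAGE_SIZE
        data = bytes(self.eeprom[ta1:ta1 + PAGE_SIZE])
        challenge = bytes(self.scratchpad[:5])
        return data, compute_mac(self.secret, data, challenge, self.rom_id, ta1)


def provision(chip, master_secret):
    """Process 1: derive the board key, write it via the scratchpad, verify, load."""
    key = derive_device_key(master_secret, chip.rom_id)
    chip.write_scratchpad(key)
    if chip.read_scratchpad() != key:
        raise RuntimeError("scratchpad read-back mismatch")
    chip.load_first_secret()


def authenticate(chip, master_secret, page=0, rng=os.urandom):
    """Process 2: challenge the chip and check its MAC. Returns True on success."""
    key = derive_device_key(master_secret, chip.rom_id)
    challenge = rng(5)  # fresh each time, otherwise a recorded MAC could be replayed
    chip.write_scratchpad(challenge + b"\x00" * 3)
    if chip.read_scratchpad()[:5] != challenge:
        return False
    data, mac = chip.read_authenticated_page(page)
    expected = compute_mac(key, data, challenge, chip.rom_id, page * PAGE_SIZE)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


if __name__ == "__main__":
    master = b"constructed-master-secret-not-real"
    chip = SimulatedDS28E01(rom_id=bytes.fromhex("01020304050607"))  # constructed ROM ID
    provision(chip, master)
    print("genuine chip:", authenticate(chip, master))
    clone = SimulatedDS28E01(rom_id=chip.rom_id)  # same ROM ID, but no valid secret
    clone.write_scratchpad(b"\x00" * 8)
    clone.load_first_secret()
    print("chip without the key:", authenticate(clone, master))
```

Two design choices matter on the host side: the 5-byte challenge must be freshly random for every check, since a fixed challenge lets a recorded response pass forever, and the 20-byte comparison should be constant-time so that the check itself does not leak how many bytes matched. Deriving each board's key from a master secret and the ROM ID is what makes "every motherboard gets a different key" hold in practice.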