
DS1991 Information Button Key Cracking and Equivalent Replacement

  • Categories:Thesis
  • Author:
  • Origin:
  • Time of issue:2026-01-21 17:00

(Summary description) The information button (iButton), also known as the TM card (Touch Memory), is a memory chip that communicates over the 1-Wire single-bus protocol. The models in common use today are the DS1991 and DS1961S. The DS1425 is an earlier product that has since been replaced by the DS1991; the two share exactly the same timing.


The Information Button (iButton), also known as the TM card (Touch Memory), is a memory chip that communicates over the 1-Wire single-bus protocol. The models in common use today are the DS1991 and DS1961S. The DS1425 is an earlier product that has since been replaced by the DS1991; the two share exactly the same timing.
Unlike most current serial interfaces (such as SPI and I2C), the 1-Wire bus carries bidirectional data over a single signal line (plus ground). It saves I/O pins, is simple in structure, low in cost, and easy to extend and maintain. The bus is intended for systems in which a single master controls one or more slave devices; when only one slave is present, it can be operated in single-node mode.
Because an Information Button needs only two wires (one besides ground), has a rugged case that withstands harsh environments, and is easy to carry, it is widely used for PC software dongles, identity recognition and electronic payment. The DS1991 Multi-key iButton from Dallas Semiconductor is a non-volatile memory in an iButton package with key (password) protection, and it is the most common device in today's software dongles. The DS1961S is a newer secure memory protected by an SHA-1 engine and therefore offers higher security.
The memory of the DS1991 is divided into 3 secure storage partitions (subkeys) of 384 bits (48 bytes) each. Each partition has its own 64-bit identification code (ID) and 64-bit key (password). Every read or write of a secure partition is checked against that partition's 64-bit key. If the key does not match, the partition's contents cannot be read out; it can only be erased and rewritten.
Some domestic companies lose their Information Button keys through staff turnover or poor document management. If a lost key cannot be recovered, the application system that depends on it can no longer be shipped, and the enterprise suffers losses. A relatively simple method of recovering Information Button keys is therefore needed so that such losses can be avoided.
2. Analysis of the Operation Process of the Information Button
The operation process of all single-bus devices is basically the same, which can be divided into three basic steps: initialization, execution of ROM commands and execution of function commands. Each access to a single-bus device must follow this operation process. If the operation process is incorrect, the single-bus device will not respond to the master device. For different devices, the specific command sets of ROM commands and function commands may not be completely the same, but the operation sequence will not change.

Initialization means that the master pulls the bus from high to low and holds it low for more than 480 μs, which resets every slave device on the bus. All access to a device must start with initialization. The initialization process is shown in Figure 1: the master sends a reset pulse, and the slave answers with a presence pulse, which tells the master that a slave is on the bus and ready. For the timing requirements of the reset pulse and the presence pulse, refer to [1].
The DS1991/DS1425 has 4 ROM commands: Read ROM (33H), Match ROM (55H), Search ROM (F0H) and Skip ROM (CCH).
The DS1991 supports 6 function commands: 3 scratchpad commands (Read Scratchpad, Write Scratchpad and Copy Scratchpad) and 3 secure-partition commands (Read Subkey, Write Subkey and Write Password). Only the 3 secure-partition commands involve the key.
Figure 1 Initialization Flow Chart
A function command consists of 3 bytes. The first byte is the function command code, which defines 6 executable function commands; the second byte is the operation address, in which the lower 6 bits are the start address in the storage partition, and the upper 2 bits are the secure storage partition code; the third byte of the command is the one's complement of the second byte, as shown in Table 1.
Table 1 Composition of DS1991 Function Commands

Command          1st Byte   2nd Byte                                                 3rd Byte
                            B7 B6 (secure partition code)   B5 B4 B3 B2 B1 B0 (start address)
Read Subkey      66H        00, 01 or 10                    010000B~111111B          one's complement of 2nd byte
Write Subkey     99H        00, 01 or 10                    010000B~111111B          one's complement of 2nd byte
Write Password   5AH        00, 01 or 10                    000000B                  one's complement of 2nd byte

In all of these timings the master generates every synchronization signal; the presence (response) pulse is the only signal driven by the slave.
3. Principle of Key Cracking
Although each partition of the DS1991 is protected by a key, the bus traffic is not encrypted, and the microprocessor must send the key to the device in plaintext every time the key is verified. The key can therefore be intercepted on the bus, and the protection is weak.

Figure 2 Reset Timing Diagram
From the timing diagram and command flow of the DS1991 [1], the key can be recovered by building a key cracking device around a single-chip microcomputer that tracks and analyses the data on the 1-Wire bus in real time.
The reset timing of the DS1991 is shown in Figure 2. The microcomputer first sends a reset pulse, holding the bus low for longer than tRSTL; it then releases the bus and switches to receive mode, and the pull-up resistor returns the bus to high. After detecting the rising edge, the slave waits tPDH and then drives the presence pulse, holding the bus low for tPDL. To detect the presence pulse, the master must sample the bus after tMSP (the sampling time). The tRSTH window must be no shorter than tPDH(max) + tPDL(max) + tREC(min). Once tRSTH has elapsed, data communication between the devices can begin.
The analysis process is shown in Figure 3. The tracking device first has to recognise the 1-Wire reset pulse sent by the reader-writer; until one appears it simply keeps waiting. A reset pulse must be followed by one of the four ROM commands, and the device must identify which one in order to know how many bytes to discard afterwards: Read ROM and Match ROM are followed by the 8-byte ROM code, Skip ROM by nothing, and Search ROM by 64 three-bit search slots. After discarding those bytes the tracking device receives the function command. Once a function command of 66H, 99H or 5AH is identified, the key that follows it and the secure partition number encoded in its address byte can be read off the bus. As noted above, a DS1991 or DS1425 may use up to 3 keys, so recovering one key does not end the job: the device must keep listening for the others.
Figure 3 Key Analysis Flow Chart
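The tracking logic of Figure 3, written out as an added Python example (not code from the paper or from its cracking device). A passive sniffer sees only the widths of the low pulses on the data line, so the first stage classifies each pulse as a reset, a presence pulse or a 0/1 bit slot using the standard 1-Wire limits (tRSTL at least 480 μs, tPDL 60 to 240 μs, a 1 slot released within 15 μs); the second stage applies the flow of Figure 3: wait for a reset, identify the ROM command, discard its payload, then check the 3-byte function command and record the partition and the key bytes that follow. The capture at the bottom is constructed, not recorded, and its ROM code and IDs are arbitrary (family code 02H aside, the CRC is not computed). The layout assumed for the bytes after the command, an 8-byte ID answered by the device followed by the 8-byte password sent by the master, is this example's reading of [1] and should be checked against the datasheet for each of the three commands; in a byte-grouped capture the 64 Search ROM slots occupy 24 byte positions.

```python
"""Passive DS1991 key sniffer: pulse widths -> 1-Wire bytes -> keys (added example)."""

# Standard 1-Wire timing limits in microseconds (DS1991 datasheet [1]).
T_RESET_MIN = 480          # tRSTL: a low pulse this long (or longer) is a reset
T_PRESENCE = (60, 240)     # tPDL: presence pulse driven by the slave after a reset
T_ONE_MAX = 15             # a slot released within 15 us carries a logic 1
T_SLOT_MAX = 120           # tLOW0 maximum: longer lows (below a reset) are malformed

RESET = object()           # token marking a reset/presence sequence in the byte stream

# Bytes that follow each ROM command before the function command (byte-grouped capture).
ROM_PAYLOAD = {0x33: 8, 0x55: 8, 0xCC: 0, 0xF0: 24}   # Read, Match, Skip, Search ROM
KEY_COMMANDS = {0x66: "Read Subkey", 0x99: "Write Subkey", 0x5A: "Write Password"}
ID_LEN = PASSWORD_LEN = 8

def decode_pulses(pulses):
    """Turn the low-pulse widths seen on the data line into RESET tokens and bytes (LSB first)."""
    tokens, bits, expect_presence = [], [], False
    for width in pulses:
        if width >= T_RESET_MIN:
            tokens.append(RESET)
            bits, expect_presence = [], True        # a reset discards any partial byte
            continue
        if expect_presence:
            expect_presence = False
            if T_PRESENCE[0] <= width <= T_PRESENCE[1]:
                continue                            # slave presence pulse, not a data slot
        if width <= T_ONE_MAX:
            bits.append(1)
        elif width <= T_SLOT_MAX:
            bits.append(0)                          # write-0 slot, or read slot held low by the slave
        else:
            raise ValueError(f"{width} us low pulse is neither a bit slot nor a reset")
        if len(bits) == 8:
            tokens.append(sum(bit << i for i, bit in enumerate(bits)))
            bits = []
    return tokens

def split_transactions(tokens):
    """Group the bytes that follow each RESET; bytes before the first reset are noise."""
    frames = []
    for tok in tokens:
        if tok is RESET:
            frames.append([])
        elif frames:
            frames[-1].append(tok)
    return frames

def extract_keys(tokens):
    """Apply the Figure 3 flow to every transaction and return the keys found."""
    keys = []
    for frame in split_transactions(tokens):
        if not frame or frame[0] not in ROM_PAYLOAD:
            continue                                # not a ROM command: keep waiting
        body = frame[1 + ROM_PAYLOAD[frame[0]]:]    # discard ROM code / search slots
        if len(body) < 3 + ID_LEN + PASSWORD_LEN:
            continue                                # reader only identified the button
        cmd, addr, inv = body[:3]
        if cmd not in KEY_COMMANDS or (addr ^ inv) != 0xFF or (addr >> 6) == 0b11:
            continue                                # the device itself rejects such a command
        keys.append({
            "command": KEY_COMMANDS[cmd],
            "partition": addr >> 6,                 # B7 B6 of the address byte
            "start_address": addr & 0x3F,           # B5..B0
            "id": bytes(body[3:3 + ID_LEN]),        # assumed: 8-byte ID answered by the device
            "password": bytes(body[3 + ID_LEN:3 + ID_LEN + PASSWORD_LEN]),  # assumed: key sent by the master
        })
    return keys

# --- constructed capture (not a recording) -----------------------------------
def _slots(data):
    """Emit one pulse per bit, LSB first: 5 us for a 1, 70 us for a 0."""
    return [5 if (byte >> i) & 1 else 70 for byte in data for i in range(8)]

def _transaction(data):
    """Reset pulse (500 us), presence pulse (100 us), then the bytes of one exchange."""
    return [500, 100] + _slots(data)

ROM_CODE = [0x02, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x7C]    # constructed, CRC not computed
ID_1, ID_2 = list(range(1, 9)), list(range(0x11, 0x19))       # constructed partition IDs
SAMPLE_PULSES = (
    _transaction([0xCC, 0x66, 0x50, 0xAF, *ID_1, *b"SECRET-1", 0xAA, 0xBB])        # Skip ROM, Read Subkey, partition 1
    + _transaction([0x33, *ROM_CODE])                                               # Read ROM only: nothing to learn
    + _transaction([0x55, *ROM_CODE, 0x99, 0x90, 0x6F, *ID_2, *b"KEY-TWO!", 0x11])  # Match ROM, Write Subkey, partition 2
)

if __name__ == "__main__":
    for key in extract_keys(decode_pulses(SAMPLE_PULSES)):
        print(f"{key['command']:14} partition {key['partition']} "
              f"start {key['start_address']:#04x} password {key['password'].hex()}")
```

The presence pulse is the one case the pulse classifier cannot decide on width alone (60 to 240 μs overlaps a write-0 slot), which is why the decoder only treats a pulse as presence when it immediately follows a reset, exactly the ordering Figure 2 describes.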
The electrical schematic of the key cracking device is shown in Figure 4. A liquid crystal display (LCD) is used so that the device can offer more functions. To keep up with the standard 1-Wire timing, the crystal frequency of the cracking device must be high enough; 36 MHz is used here. So that the cracking device does not disturb the original 1-Wire application system, a 74HC04 inverter (NOT gate) is inserted in the incoming line. The "CRYPTO EEPROM" in Figure 4 is an AT88SC0104C non-volatile secure memory, used both to store the recovered keys and to prevent the board from being copied.
4. Equivalent Replacement of DS1991/DS1425
Every Information Button has a unique ROM code. If the reader-writer verifies the ROM code, simply substituting another Information Button is ruled out. If, however, a single-chip microcomputer system is used to emulate all the functions of the DS1991/DS1425 in accordance with the 1-Wire protocol, there is no obstacle at all. The technical route of equivalent replacement is as follows:

A. Track all keys of the Information Button used by the reader-writer;
B. Use the reader-writer to read out all the contents of each secure storage partition used in DS1991/DS1425 with the cracked key and partition number;
C. Load all the contents of each read secure storage partition into the single-chip microcomputer system in the equivalent replacement device.
Figure 4 Electrical Schematic Diagram of the Key Cracking Device
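Step C, the device side of the equivalent replacement, as an added Python model (not the paper's single-chip firmware): it holds the three 64-byte partition images recovered in steps A and B, answers Read ROM and Match ROM with the copied ROM code, and serves Read Subkey and Write Subkey in the order a sniffer observes on the real part: command triple, then the 8-byte ID back to the master, then the 8-byte password, then data. The 64-byte layout per partition (ID at 00H, password at 08H, data at 10H to 3FH) follows the address range of Table 1; the images and ROM code below are constructed. The real part's reply to a wrong password should be taken from [1]; this model returns random filler so a wrong key never yields the stored data.

```python
"""Device-side model of a DS1991 for equivalent replacement (added example)."""
import os

SUBKEY_SIZE = 64                       # per partition: 8-byte ID, 8-byte password, 48 data bytes
ID_OFF, PW_OFF, DATA_OFF = 0x00, 0x08, 0x10
READ_ROM, MATCH_ROM = 0x33, 0x55
READ_SUBKEY, WRITE_SUBKEY = 0x66, 0x99

class DS1991Emulator:
    """Replays the recovered partition images; the bit-level bus timing is not modelled."""

    def __init__(self, rom_code, images):
        if len(rom_code) != 8 or len(images) != 3 or any(len(im) != SUBKEY_SIZE for im in images):
            raise ValueError("need an 8-byte ROM code and three 64-byte partition images")
        self.rom_code = bytes(rom_code)
        self.images = [bytearray(im) for im in images]
        self.selected = False          # set once the master has addressed this button
        self._pending = None           # (command, partition, start) awaiting the password
        self._unlocked = None          # partition whose password matched

    def rom_command(self, cmd, payload=b""):
        """Read ROM returns our ROM code; Match ROM selects us only if the 8 bytes match."""
        self.selected = False
        if cmd == READ_ROM:
            self.selected = True
            return self.rom_code
        if cmd == MATCH_ROM:
            self.selected = bytes(payload) == self.rom_code
        return b""

    def function_command(self, cmd, addr, inv):
        """Bytes 1-3 of Table 1. Returns the partition's 8-byte ID, or b"" if rejected."""
        self._pending = self._unlocked = None
        partition, start = addr >> 6, addr & 0x3F
        if (not self.selected or (addr ^ inv) != 0xFF or partition == 0b11
                or cmd not in (READ_SUBKEY, WRITE_SUBKEY) or start < DATA_OFF):
            return b""
        self._pending = (cmd, partition, start)
        return bytes(self.images[partition][ID_OFF:PW_OFF])

    def password(self, pw):
        """The 8-byte key sent by the master after the ID; unlocks the partition if it matches."""
        if self._pending is None:
            return False
        _, partition, _ = self._pending
        if bytes(pw) == bytes(self.images[partition][PW_OFF:DATA_OFF]):
            self._unlocked = partition
        return self._unlocked is not None

    def read_data(self):
        """Read Subkey: data from the start address to the end of the partition."""
        cmd, partition, start = self._pending or (None, None, None)
        if cmd != READ_SUBKEY:
            return b""
        if self._unlocked != partition:
            return os.urandom(SUBKEY_SIZE - start)   # wrong key: filler, never the stored data
        return bytes(self.images[partition][start:])

    def write_data(self, data):
        """Write Subkey: store data from the start address; returns the number of bytes accepted."""
        cmd, partition, start = self._pending or (None, None, None)
        if cmd != WRITE_SUBKEY or self._unlocked != partition:
            return 0
        data = bytes(data)[:SUBKEY_SIZE - start]
        self.images[partition][start:start + len(data)] = data
        return len(data)

def make_image(ident, password, data):
    """Build one 64-byte partition image from the values recovered in steps A and B."""
    data = bytes(data).ljust(SUBKEY_SIZE - DATA_OFF, b"\x00")
    if len(ident) != 8 or len(password) != 8 or len(data) != SUBKEY_SIZE - DATA_OFF:
        raise ValueError("ID and password are 8 bytes, data at most 48 bytes")
    return bytes(ident) + bytes(password) + data

# Constructed demonstration values (not from any real button).
ROM_CODE = bytes([0x02, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x7C])   # family code 02H, CRC not computed
IMAGES = [
    make_image(b"ID-ZERO!", b"SECRET-0", b"licence record for partition 0"),
    make_image(b"ID-ONE!!", b"SECRET-1", b"licence record for partition 1"),
    make_image(b"ID-TWO!!", b"KEY-TWO!", b""),
]

def read_partition(device, partition, password, start=DATA_OFF):
    """Drive a complete Read Subkey exchange the way a reader-writer would."""
    device.rom_command(MATCH_ROM, device.rom_code)
    addr = (partition << 6) | start
    ident = device.function_command(READ_SUBKEY, addr, addr ^ 0xFF)
    device.password(password)
    return ident, device.read_data()
```

Because the emulator answers Match ROM with the copied ROM code and only reveals a partition after the copied password has been presented, a reader-writer that checks either the ROM code or the key behaves exactly as it did with the original button.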
Conclusion
Innovations of the authors: The initialization, ROM commands and function commands flow diagrams and timing charts of two Information Button devices (DS1991 and DS1425) are analyzed, the principle of DS1991 key cracking is discussed in detail, and the hardware design of a practical key cracking device and the corresponding software flow chart are given.

References
[1] Dallas Semiconductor. DS1991 Multi-key iButton. Dallas Semiconductor website: http://www.maxim-ic.com/products/ibutton/
[2] Li Yuhua, Li Fang, Sun Ming. Self-assembled IC Smart Card Reader. Xi'an: Xi'an Jiaotong University Press, 2005.
[3] YuanZhi Technology Co., Ltd. (Yantai) website: http://www.1-wire.com.cn
[4] Shicheng Electronics website. Electronic Product Encryption Technology Based on AT88SC0104C. http://www.setchief.com
[5] Research on USB Software Dongle Based on Chaotic Encryption and Its Anti-decryption. Microcomputer Information, 2005, 21(8): 15-17.
[6] Yang Zhenye. IC Card Technology and Its Application. Beijing: Science Press, 2006.

Exploitation and Replacement of iButton DS1991 Keys
ZHENYE YANG, FANGMING WEI, KUNCHENG CHEN, XINGMIN HU
Department of Electronic Information Engineering
Guangdong Polytechnic Normal University, 510665
Abstract: The flow diagrams and timing charts of initialization, ROM commands and function commands of the DS1991/DS1425 are analysed, and the principle of recovering DS1991 keys is discussed in detail. Key exploitation and equivalent replacement of the iButton DS1991/DS1425 are then introduced. Based on the 1-Wire interface and the key exploitation and replacement scheme, a practical hardware design is given.
Keywords: Information button, Key, Exploitation, Replacement
Author Profile: Yang Zhenye (1957-), Male (Han Nationality), Nantong, Jiangsu Province, Professor and PhD, Department of Electronic Information Engineering, Guangdong Polytechnic Normal University, main research directions: IC card application devices and systems, and medical electronic instruments (ECG instruments and B-ultrasound).
Biography: Zhenye Yang (1957-), male (Han), Nantong, Jiangsu Province, PhD, Professor in the Department of Electronic Information Engineering, Guangdong Polytechnic Normal University; main interests: identification card applications and biomedical engineering.
Correspondence Address: No.293, Zhongshan Avenue, Guangzhou (Postal Code: 510665); Tel: 020-85662866, 13710680786; E-mail:yang1006@21cn.com
Fund Project: Yueke Ji Zi [2004] No.211 (2004-12-24)
