Cloning iButton using RW1990 and AVR

Ahojte! ­čÖéIMG_20150613_095826

Yesterday arrived my RW1990 keys I had ordered from aliexpress. They look the same as original iButton (DS1990A) but they hide one awesome feature: they are writeable so you can change their Serial Number! This is how I managed to write them white some cheap parts I had at hand.

My first steps with iButtons were done few weeks ago when I wrote a simple program to read them. Using some help on wikipedia and some elaboration with timing I managed to send command, reset and read response from connected 1-wire chip (later I also wrote a program to read 1-wire DS18B20 temperature sensor).

Wiring:

schema IMG_20150613_095411 IMG_20150613_095351Everything is powered from USB so no external power is needed. The heart is a ATTiny2313 connected to USBasp programmer. USB to TTL serial adapter is used only for debug purposes. RW1990 is powered through 1k8 resistor which servers also as a pull-up. Communication with AVR is done via PORTB – PIN0. The socket for key is made from a paper clip and a clothes-peg.

Protocol

After a short googling, I have found a russian page describing the protocol. With some help from google translate I managed to implement and test it. RW1990 supports the same protocol as standard DS1990. In addition, it supports a new command – 0xD5 for changing the Serial Number. The most important information is, that you need a special procedure for writing. After some testing, I’ve found out that you don’t need to implement it exactly the same as described on mentioned page. This is the procedure I use:

  1. send reset
  2. wait for response
  3. send Read Serial command (0x33)
  4. read 8byte serial
  5. wait 16ms
  6. send reset
  7. wait for response
  8. send Write Serial command (0xD5)
  9. write 8byte serial
  10. send reset
  11. wait for response
  12. send Read Serial command (0x33)
  13. read 8byte serial

Writing new serial number is performed in a special way. Probably due to the energy required for writing to internal memory, each bit is followed by 10ms high state on the bus. In addition, the “1” and “0” are inverted:

  • write “1” – level low, wait 60us, level up, wait 10ms
  • write “0” – level low, level up, wait 10ms

Programming

Source code is written in C and compiled using avr-gcc. You can find I on my github. This is example output of the program (captured through USB-TTL converter):

0A0B0C0D0E0F0102  <= read original serial
P
P
Z <= new serial written
P
0102030405060708  <= read new serial

The main function is called only once after AVR boot, new serial can be adjusted in the source code.

If you have any comments or questions, feel free to comment.

Dovidenia nabuduce. ­čÖé

2 thoughts on “Cloning iButton using RW1990 and AVR

  1. Henry

    Hi friend´╝Ü
    this is Henry from Smart Way in ChinaŃÇé

    i am ibutton supplier´╝îother products is RFID´╝înfcŃÇé
    if you need these´╝îwelcome to ask priceŃÇé

    Best Regards´╝ü
    Henry
    Smart Way

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *