Cloning iButton using RW1990 and AVR

Ahojte! 🙂IMG_20150613_095826

Yesterday arrived my RW1990 keys I had ordered from aliexpress. They look the same as original iButton (DS1990A) but they hide one awesome feature: they are writeable so you can change their Serial Number! This is how I managed to write them white some cheap parts I had at hand.

My first steps with iButtons were done few weeks ago when I wrote a simple program to read them. Using some help on wikipedia and some elaboration with timing I managed to send command, reset and read response from connected 1-wire chip (later I also wrote a program to read 1-wire DS18B20 temperature sensor).

Wiring:

schema IMG_20150613_095411 IMG_20150613_095351Everything is powered from USB so no external power is needed. The heart is a ATTiny2313 connected to USBasp programmer. USB to TTL serial adapter is used only for debug purposes. RW1990 is powered through 1k8 resistor which servers also as a pull-up. Communication with AVR is done via PORTB – PIN0. The socket for key is made from a paper clip and a clothes-peg.

Protocol

After a short googling, I have found a russian page describing the protocol. With some help from google translate I managed to implement and test it. RW1990 supports the same protocol as standard DS1990. In addition, it supports a new command – 0xD5 for changing the Serial Number. The most important information is, that you need a special procedure for writing. After some testing, I’ve found out that you don’t need to implement it exactly the same as described on mentioned page. This is the procedure I use:

  1. send reset
  2. wait for response
  3. send Read Serial command (0x33)
  4. read 8byte serial
  5. wait 16ms
  6. send reset
  7. wait for response
  8. send Write Serial command (0xD5)
  9. write 8byte serial
  10. send reset
  11. wait for response
  12. send Read Serial command (0x33)
  13. read 8byte serial

Writing new serial number is performed in a special way. Probably due to the energy required for writing to internal memory, each bit is followed by 10ms high state on the bus. In addition, the “1” and “0” are inverted:

  • write “1” – level low, wait 60us, level up, wait 10ms
  • write “0” – level low, level up, wait 10ms

Programming

Source code is written in C and compiled using avr-gcc. You can find I on my github. This is example output of the program (captured through USB-TTL converter):

0A0B0C0D0E0F0102  <= read original serial
P
P
Z <= new serial written
P
0102030405060708  <= read new serial

The main function is called only once after AVR boot, new serial can be adjusted in the source code.

If you have any comments or questions, feel free to comment.

Dovidenia nabuduce. 🙂

7 thoughts on “Cloning iButton using RW1990 and AVR”

  1. Hi friend:
    this is Henry from Smart Way in China。

    i am ibutton supplier,other products is RFID,nfc。
    if you need these,welcome to ask price。

    Best Regards!
    Henry
    Smart Way

    1. Hi, I’m interested in Ibutton, I would like values
      Another thing, I need to clone some, what do you have for availability?

      1. hello,
        thanks for your reply,I am Henry’s coworker.he takes charge other works now,pls contact me for details.
        SHENZHEN SMART-WAY TECHNOLOGY CO.,LTD
        ADD:Office 1610 ,Block A,Nanxian Commercial Plaza,No.455 Meilong RD,Longhua District,Shenzhen,China 518172
        cherry@ylmtech.com
        skype:smartwaysales01
        whatsapp/tel:+86-15338845019
        wechat:smartway01
        http://www.ylmtech.com

  2. Images and source link for protocol are missing as of 3-14-20
    Would you have backups for this information handy?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.