DS1991 Special Functions (iButtonStandards CH.6) - kr1spyK/DS1991SecureViewer GitHub Wiki
iButton Standards - Ch.6 Special Functions
II. ROM/NV-RAM Devices
B. DS1991 MultiKey iButton
B.1. Overview
By design, the DS1991 does not supply data directly like other iButton Memories so that information can be kept secret. In addition to the ROM, the DS1991 incorporates a
64–byte NV RAM scratchpad and three password–protected memory pages, called Subkeys. This makes the DS1991 differ from other iButton Memories at the Transport layer and higher. Instead, the DS1991 has a hardware file system implemented in the device: each subkey can be used as an independent file, starting with a file name, followed by the password and 48 bytes of protected NV RAM.
According to its intended application, the DS1991 supports a different command set at the Transport layer. Some of the commands are the same as with other Memory iButtons, but binary codes and addressing are different. The DS1991 supports the scratchpad commands: Write Scratchpad, Read Scratchpad, Copy Scratchpad; the memory commands: Read Subkey, Write Subkey and the command Write Password.
B.2. Scratchpad
The scratchpad can be used, as with other Memory iButtons, as intermediate storage before data is transferred to the final memory. Unlike other Memory iButtons, the DS1991 allows the user to select blocks of eight bytes or the complete scratchpad to be copied. Copying with the DS1991 means that the copied section of the scratchpad will be cleared to 0’s after copying is finished.
B.3. Memory
Instead of memory pages, the DS1991 contains three subkeys. A subkey is very similar to a memory page. The first eight bytes of a subkey contain the identifier that can be used as the file name of the stored data. The identifier is available for public reading with the Read Subkey command. The next eight bytes store the password, which is write–only. The remaining 48 bytes of a subkey are the password–secured memory. These locations can only be accessed if the password is known. Unlike other Memory iButtons, the DS1991 allows direct writing to the subkey.
The command: Write Subkey has a relatively high potential of transferring data incorrectly if the electrical contact is poor. Therefore, it is recommended in touch applications to use the scratchpad as intermediate storage for verifying before the Copy Scratchpad command transfers the data. Although the password and the identifier can be redefined using the scratchpad, there is a special command to write directly both password and identifier.
This command, called Write Password, is essential to initialize a subkey, since the Copy Scratchpad command requires knowledge of the current password to write a new one. Directly writing the password of a subkey clears the identifier, the current password, and the contents of the protected memory to 0s. Copying the new password from the scratchpad does not clear the identifier or the protected memory.
B.4. Data Transfer
Flow charts of the commands implemented in the DS1991 at the Transport layer are shown in Figures 6–1 and 6–2. Before the DS1991 reaches the Transport layer, a reset and one ROM command have to be executed. Like the other iButtons, the DS1991 accepts only one data transfer command every time the Transport layer is reached. The binary structure of DS1991 data transfer commands is different from other iButtons.
Every DS1991 command consists of three bytes.
The first of these bytes is the command itself, similar to other iButtons. The second byte provides addressing information. The two most significant bits contain the requested subkey number. Valid subkey numbers are 0, 1 and 2. Scratchpad read and write operations require the subkey number to be set to 3. The six lower bits of the address byte contain the start address where data has to be read from or written to. Valid addresses within subkeys are 10H to 3FH, since the first 16 bytes are reserved for the identifier and password. Within the scratchpad, all addresses between 00H and 3FH can be used. To write the password or copy the scratchpad, no byte address is required; the corresponding bits in the addressing byte must be 0. Copying data from the scratchpad to a subkey does not change the data addresses.
Which of the eight data blocks of eight bytes each, or whether the entire scratchpad will be copied, is defined in the block selector code that must be provided together with the password of the desired subkey. The third byte of a DS1991 data transfer command is simply the 1’s complement (bit inversion) of the address byte. Table 6–1 summarizes the command structure. Like other iButtons, the DS1991 requires commands and data to be sent starting at the least significant byte and the least significant bit.
The DS1991 has no user–readable registers for target address, byte offset and ending offset. Also, the Partial flag, Overflow flag and Authorization Accepted flag are missing. Thus a different method is required to provide data integrity. If the scratchpad is used as intermediate storage for writing, reading it back will be sufficient to verify the integrity of the new data. After the data in the scratchpad is determined to be correct, a single command is issued to transfer the new data to the target subkey. In order to guarantee integrity of this transfer, one of nine different eight–byte codes is required, each one differing from the other by at least 32 bits.
The subkey data format may include a preceding length byte and a following inverted CRC16 double byte to allow for easy checking of data integrity when reading. Using Table 6–1, it is very easy to build up the complete binary code for each command. Figures 6–1 and 6–2 explain what has to be sent by the master and what the DS1991 will do. The commands Write Scratchpad and Read Scratchpad don’t need further explanation. It is evident that data cannot be written or read outside of available address space. The Copy Scratchpad command, however, requires a Block Selector code to define which bytes must be copied to the selected subkey.
Block Selector codes (Table 6–2) are 8–byte binary numbers. This highly redundant coding was chosen to avoid inadvertent modification of subkey data. The Block Selector code is sent starting at the least significant byte with the least significant bit. If several but not all blocks have to be copied, first the scratchpad can be filled with the new data and then the Copy Scratchpad command with the appropriate Block Selector code must be sent.
Every copy cycle requires a Reset Pulse and a ROM command to be executed before the new Copy command can be issued by the master. Therefore,it can be more economical to load the complete scratchpad with data and to copy it in one stroke to the subkey, even if some of the blocks remain effectively unchanged. Every access to the password–protected memory requires sending the 8–byte password. For the DS1991, the password is always eight bytes; every bit is significant. All commands shown in Figure 6–2 include reading the subkey’s identifier before the master has to send the password. As with the password, for the DS1991 the length of the identifier is always eight bytes. The DS1991 will count the time slots to decide if it has to listen or to answer. Therefore, it is important to always read all of the bits of the identifier.
DS1991 COMMAND STRUCTURE Table 6-1
| Command | 1st byte | 2nd byte | 3rd byte |
|---|---|---|---|
| b7 b6 / b5 b4 b3 b2 b1 b0 | |||
| write scratchpad | 0x96 | 1 1 / any value 0x00 to 0x3F | |
| read scratchpad | 0x69 | 1 1 / " " 0x00 to 0x3F | ones |
| copy scratchpad | 0x3C | SubKey/ 0 0 0 0 0 0 | complement |
| read SubKey | 0x66 | SubKey/any value 0x10 to 0x3F | of |
| write SubKey | 0x99 | SubKey/ " " 0x10 to 0x3F | 2nd byte |
| write password | 0x5A | SubKey/ 0 0 0 0 0 0 |
BLOCK SELECTOR CODES OF THE DS1991 Table 6-2
| Block num | Address Range | (LSByte) Codes (MSByte) |
|---|---|---|
| 0 to 7 | 0x00 to 0x3F | 56 56 7f 51 57 5D 5A 7F |
| 0 | identifier | 9A 9A B3 9D 64 6E 69 4C |
| 1 | password | 9A 9A 4C 62 9B 91 69 4C |
| 2 | 0x10 to 0x17 | 9A 65 B3 62 9B 6E 96 4C |
| 3 | 0x18 to 0x1F | 6A 6A 43 6D 6B 61 66 43 |
| 4 | 0x20 to 0x27 | 95 95 BC 92 94 9E 99 BC |
| 5 | 0x28 to 0x2F | 65 9A 4C 9D 64 91 69 B3 |
| 6 | 0x30 to 0x37 | 65 65 B3 9D 64 6E 96 B3 |
| 7 | 0x38 to 0x3F | 65 65 4C 62 9B 91 96 B3 |
B.5. Initialization
If new DS1991s need to be initialized, the password actually stored is always unknown. In this situation, only the command Write Password starts the devices’ preparation for the application. Although the flow chart for this command looks very similar to Write Subkey, it differs in one very important point: the public readable identifier is compared to allow access, not the password. That is,instead of the unknown password, the master has to transmit exactly the subkey’s identifier that it has just read from the device. Writing the password will automatically erase the data of the subkey. The command Write Password also writes a new identifier for the subkey. As soon as the new identifier (eight bytes) and the pass-word (eight bytes) have safely arrived in the device, further changes of identifier and password should recopied from the scratchpad.