A Touch Memory Primer
by Kingpin (kingpin@l0pht.com
Have you ever wondered what those small coin-like devices attached to a person's key-chain or ID badge are for? No? Well, you will. Dallas Semiconductor iButton Touch Memory devices are cropping up all over the world. Used as a replacement for smart cards, barcodes, magnetic stripes, and RF tags, these devices contain a combination of non-volatile RAM, EEPROM, real-time clock, temperature, cryptography, and Java features that are used for applications ranging from debit to access control to medicine tracking. These devices are specified to have 10-year data retention and are housed in a rugged stainless steel can.
Sun Microsystems recently gave away iButton Java Rings to attendees of the Java One conference in California. The ring has 32 kB of ROM, 6 kB of non-volatile SRAM, a real-time clock, "math accelerator" for RSA encryption, and a Java virtual machine. Upon check-in at the conference, one entered data into the ring - personal information and preferred coffee type. Similar to a college ID, one used the iButton for identification and debit throughout the conference. Walk up to the coffee machine, insert your ring, communicate via an encrypted channel, and receive your favorite coffee. One can program their own Java applets into the ring to exchange and store "business card" information or other data. Trivial, yes, but think of what may come. The possibilities are endless.
There are many types of iButtons, allowing for a practically unlimited range of use, but they all have the same underlying technology and all communicate in the same way. This article will give you a basic overview of the functionality and methods of communication with the iButton.
Functionality
The iButtons use a novel type of "1-Wire Interface," created by Dallas Semiconductor, to communicate between the button and the host - a PC or other type of embedded system (see 1-Wire Networking Protocol section). By using minimal circuitry, often just a Zener diode for port pin protection from static discharge and a pull-up resistor, one can easily interface the iButton with a microprocessor. The internal circuitry of the iButton lends itself to easy, albeit timing-sensitive, communications. The data are both read and written with a single pin, plus signal ground. By toggling the direction of a port pin (input or output) on a microprocessor, one can transmit commands, serially, bit-by-bit, to the iButton and read its responses. The communication protocol is very clever. Dallas Semiconductor actually uses the 1-Wire Interface for some of its other components as well, not just the iButton.
Each iButton, no matter what type, is assigned a 64-bit ID etched into the silicon. It can be broken down in the following fashion:
Family Code (8-bits) - Serial # (48-bits) - CRC (8-bits) |
The 1-byte Family Code identifies the specific type of iButton.
The 6-byte Serial Number is unique and no two buttons will have the same number. This may lead to Big Brother-type thoughts in your head because of its complete traceability, but there are actually many instances where the unique ID is necessary.
The 1-byte Cyclic Redundancy Check (CRC) is just that. A checksum. This can and should be used by the host system to verify proper data transfer.
Currently, this 64-bit number is not a secret. It is printed directly onto the stainless steel case of the iButton. Although it's very helpful for testing and debugging, this may lead to a security problem if identification is based solely on the ID and someone finds a way to "clone" the iButton. Of course, some one could just steal it. As with any security implementation, you want to try and raise the bar to prevent the "ankle biters" from unauthorized access.
Along with the unique ID, each iButton can contain NVRAM, EEPROM, real-time clock, or a temperature sensor. See Table 1 for a listing of iButton types (graciously borrowed from www.ibutton.com/data-apps.html).
Table 1: iButton Product Selection Guide Part Number Description Memory DS1920 Temperature iButton 16-bit EEPROM DS1954 Crypto iButton Secure co-processor with 6 kB RAM and 32 kB ROM DS1963 Monetary iButton 4096-bit NVRAM DS1971 EEPROM iButton 256+64-bit EEPROM DS1982 Add-Only iButton 1024-bit EPROM DS1985 Add-Only iButton 16,384-bit EPROM DS1986 Add-Only iButton 65,536-bit EPROM DS1990A Serial Number iButton Not Applicable DS1991 Multikey iButton 1344-bit NVRAM DS1992 Memory iButton 1024-bit NVRAM DS1993 Memory iButton 4096-bit NVRAM DS1994 Memory iButton + Time 4096-bit NVRAM DS1995 Memory iButton 16,384-bit NVRAM DS1996 Memory iButton 65,536-bit NVRAM |
You would, of course, choose the iButton that most closely fits your needs. The prices are all relatively cheap and may run between $1.00 and $4.00 if purchased in quantity.
The United States Postal Service has recently started to use the DS1990A Serial Number-only iButton as a replacement for the barcode technology that was used for many years. The iButton can withstand being out in an open environment, unlike a barcode that will rapidly wear. There is an iButton mounted on the inside of every blue mailbox across the country, which is used to easily identify the mailbox and track the movement of the mail. It might also be a way to keep tabs on the postal workers to make sure they retrieve the mail from each of the locations. The DS1990A iButton consists of the 64-bit unique ID only and doesn't support any type of memory. The postal workers carry a portable, pen-sized reader, which records the time and identification of each mailbox along the route.
Operation
There are three basic software routines that are used to communicate with the iButton. There is example code available (see Table 3) in assembly language for the Intel 8051 and in C for the PC with a standard UART. Communications with the iButton are half-duplex (either transmitting or receiving, not both at the same time) and extremely timing sensitive. If the system is interrupted during iButton communications, it will fail. For my particular application, I simply disabled global interrupts while the iButton was in action. In some cases, this isn't possible to do, and you'll have to write your code to keep resetting and re-attempting the communication until it finishes undisturbed.
TouchReset(void)
This procedure transmits the Reset signal (480 µS low pulse) to the Touch Memory and watches for a presence pulse (low pulse) returned from the iButton (see Figure 1). When the iButton is inserted into its socket, it is powered by the 1-Wire Interface. It immediately sends out a "presence pulse," which says, "I'm here" to the host. This initial presence pulse can be tied to an active-low interrupt line of the processor. Once the presence pulse is detected, the TouchReset() function is called to reset the iButton and confirm that the button is still there and ready for communications. This is similar to debouncing a mechanical switch.
TouchByte(unsigned char outch)
This procedure sends a byte, outch, to the Touch Memory and simultaneously returns one byte from the Touch Memory to the calling routine. Specific one-byte, iButton-specific commands are transmitted serially, bit-by-bit, to the Touch Memory (read ROM, write to Memory, etc. - see Tables 2 and 3). This is the most important piece of the puzzle. Sending and receiving specific commands using this routine will allow complete control of the Touch Memory.
TouchByte() consists of eight calls to a Touch Bit routine, which transfers only one bit of information between the host and the Touch Memory. Using a single port pin to both send and receive data fits exactly with the bi-directional port pin hardware philosophy. Configuring the port pin as either an input or output will affect how the data is interpreted by the iButton. The state of the port pin is varied many times during a data transfer.
PulWidth(void)
This procedure, unused in most implementations depending on the family of iButton, generates a 0.5 ms low pulse (see Figure 2). This routine is used to generate a programming pulse for the EPROM (one-time-programmable, not erasable) Touch Memory devices.
1-Wire Networking Protocol
The Dallas Semiconductor 1-Wire Networking/Interfacing protocol consists of an OSI-layered architecture, similar to TCP/IP or IrDA. The 1-Wire Interface supports having multiple iButton devices on the bus at any given time. It is necessary to look at this protocol, since it defines all of the communications and standards of the Dallas iButton. The following information was taken from the Dallas Semiconductor Book of DS19xx iButton Standards, which goes into greater detail than what is provided here.
1-Wire Protocol Layered Architecture
Physical Layer
This layer defines the electrical characteristics, required logical voltage levels and timing constraints of the Touch Memory interface.
Link Layer
This layer defines the basic communication functions of Touch Memory: TouchReset and TouchByte, described in the Operation section above. Once the iButton responds to the TouchReset command with a Presence Pulse, communication continues with the Network layer.
Network Layer
This layer handles the commands responsible for identification of the Touch Memory device, known as "ROM Commands" (see Table 2). All iButtons support these commands, with the exception of the DS1990A, which support only a subset.
Transport Layer
This layer handles the commands responsible for non-ROM features of the Touch Memory device - Non-Volatile RAM (NVRAM), scratchpad, temperature sensor, and other special functions. Each iButton family supports only a subset of these commands (see Table 3) depending on its capabilities.
Presentation Layer
This layer provides a DOS-like file system supporting functions like Format, Directory, Type, Copy, Delete, etc. This allows the Touch Memory device to be treated like a floppy disk. By using this layer, one can avoid using the "low level" commands from the Network and Transport layers.
Table 2: Basic Touch Memory Command Set
Command Hex Value Description
READ ROM $33 Responds with 64-bit unique ID.
$0F (DS1990A)
---------------------------------------------------------------------------------------------------------
SKIP ROM $CC To broadcast data to all Touch Memory devices connected to the bus.
---------------------------------------------------------------------------------------------------------
MATCH ROM $55 To address a specific Touch Memory device on the bus.
---------------------------------------------------------------------------------------------------------
SEARCH ROM $F0 All devices on the bus respond with its 64-bit unique ID.
---------------------------------------------------------------------------------------------------------
OVERDRIVE SKIP ROM $3C To set all capable devices to "overdrive" speed and broadcast
data to all Touch Memory devices connected to the bus.
---------------------------------------------------------------------------------------------------------
OVERDRIVE MATCH ROM $69 To address a specific Touch Memory device on the bus and set it into
"overdrive" speed.
|
Table 3: Advanced Touch Memory Command Set
Command Hex Value Description
READ MEMORY $F0 To read one or more consecutive bytes.
---------------------------------------------------------------------------------------------------------
EXTENDED READ $A5 (EPROM) To read one or more consecutive bytes with inverted CRC16 response.
MEMORY
---------------------------------------------------------------------------------------------------------
READ SUBKEY $66 (DS1991) To read one or more consecutive bytes from a password-protected page.
---------------------------------------------------------------------------------------------------------
WRITE SCRATCH PAD $0F, $96 (DS1991) To write one or more consecutive bytes to the scratchpad.
---------------------------------------------------------------------------------------------------------
READ SCRATCH PAD $AA To read one or more consecutive bytes of the scratch pad.
$69 (DS1991)
---------------------------------------------------------------------------------------------------------
COPY SCRATCH PAD $55, $3C (DS1991) To copy scratchpad data to a location in memory.
---------------------------------------------------------------------------------------------------------
WRITE SUBKEY $99 (DS1991) To write one or more consecutive bytes to a password-protected page.
---------------------------------------------------------------------------------------------------------
WRITE PASSWORD $5A (DS1991) Set the password of a password protected page.
Erases all data within that page.
---------------------------------------------------------------------------------------------------------
WRITE MEMORY $0F (EPROM) To transfer, verify, and program one or more consecutive bytes.
---------------------------------------------------------------------------------------------------------
WRITE STATUS $55 (EPROM) To transfer, verify, and program one or more consecutive bytes to
the "status memory" section.
---------------------------------------------------------------------------------------------------------
READ STATUS $AA (EPROM) To read one or more consecutive bytes from "status memory" section
with inverted CRC16 response.
|
You Want More?
If this article has piqued your interest, which I hope is has, I'd suggest reading through the databooks and application notes, which explain the devices more thoroughly than I have.
You should also read through the application notes for iButton interfacing and standards. You will find timing diagrams and detailed datasheets here. They are available in both PDF and printed form.
- Application Note #74 - Reading and Writing iButton via Serial Interface
- Dallas Semiconductor Technical Reference Documents
- Book of DS19xx iButton Standards
- Automatic Identification Data Book
An iButton Development Kit is also available, which includes many types of iButtons and sockets and comes with a nice serial port interface and PC software for iButton experimentation. Although not free (less than $100, I believe), it's highly recommended if you decide to do development or take a deeper look into the iButton.
You can talk to and request information from a real human being by calling the Dallas Semiconductor/iButton office at 800-336-6933. Please be nice.