Hacking an iButton


Maxim’s iButtons, which are small ICs in button-sized disks, are starting to show up in more and more places. They have a range of uses, from temperature loggers to identification, and all use the 1-wire protocol to communicate. Over a furrtek, they hacked an iButton used for buying things from vending machines and created an infinite money cheat. They built a small rig based on the ATmega8 to read and write data to the chip. The data was encrypted, so it wasn’t feasible to put an arbitrary amount on the card. Instead, they used a similar technique to the Boston subway hack and restored a previous state to the iButton after something was bought. They also created a hand-held device to backup and restore the contents of a button for portable hacking.

[Thanks furrtek]


  1. Jen says:

    As much as I like iButtons, this is the fault of whatever engineer decided that it was a good idea to use the NVRAM button instead of one of the secure buttons. The DS1961S or DS1991 would have been a much better choice.

    Otherwise, they may as well just use MMC cards.

  2. h_2_o says:

    agreed, the secure buttons are more difficult to do anything with and i’ve noticed more and more companies using them instead. actually i’ve not even seen any nvram buttons for use with any security type situations around here. heck even arcade games use the secure ones, look at megatouch games, the use the secure buttons to determine which version of their software the machine is able to run.

  3. j says:

    Remember that the person who has given you the iButton has most likely recorded your serial number and probably checks the audit records of who’s buying what and how much and how much money they actually pay in. You may just find yourself looking at something a lot more expensive if they figure out someone’s been messing with (read stealing from) their vending system.

  4. CaitSith2 says:

    True that they may audit serial numbers and that stuff, but if there are self serve recharge machines, and you can just buy any DS1992 buttons from another source, and load $10 on one of them, then it would be a lot harder to track down.

    The epic fail is the replay attack working, because of no tracking whatsoever, between vending machines, or even on the one machine itself.

  5. Simbo says:

    As I remember each ibutton has a unique 64-bit id number so if the vending machine does log each transactions with the time and date then it would be only a waiting game before you were caught on CCTV once they realised what was going on!

  6. DarkFader says:

    Nonsecure iButtons work great as a key (until they get skimmed of course).
    Anyway, You can buy an iButton-to-RJ11 cable off-the-shelf and hook up an emulator for more fun.

  7. farthead says:

    They did not hack an iButton. The company that uses the damn thing were morons and used a cheap non protected ibutton. They “hacked” a moron system.

    it’s not hacking if the maker was a bag of retards and used a standard ibutton instead of a crypto one.

    Call me when they actually hack an ibutton instead of something that some idiot screwed up.

  8. sam says:

    it’s sad to see that spammers are getting on this website now :[

  9. localroger says:

    This is what happens when you depend on security through not all that obscurity.

  10. cde says:

    Where are these ibuttons being used?

    And they probably arn’t monitoring the logs until after they notice a big difference in money/product. After all, they probably think these things are 100% secure, or not common knowledge like the coke soda trick.

  11. KNfLrPn says:

    These are used as keys at my apartments, but I’m almost certain that they use the iButtons that only contain a fixed number. They claim that they’re unduplicatable. I want to prove them wrong, but I doubt they would appreciate my white-hat endeavors.

  12. Marco says:

    It’s worth noting that maxim is very generous with sending out free sample parts, including many items from their ibutton line. check their website for details.

  13. furrtek says:

    About those used as keys: we are also building an even simpler device that can emulate a DS1990 with any serial number. So yes, they’re very easily duplicatable.

  14. kingpin says:

    @jan: The DS1991 was broken years ago and, AFAIK, has not been fixed… http://tinyurl.com/nwz54v

  15. Ahmed says:

    I am looking for emulator of Dallas DS1990 , please whoever know source for it to advise me

  16. Big-Oh says:

    i need to hack the i-button on my e-range key in order to get free golf range balls at the local course so I can practice for free. How do I go about this?

  17. bill says:

    same here i wish there was a hack to get free range balls out of that machine with my e-range key

  18. El Tipo says:

    If you need a device to emulate the DS1990, contact us at etipo01@gmail.com.
    For educational use only!

  19. El Tipo says:

    We still have it!
    DS1990 simulator.
    Micro-controller based unit.

  20. GEORGI says:

    **DS1990A and DS1990R

  21. gso says:

    I have a ds ibutton 1991 and 9091 b adapter, only that he has a password ibutton I can copy it?

  22. andy says:

    Is ther anyone out there that can help me hack a DS1971-F5 i button
    I had a break in and the i button coder was stolen.
    I hope someone out there can help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 98,361 other followers