Monthly Archives: May 2015

Hacking a 2D 1002 EEPROM

Last week, a friend of mine came to me with a problem that his dentist friend was having. This dentist friend uses a teeth whitening machine, which allows for 4 x 15 minute sessions when you insert a small PCB, with a small IC on it, in the machine. After these 4 sessions, he needs to purchase a new card, which costs a lot (at least in this country).


2D 1002 my ass…

The IC on the little PCB is labeled 2D 1002 013B1, whose datasheet is nonexistent on the Net. After hours of Google’ing, and Google Translating Russian, Slovenian, German, Polish, and Czech sites for information, I realized that no one had a solution. One Russian site stated that it was a DS2430, which was wrong (DS2430 has one 256 bit memory page, and DS2431 has 4 x 256 bit memory pages – different addressing modes helped me see the difference), but it got me started. With only two active pins connected to the IC, 1-wire communication was obvious.

My Bus Pirate was on my desk for the rescue, and this Hackaday post also provided great help. I used a 1K resistor to pull up the MOSI line, since BP Wiki recommends a value below 2K for parasitic power devices. I got the 5V power from my Bus Pirate by entering W at the prompt, after entering m and 2 to enter 1-wire mode. I use screen /dev/ttyUSB0 115200 for accessing the Bus Pirate console. By the way, the 1-wire family code you get when you read the ROM with a Bus Pirate 1-wire macro (you can list them with (0)) is 0xAD, which is also nowhere to be found on the Net. You can refer to the OWFS web site for future uses.


So glad to have a Bus Pirate v3.b. That red croc clip is there to hold the resistor in place.

My first writing attempts failed miserably. Later on, when I finally dumped the whole EEPROM array with (85)(1) 0xf0 0x00 0x00 r:144 (thanks to the DS2431 datasheet), and observed the contents, I realized that the memory pages were all set to EPROM mode, which ANDs the incoming data with its contents (and they were all 0x00, except for a few).

The first two bytes of the last memory page were filled with some values, also the last 8 bytes here contained other information, such as a copy of the protect control bytes, manufacturer ID, etc. which actually reside in the last 2 bytes of the EEPROM (total EEPROM array is 18 x 8 = 144 bytes, 128 are reserved for user data). And I managed to overwrite them all with zeros.
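The EPROM-mode behaviour described above, modelled as an added example that is not part of the original post. It assumes the 2D 1002 follows the DS2431 register layout (protection control bytes at 0x80 to 0x83, 0x55 for write-protect, 0xAA for EPROM mode), ignores the scratchpad's 8-byte row granularity, and uses a constructed dump rather than the card's real contents.

```python
# Added example: DS2431-style page protection, assumed to apply to the 2D 1002.
PAGE_SIZE = 32         # 4 user pages x 32 bytes = 128 bytes
USER_SIZE = 128
PROT_BASE = 0x80       # protection control bytes for pages 0..3 (DS2431 layout)
WRITE_PROTECT = 0x55   # page cannot be written
EPROM_MODE = 0xAA      # new data is ANDed with stored data

# Constructed 144-byte dump (not the card's real contents): pages all 0x00
# except two bytes at the start of page 3, every page set to EPROM mode.
SAMPLE = bytes([0x00] * 96 + [0x3C, 0x5A] + [0x00] * 30
               + [EPROM_MODE] * 4 + [0x00] * 12)

def page_mode(dump, page):
    """Classify one user page from its protection control byte."""
    ctrl = dump[PROT_BASE + page]
    return {WRITE_PROTECT: "write-protected", EPROM_MODE: "eprom"}.get(ctrl, "open")

def simulate_write(dump, addr, data):
    """Return the dump as it would read back after writing data at addr."""
    if addr < 0 or addr + len(data) > USER_SIZE:
        raise ValueError("write must stay inside the 128-byte user area")
    out = bytearray(dump)
    for offset, new in enumerate(data):
        a = addr + offset
        mode = page_mode(dump, a // PAGE_SIZE)
        if mode == "open":
            out[a] = new
        elif mode == "eprom":
            out[a] &= new          # bits can only change from 1 to 0
        # write-protected pages keep their contents
    return bytes(out)

if __name__ == "__main__":
    for page in range(4):
        print("page", page, page_mode(SAMPLE, page))
    # Writing 0xFF over a 0x00 byte changes nothing in EPROM mode.
    print(simulate_write(SAMPLE, 0, b"\xff\xff")[:2].hex())
    # Writing zeros always "succeeds", and cannot be undone afterwards.
    print(simulate_write(SAMPLE, 96, b"\x00\x00")[96:98].hex())
```
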


Here’s the BP console with the necessary steps to read the 1-wire EEPROM.

Here’s a text file containing the EEPROM data, before I altered it. The output is from the Bus Pirate console, with my comments and extra information added.

So, the next step is to get an unused card and observe the data in it, then get a fresh DS2431 and write it the same way, and give it a try on the machine. We’ll see how it turns out this week.

Update: After seeing a couple hacks for sale on eBay and such, I realized this was not a matter of just rewriting the EEPROM. People used MCUs, probably to emulate the EEPROM any way they liked. So, I would need an actual working machine to tap the com and see what’s really going on. Naaah, screw it…

Rumi

There are many winds full of anger,
and lust and greed. They move the rubbish
around, but the solid mountain of true nature
stays where it’s always been.

Rumi