Author Topic: Experiences with TI BQ management IC's when re-building laptop batteries ?


Offline GlennSprigg

  • Super Contributor
  • ***
  • Posts: 1259
  • Country: au
  • Medically retired Tech. Old School / re-learning !
'Safety' my 'ass!!!'...  I smell a rat, as big as an Aussie Wombat!!!
Bloody ruse, to take away home servicing possibilities.
Diagonal of 1x1 square = Root-2. Ok.
Diagonal of 1x1x1 cube = Root-3 !!!  Beautiful !!
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8526
https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/196/bqEVSWSetup00.09.92_5F00_bq30z55v0.36R3c.exe

(Found while searching the TI site - download and archive quickly, I suspect they may not be too keen on these being shared.)
 

Offline torture

  • Newbie
  • Posts: 5
  • Country: bg
Thank you, I downloaded and installed it. I was searching the TI website and forums for a long time but I missed this one. Unfortunately the chip that I have is some different version that is not supported by this version of BQEVSW. So I still have to find the right one. Does anyone know what exactly the version of this chip is, so I can search for the version of BQEVSW that works with it?

« Last Edit: March 15, 2021, 02:26:24 pm by torture »
 

Offline peterburk

  • Newbie
  • Posts: 2
  • Country: nz
Have any of you had any success unsealing a TI BQ20Z451 gas gauge chip?

In September 2020, my 2014 MacBook Pro 15" Retina A1398 battery cells started swelling. The computer's long out of AppleCare, so getting an original part isn't an option.
I bought a third-party replacement battery, but that broke the logic board.
The fake battery has an idle voltage of 12V, compared to the original which idles at 2V and "wakes up" to 12V. This is important because there can be voltage spikes during power state changes.
I tried replacing the cells, but in the process I disconnected power, and now the PF flag is set due to an undervoltage error.

Charlie Miller's research was helpful, but his hack only works on the BQ20Z80, an older model.

https://docplayer.net/19923167-Battery-firmware-hacking-inside-the-innards-of-a-smart-battery-charlie-miller-accuvant-labs-charlie-miller-com-twitter-0xcharlie.html
I'm using Charlie's code to write a fuzzer for an unseal code of 8 hex digits, but I guess this won't work if the code is in fact a 160-bit SHA-1.

Be2Works can't unlock TI BQ20Z45x firmwares newer than v5 (mine is 702).
http://be2works.com/

Can any of you help me figure out what to try next? Any advice would be helpful! I'm willing to try voltage glitching, but wouldn't that just trigger the PFF again?

And if any of you know how I can get batteries shipped to New Zealand, I could also buy that. iFixit and OWC won't even send batteries here (though rumour has it that their batteries are the same as the one that broke mine).
https://www.ifixit.com/Answers/View/670587/A1398+-+New+Simplo+battery+-+System+dead+after+3+days.


 
The following users thanked this post: Alex Eisenhut

Online Fraser (Topic starter)

  • Super Contributor
  • ***
  • Posts: 13524
  • Country: gb
Apple offered a battery replacement deal on my iPad Air2 at a cost of £80 and they gave me a brand new iPad Air2. For me, that was a good deal. Have you asked your local Apple service centre what they charge for battery replacement on your MAC ? I see that in the UK the price appears to be £129 or £199 depending upon model of MAC PRO. It may be worth investigating ? A decent quality replacement battery could easily cost £80 so £129, including labour, did not sound too bad to me.

Apple appear to be aware of the bad publicity that battery failure in Apple products has attracted in the past and seem to have offered reasonable solutions at reasonable cost for such failures.

https://support.apple.com/en-gb/mac/repair/service

Fraser
« Last Edit: May 20, 2021, 01:29:07 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline azzido

  • Newbie
  • Posts: 5
  • Country: ro
The TI bqEVSW does not contain the custom chip plugins. It contains only the plugins for the public chips.

As far as I know, Apple uses in their latest batteries an old TI chip bq20z451 but with different firmware versions, V5.xx, V7.xx, V10.xx. The Be2works program does not support these firmwares. I found a tool which seems to be an all-in-one device to repair laptop batteries: https://www.laptopu.ro/product/professional-laptop-battery-analyzer-nlba1/
Here is the supported list for laptop battery chip reset: https://www.laptopu.ro/product/chip-reset-repair-laptop-battery/ it supports the bq20z451 Apple up to V5 firmware.
I contacted them and they said that they can unseal Apple firmware versions higher than V5 remotely, but it requires having their NLBA1 device.

Does anyone have an NLBA1 device ? I don't want to pay $249 just to repair one battery.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8526
Can any of you help me figure out what to try next? Any advice would be helpful! I'm willing to try voltage glitching, but wouldn't that just trigger the PFF again?
Power/timing analysis.

Like picking a lock, you want to change one byte or even bit at a time on each try, and observe the effects that has on the current draw and timing.
 

Offline azzido

  • Newbie
  • Posts: 5
  • Country: ro
Apple offered a battery replacement deal on my iPad Air2 at a cost of £80 and they gave me a brand new iPad Air2. For me, that was a good deal. Have you asked your local Apple service centre what they charge for battery replacement on your MAC ? I see that in the UK the price appears to be £129 or £199 depending upon model of MAC PRO. It may be worth investigating ? A decent quality replacement battery could easily cost £80 so £129, including labour, did not sound too bad to me.

Apple appear to be aware of the bad publicity that battery failure in Apple products has attracted in the past and seem to have offered reasonable solutions at reasonable cost for such failures.

https://support.apple.com/en-gb/mac/repair/service

Fraser

Unsealing the newer Apple bq20z451 firmwares (V5, V7, V10) does not require sending a simple 2 x 32-bit password like on most bq20zxxx chips. The firmware is Apple's and unsealing means sending about 150-200 commands, yes, a lot of commands. The unsealing algorithm is like a chain of challenge-and-response pairs. It is very difficult to figure out how the algorithm is implemented. If you have an EV2300 I can unseal your battery for free. Just install AnyDesk or TeamViewer and contact me in private.
 

Offline torture

  • Newbie
  • Posts: 5
  • Country: bg
The TI bqEVSW does not contain the custom chip plugins. It contains only the plugins for the public chips.

As far as I know, Apple uses in their latest batteries an old TI chip bq20z451 but with different firmware versions, V5.xx, V7.xx, V10.xx. The Be2works program does not support these firmwares. I found a tool which seems to be an all-in-one device to repair laptop batteries: https://www.laptopu.ro/product/professional-laptop-battery-analyzer-nlba1/
Here is the supported list for laptop battery chip reset: https://www.laptopu.ro/product/chip-reset-repair-laptop-battery/ it supports the bq20z451 Apple up to V5 firmware.
I contacted them and they said that they can unseal Apple firmware versions higher than V5 remotely, but it requires having their NLBA1 device.

Does anyone have an NLBA1 device ? I don't want to pay $249 just to repair one battery.

I've been using the NLBA device for a month already and I'm quite impressed, to be honest. Definitely worth every cent. Basically you can use it in 2 ways: as a battery charger/discharger for calibration & testing, and, most importantly, it has chip reset features. The list of supported chips is quite good. I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a MacBook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over AnyDesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
 

Offline azzido

  • Newbie
  • Posts: 5
  • Country: ro
Have you paid extra for Macbook battery remote unseal ?

It looks like an all-in-one device but mainly for those who are repairing more batteries. I have only one. Do you know if these guys can repair my battery with a CP2112 ?
 

Offline torture

  • Newbie
  • Posts: 5
  • Country: bg
I did not pay anything extra for the remote unlocking since I bought the NLBA device. The support is great. Basically they said it does not matter how many batteries you will repair. I'm sure they will help you even if you have only 1, just like in your case. They said they can use any device that supports Arduino for remote reset, so that should also include the CP2112 (I'm not sure). If you like you can tell me what the battery model is that you want to reset and I can ask them how they can help you. I'm pretty sure they will get the job done.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8526
Unsealing the newer Apple bq20z451 firmwares (V5, V7, V10) does not require sending a simple 2 x 32-bit password like on most bq20zxxx chips. The firmware is Apple's and unsealing means sending about 150-200 commands, yes, a lot of commands. The unsealing algorithm is like a chain of challenge-and-response pairs. It is very difficult to figure out how the algorithm is implemented.
There's an investigation from a "hacker" perspective a few years ago which is either already linked in this thread or posted here before; basically Apple itself needs to update the firmware, so you can RE the algorithm from the firmware updater.
I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a MacBook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over AnyDesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from bruteforcing or timing/power analysis.
« Last Edit: July 04, 2021, 01:42:20 am by amyk »
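The post above suggests reading the bus with a logic analyser. Whatever tool does the unsealing, the gauge only ever sees SMBus word writes and reads addressed to the standard SBS battery address, so the first step in making sense of a capture is decoding those frames and checking their PEC bytes. The following script is an added example, not code from this thread or from TI or any of the tools mentioned: it decodes a constructed capture (one transaction per line, hex bytes as they appear on the wire) into SBS command names and 16-bit values, and verifies the SMBus PEC (CRC-8, polynomial 0x07) so that corrupted or mis-sampled frames are flagged rather than misread. The command-code table is the public SBS subset; the capture bytes and the 0x1234 data word are made up for the example.

```python
"""Decode captured SMBus/SBS word transactions to a gas gauge and verify PEC.

Added example, not from the thread. Input is a constructed capture: one
transaction per line, hex bytes exactly as they appear on the wire, address
byte(s) and trailing PEC byte included.
"""
from dataclasses import dataclass
from typing import List

SBS_ADDR = 0x0B  # 7-bit SBS smart battery address: 0x16 (write) / 0x17 (read) on the wire

# Public SBS (Smart Battery Data Spec) command codes that bq gauges implement (subset).
SBS_COMMANDS = {
    0x00: "ManufacturerAccess",
    0x08: "Temperature",
    0x09: "Voltage",
    0x0A: "Current",
    0x0D: "RelativeStateOfCharge",
    0x16: "BatteryStatus",
    0x18: "DesignCapacity",
    0x19: "DesignVoltage",
    0x1C: "SerialNumber",
}


def smbus_pec(data: bytes) -> int:
    """SMBus PEC: CRC-8 with polynomial x^8 + x^2 + x + 1 (0x07), init 0, MSB first,
    no reflection, computed over every byte on the wire including address bytes."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass
class Transaction:
    is_write: bool
    command: int
    name: str
    word: int      # 16-bit little-endian value written or returned
    pec_ok: bool   # False means the frame must not be trusted


def decode_frame(frame: bytes) -> Transaction:
    """Decode one SMBus word write (5 bytes) or word read (6 bytes) to the gauge.

    Write word: [addr|W, cmd, lo, hi, pec]
    Read word:  [addr|W, cmd, addr|R, lo, hi, pec]   (repeated start after cmd)
    """
    if frame[0] != SBS_ADDR << 1:
        raise ValueError(f"unexpected address byte 0x{frame[0]:02X}")
    body, pec = frame[:-1], frame[-1]
    command = body[1]
    if len(frame) == 6 and body[2] == (SBS_ADDR << 1) | 1:
        is_write, lo, hi = False, body[3], body[4]
    elif len(frame) == 5:
        is_write, lo, hi = True, body[2], body[3]
    else:
        raise ValueError(f"unsupported frame shape: {frame.hex()}")
    return Transaction(
        is_write=is_write,
        command=command,
        name=SBS_COMMANDS.get(command, f"Unknown(0x{command:02X})"),
        word=lo | (hi << 8),
        pec_ok=smbus_pec(body) == pec,
    )


def decode_capture(lines: List[str]) -> List[Transaction]:
    """Decode every non-empty capture line; bytes.fromhex() ignores the spaces."""
    return [decode_frame(bytes.fromhex(line)) for line in lines if line.strip()]


# Constructed capture (not from a real battery):
#   1. host writes 0x1234 to ManufacturerAccess, PEC valid
#   2. host reads Voltage, gauge answers 0x2F04 = 12036 mV, PEC valid
#   3. host reads RelativeStateOfCharge, but the PEC byte is corrupted (should be 0xBD)
SAMPLE_CAPTURE = [
    "16 00 34 12 C0",
    "16 09 17 04 2F F2",
    "16 0D 17 5A 00 FF",
]

if __name__ == "__main__":
    for t in decode_capture(SAMPLE_CAPTURE):
        kind = "WRITE" if t.is_write else "READ "
        flag = "" if t.pec_ok else "   <-- PEC mismatch, discard"
        print(f"{kind} {t.name:<22} 0x{t.word:04X}{flag}")
```

Real analyser exports will need a small adapter to this one-line-per-transaction form, and block reads (ManufacturerName, DeviceName, and the vendor-specific block commands a repair tool may use) carry a length byte that this word-only decoder does not handle; the PEC routine applies unchanged to those frames.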
 

Offline azzido

  • Newbie
  • Posts: 5
  • Country: ro

I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a MacBook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over AnyDesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from bruteforcing or timing/power analysis.
No, there is another method. They are using a backdoor algorithm. You can't unseal any chip within a few seconds based on a password dictionary. Note that you have to wait 4000 ms after each wrong password sent. The backdoor algorithm gives you direct access to FAS (Full Access mode), so both the Unseal and FAS keys can be unknown if the backdoor key is used.

As I already mentioned, unsealing BQ20z451 Apple firmware V5, V7, V10 (batteries newer than 2012) does not require just a simple pair of 2 x 32-bit keys. The authentication algorithm is completely different; it is an algorithm that in general requires exchanging about 150-200 security pairs (challenge and response), but the current response is related to the previous response.
 

Offline peterburk

  • Newbie
  • Posts: 2
  • Country: nz
Is it possible (safe?) to desolder a BQ20Z451 chip from an A1406 battery pack (7.3V) and put it onto a PCB for an A1494 battery pack (11.26V)?

The reason I'm considering this route is because the chip in the A1406 is running firmware 406, and can be unsealed. I got it from the scrap at a third-party Mac repair shop.

I also have an EV2300, Saleae logic analyser, MacBook Pro 2007 battery connector for SMBus, Charlie Miller's code modified for unseal code fuzzing, and am hoping to receive a CP2112 soon.
« Last Edit: July 12, 2021, 05:45:27 am by peterburk »
 

Offline whitepawn

  • Newbie
  • Posts: 3
  • Country: 00
Hi,

I just made my own PCB BMS design with a BQ30Z55 chip bought from AliExpress. But as you might guess, the chips came blank, so I need firmware for the BQ30Z55. I have an EV2300/2400 and BQEVSW to program it. The device is in TI boot mode right now. Does anyone have any version of the firmware (*.senc file)?
 
