Experiences with TI BQ management IC’s when re-building laptop batteries ?
torture:
I did not pay anything extra for the remote unlocking since I bought the NLBA device. The support is great. Basically they said it does not matter how many batteries you will repair; I'm sure they will help you even if you have only one, just like in your case. They said they can use any device that supports Arduino for the remote reset, so that should also include the CP2112 (I'm not sure). If you like, you can tell me the battery model that you want to reset and I can ask them how they can help you. I'm pretty sure they will get the job done.
amyk:
--- Quote from: azzido on July 03, 2021, 08:51:22 am ---Unsealing the Apple bq20z451 newer firmwares V5, V7, V10 does not require sending a simple 2 x 32-bit password like on most bq20zxxx chips. The firmware is Apple's, and unsealing means sending about 150-200 commands, yes, a lot of commands. The unsealing algorithm is like a chain of challenge/response pairs. It is very difficult to figure out how the algorithm is implemented.
--- End quote ---
There was an investigation from a "hacker" perspective a few years ago, which is either already linked in this thread or was posted here before; basically, Apple itself needs to update the firmware, so you can RE the algorithm from the firmware updater.
--- Quote from: torture on July 03, 2021, 04:25:44 pm ---I managed to reset many BQ20zxx chips, also bq9000, and even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it. Maybe they know the master passwords? A few days ago I had a MacBook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over AnyDesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
--- End quote ---
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from brute-forcing or timing/power analysis.
azzido:
--- Quote from: amyk ---
--- Quote from: torture on July 03, 2021, 04:25:44 pm ---I managed to reset many BQ20zxx chips, also bq9000, and even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it. Maybe they know the master passwords? A few days ago I had a MacBook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over AnyDesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
--- End quote ---
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from brute-forcing or timing/power analysis.
--- End quote ---
No, there is another method. They are using a backdoor algorithm. You can't unseal any chip within a few seconds based on a password dictionary. Note that you have to wait 4000 ms after each wrong password sent. The backdoor algorithm gives you direct access to FAS (Full Access mode), so both the Unseal and FAS keys can be unknown if the backdoor key is used.
As I already mentioned, unsealing the BQ20z451 Apple firmware V5, V7, V10 (batteries newer than 2012) does not require just a simple pair of 2 x 32-bit keys. The authentication algorithm is completely different: it requires exchanging about 150-200 security pairs (challenge and response), and each response depends on the previous response.
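The two-word unseal handshake and the 4 s lockout arithmetic that the post above relies on, as an added example that is not code from this thread, from TI or from any of the tools mentioned. It assumes the bq20z-family SBS register map (ManufacturerAccess at 0x00, OperationStatus at 0x54 with SS in bit 13 and an active-low FAS flag in bit 14) and the TI default keys; the gauge is a simulation driven by a virtual clock so the lockout costs no real time. Against hardware, an smbus2-backed object with the same `write_word`/`read_word` methods would replace `SimulatedGauge` and `time.monotonic`/`time.sleep` would replace `VirtualClock`.

```python
# Added example: bq20z-style unseal over SBS, plus the cost of guessing keys.
# Register numbers, bit positions and default keys below are assumptions, not from the thread.

MANUFACTURER_ACCESS = 0x00   # assumed bq20z register: the key words are written here
OPERATION_STATUS = 0x54      # assumed bq20z register: security-mode flags
SS_BIT = 1 << 13             # 1 = sealed
FAS_BIT = 1 << 14            # active-low: 1 = NOT in full-access mode
WRONG_KEY_PENALTY_S = 4.0    # lockout after a wrong key, as described in the thread

# TI factory defaults as (first word, second word); real packs usually change them.
DEFAULT_UNSEAL_KEY = (0x0414, 0x3672)
DEFAULT_FULL_ACCESS_KEY = (0xFFFF, 0xFFFF)


class VirtualClock:
    """Clock that advances only when asked, so lockouts cost no wall-clock time."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


class SimulatedGauge:
    """Sealed -> unsealed -> full_access state machine of a bq20z-style gauge (simulation)."""
    def __init__(self, clock, unseal_key, full_access_key):
        self.clock = clock
        self.unseal_key = unseal_key
        self.full_access_key = full_access_key
        self.mode = "sealed"
        self.pending = None          # first word of a two-word key write
        self.locked_until = 0.0

    def write_word(self, reg, value):
        if reg != MANUFACTURER_ACCESS or self.clock.now() < self.locked_until:
            return                   # writes during the penalty window are ignored
        if self.pending is None:
            self.pending = value & 0xFFFF
            return
        pair, self.pending = (self.pending, value & 0xFFFF), None
        if self.mode == "sealed" and pair == self.unseal_key:
            self.mode = "unsealed"
        elif self.mode == "unsealed" and pair == self.full_access_key:
            self.mode = "full_access"
        else:
            self.locked_until = self.clock.now() + WRONG_KEY_PENALTY_S

    def read_word(self, reg):
        if reg != OPERATION_STATUS:
            return 0
        status = 0
        if self.mode == "sealed":
            status |= SS_BIT
        if self.mode != "full_access":
            status |= FAS_BIT
        return status


def security_mode(gauge):
    """Decode OperationStatus into sealed / unsealed / full_access."""
    status = gauge.read_word(OPERATION_STATUS)
    if status & SS_BIT:
        return "sealed"
    return "unsealed" if status & FAS_BIT else "full_access"


def send_key(gauge, key):
    """A key is two 16-bit words written back to back to ManufacturerAccess."""
    gauge.write_word(MANUFACTURER_ACCESS, key[0])
    gauge.write_word(MANUFACTURER_ACCESS, key[1])


def unseal(gauge, unseal_key, full_access_key=None):
    """Try to reach unsealed (and, if a FAS key is given, full_access); return the mode reached."""
    if security_mode(gauge) == "sealed":
        send_key(gauge, unseal_key)
    if full_access_key is not None and security_mode(gauge) == "unsealed":
        send_key(gauge, full_access_key)
    return security_mode(gauge)


def dictionary_unseal(gauge, clock, candidates):
    """Try candidate unseal keys in order, waiting out the lockout after each miss.

    Returns (key_or_None, attempts, seconds_spent): n wrong guesses cost 4n seconds
    before the next candidate is even evaluated, so a 2-3 s unseal means the first
    key sent was already right.
    """
    start = clock.now()
    for attempts, key in enumerate(candidates, start=1):
        if unseal(gauge, key) != "sealed":
            return key, attempts, clock.now() - start
        clock.sleep(WRONG_KEY_PENALTY_S)
    return None, len(candidates), clock.now() - start


if __name__ == "__main__":
    clock = VirtualClock()
    gauge = SimulatedGauge(clock, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY)
    guesses = [(0x1234, 0x5678), (0xDEAD, 0xBEEF), DEFAULT_UNSEAL_KEY]   # constructed list
    key, n, secs = dictionary_unseal(gauge, clock, guesses)
    print(f"unsealed with {key} after {n} tries and {secs:.0f} s of lockout")
    print("mode after FAS key:", unseal(gauge, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY))
```

The simulation also drops writes that arrive inside the penalty window, so a correct key sent too early after a miss is silently lost; a real dictionary tool therefore has to wait the full 4 s between guesses, which is what makes a multi-second unseal incompatible with guessing more than a key or two.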
peterburk:
Is it possible (safe?) to desolder a BQ20Z451 chip from an A1406 battery pack (7.3V) and put it onto a PCB for an A1494 battery pack (11.26V)?
The reason I'm considering this route is because the chip in the A1406 is running firmware 406, and can be unsealed. I got it from the scrap at a third-party Mac repair shop.
I also have an EV2300, a Saleae logic analyser, a MacBook Pro 2007 battery connector for SMBus, and Charlie Miller's code modified for unseal-code fuzzing, and I am hoping to receive a CP2112 soon.
whitepawn:
Hi,
I just made my own PCB BMS design with a BQ30Z55 chip bought from AliExpress. But as you might guess, the chips came blank, so I need firmware for the BQ30Z55. I have an EV2300/2400 and BQEVSW to program it. The device is in TI boot mode right now. Does anyone have any version of the firmware (*.senc file)?