EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: Fraser on September 28, 2019, 01:43:27 pm

Title: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on September 28, 2019, 01:43:27 pm
Dear All,

I am more commonly found helping in the Thermal Imaging sub forum but I have come out into ‘General Population’ to ask for some help for a change.

This post relates to replacing cells in laptop and tablet battery packs that are using the various Texas Instruments BQ series battery management chips. For those unaware, the TI BQ chips come in many types and with varying features. What is common to all is the ‘battery lockout’ feature that basically disconnects the battery supply terminal if an imbalance or failure of a cell in the pack is detected. This is a safety feature and not a bad idea as it prevents overheating cells ! Sadly the BQ chips have evolved over the years. Whilst early versions were quite ‘dumb’ and could be persuaded to reconnect the battery to the outside world if the fault condition was corrected, later versions are more sophisticated and can permanently lock-out the battery terminals unless the BQ chip is ‘unsealed’ and then the fault flag reset after new cells are fitted. Even accidentally disconnecting good cells in such a battery can cause a lock-out and effective loss of the battery from use. I am all for safety where Lithium cells are concerned but sadly the battery ‘lock-out’ feature has expanded to cover not only faults, but also charge/discharge cycles ! So in theory, perfectly healthy cells are placed beyond use by an arbitrary charge count. Now the killer..... to unseal a modern BQ chip to change its settings in lock-out status you need a password ! And, you guessed it, many manufacturers set their own password and even use custom firmware in the TI BQ chips. If you get lucky, the default TI password is used but such is not to be expected these days.

So the situation that faces me is having several different modern Lithium Ion battery packs that are in Lock-out, likely due to long term storage as they are almost new. I can buy new Lithium Ion cells for them without difficulty but I suspect the TI BQ chip will hamper or even prevent my plan to fit new cells in the packs. These tablet and laptop batteries are uncommon Military types so I cannot just buy new ones.

So, to the topic of this post. Has anyone else had experiences, good, or bad, when trying to fit new cells into a battery that is in ‘Lock-out’ and contains a BQ series battery management chip ? Any and all experiences are welcomed. Does anyone know any BQ chip passwords ? Sharing those might help others who read this post. I am dealing with Samwell, Itronix (General Instruments) and Getac batteries but Dell, HP and other makes are also of interest to me.

I just bought the official Texas Instruments EV2400 USB interface unit to communicate with the batteries via their normal SMBus I/O path so that side of things is covered.

Regards to all

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: drussell on September 28, 2019, 02:03:05 pm
Are the typical implementations generic enough that you could just replace the chip and use your own generic settings rather than any customized firmware, etc.?

Pardon my ignorance, I have no experience with these particular chips.  :)

I do have a few battery packs around here that are just "confused" though, so I always find these kinds of discussions interesting and informative.  I simply haven't had enough time to delve into these ones as projects here to try to decipher what battery management they use or what is wrong beyond checking for obvious blown fuses, mosfets, etc.  Once it's not obvious and classed as "will need to talk to the chip," it ends up on the "investigate later" shelf to gather dust.  :)
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on September 28, 2019, 02:19:33 pm
Drussell,

Much seems to depend on the particular BQ series chip used. The early models could often be ‘tricked’ into re-enabling the battery by charging the cell pack with a lab power supply to bring the cell p.d.s above the low voltage failure detection threshold of the chip. Some needed the battery output to the management board to be briefly connected to the supply output of the management board, effectively supplying battery full output voltage to the locked-out side of the battery and bypassing the Power MOSFET(S). This has worked many times for me but you should fit new cells if their p.d. is well below the manufacturer's safe minimum voltage. It is claimed by the manufacturers that charging a cell that is below that minimum voltage can be risky due to claimed chemistry changes within the cell. That is a topic of much debate however ! Not really applicable to this post though.

BQ series Chips can have flash memory dedicated to OEM use and that can be used by the host computer to detect the type of battery pack fitted and its provenance. It can be used in a basic attempt to reduce clone battery production but is not effective. What it can mean is that if a new BQ chip is fitted, the OEM ID information needs to be programmed into the OEM flash area of the chip. Whether that data can be read from a locked-out battery I do not know.

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on September 28, 2019, 03:53:51 pm
I just pulled the datasheet for the BQ 20Z70 chip used in some scrap HP laptop batteries that I have.

This datasheet will give an insight into the common activities and protection systems found in a relatively modern chip.

http://www.ti.com/lit/er/sluu250a/sluu250a.pdf

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on September 28, 2019, 07:07:29 pm
The not-entirely-serious answer is "learn Vietnamese"! There's a few Viet forums that specialise in this "recelling" of battery packs, and they have a lot of detailed information, but unfortunately not in English. I don't remember the URLs but I've come across them before while searching for related information.

There's also this: http://be2works.com/ "Any password for BQ20Zxx and BQ208x in 5 seconds." suggests they've found a way to bruteforce it. The password is only 32 bits, which is 4GB in linear terms, and someone with plenty of time can just wait; but I suspect there's some sort of timing difference (AFAIK it's an 8-bit CPU, and they might've done the "dumb" thing of comparing a byte at a time with early-out) that makes it easier to get it a byte at a time.

Another interesting article:
http://www.karosium.com/2016/08/hacking-bq8030-with-sanyo-firmware.html
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on September 28, 2019, 08:34:04 pm
Amyk,

Many thanks  :-+  :)

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Gribo on September 30, 2019, 07:39:40 pm
I had this issue with a design based on the BQ27541; the easiest, brute force solution was to re-flash the firmware (a -V200 can be updated to -G1 even though TI says it's impossible). This might not be possible with all of the BQs. The internal MCU is an MSP430F2xx variant. Also, some of the older tools (not BQSTUDIO) might have the unlock option enabled; it has been a while since I touched this design.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on September 30, 2019, 08:44:59 pm
Thank you  :-+

Interestingly, BQ Studio is available for download but the older configuration software is only available upon request and its approval. My request was declined for reasons that are not clear from the response I received. It is almost as though that older software is deliberately controlled due to its capabilities ? I understand that the common BQ 20Zxxx and 30Zxxx chips require that older software as BQStudio does not support them. Of course the chip that I am just experimenting with from a HP battery is a darned BQ 20Zxxx ... Sod’s law !

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on October 01, 2019, 02:38:55 am
Which tool are you looking for specifically?
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on October 01, 2019, 04:19:56 am
Hi AMYK,

It was titled BQEVSW and is apparently the BQ Evaluation Software that predates BQStudio. I have also read of GaugeStudio but that may be BQStudio under an earlier name ?

Upon reading some comments in the TI support forums it seemed to be suggested that a specific version of BQEVSW was needed for each BQ series chip and even for a specific firmware ? All a bit over complex if true.

Regards

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: rsjsouza on October 01, 2019, 05:32:47 pm
Upon reading some comments in the TI support forums it seemed to be suggested that a specific version of BQEVSW was needed for each BQ series chip and even for a specific firmware ? All a bit over complex if true.
That is true. Each device was released with its companion software, which had a very specific set of features but they didn't aggregate newer devices to the existing platform - instead they simply rebuilt the entire GUI with different settings. Yeah, quite confusing, especially given the GUI had the same name across the different device variants...

I suspect a request would be cleared if it comes from a new product developer, not for repair...  :(
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on October 01, 2019, 05:48:02 pm
Rsjsouza,

Many thanks. The whole battery management chip situation appears a bit of a nightmare for anyone wanting to rebuild an obsolete battery. Such a PITA !

Best Wishes

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Siwastaja on October 01, 2019, 05:55:02 pm
It's supposed to be a nightmare. The more or less correct term is DRM. It's there to prevent you from doing it.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on October 01, 2019, 06:26:07 pm
Agreed,

I understand the OEM desire to discourage clone batteries or users taking risks by rebuilding a battery with inappropriate experience or cells, but sadly that sometimes means a piece of portable equipment effectively becomes obsolete through the simple failure of a battery pack that is no longer available  :( I knew I was likely facing this situation when I saw so little on the internet about successes in replacing cells in batteries that contain these darned Management chips.

I know the laptop battery market has a thriving 3rd party supply from China, so common laptops are not too badly affected. It is the specialist portable kit that takes a hit. Such a pity  :(

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Gribo on October 01, 2019, 07:11:18 pm
If it is a pack side controller, you might be able to remove the protection by simulating a new battery connection, I had some luck with protection ICs unlocking when a 3.7V source was connected instead of the battery.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on October 01, 2019, 07:25:00 pm
You can find quite a few versions of the bqEVSW by trawling the e2e.ti.com forums. There's at least one person on there who appears to work for TI and will give you the software if you ask nicely; but don't bother asking him for the following, because he's already uploaded various versions of those there:
Code:
bq20z45
bq20z65
bq20z75
bq20z80
bq30z55
bq30423
bq3060
bq34z950
They all vary in size, which suggests to me that the package contains lots of firmwares too.

Another relevant article worth reading, goes more into the malicious side of things but has some more details if you want to RE the controller deeply: https://media.blackhat.com/bh-us-11/Miller/BH_US_11_Miller_Battery_Firmware_Public_WP.pdf
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Gribo on October 01, 2019, 07:41:35 pm
If your design contains the BQ29330, you should try to clear the fault condition, as it is latched. See page 12 of the datasheet.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: datsuncogs on March 27, 2020, 05:52:41 pm
Hello, I am also trying to access a battery chip: a Texas Instruments BQ30Z55. It is in a DJI drone battery. I have hooked up a USB to SMBUS board and can read some battery info with some software I downloaded, Eeprom Works 4.31, but it doesn't list the BQ30Z55 chip so I've gone about as far as I can go. Can anyone put me on the right track? Thank you.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on March 28, 2020, 12:46:07 am
https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/196/4113.bqEVSWSetup00.09.80_5F00_bq30z55v0.32.exe
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: datsuncogs on March 28, 2020, 01:44:41 am
Thank you, do you think that only works with TI's own USB interface? The interface I have is this https://www.ebay.co.uk/itm/192919272417
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: azzido on December 04, 2020, 10:45:56 pm
Hello guys,

Working with BQ30z55 chip is not so simple. This family is probably the most secured gas gauge chip from TI. You can't change any parameter inside its data flash unless you unseal it first. The unseal mechanism works like this: You send a GetSeed request to the chip. The chip will send you 160 bit seed. Then you need to compute a SHA1 160bit key then send it to the chip for authentication. Battery EEPROM works is a very very old software, it can work maybe with some very old chips that used external eeprom. Since about 15 years ago almost all batteries use chips with built in DataFlash.

It's a waste of time if you don't have SHA1 algo and passwords to generate keys.
There are 2-3 guys in the world that can unseal such chips.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on December 05, 2020, 01:56:07 am
Hello guys,

Working with BQ30z55 chip is not so simple. This family is probably the most secured gas gauge chip from TI. You can't change any parameter inside its data flash unless you unseal it first. The unseal mechanism works like this: You send a GetSeed request to the chip. The chip will send you 160 bit seed. Then you need to compute a SHA1 160bit key then send it to the chip for authentication. Battery EEPROM works is a very very old software, it can work maybe with some very old chips that used external eeprom. Since about 15 years ago almost all batteries use chips with built in DataFlash.

It's a waste of time if you don't have SHA1 algo and passwords to generate keys.
There are 2-3 guys in the world that can unseal such chips.
That is supposing it is resistant to power analysis/clock glitching or timing analysis, or doesn't have any simple bugs like buffer overflows in the firmware to exploit; and seeing how some dedicated crypto modules are susceptible to such attacks, I don't think a battery DRM chip would be more secure.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: torture on March 13, 2021, 01:49:57 pm
Guys, does anyone have BQEVSW for BQ30z55 R3 or R1? I made multiple requests to obtain it through TI but they're blabbing about how they can't provide it to civilians. Like it's something top secret.  |O
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on March 13, 2021, 11:18:03 pm
I linked it above...
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: torture on March 14, 2021, 07:52:31 am
Yes, I installed that, but it supports only up to firmware version 0.32, and the bq30z55 r3 that is the most common in laptop batteries has firmware version 0.35 and 0.36. So this version of BQEVSW is not compatible, unfortunately.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: GlennSprigg on March 14, 2021, 12:14:50 pm
'Safety' my 'ass!!!'...  I smell a rat, as big as an Aussie Wombat!!!
Bloody ruse, to take away home servicing possibilities.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on March 15, 2021, 12:21:25 am
https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/196/bqEVSWSetup00.09.92_5F00_bq30z55v0.36R3c.exe

(Found while searching the TI site - download and archive quickly, I suspect they may not be too keen on these being shared.)
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: torture on March 15, 2021, 02:23:31 pm
Thank you, I downloaded and installed it. I was searching the TI website and forums for a long time but I missed this one. Unfortunately the chip that I have is some different version that is not supported by this version of BQEVSW. So I still have to find the right one. Does anyone know what exactly is the version of this chip so I can search for the version of BQEVSW that works with it?
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: peterburk on May 20, 2021, 12:59:07 pm
Have any of you had any success unsealing a TI BQ20Z451 gas gauge chip?

In September 2020, my 2014 MacBook Pro 15" Retina A1398 battery cells started swelling. The computer's long out of AppleCare, so getting an original part isn't an option.
I bought a third-party replacement battery, but that broke the logic board.
The fake battery has an idle voltage of 12V, compared to the original which idles at 2V and "wakes up" to 12V. This is important because there can be voltage spikes during power state changes.
I tried replacing the cells, but in the process I disconnected power, and now the PF flag is set due to an undervoltage error.

Charlie Miller's research was helpful, but his hack only works on the BQ20Z80, an older model.
https://www.youtube.com/watch?v=_9ErnoLVxCA
https://docplayer.net/19923167-Battery-firmware-hacking-inside-the-innards-of-a-smart-battery-charlie-miller-accuvant-labs-charlie-miller-com-twitter-0xcharlie.html
I'm using Charlie's code to write a fuzzer for an unseal code of 8 hex digits, but I guess this won't work if the code is in fact a 160-bit SHA-1.

Be2Works can't unlock TI BQ20Z45x firmwares newer than v5 (mine is 702).
http://be2works.com/

Can any of you help me figure out what to try next? Any advice would be helpful! I'm willing to try voltage glitching, but wouldn't that just trigger the PFF again?

And if any of you know how I can get batteries shipped to New Zealand, I could also buy that. iFixit and OWC won't even send batteries to here (though rumour has it that their batteries are the same as the one that broke mine).
https://www.ifixit.com/Answers/View/670587/A1398+-+New+Simplo+battery+-+System+dead+after+3+days.


Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: Fraser on May 20, 2021, 01:11:05 pm
Apple offered a battery replacement deal on my iPad Air2 at a cost of £80 and they gave me a brand new iPad Air2. For me, that was a good deal. Have you asked your local Apple service centre what they charge for battery replacement on your MAC ? I see that in the UK the price appears to be £129 or £199 depending upon model of MAC PRO. It may be worth investigating ? A decent quality replacement battery could easily cost £80 so £129, including labour, did not sound too bad to me.

Apple appear to be aware of the bad publicity that battery failure in Apple products has attracted in the past and seem to have offered reasonable solutions at reasonable cost for such failures.

https://support.apple.com/en-gb/mac/repair/service

Fraser
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: azzido on July 02, 2021, 10:39:02 pm
The TI bqEVSW does not contain the custom chip plugins. It contains only the plugins for the public chips.

As far as I know, Apple uses in their latest batteries an old TI chip bq20z451 but with different firmware versions, V5.xx, V7.xx, V10.xx. The Be2works program does not support these firmwares. I found a tool which seems to be an all-in-one device to repair laptop batteries: https://www.laptopu.ro/product/professional-laptop-battery-analyzer-nlba1/
Here is the supported list for laptop battery chip reset: https://www.laptopu.ro/product/chip-reset-repair-laptop-battery/ It supports the bq20z451 Apple up to V5 firmware.
I contacted them and they said that they can unseal Apple firmware versions higher than V5 remotely but it requires having their NLBA1 device.

Does anyone have an NLBA1 device ? I don't want to pay 249$ just to repair one battery.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on July 03, 2021, 02:43:12 am
Can any of you help me figure out what to try next? Any advice would be helpful! I'm willing to try voltage glitching, but wouldn't that just trigger the PFF again?
Power/timing analysis.

Like picking a lock, you want to change one byte or even bit at a time on each try, and observe the effects that has on the current draw and timing.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: azzido on July 03, 2021, 08:51:22 am
Apple offered a battery replacement deal on my iPad Air2 at a cost of £80 and they gave me a brand new iPad Air2. For me, that was a good deal. Have you asked your local Apple service centre what they charge for battery replacement on your MAC ? I see that in the UK the price appears to be £129 or £199 depending upon model of MAC PRO. It may be worth investigating ? A decent quality replacement battery could easily cost £80 so £129, including labour, did not sound too bad to me.

Apple appear to be aware of the bad publicity that battery failure in Apple products has attracted in the past and seem to have offered reasonable solutions at reasonable cost for such failures.

https://support.apple.com/en-gb/mac/repair/service

Fraser

Unsealing Apple bq20z451 newer firmwares V5, V7, V10 does not just require sending a simple 2 x 32 bit password like on most bq20zxxx chips. The firmware is Apple's and unsealing means sending about 150-200 commands, yes, a lot of commands. The unsealing algorithm is like a chain of challenge and response pairs. It is very difficult to figure out how the algo is implemented. If you have an EV2300 I can unseal your battery for free. Just install AnyDesk or TeamViewer and contact me in private.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: torture on July 03, 2021, 04:25:44 pm
The TI bqEVSW does not contain the custom chip plugins. It contains only the plugins for the public chips.

As far as I know, Apple uses in their latest batteries an old TI chip bq20z451 but with different firmware versions, V5.xx, V7.xx, V10.xx. The Be2works program does not support these firmwares. I found a tool which seems to be an all-in-one device to repair laptop batteries: https://www.laptopu.ro/product/professional-laptop-battery-analyzer-nlba1/
Here is the supported list for laptop battery chip reset: https://www.laptopu.ro/product/chip-reset-repair-laptop-battery/ It supports the bq20z451 Apple up to V5 firmware.
I contacted them and they said that they can unseal Apple firmware versions higher than V5 remotely but it requires having their NLBA1 device.

Does anyone have an NLBA1 device ? I don't want to pay 249$ just to repair one battery.

I'm using the NLBA device already for 1 month and I'm quite impressed, to be honest. Definitely worth every cent. Basically you can use it in 2 ways: as a battery charger/discharger for calibration & testing, and, the most important, it has chip reset features. The list of supported chips is quite good. I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a Macbook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over Anydesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: azzido on July 03, 2021, 06:21:24 pm
Have you paid extra for Macbook battery remote unseal ?

It looks like an all-in-one device but mainly for those who are repairing more batteries. I have only one. Do you know if these guys can repair my battery with CP2112 ?
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: torture on July 03, 2021, 07:02:16 pm
I did not pay anything extra for the remote unlocking since I bought the NLBA device. The support is great. Basically they said it does not matter how many batteries you will repair. I'm sure they will help you even if you have only 1, just like in your case. They said they can use any device that supports Arduino for remote reset, so that should include also CP2112 (I'm not sure). If you like you can tell me what is the battery model that you want to reset and I can ask them how they can help you. I'm pretty sure they will get the job done.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: amyk on July 04, 2021, 01:39:50 am
Unsealing Apple bq20z451 newer firmwares V5, V7, V10 does not just require sending a simple 2 x 32 bit password like on most bq20zxxx chips. The firmware is Apple's and unsealing means sending about 150-200 commands, yes, a lot of commands. The unsealing algorithm is like a chain of challenge and response pairs. It is very difficult to figure out how the algo is implemented.
There's an investigation from a "hacker" perspective a few years ago which is either already linked in this thread or posted here before, basically Apple itself needs to update the firmware so you can RE the algorithm from the firmware updater.
I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a Macbook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over Anydesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from bruteforcing or timing/power analysis.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: azzido on July 04, 2021, 05:55:34 am
I managed to reset many BQ20zxx chips, also bq9000 & even the newest ones like 40z55/55; it unlocks them in 2-3 seconds. I don't know how they do it? Maybe they know the master passwords? A few days ago I had a Macbook Pro battery with a BQ20Z451 chip V7 which is not officially supported, so I contacted the developers and they said no problem, we can reset it over Anydesk. It took around 5-6 minutes; I saw them typing all kinds of crazy commands which I didn't understand, but in the end the job was done, the chip was unsealed and reset. I highly recommend it for any computer shop. I also have Be2Works but it's absolute garbage!
A $5 logic analyser will easily reveal what they're doing... I suspect they're just trying a small hardcoded list of passwords that they got from bruteforcing or timing/power analysis.
No, there is another method. They are using a backdoor algorithm. You can't unseal any chip within a few seconds based on a password dictionary. Note that you have to wait 4000ms after each wrong password sent. The backdoor algorithm gives you direct access in FAS (Full Access Mode), so both the Unseal and FAS keys can remain unknown if the backdoor key is used.

As I already mentioned, unsealing BQ20z451 Apple firmware V5, V7, V10 (batteries newer than 2012) does not require just a simple pair of 2 x 32 bit keys. The authentication algorithm is completely different; it is an algorithm that requires in general exchanging about 150-200 security pairs (challenge and response), but the current response is in relation with the previous response.
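To make the chip-side logic discussed in this thread concrete (azzido's GetSeed / 160-bit seed / SHA-1 response description of the bq30z55 family, the 4000 ms penalty after a wrong key, and amyk's suspicion of an early-out byte-by-byte compare), here is a small simulation of a gauge's unseal check. It is an illustrative model added to this thread, not TI firmware and not any of the tools mentioned; the response function SHA-1(key || seed) is an assumption, since the page does not give the real derivation, and the clock is simulated so the penalty can be tested without sleeping.

```python
"""Model of a seed-based unseal check for a gas gauge, written for this thread.
Assumptions: response = SHA-1(key || seed); a fresh 160-bit seed per attempt;
a wrong response starts a 4000 ms lockout (figure quoted in the thread)."""
import hashlib
import hmac
import os

SEED_BITS = 160
LOCKOUT_MS = 4000          # penalty after a wrong key, as stated in the thread


class GaugeModel:
    """Chip side: holds the unseal secret, issues seeds, checks responses."""

    def __init__(self, unseal_key: bytes, now_ms: int = 0):
        self._key = unseal_key
        self._seed = None               # outstanding challenge, if any
        self._lockout_until = 0         # simulated time at which penalty ends
        self.sealed = True
        self.now_ms = now_ms            # simulated clock, advanced by the caller

    def get_seed(self) -> bytes:
        # A new random 160-bit seed for every attempt, so a response captured
        # on the bus cannot simply be replayed against a later challenge.
        self._seed = os.urandom(SEED_BITS // 8)
        return self._seed

    def _expected(self, seed: bytes) -> bytes:
        # Assumption: the gauge derives the expected reply as SHA-1(key || seed).
        return hashlib.sha1(self._key + seed).digest()

    def unseal(self, response: bytes) -> str:
        if self.now_ms < self._lockout_until:
            return "busy"                # still serving the wrong-key penalty
        if self._seed is None:
            return "no-seed"             # GetSeed must precede every attempt
        expected = self._expected(self._seed)
        self._seed = None                # one-shot: seed is consumed either way
        # compare_digest runs in time independent of where the bytes differ,
        # unlike the early-out compare below.
        if not hmac.compare_digest(expected, response):
            self._lockout_until = self.now_ms + LOCKOUT_MS
            return "rejected"
        self.sealed = False
        return "unsealed"


def host_response(key: bytes, seed: bytes) -> bytes:
    """Host side: what a tool that actually holds the key sends back."""
    return hashlib.sha1(key + seed).digest()


def early_out_compare(a: bytes, b: bytes) -> bool:
    """The weak pattern amyk suspects on 8-bit parts: returns at the first
    mismatching byte, so rejection time depends on how many leading bytes
    matched. Functionally identical to compare_digest, but not in timing."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def run_exchange(gauge: GaugeModel, key: bytes) -> str:
    """One full GetSeed -> response -> verdict round trip."""
    seed = gauge.get_seed()
    return gauge.unseal(host_response(key, seed))


if __name__ == "__main__":
    # Constructed demo key; real unseal keys are per-OEM and not on this page.
    g = GaugeModel(b"constructed-demo-key")
    print(run_exchange(g, b"wrong-key"))         # rejected
    print(run_exchange(g, b"constructed-demo-key"))  # busy (inside 4000 ms)
    g.now_ms += LOCKOUT_MS
    print(run_exchange(g, b"constructed-demo-key"))  # unsealed
```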
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: peterburk on July 12, 2021, 05:43:52 am
Is it possible (safe?) to desolder a BQ20Z451 chip from an A1406 battery pack (7.3V) and put it onto a PCB for an A1494 battery pack (11.26V)?

The reason I'm considering this route is because the chip in the A1406 is running firmware 406, and can be unsealed. I got it from the scrap at a third-party Mac repair shop.

I also have an EV2300, Saleae logic analyser, MacBook Pro 2007 battery connector for SMBus, Charlie Miller's code modified for unseal code fuzzing, and am hoping to receive a CP2112 soon.
Title: Re: Experiences with TI BQ management IC’s when re-building laptop batteries ?
Post by: whitepawn on June 21, 2022, 06:33:58 pm
Hi,

I just made my own PCB BMS design with a BQ30Z55; that chip was bought from AliExpress. But as you might guess the chips came blank, so I need firmware for the BQ30Z55. I have an EV2300/2400 and BQEVSW to program it. The device is in TI boot mode right now. Does anyone have any version of the firmware (*.senc file)?