Author Topic: Experiences with TI BQ management IC’s when re-building laptop batteries ?  (Read 16111 times)


Fraser (topic starter):
Dear All,

I am more commonly found helping in the Thermal Imaging sub forum but I have come out into ‘General Population’ to ask for some help for a change.

This post relates to replacing cells in laptop and tablet battery packs that are using the various Texas Instruments BQ series battery management chips. For those unaware, the TI BQ chips come in many types and with varying features. What is common to all is the ‘battery lockout’ feature that basically disconnects the battery supply terminal if an imbalance or failure of a cell in the pack is detected. This is a safety feature and not a bad idea as it prevents overheating cells ! Sadly the BQ chips have evolved over the years. Whilst early versions were quite ‘dumb’ and could be persuaded to reconnect the battery to the outside world if the fault condition was corrected, later versions are more sophisticated and can permanently lock-out the battery terminals unless the BQ chip is ‘unsealed’ and then the fault flag reset after new cells are fitted. Even accidentally disconnecting good cells in such a battery can cause a lock-out and effective loss of the battery from use. I am all for safety where Lithium cells are concerned but sadly the battery ‘lock-out’ feature has expanded to cover not only faults, but also charge/discharge cycles ! So in theory, perfectly healthy cells are placed beyond use by an arbitrary charge count. Now the killer..... to unseal a modern BQ chip to change its settings is lock-out status you need a password ! And, you guessed it, many manufacturers set their own password and even use custom firmware in the TI BQ chips. If you get lucky, the default TI password is used but such is not to be expected these days.

So the situation that faces me is having several different modern Lithium Ion battery packs that are in Lock-out, likely due to long term storage as they are almost new. I can buy new Lithium Ion cells for them without difficulty but I suspect the TI BQ chip will hamper or even prevent my plan to fit new cells in the packs. These tablet and laptop batteries are uncommon Military types so I cannot just buy new ones.

So, to the topic of this post. Has anyone else had experiences, good, or bad, when trying to fit new cells into a battery that is in ‘Lock-out’ and contains a BQ series battery management chip. Any and all experiences are welcomed. Does anyone know any BQ chip passwords ? Sharing those might help others who read this post. I am dealing with Samwell, Itronix (General Instruments) and Getac batteries but Dell, HP  and other makes are also of interest to me.

I just bought the official Texas Instruments EV2400 USB interface unit to communicate with the batteries via their normal SMBus I/O path so that side of things is covered.

Regards to all

Fraser
« Last Edit: September 28, 2019, 02:36:42 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

drussell:
Re: Experiences with TI BQ management IC’s when revelling laptop batteries ?
« Reply #1 on: September 28, 2019, 02:03:05 pm »
Are the typical implementations generic enough that you could just replace the chip and use your own generic settings rather than any customized firmware, etc.?

Pardon my ignorance, I have no experience with these particular chips.  :)

I do have a few battery packs around here that are just "confused" though, so I always find these kinds of discussions interesting and informative.  I simply haven't had enough time to delve into these ones as projects here to try to decipher what battery management they use or what is wrong beyond checking for obvious blown fuses, mosfets, etc.  Once it's not obvious and classed as "will need to talk to the chip," it ends up on the "investigate later" shelf to gather dust.  :)
 

Fraser (topic starter):
Re: Experiences with TI BQ management IC’s when revelling laptop batteries ?
« Reply #2 on: September 28, 2019, 02:19:33 pm »
Drussell,

Much seems to depend on the particular BQ series chip used. The early models could often be ‘tricked’ into re-enabling the battery by charging the cell pack with a lab power supply to bring the cell p.d’s above the low voltage failure detection threshold of the chip. Some needed the battery output to the management board to be briefly connected to the supply output of the management board, effectively supplying battery full output voltage to the locked-out side of the battery and bypassing the Power MOSFET(S). This has worked many times for me but you should fit new cells if their p.d. is well below the manufacturers safe minimum voltage. It is claimed by the manufacturers that charging a cell that is below that minimum voltage can be risky due to claimed chemistry changes within the cell. That is a topic of much debate however ! Not really applicable to this post though.

BQ series Chips can have flash memory dedicated to OEM use and that can be used by the host computer to detect the type of battery pack fitted and its provenance. It can be used in a basic attempt to reduce clone battery production but is not effective. What it can mean is that if a new BQ chip is fitted, the OEM ID information needs to be programmed into the OEM flash area of the chip. Whether that data can be read from a locked-out battery I do not know.

Fraser
« Last Edit: September 28, 2019, 02:39:08 pm by Fraser »
 

Fraser (topic starter):
I just pulled the datasheet for the BQ 20Z70 chip used in some scrap HP laptop batteries that I have.

This datasheet will give an insight into the common activities and protection systems found in a relatively modern chip.

http://www.ti.com/lit/er/sluu250a/sluu250a.pdf

Fraser
 

amyk:
The not-entirely-serious answer is "learn Vietnamese"! There's a few Viet forums that specialise in this "recelling" of battery packs, and they have a lot of detailed information, but unfortunately not in English. I don't remember the URLs but I've come across them before while searching for related information.

There's also this: http://be2works.com/ "Any password for BQ20Zxx and BQ208x in 5 seconds." suggests they've found a way to bruteforce it. The password is only 32 bits, which is 4GB in linear terms, and someone with plenty of time can just wait; but I suspect there's some sort of timing difference (AFAIK it's an 8-bit CPU, and they might've done the "dumb" thing of comparing a byte at a time with early-out) that makes it easier to get it a byte at a time.

Another interesting article:
http://www.karosium.com/2016/08/hacking-bq8030-with-sanyo-firmware.html
 
The following users thanked this post: oPossum, Fraser
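
The byte-at-a-time early-out comparison amyk speculates about, set beside a fixed-work comparison with a retry limit, as an added example that is not from the thread or from any TI firmware. The key value, `MAX_FAILURES` and all function names are made up for illustration, and a counter of byte operations stands in for CPU time.

```c
#include <stdint.h>
#include <stdio.h>
#define KEY_LEN 4       /* 32-bit password, as in the post */
#define MAX_FAILURES 3  /* assumed retry limit, not a TI value */
/* Constructed sample key, not a real vendor password. */
static const uint8_t STORED_KEY[KEY_LEN] = {0x12, 0x34, 0x56, 0x78};
static unsigned byte_ops;  /* instrumentation: stands in for CPU time */
static unsigned failures;  /* consecutive failed attempts, hardened path */

/* Weak form: stops at the first wrong byte, so work done leaks the match length. */
int check_early_out(const uint8_t *guess)
{
    for (unsigned i = 0; i < KEY_LEN; i++) {
        byte_ops++;
        if (guess[i] != STORED_KEY[i])
            return 0;
    }
    return 1;
}

/* Hardened form: touches every byte regardless of mismatches and refuses
 * further attempts after MAX_FAILURES. Returns 1 ok, 0 wrong, -1 locked. */
int check_hardened(const uint8_t *guess)
{
    uint8_t diff = 0;
    if (failures >= MAX_FAILURES)
        return -1;
    for (unsigned i = 0; i < KEY_LEN; i++) {
        byte_ops++;
        diff |= (uint8_t)(guess[i] ^ STORED_KEY[i]);
    }
    failures = diff ? failures + 1 : 0;
    return diff == 0;
}

/* Number of byte operations a single call to `check` performs. */
unsigned ops_for(int (*check)(const uint8_t *), const uint8_t *guess)
{
    byte_ops = 0;
    (void)check(guess);
    return byte_ops;
}

int main(void)
{
    const uint8_t half[KEY_LEN] = {0x12, 0x34, 0x00, 0x00};
    printf("early-out ops: %u\n", ops_for(check_early_out, half));
    printf("hardened ops: %u\n", ops_for(check_hardened, half));
    return 0;
}
```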

Fraser (topic starter):
Amyk,

Many thanks  :-+  :)

Fraser
« Last Edit: September 30, 2019, 08:37:29 pm by Fraser »
 

Gribo:
I had this issue with a design based on the BQ27541, the easiest, brute force solution was to re-flash the firmware (A -V200 can be updated to -G1 even though TI says it's impossible). This might not be possible with all of the BQs. The internal MCU is an MSP430F2xx variant. Also, some of the older tools (not BQSTUDIO) might have the unlock option enabled, it has been a while since I touched this design.
I am available for freelance work.
 

Fraser (topic starter):
Thank you  :-+

Interestingly, BQ Studio is available for download but the older configuration software is only available upon request and its approval. My request was declined for reasons that are not clear from the response I received. It is almost as though that older software is deliberately controlled due to its capabilities ? I understand that the common BQ 20Zxxx and 30Zxxx chips require that older software as BQStudio does not support them. Of course the chip that I am just experimenting with from a HP battery is a darned BQ 20Zxxx ... Sod’s law !

Fraser
 

amyk:
Which tool are you looking for specifically?
 

Fraser (topic starter):
Hi AMYK,

It was titled BQEVSW and is apparently the BQ Evaluation Software that predates BQStudio. I have also read of GaugeStudio but that may be BQStudio under an earlier name ?

Upon reading some comments in the TI support forums it seemed to be suggested that a specific version of BQEVSW was needed for each BQ series chip and even for a specific firmware ? All a bit over complex if true.

Regards

Fraser
 

rsjsouza:
Quote from: Fraser
> Upon reading some comments in the TI support forums it seemed to be suggested that a specific version of BQEVSW was needed for each BQ series chip and even for a specific firmware ? All a bit over complex if true.

That is true. Each device was released with its companion software, which had a very specific set of features but they didn't aggregate newer devices to the existing platform - instead they simply rebuilt the entire GUI with different settings. Yeah, quite confusing, especially given the GUI had the same name across the different device variants...

I suspect a request would be cleared if it comes from a new product developer, not for repair...  :(
Vbe - vídeo blog eletrônico http://videos.vbeletronico.com

Oh, the "whys" of the datasheets... The information is there not to be an axiomatic truth, but instead each speck of data must be slowly inhaled while carefully performing a deep search inside oneself to find the true metaphysical sense...
 
The following users thanked this post: Fraser

Fraser (topic starter):
Rsjsouza,

Many thanks. The whole battery management chip situation appears a bit of a nightmare for anyone wanting to rebuild an obsolete battery. Such a PITA !

Best Wishes

Fraser
 

Siwastaja:
It's supposed to be a nightmare. The more or less correct term is DRM. It's there to prevent you from doing it.
 

Fraser (topic starter):
Agreed,

I understand the OEM desire to discourage clone batteries or users taking risks by rebuilding a battery with inappropriate experience or cells, but sadly that sometimes means a piece of portable equipment effectively becomes obsolete through the simple failure of a battery pack that is no longer available  :( I knew I was likely facing this situation when I saw so little on the internet about successes in replacing cells in batteries that contain these darned Management chips.

I know the laptop battery market has a thriving 3rd party supply from China, so common laptops are not too badly affected. It is the specialist portable kit that takes a hit. Such a pity  :(

Fraser
« Last Edit: October 01, 2019, 06:34:55 pm by Fraser »
 
The following users thanked this post: SeanB

Gribo:
If it is a pack side controller, you might be able to remove the protection by simulating a new battery connection, I had some luck with protection ICs unlocking when a 3.7V source was connected instead of the battery.
 
The following users thanked this post: Fraser

amyk:
You can find quite a few versions of the bqEVSW by trawling the e2e.ti.com forums. There's at least one person on there who appears to work for TI and will give you the software if you ask nicely; but don't bother asking him for the following, because he's already uploaded various versions of those there:
bq20z45
bq20z65
bq20z75
bq20z80
bq30z55
bq30423
bq3060
bq34z950
They all vary in size, which suggests to me that the package contains lots of firmwares too.

Another relevant article worth reading, goes more into the malicious side of things but has some more details if you want to RE the controller deeply: https://media.blackhat.com/bh-us-11/Miller/BH_US_11_Miller_Battery_Firmware_Public_WP.pdf
 
The following users thanked this post: Fraser

Gribo:
If your design contains the BQ29330, you should try to clear the fault condition, as it is latched. See page 12 of the datasheet.
 
The following users thanked this post: Fraser

datsuncogs:
Hello, I am also trying to access a battery chip.. a Texas Instruments BQ30Z55. It is in a DJI drone battery. I have hooked up a USB to SMBUS board and can read some battery info with some software I downloaded, Eeprom Works 4.31, but it doesn't list the BQ30Z55 chip so I've gone about as far as I can go. Can anyone put me on the right track? Thank you.
 


datsuncogs:
Thank you, do you think that only works with TI's own USB interface? The interface I have is this https://www.ebay.co.uk/itm/192919272417
 

azzido:
Hello guys,

Working with BQ30z55 chip is not so simple. This family is probably the most secured gas gauge chip from TI. You can't change any parameter inside its data flash unless you unseal it first. The unseal mechanism works like this: You send a GetSeed request to the chip. The chip will send you 160 bit seed. Then you need to compute a SHA1 160bit key then send it to the chip for authentication. Battery EEPROM works is a very very old software, it can work maybe with some very old chips that used external eeprom. Since about 15 years ago almost all batteries use chips with built in DataFlash.

It's a waste of time if you don't have SHA1 algo and passwords to generate keys.
There are 2-3 guys in the world that can unseal such chips.
 
The following users thanked this post: Fraser, fullmoon6661

amyk:
Quote from: azzido
> Hello guys,
>
> Working with BQ30z55 chip is not so simple. This family is probably the most secured gas gauge chip from TI. You can't change any parameter inside its data flash unless you unseal it first. The unseal mechanism works like this: You send a GetSeed request to the chip. The chip will send you 160 bit seed. Then you need to compute a SHA1 160bit key then send it to the chip for authentication. Battery EEPROM works is a very very old software, it can work maybe with some very old chips that used external eeprom. Since about 15 years ago almost all batteries use chips with built in DataFlash.
>
> It's a waste of time if you don't have SHA1 algo and passwords to generate keys.
> There are 2-3 guys in the world that can unseal such chips.

That is supposing it is resistant to power analysis/clock glitching or timing analysis, or doesn't have any simple bugs like buffer overflows in the firmware to exploit; and seeing how some dedicated crypto modules are susceptible to such attacks, I don't think a battery DRM chip would be more secure.
 

torture:
Guys, does anyone have BQEVSW for BQ30z55 R3 or R1? I made multiple requests to obtain it through TI but they are blabbing about that they can't provide it to civilians. Like it's something top secret.  |O
 

amyk:
I linked it above...
 

torture:
Yes, I installed that, but it supports only until firmware version 0.32v and bq30z55 r3 that is the most common in laptop batteries has firmware version 0.35 and 0.36. So this version of BQEVSW is not compatible unfortunately.
 

