You can even buy a Sanyo battery reset tool, but don't have 3200usd to spare. Software Sanyo Reset on Device EV2. Manufacturer: Ok Computer Plus. 2 MONTHSDescription: Ok Computer Plus With. Video Reset BQ9000 Sanyo - Duration. VIDEO BQ8050 BQ8030 BQ8030A BQ8011 BQ80201 M37512 R2J240 SANYO NEW-2013 - Duration. Buy Stanley 201-Piece Mechanic's Tool Set, STMT71654, Stanley 123-Piece Black Chrome Socket Set. Sanyo Tool Reset Bq8030 download free software. Hacking the bq8030 with SANYO firmware. Apparently they sell this tool for them. But maybe pulling some pin high or low during reset will get me somewhere. SANYO Tool - Made in Sanyo. As mentioned in the previous article the bq. If you bought some from Aliexpress they'd come up with the TI Boot ROM and you could use the flashing tool included in SMBusb to upload firmware and eeprom(data flash) to it. Lots of Google. Apparently they sell this tool for them: :Now with a SPECIAL! WHAT AN AMAZING DEAL!!! I gathered everything I could find about this device and while it wasn't much it did provide clues that came in handy later on in the process. Especially this screenshot of the software that comes with it: There was no way I could figure everything out based on just that but I did take notice of the function bar on the bottom. Those could very well be SMBus commands right there. Not really expecting much I tried a word write of 0x. So I moved on to poking at other things but eventually came back for a second look and that's when I realized: Command scan starting at 0x. Reading it returns: $ smbusb. Having found slides from a TI presentation revealing the connection between the BQ8. I opened up the datasheet for the latter (since there's no public datasheet for the former). No obvious BOOT pin as one would expect with a device that's not meant to be tampered with.
But maybe pulling some pin high or low during reset will get me somewhere. After the first pass no, not really. So maybe we have to set multiple pins into multiple states for it to work. Or maybe there's no such combination at all. One-Push-Reset for M37512 based batteries. BQ20Z90, BQ20Z95, M37512, BQ8030 (Sony, Sanyo), BQ20Z451 (MacBook).How about I try to abuse N/C pins instead. I have no logical explanation as to why I came to this decision. Maybe I saw a presentation somewhere about blackbox chips and N/C pins years and years and years ago but I could just be imagining things. Either way, about 5 minutes of poking at PIN #2. RESET at random intervals while running a continuous command scan: $ smbusb? It's at this point that I coded up the flash tool to try and read the flash contents. Apparently we can corrupt (ideally just) the first couple of blocks of flash if we bully PIN #2. Could it just have been the erratic resetting of the chip that triggered the malfunction? Did I short VCELL+ to Pin. Was there high voltage on VCELL+? Was it just ESD? No idea. But I did manage to reproduce the result on another chip using the same procedure. So when in doubt and you have nothing to lose, act like a caveman, I guess? The only good thing about this method is that even if you have 0 knowledge about whether there even IS a method for entering the Boot ROM in the firmware let alone what it is there's still a high chance that you'll get in. How much of the firmware survives is another question. Disassembly. A couple of hours of staring at unfamiliar assembly code later, here are the relevant parts for entering the Boot ROM with annotations: cmd. It's the one that we saw in the screenshot above 0x. It sets an access flag that gets checked later on. Basically if (smb. Slave. Recv. Word(0x. It can set two access flags based on whatever (i. A) and (i. 3,0x. 1B) are. Well I don't know what those are and can't find where they're set so let's assume the first jeq will not jump once we've given the correct first password because it would make sense. We can also see that it checks the word we send against those mystery bytes somehow and if it likes what it sees it sets access flag 0x. A little bit further up we find the entry point for the Boot ROM: cmd? Profit. And we've made the educated guess that Step 2 is really ? Which is..*drumroll*0x. FDC3. After realizing that the first unlocked command is important (why else would they have made it mandatory otherwise) it's not that surprising that when adding the number returned by it (0x. So to sum it all up: 1. Read Word X from 0x. Send (0x. 10. 00. X) to 0x. 71. 4. Send 0x. Actually, sending the correct word in Step 3 will unlock several extra commands not just 0x. Boot. ROM entry but they all disappear as soon as you send an unrelated command much the same way as 0x. We don't really care about those though because we already have what we wanted: $ smbusb! Reading eeprom(data) flash.......................... Done! It contains all the data set by the manufacturer that never changes during the lifetime of the battery. Design capacity/voltage, serial and model numbers, default settings, etc. This part is protected by a checksum somewhere which you'll need to find and fix if you want to modify anything in there. The second part contains the dynamic data. There's no checksum on the dynamic area so you are free to modify this section all you want. Repeat until desired outcome is reached. That's what I did. Some helpful tips: On my specific battery the log starts at 0x. Battery capacity is stored as the remaining capacity reported through SBS divided by 2. Cycle count is stored as Cycle. Count- 1 (eg.: SBS value: 2. Eeprom byte: 2. 22)Remaining Capacity Alarm is stored as- is. A good place to start mapping. It's a good idea to reset the cycle counter. I don't want to start conspiracy theories but.. Probably, but it can't hurt. Please don't ask me to fix eeprom dumps : -) Good luck! This particular battery lasts 2 hours on constant high CPU load after external recharging and clearing of the fail flag. Not bad for a 1. 0 year old battery in a 1. THROW IT AWAY AND BUY A NEW ONE I consider this a win : ).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2017
Categories |