laszlodaniel / SmartBatteryHack

Arduino based hacking tool for smart batteries using SMBus.
GNU General Public License v3.0
149 stars, 54 forks

Again on BQ3050 - SN8765 #22

Open boiparide opened 2 years ago

boiparide commented 2 years ago

Hi! I read all your work and I need to thank and congratulate you, it's amazing.

I rebuilt an aftermarket battery pack for an Asus N56VZ, controlled by an SN8765, which seems to be our old friend the BQ3050. I used your software and your GUI and, because it was in full access mode, I was able to write some registers to revive my battery pack. It works until a full discharge happens, and then all values change to defaults or random values. Doing some other tests, I see that every time a reset command is sent (00 41) all values change. I will post the dump of the registers after the reset and the modified ones:

[INFO] Connecting to COM3

[<-TX] Handshake request (COM3)
3D 00 02 01 00 03

[RX->] Handshake response
3D 00 08 81 00 53 42 48 41 43 4B 35

[INFO] Handshake OK: SBHACK

[INFO] Device connected (COM3)

[RX->] Device settings
3D 00 05 83 01 03 00 00 8C

[INFO] Word byte-order: reverse read/write

[INFO] Design voltage: 0,0 V

[<-TX] Scan SMBus
3D 00 02 02 02 06

[RX->] Scan SMBus address result
3D 00 03 82 02 0B 92

[INFO] SMBus device(s): 0B

[<-TX] SMBus register dump request
3D 00 04 02 03 00 40 49

[RX->] SMBus register dump (00-40)
3D 00 C7 82 03 00 40 00 00 00 01 01 B8 02 00 0A 03 60 81 04 00 00 05 FF FF 06 FF FF 07 00 01 08 
0B B4 09 2A 7C 0A 00 00 0B 00 00 0C 00 64 0D 00 64 0E 03 FD 0F FF 38 10 FF 38 11 FF FF 12 FF FF 
13 FF FF 14 09 C4 15 31 38 16 02 C0 17 00 02 18 19 00 19 2B 5C 1A 00 31 1B 50 99 1C 83 6E 1D 83 
6E 1E 83 6E 1F 83 6E 20 41 0A 21 4E 07 22 4C 04 23 00 0E 24 00 0E 25 00 0E 26 00 0E 27 00 0E 28 
00 0E 29 00 0E 2A 00 0E 2B 00 0E 2C 00 0E 2D 00 0E 2E 00 0E 2F 00 14 30 00 14 31 00 14 32 00 14 
33 00 14 34 00 14 35 00 14 36 00 14 37 00 14 38 00 14 39 00 14 3A 00 14 3B 00 14 3C 00 00 3D 0E 
2D 3E 0E 25 3F 0E 2A 40 17 17 CA

[INFO] SMBus register dump details (00-40):
[00]: 00 00 // ManufacturerAccess: 00 00
[01]: 01 B8 // RemainingCapacityAlarm: 440 mAh
[02]: 00 0A // RemainingTimeAlarm: 10 minutes
[03]: 60 81 // BatteryMode: 0110000010000001
[04]: 00 00 // AtRate: 0 minutes
[05]: FF FF // AtRateTimeToFull: 65535 minutes
[06]: FF FF // AtRateTimeToEmpty: 65535 minutes
[07]: 00 01 // AtRateOK: true
[08]: 0B B4 // Temperature: 27,23°C
[09]: 2A 7C // Voltage: 10,876 V
[0A]: 00 00 // Current: 0 A
[0B]: 00 00 // AverageCurrent: 0 A
[0C]: 00 64 // MaxError: 100%
[0D]: 00 64 // RelativeStateOfCharge: 100%
[0E]: 03 FD // AbsoluteStateOfCharge: 1021%
[0F]: FF 38 // RemainingCapacity: 65336 mAh
[10]: FF 38 // FullChargeCapacity: 65336 mAh
[11]: FF FF // RunTimeToEmpty: 65535 minutes
[12]: FF FF // AverageTimeToEmpty: 65535 minutes
[13]: FF FF // AverageTimeToFull: 65535 minutes
[14]: 09 C4 // ChargingCurrent: 2,5 A
[15]: 31 38 // ChargingVoltage: 12,6 V
[16]: 02 C0 // BatteryStatus: 0000001011000000
[17]: 00 02 // CycleCount: 2
[18]: 19 00 // DesignCapacity: 6400 mAh
[19]: 2B 5C // DesignVoltage: 11,1 V
[1A]: 00 31 // SpecificationInfo: 0000000000110001
[1B]: 50 99 // ManufactureDate: 2020.04.25
[1C]: 83 6E // SerialNumber: 83 6E
[1D]: 83 6E // 83 6E
[1E]: 83 6E // 83 6E
[1F]: 83 6E // 83 6E
[20]: 41 0A // ManufacturerName: 41 0A
[21]: 4E 07 // DeviceName: 4E 07
[22]: 4C 04 // DeviceChemistry: 4C 04
[23]: 00 0E // ManufacturerData: 00 0E
[24]: 00 0E // 00 0E
[25]: 00 0E // 00 0E
[26]: 00 0E // 00 0E
[27]: 00 0E // 00 0E
[28]: 00 0E // 00 0E
[29]: 00 0E // 00 0E
[2A]: 00 0E // 00 0E
[2B]: 00 0E // 00 0E
[2C]: 00 0E // 00 0E
[2D]: 00 0E // 00 0E
[2E]: 00 0E // 00 0E
[2F]: 00 14 // 00 14
[30]: 00 14 // 00 14
[31]: 00 14 // 00 14
[32]: 00 14 // 00 14
[33]: 00 14 // 00 14
[34]: 00 14 // 00 14
[35]: 00 14 // 00 14
[36]: 00 14 // 00 14
[37]: 00 14 // 00 14
[38]: 00 14 // 00 14
[39]: 00 14 // 00 14
[3A]: 00 14 // 00 14
[3B]: 00 14 // 00 14
[3C]: 00 00 // 00 00
[3D]: 0E 2D // 0E 2D
[3E]: 0E 25 // 0E 25
[3F]: 0E 2A // 0E 2A
[40]: 17 17 // 17 17

[<-TX] Write word data
3D 00 05 05 02 01 02 80 8F

[RX->] Word data write response
3D 00 06 85 02 01 02 80 02 12

[INFO] Reg.: 01
       Data: 02 80
       # of bytes written: 02

[<-TX] Read word data
3D 00 03 04 02 01 0A

[RX->] Word data received
3D 00 05 84 02 01 02 80 0E

[INFO] Reg.: 01
       Data: 02 80

[<-TX] Read word data
3D 00 03 04 02 0F 18

[RX->] Word data received
3D 00 05 84 02 0F FF 38 D1

[INFO] Reg.: 0F
       Data: FF 38

[<-TX] Write word data
3D 00 05 05 02 0F 03 C0 DE

[RX->] Word data write response
3D 00 06 85 02 0F 03 C0 02 61

[INFO] Reg.: 0F
       Data: 03 C0
       # of bytes written: 02

[<-TX] Read word data
3D 00 03 04 02 0F 18

[RX->] Word data received
3D 00 05 84 02 0F FF 38 D1

[INFO] Reg.: 0F
       Data: FF 38

[<-TX] Write word data
3D 00 05 05 02 10 19 00 35

[RX->] Word data write response
3D 00 06 85 02 10 19 00 02 B8

[INFO] Reg.: 10
       Data: 19 00
       # of bytes written: 02

[<-TX] Read word data
3D 00 03 04 02 10 19

[RX->] Word data received
3D 00 05 84 02 10 19 00 B4

[INFO] Reg.: 10
       Data: 19 00

[<-TX] Read word data
3D 00 03 04 02 0F 18

[RX->] Word data received
3D 00 05 84 02 0F 03 C0 5D

[INFO] Reg.: 0F
       Data: 03 C0

[<-TX] SMBus register dump request
3D 00 04 02 03 00 40 49

[RX->] SMBus register dump (00-40)
3D 00 C7 82 03 00 40 00 00 00 01 02 80 02 00 0A 03 60 81 04 00 00 05 FF FF 06 FF FF 07 00 01 08 
0B AE 09 2A 7A 0A 00 00 0B 00 00 0C 00 64 0D 00 0F 0E 00 0F 0F 03 C0 10 19 00 11 FF FF 12 FF FF 
13 FF FF 14 09 C4 15 31 38 16 00 C0 17 00 02 18 19 00 19 2B 5C 1A 00 31 1B 50 99 1C 83 6E 1D 83 
6E 1E 83 6E 1F 83 6E 20 41 0A 21 4E 07 22 4C 04 23 00 0E 24 00 0E 25 00 0E 26 00 0E 27 00 0E 28 
00 0E 29 00 0E 2A 00 0E 2B 00 0E 2C 00 0E 2D 00 0E 2E 00 0E 2F 00 14 30 00 14 31 00 14 32 00 14 
33 00 14 34 00 14 35 00 14 36 00 14 37 00 14 38 00 14 39 00 14 3A 00 14 3B 00 14 3C 00 00 3D 0E 
2C 3E 0E 25 3F 0E 2A 40 17 17 B0

[INFO] SMBus register dump details (00-40):
[00]: 00 00 // ManufacturerAccess: 00 00
[01]: 02 80 // RemainingCapacityAlarm: 640 mAh = 7104 mWh
[02]: 00 0A // RemainingTimeAlarm: 10 minutes
[03]: 60 81 // BatteryMode: 0110000010000001
[04]: 00 00 // AtRate: 0 minutes
[05]: FF FF // AtRateTimeToFull: 65535 minutes
[06]: FF FF // AtRateTimeToEmpty: 65535 minutes
[07]: 00 01 // AtRateOK: true
[08]: 0B AE // Temperature: 27,17°C
[09]: 2A 7A // Voltage: 10,874 V
[0A]: 00 00 // Current: 0 A
[0B]: 00 00 // AverageCurrent: 0 A
[0C]: 00 64 // MaxError: 100%
[0D]: 00 0F // RelativeStateOfCharge: 15%
[0E]: 00 0F // AbsoluteStateOfCharge: 15%
[0F]: 03 C0 // RemainingCapacity: 960 mAh
[10]: 19 00 // FullChargeCapacity: 6400 mAh
[11]: FF FF // RunTimeToEmpty: 65535 minutes
[12]: FF FF // AverageTimeToEmpty: 65535 minutes
[13]: FF FF // AverageTimeToFull: 65535 minutes
[14]: 09 C4 // ChargingCurrent: 2,5 A
[15]: 31 38 // ChargingVoltage: 12,6 V
[16]: 00 C0 // BatteryStatus: 0000000011000000
[17]: 00 02 // CycleCount: 2
[18]: 19 00 // DesignCapacity: 6400 mAh
[19]: 2B 5C // DesignVoltage: 11,1 V
[1A]: 00 31 // SpecificationInfo: 0000000000110001
[1B]: 50 99 // ManufactureDate: 2020.04.25
[1C]: 83 6E // SerialNumber: 83 6E
[1D]: 83 6E // 83 6E
[1E]: 83 6E // 83 6E
[1F]: 83 6E // 83 6E
[20]: 41 0A // ManufacturerName: 41 0A
[21]: 4E 07 // DeviceName: 4E 07
[22]: 4C 04 // DeviceChemistry: 4C 04
[23]: 00 0E // ManufacturerData: 00 0E
[24]: 00 0E // 00 0E
[25]: 00 0E // 00 0E
[26]: 00 0E // 00 0E
[27]: 00 0E // 00 0E
[28]: 00 0E // 00 0E
[29]: 00 0E // 00 0E
[2A]: 00 0E // 00 0E
[2B]: 00 0E // 00 0E
[2C]: 00 0E // 00 0E
[2D]: 00 0E // 00 0E
[2E]: 00 0E // 00 0E
[2F]: 00 14 // 00 14
[30]: 00 14 // 00 14
[31]: 00 14 // 00 14
[32]: 00 14 // 00 14
[33]: 00 14 // 00 14
[34]: 00 14 // 00 14
[35]: 00 14 // 00 14
[36]: 00 14 // 00 14
[37]: 00 14 // 00 14
[38]: 00 14 // 00 14
[39]: 00 14 // 00 14
[3A]: 00 14 // 00 14
[3B]: 00 14 // 00 14
[3C]: 00 00 // 00 00
[3D]: 0E 2C // 0E 2C
[3E]: 0E 25 // 0E 25
[3F]: 0E 2A // 0E 2A
[40]: 17 17 // 17 17

PS: the keys should be:
[60]: 14 04 // 14 04
[61]: FF 04 // FF 04
[62]: 73 04 // 73 04
[63]: 10 04 // 10 04
[64]: 98 04 // 98 04
[65]: EF 04 // EF 04
[66]: 67 04 // 67 04

Any idea how to solve this situation? I think I need to write the values to flash memory and not to what seem to be output registers. I checked the BQ3050 Technical Reference, but while it explains how to read/write flash, it does not provide the flash addresses (row and offset).