Battery firmware

[notsolowki]

i notice the battery firmware is not encrypted. i wonder what could be done to the battery controller so aftermarket batteries could be connected

[0r10nV]

Looks like they do for battery as well because consumables sales give them good income. After one well known blogger showed on his channel how to unlock deep-discharged Mavic Air battery using Drone update they released v620 anti-rollback firmware with patched battery module and that method no longer effective. When he showed how to change 2500mAh 18650 cells for 3000 VTC6 to get 35' flight time on Mavic Mini they released one after another several battery updates and closed possibility to change the cells. Also they care too much about preventing replication of their batteries. While the very first DJI drones models could evenly work on the aftermarket batteries the next models start to use authentication scheme between drone and battery to check if they are genuine. As soon as the very first SHA1 scheme was cracked and copy battery appeared on the market they introduced ECC1 in new drone models like M.Pro, P4, I2 etc. After about one year it was found the method of emulating this scheme and thus knock-ff batteries appeared. Since 2017 they changed it to ECC2 which is still neither cracked nor emulated. So no full-feature copy batteries available on the market for drones like Mavic Air, M2Pro, Mini etc. The only way to use DIY mods for those models is to enable 'non-DJI battery' option via Assistent and debugging console otherwise drone will not allow to take off. Since release of Mini 2 it looks like they closed even this option.

[grayuk]

Great work mefistotelis used your script on 3 dead mavic pro batts and worked on all of them even though they were third party batts, I had a Mavic air battery that had gone dead and would not light up led's or charge etc and took it apart and charged cells back up to around storage and then bypassed the fets to get it to power the quad and the dji app said battery firmware was out of date and updated it and then battery worked as normal with jump wires removed. So am I right in guessing the battery firmware dji push on a old out of date battery actually resets the battery chip flags?

[mefistotelis]

So am I right in guessing the battery firmware dji push on a old out of date battery actually resets the battery chip flags?

Yes, updating the battery FW seem to also clear flags in Data Space. Though from what I've heard, DJI already "fixed" that - on latest firmware, and on newer drones, PFF2 flags cannot be cleared this way.

Anyway, I already have a plan on how to do that using my tool, just need to confirm the specifics and implement it. I'm now waiting for some damaged batteries to arrive.

[grayuk]

Awesome work mefistotelis and good luck with your tool resetting your damaged batts. Very much look forward to how you get on. Cant seem to buy Spark batts anymore as they permanently out of stock on dji's uk store and I have a old one at present that I can read okay with your script, but obviously cant reset the flags at present.

[OlliDXD]

Been using the BQ script for diagnostics, and I've found myself a very annoying loop on one of my batteries. If I short reset to ground the battery will startup and run normal for a while with no unusual flags, but after a while it shuts down and the following flags are set:

-CUV Cell Undervoltage -DSG Discharge Detected -FD Fully Discharged -XDSG Discharging Disabled -XCHG Charging Disabled -SDV Shutdown By Voltage

PF is never set. Cells are perfectly balanced. Clearing PF or grounding reset fixes this temporairly, but it returns to the exact same state again after a bit. Currently at a dead end.

[mefistotelis]

From chip reference:

Condition: Min(Cell Voltage in Voltages()) continuous < Shutdown Voltage for Shutdown Time Action: The device disables everything and turns off.

Check values of the parameters used in "condition" and you'll know what's wrong.

[OlliDXD]

Tried finding those params earlier, but had trouble finding them. Where to look? Specific command?

[mefistotelis]

Shutdown Voltage and Shutdown Time are only available through Data Flash. See the reference PDF for details.

[0r10nV]

but after a while it shuts down

All push-button controlled DJI batteries auto-switched OFF after about 20min of inactivity. One should apply small charging or discharging current (I > I detect_threshold) to keep it ON for longer time.

[OlliDXD]

All push-button controlled DJI batteries auto-switched OFF after about 20min of inactivity.

It's less than 20 min, and trigger is CUV. Will need to check PCB for damage or faulty resistors. Pack is fine.

[0r10nV]

Then verify DMM individual voltage readout with values measured by chip and reported on SMBUS, registers 0x3f, 0x3e, 0x3d for Cell Voltage 1, 2 and 3 accordingly. If there is big discrepancy then PCB has hardware fault. Most probably ceramic capacitor in RC-filter or balancing FET in the AFE has leakage.

[OlliDXD]

Most probably ceramic capacitor in RC-filter or balancing FET in the AFE has leakage.

That's my theory, I'll check the bits.

[rsrmdp]

The controller is assembled on two chips: MSP430 and bq30z55.

MSP430 is a core processor that handles communication between the bq30z55 and the helicopter.

Connection 2300

The ev2300 can be connected to the bq30z55 chip through the corresponding contacts (test points) on the controller board.

Note that the connection is made in parallel to the bus. Those. there will be one SLAVE device (bq30z55) and two MASTER devices (MSP430 and ev2300) on the bus.

This connection is allowed, but only if both masters do not interfere with each other, that is, it will work with bq30z55 in turn.

In view of this, it is necessary to strictly observe the rule:

Any read-write of the bq30z55 chip must be done with the MSP430 OFF (the battery is turned off with the control button, the indicators do not light)

But! If you need to read the SBS data from the battery when it is on, you can do so by reducing the bus read speed to the minimum (main program window, SBS tab, bottom left of slider - move left).

[mixeysan]

Hi guys. I dumped the I2C communication between the battery and the drone during a firmware update. I also have some batteries from the Mavic 2 Pro for experiments. If you need any help, I will be happy to help.

[mixeysan]

https://user-images.githubusercontent.com/81270595/112294055-7a068800-8c9b-11eb-8ed5-251ed06b976f.mp4

What's in 0x67 ?

[mefistotelis]

Interesting. So you're searching for non-standard commands, or did you found it the dump from FW update?

[mixeysan]

I analyze the dump of the communication between the battery and the drone from the very beginning (turning on the drone) to turning off. After turning on DJi Go asked to update battery firmware and I also dumped i2C during battery firmware update.

[mixeysan]

[mixeysan]

https://user-images.githubusercontent.com/81270595/112304622-5e54af00-8ca6-11eb-84c4-e277910079b3.mp4

[mefistotelis]

Can you share that in hex? For example here I have the beginning of reading Data Flash from the battery in bootloader mode, in hex form:

170d16
0d009200f0
1709004094
170c77
0c20722f06c02ebf753a6240e4b280490000400000000000000000ff00ff000001000028
170920403a
170c77
0c200000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffff000b
17094040cf
170c77
0c202020321e140a666768696a6b6c6d6e6f70717273747576777a787930313233340077
1709604061
170c77
0c2002040000006700006b3a00005a4f5700035344490000000000000000000000000099

[mixeysan]

Of course. I extracted the piece of data from my LA dump when the firmware update was taking place. Maybe I didn't start extracting from the very beginning fw update and missed a few 32-byte data packets. I will upload a dump in LA format, also in text form and a bin file that I received after extracting the data. rename *. zip to 7z Mavic_2_PRO_sn_bat_0P2AG9U53500CT_fw_update_LOG.7z.zip

[mefistotelis]

Thanks; this can be converted into the format I use:

cat decoder--210320-225249_drone+bat_53500KG_33percent_bat_update_2_times_reboot.txt | cut -d \, -f 3 | tr -d '\n' | tr -d '\r' | sed 's/\(Start\|Start repeat\)/\n/g' | sed 's/\(Stop\|Data read:\|Data write:\)//g' | sed 's/[N]\?ACK//g' | sed 's/WriteAddress write: 0B/17/' | sed 's/ReadAddress read: 0B/  /' > decoder--210320-225249_drone+bat_53500KG_33percent_bat_update_2_times_reboot-cmd.txt

[mefistotelis]

I see DJI implemented a lot of their own commands; but fortunately they can mostly be ignored in regard to modding.

17 DA   # read Unknown command
   01 00 89
17 D5   # read Unknown command
   00 00 4E
17 D3 00 00 81
17 18   # read DesignCapacity
   0A 0F B5
17 17   # read CycleCount
   01 00 DD
17 19   # read DesignVoltage
   28 3C BE
17 1B   # read ManufactureDate
   37 4F 58
17 1C   # read SerialNumber
   4F 00 DA
17 20   # read ManufacturerName
   07 41 54 4C 20 4E 56 54 37 37 37 37 37 37 37 37 37 37 37 37 37 37
17 21   # read DeviceName
   0D 57 4D 32 34 30 42 41 54 54 45 52 59 31 CA CA CA CA CA CA CA CA
17 8D   # read Unknown command
   10 57 4D 32 34 30 42 41 54 54 45 52 59 31 00 00 00 CF
17 6A   # WAT??
17 6B   # WAT??
17 00 51 00 0A  # output ManufacturerAccess.SafetyStatus
17 23   # read ManufacturerData
   04 00 00 00 00 54
17 00 53 00 20  # output ManufacturerAccess.PFStatus
17 23   # read ManufacturerData
   04 00 00 00 00 54
17 00 54 00 4B  # output ManufacturerAccess.OperationStatus
17 23   # read ManufacturerData
   04 06 03 04 00 C9
17 00 55 00 5E  # output ManufacturerAccess.ChargingStatus
17 23   # read ManufacturerData
   02 04 04 31 31 31
17 09   # read Voltage
   DC 3A 8B
17 0A   # read Current
   E0 F7 D9
17 10   # read FullChargeCapacity
   92 0E 4B
17 0F   # read RemainingCapacity
   D4 05 EA
17 08   # read Temperature
   79 0B 53
17 0D   # read AverageCurrent
   28 00 35
17 51   # read Unknown command
   04 00 00 00 00 DA
17 D2   # read Unknown command
   00 00 2C
17 7B   # read Unknown command
   95 0E FF
17 79   # read Unknown command
   D5 05 B9
17 7C   # read Unknown command
   00 00 17
17 81   # read Unknown command
   20 01 43
17 7A   # read Unknown command
   BF 08 D7
17 84   # read Unknown command
   01 00 B1
17 7F   # read Unknown command
   0C 25 2A
...

[mixeysan]

[mixeysan]

[mixeysan]

So, how else can I help with dji mavic 2 pro batteries? :)

[gabdsg]

So, how else can I help with dji mavic 2 pro batteries? :)

Hi, not with mavic.. but do you know if the phantom 3 battery uses i2s too? Thanks

[pawelsky]

P3 battery uses serial externally (115200 baud) I probably still have some of the messages decoded somewhere.

[gabdsg]

Anything can help

[pawelsky]

@gabdsg Help with what exactly? What are you trying to achieve?

[gabdsg]

@pawelsky I need to power a phantom 3 with a power supply, without the battery

[mefistotelis]

You have Wireshark dissectors for Ph3 battery packets in this repo. Capture serial communication and look at it inside Wireshark. This should allow you to re-create the comm using any serial interface.

[gabdsg]

You have Wireshark dissectors for Ph3 battery packets in this repo. Capture serial communication and look at it inside Wireshark. This should allow you to re-create the comm using any serial interface.

I hadn't seen that, it's what I need. Thanks

[pawelsky]

You mean like that? ;) https://www.youtube.com/watch?v=inKlEuTi9cA

[gabdsg]

You mean like that? ;) https://www.youtube.com/watch?v=inKlEuTi9cA

YES!!! Exactly like that!

[pawelsky]

Then I believe this is the code I've used for the video (on Teensy). Not sure if it still works, haven't touched it since 2016. Phantom3BatteryAdapter.zip

[gabdsg]

That's awesome!! Thank you!

[svarteld]

Hope you can help me with this, written here before, thanks for all the great info.

I’m going to re-cell 6x Inspire TB47 batteries. I know the BMS will let me change cells without setting irreversible flags. But according to some, it seems to figure out if the capacity is wrong in the long run, and cause problems.

I wonder if there’s a problem with using 2850 mAh cells (TB48) instead of 2250 (TB47); almost same price, and if the TB47 BMS will only fill the TB48 cells up to about TB47 voltage, since the difference might be LiPo vs LiHV? It’s been discussed here before.

If not a voltage difference, guess there’s a risk the BMS find out they’re too large in capacity and cause trouble.

[svarteld]

Planning on using these:

2250mAh: https://www.aliexpress.com/item/4001099936130.html?

2850mAh: https://www.aliexpress.com/item/4001099879617.html?

Any opinions?

Thanks /P

[0r10nV]

TB47 board preprogrammed to 4.35V cells, me have pasted screenshots above with battery parameters. So TB48 cells will be charged to full there. The charger is common for both batteries types and it's LiPoHV charger.

But according to some, it seems to figure out if the capacity is wrong in the long run, and cause problems

This battery model not have capacity based "anti-recell" protection, it was introduced much later in DJI Mavic Mini on latest firmwares. So you could recell with no warry about it. The only disadvantage is SoC% calculation error, which will not allow you to drain full charge from the TB48 cells. At 0% it still have some charge to fly, but drone will request force landing. From another side it's even good because you are protected against empty fuel tank. But if you still want precise calculation and get benefit from HiCap cells you should consider chip reprogramming.

[svarteld]

@0r10nV thanks! I'll try the 2850mAh then.

The RTH/forced landing is no problem; can be disabled in firmware, and it's OK to have; will be a good idea to land anyways :-)

[rokz12]

Wow very impressed with you guys...have a lot tb47/48 that would love to fix.

[EspenT]

I have this p4pro battery with what appears to be a BQ30Z55 chip. Where do I connect my raspberry? And what software are recommended to to reset? @mefistotelis your software does support this chip? Where do I find the latest version?Has been stored a bit to long, but would like to see if there is any life left in it. Thank you for all the work you guys put in to reverse engineering everything.

[mefistotelis]

@mefistotelis your software does support this chip?

Yes. Read the script to see supported chips.

Where do I find the latest version?

Here in the repo.

[svarteld]

Guys, Need your opinion again, if you've got the time.

I'm realising LiIon battery technology have reached the point it's becoming a real alternative even for quads. I'll be building Bataflight drone to try this out, 18650 and 20700 versions. It just struck me, 18650 cells actually fit inside the Inspire 1 LiPo cage; exactly as many as needed to reach the Ampere needed, this by coincidence is also 6s2p, just like the original LiPos.

I know it's not supposed to work but: could the TB47 BMS possibly handle LiIon cells instead of LiPo? They're pretty similar in voltage etc:

TB47 LiPo single cell vs Sony Murata VCT5A LiIon:

Nominal 3,7V vs 3,6V Full 4,2V vs 4,2V 12x full charge 4500mAh vs 5200mAh, 100Wh vs 112Wh 12x max cont current 45A (10C calculated) vs 70A 12x weight 570g vs 564g (latter without case though) 12x price 80€ (China) vs 60€ (Europe, where I live)

Biggest difference is perhaps drained voltage; lower on a LiIon than LiPo. Should not make this less safe, but the other way around. But, it will leave some in the tank then BMS think it's empty.

Thoughts? Respect your opinion.

[mefistotelis]

Non-polymer Li-Ion cells are heavier.

The BMS chip can be reconfigured for any cell type you want, so you'd just have to read details of setting up battery from scratch, selecting values, loading chemistry characteristics etc.

[svarteld]

Guess I have some reading up to do, thanks.

I was thinking, without reconfiguring the BMS.

[0r10nV]

without reconfiguring and using standard Dji Charger there is a risk of overcharging 18650 to unsafe 4.35v as VTC6 are designed as 4.2v at full charge. But if you will use external Li-Ion charger for 6S battery then it should be Ok, except bms could not detect End-of-Charge event and will treat fully charged battery as about 90% filled.

[OlliDXD]

I was looking at the Phantom 3 batteries earlier, and they have about the same setup as the newer batteries. I was thinking about if there is any support to externally trigger discharge and limit charging to only charge up to nominal/storage charge, like on the Phantom 4 batteries with their hub. Do we know anything about this?

[mefistotelis]

On that note, the reference manual is curiously shy about the self-discharge feature. It is mentioned only one time in most specs.