Sanyo Tool Reset Bq8030 Datasheet. Battery capacity is stored as the remaining capacity reported through SBS divided by 2. Cycle count is stored as Cycle. Count- 1 (eg.: SBS value: 2. Eeprom byte: 2. 22)Remaining Capacity Alarm is stored as- is. A good place to start mapping. It's a good idea to reset the cycle counter.
$ smbusb_comm -a 16 -c 71 -w 0x0214 $ smbusb_scan -w 0x16 -b 0x70 ------------------------------------ smbusb_scan ------------------------------------ SMBusb Firmware Version: 1.0.0 Scanning for command writability. Scan range: 70 - ff Skipping: None ------------------------------------ [71] ACK, Byte writable, Word writable [72] ACK [73] ACK So this actually unlocks an extra command which disappears again when an SBS command is issued (or when doing a full command scan starting from 0.) The command however is not writable. Reading it returns.
Ok, nothing straightforward. No obvious BOOT pin as one would expect with a device that's not meant to be tampered with. But maybe pulling some pin high or low during reset will get me somewhere.
After the first pass no, not really. So maybe we have to set multiple pins into multiple states for it to work. Or maybe there's no such combination at all. How about I try to abuse N/C pins instead. I have no logical explanation as to why I came to this decision. Maybe I saw a presentation somewhere about blackbox chips and N/C pins years and years and years ago but I could just be imagining things. Either way, about 5 minutes of poking at PIN #28 with a resistor connected to 3.3v in hand and triggering RESET at random intervals while running a continuous command scan.
$ smbusb_scan -w 0x16 ------------------------------------ smbusb_scan ------------------------------------ SMBusb Firmware Version: 1.0.1 Scanning for command writability. Scan range: 00 - ff Skipping: None ------------------------------------ [0] ACK, Byte writable, Word writable, Block writable [1] ACK [2] ACK [3] ACK [4] ACK, Byte writable, Word writable, Block writable [5] ACK, Byte writable, Word writable, Block writable [6] ACK, Byte writable, Word writable [7] ACK, Byte writable, Word writable [8] ACK [9] ACK, Byte writable, Word writable [a] ACK, Byte writable, Word writable Wow, that worked? Let's just reset for now. $ smbusb_sbsreport SMBusb Firmware Version: 1.0.1 ------------------------------------------------- Manufacturer Name: ERROR Device Name: ERROR Device Chemistry: ERROR Serial Number: Manufacture Date: 1980.00.00 Uh-oh.
Improvements, enhancements and support for future ionCube 24 features. All ionCube 24 users are strongly encouraged to update to this version. 2018-11-13 10.3.0-beta Beta ionCube Loaders for PHP 7.3 on Linux and FreeBSD 11. Ioncube decoder download. This is the newest ioncube decoder and probably the most attractive because it can decode ioncube v7.4 nulled. Now all you need to do is to grab the download url you can achieve that by copying the url once the download dialog box appears.5.
Well that's not good! It seems we're stuck in the Boot ROM. Is the chip fried? It's at this point that I coded up the flash tool to try and read the flash contents.
(I wasn't really bothered by the chip dying as this was one of 2 sacrificial controller boards I kept just for messing around with.) And the results? Apparently we can corrupt (ideally just) the first couple of blocks of flash if we bully PIN #28 while the chip is trying to start up.
The good news though? (If we're lucky) We get 99% of the firmware, and thanks to we have a (zip) for it. Did messing with Pin #28 even have an effect? Could it just have been the erratic resetting of the chip that triggered the malfunction? Did I short VCELL+ to Pin28 while messing about?
- Author: admin
- Category: Category
Sanyo Tool Reset Bq8030 Datasheet. Battery capacity is stored as the remaining capacity reported through SBS divided by 2. Cycle count is stored as Cycle. Count- 1 (eg.: SBS value: 2. Eeprom byte: 2. 22)Remaining Capacity Alarm is stored as- is. A good place to start mapping. It's a good idea to reset the cycle counter.
$ smbusb_comm -a 16 -c 71 -w 0x0214 $ smbusb_scan -w 0x16 -b 0x70 ------------------------------------ smbusb_scan ------------------------------------ SMBusb Firmware Version: 1.0.0 Scanning for command writability. Scan range: 70 - ff Skipping: None ------------------------------------ [71] ACK, Byte writable, Word writable [72] ACK [73] ACK So this actually unlocks an extra command which disappears again when an SBS command is issued (or when doing a full command scan starting from 0.) The command however is not writable. Reading it returns.
Ok, nothing straightforward. No obvious BOOT pin as one would expect with a device that's not meant to be tampered with. But maybe pulling some pin high or low during reset will get me somewhere.
After the first pass no, not really. So maybe we have to set multiple pins into multiple states for it to work. Or maybe there's no such combination at all. How about I try to abuse N/C pins instead. I have no logical explanation as to why I came to this decision. Maybe I saw a presentation somewhere about blackbox chips and N/C pins years and years and years ago but I could just be imagining things. Either way, about 5 minutes of poking at PIN #28 with a resistor connected to 3.3v in hand and triggering RESET at random intervals while running a continuous command scan.
$ smbusb_scan -w 0x16 ------------------------------------ smbusb_scan ------------------------------------ SMBusb Firmware Version: 1.0.1 Scanning for command writability. Scan range: 00 - ff Skipping: None ------------------------------------ [0] ACK, Byte writable, Word writable, Block writable [1] ACK [2] ACK [3] ACK [4] ACK, Byte writable, Word writable, Block writable [5] ACK, Byte writable, Word writable, Block writable [6] ACK, Byte writable, Word writable [7] ACK, Byte writable, Word writable [8] ACK [9] ACK, Byte writable, Word writable [a] ACK, Byte writable, Word writable Wow, that worked? Let's just reset for now. $ smbusb_sbsreport SMBusb Firmware Version: 1.0.1 ------------------------------------------------- Manufacturer Name: ERROR Device Name: ERROR Device Chemistry: ERROR Serial Number: Manufacture Date: 1980.00.00 Uh-oh.
Improvements, enhancements and support for future ionCube 24 features. All ionCube 24 users are strongly encouraged to update to this version. 2018-11-13 10.3.0-beta Beta ionCube Loaders for PHP 7.3 on Linux and FreeBSD 11. Ioncube decoder download. This is the newest ioncube decoder and probably the most attractive because it can decode ioncube v7.4 nulled. Now all you need to do is to grab the download url you can achieve that by copying the url once the download dialog box appears.5.
Well that's not good! It seems we're stuck in the Boot ROM. Is the chip fried? It's at this point that I coded up the flash tool to try and read the flash contents.
(I wasn't really bothered by the chip dying as this was one of 2 sacrificial controller boards I kept just for messing around with.) And the results? Apparently we can corrupt (ideally just) the first couple of blocks of flash if we bully PIN #28 while the chip is trying to start up.
The good news though? (If we're lucky) We get 99% of the firmware, and thanks to we have a (zip) for it. Did messing with Pin #28 even have an effect? Could it just have been the erratic resetting of the chip that triggered the malfunction? Did I short VCELL+ to Pin28 while messing about?