Firmware config from bq8030 battery

[pc2005]

Hello,

Few months ago I've got some dead R61. One of the problem was dead battery pack. I think I've managed to fix the hardware (blown fuse, discharged cells), but the firmware doesn't want to enable the charging/discharging mosfets.

After some intensive research ( http://www.karosium.com/2016/08/smbusb- ... eries.html and http://www.karosium.com/2016/08/hacking ... mware.html) I've managed to create (= glue together) a simulator of the internal chips. But even with the simulator I cannot find the correct code path which enables the charge and discharge. The mosfets are fine, I can control the mosfets manually (with normal debug commands).

Can somebody experienced with sanyo cells make an eeprom dump (perhaps code, ram and IO dump too) of the working pack? It should be possible with karosium/smbusb software or I can upload somewhere my generic linux i2c-tools scripts.

The battery pack seems to be vanilla sanyo IBM-42T4513 from R61 with combo chips bq8030/bq29330. The same pack can be probably found in T6x, R60 and other compatible thinkpads too.

[atagunov]

Heh, I probably have the hardware, and have had it for months but feel soooo lazy to actually use it.. BTW have you tried the free version of http://be2works.com ? If you do try it could you please report success/failure? (be2works supposedly needs CP2112. It's advisable to "lock" USB ids before using CP2112. It's done via some tool from the original designers of CP2112. It is advisable to do so because at least some versions of be2works are known to override them thus making CP2112 unusable with either be2works or otherwise).

[pc2005]

I know about be2works, but I don't have the compatible adapter and the application probably won't work in linux. Do you think be2works can restart battery which had a blown fuse and with firmware which doesn't want to enable charge/discharge? I'm thinking about purchasing the adapter, but I would have no use otherwise.

I'm just using generic i2c-tools in linux together with some generic i2c controller (3.3V signal levels). For now it is i2c on vocore2 board.

Anyway if you have linux and linux i2c-dev (driver) and i2c-tools compatible adapter. I've uploaded shell scripts for the access https://repo.or.cz/cr816-sim.git/tree/HEAD:/tools .

I would be grateful if you try to download the flash image either with my scripts, be2works or karosium software .

The instructions how to obtain flashdump with my generic i2c scripts (shouldn't upset the firmware, general instruction in README):

• Code: Select all

  modprobe i2c-dev

  loads kernel driver for userspace access

• Code: Select all

  i2cdetect -l

  lists all i2c/smb adapter in system

• Code: Select all

  i2cdump -y $ADAPTER 11

  should show classic register map of bq8030
• change variable

  Code: Select all

  SMB_IFACE

  from

  Code: Select all

  i2c_config.sh

  for your adapter
• save hexdump from multiple runs (may mismatch few times)

  Code: Select all

  bq_norm_data_dump 0x4000 0x800 | xxd -g 1 

  .. or just a binary (without xxd)
• theoretically would be interesting to see RAM map (area 0x0000 0x800) if there are some factory-only written variables, but I think flash should be enough

edit: scripts are renamed in new commit

[atagunov]

I know about be2works, but I don't have the compatible adapter and the application probably won't work in linux.

You're right be2works is windows-only. I do run Windows 10 in KVM VM on T520 though and it works ok. It is my understanding it should work with an adapter like this, though I haven't tried. That's the CP2112. This costs a few $$ but the official adapter from makers of the bq8030 chips is super-expensive. Just lock those ids on CP2112 like I mentioned earlier.

Do you think be2works can restart battery which had a blown fuse and with firmware which doesn't want to enable charge/discharge?

That's exactly what it has been written for. It has been written by somebody experienced in repairing batteries for other people repairing batteries. The problem is that the person who had written it - and it looks like a singular individual to me - wants lots of money for it. Around $300 if I remember correctly. That would make sense for a shop repairing batteries 10 years ago. It doesn't make sense for us now.

The controllers need to have a secret "password" to make them cooperative - when running on unmodified firmware. Perhaps some of them require some more advanced form of cajoling to put them into a mode when they'll allow you to reset them. So the free version of be2works will have very little in this department. Still worth a try if it happens to work on your chip with whichever firmware it's got. However it's the for-money version that has those tricks for talking to the lesser cooperative chips protected by better non-default passwords..

If you do somehow manage to put the battery controller in that unlocked state (don't remember what it's properly called) then even the free version of be2works should be quite helpful. It will be able to reset the error flags set new cell capacity, run recalibration after that. It should be pretty useful - if it manages to unlock the controller or if you manage to unlock it otherwise.

BTW there are many error flags that can be set after a blown fuse.. I previously watched some youtube video related to be2works which shows its operating screens.. man, it's not trivial

As for doing the dumps myself.. well maybe.. in another life.. don't know how soon I find time to use the huge pile of hardware that I got here..

[pc2005]

lots of money for it. Around $300

yeah exactly, I'm playing with the bq8030 just because it is an interesting reverse engineering challenge, new battery costs like $30

If you do somehow manage to put the battery controller in that unlocked state

I was able to reverse engineer the firmware and switch to some kind of "offline" mode, where the only ADC and coloumb counters are activated and you can access the second bq chip. That's probably calibration mode.

BTW there are many error flags that can be set after a blown fuse.. I previously watched some youtube video related to be2works which shows its operating screens.. man, it's not trivial

Yeah exactly, but only place where bq8030 can store that information is in data flash (unless it has OTP bits itself). So theoretically the data flash image of a working unit should make it work.

As for doing the dumps myself.. well maybe.. in another life.. don't know how soon I find time to use the huge pile of hardware that I got here..

.. OK I know I have no time as well