Documentation for BQ8050 #11
Comments
@youxiaojie hello, I've seen you were active around here and you're from China - would you be so kind to download it from docin.com (I linked it above) and share it with me/us/here so it can be downloaded without registering? I cannot register there because I don't understand a thing 😞
Excellent find, thank you! These documents seem to be behind a paywall but I have found a bypass here: enter the link at the top and press the button. Pages load slowly and a new page is rendered when you scroll all the way down. There's no PDF download but I'll make one from the images and upload it soon.
Glad I could help - I've got a battery with this exact chip currently and was digging into it using what you've explained in your blog. What I didn't get yet from there is - were you able to extract the EEPROM?
From a quick glance there is information on where each memory region is and how the SHA1 authorization works, and the default key is also provided (although unlikely to be that?). What boggles my mind is how SMBus maps to these memory regions, and if it does at all, since this is handled by the firmware (or is it?). It is not that simple to just ask for a given region through SMBus and have it returned - is it? I'm just beginning the hacking journey so I might be missing some fundamental pieces.
Well, reading memory blocks seems to be easy even in sealed mode:
With these registers you can read ROM bytes. The Read ROM button in the GUI uses these registers and 3 distinct intervals to read from. When I ordered my replacement battery (not BQ8050) it came in unsealed (possibly full access) mode and I saw and saved all the security keys, which were all default ones. So I wouldn't be surprised if pack makers would leave default keys untouched. The only way to find out is to go through the authentication procedure, give the chip a random challenge, assume default encryption keys and see if in theory the chip's response can be decrypted with said default keys.
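The default-key test proposed above can be scripted: send the chip a random challenge, read back its digest, and compare it against digests you compute locally under the assumed default key. The script below is an added example, not code from this thread or from the blog post; it does not talk to a real pack (the SMBus read/write of the challenge and response registers are left to the reader, since the register numbers are in the linked datasheet, not on this page). The 128-bit default key is a placeholder, and both digest constructions (plain HMAC-SHA1, and SHA1(key || SHA1(key || challenge))) are assumptions included only so the comparison logic can be tried against whichever scheme the datasheet actually specifies.

```python
"""Check whether a gas-gauge authentication response matches an assumed default key.

Added example for this thread. Nothing here is specific to the BQ8050: the key,
the candidate digest constructions and the simulated pack are all assumptions.
"""
import hashlib
import hmac
import os

# Hypothetical placeholder for the datasheet's default key (128 bits). Replace
# with the value from the document once you have it.
ASSUMED_DEFAULT_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def digest_hmac_sha1(key: bytes, challenge: bytes) -> bytes:
    """Candidate 1 (assumption): standard HMAC-SHA1 over the challenge."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def digest_two_pass_sha1(key: bytes, challenge: bytes) -> bytes:
    """Candidate 2 (assumption): H2 = SHA1(key || SHA1(key || challenge))."""
    h1 = hashlib.sha1(key + challenge).digest()
    return hashlib.sha1(key + h1).digest()


# Every construction you want to try against the chip's response.
CANDIDATES = {
    "hmac-sha1": digest_hmac_sha1,
    "sha1(k||sha1(k||c))": digest_two_pass_sha1,
}


def identify_construction(challenge: bytes, response: bytes,
                          key: bytes = ASSUMED_DEFAULT_KEY):
    """Return the name of the candidate that reproduces `response` under `key`,
    or None if none does (i.e. the key or the scheme is not what we assumed)."""
    for name, fn in CANDIDATES.items():
        # Constant-time compare; not strictly needed offline, but good habit.
        if hmac.compare_digest(fn(key, challenge), response):
            return name
    return None


def simulated_pack_response(challenge: bytes, key: bytes, scheme: str) -> bytes:
    """Stand-in for the real chip. On hardware you would instead write the
    challenge to the authentication register via SMBus and block-read the
    20-byte digest back (register numbers are in the datasheet, not here)."""
    return CANDIDATES[scheme](key, challenge)


def run_default_key_test(challenge: bytes = None,
                         pack_key: bytes = ASSUMED_DEFAULT_KEY,
                         pack_scheme: str = "sha1(k||sha1(k||c))"):
    """End-to-end demo against the simulated pack.

    Returns the matched construction name, or None if the pack is not using
    the assumed default key under any candidate construction."""
    if challenge is None:
        challenge = os.urandom(20)  # 160-bit random challenge
    response = simulated_pack_response(challenge, pack_key, pack_scheme)
    return identify_construction(challenge, response)


if __name__ == "__main__":
    # Pack still on the assumed default key: we expect a match.
    print("default key :", run_default_key_test())
    # Pack whose maker changed the key: no candidate should match.
    custom_key = bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef")
    print("custom key  :", run_default_key_test(pack_key=custom_key))
```

Note that the chip never "decrypts" anything; it hashes the challenge with its secret, so the only thing you can do from the host side is recompute candidate digests and look for an equal one. A None result means either the key is not the default or the digest construction differs from the ones you tried, and you cannot tell which from a single exchange.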
Thank you very much for detailed information - if I work anything out I'll be adding more information here :) |
I've read your blog on your attempt on BQ8050
https://boundarycondition.home.blog/2020/01/18/the-repairing-and-hacking-of-a-dell-j1knd-bq8050-laptop-battery/
And I dug through Baidu and found this - do you think it might be any help?
http://www.docin.com/p-859124464.html
I honestly have no idea how to download it