László Dániel edited this page Dec 31, 2022 · 5 revisions

How to unseal

UnsealKey method

The 32-bit UnsealKey needs to be written in 2 parts (two 16-bit words) to the ManufacturerAccess (00) register. The elapsed time between the 2 writes needs to be less than 4 seconds. A failed attempt locks out further attempts for 4 seconds.

The OperationStatus (54) register shows whether unsealing was successful.
There are two ways of reading this register:

  • directly from the 54 register, or
  • indirectly using an extended SBS command, by writing 0054 to ManufacturerAccess (00), then reading a word from it.

Example:

54 read word

or

00 0054 write word
00 read word

Result:

FFFF = 1111 1111 1111 1111
        YX

X-bit (bit 13, counted from 0 at the LSB; the SEC0 flag): 1 - sealed
                                                         0 - unsealed

Y-bit (bit 14; the SEC1 flag):                           1 - full access mode disabled
                                                         0 - full access mode enabled

Unsealing example:

54 read word
FFFF: sealed, full access mode disabled

00 1234 write word
00 5678 write word

54 read word
C001: unsealed, full access mode disabled

In unsealed mode some registers become writable, and parameters can be changed there by simply writing words to said registers.

SHA-1 method

  1. Send Unseal (0031) or Full Access (0032) command to ManufacturerAccess (00).
  2. Read 160-bit message M from ManufacturerInput (2F) in the format 0xAABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT, where AA is LSB.
  3. Generate the 512-bit SHA-1 input block B1: the 128-bit unseal/full access key KD, followed by the 160-bit message M, a single 1 bit, 159 zero bits and the zero-padded 64-bit big-endian representation of the decimal number 288 (the length in bits of KD + M). This is exactly the standard SHA-1 padding of the 36-byte value KD || M.
  4. Generate SHA-1 hash HMAC1 using B1.
  5. Generate the 512-bit SHA-1 input block B2 the same way: the 128-bit unseal/full access key KD, followed by the 160-bit hash HMAC1, a single 1 bit, 159 zero bits and the zero-padded 64-bit big-endian representation of the decimal number 288.
  6. Generate SHA-1 hash HMAC2 using B2.
  7. Write 160-bit hash HMAC2 to ManufacturerInput (2F) in the format 0xAABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT, where AA is LSB.
  8. The device compares hash HMAC2 with its internally calculated hash HMAC3. If they match, the device enters UNSEALED/FULL ACCESS mode, indicated by the OperationStatus (54) [SEC1],[SEC0] flags.
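The two-stage hash of steps 3 to 8, written out as an added example (it is not code from this wiki or from TI). It assumes the 128-bit key is the BQ8050 default key listed further down the page, and it constructs a made-up 20-byte challenge in place of a real read of register 2F. Because the page's padding (a 1 bit, 159 zero bits, the 64-bit length 288) is the standard SHA-1 padding of a 36-byte message, `hashlib.sha1` over `KD || M` produces HMAC1 directly; `padded_block()` builds the block by hand only to show that the two descriptions coincide. The reversal between the block as read from 2F and the big-endian value the hash consumes follows the page's "AA is LSB" note and is an assumption about that notation.

```python
import hashlib
import hmac

# Constructed sample values for this added example. The key is the 128-bit
# BQ8050 default authentication key quoted on this page; the 20-byte challenge
# is made up here and is NOT a value read from any real gauge.
DEFAULT_AUTH_KEY_HEX = "CBA4CBA4CBA4CBA4C317C317C317C317"
SAMPLE_CHALLENGE_BLOCK = bytes(range(0x20, 0x34))  # 20 bytes, as a block read of register 2F

MESSAGE_BITS = 288  # 128-bit key + 160-bit message, the length given in steps 3 and 5


def sha1_digest(data: bytes) -> bytes:
    """SHA-1 of data; hashlib applies the standard padding itself."""
    return hashlib.sha1(data).digest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def padded_block(key: bytes, payload: bytes) -> bytes:
    """Build the 512-bit input block of steps 3 and 5 by hand:
    KD (16 bytes) || payload (20 bytes) || 0x80 (a 1 bit, then 7 zero bits)
    || 19 zero bytes (the remaining 152 of the 159 zero bits)
    || 64-bit big-endian length 288. Total: 16 + 20 + 1 + 19 + 8 = 64 bytes."""
    if len(key) != 16 or len(payload) != 20:
        raise ValueError("need a 16-byte key and a 20-byte payload")
    block = key + payload + b"\x80" + bytes(19) + MESSAGE_BITS.to_bytes(8, "big")
    assert len(block) == 64
    return block


def block_to_int_bytes(block: bytes) -> bytes:
    """The page writes register 2F contents as 0xAABB..TT with AA (the first byte
    of the block) being the LSB, so the big-endian value SHA-1 consumes is the
    block reversed. ASSUMPTION: this reading of the page's notation."""
    return bytes(reversed(block))


def compute_response(key_hex: str, challenge_block: bytes) -> bytes:
    """Host side, steps 2 to 7: HMAC1 = SHA1(KD || M), HMAC2 = SHA1(KD || HMAC1).
    Returns the 20 bytes to block-write to register 2F (LSB first, like M)."""
    kd = bytes.fromhex(key_hex)
    m = block_to_int_bytes(challenge_block)
    hmac1 = sha1_digest(kd + m)       # step 4, input block B1
    hmac2 = sha1_digest(kd + hmac1)   # step 6, input block B2
    return block_to_int_bytes(hmac2)


def verify_response(key_hex: str, challenge_block: bytes, response_block: bytes) -> bool:
    """Device side, step 8: recompute HMAC3 with the stored key and compare it
    in constant time, so the compare itself leaks nothing about the expected value."""
    expected = compute_response(key_hex, challenge_block)
    return hmac.compare_digest(expected, response_block)


if __name__ == "__main__":
    resp = compute_response(DEFAULT_AUTH_KEY_HEX, SAMPLE_CHALLENGE_BLOCK)
    print("challenge (as read from 2F):", SAMPLE_CHALLENGE_BLOCK.hex())
    print("response  (to write to 2F): ", resp.hex())
    print("device accepts:", verify_response(DEFAULT_AUTH_KEY_HEX, SAMPLE_CHALLENGE_BLOCK, resp))
```

`sha1_hex()` is there so the SHA-1 primitive can be checked against a published test vector before trusting the rest of the chain; if the gauge rejects a response, the byte-order assumption in `block_to_int_bytes()` is the first thing to revisit.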

How to enable full access mode

FullAccessKey method

The battery needs to be unsealed before proceeding further.
The 32-bit FullAccessKey needs to be written in 2 parts (two 16-bit words) to the ManufacturerAccess (00) register. The elapsed time between the 2 writes needs to be less than 4 seconds. A failed attempt locks out further attempts for 4 seconds.

Enable full access mode example:

54 read word
C001: unsealed, full access mode disabled

00 2234 write word
00 5678 write word

54 read word
8001: unsealed, full access mode enabled

In full access mode some more protected registers become writable, and parameters can be changed there by simply writing words to said registers.

Also in this mode the default security keys can be changed by block-writing their registers:

[60] UnSealKey
[61] FullAccessKey
[62] PFKey
[63] AuthenKey3
[64] AuthenKey2
[65] AuthenKey1
[66] AuthenKey0

SHA-1 method

Refer to the same steps described in the "How to unseal" part.

How to clear Permanent Failure flag

PFKey method

In either security mode the 32-bit PFKey needs to be written in 2 parts (two 16-bit words) to the ManufacturerAccess (00) register. The elapsed time between the 2 writes needs to be less than 4 seconds. A failed attempt locks out further attempts for 4 seconds.

The procedure is the same as for unsealing, only the key differs. Check the corresponding registers afterwards to see if the failure flags were cleared.

How to authenticate battery

TODO

How to seal battery

To reduce the security access level, write 0020 to the ManufacturerAccess (00) register.

00 0020 write word
54 read word
FFFF: sealed, full access mode disabled

Summary of default security keys

Battery pack makers usually don't bother changing the default security keys.
Here are a few examples worth trying.

[60] UnSealKey:     1234 5678 or 0414 3672
[61] FullAccessKey: 2234 5678 or FFFF FFFF
[62] PFKey:         3234 5678 or 2673 1712
[63] AuthenKey3:    7654 3210
[64] AuthenKey2:    FEDC BA98
[65] AuthenKey1:    89AB CDEF
[66] AuthenKey0:    0123 4567

Note that SHA-1 authentication uses different keys.
The only known 128-bit authentication key, from the BQ8050 datasheet, is:

CBA4CBA4CBA4CBA4C317C317C317C317

Notes on word byte-order

Battery controllers usually handle the byte order inside a word least-significant byte first. The keys shown above list the bytes in regular order (most-significant byte first), so they need to be reversed, either by hand or by software.

Example:

UnsealKey: 0414 3672 -> 1404 7236
           regular      reversed
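An added example (not code from this wiki) that ties together the key-based unseal and full-access procedures, the OperationStatus bit decoding and the byte-order note above. `MockGauge` is a constructed stand-in for a controller: it models only the rules stated on this page (two word writes to register 00 within 4 seconds, a 4-second lockout after a wrong key, the 0xFFFF / 0xC001 / 0x8001 status words from the page's examples, and 0020 to seal again). It is not a model of any real gauge's firmware, and the default keys it holds are the page's example values; `swap_key_bytes()` performs the per-word byte reversal the byte-order section describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MANUFACTURER_ACCESS = 0x00   # register 00
OPERATION_STATUS = 0x54      # register 54
SEAL_COMMAND = 0x0020        # written to 00 to seal the pack again
SEC0_BIT = 1 << 13           # X bit on the page: 1 = sealed
SEC1_BIT = 1 << 14           # Y bit on the page: 1 = full access mode disabled
KEY_WINDOW_S = 4.0           # both the two-write window and the lockout, per the page


def decode_operation_status(word: int) -> dict:
    """Decode the X (bit 13) and Y (bit 14) flags of an OperationStatus word."""
    return {"sealed": bool(word & SEC0_BIT), "full_access": not (word & SEC1_BIT)}


def swap_key_bytes(key: str) -> str:
    """Reverse the two bytes inside each 16-bit word: '0414 3672' -> '1404 7236'."""
    return " ".join(w[2:4] + w[0:2] for w in key.split())


def key_words(key: str) -> List[int]:
    """'1234 5678' -> [0x1234, 0x5678], the two writes the page makes to register 00."""
    return [int(w, 16) for w in key.split()]


@dataclass
class MockGauge:
    """Constructed stand-in for a gauge; implements only the rules on this page."""
    unseal_key: str = "1234 5678"       # page's UnsealKey example (constructed defaults)
    full_access_key: str = "2234 5678"  # page's FullAccessKey example
    status: int = 0xFFFF                # sealed, full access disabled
    first_word: Optional[int] = None    # first half of a key, waiting for the second
    first_time: float = 0.0
    locked_until: float = 0.0
    log: List[str] = field(default_factory=list)

    def read_word(self, reg: int) -> int:
        if reg == OPERATION_STATUS:
            return self.status
        raise ValueError("mock only implements register 54")

    def write_word(self, reg: int, value: int, now: float) -> None:
        """A word write to register 00 at time `now` (seconds)."""
        if reg != MANUFACTURER_ACCESS:
            raise ValueError("mock only implements register 00")
        if value == SEAL_COMMAND:
            self.status, self.first_word = 0xFFFF, None
            return
        if now < self.locked_until:
            self.log.append("locked out")      # failed attempt: ignore for 4 s
            return
        if self.first_word is None or now - self.first_time >= KEY_WINDOW_S:
            self.first_word, self.first_time = value, now   # (re)start the 2-part key
            return
        self._try_key([self.first_word, value], now)
        self.first_word = None

    def _try_key(self, words: List[int], now: float) -> None:
        st = decode_operation_status(self.status)
        if st["sealed"] and words == key_words(self.unseal_key):
            self.status = 0xC001               # unsealed, full access disabled
        elif not st["sealed"] and words == key_words(self.full_access_key):
            self.status = 0x8001               # unsealed, full access enabled
        else:
            self.locked_until = now + KEY_WINDOW_S
            self.log.append("bad key")


if __name__ == "__main__":
    g = MockGauge()
    for t, word in ((0.0, 0x1234), (1.0, 0x5678)):
        g.write_word(MANUFACTURER_ACCESS, word, now=t)
    print(f"after UnsealKey: {g.read_word(OPERATION_STATUS):04X}",
          decode_operation_status(g.read_word(OPERATION_STATUS)))
    print("0414 3672 in wire order:", swap_key_bytes("0414 3672"))
```

The timing parameter is explicit so a host-side tool can be checked against the rule without real hardware: two correct words more than 4 seconds apart simply restart the sequence, and a wrong pair makes the next 4 seconds of writes a no-op, which is what a slow or retrying script will see in practice.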