There are several partitions of flash mapped into RAM and I'm sure I haven't found all of them. Just writing to the appropriate address in RAM (after the flash blocks have been erased) writes the flash memory, which is convenient.

Mapping out the protocol took a while, especially because it doesn't correspond to standard SMBus protocol, but I was eventually able to figure out how to read and write to RAM and erase blocks of memory-mapped flash.

The write scan however reveals that the chip is actually exposing some real functionality on some of the commands and that a couple of them violate SMBus protocol. A deliberate attempt at confusing any would-be attacker perhaps?

```
Scan range: 00 - ff
Skipping: None
-
*snip*
ACK, Byte writable
ACK
ACK
ACK
ACK
ACK
ACK
ACK
ACK
ACK
ACK, Byte writable, Word writable, Block writable
ACK, Byte writable, Word writable, Block writable
ACK, Byte writable, Word writable, Block writable, >Block writable
ACK, Byte writable, Word writable, Block writable, >Block writable
ACK
ACK
```

The chip was ACKing on every command.

```
$ smbusb_scan -w 0x16
-
smbusb_scan
-
SMBusb Firmware Version: 1.0.1
Scanning for command writability.
```

Pulling Pin #4 (also connected to Test Point 1 on the other side of the PCB) low during reset gave me this.

Next I wanted to see if there's something like a Boot pin that's going to get me a different mode when pulled either low or high during reset, so I started up a continuous command scan and started poking at the pins again.

It's also possible to rule out most pins through visual inspection and measurement. It should be possible to pull reset low through a 1k resistor but unlikely on VCC, and it shouldn't lead to a complete reset on an unrelated pin. I took a 1k resistor connected to ground and started poking the pins with it to find reset.
I started out by measuring voltages on all the pins. Just going by logic I was expecting some sort of differentiation on the various sides of the chip. To summarize my findings after the first pass:

- 13-24 has many pins connected directly to 'high voltage' from the cells.
- 37-48 appears to be mainly unused with a couple of pins at 3.3v, GPIO side?
- 25-36 is connected to current sensing and exposes various built-in voltage regulators.
- 1-12 is the 'main microcontroller side', has the SMBus pins, VCC (and probably RESET and others).