Tuesday, August 30, 2016

Adding the M37512 with Panasonic/IBM firmware

Just "adding" because this battery controller is already public. You have the datasheet (PDF), which tells you the pin combination to enter the Boot ROM and most of the command set (how was the actual read command missed? weird). Then there are open-source flasher tools like this one. You can also use Google to find the passwords, because you WILL need passwords (at least with this firmware), and that is after you set the correct pins to the correct states to enter the Boot ROM. Overkill? Yeah, overkill.

But since it's all out there it's just a matter of coding up a tool for SMBusb.

Quote:
 "Normal microcomputer mode is entered when the microcomputer is reset with pulling CNVSS pin low. In this case, the CPU starts operating using the control program in the User ROM area. When the microcomputer is reset by pulling the P24/SDA2/RXD pin high, the CNVss pin high, the CPU starts operating using the control program in the Boot ROM area"

After setting the pins to the desired state and resetting the chip you get:

$ smbusb_scan -w 0x16
------------------------------------
             smbusb_scan
------------------------------------
SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 00 - ff
Skipping: None
------------------------------------
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK, Byte writable, Word writable, Block writable, >Block writable
[2] ACK, Byte writable, Word writable, Block writable, >Block writable
[3] ACK, Byte writable, Word writable, Block writable, >Block writable
[4] ACK, Byte writable, Word writable, Block writable, >Block writable
[5] ACK, Byte writable, Word writable, Block writable, >Block writable
[6] ACK, Byte writable, Word writable, Block writable, >Block writable
*repeat for all commands*

Going at this blind would've been pretty terrible. This chip is waiting for the correct passwords and ACKing literally everything until it gets them.
Entering the correct passwords scoured from the internet:


$ smbusb_comm -a 0x16 -c 0xFF -w CDAB -b
$ smbusb_comm -a 0x16 -c 0xCF -w 3412 -b
$ smbusb_scan -w 0x16 -e 10
------------------------------------
             smbusb_scan
------------------------------------
SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 00 - 10
Skipping: None
------------------------------------
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK
[2] ACK
[3] ACK
[4] ACK
[5] ACK
*snip*

It still ACKs every command, but it's exposing the documented Boot ROM interface now. Just don't scan it too much, because writing the wrong thing to the wrong command will hang the controller and/or the entire bus, which the SMBusb won't like too much either. (The Boot ROM in this chip has zero error handling.)
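To tell the two scan states apart without hand-reading a 256-line listing, here is an added Python example (not part of this post or of SMBusb) that parses smbusb_scan result lines, classifies a run as "accept-all" (still waiting for the passwords) or "ACK-all but selectively writable" (Boot ROM interface exposed), and lists which commands lost writability between two runs. It assumes the bracketed command index is printed in hex, as the scan range is.

```python
import re
from typing import Dict, List

# Constructed samples, abridged from the two smbusb_scan runs shown above.
SCAN_LOCKED = """\
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK, Byte writable, Word writable, Block writable, >Block writable
[2] ACK, Byte writable, Word writable, Block writable, >Block writable
"""
SCAN_BOOTROM = """\
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK
[2] ACK
[3] ACK
"""
ACCEPT_ALL = "accept-all"      # every command fully writable: still waiting for the unlock passwords
ACK_ALL = "ack-all-selective"  # every command ACKs, writability differs: Boot ROM interface exposed
MIXED = "mixed"                # some commands NAK: not the behaviour seen on this controller

# Result lines look like "[1f] ACK, Byte writable, ..."; index assumed hex (scan range is printed in hex).
LINE_RE = re.compile(r"^\[(?P<cmd>[0-9a-fA-F]{1,2})\]\s*(?P<flags>.*)$")
WRITABLE = ("Byte writable", "Word writable", "Block writable")


def parse_scan(text: str) -> Dict[int, List[str]]:
    """Map each scanned command code to the flags smbusb_scan reported for it."""
    scan: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:              # banner, 'Scan range', '*snip*' and similar lines
            continue
        flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
        scan[int(m.group("cmd"), 16)] = flags
    return scan


def classify(scan: Dict[int, List[str]]) -> str:
    """Decide which of the two states seen in the post a scan corresponds to."""
    if not scan:
        raise ValueError("no scan result lines found")
    acked = all("ACK" in flags for flags in scan.values())
    fully_writable = all(all(w in flags for w in WRITABLE) for flags in scan.values())
    if acked and fully_writable:
        return ACCEPT_ALL
    return ACK_ALL if acked else MIXED


def writability_delta(before: Dict[int, List[str]], after: Dict[int, List[str]]) -> List[int]:
    """Commands whose reported writability shrank between two scans (e.g. after the unlock)."""
    return sorted(c for c in before if c in after and set(after[c]) < set(before[c]))
```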

Some coding later:
$ smbusb_m37512flasher -w b0 -p b0
------------------------------------
        smbusb_m37512flasher
------------------------------------
SMBusb Firmware Version: 1.0.1
------------------------------------
Erasing flash block starting at 0xe000 ...
Done!
Writing memory 0xe000-0xffff ...
Done!
Verifying 0xe000-0xffff ...
Verified OK!

The tool is now a part of SMBusb.

I haven't done research into modification or resetting for this controller yet. Maybe in the future!
