Just "adding" because this battery controller is already public. You have the datasheet (PDF), which tells you the pin combination to enter the Boot ROM and most of the command set (how was the actual read command missed? weird). Then there are open-source flasher tools like this one. You can also use Google to find the passwords, because you WILL need passwords (at least with this firmware), and that is after you set the correct pins to the correct states to enter the Boot ROM. Overkill? Yeah, overkill.
But since it's all out there it's just a matter of coding up a tool for SMBusb.
Quote:
"Normal microcomputer mode is entered when the microcomputer is reset with pulling CNVSS pin low. In this case, the CPU starts operating using the control program in the User ROM area. When the microcomputer is reset by pulling the P24/SDA2/RXD pin high, the CNVss pin high, the CPU starts operating using the control program in the Boot ROM area"
After setting the pins to the desired state and resetting the chip you get:
$ smbusb_scan -w 0x16
------------------------------------
smbusb_scan
------------------------------------
SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 00 - ff
Skipping: None
------------------------------------
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK, Byte writable, Word writable, Block writable, >Block writable
[2] ACK, Byte writable, Word writable, Block writable, >Block writable
[3] ACK, Byte writable, Word writable, Block writable, >Block writable
[4] ACK, Byte writable, Word writable, Block writable, >Block writable
[5] ACK, Byte writable, Word writable, Block writable, >Block writable
[6] ACK, Byte writable, Word writable, Block writable, >Block writable
*repeat for all commands*
Going at this blind would've been pretty terrible. This chip is waiting for the correct passwords and ACKing literally everything until it gets them.
Entering the correct passwords scoured from the internet:
$ smbusb_comm -a 0x16 -c 0xFF -w CDAB -b
$ smbusb_comm -a 0x16 -c 0xCF -w 3412 -b
$ smbusb_scan -w 0x16 -e 10
------------------------------------
smbusb_scan
------------------------------------
SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 00 - 10
Skipping: None
------------------------------------
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK
[2] ACK
[3] ACK
[4] ACK
[5] ACK
*snip*
It still ACKs every command, but it's exposing the documented Boot ROM interface now. Just don't scan it too much, because writing the wrong thing to the wrong command will hang the controller and/or the entire bus, which the SMBusb won't like too much either. (The Boot ROM in this chip has zero error handling.)
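The two scan listings above are easy to misread as a real command map: before the unlock every command reports every write variant, and afterwards only command 0 keeps its write flags while the rest still ACK. The following is an added example, not code from the original post or from the SMBusb project, that parses the per-command lines smbusb_scan prints and flags a dump in which every command reports the same full capability set, which is the "ACKs everything" state described above and means the scan carries no information. It assumes the `[N]` command index is hexadecimal like the printed "Scan range" header, and the sample listings are constructed from the output shown in the post.

```python
import re

# Constructed samples modelled on the smbusb_scan listings in the post:
# the first is the pre-unlock state (every command ACKs with every write variant),
# the second is the post-unlock state (only command 0 keeps its write flags).
SCAN_BEFORE_UNLOCK = """\
------------------------------------
smbusb_scan
------------------------------------
SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 00 - 03
Skipping: None
------------------------------------
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK, Byte writable, Word writable, Block writable, >Block writable
[2] ACK, Byte writable, Word writable, Block writable, >Block writable
[3] ACK, Byte writable, Word writable, Block writable, >Block writable
"""

SCAN_AFTER_UNLOCK = """\
Scan range: 00 - 03
[0] ACK, Byte writable, Word writable, Block writable, >Block writable
[1] ACK
[2] ACK
[3] ACK
"""

# One result line: "[<cmd>] <flag>, <flag>, ...". The command index is parsed
# as hexadecimal to match the "Scan range: 00 - ff" header (assumption).
RESULT_RE = re.compile(r"^\[([0-9A-Fa-f]+)\]\s*(.*)$")


def parse_scan(text):
    """Return {command: frozenset(flags)} for every result line in a scan dump.

    Banner, separator and '*snip*' lines do not match RESULT_RE and are skipped.
    """
    commands = {}
    for line in text.splitlines():
        match = RESULT_RE.match(line.strip())
        if not match:
            continue
        cmd = int(match.group(1), 16)
        flags = frozenset(f.strip() for f in match.group(2).split(",") if f.strip())
        commands[cmd] = flags
    return commands


def acks_indiscriminately(commands):
    """True when every scanned command reports the same set of flags and that set
    goes beyond a bare ACK: the scan then says nothing about the interface,
    which is what the locked Boot ROM looks like on the bus."""
    if not commands:
        return False
    distinct = set(commands.values())
    if len(distinct) != 1:
        return False
    only = next(iter(distinct))
    return "ACK" in only and len(only) > 1


def writable_commands(commands):
    """Sorted command codes that report at least one writable variant."""
    return sorted(c for c, flags in commands.items()
                  if any("writable" in f for f in flags))


def describe(text):
    """Human-readable verdict for a scan dump."""
    commands = parse_scan(text)
    if acks_indiscriminately(commands):
        return ("%d commands scanned, all identical: device is ACKing everything, "
                "scan results are not meaningful" % len(commands))
    return "%d commands scanned, writable: %s" % (
        len(commands), ", ".join("0x%02x" % c for c in writable_commands(commands)))


if __name__ == "__main__":
    print(describe(SCAN_BEFORE_UNLOCK))
    print(describe(SCAN_AFTER_UNLOCK))
```

Run it against a saved smbusb_scan dump (for example `describe(open("scan.txt").read())`) before trusting a scan: a verdict of "ACKing everything" means the chip is still waiting for its unlock sequence and a wider scan would only risk hanging the controller, as the post warns.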
Some coding later:
$ smbusb_m37512flasher -w b0 -p b0
------------------------------------
smbusb_m37512flasher
------------------------------------
SMBusb Firmware Version: 1.0.1
------------------------------------
Erasing flash block starting at 0xe000 ...
Done!
Writing memory 0xe000-0xffff ...
Done!
Verifying 0xe000-0xffff ...
Verified OK!
The tool is now a part of SMBusb.
I haven't done research into modification or resetting for this controller yet. Maybe in the future!
Some tools manage to write without setting pins.
Thinkpad T61, battery IBM-42T4653 (LGC).
Successfully reset by filling ba and bb memory blocks with 0xFF.
Hello! Lenovo x201 with m37512 fc035 on it. I managed to read all the flash data; I found full charge capacity, charge cycles, battery name and serial number, but I can't find design capacity :( I built my battery pack with 3 extra cells and higher-capacity cells. It is around 10500 mAh :) but I can't get the laptop to charge it. It doesn't have the "funny" fuse, so that's not the problem. With the new cells it charged but didn't use the whole capacity; after I flashed with the FCC value and charge cycle changed, it said the battery has failed due to normal wear :D
Can somebody help me with what I'm doing wrong?
Thank you
Powy
Hi,
I have a Sony VGP-BPS9A battery with an M37512 FC026 chip. Can you please help me to read the flash data? I have the USB board mentioned in http://www.karosium.com/p/smbusb.html and I am able to read a Lenovo BQ chip battery.
Thinkpad T61, battery IBM-42P1133 (Panasonic)
Both my 2 PCBAs cannot get back to work after filling BA and BB with FF. Actually BA is already all FF, only BB needs to be reset to FF; then all cycle times and Full Charge Capacity had reset, but it won't charge nor discharge in use with the T61, though battery condition shows healthy green without warning.
Pls see the four-pin fuse and short it correctly.