tag:blogger.com,1999:blog-3030619748984253626.post1313596193053280598..comments2024-02-27T05:20:14.553-08:00Comments on Karosium: Hacking the R2J240 with LGC firmwareUnknownnoreply@blogger.comBlogger53125tag:blogger.com,1999:blog-3030619748984253626.post-26123057892647490502024-01-27T01:12:41.486-08:002024-01-27T01:12:41.486-08:00Hi, I got here a power tool battery pack with the ...Hi, I got here a power tool battery pack with the R2J240-10F020 in a QFN48 package. Unfortunately I have no clue to which pins I have to connect the smbus lines on the chip. Could you maybe provide the pin numbers for CLK and Data.sl13https://www.blogger.com/profile/02089268863864956975noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-80526060726987716312024-01-23T07:27:54.153-08:002024-01-23T07:27:54.153-08:00Is it possible to change Manufacture Date: 2012.02...Is it possible to change Manufacture Date: 2012.02.03 ?VitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-14860174625959013932024-01-20T13:08:41.051-08:002024-01-20T13:08:41.051-08:00Hi, I used a smbusb_2021-01 + FX2LP for windows XP...Hi, I used a smbusb_2021-01 + FX2LP for windows XP/ Windows 10 to take a dump R2J240-20F020 microprocessor.<br /> <br /> Unfortunately, In a Boot mode: smbusb_r2j240flasher.exe -d eep2.bin -p df2, I received a * Error: libusb error: Pipe error *. Does any had the same and solved this error ? <br /><br />Thank you.solarishttps://www.blogger.com/profile/03862576508188819367noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-29102670046025404722024-01-09T04:03:34.004-08:002024-01-09T04:03:34.004-08:00Here is the report:
E:\Battery unlock\smbusb-maste...Here is the report:<br />E:\Battery unlock\smbusb-master\RELEASE_WIN64>smbusb_sbsreport.exe<br />SMBusb Firmware Version: 1.0.1<br />-------------------------------------------------<br />Manufacturer Name: LGC<br />Device Name: LNV-42T4969<br />Device Chemistry: LION<br />Serial Number: 1793<br />Manufacture Date: 2012.02.03<br /><br />Manufacturer Access: 1002<br />Remaining Capacity Alarm: 936 mAh(/10mWh)<br />Remaining Time Alarm: 10 min<br />Battery Mode: e080<br />At Rate: 0 mAh(/10mWh)<br />At Rate Time To Full: 65535 min<br />At Rate Time To Empty: 65535 min<br />At Rate OK: 1<br />Temperature: 23.65 degC<br />Voltage: 12528 mV<br />Current: 0 mA<br />Average Current: 0 mA<br />Max Error: 0 %<br />Relative State Of Charge 0 %<br />Absolute State Of Charge 0 %<br />Remaining Capacity: 0 mAh(/10mWh)<br />Full Charge Capacity: 0 mAh(/10mWh)<br />Run Time To Empty: 65535 min<br />Average Time To Empty: 65535 min<br />Average Time To Full: 65535 min<br />Charging Current: 0 mA<br />Charging Voltage: 0 mV<br />Battery Status: 0690<br />Cycle Count: 378<br />Design Capacity: 8658 mAh(/10mWh)<br />Design Voltage: 11100 mV<br />Specification Info: 0031<br />Cell 0 voltage: 4209 mV<br />Cell 1 voltage: 4211 mV<br />Cell 2 voltage: 4108 mV<br />Cell 3 voltage: 0 mVVitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-17022403155107934132024-01-07T06:44:04.794-08:002024-01-07T06:44:04.794-08:00Hi. Have another issue with same battery (Manufact...Hi. Have another issue with same battery (Manufacturer Name: LGC<br />Device Name: LNV-42T4969). After I fix cell issue it was working for year and half and now Lenovo says battery is too old, cannot charge, replace it. That is all Lenovo :(<br />What can be done to reanimate it?<br />VitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-52380686799906637932023-12-26T23:20:49.725-08:002023-12-26T23:20:49.725-08:00No this support only linux, you can watch my video...No this support only linux, you can watch my video if you want to know more about the linux and cp2112<br /><br />https://youtu.be/7r17ZuEgyTU?si=k4uUCrl0DiQ83_duAnandakrishna Sudhakaranhttps://www.blogger.com/profile/10565028123657996377noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-54794191373775921422023-12-26T23:19:17.578-08:002023-12-26T23:19:17.578-08:00This comment has been removed by the author.Anandakrishna Sudhakaranhttps://www.blogger.com/profile/10565028123657996377noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-56984886585885482462023-12-26T11:22:03.667-08:002023-12-26T11:22:03.667-08:00Hi VIktor, Does the smbusb_2021-01_windows release...Hi VIktor, Does the smbusb_2021-01_windows release working with CP2112 Debug Board, please? I have R2J240-20F020 chip. *Ваша программа версии под windows будет работать с платой С2112 ? У меня пишет, что чип не найден. Pin #12 is Reset Pin #4 BOOT .solarishttps://www.blogger.com/profile/03862576508188819367noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-13935587694718074522023-11-22T20:38:10.376-08:002023-11-22T20:38:10.376-08:00This comment has been removed by the author.Man-Eating Monkeyhttps://www.blogger.com/profile/02955605596896845622noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-72567461742207816762023-11-22T03:03:22.269-08:002023-11-22T03:03:22.269-08:00For a Lenovo 42T4856 with an R2J240-20F020 BOOT is...For a Lenovo 42T4856 with an R2J240-20F020 BOOT is also Pin #10. RESET is still #Pin 12. My PF flag was at address 0x18B of DF1 (also with a value of 17) that I cleared to 00.Man-Eating Monkeyhttps://www.blogger.com/profile/02955605596896845622noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-70708615578895695792023-11-22T03:00:41.620-08:002023-11-22T03:00:41.620-08:00I should clarify that's address 0x38B of DF2.I should clarify that's address 0x38B of DF2.Man-Eating Monkeyhttps://www.blogger.com/profile/02955605596896845622noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-78313282883969880042023-11-22T02:57:56.060-08:002023-11-22T02:57:56.060-08:00For a Lenovo L09L6Y02 with an R2J240-20F020 BOOT i...For a Lenovo L09L6Y02 with an R2J240-20F020 BOOT is Pin #10. RESET is #Pin 12. Both normally high, need to be pulled low. Pull both down together, release RESET and then keep holding BOOT low for another second or two.<br /><br />My PF flag was at address 0x38B (with value of 17) that I cleared to 00.Man-Eating Monkeyhttps://www.blogger.com/profile/02955605596896845622noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-7581740027733591412023-10-14T17:02:51.340-07:002023-10-14T17:02:51.340-07:00Hi, I am not sure I understand the sequence to ent...Hi, I am not sure I understand the sequence to enter boot mode. Are the following steps correct?<br /><br />1. Pull Pin #12 low<br />2. Pull Pin #4 low<br />3. Release Pin #12<br />4. Release Pin #4<br />5. Send flash commandMan-Eating Monkeyhttps://www.blogger.com/profile/02955605596896845622noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-69832936550766927662023-02-27T00:24:01.443-08:002023-02-27T00:24:01.443-08:00maybe ladisav has made more progress, but as far a...maybe ladisav has made more progress, but as far as I know you have to physically short the pins on the chip in order to enter boot mode, because we don't have the commands/passworddanandrei96https://www.blogger.com/profile/14314926855826557359noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-58251190189152650112023-02-03T05:27:27.814-08:002023-02-03T05:27:27.814-08:00Hi, everyone, thanks for the work!
@danandrei96 I...Hi, everyone, thanks for the work!<br /><br />@danandrei96 I'm now in the process of replacing 4.3v cells and I found the address for the cell voltage in the static section / df3 - 0x2BE: 2 bytes (signed short) <br /><br />Here are my notes so far hope it helps someone:<br />```<br /> DF3:<br />00000000: 0100 3600 0001 fb01 3600 0206 0201 02e3 ..6.....6.......<br />00000010: e6fe e3a9 7000 e0ac 0dc8 0076 2fe0 1595 ....p......v/...<br />00000020: 1f30 2a4c 4743 0031 3100 0000 0000 0000 .0*LGC.11.......<br />00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................<br />00000040: 0000 0053 7469 6c6c 2041 6c69 7665 0000 ...Still Alive..<br />00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................<br />00000060: 0000 004c 494f 4e03 3201 3290 07fa 1031 ...LION.2.2....1<br />...<br />00000230: 0328 e9aa 053c 3ce8 1cf0 0aac 0d78 0578 .(...<<......x.x<br />00000240: 0500 0000 0096 0088 136c 07be 0a78 0578 .........l...x.x<br />...<br />000002b0: 6810 2c01 109a 102c 0164 6400 fa32 6810 h.,....,.dd..2h.<br />...<br />00001ff0: ffff ffff ffff ffff ffff ffff f476 c939 .............v.9<br /><br /><br />16-bit:<br />0x017: ??? # was the same value as reported Charging Current<br />0x01B: Charging voltage # Reported total value, no electrical effect<br />0x01F: Design Capacity<br />0x021: Design Voltage # Reported value<br />0x023: Manufacturer name # (untested)<br />0x043: Device name<br />0x063: Device Chemistry<br />0x23B: ??? # was the same value as reported Charging Current<br />0x24B: Charging Current # Reported value (electrical effect untested)<br />0x2BE: Cel Voltage # Actual cell charging voltage<br /><br /> DF1:<br />00000000: 00ff ffff ffff ffff ffff ffff ffff ffff ................<br />00000010: 5374 696c 6c20 416c 6976 6500 0000 0000 Still Alive.....<br />00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................<br />00000030: ffff ffff ffff ffff ffff ffff ffff ffff ................<br />00000040: 3002 6e02 0a00 00e0 7d04 2a04 0200 ca42 0.n.....}.*....B<br />00000050: 4b46 5333 334e 3032 5a00 0021 0014 00f6 KFS33N02Z..!....<br />00000060: 5ee2 00e6 4114 00e4 e472 0003 203f 00e1 ^...A....r.. ?..<br />00000070: 0201 0000 0000 c808 384e c841 8c8b 0700 ........8N.A....<br />00000080: 0000 f910 8513 850c 1c01 0000 0000 0000 ................<br />00000090: ffff ffff ffff ffff ffff ffff ffff ffff ................<br />...<br /><br />8-bit lock Flags at 0x6B: #Locks battery / changes Manufacturer Access<br />0x6B = 0x03: OK #MF.Access: 0018 (same as working battery)<br />0x6B = 0x07: seems OK #MF.Access: 0010 (not tested in laptop)<br />0x6B = 0x17: Locked #MF.Access: 2002 (appears dead)<br /><br />0x16-bit:<br />0x10: Device Name #no effect<br />0x42: Remaining Capacity Alarm #idk<br />0x44: Remaining Time Alarm #idk<br />0x46: Battery mode #idk<br />0x48: Full Charge Capacity #<br />0x4C: Cycle count #works<br />```ladislavhttps://www.blogger.com/profile/00668301332592855165noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-2040833754091539512022-11-09T16:29:10.766-08:002022-11-09T16:29:10.766-08:00@danandrei96 sorry, I don't know. Sounds like,...@danandrei96 sorry, I don't know. Sounds like, this information at the "signed" section. I didn't deal with it.h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-45232987035061044552022-10-09T09:11:40.948-07:002022-10-09T09:11:40.948-07:00Hi hope you are well, congratulations on your work...Hi hope you are well, congratulations on your work and your findings, I was planning to document the pins of the 51F51 as well but you beat me to it. Do you know how to change the chemistry or cutoff voltage for the LGC firmware? I have a battery which had originally 4.3v cells, but I recelled it using 4.2v which are more commonly available. I can flash dumps from a 6-cell to adjust the voltages, but then the capacity is very, very wrong. Thanksdanandrei96https://www.blogger.com/profile/14314926855826557359noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-8359067853943650232022-09-10T07:55:15.222-07:002022-09-10T07:55:15.222-07:00@VitaliyK, look into my research above. Maybe it w...@VitaliyK, look into my research above. Maybe it will be helpful.h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-45190557846656583142022-09-10T07:47:59.925-07:002022-09-10T07:47:59.925-07:00My changes adopting software for working with Linu...My changes adopting software for working with Linux i2c-dev: https://github.com/h4tr3d/smbusb, tested with CP2112.<br /><br />@Viktor, changes adopted to work both with FX2LP and i2c-dev: device can be pointed via command line `--device` argument. If omitted, FX2LP device tries to open by default. So, if you want, I can submit PR to you. h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-72113710273494160082022-09-06T02:28:47.321-07:002022-09-06T02:28:47.321-07:00Last update: I start my controller! :-)
0x60-0x63...Last update: I start my controller! :-)<br /><br />0x60-0x63 - affect "Relative state of Charge", "Absolute state of Charge" and "Remain Capacity" in unknown way. Don't touch.<br /><br />0x6b - sounds like contains flag, that lock/unlock battery. My value is 0x17. Replace it to 0x03 change "Manufacturer Access" code from 1002 to 0018, switch "Charging Current" from zero to 3500 mA and "Charging Voltage" from zero to 13050 mV. Sounds like bit 4 is a lock bit.<br /><br />Also, FCC value must be filled as is and it in mWh, so, just multiply mAh capacity to the design voltage divided to 10: 6000 mAh * 1.11.<br /><br />Also, useful link for Linux users: https://www.buggycoder.com/thinkpad-battery-calibration/h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-43054157917363435852022-09-04T17:26:30.847-07:002022-09-04T17:26:30.847-07:00Also, I updated original Victor's tools to wo...Also, I updated original Victor's tools to work with i2c-dev under Linux. Generally it work well with CP2112 :-) Functions SMBWrite()/SMBRead() can't work in such setup by design and must be reworked. Currently I implement SMBTransfer that work well with i2c-dev design. Will publish ASAP.<br /><br />Also, for 51F51 reading of register CMD_READ_CLEAR_STATUS_REG fails always with timeout. But erase works, just wait. Will do some WA.h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-84261548355055537932022-09-04T17:15:55.170-07:002022-09-04T17:15:55.170-07:00Too late, but... Update about BOOT and RESET for T...Too late, but... Update about BOOT and RESET for TSSOP38:<br />Pin 3 - VCC, 3.3V<br />Pin 10 - BOOT, 4.7K pull-up to VCC. Active LOW.<br />Pin 13 - RESET, 5.6K pull-up to VCC. Active LOW.<br /><br />I have two same controller for original and after-market battery (after market didn't charged, Thermal Fuse omitted. IC3 omitted also).<br /><br />On my board:<br />BOOT routed to the TP1 (as mentioned above by @Вета) test point at the bottom of the front controller side<br />RESET routed to the TP14 test point at the top of the back side<br /><br />(Need update) 51F51 revision has next founded mapping (all little endian):<br />0x40, 2 bytes - Remain Capacity Alarm, in mAh<br />0x44, 2 bytes - Remaining Time Alarm, in minutes<br />0x48, 2 bytes - FCC. TBD: example dump above map this value as-is in mAh, but I need 6000 mAh multiply to 1.78 to gen ~6000mAh in the report output. Need investigate.<br />0x46, 2 bytes - Battery Mode<br />0x4C, 2 bytes - Cycle Count, maps as is (TBD)<br /><br />I have "Charging Current:" and "Charging Voltage:" set to zero. Worked dump shows 3500mAh and 13050mV accordingly.<br />h4tr3dhttps://www.blogger.com/profile/15624454337851899082noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-87146919503851559022022-07-12T05:46:21.689-07:002022-07-12T05:46:21.689-07:00Any update about this chip? What pins BOOT and RES...Any update about this chip? What pins BOOT and RESET?VitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-27229737743412392342022-06-23T04:26:01.317-07:002022-06-23T04:26:01.317-07:00What number should be "At Rate OK"?What number should be "At Rate OK"?VitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.comtag:blogger.com,1999:blog-3030619748984253626.post-84044470073451482772022-06-23T04:19:40.027-07:002022-06-23T04:19:40.027-07:00I just "FF" 1-5 parts and worked with #6...I just "FF" 1-5 parts and worked with #6. Corrected all I needed. Now I will copy it to 1-5 and try on laptop. Do I need to change Battery mode and battery status? What do they show?VitaliyKhttps://www.blogger.com/profile/10471074979630054972noreply@blogger.com