RESET at random intervals while running a continuous command scan: $ smbusb? It's at this point that I coded up the flash tool to try and read the flash contents. Either way, about 5 minutes of poking at PIN #2. Maybe I saw a presentation somewhere about blackbox chips and N/C pins years and years and years ago but I could just be imagining things. I have no logical explanation as to why I came to this decision. How about I try to abuse N/C pins instead. Or maybe there's no such combination at all. So maybe we have to set multiple pins into multiple states for it to work. No obvious BOOT pin as one would expect with a device that's not meant to be tampered with. But maybe pulling some pin high or low during reset will get me somewhere. I opened up the datasheet for the latter (since there's no public datasheet for the former). Having found slides from a TI presentation revealing the connection between the BQ8. So I moved on to poking at other things but eventually came back for a second look and that's when I realized: Command scan starting at 0x. Not really expecting much, I tried a word write of 0x. Those could very well be SMBus commands right there. Especially this screenshot of the software that comes with it: There was no way I could figure everything out based on just that but I did take notice of the function bar on the bottom. WHAT AN AMAZING DEAL!!! I gathered everything I could find about this device and while it wasn't much it did provide clues that came in handy later on in the process. Apparently they sell this tool for them: Now with a SPECIAL! If you bought some from AliExpress they'd come up with the TI Boot ROM and you could use the flashing tool included in SMBusb to upload firmware and EEPROM (data flash) to it. As mentioned in the previous article the bq. Well that's not good! It seems we're stuck in the Boot ROM. Hacking the bq.
$ smbusb_sbsreport SMBusb Firmware Version: 1.0.1 - Manufacturer Name: ERROR Device Name: ERROR Device Chemistry: ERROR Serial Number: Manufacture Date: 1980.00.00 Uh-oh. Scan range: 00 - ff Skipping: None - ACK, Byte writable, Word writable, Block writable ACK ACK ACK ACK, Byte writable, Word writable, Block writable ACK, Byte writable, Word writable, Block writable ACK, Byte writable, Word writable ACK, Byte writable, Word writable ACK ACK, Byte writable, Word writable ACK, Byte writable, Word writable Wow, that worked? Let's just reset for now. $ smbusb_scan -w 0x16 - smbusb_scan - SMBusb Firmware Version: 1.0.1 Scanning for command writability. Either way, about 5 minutes of poking at PIN #28 with a resistor connected to 3.3v in hand and triggering RESET at random intervals while running a continuous command scan.