Profit. And we've made the educated guess that Step 2 is really "Send 0x… to 0x71", so we're pretty much done with the disassembly: 16 bits is well within the realm of bruteforceability, and since I had another sacrificial board as well as a battery pack running SANYO firmware, I had everything I needed to try it.

As mentioned in the previous post, the bq8030 is the blank version of the bq20z90. If you bought some from Aliexpress they'd come with the TI Boot ROM, and you could use the flashing tool included in SMBusb to upload firmware and EEPROM (data flash) to them.
In theory you could turn one into a bq20z90 by dumping the firmware from one and uploading that. The method for accessing the Boot ROM on those chips is documented in datasheets and application notes.

Especially telling is this screenshot of the software that comes with it. Not really expecting much, I tried a word write of 0x0214 to command 0x71 and… nothing. So I moved on to poking at other things, but eventually came back for a second look, and that's when I noticed: "Command word scan starting at 0x70 before sending command."

Brick walls meet eagerness. I couldn't really get any further with just that information, so I started looking at the hardware instead. Having found slides from a TI presentation revealing the relationship between the bq8030 and the bq20z90, I opened up the datasheet for the latter (since there's no public datasheet for the former). There is no obvious BOOT pin, as one would expect of a device that isn't really intended to be tampered with. But maybe pulling some pin high or low during reset would get me somewhere. Or maybe several pins have to be set to particular states for it to work. I have no reasonable explanation as to why I came to this conclusion. Maybe I saw a presentation somewhere about black-box chips and NC pins years and years ago, but I could just be imagining things.

Either way: about 5 minutes of poking at Pin 28 with a resistor connected to 3.3 V in hand, triggering reset at random intervals while running a constant command scan. Is the chip fried? It is at this point that I coded up the dump tool to try and examine the flash contents. I wasn't really bothered by the chip dying, as this was one of two sacrificial control boards I kept just for playing around with.
And the results: apparently we can corrupt (hopefully just) the first few blocks of flash if we bully Pin 28 while the chip is trying to start up. The good news, though (if we're lucky): we get 99% of the firmware, and thanks to Charlie Miller we have a disassembler (zip) for it.

Did playing with Pin 28 actually have an effect? Could it just have been the erratic resetting of the chip that caused the failure? Did I short VCELL to Pin 28 while playing around? Was there a higher voltage on VCELL? Was it just ESD? No idea. But I did manage to reproduce the result on another chip using the exact same procedure. So when in doubt and you have nothing to lose, act like a caveman, I guess. The only good thing about this approach is that even if you have zero information about whether there even IS a method for entering the Boot ROM in the firmware, let alone what it is, there's still a high chance that you'll get in.

Basically: `if (smbSlaveRecvWord(0x71) == 0x0214) accesslevel |= 0x80;`

But wait. It can set two access flags, based on whatever (i3,0x1A) and (i3,0x1B) are. Hmm. Well, I don't know what those are and can't find where they're set, so let's assume the first jeq will not jump once we've supplied the correct first password, because that would make sense. We can also see that it checks the word we send against those secret bytes somehow, and if it likes what it sees it sets access flag 0x40 and clears the secret bytes to 0. A little further up we find the entry point for the Boot ROM.