Treat your Sanyo appliances to genuine OEM replacement parts when they begin to wear.Trust Heritage Parts to deliver the Right Part, Right Time, Every Time8482.
Please place this order and all future international orders there. Sign into your partstown.com account or create a new one its easy to do. Profit And weve made the educated guess that Step 2 is really Send 0x to 0x71 so were pretty much done with the disassembly as 16 bits is way within the realm of bruteforceability and since I had another sacrificial board as well as a battery pack running SANYO firmware I had everything I needed to attempt it. As mentioned in the previous article the bq8030 is the blank version of the bq20z90. If you bought some from Aliexpress theyd come up with the TI Boot ROM and you could use the flashing tool included in SMBusb to upload firmware and eeprom(data flash) to it. Theoretically you could turn it into a bq20z90 by downloading the firmware from one and uploading that. The procedure for accessing the Boot ROM on those chips is documented in datasheets and application notes.). Sanyo Tool Reset Bq8030 Datasheet4U Software That ComesEspecially this screenshot of the software that comes with it. Not really expecting much I tried a word write of 0x0214 to command 0x71 aand. So I moved on to poking at other things but eventually came back for a second look and thats when I realized: Command scan starting at 0x70 before sending command. Brick wall meet impatience I couldnt really get any further with just that information so I started looking at the hardware instead. No obvious BOOT pin as one would expect with a device thats not meant to be tampered with. But maybe pulling some pin high or low during reset will get me somewhere. So maybe we have to set multiple pins into multiple states for it to work. I have no logical explanation as to why I came to this decision. Maybe I saw a presentation somewhere about blackbox chips and NC pins years and years and years ago but I could just be imagining things. Either way, about 5 minutes of poking at PIN 28 with a resistor connected to 3.3v in hand and triggering RESET at random intervals while running a continuous command scan. Is the chip fried Its at this point that I coded up the flash tool to try and read the flash contents. I wasnt really bothered by the chip dying as this was one of 2 sacrificial controller boards I kept just for messing around with.) And the results Apparently we can corrupt (ideally just) the first couple of blocks of flash if we bully PIN 28 while the chip is trying to start up. Did messing with Pin 28 even have an effect Could it just have been the erratic resetting of the chip that triggered the malfunction Did I short VCELL to Pin28 while messing about Was there high voltage on VCELL Was it just ESD No idea. But I did manage to reproduce the result on another chip using the same procedure. So when in doubt and you have nothing to lose, act like a caveman, I guess The only good thing about this method is that even if you have 0 knowledge about whether there even IS a method for entering the Boot ROM in the firmware let alone what it is theres still a high chance that youll get in. Disassembly A couple of hours of staring at unfamiliar assembly code later, here are the relevant parts for entering the Boot ROM with annotations. Basically if (smbSlaveRecvWord(0x71) 0x0214) accesslevel 0x80; But wait. It can set two access flags based on whatever (i3,0x1A) and (i3,0x1B) are. Sanyo Tool Reset Bq8030 Datasheet4U Password Because ItHrmm. Well I dont know what those are and cant find where theyre set so lets assume the first jeq will not jump once weve given the correct first password because it would make sense. We can also see that it checks the word we send against those mystery bytes somehow and if it likes what it sees it sets access flag 0x40 and the mystery bytes to 0. A little bit further up we find the entry point for the Boot ROM.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |