We have a Medical device using a vendors product that uses the BQ20z95 gauge. We want to use PEC as SMBus data verification in our SMBus host device acting as master requesting data from the BQ20z95 as a slave device.
PEC seemed to work fine until we tried to validate the implementation using fault injection. We are using an SMBus analyzer to capture the messages and a simulator device to attempt to inject bus faults by driving bytes in the middle of the SMBus packet to zero during the data transfer. As long as the expected bytes of the returned SMBus message are non-zero, we expect to see PEC fail, which would prove that PEC would catch bus faults or random errors on the bus.
If we do this in the command byte, the first data byte or the PEC byte, the packet seems to fail the PEC validation, as expected with the fault injection.
However, if we inject the fault into a middle byte of the packet, we see a valid PEC calculated for the faulty data, even though the fault injection creates a message that is different than the known internal BQ20z95 data.
This appears to us to be a bug in the method used to calculate PEC on this device. Does anyone know how PEC is implemented on this device? Is this a bug or are we thinking of this wrong?