This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

BQ27Z561-R2: Device Security - Authentication function with secure key

Part Number: BQ27Z561-R2
Other Parts Discussed in Thread: BQ9035, , BQPRODUCTION, SHA-256, EV2400, BQ27Z561-R1

I would have the following questions about managing the authentication function with the secure key:

1) Does "bqkey programmer" release 1.0.9 support the BQ27Z561-R2 device? the device is not selectable but in the release note it seems to correspond to the bq9035 device. In any case, I am unable to load the Secure key.

2) Why are there 4 securety key slots? What can they be used for?
3) Can the sw "bqproduction smart battery" also write the golden image and the secure key?
4) why the "bqkey packager" and "bqkey programmer" softwares have the wording "TEST" at start-up, this indicates that they are software still in the test phase and therefore not usable in production?

  • Hello Maurizio,

    1. You are right. Choose bq9035 for use with bq27z561-R2. I believe the keys needs to be generated correctly first. See section 8.2 SHA-256 Authentication in the TRM for information on how to generate the key.

    2. There are 4 slots that are supported by the hardware but currently only one key is used.

    3. As far as i know bqProduction does not support bq27z561-R2

    4. The "TEST" designation usually means that the software is released for the purpose of testing/evaluation and not intended to be used for production. It should not be confused with quality level. Please review the software license agreement to figure out if production use is allowed.

  • Hi Shirish,
    Thank you for your answer.
    Points 3 and 4 are ok for me.

    I would like to deepen points 1 and 2.

    For point 1, I am sending below the image relating to the use of the sw "bqkey packager" with the settings used:

    With the generated file I tried to load the secure key with the "bqkey programmer" but I got the following error message:

    What could be the problem?
    I use the EV2400 device.

    For point 2 if I have not misunderstood, once a slot has been written with the secure key (slot 0 by default) it will no longer be possible to change the secure key even if I write to another slot? So it's like the other slots no longer exist?

  • Would it be possible to have an example of how to write the Authentication Key?
    in the manual I find the following explanation:

    The operations I need to perform should be the following:

    check if OperationStatusA () [SEC1, SEC0] = 0.1
    I write in 0x3E 0x37
    I write in 0x3F 0x00
    where AA is LSB. In addition to this information, the
    checksum + length data block is required.

    It is not clear to me if I have to wait for certain conditions before doing certain operations.
    Shouldn't the secure key be set up before setting the start of the operation?

  • Hello Maurizio,

    Just wanted to let you know that I think the method with AltManufacturerAccess 0x0037 is not present in the firmware even though it is in the TRM. Don't be surprised if it does not work. I will also try to check.

  • Hi Shirish,
    thank you for your answers.

    It is important to know whether the BQ27Z561-R2 device supports the authentication function with "Authentication key" or not.

    For the 0x0037 command, in the manual it describes a 128-bit key, but in the sw "bqkey pachager" and "bqkey programmer" the authentication key is 256 bits. What is the right size?

    I cannot load the key even with the use of the "bqkey pachager" and "bqkey programmer" software.
    The settings used with "bqkey pachager" are as follows:

    With the generated file I tried to load the secure key with the "bqkey programmer" but I got the following error message:

    What could be the issue?
    I use the EV2400 device.

    If BQ27Z561-R2 does not support authentication, are there alternative functions to achieve the same purpose?

  • According to the TRM it uses SHA-256 authentication.

    The random number should be a 32-byte random number generated from the host processor system. Once this number is generated, it is used to generate the HMAC value using the random number as the message and the secure key as the secret key for SHA-256.

    It is not clear whether this procedure is for programming the key.

  • I would like to know if the BQ27Z561-R2 device supports the authentication function with the use of the "authentication key".

  • Hello Maurizio,

    There is a bug report filed regarding section 13.8.20 of TRM that states that the device firmware does not currently support AltManufacturerAccess() 0x0037 Authentication key command.

    There is no information on whether future firmware versions will support this command or whether the TRM will be changed.

  • Hi Shirish,
    thanks for this important information.
    I have the following questions to try to solve the issue:
    1) If the bug is only about writing the authentication key, is there an alternative way to the 0x0037 command to write it?
    2) Is the bug present only in the fw BQ27Z561-R2? can we use the fw BQ27Z561-R1 without problems? if so, where can I download the BQ27Z561-R1 fw?
    3) If the bug is also present in the BQ27Z561-R1 fw, is there an equivalent device that supports 256-bit key authentication?
    4) Are there any other workarounds to handle 256-bit authentication? For example, Texas Instrument can provide BQ27Z561-R2 devices with our authentication key already loaded?

  • Hello Maurizio,

    The "bug" is a mismatch between firmware and TRM and therefore exists on all firmware versions. There is no available documentation about alternative ways. I will try to find out more.

  • Hi Shirish,
    if I have not misunderstood,
    there is not a firmware version that works adequately to carry out the authentication procedure?
    But does this apply to all devices or just the BQ27Z561-R1/R2 device?

  • Hello Maurizio,

    The firmware supports authentication functionality. The only problem is that command 0x37 mentioned in the TRM does not work for BQ27Z561-R1 and R2.

  • Hi Shirish,
    I summarize the points left open:
    1) For the BQ27Z561-R2 device, is there an alternative way to the 0x0037 command to write the authentication key (for example other commands that can write in the affected memory area)?
    2) Is there a device equivalent to BQ27Z561-R2 that uses a 256 bit authentication key?

  • 1. I am checking into this

    2 It appears that there is no direct replacement

  • ok, thanks, we'll update