BQ40Z80: BQ40z80 gauge

Part Number: BQ40Z80
Other Parts Discussed in Thread: BQSTUDIO, BQ30Z55, BQ9003

Hi Team

How to work with the BQ40Z80 chip using ECC to get FAS? I only know how to check authentication with BQStudio.

I did not find any instructions on this website.

Best regards,
William

  • Hello William,

    Have you enabled the ECC authentication? Section 19.2.1.4 Auth Config has some important settings for encryption that must be set for ECC.

    Sincerely,

    Wyatt Keller

  • Hi  Wyatt

    Thanks for your information! How to get Full Access using the ECC authorization method? Could you describe in detail what to send to the chip, which commands, which keys to use, by which algorithm to calculate the response, etc.? That is, the whole procedure for obtaining Full Access from start to finish. If you have a traffic log of the exchange during the receipt of FAS, captured by a logic analyzer, then this is generally super.

    Best Regards,
    William

  • add;

    Why do I need this? For example, in the chip now I have installed Unseal key 0x0000 0x00000 and FAS key x00000 x0000. But, if these passwords are unknown (there was a case of information loss), I want to have a second way to access the chip.

  • Hello William,

    I am checking if we have a guide similar to your request. The ECC/SHA-1 authentication is really intended for high volume or at risk of counterfeit BMS applications, most of the time just sealing the gauge is sufficient.

    Sincerely,

    Wyatt Keller 

  • Jiahui,

    a few things from reading this thread

    1) Are you saying you changed the unseal keys from default to 0's? This will make it so you are never able to unseal the device. The leading number in the unseal command cannot be 0 because the gauge will process that as a separate command and not call the unseal sequence. Please change the keys to something else.

    2) The ECC and SHA have no function other than verifying the pack from a host identifying a counterfeit pack. These functions do not unseal the device in any way. To use these features you write a challenge of 20-32 bytes to the Auth() commands, then read the response from the gauge. You, knowing the keys, will be able to tell if the proper gauge is connected by the response.

    Does this help address your questions? 

    Thanks,

    Eric Vos

  • Hi Eric

    1) Are you saying you changed the unseal keys from default to 0's? This will make it so you are never able to unseal the device. The leading number in the unseal command cannot be 0 because the gauge will process that as a separate command and not call the unseal sequence. Please change the keys to something else.
    -
    Yes, I changed the key values from the default to 0x0000 0x0000 0x0000 0x0000, and Unseal and FAS work! But of course I did it just for demonstration here. Actually I have other keys, other than zeros.

    2) The ECC and SHA have no function other than verifying the pack from a host identifying a counterfeit pack. These functions do not unseal the device in any way. To use these features you write a challenge of 20-32 bytes to the Auth() commands, then read the response from the gauge. You, knowing the keys, will be able to tell if the proper gauge is connected by the response.
    -
    Could you describe the procedure for obtaining FAS when using ECC authorization in the BQ40Z80? This information is not in the TRM www.ti.com/.../sluubt5c.pdf
    For example, I currently know how to check ECC Authentication using BQStudio. From the gauge, I get the Public key, and the host, using a random number and the Public key, checks the 42-byte response from the gauge, which the chip creates using the ECC algorithm. But how to get FAS access when the Unseal keys have been changed or lost? And are there only a Public key and a Private key for ECC Authentication?

    BR

    William

  • Hello William,

    If the keys are lost the gauge is basically bricked. As Eric mentioned, the authentication is separate, for the host to identify if the battery pack is correct; it doesn't have anything to do with the unseal keys or FAS. If the host challenges the gauge and it doesn't report the ECC correctly, then the host must stop communication with the pack and give a warning.

    Sincerely,

    Wyatt Keller 

  • Hi Wyatt.

    It is not true. If the Unseal and / or FAS keys are lost, the gauge works, but it becomes impossible to make any corrections to the firmware. Therefore, I am looking for another way to get FAS in this gauge, I know that this way exists, regardless of which Unseal / FAS keys are installed. For example, in the old BQ30Z55, it was possible to get FAS access if the Digest was correctly calculated from 16 bytes of the key and the random message 20 bytes that the host receives from the gauge. Why can't I do the same in this gauge using the ECC algorithm?

    BR

    William

  • Hello William,

    Yes, you can still read from the gauge, but there is no data memory access and nothing can be modified. It is not usable any longer if you are trying to set up a sealed gauge and the keys are lost.

    I am not as familiar with the BQ30Zxx family, but the authentication should not let you get access to FAS, it is only for verification that the gauge is not counterfeit. 

    Sincerely,

    Wyatt Keller

  • Hi Keller

    I was never given an answer - how can I get FAS when the UNSEAL\FAS keys are unknown :(

    Or how can I find out Unseal \ FAS keys using SHA \ ECC authorization?

    BR

    William

  • Hello William,

    If the unseal and full access keys are lost you will not be able to modify anything in the gauge. You will need to use another gauge you know the keys for if you're trying to edit dataflash.

    You can't find the keys using the authentication, they are 2 separate features.

    Sincerely,

    Wyatt Keller

  • William,

    If you do not know the keys to unseal, there is no way to unseal the device. If TI had a way to bypass a customer's custom unseal keys, that would be a huge liability for TI. This cannot be done.

    The bq30z product did have the SHA tied to the unseal mechanism, but that is no longer true for the bq40z series.

    Thanks,

    Eric Vos

  • Hi Eric

    Please see the video on how to find out the UNSEAL \ FAS keys in bq9003_fas.mp4

    sn_customerservice_case_a97fe9e71b0bf0d4fd3b2022b24bcbbb_attachments.zip

    BR

    William

  • Hello William,

    We tested on our side using bqStudio with an EVM; it is not possible to read the keys when the gauge is sealed. See the log below (Eric may have shared it already).

    When we attempt to read the keys while sealed it's not possible, data returned is not correct.

    Advance Comm SMBus Transaction Log
    
    TimeStamp , Address , Operation , Command , Length , Data , Status , 
    2021-10-21 12:34:22 028 , 17 , Wr Block , 44 , 2 , 35 00  , Success
    2021-10-21 12:34:22 835 , 17 , Rd Block , 44 , 10 , 35 00 14 04 72 36 FF FF FF FF  , Success
    2021-10-21 12:35:46 166 , 17 , Wr Block , 44 , 2 , 35 00  , Success
    2021-10-21 12:35:47 160 , 17 , Rd Block , 44 , 6 , 77 00 0E 0F 2E 22  , Success
    2021-10-21 12:38:28 375 , 17 , Wr Block , 44 , 10 , 35 00 11 11 11 11 22 22 22 22  , Success
    2021-10-21 12:38:30 019 , 17 , Rd Block , 44 , 6 , 77 00 0E 0F 2E 22  , Success
    

    Sincerely,

    Wyatt Keller
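The log above is the evidence in this thread, so it is worth being able to read it mechanically. The following is an added example, not code from the thread or from TI's tools: a parser for bqStudio "Advance Comm SMBus Transaction Log" lines that pairs each ManufacturerBlockAccess write (SMBus command 0x44) with the block read that follows it and checks whether the read-back echoes the MAC subcommand word that was written. It assumes, as the first read in the log itself shows, that a valid read-back starts with the echoed subcommand (35 00) followed by the data; a read-back that does not echo it (the 77 00 ... lines) is not an answer to that request, which is the symptom Wyatt describes. The same check is the one to run on a log from a test like the one in the video before trusting any key value it appears to show. The sample log embedded below is copied from Wyatt's post; the field meanings are taken from its header row.

```python
"""Parse bqStudio SMBus transaction log lines and check ManufacturerBlockAccess
read-backs against the subcommand that was written (added example, not TI code)."""

from dataclasses import dataclass
from typing import List, Optional

# Sample log: copied from the post above (constructed input for this example).
SAMPLE_LOG = """\
TimeStamp , Address , Operation , Command , Length , Data , Status ,
2021-10-21 12:34:22 028 , 17 , Wr Block , 44 , 2 , 35 00  , Success
2021-10-21 12:34:22 835 , 17 , Rd Block , 44 , 10 , 35 00 14 04 72 36 FF FF FF FF  , Success
2021-10-21 12:35:46 166 , 17 , Wr Block , 44 , 2 , 35 00  , Success
2021-10-21 12:35:47 160 , 17 , Rd Block , 44 , 6 , 77 00 0E 0F 2E 22  , Success
2021-10-21 12:38:28 375 , 17 , Wr Block , 44 , 10 , 35 00 11 11 11 11 22 22 22 22  , Success
2021-10-21 12:38:30 019 , 17 , Rd Block , 44 , 6 , 77 00 0E 0F 2E 22  , Success
"""

MAC_BLOCK_ACCESS = 0x44  # SMBus command used for every transaction in the log


@dataclass
class Entry:
    timestamp: str
    address: int
    operation: str  # "Wr Block" or "Rd Block"
    command: int
    data: bytes
    status: str


@dataclass
class Exchange:
    write: Entry
    read: Optional[Entry]
    subcommand: int  # MAC subcommand, little-endian word at the start of the write
    echoed: bool     # True when the read-back begins with that same word
    payload: bytes   # bytes after the echoed subcommand; empty when not echoed


def parse_log(text: str) -> List[Entry]:
    """Turn the comma-separated log into Entry objects, skipping the header."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or fields[0] == "TimeStamp":
            continue  # header row or blank line
        ts, addr, op, cmd, length, data, status = fields[:7]
        raw = bytes.fromhex(data.replace(" ", ""))
        if len(raw) != int(length):
            raise ValueError(f"length field {length} does not match {len(raw)} data bytes")
        entries.append(Entry(ts, int(addr, 16), op, int(cmd, 16), raw, status))
    return entries


def _make_exchange(write: Entry, read: Optional[Entry]) -> Exchange:
    sub = int.from_bytes(write.data[:2], "little")
    echoed = read is not None and read.data[:2] == write.data[:2]
    payload = read.data[2:] if echoed and read is not None else b""
    return Exchange(write, read, sub, echoed, payload)


def pair_exchanges(entries: List[Entry]) -> List[Exchange]:
    """Pair each 0x44 block write with the next 0x44 block read on the bus."""
    exchanges: List[Exchange] = []
    pending: Optional[Entry] = None
    for e in entries:
        if e.command != MAC_BLOCK_ACCESS:
            continue
        if e.operation == "Wr Block":
            if pending is not None:  # write with no read: record it unanswered
                exchanges.append(_make_exchange(pending, None))
            pending = e
        elif e.operation == "Rd Block" and pending is not None:
            exchanges.append(_make_exchange(pending, e))
            pending = None
    if pending is not None:
        exchanges.append(_make_exchange(pending, None))
    return exchanges


def describe(exchanges: List[Exchange]) -> List[str]:
    """One human-readable verdict per exchange."""
    out = []
    for x in exchanges:
        if x.read is None:
            out.append(f"{x.write.timestamp}: MAC 0x{x.subcommand:04X} written, no read-back")
        elif x.echoed:
            out.append(f"{x.write.timestamp}: MAC 0x{x.subcommand:04X} echoed, data {x.payload.hex(' ')}")
        else:
            out.append(f"{x.write.timestamp}: MAC 0x{x.subcommand:04X} NOT echoed, "
                       f"read returned {x.read.data.hex(' ')} (not a valid answer)")
    return out


if __name__ == "__main__":
    for line in describe(pair_exchanges(parse_log(SAMPLE_LOG))):
        print(line)
```

Run on the sample, the first exchange is reported as echoed and the two later ones as not echoed, matching Wyatt's reading of the log; an unanswered write is reported separately so a truncated capture is not mistaken for a refused read.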

  • Dear Wyatt Keller

    where did you get the idea that this program reads the keys when the chip is sealed using the commands Wr Block, 44, 2, 35 00 and then Rd Block, 44? The video shows that at first the program reads the keys when the chip is scattered using the commands: Wr Block, 44, 2, 35 00 and then Rd Block, 44, 10, 35 00 14 04 72 36 FF FF FF FF. Then we change the keys to a random one and seal the chip. The program then reads these keys from the sealed chip. How the program does this, I would like to ask you. I'm sure there is some way to read these keys. These keys are in the IFIB. Maybe there is a way to read the IFIB when the chip is sealed?

    BR

    William

  • Jiahui,

    I re-watched the video. The issue I have in using it as proof is that when you click the "seal" button you do not verify the device is actually sealed. Can you please repeat your procedure using the TI tools and monitor the SEC1, SEC0 bits.

    Like Wyatt showed above we tested this locally on our EVM and do not see an issue. I suspect you are not actually sealing the device in your test. 

    Thanks,

    Eric Vos