• State TI Thinks Resolved
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 63 subscribers
  • Views 990 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

BQ76952: TS2 setting and Full Access mode question

BQ76952: Can't leave SEALED mode.

Harmander Sihra
Prodigy 30 points
Part Number: BQ76952
Other Parts Discussed in Thread: BQSTUDIO

Hello, we've been trying to put our BQ chips into FULLACCESS mode so that we can write to the OTP flash but we're having issues. We're using the default keys (this was confirmed by reading their values from the BQ) and following the procedure on page 71 of the Technical Reference Manual:

When using the codes by writing them to 0x3E and 0x3F, they must be sent in little endian order; therefore, if 0x1234 and 0x5678 are written as the unseal codes to 0x0035 SECURITY_KEYS(), then to unseal requires writing 0x34 and 0x12 to 0x3E and 0x3F, followed by writing 0x78 and 0x56 to 0x3E and 0x3F. The two codes must be written within 4 s of each other to succeed.

We're verifying the mode of the BQ by reading the SEC 1:0 bits in the Battery Status (0x12) register. We are writing 0x14 to 0x3E (actually 0xBE with the write bit) and 0x04 to 0x3F, then we write the CRC and data length. We then repeat this with 0x72 going to 0x3E and 0x36 to 0x3F within around 40 ms. When we read the SEC 1:0 bits again, there's no change and it shows that we're still in SEALED mode.

Do you think there's anything we could be missing?

  • 0
    TI__Mastermind 42060 points

    Hello Harmander,

    I have a few comments/questions about this:

    • Are you using I2C or SPI? Using BQSTUDIO?
    • Something that was not explained too well in the TRM, is that in order to go into FULLACCESS, you first have to go into UNSEAL mode.
      • So SEAL>UNSEAL>FULLACCESS.
    • There is no length to be sent with CRC, I believe you are confusing checksum with CRC, they are different. I would recommend you read CRC section of the BQ769x2 Software Development Guide (Rev. B). You have to send the CRC every byte of data.
    • You should be able to write twice to 0x3E without needing to use 0x3F.

    The UNSEAL data sequence (in I2C with CRC), assuming a default unseal key, would go something like:

    • [W]0x10
    • 0x3E
    • 0x14
    • CRC Calculation
    • 0x04
    • CRC Calculation
    • [W]0x10
    • 0x3E
    • 0x72
    • CRC Calculation
    • 0x36
    • CRC Calculation

    You can similarly then reach FULLACCESS mode using the same method and the default FULLACCESS key (0xFFFFFFFF).

    We may revise the TRM in the future to make UNSEAL/FULLACCESS instructions clearer.

    Best Regards,

    Luis Hernandez Salomon