BQ78350-R1: Unable to fetch Authentication Key

Hi Tapasendra,

The threads below may be helpful:

https://e2e.ti.com/support/power-management-group/power-management/f/power-management-forum/706663/bq78350-r1-bq78350-r1-reading-unseal-and-fullaccess-key-and-changing-them

https://e2e.ti.com/support/power-management-group/power-management/f/power-management-forum/714232/compiler-bq78350-r1-bq78350-r1

Best regards,

Matt

Hi Matt Sunna,

Thankyou for the reply,

This link is for seal or unseal the device but we requires authentication key, so please send details regarding that, as per datasheet we are passing 0037 to Manufacturing access() but still we are not getting 16byte authentication key.

Waiting for your kindly reply

Thanks & Regards

Tapasendra Datta

Hi Matt Sunna,

Thankyou for the reply,

Ok, but i don't want to create a new key just want to read it, to program BMS in host.

how to read the key?

Command 0X0037 for Authentication Key is not accepting in 0x00 ManufacturerAccess(), Is there any way to check it through 0X44 ManufacturerBlockAccess().

Matt Sunna,

please check, i'm having confusion with the bqstdio authentication technique.

I have attached a document that mya help you

thankyou

For changing authentication Key and verifying authentication code.

As per BQ78350-R1 Technical Reference
17.2.32 ManufacturerAccess() 0x0037 Authentication Key
This command enters a new authentication key into the device.
0x0037 AuthenticationKey(): This Manufacturer Access command allows users to change the
authentication key. Sending the new authentication key through ManufacturerBlockAccess() is
supported. Additionally, the gauge also supports the approach of updating the authentication keys by
sending the new keys to ManufacturerInput().

Verification ( As per BQ78350-R1 Technical Reference, Page no. 75)
1. Generate 160-bit message M using a random number generator that meets approved random number
generators described in FIPS PUB 140–2.
2. Generate SHA-1 input block B1 of 512 bytes (total input = 128-bit authentication key KD + 160-bit
message M + 1 + 159 0s + 100100000).
3. Generate SHA-1 hash HMAC1 using B1.
4. Generate SHA-1 input block B2 of 512 bytes (total input = 128-bit authentication key KD + 160-bit hash
HMAC1 + 1 + 159 0s + 100100000).
5. Generate SHA-1 hash HMAC2 using B2.
6. With no active ManufacturerInput() data waiting, write 160-bit message M to ManufacturerInput() in the
format 0xAABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT, where AA is LSB.
7. Wait 250 ms, then read ManufacturerInput() for HMAC3.
8. Compare host HMAC2 with device HMAC3, and if it matches, both host and device have the same key
KD and the device is authenticated.

TEST 01
Our Authentication Key at write block 0x44= 37 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01

TI Battery Management Studio ( bqStudio )Version : 1.3.101 Build 1
Input Challenge through bqstdio write block 0x2F= C8 2C A3 CA 10 DE C7 26 8E 07 0A 7C F0 D1 FE 82 20 AA D3 B8 
Output= AD B2 D8 9D 38 F6 DF 5B 09 88 50 54 19 35 F8 4E C6 1E 0D B3 

https://www.pelock.com/products/hash-calculator
calculate using Hex String hash value
Verificatuion
M=C8 2C A3 CA 10 DE C7 26 8E 07 0A 7C F0 D1 FE 82 20 AA D3 B8 
total input= 
01000000000000000000000000000001C82CA3CA10DEC7268E070A7CF0D1FE8220AAD3B880000000000000000000000000000000000000000000000000000120
E9A752A18D502F52CAC4BBEBD284394B4480EE9F
01000000000000000000000000000001E9A752A18D502F52CAC4BBEBD284394B4480EE9F80000000000000000000000000000000000000000000000000000120
FEA2347299A215DB072EF4C2524BE994AF9CFFB1

Not the same...


TEST 02
Our Authentication Key at write block 0x44=  37 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01

TI Battery Management Studio
Input Challenge through bqstdio write block 0x2F= 33 32 31 30 2F 2E 2C 2D 2B 2A 29 28 27 26 25 24 23 22 21 20 
Output+ 60 2D F8 53 A8 09 BC 7F F9 DD BE 7C 7F B9 1C 2D 17 C2 61 ED 


https://www.pelock.com/products/hash-calculator
calculate using Hex String hash value
01000000000000000000000000000001333231302f2e2c2d2b2a2928272625242322212080000000000000000000000000000000000000000000000000000120
B386C98611DA291B7E32E85901B457A90B214071
01000000000000000000000000000001B386C98611DA291B7E32E85901B457A90B21407180000000000000000000000000000000000000000000000000000120
3AE076BCB7AF91617253F83C3F22F3AC3695B835

Not the same...

We follow this document also: "How to Implement SHA-1/HMAC Authentication for bq26100"

Tapas,

I am not familiar with this document. Are you not able to unseal the device after changing the authentication key? As I said before, you cannot read the key. Please help me understand what you are trying to do.

Thanks,

Matt

Hi,

we are able to unseal the device after changing the authentication key. Our job, programmatically we should send the 20byte message to bq78350-R1 and receive the generated SHA1 encrypted message as BMS software is doing. Now in our software also we should calculate the the same and compare with the receive one.

In this case, we are using the generic SHA 1 code and same exercise we are doing. But the output not same. 

So we want proper support in this SHA1 implementation.

Referring  "BQ78350-R1 Technical Reference, Page no. 75" and "How to Implement SHA-1/HMAC Authentication for bq26100 (Rev. A)" documents. 

Hi Wyatt,

Thank you for your nice reply. Its working.

One more doubt I have, programmatically how to transmit block data through SPI/UART channel?  

As we are using 2F address location for Authentication (BQ78350-R1). Now we are writing as block-write with " B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 2F" / " 2F B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 ". Bur not getting any data. Block read able to hndle, but block write unable to handle.

Hello Tapas,

Can you clarify your question? From the example it looks like both commands were successfully sent and received. Make sure you turn off the auto refresh and do not send any other commands for 4 seconds around authentication.

Sincerely,

Wyatt Keller

Hi Wyatt,

Actually my question on How to send Block-write command to BQ? We have made our own Power supply board (intelligent) which will talk another board (BQ chip present and third party board) through SMBus. Now requirement to authenticate the BQ device. In that case, we are writing Address and reading the data through SMBus. But for block-write, how to send? we are  not able to achieve.

Some sample shared,  Now we are writing as block-write with " B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 2F" / " 2F B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 "

Here "2F" is the address and  remaining's data.

Regards

Tapas 

Hello Tapas,

I am still not sure I understand your end goal, it looks like the write/read blocks are being sent successfully, you should be able to use the returned block data to authenticate the gauge with your key and message. Are you saying the returned data does not match the key you programmed previously?

Sincerely,

Wyatt Keller

Hi Wyatt,

Till date we are using pc software and writing data through EV2300 to BQ chip. Now I have to replace pc software and EV2300 with my embedded software which is running in another microcontroller. Now my embedded software will talk to BQ chip through SMBus line. With this configuration, we are writing to single address and reading the proper value. But when we want to write block (more than one byte) that time we are not receiving data. Sample block data like " B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 2F" or " 2F B8 D3 AA 20 82 FE D1 F0 7C 0A 07 8E 26 C7 DE 10 CA A3 2C C8 " where 2F is the address, added in last or in first.

Thanks & regards

Tapas