TI battery gauges use the security modes SEALED, UNSEALED and FULL ACCESS to protect the gauge's data flash (its configuration memory) from being read by third parties. This hinders cloning of the gauge configuration or of the BMS built around it. The current mode is reported in the OperationStatus() SEC0 and SEC1 bits.
In SEALED mode access to the data flash contents is limited and most interaction is through the SBS commands. The gauge is usually sealed as the last step of production.
In UNSEALED mode the data flash can be viewed and modified, but the gauge cannot enter ROM mode, which would allow the instruction flash to be changed.
In FULL ACCESS mode all data flash can be modified and the gauge can enter ROM mode for programming the Flash Stream file or SREC.
To move the gauge from SEALED to UNSEALED, or from UNSEALED to FULL ACCESS, the bus must be idle for 4 seconds before the first half of the key is sent. The security state machine runs on a 4 second timer: if there was any communication with the gauge within the 4 second window before the key is sent, the gauge may fail to change modes. The two halves of the key must then be sent within 4 seconds of each other.
[Figure: first half of the unseal process]
[Figure: second half of the unseal process]
Sequence to unseal:
1. Block write to the device address (0x0B 7-bit, which appears on the bus as 0x16 with the write bit)
2. ManufacturerBlockAccess() command (0x44)
3. Number of bytes to write (0x02)
4. First word of the key, low byte first (0x14, 0x04 for the word 0x0414)
5. PEC byte (0x73, the SMBus CRC-8 over the five bytes above, address byte included)
6. Repeat steps 1-5 for the second word of the unseal key
Never set the leading bytes of the unseal or full access keys to 0x00: the gauge misinterprets the command and becomes bricked.
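The frame construction and timing described above, as an added example written for this page and not code from the page or from TI. It computes the SMBus PEC, builds the two ManufacturerBlockAccess() block writes, enforces the 4 second quiet window before the first half and the 4 second limit between halves, and refuses key halves that lead with 0x00. The same frames carry the FULL ACCESS key; only the key words differ. Assumptions: the second key word 0x5AA5 is a constructed placeholder, the `write`, `now` and `sleep` callables stand in for a real SMBus driver and clock, and the guard's reading of "leading 0x00" (reject a half whose high byte or first wire byte is 0x00) is deliberately conservative.

```python
"""Frames and timing for the TI gauge SEALED -> UNSEALED / UNSEALED -> FULL ACCESS key sequence.

Added example, not code from the page or from TI. Values taken from the page: 7-bit address
0x0B, ManufacturerBlockAccess() command 0x44, first unseal word 0x0414 (sent 0x14, 0x04),
PEC 0x73. Everything else (second key word, bus/clock callables) is an assumption.
"""
import time
from typing import Callable

GAUGE_ADDR_7BIT = 0x0B             # page: block write device address (0x0B, 7 bit)
MANUFACTURER_BLOCK_ACCESS = 0x44   # page: ManufacturerBlockAccess() command
KEY_WINDOW_S = 4.0                 # page: 4 s idle before the first half, halves within 4 s


def smbus_pec(wire_bytes: bytes) -> int:
    """SMBus PEC: CRC-8, polynomial x^8+x^2+x+1 (0x07), init 0x00, no reflection,
    computed over every byte on the wire including the address byte with the R/W bit."""
    crc = 0
    for b in wire_bytes:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def check_key_word(word: int) -> None:
    """Guard for the page's warning that a key must never lead with 0x00.
    Conservative reading (assumption): reject a half whose high byte is 0x00 and also
    one whose first byte on the wire (the low byte, little endian) is 0x00."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError(f"key half {word:#x} is not a 16-bit value")
    if (word >> 8) == 0 or (word & 0xFF) == 0:
        raise ValueError(f"key half {word:#06x} has a leading 0x00 byte; this can brick the gauge")


def key_half_frame(word: int) -> bytes:
    """One block write carrying one 16-bit key half, as it appears on the bus (steps 1-5):
    addr+W, 0x44, byte count 0x02, key low byte, key high byte, PEC."""
    check_key_word(word)
    body = bytes([(GAUGE_ADDR_7BIT << 1) | 0, MANUFACTURER_BLOCK_ACCESS, 0x02,
                  word & 0xFF, word >> 8])
    return body + bytes([smbus_pec(body)])


class KeySequencer:
    """Sends the two key halves while honouring the 4 s state-machine timing.

    `write` puts one frame on the bus (assumed callable wrapping a real SMBus driver);
    `now` and `sleep` are injectable so the timing can be checked without hardware."""

    def __init__(self, write: Callable[[bytes], None],
                 now: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.write, self.now, self.sleep = write, now, sleep
        self.last_traffic = now()   # pessimistic: assume the bus was just used

    def send(self, frame: bytes) -> None:
        """Every transaction with the gauge restarts the 4 s quiet window."""
        self.write(frame)
        self.last_traffic = self.now()

    def enter_mode(self, first_word: int, second_word: int) -> float:
        """Send an unseal or full-access key; returns the seconds waited before the first half."""
        first, second = key_half_frame(first_word), key_half_frame(second_word)  # validate both first
        quiet = self.now() - self.last_traffic
        waited = max(0.0, KEY_WINDOW_S - quiet)
        if waited:
            self.sleep(waited)           # page: no traffic in the 4 s before the key
        t0 = self.now()
        self.send(first)
        self.send(second)
        if self.now() - t0 > KEY_WINDOW_S:
            raise RuntimeError("second key half left the 4 s window; the gauge may not change mode")
        return waited


if __name__ == "__main__":
    # Constructed demo: the page's first word 0x0414 plus a placeholder second word (not TI's).
    log = []
    seq = KeySequencer(log.append)
    seq.enter_mode(0x0414, 0x5AA5)
    for frame in log:
        print(" ".join(f"{b:02X}" for b in frame))
```

The `send` method is the important design point: anything that talks to the gauge (a routine SBS poll, a retried read) resets the quiet window, so the real driver must route all traffic through the sequencer, or at least stop polling for the full 4 seconds before calling `enter_mode`.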