BQ34110: SECURITY_KEYS write format

Part Number: BQ34110
Other Parts Discussed in Thread: BQSTUDIO

While trying to understand how to access the BQ34110 read and write functions, I changed the security keys from the default values and inadvertently sealed it. Because of that, I could not access the security keys themselves as well as calibration data (in my test software). Using BQStudio, I learned I could not access the data memory at all.

After a lot of trial and error, I was able to find the correct sequence and key to unseal the BQ. I tried to restore the default SECURITY_KEYS values, i.e. 0x36720414 (UNSEAL) and 0xFFFFFFFF (UNSEAL FULL ACCESS), following the directions on 3.2.24 of the TRM, quoted below (section 4.3 has the same information along with some other details):

3.2.24 SECURITY_KEYS: 0x0035
This is a read/write command that changes the Unseal and Full Access Keys.
To read the keys, do the following:
1. Send the Securitykeys() subcommand to the Control() or ManufacturerAccessControl().
2. Write 0x35 0x00 to either Control(0x00, 0x01) or ManufacturerAccessControl(0x3E, 0x3F).
3. Read back 8 bytes at MACData(0x40–0x47).
To write the keys, do the following:
1. Write 0x35 0x00 to either Control(0x00, 0x01) or ManufacturerAccessControl(0x3E, 0x3F).
2. Write the data in big endian format to MACData(0x40–0x47).
3. Write the checksum to MACDataSum(0x60). The checksum is the complement of the sum of the data and command bytes.
4. Write the length of 0x08 to MACDataLen(0x61). The length includes the command, data, checksum, and length bytes.

So, I wrote the command (0x35 0x00) followed by the key values in big endian (0x36 0x72 0x04 0x14 0xFF 0xFF 0xFF 0xFF) and set the checksum and length accordingly.

Back to BQStudio, I tried to unseal the BQ using the command buttons and they did not work. I then modified my software to unseal the BQ inverting the sequence, i.e. sending the sequences 0x00 0x36 0x72 followed by 0x00 0x04 0x14 and it worked (unsealed the BQ).

I then wrote the security keys in LITTLE ENDIAN format (0x14 0x04 0x72 0x36 0xFF 0xFF 0xFF 0xFF) and after that I was able to unseal the BQ with BQStudio.

So, my understanding is that the keys should be written in LITTLE ENDIAN format, not BIG as stated in the TRM. Am I missing something?

Another thing that is not clear in the TRM is that to have full access restored (it is needed for reading back the security keys), one needs to send UNSEAL keys followed by UNSEAL FULL ACCESS in that order.
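
As an added example (not part of the original post and not TI code), this C code builds the eight MACData bytes and the MACDataSum value for the SECURITY_KEYS write in both byte orders discussed above. Because the checksum is a plain byte sum, it comes out the same for both layouts, so a successful write says nothing about whether the byte order was right. The function and type names are assumptions made for illustration; MACDataLen and the I2C transfer itself are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SECURITY_KEYS_CMD 0x0035u   /* subcommand from the quoted TRM section */
#define KEY_DATA_LEN      8         /* MACData 0x40-0x47 */

/* Hypothetical helper type: which byte of each 32-bit key goes first. */
typedef enum { KEY_ORDER_BIG, KEY_ORDER_LITTLE } key_order_t;

static void put_u32(uint8_t *dst, uint32_t v, key_order_t order)
{
    for (int i = 0; i < 4; i++) {
        int shift = (order == KEY_ORDER_BIG) ? 8 * (3 - i) : 8 * i;
        dst[i] = (uint8_t)(v >> shift);
    }
}

/* Fills data[] with the bytes for MACData and returns the value for
 * MACDataSum: the complement of the sum of the command and data bytes. */
uint8_t build_security_keys_block(uint32_t unseal, uint32_t full_access,
                                  key_order_t order,
                                  uint8_t data[KEY_DATA_LEN])
{
    put_u32(data, unseal, order);
    put_u32(data + 4, full_access, order);

    unsigned sum = (SECURITY_KEYS_CMD & 0xFFu) + (SECURITY_KEYS_CMD >> 8);
    for (size_t i = 0; i < KEY_DATA_LEN; i++)
        sum += data[i];
    return (uint8_t)~sum;           /* low byte of the one's complement */
}

int main(void)
{
    const key_order_t orders[] = { KEY_ORDER_BIG, KEY_ORDER_LITTLE };
    uint8_t data[KEY_DATA_LEN];

    for (int o = 0; o < 2; o++) {
        /* Default key values quoted in the post. */
        uint8_t sum = build_security_keys_block(0x36720414u, 0xFFFFFFFFu,
                                                orders[o], data);
        printf("%s:", o == 0 ? "big   " : "little");
        for (int i = 0; i < KEY_DATA_LEN; i++)
            printf(" %02X", data[i]);
        printf("  MACDataSum=%02X\n", sum);
    }
    return 0;
}
```

The only way to confirm which layout the gauge stored is to seal it and test the unseal sequence, which is what the post ended up doing.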