BQ28Z610: [FAQ] BQ28Z610 authentication flow

BQ28z610 Authentication Guidance:

Authentication flow:

1. Host writes 0x00 to 0x3E
2. Host writes 0x00 to 0x3F
3. Host writes the random challenge in a 20-byte block to address 0x40
4. Host writes the checksum to 0x60
5. Host writes the length (0x18) to 0x61
6. Wait 200ms
7. Host reads 20-byte data from 0x40, and that is SHA-1 result 
8. Check whether the 20-byte data matches host expected answer, if yes, the gauge bq28z610 is authenticated.

 Note: The response that host receives from bq28z610 is in the format: 0xAABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT, where AA is LSB. Hence, in below example, the correct results are 2F A2 7C EB 5B 61 64 84 62 0F E3 22 17 C2 9B 0A 8E 3C F3 F0

SHA1 TI-HMAC code:

The SHA1 HMAC implemented in BQ28z610 is not the standard HMAC, and we could call it TI-HMAC to avoid confusion. The TI-HMAC function has two passes of the SHA1 algorithm where the second uses the key and output of the first pass together.

For example:

key = 0123456789abcdeffedcba9876543210

challenge = 00112233445566778899aabbccddeeff11223344

So input (key + challenge): 0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff11223344

Result: 743d18ed77c7a60260c44d029a8aae067f4b5523

So then doing step 2 (key + result from first one), the input is: 0123456789abcdeffedcba9876543210743d18ed77c7a60260c44d029a8aae067f4b5523

And the result is: 0f83ec417cb4dbd2442af5f51c61abbef061685f