I started out by measuring voltages on all the pins. Just going by logic I was expecting some sort of differentiation on the various sides of the chip. To summarize my findings after the first pass: • 1-12 is the 'main microcontroller side' has the SMBus pins, VCC (and probably RESET and others) • 25-36 is connected to current sensing and exposes various built-in voltage regulators • 37-48 appears to be mainly unused with a couple of pins at 3.3v, GPIO side?

Spellbinding mythical short stories. Sanyo Tool Reset Bq 8030. So the battery of my DELL XPS17 L702X suddenly died and that really sucks. Dell wants to get 150+ € for a new one and i don't have that money as a student at the moment. Reset uk adu m37512 z aku toshiba elektrodapl. Pin sony bps5. Pin sony bps9. Pin toshiba l800. Laptop battery repair software batterychipsadaptor.

• 13-24 has many pins connected directly to 'high voltage' from the cells. I took a 1k resistor connected to ground and started poking the pins with it to find reset. It should be possible to pull reset low through 1k resistor but unlikely on VCC and it shouldn't lead to a complete reset on an unrelated pin. It's also possible to rule out most pins through visual inspection and measurement.

So long story short: Pin #12 is Reset. Next I wanted to see if there's something like a Boot pin that's going to get me a different mode when pulled either low or high during reset so I started up a continuous command scan and started poking at the pins again.

Pulling Pin #4 (also connected to Test Point 1 on the other side of the PCB) low during reset gave me this. $ smbusb_scan -w 0x16 ------------------------------------ smbusb_scan ------------------------------------ SMBusb Firmware Version: 1.0.1 Scanning for command writability. Scan range: 00 - ff Skipping: None ------------------------------------ *snip* [f0] ACK, Byte writable [f1] ACK [f2] ACK [f3] ACK [f4] ACK [f5] ACK [f6] ACK [f7] ACK [f8] ACK [f9] ACK [fa] ACK, Byte writable, Word writable, Block writable [fb] ACK, Byte writable, Word writable, Block writable [fc] ACK, Byte writable, Word writable, Block writable, >Block writable [fd] ACK, Byte writable, Word writable, Block writable, >Block writable [fe] ACK [ff] ACK The chip was ACKing on every command. A deliberate attempt at confusing any would-be attacker perhaps? The write scan however reveals that the chip is actually exposing some real functionality on some of the commands and that a couple of them violate SMBus protocol. Pin #4 appears to be BOOT (active-low). Mapping Mapping out the protocol took a while especially because it doesn't correspond to standard SMBus protocol but I was eventually able to figure out how to read and write to RAM and erase blocks of memory-mapped flash.

Just writing to the appropriate address in ram (after the flash blocks have been erased) writes the flash memory which is convenient. There are several partitions of flash mapped into RAM and I'm sure I haven't found all of them.

The ones I did are included as address&length presets in the flasher tool. $ smbusb_r2j240flasher -d eep2.bin -p df2 ------------------------------------ smbusb_r2j240flasher ------------------------------------ SMBusb Firmware Version: 1.0.1 ------------------------------------ Dumping memory 0x3400-0x37ff.

Website Review of guardindustrie.ru: SEO, traffic, visitors and competitors of www.guardindustrie.ru.

$ xxd eep2.bin 0000000: 0000 0000 0000 0000 0000 ffff ffff ffff. 0000010: 4c4e 562d 3432 5434 3739 3700 0000 0000 LNV-42T4797. *snip* $ smbusb_r2j240flasher -d eep3.bin -p df3 ------------------------------------ smbusb_r2j240flasher ------------------------------------ SMBusb Firmware Version: 1.0.1 ------------------------------------ Dumping memory 0xc000-0xdfff. $ xxd eep3.bin 0000000: 0100 0700 b801 b801 1100 0203 0201 01e3.