BQ40Z50-R2 security mode introduction and password modification method
This post was last edited by qwqwqw2088 on 2019-6-25 08:36
Author: Zhu Mingwu (Mingmo)
The fuel gauge has three security modes: SEALED (locked), UNSEALED (unlocked), and FULL ACCESS. A different security password is required for each mode switch. The following uses the BQ40Z50-R2 as an example (also applicable to BQ40Z50-R1/R2/R3) to introduce the differences between the three security modes, how to switch modes, how to read the passwords, and how to modify them.
1. Differences between the three security modes
The information access permissions of the fuel gauge are different in different security modes.
In SEALED (locked) mode, standard SBS commands can be accessed, some extended commands cannot be used, Data Memory parameters cannot be read or written (GG files cannot be exported or imported), the CHEM ID cannot be programmed, and firmware (FW) cannot be programmed or exported. For the access rights of each SBS command, refer to the fuel gauge's Technical Reference Manual: the "Available in SEALED Mode" column of the ManufacturerAccess() Command List table marks whether a command can be accessed.
In UNSEALED mode, standard SBS commands can be accessed, some extended commands cannot be used, Data Memory parameters can be read and written (GG files can be exported and imported), the CHEM ID can be programmed, and firmware (FW) cannot be programmed or exported.
In FULL ACCESS mode, all SBS commands can be accessed, Data Memory parameters can be read and written (GG files can be exported and imported), the CHEM ID can be programmed, but firmware (FW) cannot be programmed or exported. The BQ40Z50-R2 is shipped from TI in FULL ACCESS mode by default.
2. How to switch between the three security modes
2.1 Entering SEALED from FULL ACCESS or UNSEALED
Sending the command 0x0030 to ManufacturerAccess() puts the BQ40Z50-R2 into SEALED (locked) mode. The flag OperationStatus()[SEC1, SEC0] = 1,1 confirms that the fuel gauge is in SEALED (locked) mode.
Note that if the SREC firmware of the fuel gauge has been locked, sending a reset command or exporting the SREC firmware in FULL ACCESS or UNSEALED mode will lock the fuel gauge and enter SEALED mode.
2.2 From SEALED to UNSEALED
To go from SEALED to UNSEALED, you need to send a two-word UNSEAL KEY password to ManufacturerAccess(). The first word of the default UNSEAL KEY is 0x0414 and the second word is 0x3672. Send the first word, then send the second word within 4 seconds; no other command may read or write the fuel gauge in between. The flag OperationStatus()[SEC1, SEC0] = 1,0 confirms that the fuel gauge is in UNSEALED (unlocked) mode.
2.3 Entering FULL ACCESS from UNSEALED
To enter FULL ACCESS from UNSEALED, you need to send a two-word FULL ACCESS KEY password to ManufacturerAccess(). The first word of the default FULL ACCESS KEY is 0xFFFF and the second word is 0xFFFF. Send the first word, then send the second word within 4 seconds; no other command may read or write the fuel gauge in between. The flag OperationStatus()[SEC1, SEC0] = 0,1 confirms that the fuel gauge is in FULL ACCESS mode.
3. How to read the security password
In UNSEALED (unlocked) mode, use the ManufacturerAccess() 0x0035 command to read the security keys.
First, open the Advanced Comm SMB interface of bqStudio and configure Target Addr = 16 (Hex). Enter 44 (Hex) in the Write Block field, enter 35 00 in Block, and then click the Write Block button.
Then enter 44 (Hex) in the Read Block field and click the Read Block button to read the security passwords of the fuel gauge. The returned data is in little-endian order, that is, the low byte comes first and the high byte second. For example, in Figure 1 below, 14 04 72 36 FF FF FF FF is returned, where 0414 is the first word of the UNSEAL KEY, 3672 is the second word of the UNSEAL KEY, FFFF is the first word of the FULL ACCESS KEY, and the last FFFF is the second word of the FULL ACCESS KEY.
Figure 1 Read password
4. How to change the security password
In UNSEALED (unlocked) mode, use the ManufacturerAccess() 0x0035 command to change the security keys. The following example changes the default UNSEAL KEY password of the BQ40Z50-R2 from 0x0414, 0x3672 to 0x1234, 0x5678, leaving the FULL ACCESS KEY (default 0xFFFF, 0xFFFF) unchanged.
Open the Advanced Comm SMB interface of bqStudio and configure Target Addr = 16 (Hex). Enter 44 (Hex) in the Write Block field, enter 35 00 34 12 78 56 FF FF FF FF in Block, and then click the Write Block button, as shown in Figure 2. A green entry in the Transaction Log indicates that the bytes have been successfully sent to the fuel gauge.
Figure 2 Change password
Using the read method described in Section 3, read back the password to verify that it has been modified correctly. As shown in Figure 3, when Read Block returns 35 00 34 12 78 56 FF FF FF FF, the password has been modified successfully.
Figure 3 Confirm password
When creating a password, note that the first word of the UNSEAL KEY cannot be the same as the first word of the FULL ACCESS KEY. For example, the UNSEAL KEY 0x1234, 0x5678 and the FULL ACCESS KEY 0x1234, 0xFFFF have the same first word, 0x1234. Therefore, this is not a valid password pair.
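The block layout from Sections 3 and 4, as an added Python example (not part of the original post and not TI tooling): it builds the bytes typed into the Write Block field, enforces the first-word rule above, and decodes a read-back with or without the echoed 35 00 prefix. All function names are hypothetical; the constants are the values quoted in the post.

```python
import struct

SECURITY_KEYS = 0x0035                   # ManufacturerAccess() command from the post
DEFAULT_UNSEAL = (0x0414, 0x3672)        # factory defaults quoted in the post
DEFAULT_FULL_ACCESS = (0xFFFF, 0xFFFF)
# OperationStatus()[SEC1, SEC0] values from Section 2
SECURITY_MODES = {(1, 1): "SEALED", (1, 0): "UNSEALED", (0, 1): "FULL ACCESS"}

def security_mode(sec1, sec0):
    return SECURITY_MODES.get((sec1, sec0), "UNKNOWN")

def build_key_block(unseal, full_access):
    """Bytes for the Write Block field of command 0x44 (little-endian words)."""
    if len(unseal) != 2 or len(full_access) != 2:
        raise ValueError("each key is two words")
    words = tuple(unseal) + tuple(full_access)
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("each word must fit in 16 bits")
    if unseal[0] == full_access[0]:
        raise ValueError("first words of the two keys must differ")
    return struct.pack("<5H", SECURITY_KEYS, *words)

def parse_key_block(data):
    """Decode a Read Block result, with or without the echoed 35 00 prefix."""
    data = bytes(data)
    if len(data) == 10 and data[:2] == struct.pack("<H", SECURITY_KEYS):
        data = data[2:]
    if len(data) != 8:
        raise ValueError("expected 8 key bytes")
    w = struct.unpack("<4H", data)
    return {"unseal": w[:2], "full_access": w[2:]}

def keys_left_at_default(keys):
    """Names of keys that still hold the factory default values."""
    defaults = {"unseal": DEFAULT_UNSEAL, "full_access": DEFAULT_FULL_ACCESS}
    return [name for name, value in defaults.items() if keys[name] == value]

def hex_field(block):
    """Format bytes the way they are typed into bqStudio's Block field."""
    return " ".join(f"{b:02X}" for b in block)

if __name__ == "__main__":
    block = build_key_block((0x1234, 0x5678), (0xFFFF, 0xFFFF))
    print(hex_field(block))
    readback = bytes.fromhex("14 04 72 36 FF FF FF FF")  # read-back from Section 3
    keys = parse_key_block(readback)
    print(keys, keys_left_at_default(keys))
```

Running `keys_left_at_default` on a read-back before sealing a pack shows whether either key was left at its shipped value.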