Author Topic: Laptop battery pack cell replacement.  (Read 17616 times)


Offline amyk

  • Super Contributor
  • ***
  • Posts: 8415
Re: Laptop battery pack cell replacement.
« Reply #25 on: February 13, 2012, 10:19:06 am »
Quote
Are the existing safety measures broken, or are people just reverse engineering and creating packs with the existing parts in the marketplace.
It's probably the latter. Some of these people "recell" packs as a business, and if their products have a reputation for going up in flames, it isn't long before they'll have no more business.
Quote
I know of at least two major recalls of battery packs by major computer manufacturers here in the US.  HP had a major recall, where the people I know in the industry believed the issue was a wire abrading and shorting out over time.  Even at their cost for the packs, this had to be in the millions of dollars.  I know Dell had a recall, where it was believed that small metal fragments from a cell winding machine were wound into the cell, and were causing punctures in the separator.  Again, millions of dollars in cost to fix those concerns.  Perhaps you are too young to remember the several incidents with metallic lithium cells.  There was one fairly famous one where the battery pack in a mobile radio exploded and burned the face of someone in Asia.  In the world today, if you are a corporation with deep pockets, having safety failures in the 0.01% area could put you out of business very quickly, but that certainly fits your small percentage that we don't need to worry about.  For a small business, they are often forced to just shut the doors.  I have seen this happen to several smaller battery pack manufacturers in Asia.
I remember those recalls, and that was due to manufacturing flaws in the cells. They had to recall them, because they were certain to short sooner or later.
Quote
An 18650 cell is capable of delivering currents of 100A into a good short.  It is quite easy to cause a short with these cells, and start a fire.  In my career I have performed abuse testing on hundreds of cells, and given feedback to manufacturers that has helped to reduce risks.  If you choose to ignore the risks and operate packs with no safety features in place, or choose not to abide by pack manufacturers best practices, I can only hope you don't experience first hand the failures that not only can, but do occur.

Go ahead and believe the risks are not real, or that you are immune.  Just remember that you were warned.
If anything, the ones rebuilding packs are going to know the most about shorts (and given how many they work with, have probably experienced more than a few) and how to avoid them. I'm not saying to ignore the risks, but to assess them in relation to other things -- especially since just about everything you do these days seems to have a chance of killing you. Most people won't refuse to fly just because of that 1 in ~10 million chance of dying.
 

Offline SgtRock

  • Supporter
  • ****
  • Posts: 1200
  • Country: us
Re: Laptop battery pack cell replacement.
« Reply #26 on: February 13, 2012, 03:31:15 pm »
Greetings EEVBees:

--Indeed Amryk was correct, the information on how to defeat the smart battery pack is indeed out there in cyberspace and not just in Thai. Please see the below link to an article by Mathew J. Schwartz from Information Week of July, 2011 titled "Apple Laptop Batteries Hacked By Researcher" -- "Attackers could use a password weakness to render your laptop's battery useless--or overcharge it to start a fire, researcher warns."

http://www.informationweek.com/news/security/vulnerabilities/231002536

--This article is about Laptop Battery Hacking work by Doctor Charles Miller, who formerly worked at the National Security Agency. I am also an alumnus of the Puzzle Palace, but of a much more humble station than the prestigious Dr. Miller.  Now, indeed I am not sure just how likely any of these scenarios are, but over the years, malicious hackers have done a lot of damage by using manufacturers' default passwords. A case in point would be what happened in the UK when the Government Telephone Service Authority decided all cell phone voice mail would have a default password of 1234. Bob's your uncle, and we know whose knickers he is eyeing.

--Also please see below the PDF file, by Dr. Miller, explaining how to reprogram your battery (includes pictures). This is the information that was promised in the Information Week article.

http://media.blackhat.com/bh-us-11/Miller/BH_US_11_Miller_Battery_Firmware_Public_WP.pdf

--Also I just found Dr. Miller's YouTube Tutorial on Smart Battery Hacking, and as soon as I hit the post button I am going to finish watching it.



--They even sell software to do this sort of thing, like "Battery EEPROM Works" - See below link where you can download a demo, and if you like you can buy for $10.

http://be2works.com/download.html

--It claims to support darn near every smart battery chip ever made, including the Maxim parts mentioned on the Thai site that Amryk provided.

--Please keep in mind, that I am not advocating that anyone do this, but I do believe that more information is better than less.

"I have had my results for a long time: but I do not yet know how I am to arrive at them."
Carl Friedrich Gauss (1777-1855)
 
 

Offline bfritz

  • Regular Contributor
  • *
  • Posts: 134
  • Country: us
Re: Laptop battery pack cell replacement.
« Reply #27 on: February 13, 2012, 05:46:39 pm »
Thanks for those presentations SgtRock.

I was aware that Apple was using the default keys.  In my opinion, the engineers there are a little full of themselves.  I actually talked with them a couple times, and they thought there was no need for security, as nobody will ever figure this stuff out.  LOL

So yes, Apple is what I would call the "Low Hanging Fruit".  The truth is, that even given full knowledge of how the firmware works, you would be unable to cause a safety problem.  But that doesn't mean a hacker couldn't cause some damage!

The issue is that there is a secondary protection IC (TI, Maxim, Mitsumi, and Seiko make them) that, if the pack ever gets close to an overvoltage condition, will blow the Permanent Failure (PF) fuse.  I think the part that Apple doesn't get is that a hacker could easily go in and change the charging voltage requested by the pack in the Smart Battery Gauge (since they foolishly used the default sealing password), and change the overvoltage thresholds for the primary protection provided by the Smart Battery Gauge.

The charger is not a true Level 2 or 3 SMBus charger, so it actually pays no attention to the charge voltage requested, and is hardwired to put out the correct value.  But by changing the primary protection thresholds, and disabling any cell balancing, a hacker could cause a cell voltage imbalance, which results in an overvoltage on a cell, that then triggers the secondary protection.  The secondary protection would then blow the PF Fuse, which disables the pack.  This will likely take many charges to occur, but since there is no real security as Apple uses the default password given by TI, it is quite possible to write a virus that could cause batteries to eventually blow their PF fuses.

I have seen the other manufacturers be more rigorous in their approach.  The HP, Dell, Lenovo, and other major laptop packs I have seen, do bother to implement a real password.  I have yet to see examples of those passwords get hacked.

I have seen an example of a RIM battery pack for a mobile phone that was very hackable, even though it was using a password.  It used a very simple CRC, actually two separate 16-bit CRC-style passwords.  The issue is that the security chip they chose actually offers a way to attack them one at a time, which, along with the hardware knowledge of how the CRC works, made the password very crackable.  I know RIM was looking at getting away from that security scheme, but don't know if they did or not.

I found the "Battery E2Prom Works" software to be interesting, but of no real threat.  They are just repackaging what you can get in an EV-Kit from TI or Maxim.  (I didn't even see where they said it worked with the Maxim parts.)  It did say that if the battery gauge IC came back reported as "sealed" you needed to assume the part was "Dead" and replace the part.  So, this makes it possible to rework a pack, but you would need to replace the IC.  I know that Dell also implements some other items in the pack, that if the values are not programmed correctly for that model, the Dell will refuse to charge that battery pack.  I didn't see any special mention for Dell, so I assume that software doesn't know the requirements for the different models, and will not work with those Dell packs.  (This is a fairly recent change, about the last year, so wouldn't be surprised to have software like that not yet dealt with such packs.)

So, I am interested in anyone who does have an example of a laptop pack that actually implemented a non-default password, that has been cracked.  I would be interested in seeing such information, in case anyone here does know of those.

But, the links to some of the stuff that people have shown, is a good example of why the manufacturers are worried... at least those who don't have Apple's, "We Are Gods", attitude.  LOL
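The failure path bfritz lays out above (a charger hard-wired to the pack voltage, gauge thresholds raised and balancing disabled, and a secondary protector whose only response is to blow the PF fuse) can be put into a small simulation. The model below is an added illustration, not code from this thread, from Apple, or from any gauge vendor. The three-cell pack, its capacities and self-discharge rates, the thresholds (4.25 V/cell for the stock primary, 4.35 V for the secondary, 4.50 V for the tampered primary), the charger's fixed 12.6 V and the linear voltage curve are all constructed assumptions chosen so the drift shows within 150 cycles. It runs three configurations: stock, balancing disabled with the primary threshold intact, and balancing disabled with the primary threshold pushed above the secondary's.

```python
"""Series-cell imbalance vs. the two protection layers in a smart battery pack.

Added example, not from the thread or any vendor: a toy model of a
pack-voltage-regulated charger, a primary protector (the gauge, with a
configurable per-cell overvoltage threshold and optional balancing) and a
secondary protector whose only action is to blow the permanent-failure
(PF) fuse.  All numbers below are constructed assumptions, not data for
any real pack.  Undervoltage protection and cell ageing are not modelled.
"""
from dataclasses import dataclass
from typing import Optional

# --- constructed pack parameters (assumptions, not measured values) ---
CAPACITY_MAH = (2200.0, 2200.0, 2000.0)   # three cells in series, one weaker
SELF_DISCHARGE_MAH = (1.0, 1.0, 8.0)      # per-cycle leakage, weak cell leaks more
DISCHARGE_MAH = 1200.0                    # charge removed from every cell per cycle
CHARGER_PACK_VOLTS = 12.6                 # hard-wired 3 x 4.2 V, ignores what the pack asks for
SECONDARY_OV_VOLTS = 4.35                 # secondary protector: blows the PF fuse, no recovery
BALANCE_BLEED_MAH = 20.0                  # most charge the balancer bleeds from a cell per cycle


def cell_volts(soc: float) -> float:
    """Toy cell curve: 3.0 V empty, 4.2 V full, extrapolated linearly beyond."""
    return 3.0 + 1.2 * soc


@dataclass
class Result:
    pf_cycle: Optional[int]      # cycle in which the PF fuse blew, None if never
    primary_trips: int           # cycles in which the gauge cut the charge early
    max_cell_volts: float        # highest per-cell voltage seen at end of charge


def simulate(primary_ov_volts: float, balancing: bool, cycles: int = 150) -> Result:
    soc = [1.0, 1.0, 1.0]        # start balanced and full
    trips = 0
    vmax = 0.0
    for cycle in range(1, cycles + 1):
        # discharge: the same current flows through every series cell, plus leakage
        for i, cap in enumerate(CAPACITY_MAH):
            soc[i] -= (DISCHARGE_MAH + SELF_DISCHARGE_MAH[i]) / cap
        # charge in 1 mAh steps until the charger sees its fixed pack voltage,
        # unless the gauge (primary protector) sees a cell over its OV threshold first
        cut_by_gauge = False
        while sum(cell_volts(s) for s in soc) < CHARGER_PACK_VOLTS:
            if max(cell_volts(s) for s in soc) >= primary_ov_volts:
                cut_by_gauge = True
                break
            for i, cap in enumerate(CAPACITY_MAH):
                soc[i] += 1.0 / cap
        if cut_by_gauge:
            trips += 1
        vmax = max(vmax, max(cell_volts(s) for s in soc))
        # secondary protector: independent of anything the gauge was programmed with
        if max(cell_volts(s) for s in soc) >= SECONDARY_OV_VOLTS:
            return Result(cycle, trips, vmax)
        # balancing: bleed the high cells toward the lowest one, bounded per cycle
        if balancing:
            low = min(soc)
            for i, cap in enumerate(CAPACITY_MAH):
                soc[i] -= min(soc[i] - low, BALANCE_BLEED_MAH / cap)
    return Result(None, trips, vmax)


def stock() -> Result:
    """Shipped configuration: 4.25 V/cell primary threshold, balancing on."""
    return simulate(primary_ov_volts=4.25, balancing=True)


def balancing_disabled_only() -> Result:
    """Balancing off but primary threshold intact: the gauge cuts charge early."""
    return simulate(primary_ov_volts=4.25, balancing=False)


def tampered() -> Result:
    """Primary threshold raised above the secondary's, balancing off."""
    return simulate(primary_ov_volts=4.50, balancing=False)


if __name__ == "__main__":
    for name, fn in (("stock", stock), ("no balancing", balancing_disabled_only), ("tampered", tampered)):
        r = fn()
        print(f"{name:13s} PF at cycle {r.pf_cycle}, gauge trips {r.primary_trips}, "
              f"max cell {r.max_cell_volts:.3f} V")
```

Running it, the stock pack never trips either protector because balancing removes the small per-cycle drift. With balancing off but the 4.25 V primary threshold intact, the gauge starts cutting charge early after a few dozen cycles and keeps doing so, so the pack loses capacity but the secondary never fires; that is why the attacker has to move the primary threshold as well as disable balancing. Only the tampered pack reaches the secondary threshold, after on the order of a hundred cycles in this model, which is the "many charges" point above. The weak cell is simply driven lower each cycle since undervoltage protection is not modelled.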
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8415
Re: Laptop battery pack cell replacement.
« Reply #28 on: February 14, 2012, 12:06:47 pm »
Quote
This will likely take many charges to occur, but since there is no real security as Apple uses the default password given by TI, it is quite possible to write a virus that could cause batteries to eventually blow their PF fuses.
Since SMBus access is restricted to administrator, it would either have to rely on a privilege escalation exploit or clever social engineering. And once someone has that privilege, it's relatively easy to cause hardware damage via other means than the battery: forcing the fans off and pushing CPU and RAM voltages beyond safe limits, for example. Or more obnoxiously, erasing the BIOS. However, malware writers don't choose to do that, as it is far more beneficial for them to steal user information secretly instead of destroying hardware.
Quote
I found the "Battery E2Prom Works" software to be interesting, but of no real threat.  They are just repackaging what you can get in an EV-Kit from TI or Maxim.  (I didn't even see where they said it worked with the Maxim parts.)  It did say that if the battery gauge IC came back reported as "sealed" you needed to assume the part was "Dead" and replace the part.  So, this makes it possible to rework a pack, but you would need to replace the IC.  I know that Dell also implements some other items in the pack, that if the values are not programmed correctly for that model, the Dell will refuse to charge that battery pack.  I didn't see any special mention for Dell, so I assume that software doesn't know the requirements for the different models, and will not work with those Dell packs.  (This is a fairly recent change, about the last year, so wouldn't be surprised to have software like that not yet dealt with such packs.)
The basic principle of that software is to clone the entire state of the IC, so unless it's not possible to read and clone the Dell-specific stuff (but... how else would the laptop check otherwise if it couldn't read it), I think it's a generic solution. I do know that Dell has been known for some rather sneaky tricks with their AC adapters.

Quote
So, I am interested in anyone who does have an example of a laptop pack that actually implemented a non-default password, that has been cracked.  I would be interested in seeing such information, in case anyone here does know of those.
It seems in many cases it's cheaper to just replace the IC, but maybe for some cases there is an incentive to dig in and reverse-engineer -- and that's one thing you'll find a lot over in Asia. Chip decaps / live EEPROM reading (even from "secured" chips) is relatively common practice. There really isn't much they can't do.
Quote
But, the links to some of the stuff that people have shown, is a good example of why the manufacturers are worried... at least those who don't have Apple's, "We Are Gods", attitude.  LOL
That's also partly why those who know this stuff don't tend to easily disclose the information to the public. It's a similar situation with things like inkjet cartridge chips (there are of course some notable exceptions.)
 

