Battery Firmware Hacking - Hacker Halted

More documents

Recommendations

Info

Case 0xf - 0x10 This sets up then reads from hardware and sends response (in different basic block) Sunday, October 2, 11
We redirect to cases 1b-1c int worked = patch_firmware(0xdbb1, (unsigned char *) "\xf3\xc5\x0e\x95\xb6\x33", 6, 0); Patching row 0x249 at offset 0x51 Sunday, October 2, 11
Page 1 and 2:
Battery Firmware Hacking Charlie Mi
Page 3 and 4:
About me Former US National Securit
Page 5 and 6:
Spoiler I didn’t blow up batterie
Page 7 and 8:
Smart battery “Safety is a primar
Page 9 and 10:
Possible Battery Attacks Brick batt
Page 11 and 12:
How to start I suck at hardware, so
Page 13 and 14:
AppleSmartBattery Is part of PowerM
Page 15 and 16:
One odd thing What’s up with 0x36
Page 17 and 18:
Double win! We now know its some ki
Page 19 and 20:
Double win! We now know its some ki
Page 21 and 22:
Data flash signature SubclassID:byt
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Step 2 Sunday, October 2, 11
Page 29 and 30:
Step 4 Chips and stuff Sunday, Octo
Page 31 and 32:
Thx: Travis Goodspeed Sunday, Octob
Page 33 and 34:
Sunday, October 2, 11
Page 35 and 36:
Digression We now know what kind of
Page 37 and 38:
Using the API Sunday, October 2, 11
Page 39 and 40:
Lots to do! There are many interest
Page 41 and 42:
Different modes Sealed Unsealed Ful
Page 43 and 44:
Unsealed Access to Data Flash space
Page 45 and 46:
Configuration mode By issuing SMBus
Page 47 and 48:
Other calibrations? Sunday, October
Page 49 and 50:
Other calibrations? Yes, I’m a pr
Page 51 and 52:
q20z80evm-001 An evaluation system
Page 53 and 54:
The software Sunday, October 2, 11
Page 55 and 56:
Data flash Sunday, October 2, 11
Page 57 and 58:
EVM It can flash the firmware with
Page 59 and 60:
Introspection Wrote a PyDbg script
Page 61 and 62:
Google again Googling these types o
Page 63 and 64:
Boot ROM - mostly ok See how to wri
Page 65 and 66:
Let’s ask TI! Sunday, October 2,
Page 67 and 68:
Plz! Sunday, October 2, 11
Page 69 and 70:
Intellectual property - Here I come
Page 71 and 72:
Intellectual property - Here I come
Page 73 and 74: 3 byte aligned Probably 3 byte alig
Page 75 and 76: 3 byte aligned Probably 3 byte alig
Page 77 and 78: The end Ends in 23 ff ff Then lots
Page 85 and 86: Back to google Sunday, October 2, 1
Page 87 and 88: CoolRISC 816 8-bit micro controller
Page 89 and 90: Instruction set Sunday, October 2,
Page 91 and 92: IDA! Create a few small sections, o
Page 93 and 94: More IDA Initial disassembly doesn
Page 95 and 96: Boot ROM Problems Now can dump and
Page 97 and 98: Battery wasteland Sunday, October 2
Page 99 and 100: Try an off-market knockoff Actually
Page 101 and 102: Problem 2 If you patch a few bytes
Page 103 and 104: Checksum checker (old) Sunday, Octo
Page 105 and 106: Disable checksum Older: Set stored
Page 107 and 108: Patch it! patch_firmware function p
Page 109 and 110: Sniffing SMBus Bought some (more) h
Page 111 and 112: Spaghetti wire fail Sunday, October
Page 113 and 114: Pop the keyboard Sunday, October 2,
Page 115 and 116: i2c decoding Write, SBS command 0x8
Page 117 and 118: Beagle data Sunday, October 2, 11
Page 119 and 120: Implications Brick the battery Chan
Page 121 and 122: Firmware changes It might be intere
Page 123: SMBus MITM Remaining Capacity (0xf)
Page 127 and 128: Re-sniffing Shows all values querie
Page 129 and 130: Deal breaker? MU092X Thermal cutoff
Page 131 and 132: Fuzzing the SMBus Options Write a f
Page 133 and 134: Caulkgun source - guts #include #i
Page 135 and 136: More info Tools, slides, whitepaper
show all

Battery Firmware Hacking - Hacker Halted

Create successful ePaper yourself

Delete template?

Save as template?