Battery Firmware Hacking - Hacker Halted

More documents

Recommendations

Info

Something different http://www.youtube.com/watch?v=jjAtBiTSsKY Sunday, October 2, 11
Spoiler I didn’t blow up batteries Didn’t do too much twiddling of parameters in my house Would like to continue to take my laptop on airplanes Might be able to take this work and do it Sunday, October 2, 11
Page 1 and 2: Battery Firmware Hacking Charlie Mi
Page 3: About me Former US National Securit
Page 7 and 8: Smart battery “Safety is a primar
Page 9 and 10: Possible Battery Attacks Brick batt
Page 11 and 12: How to start I suck at hardware, so
Page 13 and 14: AppleSmartBattery Is part of PowerM
Page 15 and 16: One odd thing What’s up with 0x36
Page 17 and 18: Double win! We now know its some ki
Page 19 and 20: Double win! We now know its some ki
Page 21 and 22: Data flash signature SubclassID:byt
Page 27 and 28: Step 2 Sunday, October 2, 11
Page 29 and 30: Step 4 Chips and stuff Sunday, Octo
Page 31 and 32: Thx: Travis Goodspeed Sunday, Octob
Page 33 and 34: Sunday, October 2, 11
Page 35 and 36: Digression We now know what kind of
Page 37 and 38: Using the API Sunday, October 2, 11
Page 39 and 40: Lots to do! There are many interest
Page 41 and 42: Different modes Sealed Unsealed Ful
Page 43 and 44: Unsealed Access to Data Flash space
Page 45 and 46: Configuration mode By issuing SMBus
Page 47 and 48: Other calibrations? Sunday, October
Page 49 and 50: Other calibrations? Yes, I’m a pr
Page 51 and 52: q20z80evm-001 An evaluation system
Page 53 and 54: The software Sunday, October 2, 11
Page 55 and 56:
Data flash Sunday, October 2, 11
Page 57 and 58:
EVM It can flash the firmware with
Page 59 and 60:
Introspection Wrote a PyDbg script
Page 61 and 62:
Google again Googling these types o
Page 63 and 64:
Boot ROM - mostly ok See how to wri
Page 65 and 66:
Let’s ask TI! Sunday, October 2,
Page 67 and 68:
Plz! Sunday, October 2, 11
Page 69 and 70:
Intellectual property - Here I come
Page 71 and 72:
Intellectual property - Here I come
Page 73 and 74:
3 byte aligned Probably 3 byte alig
Page 75 and 76:
3 byte aligned Probably 3 byte alig
Page 77 and 78:
The end Ends in 23 ff ff Then lots
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Back to google Sunday, October 2, 1
Page 87 and 88:
CoolRISC 816 8-bit micro controller
Page 89 and 90:
Instruction set Sunday, October 2,
Page 91 and 92:
IDA! Create a few small sections, o
Page 93 and 94:
More IDA Initial disassembly doesn
Page 95 and 96:
Boot ROM Problems Now can dump and
Page 97 and 98:
Battery wasteland Sunday, October 2
Page 99 and 100:
Try an off-market knockoff Actually
Page 101 and 102:
Problem 2 If you patch a few bytes
Page 103 and 104:
Checksum checker (old) Sunday, Octo
Page 105 and 106:
Disable checksum Older: Set stored
Page 107 and 108:
Patch it! patch_firmware function p
Page 109 and 110:
Sniffing SMBus Bought some (more) h
Page 111 and 112:
Spaghetti wire fail Sunday, October
Page 113 and 114:
Pop the keyboard Sunday, October 2,
Page 115 and 116:
i2c decoding Write, SBS command 0x8
Page 117 and 118:
Beagle data Sunday, October 2, 11
Page 119 and 120:
Implications Brick the battery Chan
Page 121 and 122:
Firmware changes It might be intere
Page 123 and 124:
SMBus MITM Remaining Capacity (0xf)
Page 125 and 126:
We redirect to cases 1b-1c int work
Page 127 and 128:
Re-sniffing Shows all values querie
Page 129 and 130:
Deal breaker? MU092X Thermal cutoff
Page 131 and 132:
Fuzzing the SMBus Options Write a f
Page 133 and 134:
Caulkgun source - guts #include #i
Page 135 and 136:
More info Tools, slides, whitepaper
show all

Battery Firmware Hacking - Hacker Halted

Create successful ePaper yourself

Delete template?

Save as template?