Sucking PIC Firmware Out Of An Old APC Battery Backup


Looking at this huge Uninterruptible Power Supply we are a little envious. It’s meant to hang on the wall of a utility room and power your critical devices. [Radek Hvizdos] has had it in service for quite some time, and when he started thinking of replacing the internal battery he decided to see if he could also extend the functionality. To do so he needed to get at the firmware of the chip controlling the device. And so began his adventure of dumping the firmware from the read-protected PIC 18F452.

The challenge of dumping code from a read-protected chip is in itself a fun project. But [Radek] was actually interested in fixing bugs and adding features. The wishlist feature we’d be most interested in is a kind of triage for shutting down devices as the internal battery starts to run low. Nice! But starting from scratch with the firmware is a no-go. You can see the two places where he connected to the PCB. The upper is for a PIC programmer. The lower is an I2C connection used to dump the EEPROM with an improvised Bus Pirate.

In the end it was incomplete code-protection settings that opened the door to grabbing the firmware. The PIC18F452 sets its protection per block, and three kinds of fuse are independent of one another: code protection (CPn) stops an external programmer from reading a block, write protection (WRTn) stops the block from being reprogrammed, and table-read protection (EBTRn) stops code running in another block from reading it with TBLRD at run-time. On this unit the boot block is not write-protected, and run-time table reads into the protected blocks are not blocked. Those two omissions together let him write his own small dumper, flash it into the boot block, and have it read out the rest of the program memory so the pieces could be combined into a complete image afterward. The one thing such a dump cannot contain is the original boot block, since the dumper overwrites it; the practical check before trying this on another device is to inspect the configuration words and confirm that the boot block is writable and that EBTR is clear for the blocks you want. Since posting this fascinating article he has made a follow-up about disassembling the code.
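To make the two conditions above concrete, here is an added example (written for this page; it is not Radek’s tool and not Microchip code) that parses an Intel HEX file, decodes the PIC18F452 code-protect, write-protect and table-read-protect fuses per block, reports which blocks a dumper flashed into the boot block could read back, and merges partial dumps into one image while listing the addresses still missing. The configuration-register offsets and bit positions are taken from the PIC18F452 datasheet as I recall them and are an assumption to verify against the datasheet for your exact part; the HEX records are constructed sample data, not a dump from the UPS.

```python
"""Decode PIC18F452 protection fuses from Intel HEX and merge partial dumps.

Added example for this page, not the article author's code. The register map
below (CONFIG5/6/7 at 0x300008..0x30000D) is an assumption from the PIC18F452
datasheet; verify it for your part. Fuses are active-low: a cleared bit means
that protection is ON.
"""

CONFIG_BASE = 0x300000

# name -> (address range, (CP reg offset, bit), (WRT reg offset, bit), (EBTR reg offset, bit))
BLOCKS = {
    "boot":   ((0x0000, 0x01FF), (0x09, 6), (0x0B, 6), (0x0D, 6)),
    "block0": ((0x0200, 0x1FFF), (0x08, 0), (0x0A, 0), (0x0C, 0)),
    "block1": ((0x2000, 0x3FFF), (0x08, 1), (0x0A, 1), (0x0C, 1)),
    "block2": ((0x4000, 0x5FFF), (0x08, 2), (0x0A, 2), (0x0C, 2)),
    "block3": ((0x6000, 0x7FFF), (0x08, 3), (0x0A, 3), (0x0C, 3)),
}


def parse_ihex(text):
    """Intel HEX -> {byte address: value}. Every record checksum is verified."""
    mem, base = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("not an Intel HEX record: %r" % line)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:                     # bytes incl. checksum must sum to 0 mod 256
            raise ValueError("checksum mismatch in %r" % line)
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + count]
        if len(data) != count:
            raise ValueError("short record %r" % line)
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x01:                     # end of file
            break
        elif rtype == 0x04:                     # extended linear address (upper 16 bits)
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError("unsupported record type %02X" % rtype)
    return mem


def protection(mem):
    """Per-block fuse decode. Absent config bytes read as 0xFF (unprotected)."""
    def fuse_on(off, bit):
        return not (mem.get(CONFIG_BASE + off, 0xFF) >> bit) & 1
    return {
        name: {
            "range": rng,
            "code_protect": fuse_on(*cp),
            "write_protect": fuse_on(*wrt),
            "table_read_protect": fuse_on(*ebtr),
        }
        for name, (rng, cp, wrt, ebtr) in BLOCKS.items()
    }


def dumpable_from_boot(prot):
    """Blocks that code flashed into the boot block could read back with TBLRD:
    the boot block must be writable, and a target block must not have its
    table-read protection set. Code protection alone only stops a programmer."""
    if prot["boot"]["write_protect"]:
        return []
    return [n for n, p in prot.items() if n != "boot" and not p["table_read_protect"]]


def merge_fragments(fragments):
    """Combine partial dumps; two fragments disagreeing on one address is an error."""
    merged = {}
    for frag in fragments:
        for addr, val in frag.items():
            if merged.get(addr, val) != val:
                raise ValueError("conflict at 0x%06X" % addr)
            merged[addr] = val
    return merged


def gaps(mem, start, end):
    """Address ranges within [start, end] that no fragment covered."""
    missing, run = [], None
    for a in range(start, end + 1):
        if a in mem:
            if run is not None:
                missing.append((run, a - 1))
                run = None
        elif run is None:
            run = a
    if run is not None:
        missing.append((run, end))
    return missing


# Constructed sample (not real device data): fuses in the state the article
# describes (code blocks CP'd and write-protected, boot block writable, no EBTR
# anywhere) plus two fragments of a program-memory dump.
CONFIG_HEX = ":020000040030CA\n:06000800F0C0F0E00F4023\n:00000001FF"
FRAGMENT_A = ":04020000AABBCCDDEC\n:00000001FF"
FRAGMENT_B = ":022000001122AB\n:00000001FF"

if __name__ == "__main__":
    prot = protection(parse_ihex(CONFIG_HEX))
    for name, p in prot.items():
        print("%-6s CP=%d WRT=%d EBTR=%d" % (name, p["code_protect"],
                                             p["write_protect"], p["table_read_protect"]))
    print("readable from boot-block code:", dumpable_from_boot(prot))
    image = merge_fragments([parse_ihex(FRAGMENT_A), parse_ihex(FRAGMENT_B)])
    print("still missing:", ["0x%04X-0x%04X" % g for g in gaps(image, 0x0000, 0x7FFF)])
```

Run it against a HEX file read from a programmer instead of `CONFIG_HEX` to see at a glance whether a target is exposed in the same way: every block listed by `dumpable_from_boot` is one that a boot-block dumper can read despite its CP bit. The gap report is the bookkeeping for the "combine afterward" step, and the boot block itself will always show as missing, since it now holds the dumper.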

30 thoughts on “Sucking PIC Firmware Out Of An Old APC Battery Backup”

      1. “lithium iron phosphate”

        Search-fu that string. There’s a bunch of “drop-in” batteries on the market of that chemistry that work where people use gel lead-acid. They’re lighter, and claim to have a greater cycle life, but currently are more expensive. The manufacturers claim they’re cost effective today, but I don’t see a big switchover in the industry yet like we’re beginning to see with LED lighting.

        1. Not only are lithium iron phosphate batteries perfectly happy to sit for months and months at 100% SoC, but many now come with built-in protection circuits that prevent overcharging and over-discharging.

          1. Over-discharging of lithium batteries is prevented by a latch circuit that isolates the battery cells when the voltage drops below a set point. When that happens, the controller basically bricks the battery, because you cannot recharge it – it is deemed dead because the electrodes undergo a chemical change below a certain voltage that may cause hydrogen to be produced and upon recharge the battery may develop pressure and burst.

            It is possible to reset the controller by shoving current into the cells directly, but you risk a battery fire later on.

        2. I designed my own firmware-based charger from scratch (as in writing PID for proper CC/CV and charge termination), so I am aware of charging algorithms and battery chemistry. I also previously worked on commercial projects that use Pb, NiCd and ultracap UPS designs, so I looked very hard at the alternatives.

          There is *nothing* the “protection” PCB in a battery pack would do to protect against long-term battery damage, as it only handles over/under-voltage and short-circuit protection. So unless these ones that come with built-in SoC also have built-in chargers, they won’t prevent overcharging.

          They also tell you specifically not to leave them in a charger after they are charged. The damage is related to how long the battery is exposed to the 4.2V stress during charging, and that’s pretty much the wear-out mechanism. You would also need to design the UPS with the intent specifically for Li-type chemistry.

          BTW, as for LiFePO4, I am very aware of it since A123 and its RC following. I am using one of them in my camera to replace 2 NiMH AA. It works very well, but the datasheet still warns you about overcharging.

          I would not be quoting Battery University if my Google-fu wasn’t there.

      2. There is no “overcharge” for lithium batteries. They are simply held at a constant voltage, and the current they draw is equal to the leakage of the battery.

        If you attempt to trickle charge one by constantly pushing in a small current, the battery will burst into flame. An overflow shunt is typically placed across the battery to prevent this from happening.

        1. But just leaving the battery at the constant voltage (even if it is getting no net charge) stresses the battery. This is why they would only charge it when it drops below a threshold.

          http://batteryuniversity.com/learn/article/charging_lithium_ion_batteries
          >If a lithium-ion battery must be left in the charger for operational readiness, some chargers apply a brief topping charge to compensate for the small self-discharge the battery and its protective circuit consume. The charger may kick in when the open-circuit voltage drops to 4.05V/cell and turn off again at a high 4.20V/cell. Chargers made for operational readiness, or standby mode, often let the battery voltage drop to 4.00V/cell and recharge to only 4.05V/cell instead of the full 4.20V/cell. This reduces voltage-related stress and prolongs battery life.

          1. That depends on what constant voltage you leave it at.

            The flaw of the argument is that whether or not the battery is connected to a voltage from an external circuit, an internal potential difference still exists and works exactly the same way. Of course if there’s current going in, that counts as “cycling” the battery, but the same happens due to the self-discharge anyways.

            What really matters is that the leakage and self-degradation rate of a lithium battery increases somewhat exponentially the higher the state of charge you have, so the difference between maintaining a battery at 4.2 volts versus 3.8 or 4.0 volts makes a huge difference.

            And again, since there is actually no voltage at which the lithium battery is officially full – it can be charged higher and higher all the way up to combustion – it’s your job as the circuit designer to define what voltage you want full charge to mean. You can choose that level based on how long you want your batteries to last.

          2. They are better off applying hysteresis in some standby mode.

            You said “simply held at a constant voltage” (without the disclaimer of charge level vs lifetime), which, while technically correct, can be very misleading to newbies who might read that as CV at 4.2V forever being fine.

            Pretty much most Li chargers would cut off charging when the charge current is at 1/10 to 1/20, so they don’t reach the point of just cancelling the losses at all. So your previous description does not match real-life usage.

            Not sure if you are backpedaling to CYA…

  1. I never hacked one of these units beyond connecting them to much larger battery packs to extend the run time.
    This is a very cool hack, especially if you get some auto shutdown feature out of it.
    MORE POWER TO YOU!

    1. > connecting them to much larger battery packs to extend the run time

      That’s a very bad idea.

      The chargers on these UPSes are barely adequate for the built-in battery. If you connect a larger battery the charger will not be able to deliver the required charge current, which means your battery will inevitably get sulphated after a few discharge/charge cycles, and eventually the battery will die.

      1. Ya, no. Lead acid batteries love to be trickle-charged. Overcharging them is a big no-no. People have been attaching huge external batteries to APC units since the beginning of time.

      2. I have never heard of anything bad happening to a battery because you charged it too slowly. The warnings I see about lead-acid say “make sure you charge it all the way to prevent sulfation”.

  2. Anyway, third try.

    Great write-up. I love that he built the Bus Pirate himself rather than order one.

    The PIC 18Fxx2 series can be read out by a number of means. I can’t seem to post links, but the attack used in this post is essentially the same one documented in the “Heart of Darkness” paper documenting the read out of keys from HID iClass readers using these micros.

    There is also another attack which uses the high voltage in-circuit-programming interface. Google “dumping iclass keys” and it should be right near the top.

  3. APC and many others manufacture UPSes, but with incredibly short (5 min) battery run time. You can extend the run time by bringing the battery connections outside and using a much larger battery. For instance, running 50W worth of your modem, router and NAS loads for a few hours with a 12V, 17 Ah battery. Just a couple of important things to consider…. Full recharge can take more than 24 hours and is usually OK for the charger. But the biggest danger is that the battery charger and the battery posts are not isolated from dangerous voltages referenced to ground. Referenced to ground, my UPS has 57VAC on the battery terminals. The battery is happy as it only has 13.7V across its terminals. The original battery is protected from your fingers and user shock while it is *inside* the UPS case. If you substitute a larger battery, please carefully consider your insulated connectors and battery terminals.

  4. Super, but how was the bootloader relocated? I understood that the original bootloader was overwritten with 0x0000 (NOP), but the new BTL has a different start address. So the CPU is NOPing (through the old BTL) until it reads the first useful instructions (new BTL)?
