Unlocking Thinkpad Batteries

A few months ago, [Matt] realized he needed another battery for his Thinkpad X230T. The original battery would barely last 10 minutes, and he wanted a battery that would last an entire plane flight. When his new battery arrived, he installed it only to find a disturbing message displayed during startup: “The system does not support batteries that are not genuine Lenovo-made or authorized.” The battery was chipped, and now [Matt] had to figure out a way around this.

Most recent laptop batteries have an integrated controller that implements the Smart Battery Specification (SBS) over SMBus, an I2C-like protocol with data and clock pins right on the battery connector. After connecting a USBee logic analyser to the relevant pins, [Matt] found that the battery didn't report itself correctly to the Thinkpad's battery controller.
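The kind of exchange a logic analyser on those two pins captures, as an added example that is not code from the original post or from [Matt]'s project: a host reads standard SBS word and block registers from a constructed, simulated gas gauge at the spec's battery address 0x0B, checks the optional SMBus Packet Error Code (PEC, CRC-8 with polynomial 0x07) on every reply, and decodes the values. The PEC and the packed ManufactureDate layout go beyond what the post mentions; the pack's identity strings, readings and the bit-flipping bus are made up for the example. Note that the identity registers (ManufacturerName, DeviceName) are plain reads that any pack can answer with any string, so matching them proves nothing about who made the pack.

```python
SBS_ADDR = 0x0B                                      # 7-bit SMBus address of a smart battery
ADDR_W, ADDR_R = SBS_ADDR << 1, (SBS_ADDR << 1) | 1  # address byte with write / read bit

# A subset of SBS 1.1 command codes (word registers unless noted)
TEMPERATURE = 0x08        # 0.1 K
VOLTAGE = 0x09            # mV
CURRENT = 0x0A            # mA, signed (negative = discharging)
RELATIVE_SOC = 0x0D       # percent
CYCLE_COUNT = 0x17
MANUFACTURE_DATE = 0x1B   # packed day / month / year
SERIAL_NUMBER = 0x1C
MANUFACTURER_NAME = 0x20  # block (string)
DEVICE_NAME = 0x21        # block (string)
DEVICE_CHEMISTRY = 0x22   # block (string)


def smbus_pec(data: bytes) -> int:
    """CRC-8 over the whole transaction, polynomial x^8+x^2+x+1 (0x07), init 0: SMBus PEC."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


class SimulatedBattery:
    """Constructed stand-in for the pack's gas gauge: answers SBS reads and appends a PEC."""

    def __init__(self, words, blocks):
        self.words, self.blocks = words, blocks

    def read_word(self, cmd: int) -> bytes:
        value = self.words[cmd] & 0xFFFF
        payload = bytes([value & 0xFF, value >> 8])                   # little-endian word
        return payload + bytes([smbus_pec(bytes([ADDR_W, cmd, ADDR_R]) + payload)])

    def read_block(self, cmd: int) -> bytes:
        payload = bytes([len(self.blocks[cmd])]) + self.blocks[cmd]   # byte count, then data
        return payload + bytes([smbus_pec(bytes([ADDR_W, cmd, ADDR_R]) + payload)])


class BitFlippingBus:
    """Constructed fault: corrupts one data bit of each word reply but leaves the PEC alone."""

    def __init__(self, inner):
        self.inner = inner

    def read_word(self, cmd: int) -> bytes:
        raw = bytearray(self.inner.read_word(cmd))
        raw[0] ^= 0x01
        return bytes(raw)

    def read_block(self, cmd: int) -> bytes:
        return self.inner.read_block(cmd)


class PecError(ValueError):
    pass


def _check_pec(cmd: int, raw: bytes) -> bytes:
    """Recompute the PEC the host expects over addr/cmd/addr/data; strip it or refuse the reply."""
    if smbus_pec(bytes([ADDR_W, cmd, ADDR_R]) + raw[:-1]) != raw[-1]:
        raise PecError(f"PEC mismatch on SBS command 0x{cmd:02X}")
    return raw[:-1]


def host_read_word(bus, cmd: int) -> int:
    data = _check_pec(cmd, bus.read_word(cmd))
    return data[0] | (data[1] << 8)


def host_read_block(bus, cmd: int) -> bytes:
    data = _check_pec(cmd, bus.read_block(cmd))
    return data[1:1 + data[0]]


def decode_manufacture_date(word: int):
    """SBS packs the date as day (bits 0-4), month (bits 5-8), year minus 1980 (bits 9-15)."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def decode_signed(word: int) -> int:
    return word - 0x10000 if word & 0x8000 else word


def read_battery(bus) -> dict:
    """What a host EC, or a decoder for a captured SMBus trace, pulls out of a pack."""
    return {
        "temperature_c": round(host_read_word(bus, TEMPERATURE) / 10 - 273.15, 2),
        "voltage_mv": host_read_word(bus, VOLTAGE),
        "current_ma": decode_signed(host_read_word(bus, CURRENT)),
        "soc_percent": host_read_word(bus, RELATIVE_SOC),
        "cycle_count": host_read_word(bus, CYCLE_COUNT),
        "manufacture_date": decode_manufacture_date(host_read_word(bus, MANUFACTURE_DATE)),
        "serial": host_read_word(bus, SERIAL_NUMBER),
        "manufacturer": host_read_block(bus, MANUFACTURER_NAME).decode("ascii"),
        "device": host_read_block(bus, DEVICE_NAME).decode("ascii"),
        "chemistry": host_read_block(bus, DEVICE_CHEMISTRY).decode("ascii"),
    }


# Constructed sample pack; every value below is made up for the example
SAMPLE_PACK = SimulatedBattery(
    words={TEMPERATURE: 2982, VOLTAGE: 11430, CURRENT: 0xFF38, RELATIVE_SOC: 87,
           CYCLE_COUNT: 42, MANUFACTURE_DATE: (2012 - 1980) << 9 | 7 << 5 | 18,
           SERIAL_NUMBER: 0x1234},
    blocks={MANUFACTURER_NAME: b"ExampleCells", DEVICE_NAME: b"PACK-SIM-1",
            DEVICE_CHEMISTRY: b"LION"},
)

if __name__ == "__main__":
    for key, value in read_battery(SAMPLE_PACK).items():
        print(f"{key:>17}: {value}")
    try:
        read_battery(BitFlippingBus(SAMPLE_PACK))
    except PecError as exc:
        print("corrupted reply rejected:", exc)
```

The PEC covers the address byte and command as well as the data, so a reply replayed for the wrong command, or a bit flipped on the wire, fails the check even though the CRC itself is tiny; it is an integrity check against noise, not an authentication mechanism, and a pack that answers with a valid PEC has proved nothing about its origin.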

With the problem clearly defined, [Matt] had a few options open to him. The first was opening both batteries and moving the cells from the newer (non-genuine) battery into the old (genuine) pack. If you've ever taken apart a laptop battery, you'll know this is the worst choice. There are fiddly bits of plastic and glue, and if you're lucky enough to get the battery apart in a reasonably clean manner, you're not going to get it back together again. The second option was modifying the firmware on the non-genuine battery. [Charlie Miller] has done a bit of research on this, but none of the standard SBS commands would work on the non-genuine battery, meaning [Matt] would need to take the battery apart to see what's inside. The third option is an embedded controller that taps into the SMBus on the battery connector and speaks to the laptop on the pack's behalf, but according to [Matt], adding extra electronics to a laptop isn't ideal. The last option is modifying the Thinkpad's embedded controller firmware. This is the one he went with.

There's an exceptionally large community dedicated to Thinkpad firmware hacks, reverse engineering, and generally turning Thinkpads into the best machines they can be. With the schematics for his laptop in hand, [Matt] found the embedded controller responsible for battery charging, and after a few educated guesses had some success. He ran into problems, though, when he discovered some strangely encrypted code in the firmware image. A few Russian developers had run into the same problem and, by wiring JTAG up to the embedded controller chip, had obtained a fully decrypted Flash image of whatever was running on it.

[Matt]'s next steps are taking the decrypted image and building new firmware for the embedded controller that will allow him to charge his off-brand battery, and probably every other battery on the planet. As far as interesting mods go, this is right at the top, soon to be overshadowed by a few dozen comments complaining about DRM in batteries.

61 thoughts on “Unlocking Thinkpad Batteries”

  1. This type of BS is just the thing that made me stop getting Lenovos after being a loyal ThinkPad customer since the late 90s. Let's not forget the BIOS lockdown and slipping quality. Way to go Lenovo!

    1. I feel companies like Lenovo are quite often very bad at communicating the reasons for these actions.
      For example: The BIOS lockdown many manufacturers choose to use is actually forced on them by FCC regulations (and similar regulations in most countries). Not just the wifi adapter but the combination of adapter and antenna needs to be certified. Because of this, adapters for which the manufacturer has a certification in combination with the antenna are whitelisted, the others won't work unless you perform a (rather easy) BIOS patch.

      As for the batteries: Li-* batteries are incendiary bombs, plain and simple. When a consumer buys a cheap Chinese battery and his house burns down because the laptop caught fire, it’s going to be Lenovo who is blamed by the media. Lenovo who is sued and Lenovo who needs to prove the burned remains actually contained an aftermarket battery.

      If these companies were really evil: Why aren’t the memory cards locked? Why am I able to replace my hdd with a random ssd? Why can I replace my dvd drive with a secondary hdd? Why isn’t everything in my laptop glued down? Why don’t they use pentalobe screws?

          1. I know, right? I mean it's not like they're going to DRM everything, like kitty litter, coffee, cars (tractors), printer ink (or filament for the 3D kind), “anti-aging” (LOL!) light masks… That'd be silly!

            http://hackaday.com/2015/01/19/cracking-litter-box-drm/
            http://hackaday.com/2014/12/16/drm_protection_removed_for_coffee/
            http://hackaday.com/2015/05/12/ask-hackaday-fixing-your-tractor-could-land-you-behind-bars/
            http://hackaday.com/2014/04/10/resetting-drm-on-3d-printer-filament/
            http://hackaday.com/2015/03/16/beating-drm-to-extend-the-life-of-an-anti-ageing-therapy-light-mask/

            “Just because you’re paranoid, doesn’t mean they aren’t after you.”

          2. Hardly, if consumers stand for these sorts of things companies will do them. Do you think Apple prefers you to go to a third party repair shop or to an Apple store? If we allow companies to lock down our hardware they will do it. And besides, this is Hackaday, isn't it supposed to be about making our hardware do what we want it to do instead of what the manufacturers let us do with it?

        1. The latest versions of USB-C spec have controllers in the cable itself, because someone decided that telling which way it goes in is hard and time-consuming – and apparently the cable needs active components to figure it out on its own and switch the signals. [Benson Leung] already had his laptop fried by a cheaply made cable.

          1. I have a hard time believing that you seriously think having a rotationally symmetrical plug that isn’t reversible is a good design.

            In any case, marginally higher cost for cables is literally the only downside for USB C over A, B, mini, or micro. It’s not even that big a cost difference. We’re only having problems now because the first smartphone on the market with a C port used a dumbshit non-standard implementation that cable makers proceeded to clone rather than paying attention to the actual spec.

        2. Some even do the printer cartridge trick. They count how long they’ve charged for and after a preset number of hours they die. Even if the batteries inside are fine, the controller says, no, sorry I can’t let you do that Dave.

      1. “If these companies were really evil: Why aren’t the memory cards locked? Why am I able to replace my hdd with a random ssd? Why can I replace my dvd drive with a secondary hdd? Why isn’t everything in my laptop glued down? Why don’t they use pentalobe screws?”

        Funny, the iMac actually checks almost all of those boxes… Replacing the HDD/SSD with a non-Apple device causes the fan control circuitry to stop working and pushes the fans to 100% constantly (which causes the proprietary fans to break faster). The DVD drive is a proprietary shape, so a normal HDD wouldn't even fit in the slot properly, assuming that you get past the firmware restrictions for the SATA port. Pretty much everything inside the thing is glued to the display panel and everything else is affixed using those idiotic pentalobe screws…

        I have to service a bunch of those damn things; I've been volunteering my time to run IT for a small school. We needed new machines, so some 1% d-bag stepped in and donated a couple million for our IT budget, but specified that the machines must be from Apple. So now our network is twice as big and staff still have to use the fleet of P4 machines we had because the grading and student management software only runs on Windows. I'm just glad that I still have my pile of dual P3-Xeon boxes the local big corporation donated to us; they donated 240 of the things, I managed to assemble 120 with 2x 1.3 GHz chips, 4 GB RAM, 2x 10/100 NICs, and a pair of 72 GB disks, while a couple of the machines got 2x 14-bay storage arrays attached, filled with 300 GB disks in a RAID-6. I have enough spare parts to run the machines until the end of time and the power company gives us electricity for free, so until OpenBSD stops supporting the things, I can hold out until we find a benefactor that doesn't want me to replace real servers with trashcans.

    2. Why are laptop batteries not designed with a new, more useful setup? For instance like a USB Type-C device, so I can remove my laptop battery and connect it to a phone or charge it by USB-C. Most laptop batteries use 18650 cells, tons of tape and glue as well as thermistors. The charging circuit may as well be a TP4056. Then I could just mix and match hardware. I'm tired of proprietary BS and 90s printer cartridge style lockdown of what I buy.

      1. Probably because there are close to no 3.7 V batteries, which rules out USB charging, and most of them are multi-cell, which requires a special PCB. Now, charging a phone from them is cool, but not the most practical in the age of cheap powerbanks, which are more practical.

  2. One has to wonder if there is market research that shows that the loss of goodwill is offset by the gains from this sort of anti-consumer tactic, like chipping otherwise generic parts, bricking devices with non-OEM repairs and so on?

    1. By the time people need a new battery, the amount of brand-steering they do is probably not that important to companies. (My experience is that finding a reputable supplier even for supposedly OEM batteries has become increasingly difficult. Or perhaps I just read too many negative reviews.)

    2. I can assure you it is self-defeating in the long run, like every other method adopted by Big Business. It bumps up the bottom line for a couple of quarters, until more layoffs/closures/outsourcing can happen to maintain the unreasonable growth expectations. This is, of course, unsustainable as the actual capital of the company is just turned into cash holdings which are funnelled into off-shore accounts until there are no tangible assets left, and the company can be carved up and sold off in pieces.

    3. I think these companies look at it through the eyes of the average consumer. The average consumer would buy the cheapest battery they could find, and then be upset at their Thinkpad because the battery dies so quickly. This methodology provides a positive experience for those people, who see the message and simply think ‘oops, I bought the wrong battery, better return it and get the correct one.’ Thus ensuring they have a positive experience with their brand. It only generates negative feelings in technical people, who know they bought an off-brand battery, and expect the computer to just do as it's told.

      So they may not be trying to brand lock us, just control how we think and feel.

      I’m not sure that’s better.

      1. It’s not just this item, obviously chipping cartridges in printers for example, is right in the face of all but the stupidest of consumers, everybody understands very clearly what is being done and why. I’m not so sure that they wouldn’t understand with batteries either, or having their phone bricked at an update. Some of this has been subtle it’s true, and most wouldn’t make the connection, but the two components I just mentioned are well within broader understanding.

      2. These cheap batteries, in most cases, can hold longer than the genuine ones. Look at the DELL batteries which are bricked few weeks after warranty (at 98% nominal capacity of all cells). Even my genuine Acer battery seems to work in 4.11-3.95V (+-0.01V) per cell range, instead of 4.2-3.0, giving me only 15 minutes (isn’t it bricked ?).

        1. I think this is less about forcing people to buy expensive batteries but about avoiding liability. The average person has no clue, buys a cheapo battery, the battery catches fire and burns the house down. The average Joe promptly sues.

          Considering the amount of lithium batteries in consumer electronics catching fire, exploding and what not in the recent years, it would be difficult to blame them for doing this. It is a corporate CYA, nothing more, really.

          Comparing it with chipped printer inks or filaments is not really apples to apples comparison – if you buy random cheapo ink or filament, in the worst case it will ruin your print. Nobody is going to sue over that. But people did lose homes because of cheapo batteries.

          1. +1 … You “get it” !

            The question of the day is: Would you want to have a counterfeit battery left in the bedroom, charging, in the home of your loved one ?

          2. That's why you have a battery controller that protects from overvoltage, overcurrent, undervoltage, undercurrent and overheating. It also balances cells and keeps them happy. But to keep the company happy, the battery is programmed for a limited number of cycles (500 for example), even if the cells will last 1000 cycles without change in capacity…
            Imagine car industry doing this by making ECU programmed to decrease top speed by 0,1% every time you start your car, until you end up with top speed of 20mph. And they charge you to replace perfectly good engine “for safety”…

          3. @Deep Space Seven
            Not all 3rd party batteries are counterfeit. You know a counterfeit product is one with a logo and/or brand that was not produced by or with permission from the brand owner, don't you? A battery that fits in place of the original battery is not counterfeit just because it's compatible. And not just batteries.

          4. I tend to agree with J on this one. Whose interest is it to make you think of anything that is merely compatible as being counterfeit? When did that line move so close?

        2. My HP battery died after little bit over 2 years.
          The ebay battery I replaced it with has lasted over 4 years, and while capacity is down, it’s still going strong.

          Planned obsolescence at its best.

          Funny enough, it complained for a few startups that it was a non-original battery, but kept its proverbial mouth shut after the third time.
          That’s how it should be done instead of “average customer is a bumbling idiot, let’s nanny nag them to death”.

      3. They can do that without preventing the battery from functioning. They could have a “press F1 to continue” thing, or a setting in the BIOS to override. That way, lusers will still do the “right thing”, and power users can do whatever after agreeing to a disclaimer.

  3. The idea of replacing cells in the old battery is not as good as it seems. There is an EEPROM inside that keeps count of how many times the battery was charged and discharged, tracks condition, etc. So if you put in new cells the controller still thinks it's the old battery and it may refuse to work correctly. Maybe this could be fixed via SMBus by uploading the new battery's EEPROM contents into the old one.
    I once had a problem with Lenovo/IBM: after updating the power management drivers the battery stopped working. The driver just displays a message that the battery is bad and should be replaced. It probably decided that based on the number of cycles. It even “bricked” it in some way, setting the flag “I am dead” in the EEPROM so the battery wouldn't work with older drivers or in laptops that didn't have that newer PM driver.
    Luckily I had another one and replaced it, disassembled the “old” one, and found out that the cells are still quite usable, maybe at about half capacity, but that only means that the battery wouldn't last for 4 hours but 1-2, still good enough for me. It wasn't overheating. But the driver decided that I shouldn't use it and bricked it in some way. Pretty nasty business.

    1. I disassembled many batteries, and in most cases cells are not dead at all. Just charge controller counted too many cycles and arbitrarily decided that battery has 10% of capacity. It can be fixed in some cases, in other it’s not so easy. Newer battery controllers use internal flash memory to store all values, and one can’t access it without password. For other chips available datasheets won’t show memory map and meanings of “magic numbers”, because of NDA. Still in other cases the only way to edit external EEPROM is to dismantle the entire battery and directly tap into chip. And it’s true that most batteries can’t be reassembled. My best suggestion: avoid laptops and netbooks.

      I’m currently working on small project: turning a battery controller and some cells into a powerbank that could be charged by laptop charger. Maybe with added microcontroller that would reset the EEPROM on demand…

  4. Honors to [zmatt] as his work is DAMN important! OEMs are now moving toward the integrated battery tech as a business model.

    No wonder Jobs was buried in an undisclosed location. I'd like to drive a few hundred wooden stakes into his heart.

    1. I believe it was on HaD I read several years ago about the ability to store a virus in the processor of a Sony laptop battery. Scrubbing/replacing the hard drive, of course, had no effect on getting rid of it.

  5. “Most recent laptop batteries have an integrated controller…”
    Say what? I had a 386 laptop (by now it would be over 20 years old) with a greyscale screen that had a managed battery; you simply need to know how much energy resides in it to avoid a hard shutdown when it finally discharges completely…
    That need has been there for pretty much all x86 compatible laptops and even before, and was the cause why you couldn't just replace the cells in most packs…
    Pack “DRM” is just a logical step (can't really say forward, more like backwards), since there already is a fairly complicated device in it which is crucial to its operation. Most manufacturers will welcome ways to keep OEMs out of the spare parts circle…

    1. Considering that many devices (even laptops!) don’t even have a user replaceable battery in the first place and an average person would have to rely on a service anyway, I don’t see this as that big deal. It is certainly not nice for us who like to repair and not throw away stuff, but I think it is more about avoiding liability because of the Li-ion fires. The “DRM” aspect is a pretty minor thing in that respect, IMO.

  6. liability?!
    would you sue, say lenovo, for swapping the battery with an aftermarket one after the house has burned down?
    are consumers really that stupid?
    if you ask me they are, as they keep paying for everything and never considering their rights.
    Big Business always tells that they do what they do just for your safety, relax Joe !!!

    1. I wouldn’t. But I know my neighbours would.

      Imagine average Joe goes to his local computer store because his laptop “doesn’t work after half an hour”. The store will order him a new battery which is due to come in in about 3 weeks. That’ll be $139 including installation (clicking it in place).

      2 months later Joe is luckily woken by his fire alarm. His house is ruined and the fire department tells him the fire started with his laptop. A local TV crew comes by, takes some footage of the laptop and shows the manufacturer's name is just visible. “LENOVO”.

      Now, who do you think is blamed? Lenovo? Or the Chinese manufacturer of the off-brand battery, manufactured by children with whatever parts were cheapest on the local Shenzhen market? Joe doesn't even know the shop screwed him over.

      This isn’t even a case of liability, it’s pure public relations.

      1. I'm sorry, here in Europe if a house burns down there's some investigation before telling the television crew where the monster that killed bunnies was..
        Btw your house is at high risk just because of Samsung original batteries, or cheap Chinese chargers that are being sold everywhere; even Apple's LiPo bags go frenzy and inflate…
        https://goo.gl/Q4gpxH
        they use paranoia attacks to achieve the worried customers and sell you infinite (imo useless) protections; just notice medium laptop prices how they evolved since say Sandy Bridge..
        Plus I don’t want to pay for Joe’s incapacity. :)

      2. When joe’s house burns down and they say “did you replace the battery with a cheap dangerous one?”, he’s not going to say “yes because I’m a cheapskate and don’t care about my family”, is he? He’s going to claim it was genuine. And he’ll tell the same to the insurance company…

    1. You never had a Dell.

      I have a Dell Inspiron laptop with a three pin socket sneakily disguised as a two pin. One day, my puppy chewed my cord. I attempted a fix (not realizing the cable had a single separate strand down the center). While I could feed power to the laptop, it refused to charge and ran at reduced speed. Fed up, I ordered a new power supply direct from Dell for too much money. It worked great for some months when it failed. Same thing, refused to charge and ran at reduced speed.

      A bit of Googling and I find out that the center pin was actually for DRM and the barrel jack carried the polarity. The DRM was a single strand down the center. Once that one strand breaks the Laptop can’t negotiate with the DRM.

      Miffed at spending another three digits (price went up!) and leery of the cheap Chinese clones, I searched Google. I eventually found a PIC hex file online to emulate the function but the author couldn't be bothered with the source code. Wasn't in much of a mood to reverse engineer this crap. I wanted my laptop back.

      I went back to the dog chewed PSU, traced the leads until I found the DRM EEPROM and transplanted it along with the supporting circuitry directly into my laptop. DRM crap quickly sidestepped.

      1. The Dell PSUs use a 1-Wire ROM to communicate their power specification to the laptop. Others have identified that it carries the max wattage, the voltage and the max current of the PSU together with the PSU serial number. Given the potential failure modes of an overloaded PSU, I’m not sure I’d call that DRM crap. You could have read the data out of the ROM still on the PSU and written it to a DS2431 or similar 1-Wire EEPROM.

        If it were DRM, I would expect to see a crypto challenge to ensure that the charger was in possession of a shared secret before accepting communications. The Dell case is simply informational, rather than DRM.

        Having played with various phone batteries, it is surprising how many third party batteries don’t come with /any/ kind of battery protection circuitry, even when manufacturer’s original batteries do – especially when contacts are exposed. I can see why manufacturers might not want to support third party batteries on their devices, given there’s plenty of third party manufacturers who frankly don’t give a toss if their battery starts a fire.

  7. Considering the brainpower here, I have a simple question for everyone, a little off the article – Do you think they will ever get to a point where the battery is replaced altogether by a super capacitor with some sort of capacitive gel? Maybe bypassing the whole charge cycling limitation business, or simplifying the process in itself? I’m serious by the way.

    1. Eventually, we will solve energy storage. Might be something like a capacitor, might be something like a battery, might be a superconducting inductor or a fuel cell or a tiny engine or who knows what.

      But that’s probably way off in the future. I think cap-powered laptops exist, but we have no reason to think they’ll last more than a few tens of minutes on a charge, anytime in the near future.

      So, yes, but speculating is all but useless.

  8. A couple of days ago my mother’s Nobis NB7850 S tablet was perfectly fine. She had used it then laid it on a table. The next day she found it split open, the battery inflated. Fortunately this tablet has a pretty hefty aluminum back plate so the table was saved from the heat.

    I finished removing the back, cut the battery wires to different lengths (shorting protection) then used a nylon spatula shaped tool to carefully finish prying the bloated battery off the front of the tablet. I plugged in my phone charger to the USB port and the tablet booted up.

    Looks like I’m going to have to see if I can call a human at bidwell to see if they’ll do anything about this.

  9. IBM has been at this battery bricking thing a long time. Used to be a couple of the contacts were used for a charge counter and unbricking it was as simple as covering those two contacts with a piece of tape. The laptop couldn't monitor the charge level to know when it was at an alarm/shutdown point, but laptops didn't have (or need) very sophisticated charge controllers for NiMH batteries.

  10. Thumbs up those who have a genuine Lenovo battery which is recognized as “non-genuine”.

    One more thing – 3400mAh cells have been on the market for what, 8 years already? Why do they keep putting 2600mAh cells inside? All the vendors do. What's so wrong if a user suddenly gets +25% capacity for the same weight and is keen on paying for this?

    Within lenovo battery (which cannot be disassembled w/o damaging its case, because its a welded plastic) there is:
    bq29330 charge controller
    bq80300 EEPROM

  11. I replaced a battery in an X201 with a cheap replacement battery. It worked well for over a year, until it set itself on fire while charging. I actually filmed it after I put a fire blanket over it and had already called the firemen. Everything ended OK; I had to have a part of the living room floor replaced and do a lot of cleaning. After that experience, I'm much more careful about batteries. I'm done with cheap Chinese batteries, and would consider buying an OEM battery, even though the price is high (perhaps too high). Don't buy a replacement from eBay; if there are good replacement batteries from reputable companies with non-Chinese no-brand cells, then I would consider it. RC batteries etc. have all been moved to a shed.

  12. The range and amount of knowledge that went into this hack is completely mind-blowing. Various architectures, disassembling, assembling, debugging on software side, hardware side, sniffing, cracking, understanding, cryptography… holy shit.
