Tour de Force Battery Hacking

Lithium-Ion batteries are finicky little beasts. They can’t be overcharged, overdischarged, overheated, or even looked at funny without bursting into flames. Inside any laptop battery pack, a battery charge controller keeps watch over all the little cells, and prevents them from getting damaged.

Of course, any “smart” device will sometimes make the wrong choices, and then it’s up to us to dig inside its brains and fix it. When [Viktor] got a perfectly good battery pack with a controller that refused to charge the batteries, he started off on what would become an epic journey into battery controllers, and the result is not just a fixed battery, but a controller-reprogramming tool, software, and three reversed controller chips so far.

devbBattery controller chips speak SMBus, and [Viktor] started out by building a USB-SMBus tool. It’s a clever use of a cheap eBay development board for a Cypress CY7C68013A USB microcontroller. Flashed with [Viktor]’s firmware and running his software on the host computer, a SMBus scan is child’s play.

The rest of the story is good old-fashioned hacking: looking for datasheets, reading industry powerpoints, taking wild guesses, googling for passwords, and toggling the no-connect pins while booting the controllers up. We’re not going to argue with results: the bq8030, R2J240, and M37512 controllers have all given up their secrets, and tools to program them have been integrated into [Viktor]’s SMBusb tool.

In short, this is one of the nicest hard-core hacks we’ve seen in a while. Kudos [Viktor]! And thanks for the SMBus tool.

22 thoughts on “Tour de Force Battery Hacking

  1. I have lots of old laptop batteries that have 18550 cells (or are they 16550).

    I made an adapter that will plug into my laptop and connect to various batteries and downloaded an application that reads data from the battery like the wear leval etc.

    Not a hack lol but I thought I would mention that the software is out there.

    I still haven’t used any of them yet. I don’t like explosions! I am being lazy and waiting for ‘someone else’ to design a charge / buck boost module.

    1. I’m actually making one to go into an old laptop chassis. Biggest problem so far, was convincing the battery to charge. I had to sniff the smbus on a laptop with the same battery to get the value written to the undocumented vendor register.

      1. And the earlier chip didn’t have the higher baud rates of the 16550.

        What was the earlier chip? I seem to remember something like 1388.

        I remember the first FDC chips were FDC765 or something 765. But they could only do 5-1/4″ disks.

        Maybe I was thinking of the later FDC chips – 3765 ?

    2. i tend to repurpose used cells. most of the time i run them with no safety features at all and ive yet to see one burst into flames. mostly been using 2 cell packs, balanced with a hobby grade balance charger. but then i started building a pi tablet, with its assortment of gear, i noticed the dollar value was getting a little bit high to trust the innards to a dumb battery pack. it did have a ‘safety feature’ where the ubec would be unable to produce 5v long before the batteries got to their minimum discharge voltage, and the touchscreen would be the first thing to stop working (good job rpi foundation for using a 5v touchscreen controller ic on a 3v3 device). and this means the battery life leaves something to be desired.

      so i dropped some cash on a protection+balance circuit, and a charger board. going to bring it up to 3 cells so i can get down to full discharge before the ubec stops working. and il be able to charge it without shutting it down as well as run it off the wall if i need to (compiling).

  2. I bought a very cheap laptop replacement battery a couple of years ago.

    The controller’s is so buggy it’s not even funny. The “gauge” reported to Windows gets stuck randomly (or comms is completely broken, not sure) which a reboot might solve. If you’re not aware and just let it sit, it will deplete the battery waaay too much, hitting lvc in the controller making it impossible to charge that way. I use two resistors in the contact and a RC-charger to gently bring the pack back to life. Hacking this battery would not just be fun, but very useful.

    Problem is I’m guessing it has a very non-standard controller… But I will check it out I think. I happen to have a cypress board too, unused!

      1. It is not the question of LiIon batteries – they do not contain nitroglycerin :-)
        It is the question of buggy cgharge controllers. I have the same problem: Replacement battery for a Gericom Laptop from China. Not even really cheap. The main reason to buy it was, that most offered original packs were of the same build date as the Laptop itself. But I will not buy a 7 year old Battery pack.

        It stops charging every 1-2% of capacity and you have to disconnect/reconnect the PSU to continue charging. This quite some wear for the DC-plug! I also used a mains timer switch set to 15min on/15min off (the fastest cycle). When you manage to charge the pack then it runs the Laptop fine.
        I even sent it back to the vendor in china for warranty replacement once, but the new one was not really better and I had to pay for the shipping.

        1. I mean never buy cheap battery packs (i.e. with controllers). Because I am assuming that no one (which is not very expert) will buy a chinese battery (bad thing) with no controller.

          IMHO:
          – Buy quality battery packs
          – Buy quality Li-Ion cells when you build a battery pack
          – If you build a battery pack, you shall be an expert in the subject

          It is possible to make a perfect controller even if you are not an expert, but when something went wrong due to any failure, like a bug in the firmware, wrong capacitor’s dielectric choice ecc, you have an explosive thing. Even professionals fail, like some phones, tablet, laptops manufacturer. Sometimes in entire batches, sometimes on some parts of some users, due to tolerances that weren’t considered dusing the design. Sometime due to cell manufacturer.

    1. One thing I’ve thought of doing (this probably already exists) is just making the battery controller external and having it power the laptop through the power jack. I could still store some batteries in the laptop where they normally go, and leave a connector for additional external batteries, say all those RC batteries I have lying around.

      If no luck with that spare board, perhaps that would work.

  3. Haven’t read the article yet, but the summary reminded me of this guy’s hack of a bq20z65 to reset the cycle count. He used TI’s own USB-to-smbus bridge with their BQEASY software. I was amazed those tools are so freely available. I’ve been thinking about picking up one of the bridges (around $90 off eBay) but I wasn’t sure it supported the controller I wanted to hack. Sounds like this hack is a better way to go if I want to hack multiple controllers. (Plus I already have one of those fx2 dev boards!)
    http://transistor-man.com/armor_x7_battery_upgrade.html

  4. Just a bit of a PSA, if anyone wants 18650 cells cheapish and NOW, some of the dollar stores have had $3 cell battery backup chargers* that have an 18650 in.

    Now this is the TYPE of case used on those I have personally confirmed.. https://www.amazon.com/Digital-Energy-2600mah-Portable-Battery/dp/B00MNYCR2A/ref=pd_sim_sbs_86_3?ie=UTF8&psc=1&refRID=N40KZPZF8FRY17EG0EW9 but beware that some on amazon are empty case only, no 18650 in. With only a single review on this unit, I don’t know whether you should chance that it does include one.

    I have also seen them in convenience stores, gas stations etc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s