Hacking The Bluetooth-Enabled Anker Prime Power Bank

Selling power banks these days isn’t easy, as you can only stretch the reasonable limits of capacity and output wattage so far. Fortunately there is now a new game in town, with ‘smart’ power banks, like the Anker one that [Aaron Christophel] recently purchased for reverse-engineering. It features Bluetooth (BLE), a ‘smart app’ and a rather fancy screen on the front with quite a bit of information. This also means that there’s a lot to hack here beyond basic battery management system (BMS) features.

As detailed on the GitHub project page, after you get past the glue-and-plastic-clip top, you will find inside a PCB with a GD32F303 MCU, a Telink TLSR8253 BLE IC and the 240×240 ST7789 LCD in addition to a few other ICs to handle BMS functions, RTC and such. Before firmware version 1.6.2 you can simply overwrite the firmware, but Anker added a signature check to later firmware updates.
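To make the signature check concrete, here is an added example of what such a check looks like on the device side. It is example code written for this write-up, not Anker's firmware and not part of [Aaron Christophel]'s project; the image layout (a `FWIM` magic, a version and length header, an Ed25519 signature over header plus payload) is an assumption chosen for the demo and says nothing about Anker's actual format. The point it illustrates is the one the article raises: with the check in place, an image that is not signed by the vendor key is rejected before a single byte reaches flash, which is what stops a random BLE peer from pushing arbitrary firmware.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (constructed for this example, NOT Anker's format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The Ed25519 signature covers everything before it (header + payload).
const (
	magic  = "FWIM"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("signature check failed: image rejected")
)

// buildImage produces a signed image, i.e. what a vendor build server would emit.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// verifyImage is the check the device runs before writing anything to flash.
// It returns the version and payload only when the signature validates
// against the vendor public key baked into the device.
func verifyImage(pub ed25519.PublicKey, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[0:4]) != magic {
		return 0, nil, ErrFormat
	}
	plen := binary.BigEndian.Uint32(img[8:12])
	// Length field must agree with the actual image size; otherwise the
	// signature would be computed over the wrong span.
	if uint64(len(img)) != uint64(hdrLen)+uint64(plen)+uint64(sigLen) {
		return 0, nil, ErrFormat
	}
	signed := img[:hdrLen+plen]
	sig := img[hdrLen+plen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	return binary.BigEndian.Uint32(img[4:8]), signed[hdrLen:], nil
}

// demo exercises the verifier with a genuine image, a tampered copy, and an
// image signed by a key that is not the vendor's. Keys are generated on the fly.
func demo() (genuineOK, tamperedRejected, wrongKeyRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample payload, not real firmware.
	payload := []byte("constructed firmware payload v1.6.2")
	img := buildImage(vendorPriv, 0x010602, payload)

	ver, got, verr := verifyImage(vendorPub, img)
	genuineOK = verr == nil && ver == 0x010602 && bytes.Equal(got, payload)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen+3] ^= 0x01 // flip one bit inside the payload
	_, _, verr = verifyImage(vendorPub, tampered)
	tamperedRejected = errors.Is(verr, ErrSignature)

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, _, verr = verifyImage(vendorPub, buildImage(otherPriv, 0x010603, payload))
	wrongKeyRejected = errors.Is(verr, ErrSignature)
	return genuineOK, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	ok, tampered, wrong, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, wrong key rejected: %v\n", ok, tampered, wrong)
}
```

The verifier checks the length field before trusting it and refuses the image on any mismatch, so a truncated or padded transfer over BLE fails closed rather than being interpreted as a shorter signed span. The only secret involved is the vendor's private key; the device holds just the public half, which is why a firmware dump does not help an attacker forge updates.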

The BLE feature is used to communicate with the Anker app, which the official product page advertises as being good for real-time stats, smart charging and finding the power bank by making a loud noise. [Aaron] already reverse-engineered the protocol and offers his own alternative on the project page. Naturally updating the firmware is usually also done via BLE.

Although the BLE and mobile app feature is decidedly a gimmick, hacking it could enable some interesting UPS-like and other features. We just hope that the battery safety features aren’t defined solely in software, lest these power banks be compromised by a nefarious or improper firmware update.

35 thoughts on “Hacking The Bluetooth-Enabled Anker Prime Power Bank”

  1. “added a signature check to later firmware updates”

    Thanks Maya! Sometimes a news item is extremely informative about which companies to avoid. I’m also pointing at a certain 3D-printer company. Rossmann was right.

    1. I wouldn’t say a signature for a firmware update is a bad thing, I wouldn’t want anyone with a bluetooth device to be able to change the firmware on my large lithium battery pack. That said, I’d want to be able to override that lock out when I’m actually holding the device, or when I’m the device’s registered admin user or something.

      1. If someone somehow figures out a way to easily modify a specific (and dangerous) product like a power bank to release some funny smoke on a flight, that product would be banned from flights worldwide in no time.

        1. Okay I didn’t intend to explode my own comment and I cannot possibly reply to all. My assumptions are: If implemented correctly, bluetooth is encrypted and pairing requires user approval. So hackers getting in is unreasonable in the scope unless you find the n-th BT 0day (and get rich).

          The other assumption was, that most BMS and batteries have protections, some even in the cells themselves, also on a plane I would assume the imaginary hacker hopefully has a sense of self preservation.

          https://hackaday.com/2017/09/25/diy-lipo-protectors/

          If you’re only doing it in code, you might not be doing it at all.

        2. “…to release some funny smoke on a flight, that product would be banned from flights worldwide in no time.”

          But not the first time a bunch went at once. Also most “security” infrastructure is very laggy about device update problems since there are more than a few layers and randomization would play havoc with tracking it down – I can’t imagine TSA’s handling of this. A simple example of failure are the Nest thermostats that petered out and left people (actually) cold on the whole proposition, though that just killed the batteries and not the users.

      2. That’s the point. If updating the firmware required authentication, specifically your authentication, it wouldn’t need to fail when lacking signature validation.
        Yes, having a signature is fine, it’s the fail to apply without a valid signature that’s the problem.
        It’s done specifically so that your authentication of what firmware to load is prevented, only the manufacturer can do that in your stead, almost by definition against your wishes.

        We know from experience the manufacturer isn’t doing any of this in good faith. That makes it exceptionally difficult to take any devils advocate arguments in good faith either.

        1. You have to see that adding a signature validation is far simpler than adding user authentication. Previously there was no validation, now there is some validation, that is an improvement. If the improvements stop here it’s somewhat of a backwards step for the hacker community and I don’t want that, but nor do I want a load of maliciously hacked batteries in people’s hands, and importantly nor do Anker.
          What we know from experience is that companies will try to earn money up to, and treading the line of, the law, but this isn’t subscribe to charge, this is basic security that we would rightly be criticising Anker for not implementing otherwise.

          1. You have to see that signature validation and acting upon that validation are two different things, right?
            I’d argue that validating the signature and simply displaying the result (yes, it’s from Acme, or no, it isn’t) is simpler than doing that exact same thing plus rejecting the firmware for failing validation.

            I own the thing, it’s my choice what to do with it, not the manufacturers.
            If anyone can cause a firmware update against my will, manufacturer or hacker alike, that’s a huge problem.
            If the manufacturer doesn’t want people to buy (thus own) the thing, they shouldn’t be selling it. If they wish to retain ownership, they can rent the thing out instead. That’s 100% their mistake and frankly not my problem to worry about.

          2. @D

            “validate the signature and simply display the results”
            That doesn’t stop a malicious actor, they’d just press “accept”.

            “If anyone can cause a firmware update against my will, manufacturer or hacker alike, that’s a huge problem.”
            You’re so close to understanding the problem.

            “If the manufacturer doesn’t want people to buy (thus own) the thing, they shouldn’t be selling it”
            I agree that the owner of an item should be able to do what they will with their item, but expecting an item to be user programmable just because part of it is software is nonsense.

        2. I used to agree with you, until I started to work for a company that sells a piece of hardware that, if misused, can cause physical harm to humans. The signature on the firmware is one way for us to try to prevent that from happening, and remove our liability in the eyes of the law. EU Cyber Resilience Act and related legislation.

      1. I remember a time when Ridgid started adding Bluetooth to its power tool batteries. I never did see a real use case for it. And I think Bluetooth is amazing and wonderful tech! But why does it need to be in every product???

        1. I’ve a half dozen tool batteries in my tool box. Being able to check the charge on all of them from an app at the end of the day, and beep / flash the low ones? I’d use that.

          I don’t mind Bluetooth etc. features that are optional – they cost nearly nothing to implement and they have use cases for some people even if that isn’t necessarily me. I hate it when using the app is necessary for basic features.

        2. I have actually used, and enjoy, the Bluetooth Ridgid batteries. Two things that are helpful is the ability to lockout your batteries so randos can’t just walk up and use your tool or battery, and making the battery beep when it’s buried in your car somewhere and you can’t find it. Actually useful features. It will also notify me when the battery is finished charging, so I can toss the next one on.

        3. Some of that was put in to enable theft protection. I don’t know if Home Depot actually rolled it out, but a few years ago it was covered on Hackaday. The idea was your tool won’t work until you activate it, linked with an anti-theft system at retailer. Ridgid at least still has location tracking and theft disable features from the app in some of their tools.

      2. If it’s basically an airtag built into my power pack, which it sounds like it is, I’d consider it useful to me. I’ve at least 4 high capacity power banks in my flat right now, but I can only find one of them.

    1. Nowadays, a bad combination of devices plugged into the outputs can lead to super slow charging. Sometimes a legacy USB-A 5V device pulls down an adjacent USB-C to the same 5V. A quick look at the possible combinations in the datasheet of a modern multi-output charger is nightmare fuel. Thus an indication of the provided power/voltage/current is indeed appreciated; not sure about the BLE part if there is already a perfectly fine display.

  2. That PC board is way more complicated than I would have expected. A discrete MCU+BLE chip solution with LCD for a power bank of all things! I would have expected a much smaller board with a no-marking ASIC which handled everything.
    What utility is the MCU providing? I doubt it’s handling switching/feedback or anything like that.

    1. What useful thingy could one build with the parts?

      For example, a liquid laundry detergent dispenser, that is put into the washing drum and has WiFi access and such.

      And then we could vote for the most stupid IoT product of the year!!!

  3. I’ve lost all trust in Anker after their batteries started giving up after a few recharge cycles and they gave their customers the finger or a 10% discount. Search for “737 won’t charge” on Reddit. I came to realize this when my own battery stopped charging after 34 cycles. Battery health 100% according to the display. $130 in the recycle bin.

    Putting BTE in the battery won’t change quality issues and bad customer service.

    1. If you’re in the EU then you’ve a statutory right to a refund. Maybe in the US too, though you’d need to go to small claims to enforce it

  4. ASICs are cheap to make, but expensive to design… so building an ASIC is only done when the volumes justify it (or the FPGA you’re replacing is that expensive). But FPGAs are easy to update in the field when you first release hardware. Once it’s stable, you go the ASIC route so you can save money, because you still sell the system at the original price and pocket the difference. :-)

  5. For you Bluetooth bashers, I was hesitant to add the app and connect via Bluetooth. This power bank can be used without it. However, once I downloaded the app and connected, there are a lot of very useful features. By default, both USBC ports are BOTH inputs and outputs. In other words, both can be used for giving and receiving a charge. Using both as inputs at same time will make the power bank charge very quickly. If you need to get it charged and go in a hurry, it’s great. If you wish to change the ports so that one is an output only or make other changes, you can. You can change the screen to “theme 2” which allows you to see not only how many watts are coming in and/or going out, but you can also see how many volts and amps are making up those watts. You can give the power bank a name and you can see the internal temperature in both F and C.

    You can see all of the information on your phone screen which is easier to read than from the power bank screen. Once you get old enough to require reading glasses like me, you will appreciate it (I am 56). While receiving a charge, the power bank screen will display the time of day, date and day of the week. This comes in handy for me at times. Using the BT feature will NOT interfere with using BT speakers, headphones or earbuds. I use my BT speakers and headphones while using the BT feature on the power bank all the time with no problem.

    So, while a lot of you might not see the value in all of this, for a man like me who prefers to know all of what’s going on, it’s very helpful. If you really don’t want the BT feature and the benefits therewith, you might want to get the Anker 737. It’s slightly smaller and more basic than 250 watt model.

    1. A custom name would sure be handy if I was charging my Bluetooth power bank from a second Bluetooth power bank. And a calendar, so I know if I’m accidentally charging on a Saturday.

  6. I wish I knew what chip was used for BMS. I’ve been searching for i2c BMS chips and most seem “safe” – some are data out only, others allow switching between certain presets but still have hard voltage limits. So our hypothetical BLE hacker will have a hard time overcharging the batteries.

  7. A powerbank with an app? What in the Louis Rossmann have we got these days ☠️? A powerbank should only provide power and won’t need a stupid app, and that GD32 MCU is probably way too overkill. I have an Anker powerbank with a screen on it but no app and it does its job. No need for Bluetooth or an app. Sure, it’s a niche add-on but not needed. And I can already see in the future that, just like Insta360, they will eventually turn to the dark side and require an app or account to even use the product.

  8. I can modify the FW and deploy it remotely over BLE, so next time you plug it into your phone and unlock the screen, I inject malware into your device and gain access to everything you own.

    1. what’s the attack vector once you’re connected to BLE? I only know BT-stack exploit like BlueBorne and that’s above my skill level. On Android I don’t know of any “rubber ducky” USB HID style attack.
