The 18650 cell has become a ubiquitous standard in the lithium battery world. From power drills to early Tesla vehicles, these compact cells power all manner of portable devices. A particularly common use is in laptop batteries, where they’re often built into a pack using the Smart Battery System. This creates a smart battery that can communicate and report on its own status. PackProbe is a software tool built to communicate with these batteries, and you might just find it comes in handy.
The code runs on the WiFi-enabled Arduino Yún by default, but can be easily modified to suit other Arduino platforms. Communicating over SMBus using the Arduino’s I2C hardware, it’s capable of working with the vast majority of laptop batteries out there which comply with the Smart Battery System. With that standard being minted in 1994, it’s spread far and wide these days.
It’s a great way to harvest not only the specifications and manufacturing details of your laptop battery pack, but also to check on the health of the battery. This can give a clear idea over whether the battery is still usable, as well as whether the cells are worth harvesting for those in the recycling business.
You’ve no doubt heard about the “hardware implants” which were supposedly found on some server motherboards, which has led to all sorts of hand-wringing online. There’s no end of debate about the capabilities of such devices, how large they would need to be, and quite frankly, if they even exist to begin with. We’re through the looking-glass now, and there’s understandably a mad rush to learn as much as possible about the threat these types of devices represent.
[Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.
One of the most obvious attack vectors for hardware implants is what’s known as the Baseboard Management Controller (BMC). This is a chip used on modern motherboards to allow for remote control and monitoring of the system’s hardware, and promises to be a ripe target for attackers. There are a few sideband channels which can be used by the BMC chip to talk to other chips. To keep things simple [Nicolas] focused on the older I2C-derived SMBus (rather than the newer and more complex NC-SI), demonstrating what can be done once you have control of that bus.
Only problem was, he didn’t have a motherboard with a BMC to experiment with. After a little research, the answer came in the form of the Intel EXPI9301CTBLK network card, which features the 82574L SMBus chip. This allows for experimenting with a subset of SMBus functionality on any machine with a PCI-E slot. Even better, the card has an SMBus header on the top to plug into. [Nicolas] describes in detail how he enabled the SMBus interface by modifying the card’s EEPROM, which then allowed him to detect it with his HydraBus.
With the hardware setup, the rest of the write-up focuses on what you can do with direct control of SMBus on the network card. [Nicolas] demonstrates not only creating and sending Ethernet packets, but also intercepting an incoming packet. In both cases, a running instance of tcpdump on the host computer fails to see the packets even exist.
He goes on to explain that since SMBus is very similar to I2C and only requires four wires, the techniques shown could easily be moved from the Hydrabus dev board used in the demo, to a small microcontroller like the ATtiny85. But you would still need to find a way to add that microcontroller directly onto the network card without it being obvious to the casual observer.
It’s not something you often give a lot of thought to, but the modern consumer laptop battery is a pretty advanced piece of technology. Not only does it pack several dozen watt-hours of energy into a relatively small and lightweight package, but it features integrated diagnostic capability to make sure all those temperamental lithium cells are kept in check. Widely available and extremely cheap thanks to the economies of scale (unless you try to get them from the OEM, anyway), they’re a very compelling option for powering your projects.
Of course, it also helps if, like [teliot] you have a bunch of the things lying around. For reasons we won’t get into, he’s got a whole mess of Acer AL12x32 battery packs which he wanted to use for something other than collecting dust. He had the idea of hooking one up to a solar panel and using it as a power supply for some ESP8266 projects but wanted to be able to talk to the battery for status and diagnostic information. After studying the Smart Battery System (SBS) protocol the batteries use, he was able to come up with some code that lets him pull 37 separate fields of information from the pack’s onboard electronics using his ESP8266.
It took some fiddling with a multimeter to figure out which pin did what on the eight pin interface of the battery. Two of the pins need to be shorted to enable the dual 12 VDC pins to kick in. Technically that’s all you really need to do if you want to utilize the battery in a low-tech sort of way. But to actually get some information from the battery, [teliot] had to identify the two pins which are for the System Management Bus (SMBus) interface where the SBS data lives.
Once he knew which pins to talk to the battery on, the rest was fairly easy. SBS is well documented, and the SMBus interface is very similar to I2C. Like all the cool kids are doing these days, his code publishes the battery info to MQTT where he can plot it and get finely grained info on the performance of his solar power system.
A few months ago, [Matt] realized he needed another battery for his Thinkpad X230T. The original battery would barely last 10 minutes, and he wanted a battery that would last an entire plane flight. When his new battery arrived, he installed it only to find a disturbing message displayed during startup: “The system does not support batteries that are not genuine Lenovo-made or authorized.” The battery was chipped, and now [Matt] had to figure out a way around this.
Most recent laptop batteries have an integrated controller that implements the Smart Battery Specification (SBS) over the SMBus, an I2C-like protocol with data and clock pins right on the battery connector. After connecting a USBee logic analyser to the relevant pins, [Matt] found the battery didn’t report itself correctly to the Thinkpad’s battery controller.
With the problem clearly defined, [Matt] had a few options open to him. The first was opening both batteries, and replacing the cells in the old (genuine) battery with the cells in the newer (not genuine) battery. If you’ve ever taken apart a laptop battery, you’ll know this is the worst choice. There are fiddly bits of plastic and glue, and if you’re lucky enough to get the battery apart in a reasonably clean matter, you’re not going to get it back together again. The second option was modifying the firmware on the non-genuine battery. [Charlie Miller] has done a bit of research on this, but none of the standard SBS commands would work on the non-genuine battery, meaning [Matt] would need to take the battery apart to see what’s inside. The third option is an embedded controller that taps into the SMBus on the charger connector, but according to [Matt], adding extra electronics to a laptop isn’t ideal. The last option is modifying the Thinkpad’s embedded controller firmware. This last option is the one he went with.
There’s an exceptionally large community dedicated to Thinkpad firmware hacks, reverse engineering, and generally turning Thinkpads into the best machines they can be. With the schematics for his laptop in hand, [Matt] found the embedded controller responsible for battery charging, and after taking a few educated guesses had some success. He ran into problems, though, when he discovered some strangely encrypted code in the software image. A few Russian developers had run into the same problem, and by wiring up a JTAG to the embedded controller chip, this dev had a fully decrypted Flash image of whatever was on this chip.
[Matt]’s next steps are taking the encrypted image and building new firmware for the embedded controller that will allow him to charge is off-brand, and probably every other battery on the planet. As far as interesting mods go, this is right at the top, soon to be overshadowed by a few dozen comments complaining about DRM in batteries.