Reset HP SB03XL battery with BQ30z55 - Can't unseal

[deividAlfa]

Edit: The checksum errors where caused by my Arduino!

• The current issue is FullAccess / Unseal commands not working.
• DJI battery killer app works, so I attached some logic captures showing the differences between the two programs here, to hopefully improve it.

---

Hi! I'm trying to unseal this battery.

First I manually charged the cells in series with 12V @ 500mA, they charged slowly and very well balanced, with less than 50mV between cells.

The SBS is dead unless I apply 12V externally.

I used a small arduino board as USB-I2C bridge. Thanks, @Cleric-K!: #243 (comment)

But, I only received wrong PEC checksum.

I used a logic analyzer to make sure the bus was working, indeed it was! For example:

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 read ManufacturerAccess.Voltages

The captured response frame (Including dev. address) was:

17 0C E4 0E F6 0E 00 00 00 00 4E 1C 8D 31 09

CRC-8-CCITT matches the last crc byte, 09, but the first CRC seems to be wrong or use a different algo.

I bypassed all raise ValueError("Received {} from command {} with wrong PEC checksum" errors, and the output looked quite meaningful:

Opening i2c:1
Serial port COM6 opened
Importing comm_sbs_chips/BQ30z554.py
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.Voltages: 113>}
Query ManufacturerAccess.Voltages: 00 WORD=0x71
Write ManufacturerAccess: CMD=00 WORD=71 00
Raw ManufacturerAccess.Voltages response: 0c e4 0e f6 0e 00 00 00 00 4e 1c 8d 31 09
MA.Voltages:    hex:e40ef60e000000004e1c8d31    struct  Outputs voltage data values
 CellVoltage0:  3812    mV      Cell Voltage 0
 CellVoltage1:  3830    mV      Cell Voltage 1
 CellVoltage2:  0       mV      Cell Voltage 2
 CellVoltage3:  0       mV      Cell Voltage 3
   BATVoltage:  7246    mV      BAT Voltage
  PACKVoltage:  1268500 mV      PACK Voltage

Readings on Cell2, Cell3 and PACK looks strange...
This is a 3S battery, I've manually measured around 3.8V on each cell.

If I remove external power, I have few seconds before the SBS turns off, Pack voltage reads normal in this instant:

Raw ManufacturerAccess.Voltages response: 0c e3 0e f2 0e 00 00 00 00 2a 1c 7b 00 ca
MA.Voltages:    hex:e30ef20e000000002a1c7b00    struct  Outputs voltage data values
 CellVoltage0:  3811    mV      Cell Voltage 0
 CellVoltage1:  3826    mV      Cell Voltage 1
 CellVoltage2:  0       mV      Cell Voltage 2
 CellVoltage3:  0       mV      Cell Voltage 3
   BATVoltage:  7210    mV      BAT Voltage
  PACKVoltage:  12300   mV      PACK Voltage

---

The battery only has 422 cycles, which is not that much!
But no surprise these batteries fail quickly, they don't have balancing circuitry!

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 read CycleCount

Raw CycleCount response: a6 01 d5
CycleCount:     422     cycles  Number of cycles the battery has experienced

---

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 monitor BQStatusBitsMA

Raw ManufacturerAccess.SafetyAlert response: 04 00 00 00 00 ce
MA.SafetyAlert:         0x00000000      bitfields       Safety Alert bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
  OVERCURRENT_CHG_TIER1:        0=Inactive      [OCC1]  Overcurrent in Charge 1st Tier
  OVERCURRENT_CHG_TIER2:        0=Inactive      [OCC2]  Overcurrent in Charge 2nd Tier
  OVERCURRENT_DIS_TIER1:        0=Inactive      [OCD1]  Overcurrent in Discharge 1st Tier
  OVERCURRENT_DIS_TIER2:        0=Inactive      [OCD2]  Overcurrent in Discharge 2nd Tier
           OVERLOAD_DIS:        0=Inactive      [OLD]   Overload in discharge
      SHORT_CIRCUIT_CHG:        0=Inactive      [SCC]   Short circuit in charge
      SHORT_CIRCUIT_DIS:        0=Inactive      [SCD]   Short circuit in discharge
    OVERTEMPERATURE_CHG:        0=Inactive      [OTC]   Overtemperature in charge
    OVERTEMPERATURE_DIS:        0=Inactive      [OTD]   Overtemperature in discharge
     IR_COMPENSATED_CUV:        0=Inactive      [CUVC]  I*R compensated CUV
    FET_OVERTEMPERATURE:        0=Inactive      [OTF]   FET overtemperature
  HOST_WATCHDOG_TIMEOUT:        0=Inactive      [HWD]   SBS Host watchdog timeout
    PRECHARGING_TIMEOUT:        0=Inactive      [PTO]   Pre-charging timeout
 PRECHG_TIMEOUT_SUSPEND:        0=Inactive      [PTOS]  Pre-charging timeout suspend
       CHARGING_TIMEOUT:        0=Inactive      [CTO]   Charging timeout
    CHG_TIMEOUT_SUSPEND:        0=Inactive      [CTOS]  Charging timeout suspend
             OVERCHARGE:        0=Inactive      [OC]    Overcharge
  CHG_CURRENT_ABOVE_REQ:        0=Inactive      [CHGC]  Charging Current higher than requested
  CHG_VOLTAGE_ABOVE_REQ:        0=Inactive      [CHGV]  Charging Voltage higher than requested
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.SafetyStatus: 81>}
Query ManufacturerAccess.SafetyStatus: 00 WORD=0x51
Write ManufacturerAccess: CMD=00 WORD=51 00
Raw ManufacturerAccess.SafetyStatus response: 04 01 00 00 00 d8
MA.SafetyStatus:        0x00000001      bitfields       Safety Status bits
     CELL_UNDERVOLTAGE: 1=Detected      [CUV]   Cell Undervoltage
      CELL_OVERVOLTAGE: 0=Inactive      [COV]   Cell Overvoltage
 OVERCURRENT_CHG_TIER1: 0=Inactive      [OCC1]  Overcurrent in Charge 1st Tier
 OVERCURRENT_CHG_TIER2: 0=Inactive      [OCC2]  Overcurrent in Charge 2nd Tier
 OVERCURRENT_DIS_TIER1: 0=Inactive      [OCD1]  Overcurrent in Discharge 1st Tier
 OVERCURRENT_DIS_TIER2: 0=Inactive      [OCD2]  Overcurrent in Discharge 2nd Tier
          OVERLOAD_DIS: 0=Inactive      [OLD]   Overload in discharge
    OVERLOAD_DIS_LATCH: 0=Inactive      [OLDL]  Overload in discharge latch
     SHORT_CIRCUIT_CHG: 0=Inactive      [SCC]   Short circuit in charge
  SHORT_CIRC_CHG_LATCH: 0=Inactive      [SCCL]  Short circuit in charge latch
     SHORT_CIRCUIT_DIS: 0=Inactive      [SCD]   Short circuit in discharge
  SHORT_CIRC_DIS_LATCH: 0=Inactive      [SCDL]  Short circuit in discharge latch
   OVERTEMPERATURE_CHG: 0=Inactive      [OTC]   Overtemperature in charge
   OVERTEMPERATURE_DIS: 0=Inactive      [OTD]   Overtemperature in discharge
    IR_COMPENSATED_CUV: 0=Inactive      [CUVC]  I*R compensated CUV
   FET_OVERTEMPERATURE: 0=Inactive      [OTF]   FET overtemperature
 HOST_WATCHDOG_TIMEOUT: 0=Inactive      [HWD]   SBS Host watchdog timeout
   PRECHARGING_TIMEOUT: 0=Inactive      [PTO]   Pre-charging timeout
      CHARGING_TIMEOUT: 0=Inactive      [CTO]   Charging timeout
            OVERCHARGE: 0=Inactive      [OC]    Overcharge
 CHG_CURRENT_ABOVE_REQ: 0=Inactive      [CHGC]  Charging Current higher than requested
 CHG_VOLTAGE_ABOVE_REQ: 0=Inactive      [CHGV]  Charging Voltage higher than requested
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.PFAlert: 82>}
Query ManufacturerAccess.PFAlert: 00 WORD=0x52
Write ManufacturerAccess: CMD=00 WORD=52 00
Raw ManufacturerAccess.PFAlert response: 04 00 00 00 00 ce
MA.PFAlert:             0x00000000      bitfields       Permanent Fail Alert bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
      COPPER_DEPOSITION:        0=Inactive      [CUDEP] Copper deposition
        OVERTEMPERATURE:        0=Inactive      [OTCE]  Overtemperature in charge
    OVERTEMPERATURE_FET:        0=Inactive      [OTF]   Overtemperature of FET
         QMAX_IMBALANCE:        0=Inactive      [QIM]   QMAX Imbalance
         CELL_BALANCING:        0=Inactive      [CB]    Cell balancing
         CELL_IMPEDANCE:        0=Inactive      [IMP]   Cell impedance
 CAPACITY_DETERIORATION:        0=Inactive      [CD]    Capacity Deterioration
 VOLTAGE_IMBALANCE_REST:        0=Inactive      [VIMR]  Voltage imbalance at Rest
 VOLTAGE_IMBALANCE_ACTV:        0=Inactive      [VIMA]  Voltage imbalance at Active
             CHARGE_FET:        0=Inactive      [CFETF] Charge FET
          DISCHARGE_FET:        0=Inactive      [DFET]  Discharge FET
             THERMISTOR:        0=Inactive      [THERM] Thermistor
                   FUSE:        0=Inactive      [FUSE]  Fuse
           AFE_REGISTER:        0=Not avail.    [AFER]  AFE Register
      AFE_COMMUNICATION:        0=Inactive      [AFEC]  AFE Communication
 FUSE_TRIGGER_2ND_LEVEL:        0=Inactive      [2LVL]  FUSE input trigger by external protection
               OPEN_VCX:        0=Not avail.    [OCECO] Open VCx
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.PFStatus: 83>}
Query ManufacturerAccess.PFStatus: 00 WORD=0x53
Write ManufacturerAccess: CMD=00 WORD=53 00
Raw ManufacturerAccess.PFStatus response: 04 04 08 00 00 c7
MA.PFStatus:            0x00000804      bitfields       Permanent Fail Status bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
      COPPER_DEPOSITION:        1=Detected      [CUDEP] Copper deposition
        OVERTEMPERATURE:        0=Inactive      [OTCE]  Overtemperature in charge
    OVERTEMPERATURE_FET:        0=Inactive      [OTF]   Overtemperature of FET
         QMAX_IMBALANCE:        0=Inactive      [QIM]   QMAX Imbalance
         CELL_BALANCING:        0=Inactive      [CB]    Cell balancing
         CELL_IMPEDANCE:        0=Inactive      [IMP]   Cell impedance
 CAPACITY_DETERIORATION:        0=Inactive      [CD]    Capacity Deterioration
 VOLTAGE_IMBALANCE_REST:        1=Active        [VIMR]  Voltage imbalance at Rest
 VOLTAGE_IMBALANCE_ACTV:        0=Inactive      [VIMA]  Voltage imbalance at Active
             CHARGE_FET:        0=Inactive      [CFETF] Charge FET
          DISCHARGE_FET:        0=Inactive      [DFET]  Discharge FET
             THERMISTOR:        0=Inactive      [THERM] Thermistor
                   FUSE:        0=Inactive      [FUSE]  Value of the FUSE pin, designed to ignite the chemical fuse if one of the various safety criteria is violated
           AFE_REGISTER:        0=Not avail.    [AFER]  AFE Register
      AFE_COMMUNICATION:        0=Inactive      [AFEC]  AFE Communication
 FUSE_TRIGGER_2ND_LEVEL:        0=Inactive      [2LVL]  FUSE input trigger by external protection
             PTC_BY_AFE:        0=Inactive      [PTC]   Detected overtemperature using Positive Temperature Coefficient resistor connected to AFE PTC pin
               OPEN_VCX:        0=Not avail.    [OCECO] Open VCx
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 04 21 7b 50 00 91
MA.OperationStatus:     0x00507b21      bitfields       Operational Status bits
      SYS_PRESENT_LOW:  1=Active        [PRES]  System present input state low
       DSG_FET_STATUS:  0=Inactive      [DSG]   DSG FET status
       CHG_FET_STATUS:  0=Inactive      [CHG]   CHG FET Status
      PCHG_FET_STATUS:  0=Inactive      [PCHG]  PCHG FET Status
      GPOD_FET_STATUS:  0=Inactive      [GPOD]  GPOD FET Status
          FUSE_STATUS:  1=Active        [FUSE]  FUSE input status
       CELL_BALANCING:  0=Inactive      [CB]    Cell Balancing
           LED_ENABLE:  0=Inactive      [LED]   LED Enable
        SECURITY_MODE:  3=Sealed        [SEC]   Security Mode
       CAL_RAW_ADC_CC:  0=Inactive      [CAL]   Calibration Raw ADC/CC output active
        SAFETY_STATUS:  1=Active        [SS]    Safety Status
    PERMANENT_FAILURE:  1=Active        [PF]    Permanent Failure
 DISCHARGING_DISABLED:  1=Active        [XDSG]  Discharging Disabled
    CHARGING_DISABLED:  1=Active        [XCHG]  Charging Disabled
           SLEEP_MODE:  0=Inactive      [SLEEP] Sleep mode condition met
       SHUTDOWN_BY_MA:  0=Inactive      [SDM]   Shutdown activated by ManufacturerAccess()
      SHIP_MODE_BY_MA:  0=Inactive      [SHPM]  SHIP mode activated with ManufacturerAccess()
         AUTH_ONGOING:  0=Inactive      [AUTH]  Authentication ongoing
    AFE_WATCHDOG_FAIL:  0=Inactive      [AWD]   AFE Watchdog failure
    FAST_VOLTAGE_SAMP:  1=Active        [FVS]   Fast Voltage Sampling
    RAW_ADC_CC_OUTPUT:  0=Inactive      [CALO]  Raw ADC/CC offset calibration output
  SHUTDOWN_BY_VOLTAGE:  1=Active        [SDV]   SHUTDOWN activated by voltage
          SLEEP_BY_MA:  0=Inactive      [SLEPM] SLEEP mode activated by ManufacturerAccess()
     INIT_AFTER_RESET:  0=Inactive      [INIT]  Initialization after full reset
       SMB_CAL_ON_LOW:  0=Cal starts    [SLCAL] Auto CC offset calibration on low
 QMAX_UPDATE_IN_SLEEP:  0=Inactive      [SLEPQM]        QMax update in SLEEP mode
 CURRENT_CHK_IN_SLEEP:  0=Inactive      [SLEPC] Checking current in SLEEP mode
     XLOW_SPEED_STATE:  0=Inactive      [XLSBS] Fast Mode
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.ChargingStatus: 85>}
Query ManufacturerAccess.ChargingStatus: 00 WORD=0x55
Write ManufacturerAccess: CMD=00 WORD=55 00
Raw ManufacturerAccess.ChargingStatus response: 03 00 00 00 21
MA.ChargingStatus:      0x000000        bitfields       Charging Status bits
       UNDER_TEMPERATURE:       0=Inactive      [UT]    Under Temperature Range
         LOW_TEMPERATURE:       0=Inactive      [LT]    Low Temperature Range
     STD_TEMPERATURE_LOW:       0=Inactive      [STL]   Standard Temperature Low Range
 RECOMMENDED_TEMPERATURE:       0=Inactive      [RT]    Recommended Temperature Range
    STD_TEMPERATURE_HIGH:       0=Inactive      [STH]   Standard Temperature High Range
        HIGH_TEMPERATURE:       0=Inactive      [HT]    High Temperature Range
        OVER_TEMPERATURE:       0=Inactive      [OT]    Over Temperature Range
       PRECHARGE_VOLTAGE:       0=Inactive      [PV]    Precharge Voltage Range
             LOW_VOLTAGE:       0=Inactive      [LV]    Low Voltage Range
             MID_VOLTAGE:       0=Inactive      [MV]    Mid Voltage Range
            HIGH_VOLTAGE:       0=Inactive      [HV]    High Voltage Range
          CHARGE_INHIBIT:       0=Inactive      [IN]    Charge Inhibit
          CHARGE_SUSPEND:       0=Inactive      [SU]    Charge Suspend
   CHARGING_CURRENT_RATE:       0=Inactive      [CCR]   ChargingCurrent() Rate
   CHARGING_VOLTAGE_RATE:       0=Inactive      [CVR]   ChargingVoltage() Rate
 CHARGING_CURRENT_COMPNS:       0=Inactive      [CCC]   ChargingCurrent() Compensation
  VALID_CHARGE_TERMINATN:       0=Inactive      [VCT]   Valid Charge Termination
      MAINTENANCE_CHARGE:       0=Inactive      [MCHG]  Maintenance charge
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.GaugingStatus: 86>}
Query ManufacturerAccess.GaugingStatus: 00 WORD=0x56
Write ManufacturerAccess: CMD=00 WORD=56 00
Raw ManufacturerAccess.GaugingStatus response: 02 32 28 d8
MA.GaugingStatus:       0x2832  bitfields       Gauging Status bits
    OCV_QMAX_UPDATED:   0=Not upd.      [RESTD0]        OCV and QMax Updated
  DISCHARGE_DETECTED:   1=Discharging   [DSG]   Discharge Detected
   RESISTANCE_UPDATE:   0=Inactive      [RU]    Resistance update
 VOLTAGE_OK_FOR_QMAX:   0=Inactive      [VOK]   Cell Voltage OK for QMax
        QMAX_UPDATES:   1=Enabled       [QEN]   QMax updates
    FULLY_DISCHARGED:   1=Enabled       [FD]    Fully Discharged Detected by gauge algorithm
       FULLY_CHARGED:   0=Disabled      [FC]    Fully Charged Detected by gauge algorithm
    NEG_SCALE_FACTOR:   0=Disabled      [NSFM]  Negative scale factor mode
 DISCHARGE_QUALIFIED:   0=Disabled      [VDQ]   Discharge qualified for learning
      QMAX_UPDATED_T:   0=Toggle0       [QMax]  QMax updated toggle
 RESISTANCE_UPDATE_T:   0=Disabled      [RX]    Resistance update toggle
           LOAD_MODE:   1=C.Power       [LDMD]  Load Mode, constant current or power
     OCV_FLAT_REGION:   0=Outside       [OCVFR] OCV in flat region
 TERMNT_DISCHG_ALARM:   1=Enabled       [TDA]   Terminate Discharge Alarm
 TERMNT_CHARGE_ALARM:   0=Disabled      [TCA]   Terminate Charge Alarm
     LIPH_RELAX_MODE:   0=Disabled      [LPFRlx]        LiPh Relax Mode
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.ManufacturingStatus: 87>}
Query ManufacturerAccess.ManufacturingStatus: 00 WORD=0x57
Write ManufacturerAccess: CMD=00 WORD=57 00
Raw ManufacturerAccess.ManufacturingStatus response: 02 f8 01 68
MA.ManufacturingStatus: 0x01f8  bitfields       Manufacturing Status bits
    PCHG_FUNCTION:      0=Disabled      [PCHG]  PCHG Function, only available with FET=0
          CHG_FET:      0=Disabled      [CHG]   CHG FET, only available with FET=0
          DSG_FET:      0=Disabled      [DSG]   DSG FET, only available with FET=0
          GAUGING:      1=Enabled       [GAUGE] Gauging
       FET_ACTION:      1=Enabled       [FET]   FET action
 LIFETIME_DT_COLL:      1=Enabled       [LF]    Lifetime data collection
   PERMANENT_FAIL:      1=Enabled       [PF]    Permanent Failure functionality
    BLACK_BOX_REC:      1=Enabled       [BBR]   Black box recorder
      FUSE_ACTION:      1=Enabled       [FUSE]  FUSE action
      LED_DISPLAY:      0=Disabled      [LED]   LED Display
 CAL_ADC_CC_ON_MD:      0=Disabled      [CAL]   CAL ADC or CC output on ManufacturerData()

---

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 sealing Unseal

Opening i2c:1
Serial port COM6 opened
Importing comm_sbs_chips/BQ30z554.py
Write ManufacturerAccess: CMD=00 WORD=31 00
Raw ManufacturerAccess.UnSealDevice response: 02 1d 8d c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7 c7
Error: ValueError: Algorithm broken, length of challenge message M is 2 instead of 20 bytes

The output is different everytime, here're few more :

Raw ManufacturerAccess.UnSealDevice response: 02 96 02 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
Raw ManufacturerAccess.UnSealDevice response: 02 d8 b1 df df df df df df df df df df df df df df df df df df df
Raw ManufacturerAccess.UnSealDevice response: 02 03 4e 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
Raw ManufacturerAccess.UnSealDevice response: 02 97 03 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50
Raw ManufacturerAccess.UnSealDevice response: 02 02 af bd bd bd bd bd bd bd bd bd bd bd bd bd bd bd bd bd bd bd

---

This makes nothing:

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 trigger ManufacturerAccess.PermanentFailDataReset

Writing write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, v=b'', opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.PermanentFailDataReset: 41>}
Store ManufacturerAccess.PermanentFailDataReset: 00 WORD=0x29
Write ManufacturerAccess: CMD=00 WORD=29 00
MA.PermanentFailDataReset:      trigger SUCCESS Trigger switch write accepted

[mefistotelis]

Here's BQ30z55 Technical Reference chapter:

As to why your response does not meet the specification - I suspect you can think of the same possible reasons I can.

[deividAlfa]

I disabled the checks, here's the output:

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z50 sealing Unseal

Opening i2c:1
Serial port COM6 opened
Importing comm_sbs_chips/BQ30z554.py
Write ManufacturerAccess: CMD=00 WORD=31 00
Raw ManufacturerAccess.UnSealDevice response: 04 b5 fe b2 d5 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18
Prepared ManufacturerAccess.UnSealDevice B1=0123456789abcdeffedcba9876543210d5b2feb5
Computed ManufacturerAccess.UnSealDevice HMAC1=809722d33cde3ac9fe4d615bae925b94d8d0c1bb
Computed ManufacturerAccess.UnSealDevice HMAC2=9a3d12e4c88129e02f7a153a438d739d9e279377
Write ManufacturerAccess.UnSealDevice: CMD=2f BLOCK=77 93 27 9e 9d 73 8d 43 3a 15 7a 2f e0 29 81 c8 e4 12 3d 9a
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 04 21 7b 50 00 91
MA.OperationStatus:     0x00507b21      bitfields       Operational Status bits
      SYS_PRESENT_LOW:  1=Active        [PRES]  System present input state low
       DSG_FET_STATUS:  0=Inactive      [DSG]   DSG FET status
       CHG_FET_STATUS:  0=Inactive      [CHG]   CHG FET Status
      PCHG_FET_STATUS:  0=Inactive      [PCHG]  PCHG FET Status
      GPOD_FET_STATUS:  0=Inactive      [GPOD]  GPOD FET Status
          FUSE_STATUS:  1=Active        [FUSE]  FUSE input status
       CELL_BALANCING:  0=Inactive      [CB]    Cell Balancing
           LED_ENABLE:  0=Inactive      [LED]   LED Enable
        SECURITY_MODE:  3=Sealed        [SEC]   Security Mode
       CAL_RAW_ADC_CC:  0=Inactive      [CAL]   Calibration Raw ADC/CC output active
        SAFETY_STATUS:  1=Active        [SS]    Safety Status
    PERMANENT_FAILURE:  1=Active        [PF]    Permanent Failure
 DISCHARGING_DISABLED:  1=Active        [XDSG]  Discharging Disabled
    CHARGING_DISABLED:  1=Active        [XCHG]  Charging Disabled
           SLEEP_MODE:  0=Inactive      [SLEEP] Sleep mode condition met
       SHUTDOWN_BY_MA:  0=Inactive      [SDM]   Shutdown activated by ManufacturerAccess()
      SHIP_MODE_BY_MA:  0=Inactive      [SHPM]  SHIP mode activated with ManufacturerAccess()
         AUTH_ONGOING:  0=Inactive      [AUTH]  Authentication ongoing
    AFE_WATCHDOG_FAIL:  0=Inactive      [AWD]   AFE Watchdog failure
    FAST_VOLTAGE_SAMP:  1=Active        [FVS]   Fast Voltage Sampling
    RAW_ADC_CC_OUTPUT:  0=Inactive      [CALO]  Raw ADC/CC offset calibration output
  SHUTDOWN_BY_VOLTAGE:  1=Active        [SDV]   SHUTDOWN activated by voltage
          SLEEP_BY_MA:  0=Inactive      [SLEPM] SLEEP mode activated by ManufacturerAccess()
     INIT_AFTER_RESET:  0=Inactive      [INIT]  Initialization after full reset
       SMB_CAL_ON_LOW:  0=Cal starts    [SLCAL] Auto CC offset calibration on low
 QMAX_UPDATE_IN_SLEEP:  0=Inactive      [SLEPQM]        QMax update in SLEEP mode
 CURRENT_CHK_IN_SLEEP:  0=Inactive      [SLEPC] Checking current in SLEEP mode
     XLOW_SPEED_STATE:  0=Inactive      [XLSBS] Fast Mode

[Cleric-K]

@deividAlfa Does your logic analyzer show the start, stop, and repeated start conditions of i2c?

When writing the bridge I had checksum problems but finally found out that it is due to the way the PEC is calculated. Normally, when there's a read request, first there's the write operation for the address to be read and then there's the read operation for the values. When there's repeated start between the two operations, SMBus specifies that the checksum is calculated over the whole stream, that is, over both the write and the read operations. Initially, my code accidentally placed normal stop and start conditions which interrupted the stream and thus the BQZ checksum was calculated only over the read operation, while comm_sbs_bqctrl.py expects one over both operations. The code has been fixed but just in case can you confirm that there's repeated start between the two operations?

[deividAlfa]

I'll check in the afternoon!

Edit: But, if this was the case, the last CRC byte would be wrong.
That one is correct, it's the 1st one which seem to be wrong

[deividAlfa]

Here's the capture for
python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 read ManufacturerAccess.Voltages

Capture file: (Updated) logic.zip

View it in Sigrok Pulseview: https://sigrok.org/wiki/Downloads

Waveform picture (Time gaps stripped):

[deividAlfa]

python comm_sbs_bqctrl.py -vvv --dev_address 0xb --chip BQ30z55 sealing FullAccess

(Updated) seal_fullaccess.zip

[Cleric-K]

Interesting, it seems it issues stop conditions. Last time everything worked in my case. I'll have to check again but I'm not sure when I'll be able to do so. Meanwhile a test can be done in the Arduino sketch. At line 84 it can be forced to bool is_stop = false; This will generally break things but maybe we can at least see whether there will be repeated starts in the trace. This will tell if Arduino messes up or something before that.

BTW the attached traces seem not to contain the actual data. Only definitions of channels.

[deividAlfa]

What? The attached traces clearly show the decoded i2c transaction?

[deividAlfa]

I tried running this simple frame to a i2c memory:
AA a0 01 00 55 aa a1 81 55

AA a0 01 00 55  -> Write 00 to device address 50h (A0), generate a restart
AA A1 81 55     -> Read one byte from device address 50h (A1), generate a stop

I modified the code slighly to output some debug info:

addr: 50h    rd: 0    len: 1    stop: 0
addr: 50h    rd: 1    len: 1    stop: 1

Yet, it keeps sending stops.

After checking the code, I'm pretty sure it's a bug in PY32duino library!

[deividAlfa]

Bingo! It was the stupid Arduino library.
So, I made my own in Low Level libs. Working as it should now! No more checksum errors.

Leaving the code, should easily adapt to most Cortex MCUs (STM32, etc).
I used this with a PY32F002A + IOsetting libs

Thanks for pointing it out @Cleric-K, I would have never noticed that!

main.c

#include "main.h"

ErrorStatus res;
cmd_state_t state;
uint8_t i2c_bf[BFSZ], addr, i, len, stop, *op_bf;
uint16_t out;
i2c_op_t i2c_op;
volatile uint8_t rx_bf[BFSZ], in, count, bad_data;
volatile uint32_t tick;

uint32_t getTick(void){
  return tick;
}

void init_i2c(void){
  LL_APB1_GRP1_DisableClock(LL_APB1_GRP1_PERIPH_I2C1);
  LL_APB1_GRP1_ForceReset(LL_APB1_GRP1_PERIPH_I2C1);
  LL_APB1_GRP1_ReleaseReset(LL_APB1_GRP1_PERIPH_I2C1);
  LL_APB1_GRP1_EnableClock(LL_APB1_GRP1_PERIPH_I2C1);
  LL_I2C_Init(I2C1, &(LL_I2C_InitTypeDef){LL_I2C_MAX_SPEED_STANDARD, LL_I2C_DUTYCYCLE_16_9, 0, LL_I2C_NACK});
}

void sysInit(void){
  LL_RCC_HSI_Enable();
  LL_RCC_HSI_SetCalibFreq(LL_RCC_HSICALIBRATION_24MHz);
  while(LL_RCC_HSI_IsReady() != 1);
  LL_RCC_SetAHBPrescaler(LL_RCC_SYSCLK_DIV_1);
  LL_RCC_SetSysClkSource(LL_RCC_SYS_CLKSOURCE_HSISYS);
  while(LL_RCC_GetSysClkSource() != LL_RCC_SYS_CLKSOURCE_STATUS_HSISYS);
  LL_FLASH_SetLatency(LL_FLASH_LATENCY_0);
  LL_RCC_SetAPB1Prescaler(LL_RCC_APB1_DIV_1);
  LL_SetSystemCoreClock(24000000);
  SysTick_Config(24000);
  NVIC_SetPriority(SysTick_IRQn, 0);
  LL_IOP_GRP1_EnableClock(LL_IOP_GRP1_PERIPH_GPIOA | LL_IOP_GRP1_PERIPH_GPIOB | LL_IOP_GRP1_PERIPH_GPIOF);
  LL_GPIO_Init(RED_Port, &(LL_GPIO_InitTypeDef){ RED_Pin, LL_GPIO_MODE_OUTPUT, LL_GPIO_SPEED_FREQ_VERY_HIGH, LL_GPIO_OUTPUT_PUSHPULL, LL_GPIO_PULL_NO });
  LL_GPIO_Init(RX_Port, &(LL_GPIO_InitTypeDef){ RX_Pin, LL_GPIO_MODE_ALTERNATE, LL_GPIO_SPEED_FREQ_VERY_HIGH, LL_GPIO_OUTPUT_PUSHPULL, LL_GPIO_PULL_NO, RX_AF });
  LL_GPIO_Init(TX_Port, &(LL_GPIO_InitTypeDef){ TX_Pin, LL_GPIO_MODE_ALTERNATE, LL_GPIO_SPEED_FREQ_VERY_HIGH, LL_GPIO_OUTPUT_PUSHPULL, LL_GPIO_PULL_NO, TX_AF });
  LL_APB1_GRP2_EnableClock(LL_APB1_GRP2_PERIPH_USART1);
  LL_USART_Init(USART1, &(LL_USART_InitTypeDef){ 115200, 8, 1, LL_USART_PARITY_NONE, LL_USART_DIRECTION_TX_RX, LL_USART_HWCONTROL_NONE, LL_USART_OVERSAMPLING_16 });
  LL_USART_ClearFlag_TC(USART1);
  NVIC_SetPriority(USART1_IRQn,0);
  NVIC_EnableIRQ(USART1_IRQn);
  LL_USART_EnableIT_RXNE(USART1);
  LL_USART_Enable(USART1);
  LL_GPIO_Init(SCL_Port, &(LL_GPIO_InitTypeDef){ SCL_Pin, LL_GPIO_MODE_ALTERNATE, LL_GPIO_SPEED_FREQ_VERY_HIGH, LL_GPIO_OUTPUT_OPENDRAIN, LL_GPIO_PULL_UP, SCL_AF });
  LL_GPIO_Init(SDA_Port, &(LL_GPIO_InitTypeDef){ SDA_Pin, LL_GPIO_MODE_ALTERNATE, LL_GPIO_SPEED_FREQ_VERY_HIGH, LL_GPIO_OUTPUT_OPENDRAIN, LL_GPIO_PULL_UP, SDA_AF });
  init_i2c();
}

void put_uart(uint8_t d){
  while(!LL_USART_IsActiveFlag_TXE(USART1));
  LL_USART_TransmitData8(USART1, d);
}
void put_uart_s(char *s){
  while(*s++)
    put_uart((uint8_t)*s);
}
void put_uart_data(uint8_t *d, uint16_t l){
  while(l--)
    put_uart(*d++);
}

void UsartISR(void){
  if(LL_USART_IsActiveFlag_RXNE(USART1)){
      rx_bf[in] = LL_USART_ReceiveData8(USART1);
      if(bad_data)
        return;
      if(++in>=BFSZ)
        in=0;
      if(++count>BFSZ)
        bad_data=1;
  }
}

ErrorStatus I2C1_MasterOperation(uint8_t DevAddress, uint8_t *pData, uint16_t Size, i2c_op_t op, uint8_t stop)
{
  ErrorStatus status = SUCCESS;
  LL_I2C_GenerateStartCondition(I2C1);
  while(LL_I2C_IsActiveFlag_SB(I2C1) != 1);
  LL_I2C_TransmitData8(I2C1, DevAddress);
  while(!LL_I2C_IsActiveFlag_ADDR(I2C1)){
    if(LL_I2C_IsActiveFlag_AF(I2C1)){
      LL_I2C_ClearFlag_AF(I2C1);
      LL_I2C_GenerateStopCondition(I2C1);
      return ERROR;
    }
  }
  LL_I2C_ClearFlag_ADDR(I2C1);
  if(op==i2c_read)
    LL_I2C_AcknowledgeNextData(I2C1, LL_I2C_ACK);
  while(Size--){
    if(op==i2c_write){
      while(!LL_I2C_IsActiveFlag_TXE(I2C1));
      LL_I2C_TransmitData8(I2C1, *pData++);
    }
    else{
      while(!LL_I2C_IsActiveFlag_RXNE(I2C1));
      *pData++ = LL_I2C_ReceiveData8(I2C1);
    }
  }
  if(op==i2c_read)
    LL_I2C_AcknowledgeNextData(I2C1, LL_I2C_NACK);
  if(stop || status==ERROR){
    LL_I2C_GenerateStopCondition(I2C1);
    while(LL_I2C_IsActiveFlag_MSL(I2C1) != 0);
  }
  return status;
}

void handle_frame(void){
  if(bad_data){             // Overflow or bad data, clear everything
    state=cmd_start;
    in = out = count = 0;
    bad_data = 0;
  }
  if (count){
    switch(state){
        case cmd_start:
            if(rx_bf[out] == 0xAA){
                state=cmd_adr;
            }
            else{
              if(rx_bf[out] == '\r' || rx_bf[out] == '\n')  // Ignore newline chars
                break;

              bad_data=1;                                   // Else, we got bad data
            }
            break;

        case cmd_adr:
            addr = rx_bf[out];
            i2c_op = (addr&1) ? i2c_read : i2c_write;
            state=cmd_len;
            break;

        case cmd_len:
            len = rx_bf[out] & 0x7F;
            stop = (rx_bf[out] & 0x80) == 0x80;
            state = cmd_process;
            if(len==0){
              bad_data=1;
              return;
            }
            break;

        case cmd_process:
            if(i2c_op==i2c_write){
              if(count<=len) return;                  // Wait until the data arrives
              if( rx_bf[out+len] != 0x55 ){            // Missing frame termination
                bad_data=1;
                return;
              }
              op_bf = (uint8_t*)&rx_bf[out];
              out += len;
              __disable_irq();
              count -= len;
              __enable_irq();
            }
            else{
              if( rx_bf[out] != 0x55 ){                // Missing frame termination
                bad_data=1;
                return;
              }
              op_bf = i2c_bf;
            }
            setLED(RED, SET);
            res = I2C1_MasterOperation(addr, op_bf, len, i2c_op, stop);
            if(stop){       // We just finished transaction
              init_i2c();   // Reset I2C peripheral because for some reason that son of a beach read garbage in the next transaction
              stop=0;
            }
            put_uart(0xAA);
            if(res==SUCCESS){
              if(i2c_op == i2c_write){
                put_uart(0x00);
              }
              else{
                put_uart(len);
                put_uart_data(i2c_bf, len);
              }
            }
            else{
              put_uart(0xFF);
            }
            put_uart(0x55);
            setLED(RED, RESET);
            state=cmd_start;
            break;
    }
    __disable_irq();
    count--;
    __enable_irq();
    if(++out >= BFSZ)
      out -= BFSZ;      // Reset circular buffer
  }
}    

int main(void)
{
  sysInit();
  setLED(RED, SET);
  while(getTick()<100);
  setLED(RED, RESET);
  while (1)
  {
    handle_frame();
  }
}

main.h

#define BFSZ  256

typedef enum { cmd_start, cmd_adr, cmd_len, cmd_process } cmd_state_t;
typedef enum { i2c_read, i2c_write } i2c_op_t;
extern volatile uint32_t tick;

#define CON2(a,b)       a##b
#define WritePin(p,o)   CON2(p,_Port->BSRR) = CON2(p,_Pin)<<(o ? 0 : 16)
#define ReadPin(p)      ((CON2(p,_Port->IDR) & CON2(p,_Pin)) && 1)
#define TogglePin(p)    CON2(p,_Port->ODR) ^= CON2(p,_Pin)
#define setLED(l,s)     WritePin(l,!s)

#define RED_Port        GPIOB
  #define RED_Pin       LL_GPIO_PIN_0

#define SCL_Port        GPIOF
  #define SCL_Pin       LL_GPIO_PIN_1
  #define SCL_AF        LL_GPIO_AF12_I2C
#define SDA_Port        GPIOA
  #define SDA_Pin       LL_GPIO_PIN_7
  #define SDA_AF        LL_GPIO_AF12_I2C

#define TX_Port         GPIOA
  #define TX_Pin        LL_GPIO_PIN_2
  #define TX_AF         LL_GPIO_AF1_USART1
#define RX_Port         GPIOA
  #define RX_Pin        LL_GPIO_PIN_3
  #define RX_AF         LL_GPIO_AF1_USART1

void UsartISR(void);

stm32xxx_it.c

#include "main.h"
#include "stm32xxx_it.h"

/******************************************************************************/
/*          Cortex-M0+ Processor Interruption and Exception Handlers          */
/******************************************************************************/
/**
  * @brief This function handles Non maskable interrupt.
  */
void NMI_Handler(void)
{
}

/**
  * @brief This function handles Hard fault interrupt.
  */
void HardFault_Handler(void)
{
  while (1)
  {
  }
}

/**
  * @brief This function handles System service call via SWI instruction.
  */
void SVC_Handler(void)
{
}

/**
  * @brief This function handles Pendable request for system service.
  */
void PendSV_Handler(void){
}

void SysTick_Handler(void){
  tick++;
}

void USART1_IRQHandler(void)
{
  UsartISR();
}

[deividAlfa]

This is the output now:

---

python comm_sbs_bqctrl.py --dev_address 0xb --c BQ30z55 monitor BQStatusBitsMA

Serial port COM6 opened
MA.SafetyAlert:         0x00000000      bitfields       Safety Alert bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
  OVERCURRENT_CHG_TIER1:        0=Inactive      [OCC1]  Overcurrent in Charge 1st Tier
  OVERCURRENT_CHG_TIER2:        0=Inactive      [OCC2]  Overcurrent in Charge 2nd Tier
  OVERCURRENT_DIS_TIER1:        0=Inactive      [OCD1]  Overcurrent in Discharge 1st Tier
  OVERCURRENT_DIS_TIER2:        0=Inactive      [OCD2]  Overcurrent in Discharge 2nd Tier
           OVERLOAD_DIS:        0=Inactive      [OLD]   Overload in discharge
      SHORT_CIRCUIT_CHG:        0=Inactive      [SCC]   Short circuit in charge
      SHORT_CIRCUIT_DIS:        0=Inactive      [SCD]   Short circuit in discharge
    OVERTEMPERATURE_CHG:        0=Inactive      [OTC]   Overtemperature in charge
    OVERTEMPERATURE_DIS:        0=Inactive      [OTD]   Overtemperature in discharge
     IR_COMPENSATED_CUV:        0=Inactive      [CUVC]  I*R compensated CUV
    FET_OVERTEMPERATURE:        0=Inactive      [OTF]   FET overtemperature
  HOST_WATCHDOG_TIMEOUT:        0=Inactive      [HWD]   SBS Host watchdog timeout
    PRECHARGING_TIMEOUT:        0=Inactive      [PTO]   Pre-charging timeout
 PRECHG_TIMEOUT_SUSPEND:        0=Inactive      [PTOS]  Pre-charging timeout suspend
       CHARGING_TIMEOUT:        0=Inactive      [CTO]   Charging timeout
    CHG_TIMEOUT_SUSPEND:        0=Inactive      [CTOS]  Charging timeout suspend
             OVERCHARGE:        0=Inactive      [OC]    Overcharge
  CHG_CURRENT_ABOVE_REQ:        0=Inactive      [CHGC]  Charging Current higher than requested
  CHG_VOLTAGE_ABOVE_REQ:        0=Inactive      [CHGV]  Charging Voltage higher than requested
MA.SafetyStatus:        0x00000001      bitfields       Safety Status bits
     CELL_UNDERVOLTAGE: 1=Detected      [CUV]   Cell Undervoltage
      CELL_OVERVOLTAGE: 0=Inactive      [COV]   Cell Overvoltage
 OVERCURRENT_CHG_TIER1: 0=Inactive      [OCC1]  Overcurrent in Charge 1st Tier
 OVERCURRENT_CHG_TIER2: 0=Inactive      [OCC2]  Overcurrent in Charge 2nd Tier
 OVERCURRENT_DIS_TIER1: 0=Inactive      [OCD1]  Overcurrent in Discharge 1st Tier
 OVERCURRENT_DIS_TIER2: 0=Inactive      [OCD2]  Overcurrent in Discharge 2nd Tier
          OVERLOAD_DIS: 0=Inactive      [OLD]   Overload in discharge
    OVERLOAD_DIS_LATCH: 0=Inactive      [OLDL]  Overload in discharge latch
     SHORT_CIRCUIT_CHG: 0=Inactive      [SCC]   Short circuit in charge
  SHORT_CIRC_CHG_LATCH: 0=Inactive      [SCCL]  Short circuit in charge latch
     SHORT_CIRCUIT_DIS: 0=Inactive      [SCD]   Short circuit in discharge
  SHORT_CIRC_DIS_LATCH: 0=Inactive      [SCDL]  Short circuit in discharge latch
   OVERTEMPERATURE_CHG: 0=Inactive      [OTC]   Overtemperature in charge
   OVERTEMPERATURE_DIS: 0=Inactive      [OTD]   Overtemperature in discharge
    IR_COMPENSATED_CUV: 0=Inactive      [CUVC]  I*R compensated CUV
   FET_OVERTEMPERATURE: 0=Inactive      [OTF]   FET overtemperature
 HOST_WATCHDOG_TIMEOUT: 0=Inactive      [HWD]   SBS Host watchdog timeout
   PRECHARGING_TIMEOUT: 0=Inactive      [PTO]   Pre-charging timeout
      CHARGING_TIMEOUT: 0=Inactive      [CTO]   Charging timeout
            OVERCHARGE: 0=Inactive      [OC]    Overcharge
 CHG_CURRENT_ABOVE_REQ: 0=Inactive      [CHGC]  Charging Current higher than requested
 CHG_VOLTAGE_ABOVE_REQ: 0=Inactive      [CHGV]  Charging Voltage higher than requested
MA.PFAlert:             0x00000000      bitfields       Permanent Fail Alert bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
      COPPER_DEPOSITION:        0=Inactive      [CUDEP] Copper deposition
        OVERTEMPERATURE:        0=Inactive      [OTCE]  Overtemperature in charge
    OVERTEMPERATURE_FET:        0=Inactive      [OTF]   Overtemperature of FET
         QMAX_IMBALANCE:        0=Inactive      [QIM]   QMAX Imbalance
         CELL_BALANCING:        0=Inactive      [CB]    Cell balancing
         CELL_IMPEDANCE:        0=Inactive      [IMP]   Cell impedance
 CAPACITY_DETERIORATION:        0=Inactive      [CD]    Capacity Deterioration
 VOLTAGE_IMBALANCE_REST:        0=Inactive      [VIMR]  Voltage imbalance at Rest
 VOLTAGE_IMBALANCE_ACTV:        0=Inactive      [VIMA]  Voltage imbalance at Active
             CHARGE_FET:        0=Inactive      [CFETF] Charge FET
          DISCHARGE_FET:        0=Inactive      [DFET]  Discharge FET
             THERMISTOR:        0=Inactive      [THERM] Thermistor
                   FUSE:        0=Inactive      [FUSE]  Fuse
           AFE_REGISTER:        0=Not avail.    [AFER]  AFE Register
      AFE_COMMUNICATION:        0=Inactive      [AFEC]  AFE Communication
 FUSE_TRIGGER_2ND_LEVEL:        0=Inactive      [2LVL]  FUSE input trigger by external protection
               OPEN_VCX:        0=Not avail.    [OCECO] Open VCx
MA.PFStatus:            0x00000804      bitfields       Permanent Fail Status bits
      CELL_UNDERVOLTAGE:        0=Inactive      [CUV]   Cell Undervoltage
       CELL_OVERVOLTAGE:        0=Inactive      [COV]   Cell Overvoltage
      COPPER_DEPOSITION:        1=Detected      [CUDEP] Copper deposition
        OVERTEMPERATURE:        0=Inactive      [OTCE]  Overtemperature in charge
    OVERTEMPERATURE_FET:        0=Inactive      [OTF]   Overtemperature of FET
         QMAX_IMBALANCE:        0=Inactive      [QIM]   QMAX Imbalance
         CELL_BALANCING:        0=Inactive      [CB]    Cell balancing
         CELL_IMPEDANCE:        0=Inactive      [IMP]   Cell impedance
 CAPACITY_DETERIORATION:        0=Inactive      [CD]    Capacity Deterioration
 VOLTAGE_IMBALANCE_REST:        1=Active        [VIMR]  Voltage imbalance at Rest
 VOLTAGE_IMBALANCE_ACTV:        0=Inactive      [VIMA]  Voltage imbalance at Active
             CHARGE_FET:        0=Inactive      [CFETF] Charge FET
          DISCHARGE_FET:        0=Inactive      [DFET]  Discharge FET
             THERMISTOR:        0=Inactive      [THERM] Thermistor
                   FUSE:        0=Inactive      [FUSE]  Value of the FUSE pin, designed to ignite the chemical fuse if one of the various safety criteria is violated
           AFE_REGISTER:        0=Not avail.    [AFER]  AFE Register
      AFE_COMMUNICATION:        0=Inactive      [AFEC]  AFE Communication
 FUSE_TRIGGER_2ND_LEVEL:        0=Inactive      [2LVL]  FUSE input trigger by external protection
             PTC_BY_AFE:        0=Inactive      [PTC]   Detected overtemperature using Positive Temperature Coefficient resistor connected to AFE PTC pin
               OPEN_VCX:        0=Not avail.    [OCECO] Open VCx
MA.OperationStatus:     0x00507b21      bitfields       Operational Status bits
      SYS_PRESENT_LOW:  1=Active        [PRES]  System present input state low
       DSG_FET_STATUS:  0=Inactive      [DSG]   DSG FET status
       CHG_FET_STATUS:  0=Inactive      [CHG]   CHG FET Status
      PCHG_FET_STATUS:  0=Inactive      [PCHG]  PCHG FET Status
      GPOD_FET_STATUS:  0=Inactive      [GPOD]  GPOD FET Status
          FUSE_STATUS:  1=Active        [FUSE]  FUSE input status
       CELL_BALANCING:  0=Inactive      [CB]    Cell Balancing
           LED_ENABLE:  0=Inactive      [LED]   LED Enable
        SECURITY_MODE:  3=Sealed        [SEC]   Security Mode
       CAL_RAW_ADC_CC:  0=Inactive      [CAL]   Calibration Raw ADC/CC output active
        SAFETY_STATUS:  1=Active        [SS]    Safety Status
    PERMANENT_FAILURE:  1=Active        [PF]    Permanent Failure
 DISCHARGING_DISABLED:  1=Active        [XDSG]  Discharging Disabled
    CHARGING_DISABLED:  1=Active        [XCHG]  Charging Disabled
           SLEEP_MODE:  0=Inactive      [SLEEP] Sleep mode condition met
       SHUTDOWN_BY_MA:  0=Inactive      [SDM]   Shutdown activated by ManufacturerAccess()
      SHIP_MODE_BY_MA:  0=Inactive      [SHPM]  SHIP mode activated with ManufacturerAccess()
         AUTH_ONGOING:  0=Inactive      [AUTH]  Authentication ongoing
    AFE_WATCHDOG_FAIL:  0=Inactive      [AWD]   AFE Watchdog failure
    FAST_VOLTAGE_SAMP:  1=Active        [FVS]   Fast Voltage Sampling
    RAW_ADC_CC_OUTPUT:  0=Inactive      [CALO]  Raw ADC/CC offset calibration output
  SHUTDOWN_BY_VOLTAGE:  1=Active        [SDV]   SHUTDOWN activated by voltage
          SLEEP_BY_MA:  0=Inactive      [SLEPM] SLEEP mode activated by ManufacturerAccess()
     INIT_AFTER_RESET:  0=Inactive      [INIT]  Initialization after full reset
       SMB_CAL_ON_LOW:  0=Cal starts    [SLCAL] Auto CC offset calibration on low
 QMAX_UPDATE_IN_SLEEP:  0=Inactive      [SLEPQM]        QMax update in SLEEP mode
 CURRENT_CHK_IN_SLEEP:  0=Inactive      [SLEPC] Checking current in SLEEP mode
     XLOW_SPEED_STATE:  0=Inactive      [XLSBS] Fast Mode
MA.ChargingStatus:      0x000000        bitfields       Charging Status bits
       UNDER_TEMPERATURE:       0=Inactive      [UT]    Under Temperature Range
         LOW_TEMPERATURE:       0=Inactive      [LT]    Low Temperature Range
     STD_TEMPERATURE_LOW:       0=Inactive      [STL]   Standard Temperature Low Range
 RECOMMENDED_TEMPERATURE:       0=Inactive      [RT]    Recommended Temperature Range
    STD_TEMPERATURE_HIGH:       0=Inactive      [STH]   Standard Temperature High Range
        HIGH_TEMPERATURE:       0=Inactive      [HT]    High Temperature Range
        OVER_TEMPERATURE:       0=Inactive      [OT]    Over Temperature Range
       PRECHARGE_VOLTAGE:       0=Inactive      [PV]    Precharge Voltage Range
             LOW_VOLTAGE:       0=Inactive      [LV]    Low Voltage Range
             MID_VOLTAGE:       0=Inactive      [MV]    Mid Voltage Range
            HIGH_VOLTAGE:       0=Inactive      [HV]    High Voltage Range
          CHARGE_INHIBIT:       0=Inactive      [IN]    Charge Inhibit
          CHARGE_SUSPEND:       0=Inactive      [SU]    Charge Suspend
   CHARGING_CURRENT_RATE:       0=Inactive      [CCR]   ChargingCurrent() Rate
   CHARGING_VOLTAGE_RATE:       0=Inactive      [CVR]   ChargingVoltage() Rate
 CHARGING_CURRENT_COMPNS:       0=Inactive      [CCC]   ChargingCurrent() Compensation
  VALID_CHARGE_TERMINATN:       0=Inactive      [VCT]   Valid Charge Termination
      MAINTENANCE_CHARGE:       0=Inactive      [MCHG]  Maintenance charge
MA.GaugingStatus:       0x2837  bitfields       Gauging Status bits
    OCV_QMAX_UPDATED:   1=Updated       [RESTD0]        OCV and QMax Updated
  DISCHARGE_DETECTED:   1=Discharging   [DSG]   Discharge Detected
   RESISTANCE_UPDATE:   1=Active        [RU]    Resistance update
 VOLTAGE_OK_FOR_QMAX:   0=Inactive      [VOK]   Cell Voltage OK for QMax
        QMAX_UPDATES:   1=Enabled       [QEN]   QMax updates
    FULLY_DISCHARGED:   1=Enabled       [FD]    Fully Discharged Detected by gauge algorithm
       FULLY_CHARGED:   0=Disabled      [FC]    Fully Charged Detected by gauge algorithm
    NEG_SCALE_FACTOR:   0=Disabled      [NSFM]  Negative scale factor mode
 DISCHARGE_QUALIFIED:   0=Disabled      [VDQ]   Discharge qualified for learning
      QMAX_UPDATED_T:   0=Toggle0       [QMax]  QMax updated toggle
 RESISTANCE_UPDATE_T:   0=Disabled      [RX]    Resistance update toggle
           LOAD_MODE:   1=C.Power       [LDMD]  Load Mode, constant current or power
     OCV_FLAT_REGION:   0=Outside       [OCVFR] OCV in flat region
 TERMNT_DISCHG_ALARM:   1=Enabled       [TDA]   Terminate Discharge Alarm
 TERMNT_CHARGE_ALARM:   0=Disabled      [TCA]   Terminate Charge Alarm
     LIPH_RELAX_MODE:   0=Disabled      [LPFRlx]        LiPh Relax Mode
MA.ManufacturingStatus: 0x01f8  bitfields       Manufacturing Status bits
    PCHG_FUNCTION:      0=Disabled      [PCHG]  PCHG Function, only available with FET=0
          CHG_FET:      0=Disabled      [CHG]   CHG FET, only available with FET=0
          DSG_FET:      0=Disabled      [DSG]   DSG FET, only available with FET=0
          GAUGING:      1=Enabled       [GAUGE] Gauging
       FET_ACTION:      1=Enabled       [FET]   FET action
 LIFETIME_DT_COLL:      1=Enabled       [LF]    Lifetime data collection
   PERMANENT_FAIL:      1=Enabled       [PF]    Permanent Failure functionality
    BLACK_BOX_REC:      1=Enabled       [BBR]   Black box recorder
      FUSE_ACTION:      1=Enabled       [FUSE]  FUSE action
      LED_DISPLAY:      0=Disabled      [LED]   LED Display
 CAL_ADC_CC_ON_MD:      0=Disabled      [CAL]   CAL ADC or CC output on ManufacturerData()

---

python comm_sbs_bqctrl.py -vvv --dev_address 0xb -c BQ30z55 sealing Unseal

Opening i2c:1
Serial port COM6 opened
Importing comm_sbs_chips/BQ30z554.py
Write ManufacturerAccess: CMD=00 WORD=31 00
Raw ManufacturerAccess.UnSealDevice response: 14 b9 12 13 55 6b 44 ad 43 b2 2a 0f 10 53 6a 37 b2 45 b4 9f 10 cf
Prepared ManufacturerAccess.UnSealDevice B1=0123456789abcdeffedcba9876543210109fb445b2376a53100f2ab243ad446b551312b9
Computed ManufacturerAccess.UnSealDevice HMAC1=805e4522f9a312496e4c95755e38f44bda804089
Computed ManufacturerAccess.UnSealDevice HMAC2=38e472781389680bb2bf2a3012499a6769aec8cb
Write ManufacturerAccess.UnSealDevice: CMD=2f BLOCK=cb c8 ae 69 67 9a 49 12 30 2a bf b2 0b 68 89 13 78 72 e4 38
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 04 21 7b 50 00 0b
MA.OperationStatus:     0x00507b21      bitfields       Operational Status bits
      SYS_PRESENT_LOW:  1=Active        [PRES]  System present input state low
       DSG_FET_STATUS:  0=Inactive      [DSG]   DSG FET status
       CHG_FET_STATUS:  0=Inactive      [CHG]   CHG FET Status
      PCHG_FET_STATUS:  0=Inactive      [PCHG]  PCHG FET Status
      GPOD_FET_STATUS:  0=Inactive      [GPOD]  GPOD FET Status
          FUSE_STATUS:  1=Active        [FUSE]  FUSE input status
       CELL_BALANCING:  0=Inactive      [CB]    Cell Balancing
           LED_ENABLE:  0=Inactive      [LED]   LED Enable
        SECURITY_MODE:  3=Sealed        [SEC]   Security Mode
       CAL_RAW_ADC_CC:  0=Inactive      [CAL]   Calibration Raw ADC/CC output active
        SAFETY_STATUS:  1=Active        [SS]    Safety Status
    PERMANENT_FAILURE:  1=Active        [PF]    Permanent Failure
 DISCHARGING_DISABLED:  1=Active        [XDSG]  Discharging Disabled
    CHARGING_DISABLED:  1=Active        [XCHG]  Charging Disabled
           SLEEP_MODE:  0=Inactive      [SLEEP] Sleep mode condition met
       SHUTDOWN_BY_MA:  0=Inactive      [SDM]   Shutdown activated by ManufacturerAccess()
      SHIP_MODE_BY_MA:  0=Inactive      [SHPM]  SHIP mode activated with ManufacturerAccess()
         AUTH_ONGOING:  0=Inactive      [AUTH]  Authentication ongoing
    AFE_WATCHDOG_FAIL:  0=Inactive      [AWD]   AFE Watchdog failure
    FAST_VOLTAGE_SAMP:  1=Active        [FVS]   Fast Voltage Sampling
    RAW_ADC_CC_OUTPUT:  0=Inactive      [CALO]  Raw ADC/CC offset calibration output
  SHUTDOWN_BY_VOLTAGE:  1=Active        [SDV]   SHUTDOWN activated by voltage
          SLEEP_BY_MA:  0=Inactive      [SLEPM] SLEEP mode activated by ManufacturerAccess()
     INIT_AFTER_RESET:  0=Inactive      [INIT]  Initialization after full reset
       SMB_CAL_ON_LOW:  0=Cal starts    [SLCAL] Auto CC offset calibration on low
 QMAX_UPDATE_IN_SLEEP:  0=Inactive      [SLEPQM]        QMax update in SLEEP mode
 CURRENT_CHK_IN_SLEEP:  0=Inactive      [SLEPC] Checking current in SLEEP mode
     XLOW_SPEED_STATE:  0=Inactive      [XLSBS] Fast Mode

---

python comm_sbs_bqctrl.py -vvv --dev_address 0xb -c BQ30z55 trigger ManufacturerAccess.PermanentFailDataReset

  Serial port COM6 opened
  MA.PermanentFailDataReset:      trigger SUCCESS Trigger switch write accepted

---

python comm_sbs_bqctrl.py --dev_address 0xb --chip BQ30z55 monitor StatusBits

Serial port COM6 opened
BatteryMode:    0x6001  bitfields       Battery modes and capabilities
 INTERNAL_CHARGE_CONTROLLER:    1=Supported     [ICC]   Internal Charge Controller circuit available
    PRIMARY_BATTERY_SUPPORT:    0=No support    [PBS]   Ability to act as primary or secondary battery
             CONDITION_FLAG:    0=No need       [CF]    Battery requests a conditioning cycle
  CHARGE_CONTROLLER_ENABLED:    0=Disabled      [CC]    Battery pack's internal charge controller state
            PRIMARY_BATTERY:    0=Secondary     [PB]    Operate as the pri/sec battery in a system
                 ALARM_MODE:    1=Tx disabled   [AM]    Don't master the SMBus and send AlarmWarning()
               CHARGER_MODE:    1=Tx disabled   [ChgM]  Don't send ChargingCurrent() and ChargingVoltage()
              CAPACITY_MODE:    0=Report in mAh [CapM]  Capacity reporting unit, mA/mAh or 10mW/10mWh
BatteryStatus:  0x4ad7  bitfields       Battery's Alarm and Status bit flags
                ERROR_CODE:     7=Unknown Error [EC]    Function error code
          FULLY_DISCHARGED:     1=Fully [FD]    Battery capacity is depleted
             FULLY_CHARGED:     0=Not fully     [FC]    Battery is full
               DISCHARGING:     1=Yes   [DSG]   Battery is discharging
               INITIALIZED:     1=Recalibrate   [INIT]  State of calibration/configuration
      REMAINING_TIME_ALARM:     0=Inactive      [RTA]   Remaining time to depletion alarm tripped
  REMAINING_CAPACITY_ALARM:     1=Active        [RCA]   Remaining capacity alarm tripped
 TERMINATE_DISCHARGE_ALARM:     1=Active        [TDA]   Battery capacity is depleted
     OVERTEMPERATURE_ALARM:     0=Inactive      [OTA]   Temperature is above pre-set limit
    TERMINATE_CHARGE_ALARM:     1=Active        [TCA]   Charging should be suspended
        OVER_CHARGED_ALARM:     0=Inactive      [OCA]   Battery is fully charged

---

[Cleric-K]

What? The attached traces clearly show the decoded i2c transaction?

The attached files contain only the .pvs (no .sr) which is only the session metadata. But anyway, the screenshots were sufficient.

Bingo! It was the stupid Arduino library. So, I made my own in Low Level libs. Working as it should now! No more checksum errors.

Wow :) Quite a work you've put into this. Great job! Wouldn't it have been easier to get a regular Arduino? :D

Thanks for pointing it out @Cleric-K, I would have never noticed that!

Yeah, I also got that almost accidentally. I don't remember the exact scenario, I think I have been testing in parallel with CP2112 and narrowed it down to a single request which worked in one case not in the other. Analyzing the logic traces revealed that the stop conditions were the only difference. Then GPT hinted about the way PEC is calculated with or without repeated start.

So in the end did you manage to revive the battery?

In my case I'm trying to resurrect Mavic Pro batteries. Everything worked fine, I manually charged them, the unsealing worked fine, clearing PF too. Now they charge normally, however, the Mavic does not recognize them as genuine batteries and refuses to arm (there's a way to allow that but smart functions like calculating the needed battery for a return to home no longer work). As far as I could research it, it seems that this is no longer a problem in the BQZ chip but in the MSP430 mc, which seems to have triggered its own flags. But if anyone knows how this could be a matter of BQZ settings, I'm all ears.

[deividAlfa]

My bad, it seems I saved the wrong thing...

That's why I hate Arduino so much, loose documentation, issues, bugs...
Sometimes you end spending more time than doing yourself!
Also, Arduino optimization is terrible, your simple sketch used a lot of flash, mine only uses 3KB flash and 300B RAM, mainly on the buffers.

Well, I fixed the 3rd cell showing 0mV, the battery pad was splitted so you can solder the cell safely and join them together later on.
Now all the cells are reading 3800mV +-5mV.

But, unsealing doesn't work at all.
Changing the sha1 to random numbers give the same result, so probably the key is wrong.

Can the key be tested whether it's correct or not?

[Cleric-K]

Can the key be tested whether it's correct or not?

I don't know. Maybe you can try FullAccess instead of Unseal.