Capture logic analyzer while unseal command

[Retro-Fitt]

Hi,

I have same bq20z70 controller on my battery and it works fine but i want to "unseal" it and as you might know i need password for it.Could you please sniff i2c bus while unlocking via ti tool?I need bus address and password.

I have tried this tutorial but it is for bq20z90

http://www.karosium.com/2016/08/hacking-bq8030-with-sanyo-firmware.html

Here is some info about my battery:

root@raspberrypi:/home/pi# smbusb_sbsreport
SMBusb Firmware Version: 1.0.1
-------------------------------------------------
Manufacturer Name:          Sony Corp.
Device Name:                CFSOTX
Device Chemistry:           LION
Serial Number:              4096
Manufacture Date:           2012.09.18

Manufacturer Access:        0000
Remaining Capacity Alarm:   420 mAh(/10mWh)
Remaining Time Alarm:       10 min
Battery Mode:               6001
At Rate:                    0 mAh(/10mWh)
At Rate Time To Full:       65535 min
At Rate Time To Empty:      65535 min
At Rate OK:                 1
Temperature:                27.45 degC
Voltage:                    11249 mV
Current:                    0 mA
Average Current:            0 mA
Max Error:                  1 %
Relative State Of Charge    63 %
Absolute State Of Charge    58 %
Remaining Capacity:         2419 mAh(/10mWh)
Full Charge Capacity:       3847 mAh(/10mWh)
Run Time To Empty:          65535 min
Average Time To Empty:      65535 min
Average Time To Full:       65535 min
Charging Current:           2750 mA
Charging Voltage:           12600 mV
Battery Status:             00c0
Cycle Count:                14
Design Capacity:            4200 mAh(/10mWh)
Design Voltage:             11100 mV
Specification Info:         0021
Manufacturer Data: 60 01 a7 00 d6 00 00
root@raspberrypi:/home/pi#

As you can see i can read all information with cypress logic analyzer and karosiums tool.

Here is my unseal process but no luck so far:

root@raspberrypi:/home/pi# smbusb_scan -w 0x16 -b 0x70
------------------------------------
             smbusb_scan
------------------------------------
Success. SMBusb Firmware Version: 1.0.1
Scanning for command writability..
Scan range: 70 - ff
Skipping: None
------------------------------------
[70] ACK, Byte writable, Word writable, Block writable
[71] ACK, Byte writable, Word writable
[77] ACK, Byte writable, Word writable
[78] ACK, Byte writable, Word writable, Block writable
root@raspberrypi:/home/pi# smbusb_comm -a 16 -c 77 -r 2
0000
root@raspberrypi:/home/pi# smbusb_comm -a 16 -c 71 -w 0214
root@raspberrypi:/home/pi# smbusb_comm -a 16 -c 77 -r 2
0000
root@raspberrypi:/home/pi# smbusb_comm -a 16 -c 71 -w f000
root@raspberrypi:/home/pi# smbusb_comm -a 16 -c 70 -w 0517
root@raspberrypi:/home/pi# smbusb_bq8030flasher -p prg.bin -e eep.bin
------------------------------------
        smbusb_bq8030flasher
------------------------------------
SMBusb Firmware Version: 1.0.1
PEC is ENABLED
Error communicating with the Boot ROM.
Chip is running firmware
Note that there's no universal way to enter the Boot ROM on a programmed chip.
The command(s) and password(s) vary by make and model of the pack.

Great work!Thanks in advance!

[omarKmekkawy]

Hi @bra1nslayer ,
I have created the "Security" section with the sealing, unsealing procedures and the sniffed data on your request. Kindly see the link down below:
https://github.com/rxtxinv/Reverse_Engineering_BQ20z70_Laptop_BMS#security-of-the-bq20z70
I hope that my documentation help you.

I also have the same cypress kit used with the karosiums tool and also I remember that I have seen this tool before (But I don't have much time to try it ) maybe I will try it later.

You are welcome.
BR,

[Retro-Fitt]

Hi again @rxtxinv
Wow great info and news!Many thanks for your reply.You inspired me to keep going.

I have successfully unsealed bq20z70 without any special tools except VGA cable.I know this sounds weird and confusing but let me explain what i have done:)
First off as you know i have been experimenting with my cypress and karosium's code.I have no luck with it.Tried sending passwords to 0x71 0414 and 3672 and reading 0x54 changed some data but no luck unsealing it.

I have connected bms to my raspberry pi and used dji firmware tools (https://github.com/o-gs/dji-firmware-tools) comm_sbs_bqctl and started poking.As you might expect this tool is not designed for bq20z70.It was designed for bq30z50 and 55.I was able to read basic functions.But i taught these chips are similiar with each other and i overrided command with -c BQ30Z55 and tried unsealing it.

Here is the result:

root@raspberrypi:/home/pi/dji-firmware-tools# ./comm_sbs_bqctrl.py -vvv --bus "i2c:1" --dev_address 0x0b -c BQ30z55 sealing Unseal
Opening i2c:1
Importing comm_sbs_chips/BQ30z554.py
Write ManufacturerAccess: CMD=00 WORD=31 00
Raw ManufacturerAccess.UnSealDevice response: 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f5
Prepared ManufacturerAccess.UnSealDevice B1=0123456789abcdeffedcba98765432100000000000000000000000000000000000000000
Computed ManufacturerAccess.UnSealDevice HMAC1=01c412453ea230afef22b14db3bff347526e6c57
Computed ManufacturerAccess.UnSealDevice HMAC2=2fa27ceb5b616484620fe32217c29b0a8e3cf3f0
Write ManufacturerAccess.UnSealDevice: CMD=2f BLOCK=f0 f3 3c 8e 0a 9b c2 17 22 e3 0f 62 84 64 61 5b eb 7c a2 2f
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 07 60 01 a7 00 d6 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.OperationStatus:	0x00a70160	bitfields	Operational Status bits
      SYS_PRESENT_LOW:	0=Inactive	[PRES]	System present input state low
       DSG_FET_STATUS:	0=Inactive	[DSG]	DSG FET status
       CHG_FET_STATUS:	0=Inactive	[CHG]	CHG FET Status
      PCHG_FET_STATUS:	0=Inactive	[PCHG]	PCHG FET Status
      GPOD_FET_STATUS:	0=Inactive	[GPOD]	GPOD FET Status
          FUSE_STATUS:	1=Active	[FUSE]	FUSE input status
       CELL_BALANCING:	1=Active	[CB]	Cell Balancing
           LED_ENABLE:	0=Inactive	[LED]	LED Enable
        **SECURITY_MODE:	1=Full Access	[SEC]	Security Mode**
       CAL_RAW_ADC_CC:	0=Inactive	[CAL]	Calibration Raw ADC/CC output active
        SAFETY_STATUS:	0=Inactive	[SS]	Safety Status
    PERMANENT_FAILURE:	0=Inactive	[PF]	Permanent Failure
 DISCHARGING_DISABLED:	0=Inactive	[XDSG]	Discharging Disabled
    CHARGING_DISABLED:	0=Inactive	[XCHG]	Charging Disabled
           SLEEP_MODE:	0=Inactive	[SLEEP]	Sleep mode condition met
       SHUTDOWN_BY_MA:	1=Active	[SDM]	Shutdown activated by ManufacturerAccess()
      SHIP_MODE_BY_MA:	1=Active	[SHPM]	SHIP mode activated with ManufacturerAccess()
         AUTH_ONGOING:	1=Active	[AUTH]	Authentication ongoing
    AFE_WATCHDOG_FAIL:	0=Inactive	[AWD]	AFE Watchdog failure
    FAST_VOLTAGE_SAMP:	0=Inactive	[FVS]	Fast Voltage Sampling
    RAW_ADC_CC_OUTPUT:	1=Active	[CALO]	Raw ADC/CC offset calibration output
  SHUTDOWN_BY_VOLTAGE:	0=Inactive	[SDV]	SHUTDOWN activated by voltage
          SLEEP_BY_MA:	1=Active	[SLEPM]	SLEEP mode activated by ManufacturerAccess()
     INIT_AFTER_RESET:	0=Inactive	[INIT]	Initialization after full reset
       SMB_CAL_ON_LOW:	0=Cal starts	[SLCAL]	Auto CC offset calibration on low
 QMAX_UPDATE_IN_SLEEP:	0=Inactive	[SLEPQM]	QMax update in SLEEP mode
 CURRENT_CHK_IN_SLEEP:	0=Inactive	[SLEPC]	Checking current in SLEEP mode
     XLOW_SPEED_STATE:	0=Inactive	[XLSBS]	Fast Mode
root@raspberrypi:/home/pi/dji-firmware-tools# 

You can see that "SECURITY_MODE: 1=Full Access [SEC] Security Mode" with full access:)For my luck it was default password i believe.

Then i read BatteryStatus from it:

I have cleared error codes

And error code is green now.

Here is poor man's i2c-VGA solution.(Please be care if you use this method.I have some old laptop that i don't care much.You can damage VGA port if you exceed voltage levels.Before connecting anyhting i have measured both bms and VGA-i2c outputs with osciloscope.I am working on a solution to protect this i2c-VGA bus with some resistors and zener diodes.)

According to this blog we can use VGA port as i2c bus http://vogelchr.blogspot.com/2019/01/i2c-on-your-unusedlegacy-vga-output.html on linux.I already have Linux Mint on my old laptop and VGA port which i haven't been using about 7-8 years.

So i made a cable according to here:

Used this command to find out which i2c is VGA port:

$ grep "" /sys/bus/i2c/devices/i2c-*/name
/sys/bus/i2c/devices/i2c-0/name:SMBus I801 adapter at 0580
/sys/bus/i2c/devices/i2c-1/name:i915 gmbus ssc
/sys/bus/i2c/devices/i2c-2/name:i915 gmbus vga
/sys/bus/i2c/devices/i2c-3/name:i915 gmbus panel
/sys/bus/i2c/devices/i2c-4/name:i915 gmbus dpc
/sys/bus/i2c/devices/i2c-5/name:i915 gmbus dpb
/sys/bus/i2c/devices/i2c-6/name:i915 gmbus dpd
/sys/bus/i2c/devices/i2c-7/name:DPDDC-B
/sys/bus/i2c/devices/i2c-8/name:DPDDC-C

And connected to bms.

Probed it with i2cdetect -y 2 (number 2 is in my case vga name and voila!

I have checked Voltage and BatteryStats etc.

You can add this method your wiki or page if you want.

Maybe arduino brute force password cracker will be useful.I have many bms boards with different models of bq chips.I can test and contrubute if you will.

I hope it helps someone and you.Thanks for your again, effort to sniffing and reply.

[rapi3]

I have one Lenovo battery for T410 that now my laptop refuse it to charge and it have no +V on terminal, fuse it is ok,
here are the information I got using I2C on VGA port, at this moment I did not succed to fix this battery...

Strange but It looks like I can't Seal it ?!?

sudo python3 bat_report.py 2 0b
-------------------------------------------------

Manufacturer Name: Panasonic
Device Name: LNV-42T4793
Device Chemistry: LION
Serial Number: 0x407f
Manufacture Date: 2010.05.09
Manufacturer Access: 0x5001
Remaining Capacity Alarm: 562 mAh(/10mWh)
Remaining Time Alarm: 10 min
Battery Mode: 0x8000
At Rate: 0 mAh(/10mWh)
At Rate Time To Full: 65535 min
At Rate Time To Empty: 65535 min
At Rate OK: 65535
Temperature: 21.950000000000045 degC
Voltage: 11784 mV
Current: 0 mA
Average Current: 0 mA
Max Error: 0 %
Relative State Of Charge: 71 %
Absolute State Of Charge: 31 %
Remaining Capacity: 1726 mAh(/10mWh)
Full Charge Capacity: 2417 mAh(/10mWh)
Run Time To Empty: 65535 min
Average Time To Empty: 65535 min
Average Time To Full: 65535 min
Charging Current: 0 mA
Charging Voltage: 0 mV
Battery Status: 0xc0
Cycle Count: 703
Manufacturer Data: 
Cells voltage: 3936 3920 0 3928 mV

sudo python3 comm_sbs_bqctrl.py -vvv --bus "i2c:2" --dev_address 0x0b -c BQ40z50 sealing Unseal
Opening i2c:2
Importing comm_sbs_chips/BQ40z50.py
Store ManufacturerAccess.SecKeyWord0: 00 WORD=0x414
Write ManufacturerAccess: CMD=00 WORD=14 04
Store ManufacturerAccess.SecKeyWord1: 00 WORD=0x3672
Write ManufacturerAccess: CMD=00 WORD=72 36
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ40.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 58 0f 07 00 10 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.OperationStatus:	0xb1002142	bitfields	Operational Status bits
      SYS_PRESENT_LOW:	0=Inactive	[PRES]	System present input state low
       DSG_FET_STATUS:	1=Active	[DSG]	Discharge FET status
       CHG_FET_STATUS:	0=Inactive	[CHG]	Charge FET Status
      PCHG_FET_STATUS:	0=Inactive	[PCHG]	Precharge FET Status
          FUSE_STATUS:	0=Inactive	[FUSE]	FUSE input status
            RESERVED6:	1=Active	[Res6]	Reserved (Cell Balancing)
      TRIP_POINT_INTR:	0=Inactive	[BTPI]	Battery Trip Point Interrupt
        SECURITY_MODE:	1=Full Access	[SEC]	Security Mode
    SHUTDOWN_LOW_VOLT:	0=Inactive	[SDV]	Shutdown triggered via low pack voltage
        SAFETY_STATUS:	0=Inactive	[SS]	Safety mode status
    PERMANENT_FAILURE:	0=Inactive	[PF]	Permanent Failure mode status
 DISCHARGING_DISABLED:	1=Active	[XDSG]	Discharging Disabled
    CHARGING_DISABLED:	0=Inactive	[XCHG]	Charging Disabled
           SLEEP_MODE:	0=Inactive	[SLEEP]	Sleep mode condition met
       SHUTDOWN_BY_MA:	0=Inactive	[SDM]	Shutdown activated by SMBus command
          LED_DISPLAY:	0=Off	[LED]	LED Display state
         AUTH_ONGOING:	0=Inactive	[AUTH]	Authentication ongoing
   AUTO_CC_OFFS_CALIB:	0=Cal Done	[ACALM]	Auto CC offset calibration by SMBus cmd
    RAW_ADC_CC_OUTPUT:	0=Inactive	[CALOC]	Raw ADC/CC data calibration output
    RAW_CCOFFS_OUTPUT:	0=Inactive	[CALOO]	Raw CC offset data calibration output
     XLOW_SPEED_STATE:	0=Inactive	[XL]	400 kHz transmission SMBus mode
          SLEEP_BY_MA:	0=Inactive	[SLEPM]	SLEEP mode activated by SMBus command
     INIT_AFTER_RESET:	1=Active	[INIT]	Initialization after full reset
       SMB_CAL_ON_LOW:	0=Not in Cal	[SLCAL]	Auto CC calibration when the bus is low
    ADC_MEAS_IN_SLEEP:	0=Inactive	[SLPAD]	ADC Measurement in SLEEP mode
     CC_MEAS_IN_SLEEP:	0=Inactive	[SLPCC]	Current Check measurement in SLEEP mode
       CELL_BALANCING:	1=Active	[CB]	Cell balancing status
   EMERGENCY_SHUTDOWN:	1=Active	[EMSHT]	Emergency Shutdown
           RESERVED31:	1=Active	[ResU]	Reserved bit 31

sudo python3 comm_sbs_bqctrl.py -vvv --bus "i2c:2" --dev_address 0x0b -c BQ30z50 read BatteryStatus
Opening i2c:2
Importing comm_sbs_chips/BQ40z50.py
Reading simple command at addr=0xb, cmd=0x16, type=uint16, opts={'subcmd': None}
Raw BatteryStatus response: c0 00 33
BatteryStatus:	0x00c0	bitfields	Battery's Alarm and Status bit flags
                ERROR_CODE:	0=OK	[EC]	Function error code
          FULLY_DISCHARGED:	0=Not fully	[FD]	Battery capacity is depleted
             FULLY_CHARGED:	0=Not fully	[FC]	Battery is full
               DISCHARGING:	1=Yes	[DSG]	Battery is discharging
               INITIALIZED:	1=Recalibrate	[INIT]	State of calibration/configuration
      REMAINING_TIME_ALARM:	0=Inactive	[RTA]	Remaining time to depletion alarm tripped
  REMAINING_CAPACITY_ALARM:	0=Inactive	[RCA]	Remaining capacity alarm tripped
 TERMINATE_DISCHARGE_ALARM:	0=Inactive	[TDA]	Battery capacity is depleted
     OVERTEMPERATURE_ALARM:	0=Inactive	[OTA]	Temperature is above pre-set limit
    TERMINATE_CHARGE_ALARM:	0=Inactive	[TCA]	Charging should be suspended
        OVER_CHARGED_ALARM:	0=Inactive	[OCA]	Battery is fully charged

sudo python3 comm_sbs_bqctrl.py -vvv --bus "i2c:2" --dev_address 0x0b -c BQ40z50 read ManufacturerAccess.ChargingStatus
Opening i2c:2
Importing comm_sbs_chips/BQ40z50.py
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ40.ChargingStatus: 85>}
Query ManufacturerAccess.ChargingStatus: 00 WORD=0x55
Write ManufacturerAccess: CMD=00 WORD=55 00
Raw ManufacturerAccess.ChargingStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 58 0f 07 00 10 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.ChargingStatus:	0x002142	bitfields	Charging Status bits
       UNDER_TEMPERATURE:	0=Inactive	[UT]	Under Temperature Region
         LOW_TEMPERATURE:	1=Active	[LT]	Low Temperature Region
     STD_TEMPERATURE_LOW:	0=Inactive	[STL]	Standard Temperature Low Region
 RECOMMENDED_TEMPERATURE:	0=Inactive	[RT]	Recommended Temperature Region
    STD_TEMPERATURE_HIGH:	0=Inactive	[STH]	Standard Temperature High Region
        HIGH_TEMPERATURE:	0=Inactive	[HT]	High Temperature Region
        OVER_TEMPERATURE:	1=Active	[OT]	Over Temperature Region
       PRECHARGE_VOLTAGE:	1=Active	[PV]	Precharge Voltage Region
             LOW_VOLTAGE:	0=Inactive	[LV]	Low Voltage Region
             MID_VOLTAGE:	0=Inactive	[MV]	Mid Voltage Region
            HIGH_VOLTAGE:	0=Inactive	[HV]	High Voltage Region
          CHARGE_INHIBIT:	0=Inactive	[IN]	Charge Inhibit
      MAINTENANCE_CHARGE:	1=Active	[MCHG]	Maintenance charge
      CHARGE_TERMINATION:	0=Inactive	[VCT]	Valid Charge Termination
   CHARGING_CURRENT_RATE:	0=Inactive	[CCR]	Charging Current Rate of Change
   CHARGING_VOLTAGE_RATE:	0=Inactive	[CVR]	Charging Voltage Rate of Change
 CHARGING_CURRENT_COMPNS:	0=Inactive	[CCC]	Charging Current Loss Compensation

sudo python3 comm_sbs_bqctrl.py -vvv --bus "i2c:2" --dev_address 0x0b -c BQ30z50 --short monitor BQStatusBitsMA
Opening i2c:2
Importing comm_sbs_chips/BQ30z554.py
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.SafetyAlert: 80>}
Query ManufacturerAccess.SafetyAlert: 00 WORD=0x50
Write ManufacturerAccess: CMD=00 WORD=50 00
Raw ManufacturerAccess.SafetyAlert response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.SafetyAlert:    	0xb1002142	bitfields	Safety Alert bits
[ ResU=1][ ResT=0][ ResS=1][ ResR=1][ ResQ=0][ ResP=0][ ResO=0][ CHGV=1] 
[ CHGC=0][   OC=0][ CTOS=0][  CTO=0][ PTOS=0][  PTO=0][  HWD=0][  OTF=0] 
[ ResF=0][ CUVC=0][  OTD=1][  OTC=0][ ResB=0][  SCD=0][ Res9=0][  SCC=1] 
[ Res7=0][  OLD=1][ OCD2=0][ OCD1=0][ OCC2=0][ OCC1=0][  COV=1][  CUV=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.SafetyStatus: 81>}
Query ManufacturerAccess.SafetyStatus: 00 WORD=0x51
Write ManufacturerAccess: CMD=00 WORD=51 00
Raw ManufacturerAccess.SafetyStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.SafetyStatus:   	0xb1002142	bitfields	Safety Status bits
[ ResU=1][ ResT=0][ ResS=1][ ResR=1][ ResQ=0][ ResP=0][ ResO=0][ CHGV=1] 
[ CHGC=0][   OC=0][ ResK=0][  CTO=0][ ResI=0][  PTO=0][  HWD=0][  OTF=0] 
[ ResF=0][ CUVC=0][  OTD=1][  OTC=0][ SCDL=0][  SCD=0][ SCCL=0][  SCC=1] 
[ OLDL=0][  OLD=1][ OCD2=0][ OCD1=0][ OCC2=0][ OCC1=0][  COV=1][  CUV=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.PFAlert: 82>}
Query ManufacturerAccess.PFAlert: 00 WORD=0x52
Write ManufacturerAccess: CMD=00 WORD=52 00
Raw ManufacturerAccess.PFAlert response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.PFAlert:        	0xb1002142	bitfields	Permanent Fail Alert bits
[ ResU=1][ ResT=0][ ResS=1][ ResR=1][ ResQ=0][ ResP=0][OCECO=0][ ResN=1] 
[ ResM=0][ 2LVL=0][ AFEC=0][ AFER=0][ FUSE=0][THERM=0][ DFET=0][CFETF=0] 
[ ResF=0][ ResE=0][ ResD=1][ VIMA=0][ VIMR=0][   CD=0][  IMP=0][   CB=1] 
[  QIM=0][  OTF=1][ Res5=0][ OTCE=0][ Res3=0][CUDEP=0][  COV=1][  CUV=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.PFStatus: 83>}
Query ManufacturerAccess.PFStatus: 00 WORD=0x53
Write ManufacturerAccess: CMD=00 WORD=53 00
Raw ManufacturerAccess.PFStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.PFStatus:       	0xb1002142	bitfields	Permanent Fail Status bits
[ ResU=1][ ResT=0][ ResS=1][ ResR=1][ ResQ=0][  DFW=0][OCECO=0][  IFC=1] 
[  PTC=0][ 2LVL=0][ AFEC=0][ AFER=0][ FUSE=0][THERM=0][ DFET=0][CFETF=0] 
[ ResF=0][ ResE=0][ ResD=1][ VIMA=0][ VIMR=0][   CD=0][  IMP=0][   CB=1] 
[  QIM=0][  OTF=1][ Res5=0][ OTCE=0][ Res3=0][CUDEP=0][  COV=1][  CUV=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.OperationStatus:	0xb1002142	bitfields	Operational Status bits
[ ResU=1][ ResT=0][ ResS=1][XLSBS=1][SLEPC=0][SLEPQM=0][SLCAL=0][ INIT=1] 
[SLEPM=0][  SDV=0][ CALO=0][  FVS=0][  AWD=0][ AUTH=0][ SHPM=0][  SDM=0] 
[SLEEP=0][ XCHG=0][ XDSG=1][   PF=0][   SS=0][  CAL=0][           SEC=1] 
[  LED=0][   CB=1][ FUSE=0][ GPOD=0][ PCHG=0][  CHG=0][  DSG=1][ PRES=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.ChargingStatus: 85>}
Query ManufacturerAccess.ChargingStatus: 00 WORD=0x55
Write ManufacturerAccess: CMD=00 WORD=55 00
Raw ManufacturerAccess.ChargingStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.ChargingStatus: 	0x002142	bitfields	Charging Status bits
[ ResN=0][ ResM=0][ ResL=0][ ResK=0][ ResJ=0][ MCHG=0][ ResH=0][  VCT=0] 
[  CCC=0][  CVR=0][  CCR=1][   SU=0][   IN=0][   HV=0][   MV=0][   LV=1] 
[   PV=0][   OT=1][   HT=0][  STH=0][   RT=0][  STL=0][   LT=1][   UT=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.GaugingStatus: 86>}
Query ManufacturerAccess.GaugingStatus: 00 WORD=0x56
Write ManufacturerAccess: CMD=00 WORD=56 00
Raw ManufacturerAccess.GaugingStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.GaugingStatus:  	0x2142	bitfields	Gauging Status bits
[LPFRlx=0][  TCA=0][  TDA=1][OCVFR=0][ LDMD=0][   RX=0][ QMax=0][  VDQ=1] 
[ NSFM=0][   FC=1][   FD=0][  QEN=0][  VOK=0][   RU=0][  DSG=1][RESTD0=0] 
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ30.ManufacturingStatus: 87>}
Query ManufacturerAccess.ManufacturingStatus: 00 WORD=0x57
Write ManufacturerAccess: CMD=00 WORD=57 00
Raw ManufacturerAccess.ManufacturingStatus response: 0e 42 21 00 b1 5f 0f 50 0f 00 00 57 0f 07 00 c2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
MA.ManufacturingStatus:	0x2142	bitfields	Manufacturing Status bits
[  CAL=0][ ResE=0][ ResD=1][ ResC=0][ ResB=0][ ResA=0][  LED=0][ FUSE=1] 
[  BBR=0][   PF=1][   LF=0][  FET=0][GAUGE=0][  DSG=0][  CHG=1][ PCHG=0]