Any experience with Mini 3/4 Pro aftermarket batteries based on SH366000 chip? #416
Comments
Unsealing method is clearly different - 2x 16-bit numbers are the key/password in the original, in the clone you have 4x 16-bit numbers. You also initiate the unseal differently - in the original you just send the password (which means the password cannot be the same as existing commands) and it works. Here, you send 0x08FF and then the password (in the following 8 bytes). The implementation in the unofficial tool is here: Anyway, I don't have any experience with this chip. Have you tried the "typical value" from the spec? "0xaa 0xbb 0xcc 0xdd"? Also worth checking simple values following the same scheme as the default key, like "12 34 56 78".
True, but it also imitates a lot of functionality and messages of the bq40z307, so as mentioned I've tried both the bq40z307 unseal as well as the SH366000 one.
Yes, I've tried a couple of 'possible' passwords, but none of them worked. BTW the SH366000 unseal method requires words, not bytes, but I've tried "0xaaaa 0xbbbb 0xcccc 0xdddd", "0x6161 0x6262 0x6363 0x6464" (ASCII for aa bb cc dd from the PDF), "0x4141 0x4242 0x4343 0x4444" (ASCII of the uppercase variant AA BB CC DD), "0x0123 0x4567 0x89AB 0xCDEF" (because why not), various combinations of the known bq40z307 passwords (unseal and full access ones combined have the length required) and some other random ones that came to my mind.
Hi does anyone (@mefistotelis? @mixeysan?) have any experience with Mini 3/4 Pro aftermarket batteries based on SH366000 chip that imitates bq40z307?
Couple of months ago a firmware update made these batteries 'unflyable' which is a pity. I've done some experiments and managed to figure out that (as it happened in the past) the aftermarket battery serial numbers are blacklisted, and when the serial number (the one that can be read with D8 command) is replaced with a known good one during the I2C communication, then the battery is considered good again by the firmware.
The problem is that I'm unable to permanently replace the number in the battery itself as it seems to be sealed. Tried some known unseal keys but with no luck. The battery firmware seems to imitate the bq40z307 firmware well enough, but no luck with unsealing (tried using both the standard bq40z307 unseal commands as well as SH366000 specific ones, using this tool).
Did anybody have any experience with the SH366000 chip before?
Here is the battery itself
And here are the internals (not the exact same battery, image borrowed from someone else's teardown).
Here is the basic datasheet for SH366000 (in Chinese but can be easily Google-translated)
SH366000 User Guide CV0.6.pdf