DerFetzerJul 7, 2024

Trying to figure out how my #ThinkPad Edge #E531 does the detection that it has a "genuine" battery.

Of course it has to be implemented inside the EC firmware.

It is an ENE KB9012. I have the datasheet as well as a dump of its firmware and the schematics for the laptop. But I cannot find where it writes to or reads from the right #SMBus registers.

Does anyone know where I can get in contact with the right people in this domain?

#reverseengineering #followerpower #firmware #hacking #8051

Show thread8051 enthusiast
@DerFetzer at least on my ideapad laptop it does a sha-1 challange response (https://8051enthusiast.github.io/2021/07/05/001-EC_legacy.html#a-cryptic-piece-of-code), maybe it could be something similar in your case? there's also https://zmatt.net/unlocking-my-lenovo-laptop-part-3/ that deals with the same problem
The Embedded Controller and Its Legacy

Jul 7, 2024 at 9:54pmWeb
Show threadDerFetzerJul 7, 2024

@8051enthusiast Thank you very much for the links!
I can see those 20 Bytes challenges in my SMBus traces!

The SHA-1 constants from your firmware are not in mine so it might be another algorithm. But I am not that much interested in the specific algorithm but rather how to disable the check completely.

I finally managed to find code that reads from the SMBus data registers in a strange way that's why I did not find it in the first place.

It is starting to make more sense!