Monthly Archives: September 2014

Looking inside a (fake) iPhone 5S battery

Posted on by
18

Considering how popular the iPhone is, there’s always going to be some counterfeits out there. I’ve been out buying various iPhone batteries to build a database of each generation’s characteristics, but one model has eluded me so far: the iPhone 5S. The iPhone 5C’s battery that I bought appears to be genuine (but with its own issues), but none of the iPhone 5S batteries I’ve bought so far (4 of them at the time of writing this blog post) were genuine. All of these fakes look like a genuine battery at first glance, but all of them share a few common traits.

Battery teardown

The fake battery sports the usual iPhone battery information, complete with some dot-matrix printed data and a data-matrix barcode. It’s labeled with a capacity of 1560 mAh and 3.8 volts nominal voltage.

Comparison between real and fake iPhone 5S battery

Comparison between real and fake iPhone 5S battery

The connector itself has two points for soldering the connector to provide durability. However, with the fake batteries, they are not soldered down. The two spots on the ends of the connectors are dark with a small point visible inside it (that point is the reinforcement pin on the connector). If this connector is installed in an iPhone, it will probably not come out without either damaging the battery’s connector, or worse, leave the plastic connector piece inside the phone, requiring tweezers to remove.

Connector lifted off with a hobby knife

Connector lifted off with a hobby knife

iPhone 5S and 5C battery pinout

iPhone 5S and 5C battery pinout

Removing the black protective tape reveals an iPhone 4 battery fuel gauge board. The connector is soldered to this board, with four solder points visible.

iPhone 4 battery PCB with soldered-on flat flex connector

iPhone 4 battery PCB with soldered-on flat flex connector

Pulling out the PCB  reveals another characteristic of these fake batteries: the positive terminal is cut short, with another metal section being clumsily spot-welded to the stub on the cell.

Note how the battery tab is poorly welded to the PCB.

Note how the battery tab is poorly welded to the PCB.

Battery fuel gauge data

The battery fuel gauge requires proper programming to accurately indicate the battery’s charge status. Because of this, each iPhone battery generation has its own specific configuration.

The fake iPhone battery retains the programming for the iPhone 4’s battery, which is a designed capacity of 1420 mAh, using a bq27541 fuel gauge running version 1.25 firmware. The data inside it is often that of a used/recycled battery as well.

This data can be (partially) read out directly from the iPhone with a tool such as iBackupBot, but more data can be read if the battery is read with another tool. I have the EV2400 from Texas Instruments to read this out on a PC, but this data can be read out with a USB-to-TTL serial port, a logic gate (a logic inverter) and a small MOSFET transistor.

I created a small tool that uses this circuit to interface with the fuel gauge and read out its data. Check it out here.

Using my tool, this is the report for one of these fake batteries. Note how it is identified as an iPhone 4 battery. Don’t be fooled by the calculated state of health. It’s not accurate for this battery as the fuel gauge still thinks it’s still inside an iPhone 4 battery pack.


**** START OF HDQ BATTERY LOG REPORT ****
HDQ Gas Gauge Readout Tool version 0.9 by Jason Gin
Date: 9/30/2014
Time: 0:52:24
Serial port: COM26

Battery Identification
========================
DEVICE_TYPE = 0x0541, FW_VERSION = 0x0125, DESIGN_CAPACITY = 1420 mAh
Battery's configuration matches that of a standard iPhone 4 battery.

Basic Battery Information
===========================
Device = bq27541 v.1.25, hardware rev. 0x00B5, data-flash rev. 0x0000
Voltage = 3804 mV
Current = 0 mA
Power = 0 mW
State of charge = 45%
Reported state of health = 0%
Calculated state of health = 99.3%
Cycle count = 14 times
Time to empty = N/A (not discharging)
Temperature = 27.9 °C (80.3 °F) (3009 raw)
Designed capacity = 1420 mAh
Heavy load capacity = 628/1410 mAh
Light load capacity = 673/1455 mAh

Advanced Battery Information
==============================
Capacity discharged = 0 mAh
Depth of discharge at last OCV update = ~778 mAh (8768 raw)
Maximum load current = -200 mA
Impedance Track chemistry ID = 0x0163
Reset count = 11 times

Flags = 0x0180
Flag interpretation:
* Fast charging allowed
* Good OCV measurement taken
* Not discharging

Control Status = 0x6219
Control Status interpretation:
* SEALED security state
* SLEEP power mode
* Constant-power gauging
* Qmax update voltage NOT OK (Or in relax mode)
* Impedance Track enabled

Pack Configuration = 0x8931
Pack Configuration interpretation:
* No-load reserve capacity compensation enabled
* IWAKE, RSNS1, RSNS0 = 0x1
* SLEEP mode enabled
* Remaining Capacity is forced to Full Charge Capacity at end of charge
* Temperature sensor: External thermistor

Device name length = 7 bytes
Device name: bq27541

**** END OF HDQ BATTERY LOG REPORT ****

Reading out HDQ-equipped battery fuel gauges with a serial port

Posted on by
78

Battery fuel gauges are the unsung hero of the battery world. There’s more to it than just measuring the voltage on the battery terminals,. These little chips are microcontrollers (tiny computers, essentially) that sit inside the battery pack and keep tabs on the battery’s performance for the life of that battery pack.

Texas Instruments makes battery fuel gauges that are small enough to fit in the circuitry of a cell phone, and one of the most common ones that uses this technology are iPhone batteries. These batteries use a single-wire interface called HDQ (which stands for High-Speed Data Queue). It may sound similar to Dallas Semiconductors’ 1-Wire protocol, but the two are completely different and incompatible with each other.

Protocol details

The HDQ protocol can be emulated with a serial port and a little bit of external circuitry. The protocol can be emulated with a serial port at 57600 baud with 8 data bits, no parity bit and 2 stop bits. Because this is a bi-directional bus, an open-drain configuration is needed. Most TTL serial ports are not open-drain, so some circuitry is required to do this. TI’s application note suggests using a CMOS inverter and an N-channel MOSFET along with a 1 kOhm pull-up resistor, but this can be cut down with a 74HC07 open-drain buffer and pull-up resistor.

[EDIT: June 13, 2015 – Corrected schematic]

The HDQ protocol uses a short pulse to indicate a logic 1, with a longer pulse to indicate a logic 0. The data is sent LSB (least significant byte) first, with a 7-bit address and an eighth bit to indicate if the operation is a read or write (0 is read, 1 is write). If it is a read operation, the fuel gauge will respond with one byte of data. As you might think, this is a very slow means of communication; the typical bus speed is 5-7 kilobits per second, but the actual usable throughput will be less than this.

The hack in this is that the bit timing can be made by sending a specially crafted UART byte that meets the timing specifications. Each bit takes up one byte of UART buffer memory, with 24 bytes being enough to perform an HDQ read (the first 8 bytes are echoed back to the PC and need to be ignored by the software). TI’s application note goes into this with a bit more detail.

Windows HDQ utility

HDQ utility icon, in all its pixelated glory.

HDQ utility icon, in all its pixelated glory.

I have written a small Windows program that will read out the battery’s main data, identify as a certain iPhone battery model (most iPhone batteries are supported), and save a copy of this data to a text file for safekeeping. This program requires the National Instruments LabWindows/CVI Runtime library to run, since I whipped this program up with the first available IDE on my college PC.

fdd82eef8d

Screenshot of HDQ Utility version 0.96

The source code is not yet available (translation: I’m too ashamed of my programming skills to share it with others); however, a Windows executable is available for download below.

You will need to download the National Instruments LabWindows/CVI Runtime to run this program.

Current version (0.96): https://www.dropbox.com/s/pf0vszgfei7s8ly/HDQ%20Utility%200.96.zip?dl=0

Version 0.95: https://www.dropbox.com/s/7xdurbh9qibdftl/HDQ%20Utility%200.95.zip?dl=0
Version 0.9: https://www.dropbox.com/s/cd3esa5us6elfgr/HDQ%20Utility.zip?dl=0

Contributions are always accepted! Email me if you would like to send in a battery for me to analyze, or you can buy me a coffee through PayPal:


[EDIT – July 28, 2016] Welp, looks like the PayPal button’s broken (or was it never working to begin with…?). If you’d like to send anything to me, just give me a shout at ginbot86@gmail.com!

[EDIT – August 2, 2016] Whoops, looks like I never had the button working in the first place. Hopefully it works this time.

 

So Phone Me Maybe: A list of iPhone/iPad batteries with gas gauge functionality

Posted on by
43

Looking for my HDQ Utility to read out your own batteries? Click here!

UPDATE: Turns out the iPhone 3G and 3GS do have gas gauges! I will add them to my list as I find out more about them.

Each iPhone generation since the iPhone 4 iPhone 3G uses a TI gas gauge and uses the HDQ bus (iOS refers to this as the SWI [single-wire interface]) to communicate with the outside world. For more information about the HDQ protocol, click here.

I’ve noticed that many of the iPhone 5S and 5C batteries that can be purchased online are reusing iPhone 4 circuits, which will cause a significant decrease in gauge accuracy (proper parameters need to be programmed into the gas gauge, and that information is chemistry dependent), and the protection circuits in the iPhone 4 battery PCB will kick into overvoltage protection mode at 4.25 volts, less than the 4.3 volts that the iPhone 5 (and newer) batteries need to charge fully.

Because I have been unable to find a list of information of each battery generation, I’m making one myself. Because nobody else has dug this deep into the fuel gauges that the iPhone uses, I have to get this information experimentally (that is, by buying various batteries from online shops; the iPhone 5S battery has been very difficult to get, besides the fake ones I mentioned earlier).

So far I’m in need of an iPhone 3G (not the 3GS) battery, as well as all iPad batteries (or, if you have my program on hand, what model the battery is intended for, the fuel gauge device (eg. bq27541, bq27545), firmware version and designed capacity.

Model Gas Gauge Firmware Designed Capacity Default Unseal Key? Comments
iPhone 3G bq27541 ? ? Yes (0x36720414) Need to acquire one of these.
iPhone 3GS bq27541 1.17 1200 mAh Yes (0x36720414) Limited feature set. My utility will throw “No response” errors when reading this battery.
iPhone 4 bq27541 1.25 1420 mAh Yes (0x36720414)
iPhone 4S bq27541 1.35 1430 mAh Yes (0x36720414)
iPhone 5 bq27545 3.10 1430 mAh No (0x52695035) Many thanks to Yann B. for finding the unseal key!
iPhone 5S bq27545 3.10 1550 mAh No (0x84966864)
iPhone 5C bq27545 3.10 1500 mAh No (0x84966864)
iPhone 6 sn27545-A4 (note 4) 5.02 1751 mAh No (0x65441236)
iPhone 6 Plus sn27545-A4 (note 4) 5.02 2855 mAh No (0x18794977)
iPhone 6S sn27546-A5 (note 5) 6.01 1690 mAh No (0x90375994)
iPhone 6S Plus sn27546-A5 (note 5) 6.01 2725 mAh No (0x11022669)
iPhone SE Unrecognized (note 6, 7) (A1141/0x1141) 1.03 1560 mAh No (unknown) (See note 6)
Apple Watch (38mm) sn27545-A4 5.02 235 mAh No (0x09130978)
Apple Watch (42mm) sn27545-A4 5.02 245 mAh No (unknown) If anyone has one that reads “FULL ACCESS” in my program, please send it to me! 🙂
iPad (3rd gen) bq27541 1.35 11560 mAh Yes (0x36720414)

Notes:

  1. All known iPhone battery models use custom firmware, so not all of the features that the mainstream gas gauge models use are available. For example, none of these gauges will calculate the battery’s State of Health percentage (it is basically the percentage of the battery’s full charge capacity (it degrades with use) versus its designed capacity.
  2. The iPhone 5C’s battery label indicates a designed capacity of 1510 mAh, but the battery I’ve received indicates a capacity of 1550 mAh. As I have only been able to get one of these batteries that seem to be genuine, I will need to get more batteries of this type to confirm that this information is correct.
  3. The iPhone 5’s battery label indicates a designed capacity of 1440 mAh, but the fuel gauge reports 1430 mAh. The 5S battery reports 1550 mAh, but is labeled 1560 mAh. The 5C reports 1500 mAh, but is labeled 1510 mAh.
  4. The iPhone 6 and 6 Plus use a special firmware that is identified in TI’s battery software (except the very latest releases where such data was removed), and it has a very extensive feature set, and a lot of data logging features.
  5. The iPhone 6S/6S Plus use a firmware version similar to the iPhone 6/6 Plus, but with a newer chip and some features trimmed out. I’m reasonably confident that the chip is an sn27546-A5 but have no idea if it’s the official part designator.
  6. The iPhone SE battery seems to have a unique custom chip, but has gone back to a DFN-based package (similar to bq27541) rather than a BGA like the bq27545/546. It is marked “A1141” and does not respond to my HDQ adapter, only the official TI EV2300/EV2400. I have only one in my possession, so I am not 100% sure whether this is true for this series of batteries.
  7. Come to think of it, I might have been ripped off with the battery I received, and it could very well be that I just have a counterfeit that uses a non-TI gauge.