Looking inside an iPhone 4/4S battery

A classmate of mine had a couple broken iPhones that he ‘relieved’ of their batteries and let me take a look at them. Being the curious type I peeled away the outer layers of tape to reveal the protection circuit. I spotted a current sense resistor, and  that got me thinking…

… can it be? Yes, I found a bq27541 fuel gauge chip inside the battery! After fooling around with the battery, I found out that the battery is using the HDQ interface.

iphone battery pinoutThe HDQ bus, which stands for ‘High-speed Data Queue’, is a single-wire communications bus used by TI fuel gauges. It’s similar to Maxim’s 1-Wire protocol but runs with different protocols and timing. It operates at 7 kilobits per second (so much for ‘high speed’ right? 😛 ) and a refresh of the data memory in the TI software can take almost half a minute. However, it’s good enough for occasional polling (like every minute or so) since it’s unlikely that the gauge will be read from every second.

The bq27541(labeled BQ 7541) in the iPhone battery runs an unusual firmware version. It’s running version 1.35 and doesn’t match with any release on TI’s website. The gas gauge is sealed so initially it seems like gaining access to the Data Flash memory would be impossible. However, in non-Apple fashion, the gauge’s passwords are left at the default; 0x36720414 and 0xFFFFFFFF for the unseal and full-access keys, respectively (and it’s not the first time Apple’s done this!). Since the firmware version is unknown, I told bqEVSW to treat the chip as if it were the bq27541-V200. I then saved only the calibration, capacity, resistance and lifetime data.

Updating the firmware over HDQ was a nightmare. It took over a dozen tries for each of the two batteries I had, and the update process took 45 minutes (!) to update the bq27541 to the V200 firmware. At one point, it seemed as if I bricked the chip, but a power-on reset of the chip by shorting the cell very quickly 😀 sent the device into ROM mode (ie. firmware-update mode). From there I used bqCONFIG to update the firmware, and it was successful! Now I could use GaugeStudio to interface with the gauge rather than the unsightly bqEVSW software.

bq27541 updated to version 2.00

bq27541 updated to version 2.00

Given how long it took for me to update the firmware of the gauge, I have doubts that iPhones will update their batteries’ firmware in-system. Hell, the iPhone OS ignores the bq27541’s State of Charge readings and substitutes its own. Nice going, Apple!

Now to start going through cell phone recycling bins to pull out dead iPhone batteries for their gauges…


Tearing down a Razer Orochi Bluetooth gaming mouse

Today, I randomly felt like I should take apart my Razer Orochi gaming mouse to see what’s inside. I figured that if I’m going to take it apart, I should document it.

So I did.

2013-05-12 16.26.39

The Razer Orochi is a laptop gaming mouse made by a company called Razer. They make a lot of gaming products like keyboards, mice and headsets. My brother has a bunch of Razer gaming devices (keyboard, headset and mouse) but this is my only Razer product that I own. The Orochi has a detachable micro-USB cord and also has Bluetooth support.

Looking inside, it appears that Razer definitely built this device to a price point. There are only 4 screws holding the device together (T6 Torx screws) and the rest are held together with plastic posts, with some components having the end posts melted to form a “weld” which might hamper repair efforts later if need be.

As for the electronics inside the mouse, there is a Freescale MC9S08JM60 8-bit HC08-architecture microcontroller, housing a 48 MHz CPU, 60 kB of program Flash memory, 4 kB of SRAM, 256 bytes of USB buffer RAM, a full-speed USB interface (12 Mbps), a real-time clock (I doubt that’s being used :)), an 8-pin keyboard interrupt module, and a few other peripherals expected of any general microcontroller (ADC, hardware serial interfaces, etc.). Bluetooth support is provided by a Broadcom BCM2042 module, which is advertised as being a single-chip device providing the HID (Human Interface Device) class and a full Bluetooth stack. It has its own 8051 8-bit CPU, 20 kB of internal SRAM, 8 kB of its own flash memory for configuration data, keyboard inputs, LED and LCD display drivers, quadrature decoders and a bunch of other features which are likely to be unused.

I was intending to replace the LEDs in the mouse (blue is such an ugly colour for LEDs) but it appears that the one on the mainboard is a red/blue bi-colour LED and the one in the scroll wheel is encased in plastic which has the end post melted in lieu of a screw.

Oh well, at least I was able to take a look inside this little piece of plastic and electronics.