Looking inside an iPhone 4/4S battery

A classmate of mine had a couple broken iPhones that he ‘relieved’ of their batteries and let me take a look at them. Being the curious type I peeled away the outer layers of tape to reveal the protection circuit. I spotted a current sense resistor, andย  that got me thinking…

… can it be? Yes, I found a bq27541 fuel gauge chip inside the battery! After fooling around with the battery, I found out that the battery is using the HDQ interface.

iphone battery pinoutThe HDQ bus, which stands for ‘High-speed Data Queue’, is a single-wire communications bus used by TI fuel gauges. It’s similar to Maxim’s 1-Wire protocol but runs with different protocols and timing. It operates at 7 kilobits per second (so much for ‘high speed’ right? ๐Ÿ˜› ) and a refresh of the data memory in the TI software can take almost half a minute. However, it’s good enough for occasional polling (like every minute or so) since it’s unlikely that the gauge will be read from every second.

The bq27541(labeled BQ 7541) in the iPhone battery runs an unusual firmware version. It’s running version 1.35 and doesn’t match with any release on TI’s website. The gas gauge is sealed so initially it seems like gaining access to the Data Flash memory would be impossible. However, in non-Apple fashion, the gauge’s passwords are left at the default; 0x36720414 and 0xFFFFFFFF for the unseal and full-access keys, respectively (and it’s not the first time Apple’s done this!). Since the firmware version is unknown, I told bqEVSW to treat the chip as if it were the bq27541-V200. I then saved only the calibration, capacity, resistance and lifetime data.

Updating the firmware over HDQ was a nightmare. It took over a dozen tries for each of the two batteries I had, and the update process took 45 minutes (!) to update the bq27541 to the V200 firmware. At one point, it seemed as if I bricked the chip, but a power-on reset of the chip by shorting the cell very quickly ๐Ÿ˜€ sent the device into ROM mode (ie. firmware-update mode). From there I used bqCONFIG to update the firmware, and it was successful! Now I could use GaugeStudio to interface with the gauge rather than the unsightly bqEVSW software.

bq27541 updated to version 2.00

bq27541 updated to version 2.00

Given how long it took for me to update the firmware of the gauge, I have doubts that iPhones will update their batteries’ firmware in-system. Hell, the iPhone OS ignores the bq27541’s State of Charge readings and substitutes its own. Nice going, Apple!

Now to start going through cell phone recycling bins to pull out dead iPhone batteries for their gauges…