Looking inside a (fake) iPhone 5S battery

Considering how popular the iPhone is, there’s always going to be some counterfeits out there. I’ve been out buying various iPhone batteries to build a database of each generation’s characteristics, but one model has eluded me so far: the iPhone 5S. The iPhone 5C’s battery that I bought appears to be genuine (but with its own issues), but none of the iPhone 5S batteries I’ve bought so far (4 of them at the time of writing this blog post) were genuine. All of these fakes look like a genuine battery at first glance, but all of them share a few common traits.

Battery teardown

The fake battery sports the usual iPhone battery information, complete with some dot-matrix printed data and a data-matrix barcode. It’s labeled with a capacity of 1560 mAh and 3.8 volts nominal voltage.

Comparison between real and fake iPhone 5S battery


The connector itself has two points for soldering the connector to provide durability. However, with the fake batteries, they are not soldered down. The two spots on the ends of the connectors are dark with a small point visible inside it (that point is the reinforcement pin on the connector). If this connector is installed in an iPhone, it will probably not come out without either damaging the battery’s connector or, worse, leaving the plastic connector piece inside the phone, requiring tweezers to remove.

Connector lifted off with a hobby knife


iPhone 5S and 5C battery pinout


Removing the black protective tape reveals an iPhone 4 battery fuel gauge board. The connector is soldered to this board, with four solder points visible.

iPhone 4 battery PCB with soldered-on flat flex connector


Pulling out the PCB reveals another characteristic of these fake batteries: the positive terminal is cut short, with another metal section being clumsily spot-welded to the stub on the cell.

Note how the battery tab is poorly welded to the PCB.


Battery fuel gauge data

The battery fuel gauge requires proper programming to accurately indicate the battery’s charge status. Because of this, each iPhone battery generation has its own specific configuration.

The fake iPhone battery retains the programming for the iPhone 4’s battery, which is a designed capacity of 1420 mAh, using a bq27541 fuel gauge running version 1.25 firmware. The data inside it is often that of a used/recycled battery as well.

This data can be (partially) read out directly from the iPhone with a tool such as iBackupBot, but more data can be read if the battery is read with another tool. I have the EV2400 from Texas Instruments to read this out on a PC, but this data can be read out with a USB-to-TTL serial port, a logic gate (a logic inverter) and a small MOSFET transistor.

I created a small tool that uses this circuit to interface with the fuel gauge and read out its data. Check it out here.

Using my tool, this is the report for one of these fake batteries. Note how it is identified as an iPhone 4 battery. Don’t be fooled by the calculated state of health. It’s not accurate for this battery, as the fuel gauge thinks it’s still inside an iPhone 4 battery pack.


**** START OF HDQ BATTERY LOG REPORT ****
HDQ Gas Gauge Readout Tool version 0.9 by Jason Gin
Date: 9/30/2014
Time: 0:52:24
Serial port: COM26

Battery Identification
========================
DEVICE_TYPE = 0x0541, FW_VERSION = 0x0125, DESIGN_CAPACITY = 1420 mAh
Battery's configuration matches that of a standard iPhone 4 battery.

Basic Battery Information
===========================
Device = bq27541 v.1.25, hardware rev. 0x00B5, data-flash rev. 0x0000
Voltage = 3804 mV
Current = 0 mA
Power = 0 mW
State of charge = 45%
Reported state of health = 0%
Calculated state of health = 99.3%
Cycle count = 14 times
Time to empty = N/A (not discharging)
Temperature = 27.9 °C (80.3 °F) (3009 raw)
Designed capacity = 1420 mAh
Heavy load capacity = 628/1410 mAh
Light load capacity = 673/1455 mAh

Advanced Battery Information
==============================
Capacity discharged = 0 mAh
Depth of discharge at last OCV update = ~778 mAh (8768 raw)
Maximum load current = -200 mA
Impedance Track chemistry ID = 0x0163
Reset count = 11 times

Flags = 0x0180
Flag interpretation:
* Fast charging allowed
* Good OCV measurement taken
* Not discharging

Control Status = 0x6219
Control Status interpretation:
* SEALED security state
* SLEEP power mode
* Constant-power gauging
* Qmax update voltage NOT OK (Or in relax mode)
* Impedance Track enabled

Pack Configuration = 0x8931
Pack Configuration interpretation:
* No-load reserve capacity compensation enabled
* IWAKE, RSNS1, RSNS0 = 0x1
* SLEEP mode enabled
* Remaining Capacity is forced to Full Charge Capacity at end of charge
* Temperature sensor: External thermistor

Device name length = 7 bytes
Device name: bq27541

**** END OF HDQ BATTERY LOG REPORT ****
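The mismatch described above can be checked mechanically. The following is an added example, not part of the author's tool: it parses the identification and cycle-count lines of a report in this format and compares them with what the pack is sold as. The iPhone 4 profile and the 1560 mAh label come from the post; the function names, the 20 mAh tolerance and the one-cycle limit for a "new" pack are assumptions.

```python
import re

# Profile the post gives for a standard iPhone 4 pack (bq27541 v1.25, 1420 mAh).
KNOWN_PROFILES = {"iPhone 4": (0x0541, 0x0125, 1420)}

# Excerpt of the report above, trimmed to the fields this check reads.
SAMPLE_REPORT = """\
DEVICE_TYPE = 0x0541, FW_VERSION = 0x0125, DESIGN_CAPACITY = 1420 mAh
Cycle count = 14 times
Reset count = 11 times
"""

IDENT_RE = re.compile(
    r"DEVICE_TYPE = 0x([0-9A-Fa-f]{4}), FW_VERSION = 0x([0-9A-Fa-f]{4}), "
    r"DESIGN_CAPACITY = (\d+) mAh")
CYCLES_RE = re.compile(r"Cycle count = (\d+) times")

def parse_report(text):
    """Extract (device type, firmware, design capacity) and the cycle count."""
    ident, cycles = IDENT_RE.search(text), CYCLES_RE.search(text)
    if ident is None or cycles is None:
        raise ValueError("identification or cycle count line missing")
    return {"profile": (int(ident[1], 16), int(ident[2], 16), int(ident[3])),
            "cycle_count": int(cycles[1])}

def audit(text, claimed_model, label_mah, tolerance_mah=20, max_new_cycles=1):
    """Return findings for a pack sold as new under the given model and label."""
    report = parse_report(text)
    design_mah = report["profile"][2]
    findings = []
    # Assumed tolerance: small label/gauge differences are not flagged.
    if abs(design_mah - label_mah) > tolerance_mah:
        findings.append(f"capacity: gauge {design_mah} mAh vs label {label_mah} mAh")
    # Gauge programmed for a different generation than the one on the label.
    for model, profile in KNOWN_PROFILES.items():
        if profile == report["profile"] and model != claimed_model:
            findings.append(f"profile: gauge is programmed as {model}")
    # Assumed limit: a pack sold as new should show at most one cycle.
    if report["cycle_count"] > max_new_cycles:
        findings.append(f"wear: {report['cycle_count']} cycles on a pack sold as new")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT, "iPhone 5S", 1560):
        print(finding)
```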


Reading out HDQ-equipped battery fuel gauges with a serial port

Battery fuel gauges are the unsung heroes of the battery world. There’s more to it than just measuring the voltage on the battery terminals. These little chips are microcontrollers (tiny computers, essentially) that sit inside the battery pack and keep tabs on the battery’s performance for the life of that battery pack.

Texas Instruments makes battery fuel gauges that are small enough to fit in the circuitry of a cell phone, and some of the most common devices that use this technology are iPhone batteries. These batteries use a single-wire interface called HDQ (which stands for High-Speed Data Queue). It may sound similar to Dallas Semiconductor’s 1-Wire protocol, but the two are completely different and incompatible with each other.

Protocol details

The HDQ protocol can be emulated with a serial port running at 57600 baud with 8 data bits, no parity bit and 2 stop bits, plus a little bit of external circuitry. Because this is a bi-directional bus, an open-drain configuration is needed. Most TTL serial ports are not open-drain, so some circuitry is required to do this. TI’s application note suggests using a CMOS inverter and an N-channel MOSFET along with a 1 kOhm pull-up resistor, but this can be cut down to a 74HC07 open-drain buffer and a pull-up resistor.

[EDIT: June 13, 2015 – Corrected schematic]

The HDQ protocol uses a short pulse to indicate a logic 1, with a longer pulse to indicate a logic 0. The data is sent LSB (least significant bit) first, with a 7-bit address and an eighth bit to indicate if the operation is a read or write (0 is read, 1 is write). If it is a read operation, the fuel gauge will respond with one byte of data. As you might think, this is a very slow means of communication; the typical bus speed is 5-7 kilobits per second, but the actual usable throughput will be less than this.

The hack in this is that the bit timing can be made by sending a specially crafted UART byte that meets the timing specifications. Each bit takes up one byte of UART buffer memory, with 24 bytes being enough to perform an HDQ read (the first 8 bytes are echoed back to the PC and need to be ignored by the software). TI’s application note goes into this with a bit more detail.
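The framing described above, as an added example that is not the author's utility or TI's code: it builds the eight UART bytes for one HDQ command and decodes a reply by pulse length, skipping the echoed bytes. The byte values 0xFE and 0xC0, the 65 µs decision threshold, the register address 0x08 and the sample reply are assumptions derived from the 57600-baud bit time; the break pulse that precedes a command and the serial I/O itself are left out.

```python
BAUD = 57600
BIT_US = 1_000_000 / BAUD           # one UART bit time, about 17.4 us

# Assumed byte values: the start bit plus the low data bits (sent LSB first)
# form the HDQ low pulse. 0xFE is low for 2 bit times (short pulse, logic 1),
# 0xC0 is low for 7 bit times (long pulse, logic 0).
UART_ONE, UART_ZERO = 0xFE, 0xC0

def low_pulse_us(uart_byte):
    """Length in microseconds of the low pulse that a UART byte represents."""
    zeros = 0
    while zeros < 8 and not (uart_byte >> zeros) & 1:
        zeros += 1
    return (1 + zeros) * BIT_US     # +1 for the start bit

def encode_command(address, write=False):
    """Build the 8 UART bytes for one HDQ command byte, LSB first."""
    if not 0 <= address <= 0x7F:
        raise ValueError("HDQ addresses are 7 bits")
    command = address | (0x80 if write else 0x00)   # bit 7: 0 = read, 1 = write
    return bytes(UART_ONE if (command >> i) & 1 else UART_ZERO for i in range(8))

def decode_byte(uart_bytes, threshold_us=65.0):
    """Turn 8 received UART bytes (one per HDQ bit) into one data byte."""
    if len(uart_bytes) != 8:
        raise ValueError("expected 8 UART bytes, one per HDQ bit")
    value = 0
    for i, received in enumerate(uart_bytes):
        if low_pulse_us(received) < threshold_us:   # short pulse is a logic 1
            value |= 1 << i
    return value

def read_register(rx_buffer):
    """Discard the 8 echoed command bytes, then decode the gauge's reply."""
    if len(rx_buffer) < 16:
        raise ValueError("short read: the gauge did not answer")
    return decode_byte(rx_buffer[8:16])

# Constructed receive buffer: the echo of a read of address 0x08, followed by a
# reply whose pulse widths vary the way a real gauge's timing would.
SAMPLE_RX = encode_command(0x08) + bytes(
    [0xC0, 0xE0, 0xFE, 0xFC, 0xFE, 0xF0, 0xFE, 0xFE])

if __name__ == "__main__":
    print(encode_command(0x08).hex(" "))
    print(hex(read_register(SAMPLE_RX)))
```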

Windows HDQ utility

HDQ utility icon, in all its pixelated glory.


I have written a small Windows program that will read out the battery’s main data, identify it as a certain iPhone battery model (most iPhone batteries are supported), and save a copy of this data to a text file for safekeeping. This program requires the National Instruments LabWindows/CVI Runtime library to run, since I whipped this program up with the first available IDE on my college PC.


Screenshot of HDQ Utility version 0.96

The source code is not yet available (translation: I’m too ashamed of my programming skills to share it with others); however, a Windows executable is available for download below.

You will need to download the National Instruments LabWindows/CVI Runtime to run this program.

Current version (0.96): https://www.dropbox.com/s/pf0vszgfei7s8ly/HDQ%20Utility%200.96.zip?dl=0

Version 0.95: https://www.dropbox.com/s/7xdurbh9qibdftl/HDQ%20Utility%200.95.zip?dl=0
Version 0.9: https://www.dropbox.com/s/cd3esa5us6elfgr/HDQ%20Utility.zip?dl=0

Contributions are always accepted! Email me if you would like to send in a battery for me to analyze, or you can buy me a coffee through PayPal:


[EDIT – July 28, 2016] Welp, looks like the PayPal button’s broken (or was it never working to begin with…?). If you’d like to send anything to me, just give me a shout at ginbot86@gmail.com!

[EDIT – August 2, 2016] Whoops, looks like I never had the button working in the first place. Hopefully it works this time.

 

Looking inside an iPhone 5 battery

In the wake of my previous teardowns of the iPhone 4 and 4S batteries, I went onto eBay and Amazon (realizing that they finally have Amazon Prime student rates up in Canada) and bought a few iPhone 5 and 5S batteries. Although I was primarily interested in trying to get the gas gauge information out of the batteries, I had a secondary reason. The Nexxtech Slim Power Bank (a subject of a separate blog post) uses a pair of 3.8-volt Li-ion polymer batteries, and they seemed to be suspiciously similar in size to what is used in the iPhone 5. But enough of that, we’re here for the iPhone 5 battery in particular!

Battery Casing

The iPhone 5 battery measures 3.7 mm in thickness, 3.2 cm in width and 9.1 cm in length. This particular model, made by Sony, has a model ID of US373291H, with the six digits corresponding to the cell’s dimensions. This cell has a labeled capacity of 1440 mAh at a nominal 3.8 volts, with a maximum charge voltage of 4.3 volts. I tried to read the data matrix barcode on the cell but my barcode scanning app on my phone refused to recognize it. I might try to scan and sharpen the barcode later but it’s not something that’s of a high priority to me.

Battery Teardown and Pinout

The board itself is rather interesting. The protection MOSFETs used to switch the battery’s power are chip-scale packages and are glued down with epoxy, same with the gas gauge itself. This means that I can’t easily replace it with a rework station if the need arises. The board includes the gas gauge, thermistors, protection circuitry and still has room for a polyfuse for extra over-current protection.

iPhone 5 battery PCB layout


The pinout of the iPhone 5 battery is pretty much the same as that of the iPhone 4 and 4S. You have Pack-, NTC Thermistor, HDQ and Pack+. In this particular model of battery, the gas gauge is a bq27545 (labeled SN27545), but has basically the same feature set as the iPhone 4/4S’ bq27541. With this information, I soldered to the small terminals on the connector (the actual connectors for this battery haven’t arrived yet since it takes so long to receive items from China on eBay), and hooked it up to my trusty Texas Instruments EV2400 box.

iPhone 5 battery pinout


Battery Data

iPhone 5 firmware version

And once again, we’re presented with an obscure firmware revision. The latest bq27545-G1 firmware is only version 2.24, but this chip has version 3.10. After forcing GaugeStudio to accept this gauge as a -G1 version, we’re once again presented with a sealed chip. Let’s try to unseal it with the default key…

... aaaaand nope. No dice with 0x36720414, unlike last time.


… and I get the dreaded “Unseal Key” prompt. Cue the dramatic Darth Vader “NOOOOO” here. Maybe Apple read my previous post and decided to change the default keys this time (Hey Apple, if you read this, make the iPhone 6’s gas gauge have the default keys again)! This means that not only can I not access any of the juicy details of this battery, but I cannot update its firmware to a more… conventional version either. I could try brute-forcing it, but trying to hack a key with a 32-bit address space over a 7 kbps bus… uh, no. That’s not going to happen. I’d probably have better luck reverse-engineering Apple’s battery code but I doubt they have any facility to do in-system firmware updates for the gas gauge.

Data captured from GaugeStudio


Now for some rather… interesting details of what we can access. The design capacity of this battery, according to the gas gauge, is 1430 mAh, same as the iPhone 4S and also 100 mAh less than what’s written on the label. That, and the full charge capacity of this battery is 1397 mAh out of the gate. The gauge seems to be an insomniac (it won’t enter Sleep mode even when the battery is not hooked up to any load), it seems to have fewer features despite having a higher firmware version (I’m sure the internal temperature isn’t 131 degrees C…), and the Pack Configuration register doesn’t bring up any sensible data.

Battery… conspiracy?

One thing that I haven’t confirmed is whether or not this battery had been tampered with before I received it. I bought this particular battery from eBay and it was listed as new. It had some adhesive residue but no obvious sign of being peeled off from another iPhone. The cycle count is set to 1, and because the gas gauge is sealed, I can’t read any other data like the lifetime data logs. There is a chance that this battery isn’t new and that the seller had somehow changed the data memory and sealed the chip with a non-default key, but I need to wait until some other batteries arrive in the mail and perhaps try reading out batteries taken out directly from some iPhone 5s. Until then, it’s only speculation as to why this chip is sealed with a different key.

The next victims specimens: an iPhone 5S battery, a “new” iPhone 4 battery, and an Amazon Kindle battery.