SLUUBY2B September 2020 – May 2022 BQ76952
The BQ76952 device includes three security modes: SEALED, UNSEALED, and FULLACCESS, which can be used to limit the ability to view or change settings.
In SEALED mode, most data and status can be read using commands and subcommands, but only selected settings can be changed. Data memory settings cannot be read or changed directly.
UNSEALED mode includes SEALED functionality, and also adds the ability to execute additional subcommands and read data memory.
FULLACCESS mode allows capability to read and modify all device settings, including writing OTP memory.
Selected settings in the device can be modified while the device is in operation through supported commands and subcommands, but in order to modify all settings, the device must enter CONFIG_UPDATE mode (see Section 8.6), which stops device operation while settings are being updated. After the update is completed, device operation is restarted using the new settings. CONFIG_UPDATE mode is only available in FULLACCESS mode.
The BQ76952 device implements a key-access scheme to transition among SEALED, UNSEALED, and FULLACCESS modes. Each transition requires that a unique set of keys be sent to the device through the subcommand address (0x3E and 0x3F). The keys must be sent consecutively to 0x3E and 0x3F, with no other data written between the keys. Do not set the two keys to identical values. When in the SEALED mode, the 0x12 Battery Status()[SEC1, SEC0] bits are set to [1, 1]. When the UNSEAL keys are correctly received by the device, the bits will be set to [1, 0]. When the FULLACCESS keys are correctly received, then the bits will change to [0, 1]. The state [0, 0] is not valid, and only indicates that the state has not yet been loaded. The device must first transition from SEALED mode to UNSEALED mode before it can then transition to FULLACCESS mode.
The unseal keys are stored in data memory in Security:Keys:Unseal Key Step 1 and Security:Keys:Unseal Key Step 2. The FULLACCESS keys are stored in Security:Keys:Full Access Key Step 1 and Security:Keys:Full Access Key Step 2. The access keys are changed during operation using the 0x0035 SECURITY_KEYS() subcommand. This subcommand enables a R/W of the 4 key words (8 bytes). Each word is sent in big endian order using this subcommand, with the first two words being the unseal code and the remaining two words being the full access codes.
When using the codes by writing them to 0x3E and 0x3F, they must be sent in little endian order; therefore, if 0x1234 and 0x5678 are written as the unseal codes to 0x0035 SECURITY_KEYS(), then to unseal requires writing 0x34 and 0x12 to 0x3E and 0x3F, followed by writing 0x78 and 0x56 to 0x3E and 0x3F. The two codes must be written within 4 s of each other to succeed.
To read the keys:
To write the keys:
To set the device into SEALED mode when initially powering up, the Security:Settings:Security Settings[SEAL] configuration bit can be set. During operation, the device can be put into SEALED mode by sending the 0x0030 SEAL() subcommand.
The BQ76952 device includes additional means to limit further modification of device settings. If the Security:Settings:Security Settings[LOCK_CFG] configuration bit is set, the data memory settings can no longer be modified when the device is in CONFIG_UPDATE mode. If the Security:Settings:Security Settings[PERM_SEAL] bit is set, the device cannot be unsealed after it has been sealed.
The device provides additional checks which can be used to optimize system robustness:
The 0x0004 IROM_SIG() subcommand calculates a digital signature of the integrated instruction ROM, and the 0x0009 DROM_SIG() subcommand calculates a similar signature of the integrated data ROM (which contains the default values for the device). These signatures should never change for a particular product. If these were to change, it would indicate an error, either that the ROM had been corrupted, or the readback of the ROM or calculation of the signature experienced an error.
The 0x0005 STATIC_CFG_SIG() subcommand calculates a digital signature for the static configuration data (which excludes calibration values) and compares it to a stored value. If the result does not match the stored signature, the MSB returned is set.