dji-firmware-tools
dji-firmware-tools copied to clipboard
o-gs
Dji spark battery repair
I saw a tutorial on youtube on how to fix a mavic air battery using your (excellent) tools. A commenter said that it worked on his spark batteries. So i bought a raspberry pi and set everything up but when i tried to unseal, it didnt work. Is there any way to make it work? Thank you for the amazing software.
With Mavic Pro batteries, I had to enable line sampling on RPI to make the unseal work. I can't remember if it was the same with Spark.
Watch my tutorial for details: https://www.youtube.com/watch?v=P5PNOO2GebY
FWIW - I get no errors when unsealing a Spark battery but it doesn't actually work (security mode remains equal to 3).
With Mavic Pro batteries, I had to enable line sampling on RPI to make the unseal work. I can't remember if it was the same with Spark.
Watch my tutorial for details: https://www.youtube.com/watch?v=P5PNOO2GebY
Thank you very much, i will try it and inform you of the results!
FWIW - I get no errors when unsealing a Spark battery but it doesn't actually work (security mode remains equal to 3).
Same here
With Mavic Pro batteries, I had to enable line sampling on RPI to make the unseal work. I can't remember if it was the same with Spark.
Watch my tutorial for details: https://www.youtube.com/watch?v=P5PNOO2GebY
It was your tutorial i was following (mavic pro), thanks for the help, dont know if enabling sampling was in the video, i think it was and it still wouldnt unseal. Is that the sudo pigpiod -s 2 command? Could it be that i have to use a different interval?
Could it be that i have to use a different interval?
Unlikely. This interval is already very small. Maybe your battery just doesn't use the default password?
Try using the Windows tool shared is some threads here. Some tools can use special features made by DJI to skip the password, though I don't know which ones or any details.
Yeah, that was my guess too - something auth related. Unfortunately I'm not in a position to test the windows stuff - no windows and no adapter - pi only.
I've seen someone do this with a TRB / EV2300 setup https://www.youtube.com/watch?v=M2wbo2IdIJY - so we know it's possible.
I ordered the cp2112 and will try the other tools after it arrives, probably 2 months from now. Thanks again mate.
@mefistotelis in the mean-time, any advice on how to debug this? These other devices/softwares aren't magic - they just know something we don't!
SMBus is very easy to sniff. That's probably why there are so many such tools.
It's not that this is hard, sniffing or just figuring out by experiments. I didn't finished with support of newer batteries mostly because I just got bored of this subject.
Read the SBS spec of similar chip, and it should be easy to start trying stuff. DJI FW has few modifications to TIs original, but it mostly adds new commands, it doesn't change the existing ones (besides a few which seem to have been unintentionally skewed).
@mefistotelis in the mean-time, any advice on how to debug this? These other devices/softwares aren't magic - they just know something we don't!
I too thought about looking into the code for a different default password or sth, but as mefistotelis said, its different tricks that they use to bypass it. My knowledge is severely lacking so its best to wait for the tool to arrive.
I read the contents of ManufacturerAccess.SecurityKey, and from what I can tell from docs for similar chips, this is actually the unseal key. Can I be right about this? If so, then we are not currently sending the right key during unseal - we are sending the default. Similarly for FullAccess.
"The unseal key can be read and changed via the MAC SecurityKey() command when in the FULL ACCESS mode."
Yes, the docs are right. And yes, by default the tool sends the default key, obviously.
OK, thanks. I assumed we'd read/write the key automatically if this were possible. In any case, the only reason I mention it is because it also doesn't seem to work when I use the MAC SecurityKey, and thought maybe I was screwing something up.
You can use CP2112 + DJI BK to unseal and full option for DJI Spark battery. https://youtu.be/XsoB7Mjrtho the Spark battery is using BQ9003 chip.
Thanks @mjnhchj - I have a raspberry pi, and I can talk i2c/smbus to it, so ideally I'd like to get it going like this. I don't really want to buy anything or run windows (or some random exe on it). Thanks again though.
Some useful context from that video though perhaps:
Thanks @mjnhchj - I have a raspberry pi, and I can talk i2c/smbus to it, so ideally I'd like to get it going like this. I don't really want to buy anything or run windows (or some random exe on it). Thanks again though.
Hello, do you have any success with unsealing BQ9003 using comm_sbs_bqctrl.py ?? Thanks
Sorry for noob question! May I ask if the spark battery will ever response to (no matter CP2112/Rpi/arduino) via I2C port if it had runout of battery and stayed for a very long time?
p.s. It shows NO led light lid when I clicked the only button on all of my 3 spark batteries but all 3 will lights up 1 LED when I put them into original DJI battery charging hub.
@DIYlover yes it will. You can provide 11.4v @ 0.5A to the power/ground pins of the battery and it will show up in the tool of your choice. I did this using the pins from the hub battery charger power supply to the battery itself. Unfortunately it looks like comm_sbs_bqctrl.py doesn't support the DJI Spark as of now. I was able to execute the unseal command once (despite running it dozens of times) but it still appears as sealed.
dji-firmware-tools $ ./comm_sbs_bqctrl.py -vvv --bus "i2c:3" --dev_address 0x0b --chip BQ40z50 sealing Unseal
Opening i2c:3
Importing comm_sbs_chips/BQ40z50.py
Store ManufacturerAccess.SecKeyWord0: 00 WORD=0x414
Write ManufacturerAccess: CMD=00 WORD=14 04
Store ManufacturerAccess.SecKeyWord1: 00 WORD=0x3672
Write ManufacturerAccess: CMD=00 WORD=72 36
Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ40.OperationStatus: 84>}
Query ManufacturerAccess.OperationStatus: 00 WORD=0x54
Write ManufacturerAccess: CMD=00 WORD=54 00
Raw ManufacturerAccess.OperationStatus response: 04 80 77 00 00 14
MA.OperationStatus: 0x00007780 bitfields Operational Status bits
SYS_PRESENT_LOW: 0=Inactive [PRES] System present input state low
DSG_FET_STATUS: 0=Inactive [DSG] Discharge FET status
CHG_FET_STATUS: 0=Inactive [CHG] Charge FET Status
PCHG_FET_STATUS: 0=Inactive [PCHG] Precharge FET Status
FUSE_STATUS: 0=Inactive [FUSE] FUSE input status
TRIP_POINT_INTR: 1=Active [BTPI] Battery Trip Point Interrupt
SECURITY_MODE: 3=Sealed [SEC] Security Mode
SHUTDOWN_LOW_VOLT: 1=Active [SDV] Shutdown triggered via low pack voltage
SAFETY_STATUS: 0=Inactive [SS] Safety mode status
PERMANENT_FAILURE: 1=Active [PF] Permanent Failure mode status
DISCHARGING_DISABLED: 1=Active [XDSG] Discharging Disabled
CHARGING_DISABLED: 1=Active [XCHG] Charging Disabled
SLEEP_MODE: 0=Inactive [SLEEP] Sleep mode condition met
SHUTDOWN_BY_MA: 0=Inactive [SDM] Shutdown activated by SMBus command
LED_DISPLAY: 0=Off [LED] LED Display state
AUTH_ONGOING: 0=Inactive [AUTH] Authentication ongoing
AUTO_CC_OFFS_CALIB: 0=Cal Done [ACALM] Auto CC offset calibration by SMBus cmd
RAW_ADC_CC_OUTPUT: 0=Inactive [CALOC] Raw ADC/CC data calibration output
RAW_CCOFFS_OUTPUT: 0=Inactive [CALOO] Raw CC offset data calibration output
XLOW_SPEED_STATE: 0=Inactive [XL] 400 kHz transmission SMBus mode
SLEEP_BY_MA: 0=Inactive [SLEPM] SLEEP mode activated by SMBus command
INIT_AFTER_RESET: 0=Inactive [INIT] Initialization after full reset
SMB_CAL_ON_LOW: 0=Not in Cal [SLCAL] Auto CC calibration when the bus is low
ADC_MEAS_IN_SLEEP: 0=Inactive [SLPAD] ADC Measurement in SLEEP mode
CC_MEAS_IN_SLEEP: 0=Inactive [SLPCC] Current Check measurement in SLEEP mode
CELL_BALANCING: 0=Inactive [CB] Cell balancing status
EMERGENCY_SHUTDOWN: 0=Inactive [EMSHT] Emergency Shutdown
@DIYlover yes it will. You can provide 11.4v @ 0.5A to the power/ground pins of the battery and it will show up in the tool of your choice. I did this using the pins from the hub battery charger power supply to the battery itself. Unfortunately it looks like comm_sbs_bqctrl.py doesn't support the DJI Spark as of now. I was able to execute the unseal command once (despite running it dozens of times) but it still appears as sealed.
dji-firmware-tools $ ./comm_sbs_bqctrl.py -vvv --bus "i2c:3" --dev_address 0x0b --chip BQ40z50 sealing Unseal Opening i2c:3 Importing comm_sbs_chips/BQ40z50.py Store ManufacturerAccess.SecKeyWord0: 00 WORD=0x414 Write ManufacturerAccess: CMD=00 WORD=14 04 Store ManufacturerAccess.SecKeyWord1: 00 WORD=0x3672 Write ManufacturerAccess: CMD=00 WORD=72 36 Reading write_word_subcommand command at addr=0xb, cmd=0x0, type=uint16, opts={'subcmd': <MANUFACTURER_ACCESS_CMD_BQ40.OperationStatus: 84>} Query ManufacturerAccess.OperationStatus: 00 WORD=0x54 Write ManufacturerAccess: CMD=00 WORD=54 00 Raw ManufacturerAccess.OperationStatus response: 04 80 77 00 00 14 MA.OperationStatus: 0x00007780 bitfields Operational Status bits SYS_PRESENT_LOW: 0=Inactive [PRES] System present input state low DSG_FET_STATUS: 0=Inactive [DSG] Discharge FET status CHG_FET_STATUS: 0=Inactive [CHG] Charge FET Status PCHG_FET_STATUS: 0=Inactive [PCHG] Precharge FET Status FUSE_STATUS: 0=Inactive [FUSE] FUSE input status TRIP_POINT_INTR: 1=Active [BTPI] Battery Trip Point Interrupt SECURITY_MODE: 3=Sealed [SEC] Security Mode SHUTDOWN_LOW_VOLT: 1=Active [SDV] Shutdown triggered via low pack voltage SAFETY_STATUS: 0=Inactive [SS] Safety mode status PERMANENT_FAILURE: 1=Active [PF] Permanent Failure mode status DISCHARGING_DISABLED: 1=Active [XDSG] Discharging Disabled CHARGING_DISABLED: 1=Active [XCHG] Charging Disabled SLEEP_MODE: 0=Inactive [SLEEP] Sleep mode condition met SHUTDOWN_BY_MA: 0=Inactive [SDM] Shutdown activated by SMBus command LED_DISPLAY: 0=Off [LED] LED Display state AUTH_ONGOING: 0=Inactive [AUTH] Authentication ongoing AUTO_CC_OFFS_CALIB: 0=Cal Done [ACALM] Auto CC offset calibration by SMBus cmd RAW_ADC_CC_OUTPUT: 0=Inactive [CALOC] Raw ADC/CC data calibration output RAW_CCOFFS_OUTPUT: 0=Inactive [CALOO] Raw CC offset data calibration output XLOW_SPEED_STATE: 0=Inactive [XL] 400 kHz transmission SMBus mode SLEEP_BY_MA: 0=Inactive [SLEPM] SLEEP mode activated by SMBus command INIT_AFTER_RESET: 0=Inactive [INIT] Initialization after full reset SMB_CAL_ON_LOW: 0=Not in Cal [SLCAL] Auto CC calibration when the bus is low ADC_MEAS_IN_SLEEP: 0=Inactive [SLPAD] ADC Measurement in SLEEP mode CC_MEAS_IN_SLEEP: 0=Inactive [SLPCC] Current Check measurement in SLEEP mode CELL_BALANCING: 0=Inactive [CB] Cell balancing status EMERGENCY_SHUTDOWN: 0=Inactive [EMSHT] Emergency Shutdown
Thx for confirmation 🙏🏻
Thanks @mjnhchj - I have a raspberry pi, and I can talk i2c/smbus to it, so ideally I'd like to get it going like this. I don't really want to buy anything or run windows (or some random exe on it). Thanks again though.
Some useful context from that video though perhaps:
can you send me this version of dji ba ttery killer ? thanks
Did anyone find a fix for Spark battery unlocking on a Raspberry Pi? Thank you
Did anyone find a fix for Spark battery unlocking on a Raspberry Pi? Thank you
i was able to unlock my spark batteries with this command ./comm_sbs_bqctrl.py --dev_address 0x0b sealing --i32key 0xCCDF7EE0 Unseal
I finally resolved this after realising Raspberry Pi 3B+ actually has i2c onboard (didn't need that cp2112 which doesn't seem to have a driver in the kernel so I wasted an evening figuring that one out and a lot of head scratching and cable aligning!).
Firstly a big thanks to others on this thread for your shared wisdom above especially @dev8edss - thank you! Then thanks to this site and the person who recorded the video here - https://wiki.dji-rev.com/howto/comm_sbs_bqctrl
Here is what I did that worked with my DJI Spark Batteries - USE AT YOUR OWN RISK:
Connect pin2, pin3 and pin5 of the Raspberry Pi to SDA, SCL and GND - i.e. the corresponding Spark battery terminals (far left pin is SCL and far right pin is SDA.
SCL | - | + | + | GND | SDA
I found I didn't have any suitable crocodile clips to connect to the "Fly More Combo" charger so I figured out using a PP3 9V battery was enough to power the logic board via the other - and one of the +.
Downloaded just the comm_sbs_bqctrl.py and created the comm_sbs_chips directory and its contents.
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 monitor BQStatusBitsMA
Following the helpful video you will find that this shows if you have something more serious but in my case I just had PF (permanent failure) and under-voltage. The video is for a Mavic but the commands are the same. Please don't deconstruct your battery like he had to do!
Then unseal the battery to allow you to make changes:
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 sealing --i32key 0xCCDF7EE0 Unseal
Then reset the PF flag (do this at your own risk!)
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 trigger ManufacturerAccess.PermanentFailDataReset
Note: I found I had to run this command several times to see the PF flag clear.
When you get it working then seal the battery again:
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 sealing --i32key 0xCCDF7EE0 Seal
Now disconnect the battery carefully and put it on to a charger. I suggest you keep an eye on the battery and charger just to be safe i.e. don't go to bed or go out until you are confident it is charging safely - call me old fashioned but I don't trust LiPos.
Note: If a command fails (or errors) try it again but be sure to check your connections.
That's it! Success thanks again to those who pointed me in the right direction! I've charged the batteries, ran the the Spark for a while and recharged them and all still good.
I finally resolved this after realising Raspberry Pi 3B+ actually has i2c onboard (didn't need that cp2112 which doesn't seem to have a driver in the kernel so I wasted an evening figuring that one out and a lot of head scratching and cable aligning!).
Firstly a big thanks to others on this thread for your shared wisdom above especially @dev8edss - thank you! Then thanks to this site and the person who recorded the video here - https://wiki.dji-rev.com/howto/comm_sbs_bqctrl
Here is what I did that worked with my DJI Spark Batteries - USE AT YOUR OWN RISK:
Connect pin2, pin3 and pin5 of the Raspberry Pi to SDA, SCL and GND - i.e. the corresponding Spark battery terminals (far left pin is SCL and far right pin is SDA.
SCL | - | + | + | GND | SDA
I found I didn't have any suitable crocodile clips to connect to the "Fly More Combo" charger so I figured out using a PP3 9V battery was enough to power the logic board via the other - and one of the +.
Downloaded just the comm_sbs_bqctrl.py and created the comm_sbs_chips directory and its contents.
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 monitor BQStatusBitsMAFollowing the helpful video you will find that this shows if you have something more serious but in my case I just had PF (permanent failure) and under-voltage. The video is for a Mavic but the commands are the same. Please don't deconstruct your battery like he had to do!Then unseal the battery to allow you to make changes:
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 sealing --i32key 0xCCDF7EE0 UnsealThen reset the PF flag (do this at your own risk!)
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 trigger ManufacturerAccess.PermanentFailDataResetNote: I found I had to run this command several times to see the PF flag clear.
When you get it working then seal the battery again:
./comm_sbs_bqctrl.py -vvv --chip BQ40z50 sealing --i32key 0xCCDF7EE0 SealNow disconnect the battery carefully and put it on to a charger. I suggest you keep an eye on the battery and charger just to be safe i.e. don't go to bed or go out until you are confident it is charging safely - call me old fashioned but I don't trust LiPos.
Note: If a command fails (or errors) try it again but be sure to check your connections.
That's it! Success thanks again to those who pointed me in the right direction! I've charged the batteries, ran the the Spark for a while and recharged them and all still good.
Many thanks for posting this. To get it to work I had to crack the Batteries open and indavidualy charge each cell with a TP4056 and add the i2c address into the commands but now have re cycled two batteries.
I really didn't want to deconstruct the batteries so I wonder if you had a different series of battery.
I can confirm that @whiteduck22's guide worked for my Spark batteries, I was successfully able to reset the permanent failure flag and they're working perfectly. I had to power the pack by supplying ~10V. The pack drew <10mA (I suppose the BMS has disconnected the cells and only the BMS is being powered). A 9V alkaline battery might work in a pinch.
Thanks so much @whiteduck22!
I can confirm that @whiteduck22's guide worked for my Spark batteries, I was successfully able to reset the permanent failure flag and they're working perfectly. I had to power the pack by supplying ~10V. The pack drew <10mA (I suppose the BMS has disconnected the cells and only the BMS is being powered). A 9V alkaline battery might work in a pinch.
Thanks so much @whiteduck22!
Hi @jayemel , can you indicate where exactly you connect the 10V ? do you connect previously to the pask before connecting to the Raspberry to charge a bit the cells or simultaneously ?
thanks in advance, kind regards, Domi.
@gosymbian Domi in my original post I connected a 9V battery to the other - and + which was enough to power the logic board and for a single LED to light up.