Log in

Stay classy (and smart), Apple. - Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2011-07-29 16:12
  Subject:   Stay classy (and smart), Apple.
  Music:50 Cent - Be A Gentleman

What he found is that the batteries are shipped from the factory in a state called "sealed mode" and that there's a four-byte password that's required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into "unsealed mode."

From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it's not changed on laptops before they're shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.

"That lets you access it at the same level as the factory can," he said. "You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though."


Making your batteries a different size and/or shape than others? Probably had a good reason for it.

Making a customized connector for your batteries? That's starting to get a little silly, but maybe it was to lower cost, or enable the flow of more watts between battery and computer.

Adding extra expense and extra complexity to both the battery and the driver software by putting not one but two layers of password lockout... on a damn battery??

That's not evil, monopolistic or specifically designed to avoid interoperability and guarantee your ability to price-gouge your customers, Apple. Nope. Not at all. Stay classy, you guys. And by all means, continue this kind of behavior. You're doing a stellar job of niche-marketing yourself right into oblivion.

The fact that such added complexity provides a potential opening for BIOS viruses that can't be detected by normal means and will survive an OS reinstall? That's just the icing on the cake. Memo to geniuses: Haven't you guys ever heard of a fuse? If you don't want customers (or viruses) casually messing with your battery's firmware, then you should have put a twenty cent chip fuse on your $100 battery, and blow it as the last step of the factory QC process. Then nobody can change your device's factory settings without at least having to take it apart.

(Yeah, I know: "So sorry - we can't hear you over the sound of our thousand-foot high piles of cash!" -Apple. Yeah, well, you guys be sure to let me know when you find your thousand-foot high pile of brains! What's that? You say you don't have one of those? Well then...)
Post A Comment | 2 Comments | Share | Link

  User: (Anonymous)
  Date: 2011-08-05 12:56 (UTC)
  Subject:   You are aware...
Apparently you were unaware that all lithium ion batteries have a controller with password protected firmware, and that Charlie found the password because it's the default password that is in the documentation for the controller... Apple's sin wasn't adding the layers of password protection, it was that they didn't change the fricking password.
Reply | Thread | Link

Ben Cantrick
  User: mackys
  Date: 2011-08-08 16:55 (UTC)
  Subject:   Re: You are aware...
> all lithium ion batteries have a controller with password protected firmware

I seriously doubt it. I even doubt that all li-ion charge controller ICs have password protection. Much less all li-ion batteries made.
Reply | Parent | Thread | Link

May 2015