SLUAAW0 May   2025 BQ41Z50

 

  1.   1
  2.   Abstract
  3.   Trademarks
  4. 1Introduction
  5. 2Authentication Scheme Comparison
  6. 3ECC Key Programming Within the Pack Manufacturing Flow
  7. 4Gauge Authentication Flow of the BQ41z50 Product Family
  8. 5Host Authentication Flow of the BQ41z50 Product Family
  9. 6Authentication Flow in BQSTUDIO
  10. 7Summary
  11. 8References

5 Host Authentication Flow of the BQ41z50 Product Family

To better secure access to the device the gauge can also be used to authenticate the host allowing the gauge to change security states and unlock the gauge allowing the host to update the gauge. In order to perform this function, the host must first program an authorized public key. The public key must be written when the gauge is in a 'full access' state by sending the 30 byte compressed public key to MAC subcommand 0x0034. This same command must be read to confirm the currently programmed public key for host authentication.

When there is no public key is programmed, the old 'security keys' unseal operation is used. Once a public key is programmed however, the old unseal commands are disabled.

Note: Make sure to read the public key after programming to confirm the value was stored correctly before sending the SEAL command. There is no way to recover a device that in the SEALED state without the corresponding private key.

The procedure must follow the Figure 5-1 diagram using the SMBus ManufacturerAccess( ) (MAC) commands to the gauge.

An overview of the flow is:

  1. Host sends MAC subcommand 0x003a with data using one of the following data blocks:
    • To request UNSEAL access action, use data block 0x14, 0x04, 0x72, 0x36
    • To request FULL_ACCESS access action, use data block 0xff, 0xff, 0xff, 0xff
  2. Host reads the MAC result using 0x003a to receive the generated 8-byte challenge code.
  3. Host combines the 8-byte challenge and the command into a message, and signs the message with the private key generating a 30-byte r, and 30-bytes.
    • For example, if the gauge generated the challenge 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, then the full message string to sign for an UNSEAL operation is 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x14, 0x04, 0x72, 0x36
  4. Host writes the resulting r and s to the gauge.
    • The ECC_R (0x003c) subcommand accepts either the 30-byte r value, OR the full 60-byte r, s value.
    • The ECC_S (0x003d) subcommand accepts the 30-byte s value, written after the r value has been sent to the gauge.
  5. Once the gauge has both r and s, the gauge validates the signature.
  6. If the signature is valid, the action requested by the command is executed.
Host Authentication Overview Figure 5-1 Host Authentication Overview

A more detailed implementation flow chart is shown in Figure 5-2.

Host Authentication Flow Chart Figure 5-2 Host Authentication Flow Chart