Skip to content

Firmware m1100

mefistotelis edited this page Jun 7, 2023 · 18 revisions

Table of Contents

Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces

Target

The module contains battery firmware. Depending on hardware generation, the module programs either the Battery Management System chip itself, or application part of a small micro-controller connected to the BMS chip.

When a platform supports several types of batteries, or firmware for both BMS and uC is provided, then more m11?? modules can exist.

Location of target chip:

Purpose

The Battery Management System chip monitors the battery, gathers information about its state and statistics, controls its turning on an off, as well as controls the charging process and cells balancing.

To allow turning the battery on and off, the BMS is connected to high power MOSFET transistors which allow to switch access to battery cells. When the battery is switched on, or when charging voltage is detected and the cells can accept charge, the BMS closes the MOSFETs. When there is danger of over-discharge, or measured values suggest that the battery is damaged - BMS will open the MOSFETs, cutting off power (it register either recoverable failure or permanent failure when doing so).

To help with monitoring battery state, temperature sensor touches the cells. Based on it, and current flow measurements, BMS chip estimates temperatures of single cells, as well as temperature of electronics. The temperature status is shared with the connected device, and when temperature reaches dangerous levels, BMS chip cuts off the power.

To make the battery cells store the same amounts of charge, a balancer circuit is also included. It forces the cells to charge evenly, by routing some of the charging current outside of cells which report highest voltage.

To limit the amount of hydrogen released from electrolyte of lithium-polymer cells, such batteries also have a discharge circuit. When the battery is kept fully charged for too long, the BMS chip connects internal load to the battery, discharging it to 50%.

To share battery state and statistics, the BMS chip sends reports to its SMBus interface. These include active alarms, current state of charge, but also long-term usage statistics like the amount of discharges since the battery was produced.

Depending on platform, SMBus interface is either directly accessible on battery contacts, or the state and statistics information is sent to small micro-controller which on request routes the data further to the flight controller via serial interface.

Versions

There are multiple versions, always unencrypted.

Marking Packages Timestamp Overview
00.01.0797 MATRICE600_FW_V01.00.00.27_nw 2016-08-18
00.01.0799 MATRICE600_FW_V01.00.00.28 2016-05-05
00.01.0801 MATRICE600PRO_FW_V01.00.00.01 MATRICE600PRO_FW_V01.00.00.51 MATRICE600PRO_FW_V01.00.00.53 MATRICE600PRO_FW_V01.00.00.54 MATRICE600PRO_FW_V01.00.00.55 MATRICE600_FW_V01.00.00.39 MATRICE600_FW_V01.00.00.39_nw MATRICE600_FW_V01.00.00.42 MATRICE600_FW_V01.00.00.43 MATRICE600_FW_V01.00.00.44 MATRICE600_FW_V01.00.00.51 MATRICE600_FW_V01.00.00.53 MATRICE600_FW_V01.00.00.54 MATRICE600_FW_V01.00.0090 MATRICE600_FW_V02.00.00.21 MATRICE600_FW_V02.00.00.95(polar) 2016-06-08 ... 2016-11-20
01.01.0783 MATRICE600_FW_V01.00.00.27 2016-04-18
01.01.0802 MATRICE600_FW_V01.00.00.56 2016-12-06
01.01.0803 MATRICE600PRO_FW_V01.00.00.60 MATRICE600PRO_FW_V01.00.00.61 MATRICE600PRO_FW_V01.00.00.62 MATRICE600PRO_FW_V01.00.00.63 MATRICE600PRO_FW_V01.00.00.64 MATRICE600PRO_FW_V01.00.00.80 MATRICE600_FW_V01.00.00.60 MATRICE600_FW_V01.00.00.80 2016-12-14 ... 2017-01-04
01.06.0000 P3C_FW_V01.00.0014_Beta P3S_FW_V01.01.0008 P3S_FW_V01.01.0009 P3S_FW_V01.02.0007 P3S_FW_V01.02.0008 P3X_FW_V01.01.0006 P3X_FW_V01.01.0008 P3X_FW_V01.01.0009 P3X_FW_V01.01.1003 P3X_FW_V01.01.1007 P3X_FW_V01.02.0006 2015-04-30 ... 2015-07-21
01.07.0000 P3C_FW_V01.00.0017_Beta P3C_FW_V01.00.0020 P3C_FW_V01.01.0030 P3C_FW_V01.02.0040 P3S_FW_V01.03.0020 P3S_FW_V01.04.0010 P3S_FW_V01.05.0030 P3XW_FW_V01.01.0000 P3X_FW_V01.03.0020 P3X_FW_V01.04.0005 P3X_FW_V01.04.0010 P3X_FW_V01.05.0030 2015-07-24 ... 2015-12-15
01.07.3841 P3S_FW_V01.06.0040 P3S_FW_V01.07.0060 P3S_FW_V01.08.0080 P3X_FW_V01.06.0040 P3X_FW_V01.07.0043_beta P3X_FW_V01.07.0060 P3X_FW_V01.08.0080 2015-12-22 ... 2016-04-05
01.08.0000 P3C_FW_V01.03.0050 P3C_FW_V01.04.0060 P3C_FW_V01.04.0060 P3C_FW_V01.05.0070 P3C_FW_V01.05.0074 P3C_FW_V01.06.0083 P3C_FW_V01.06.0086 P3C_FW_V01.07.0082 P3C_FW_V01.07.0084 P3C_FW_V01.07.0086 P3C_FW_V01.07.0090 P3S_FW_V01.09.0060 P3S_FW_V01.10.0090 P3XW_FW_V01.02.0010 P3XW_FW_V01.03.0020 P3XW_FW_V01.04.0030 P3XW_FW_V01.04.0036 P3XW_FW_V01.05.0040 P3X_FW_V01.09.0060 P3X_FW_V01.10.0090 2015-12-21 ... 2016-11-08
02.54.63081 MG1S_FW_V01.00.00.02 2016-11-29
03.08.3844 MATRICE100_FW_V01.02.00.60 MATRICE100_FW_V01.02.00.70 MATRICE100_FW_V01.02.00.80 MATRICE100_FW_V01.02.00.90 2016-02-18 ... 2016-04-01
03.09.0000 MATRICE100_FW_V01.03.01.00_pc MATRICE100_FW_V01.03.02.55_pc WM610_FC350Z_FW_V01.09.01.40 WM610_FC550_FW_V01.08.00.92 WM610_FW_V01.08.00.92 2016-03-24 ... 2016-11-09

Structure

Platforms which have BMS firmware unmodified (as released by Texas Instruments), use an additional micro-controller to introduce DJI-specific behaviors to the battery. Since Spark, DJI introduces such changes directly to BMS firmware, so additional micro-controller is rarely required.

Structure of BMS firmware

The unencrypted firmware data consists of 34-byte packets which update the Instruction Flash of BMS using SMBus. Each packet has 5-byte header and 1-byte footer, the rest is the data actually written.

Structure of uC firmware

The unencrypted firmware is a memory image of a native binary. During startup, it is being loaded into memory at chip-specific address and executed. Such memory images are usually prepared by first linking the file with all libraries, and then using objcopy -O binary to get the final file without ELF header. The ELF header can be re-created if the address and boundaries of sections are known.

The binary was most likely generated using IAR Embedded Workbench.

Boot process

No analysis of the booting procedure were performed.

OS and Libraries

Different software is used within MBS chip and the additional uC.

OS and Libs in BMS firmware

The firmware is based on SDK provided by Texas Instruments. Platforms which do not use additional uC, have some new SMBus commands added and some functionalities altered. The BQ firmware SDK is provided by TI only to selected business partners under strict NDA.

OS and Libs in uC firmware

The firmware uses Kinetis Software Development Kit v1.2.0. It incorporated drivers for KL26Z4 clock, UART, TPM and PIT driver.

Flashing

TODO

Interfaces

The connections to other components are listed below.

Li-Po Cells interface

Each Lithium-Polymer battery cell is connected to an ADC which reads voltage during operation, and provides balancing capabilities when the battery is being charged. There is also a current sensing ADC.

Serial interface to FC

The batteries which include additional uC separate from BMS, the battery communicates with the Flight Controller via serial interface. The transmission parameters are 115200 8N1, and the messages are sent as binary packets, similar to DUML.

Specific products which work this way:

SMBus interface

The batteries which contain the BMS without additional uC, are communicating with the Flight Controller using the SMBus protocol. The messages are in large part SBS packets, though with some minor DJI-specific extensions.

Batteries which do contain additional uC are using the SBS comms over SMBus as well, just internally - this is the mode of communication between the BMS and the uC. But the SMBus signal is not available on the battery connector in such cases, and access to it requires soldering to test pads inside the battery.

Temperature sensor interface

This interface isn't well known.

Clone this wiki locally