Looking inside a (fake) iPhone 5S battery

Considering how popular the iPhone is, there’s always going to be some counterfeits out there. I’ve been out buying various iPhone batteries to build a database of each generation’s characteristics, but one model has eluded me so far: the iPhone 5S. The iPhone 5C’s battery that I bought appears to be genuine (but with its own issues), but none of the iPhone 5S batteries I’ve bought so far (4 of them at the time of writing this blog post) were genuine. All of these fakes look like a genuine battery at first glance, but all of them share a few common traits.

Battery teardown

The fake battery sports the usual iPhone battery information, complete with some dot-matrix printed data and a data-matrix barcode. It’s labeled with a capacity of 1560 mAh and 3.8 volts nominal voltage.

Comparison between real and fake iPhone 5S battery

Comparison between real and fake iPhone 5S battery

The connector itself has two points for soldering the connector to provide durability. However, with the fake batteries, they are not soldered down. The two spots on the ends of the connectors are dark with a small point visible inside it (that point is the reinforcement pin on the connector). If this connector is installed in an iPhone, it will probably not come out without either damaging the battery’s connector, or worse, leave the plastic connector piece inside the phone, requiring tweezers to remove.

Connector lifted off with a hobby knife

Connector lifted off with a hobby knife

iPhone 5S and 5C battery pinout

iPhone 5S and 5C battery pinout

Removing the black protective tape reveals an iPhone 4 battery fuel gauge board. The connector is soldered to this board, with four solder points visible.

iPhone 4 battery PCB with soldered-on flat flex connector

iPhone 4 battery PCB with soldered-on flat flex connector

Pulling out the PCB  reveals another characteristic of these fake batteries: the positive terminal is cut short, with another metal section being clumsily spot-welded to the stub on the cell.

Note how the battery tab is poorly welded to the PCB.

Note how the battery tab is poorly welded to the PCB.

Battery fuel gauge data

The battery fuel gauge requires proper programming to accurately indicate the battery’s charge status. Because of this, each iPhone battery generation has its own specific configuration.

The fake iPhone battery retains the programming for the iPhone 4’s battery, which is a designed capacity of 1420 mAh, using a bq27541 fuel gauge running version 1.25 firmware. The data inside it is often that of a used/recycled battery as well.

This data can be (partially) read out directly from the iPhone with a tool such as iBackupBot, but more data can be read if the battery is read with another tool. I have the EV2400 from Texas Instruments to read this out on a PC, but this data can be read out with a USB-to-TTL serial port, a logic gate (a logic inverter) and a small MOSFET transistor.

I created a small tool that uses this circuit to interface with the fuel gauge and read out its data. Check it out here.

Using my tool, this is the report for one of these fake batteries. Note how it is identified as an iPhone 4 battery. Don’t be fooled by the calculated state of health. It’s not accurate for this battery as the fuel gauge still thinks it’s still inside an iPhone 4 battery pack.


**** START OF HDQ BATTERY LOG REPORT ****
HDQ Gas Gauge Readout Tool version 0.9 by Jason Gin
Date: 9/30/2014
Time: 0:52:24
Serial port: COM26

Battery Identification
========================
DEVICE_TYPE = 0x0541, FW_VERSION = 0x0125, DESIGN_CAPACITY = 1420 mAh
Battery's configuration matches that of a standard iPhone 4 battery.

Basic Battery Information
===========================
Device = bq27541 v.1.25, hardware rev. 0x00B5, data-flash rev. 0x0000
Voltage = 3804 mV
Current = 0 mA
Power = 0 mW
State of charge = 45%
Reported state of health = 0%
Calculated state of health = 99.3%
Cycle count = 14 times
Time to empty = N/A (not discharging)
Temperature = 27.9 °C (80.3 °F) (3009 raw)
Designed capacity = 1420 mAh
Heavy load capacity = 628/1410 mAh
Light load capacity = 673/1455 mAh

Advanced Battery Information
==============================
Capacity discharged = 0 mAh
Depth of discharge at last OCV update = ~778 mAh (8768 raw)
Maximum load current = -200 mA
Impedance Track chemistry ID = 0x0163
Reset count = 11 times

Flags = 0x0180
Flag interpretation:
* Fast charging allowed
* Good OCV measurement taken
* Not discharging

Control Status = 0x6219
Control Status interpretation:
* SEALED security state
* SLEEP power mode
* Constant-power gauging
* Qmax update voltage NOT OK (Or in relax mode)
* Impedance Track enabled

Pack Configuration = 0x8931
Pack Configuration interpretation:
* No-load reserve capacity compensation enabled
* IWAKE, RSNS1, RSNS0 = 0x1
* SLEEP mode enabled
* Remaining Capacity is forced to Full Charge Capacity at end of charge
* Temperature sensor: External thermistor

Device name length = 7 bytes
Device name: bq27541

**** END OF HDQ BATTERY LOG REPORT ****

Reading out HDQ-equipped battery fuel gauges with a serial port

Battery fuel gauges are the unsung hero of the battery world. There’s more to it than just measuring the voltage on the battery terminals,. These little chips are microcontrollers (tiny computers, essentially) that sit inside the battery pack and keep tabs on the battery’s performance for the life of that battery pack.

Texas Instruments makes battery fuel gauges that are small enough to fit in the circuitry of a cell phone, and one of the most common ones that uses this technology are iPhone batteries. These batteries use a single-wire interface called HDQ (which stands for High-Speed Data Queue). It may sound similar to Dallas Semiconductors’ 1-Wire protocol, but the two are completely different and incompatible with each other.

Protocol details

The HDQ protocol can be emulated with a serial port and a little bit of external circuitry. The protocol can be emulated with a serial port at 57600 baud with 8 data bits, no parity bit and 2 stop bits. Because this is a bi-directional bus, an open-drain configuration is needed. Most TTL serial ports are not open-drain, so some circuitry is required to do this. TI’s application note suggests using a CMOS inverter and an N-channel MOSFET along with a 1 kOhm pull-up resistor, but this can be cut down with a 74HC07 open-drain buffer and pull-up resistor.

Schematic

Schematic

The HDQ protocol uses a short pulse to indicate a logic 1, with a longer pulse to indicate a logic 0. The data is sent LSB (least significant byte) first, with a 7-bit address and an eighth bit to indicate if the operation is a read or write (0 is read, 1 is write). If it is a read operation, the fuel gauge will respond with one byte of data. As you might think, this is a very slow means of communication; the typical bus speed is 5-7 kilobits per second, but the actual usable throughput will be less than this.

The hack in this is that the bit timing can be made by sending a specially crafted UART byte that meets the timing specifications. Each bit takes up one byte of UART buffer memory, with 24 bytes being enough to perform an HDQ read (the first 8 bytes are echoed back to the PC and need to be ignored by the software). TI’s application note goes into this with a bit more detail.

Windows HDQ utility

HDQ utility icon, in all its pixelated glory.

HDQ utility icon, in all its pixelated glory.

I have written a small Windows program that will read out the battery’s main data, identify as a certain iPhone battery model (with the iPhone 5S, 6 and 6 Plus being unknown), and save a copy of this data to a text file for safekeeping. This program requires the National Instruments LabWindows/CVI Runtime library to run, since I whipped this program up with the first available IDE on my college PC.

Screenshot of program

Screenshot of program

The source code is not yet available (translation: I’m too ashamed of my programming skills to share it with others); however, a Windows executable is available for download below.

You will need to download the National Instruments LabWindows/CVI Runtime to run this program.

https://www.dropbox.com/s/cd3esa5us6elfgr/HDQ%20Utility.zip?dl=0

 

So Phone Me Maybe: A list of iPhone batteries with gas gauge functionality

UPDATE: Turns out the iPhone 3G and 3GS do have gas gauges! I will add them to my list as I find out more about them.

Each iPhone generation since the iPhone 4 iPhone 3G uses a TI gas gauge and uses the HDQ bus (iOS refers to this as the SWI [single-wire interface]) to communicate with the outside world. For more information about the HDQ protocol, click here.

I’ve noticed that many of the iPhone 5S and 5C batteries that can be purchased online are reusing iPhone 4 circuits, which will cause a significant decrease in gauge accuracy (proper parameters need to be programmed into the gas gauge, and that information is chemistry dependent), and the protection circuits in the iPhone 4 battery PCB will kick into overvoltage protection mode at 4.25 volts, less than the 4.3 volts that the iPhone 5 (and newer) batteries need to charge fully.

Because I have been unable to find a list of information of each battery generation, I’m making one myself. Because nobody else has dug this deep into the fuel gauges that the iPhone uses, I have to get this information experimentally (that is, by buying various batteries from online shops; the iPhone 5S battery has been very difficult to get, besides the fake ones I mentioned earlier).

If anyone has any iPhone 5S, 5C or 6 batteries that they’d like to donate, give me a shout! :)

Model Gas Gauge Firmware Designed Capacity Default Unseal Key? Comments
iPhone 3G bq27541 ? ? Yes (0x37420414) Need more samples to confirm.
iPhone 3GS bq27541 1.17 1200 mAh Yes (0x36720414)
iPhone 4 bq27541 1.25 1420 mAh Yes (0x36720414)
iPhone 4S bq27541 1.35 1430 mAh Yes (0x36720414)
iPhone 5 bq27545 3.10 1430 mAh No (not yet known)
iPhone 5S bq27545 ? ? No (not yet known) Have not yet acquired a battery of this type. All of the ones I have received so far are counterfeit.
iPhone 5C bq27545 3.10 1550 mAh (not fully sure yet) No (not confident that this is consistent across different pack makers) Need more samples to confirm.
iPhone 6 ? ? ? ? Someone get me one of these, please :)
iPhone 6 Plus ? ? ? ? Ditto

Notes:

  1. All known iPhone battery models use custom firmware, so not all of the features that the mainstream gas gauge models use are available. For example, none of these gauges will calculate the battery’s State of Health percentage (it is basically the percentage of the battery’s full charge capacity (it degrades with use) versus its designed capacity.
  2. The iPhone 5C’s battery label indicates a designed capacity of 1510 mAh, but the battery I’ve received indicates a capacity of 1550 mAh. As I have only been able to get one of these batteries that seem to be genuine, I will need to get more batteries of this type to confirm that this information is correct.

An Easy Hook-Up: Creating breakout Power/HDQ breakout boards for iPhone smart batteries

Now that I’ve been amassing a greater and greater arsenal of iPhone batteries, it’s gotten to the point that it makes most sense to create a connector board that can bring out the Pack+/Pack- pins alongside the HDQ data pin so I can view the gauge’s status in GaugeStudio.

Why use iPhone batteries in DIY projects?

The benefit of using iPhone batteries (note they must be for the iPhone 4 or newer; older ones will lack the fuel gauge) in microcontroller-based projects, is that the fuel gauge allows the microcontroller’s program to read out its current battery level, power consumption, capacity and time-to-empty; you also get the usual built-in protection circuit to safeguard against short-circuits, overcharge/overdischarge and overcurrents.

Additionally, iPhone replacement batteries are easy to find online or in cell phone repair shops, making them cheap and plentiful.

What is this “HDQ” that I keep talking about?

HDQ is a communication bus originally made by Benchmarq (now a part of TI). It stands for “High-Speed Data Queue”, and is a serial bus that transmits data over a single wire. This, however, is not to be confused  with Dallas Semiconductor’s 1-Wire protocol. The basic idea is the same but they are completely incompatible with each other.

Board construction

The board was made up of an iPhone surface-mount connector, a 4-pin connector for HDQ data transfer, a 2-pin male header, and a 2-terminal screw terminal. As with many of my prototype boards, wiring of the board is done with thin, flat solar cell tabbing wire. It’s flat, pre-tinned, and can handle high currents easily.

The benefits of this sort of board is that it allows:

  • Easy, removable connections to the battery; no need to solder to the battery terminals directly
  • Access to the HDQ data pins and power terminals
  • Real-time monitoring of battery State-of-Charge (%), current (mA), voltage (mV), capacity (mAh) and also the remaining time-to-empty (minutes).
  • Adaptability for different connectors (either by making a separate board for that connector or by creating a single “universal” board)
  • HDQ protocol can be used by a microcontroller via either bit-banging the protocol, or using an on-chip UART. (subject to a separate post in the future)

Although I could have created one large breakout with all the available connectors populated, I wanted to be able to use multiple batteries at once for powering different devices. Additionally, the HDQ bus has no support for addressing multiple devices.

The iPhone 4, 4S and 5 batteries have an additional NTC thermistor pin, but I have left them disconnected since I can read out the battery temperature over HDQ anyways.

Safety

Keep in mind that not all Li-Ion batteries have the same charging voltage. The iPhone 4 and 4S batteries use a 3.7 volt cell, charging at 4.2 volts; but the iPhone 5, 5S and 5C batteries are 3.8 volts, charging at 4.3 volts. 4.3 volt cells can charge at 4.2 volts with a capacity reduction of 5-10%, but 4.2 volt cells must not be hooked up to a 4.3 volt charger. There is overcharge protection built into the battery but it should not be relied upon for regular charging. Apart from the usual risk of the battery catching fire (or even just puffing up like a balloon), you also permanently decrease the battery’s capacity and dramatically increase its internal resistance, essentially crippling the battery for life.

Looking inside an iPhone 5 battery

In the wake of my previous teardowns of the iPhone 4 and 4S batteries, I went onto eBay and Amazon (realizing that they finally have Amazon Prime student rates up in Canada) and bought a few iPhone 5 and 5S batteries. Although I was primarily interested in trying to get the gas gauge information out of the batteries, I had a secondary reason. The Nexxtech Slim Power Bank (a subject of a separate blog post) uses a pair of 3.8-volt Li-ion polymer batteries, and they seemed to be be suspiciously similar in size to what is used in the iPhone 5. But enough of that, we’re here for the iPhone 5 battery in particular!

Battery Casing

The iPhone 5 battery measures 3.7 mm in thickness, 3.2 cm in width and 9.1 cm in length. This particular model, made by Sony, has a model ID of US373291H, with the six digits corresponding to the cell’s dimensions. This cell has a labeled capacity of 1440 mAh at a nominal 3.8 volts, with a maximum charge voltage of 4.3 volts. I tried to read the data matrix barcode on the cell but my barcode scanning app on my phone refused to recognize it. I might try to scan and sharpen the barcode later but it’s not something that’s of a high priority to me.

Battery Teardown and Pinout

The board itself is rather interesting. The protection MOSFETs used to switch the battery’s power are chip-scale packages and are glued down with epoxy, same with the gas gauge itself. This means that I can’t easily replace it with a rework station if the need arises. The board includes the gas gauge, thermistors, protection circuitry and still has room for a polyfuse for extra over-current protection.

iPhone 5 battery PCB layout

iPhone 5 battery PCB layout

The pinout of the iPhone 5 battery is pretty much the same as of the iPhone 4 and 4S. You have Pack-, NTC Thermistor, HDQ and Pack+. In this particular model of battery, the gas gauge is a bq27545 (labeled SN27545), but has basically the same feature set as the iPhone 4/4S’ bq27541. With this information, I soldered to the small terminals on the connector (the actual connectors for this battery haven’t arrived yet since it takes so long to receive items from China on eBay), and hooked it up to my trusty Texas Instruments EV2400 box.

iPhone 5 battery pinout

iPhone 5 battery pinout

Battery Data

iphone 5 firmware versionAnd once again, we’re presented with an obscure firmware revision. The latest bq27545-G1 firmware is only version 2.24, but this chip has version 3.10. After forcing GaugeStudio to accept this gauge as a -G1 version, we’re once again presented with a sealed chip. Let’s try to unseal it with the default key…

... aaaaand nope. No dice with 0x36720414, unlike last time.

Nope. No dice with 0x36720414, unlike last time.

… and I get the dreaded “Unseal Key” prompt. Cue the dramatic Darth Vader “NOOOOO” here. Maybe Apple read my previous post and decided to change the default keys this time (Hey Apple, if you read this, make the iPhone 6’s gas gauge have the default keys again)! This means that not only can I not access any of the juicy details of this battery, but I cannot update its firmware to a more… conventional version either. I could try brute-forcing it, but trying to hack a key with a 32-bit address space over a 7 kbps bus… uh, no. That’s not going to happen. I’d probably have better luck reverse-engineering Apple’s battery code but I doubt they have any facility to do in-system firmware updates for the gas gauge.

Data captured from GaugeStudio

Data captured from GaugeStudio

Now for some rather… interesting details of what we can access. The design capacity of this battery, according to the gas gauge, is 1430 mAh, same as the iPhone 4S and also 100 mAh less than what’s written on the label. That, and the full charge capacity of this battery is 1397 mAh out of the gate. The gauge seems to be an insomniac (it won’t enter Sleep mode even when the battery is not hooked up to any load), and it seems to have less features despite having a higher firmware version (I’m sure the internal temperature isn’t 131 degrees C…), and the Pack Configuration register doesn’t bring up any sensible data.

Battery… conspiracy?

One thing that I haven’t confirmed is whether or not this battery had been tampered with before I received it. I bought this particular battery from eBay and it was listed as new. It had some adhesive residue but no obvious sign of being peeled off from another iPhone. The cycle count is set to 1, and because the gas gauge is sealed, I can’t read any other data like the lifetime data logs. There is a chance that this battery isn’t new and that the seller had somehow changed the data memory and sealed the chip with a non-default key, but I need to wait until some other batteries arrive in the mail and perhaps try reading out batteries taken out directly from some iPhone 5s. Until then, it’s only speculation as to why this chip is sealed with a different key.

The next victims specimens: an iPhone 5S battery, a “new” iPhone 4 battery, and an Amazon Kindle battery.

Review, teardown and analysis of Charging Essentials USB wall outlet

About a week ago I bought a set of wall outlets from Costco that integrate two USB charging ports into a standard Decora-type receptacle. It’s marketed to replace your traditional AC adapter, allowing other appliances to be plugged in while charging your portable electronics.

The outlet is made by Omee Electrical Company, but curiously enough this particular model, the OM-USBII, wasn’t listed on their site. The packaging itself bears the name Charging Essentials, with a logo that looks like a USB icon that’s had one Viagra too many. The packaging states that the outlet has:

  • “Two 5VDC 2.1A ports for more efficient charging in less time”
  • “Smarter USB charging with special chip designed to recognize and optimize the charging requirements of your device”
  • “Screw-free wall plate snaps into place for a more clean, modern appearance”

The second note is of particular importance to me. If it’s true, that means it might be using some USB charge port controller like TI’s TPS251x-series chips. But I’m not one to have blind faith in what’s written on the packaging. Let’s rip this sucker apart!

The outlet has a snap-on coverplate which may look sleek but could hamper removal of this outlet later on if needed. I was curious as to why one couldn’t just use a regular screw-on coverplate, and it turns out it’s because the mounting flange doesn’t have any tapped screw holes; you physically can’t use screws on this because the manufacturer didn’t want to go to the effort to make holes that can accept screws!

The casing is held together with four triangle-head screws in a weak attempt to prevent opening of the device. I had a security bit set on hand so this posed no hindrance to me. Upon removing the cover, the outlet seems rather well built. However, after removing the main outlet portion to reveal the AC-DC adapter inside, I quickly rescinded that thought.

The converter seems relatively well-built (at least relative to some crap Chinese power supplies out there). Some thought was put into the safe operation of this device, but there’s almost no isolation between the high and low voltage sides, and the DC side of this adapter is not grounded; the “ground” for the USB ports floats at 60 volts AC with respect to the mains earth pin. The Samxon brand caps are also pretty disappointing.

As for the USB portion of this device, I had to remove some hot glue holding the panel in place. After a few minutes of picking away at the rubbery blob, I was able to pull out the USB ports.

… and I found LIES! DIRTY LIES! There is no USB charge port controller, contrary to what the packaging claims. It just uses a set of voltage dividers to emulate the Apple charger standard, which could break compatibility with some smartphones. Ugh, well let’s put it back together and take a look at it from the performance side of things. At least the USB ports feel pretty solid…

To measure the voltage-current characteristic of the outlet, I rebuilt my bq27510-G3 Li-Ion gas gauge board so it had better handling of high current without affecting my current and voltage measurements. The reason I used this is because the gauge combines a voltmeter and ammeter in one chip, and by using the GaugeStudio software, I could create easy, breezy, beautiful V-I graphs.

Using a Re:load 2 constant-current load, I slowly ramped up the load current while logging the voltage and current data to a CSV file for analysis in Excel.

overall vi graphThis charger’s… okay. It has pretty good regulation up to 2.3 amps, after that point the AC-DC converter basically brickwalls and the voltage plummets to 3 volts. That said, this also means that this outlet is not a set of “two 2.1A USB ports”. You can charge one tablet but you won’t be able to charge a tablet along with another device simultaneously.

Bah, I’ve had it with this wall outlet. Looks like this one’s gonna be returned to Costco in the next few days. This outlet may be adequate for some people, but for me it’s a disappointment.

Pros:

  • Solid USB ports
  • Good voltage stability (up to 2.3 amps, enough to charge ONE tablet)
  • Apple device compatibility

Cons:

  • Annoying coverplate design
  • Does not meet rated current output, will not charge 2 tablets or 1 tablet + another device
  • Does NOT have a “smart charging chip” despite being stated on packaging, some devices (eg. BlackBerry) will refuse to charge from these ports
  • Power supply for USB seems cheap
  • USB port is not grounded – if a short-circuit happens inside the power supply it can be a shock hazard to you