Battery Firmware Hacking

Presented at DerbyCon 1.0 (2011), Oct. 2, 2011, 9 a.m. (50 minutes)

Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries, in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers. In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.


  • Charlie Miller
    Charlie Miller is a Principal Research Consultant at Accuvant Labs. Dr Miller was a Global Network Exploitation Analyst at the National Security Agency (NSA) for 5 years. He was the first person to find a public remote exploit for both the iPhone and the G1 Android phone. He has won the CanSecWest Pwn2Own competition for the last four years in row. Popular Mechanics listed him as a Top 10 Hacker in 2008 and he was selected by Channel Web as a 2010 Security Superstar. He has authored two information security books and holds a PhD from the University of Notre Dame. He also has a CISSP and GCFA.

Similar Presentations: