Notifications
Clear all

Makita

Page 4 / 4
mnhjansson
(@mnhjansson)
New Member

@djibattworkshop 

Yes i'm aware of that option, but i took it more as a learning experience and was not ready to sacrifice a working battery for this purpose and as was mentioned in this topic, newer batteries have much better BMS and the lock-out is less common.
I was also interested in looking into what was possible to do with the 1-wire communication between the battery and charger and reverse engineering the firmware would make that possible but i don't have enough experience and time with disassembly to work that out.

ReplyQuote
Posted : 12/08/2023 11:41 am
DjiBattWorkshop
(@djibattworkshop)
Member Moderator
Posted by: @mnhjansson

I read the firmware a few years ago

 Which programmer did you use for this job ?.. 

 

ReplyQuote
Posted : 14/08/2023 7:33 pm
mnhjansson
(@mnhjansson)
New Member

@djibattworkshop 

I used a simple USB-UART bridge and used the ROM serial bootloader. For the software i used Renesas own program and my own python script.

ReplyQuote
Posted : 15/08/2023 2:13 pm
skyzoner
(@skyzoner)
New Member

@marsotica Can you support the software? thank 

ReplyQuote
Posted : 27/11/2023 4:36 am
petrb
(@petrb)
New Member

Hi guys!

Can you help me with the battery to charger communication decoding?

This I captured with logic analyser of a dead BL1815:

60 20 a1 42   1e 68 00 00   c1 c1 81 51   b2 02 01 13   e0 d0 8e 1a   9f 32 00 b3   01 02 1e 7e   10 b9 0f be

a dead BL1815N:

41 43 cb 95   1a 68 00 00   c1 c1 40 41   01 e0 02 13   f0 d0 8e be   5f 57 00 43   01 02 0e 0c   00 7a 0b 97

several live BL1850Bs:

f1 36 b6 c3   18 58 00 00   52 52 40 21   01 80 02 0f   43 d0 8e 1b   f0 6f 00 23   02 02 0e e0   00 90 00 95

f1 36 b6 c3   18 58 00 00   24 24 40 21   01 80 02 0e   43 d0 8e 1b   f0 6c 00 01   02 02 0e b0   00 00 0d a1

f1 26 bd 13   14 58 00 00   a3 a3 40 21   d0 80 02 0c   23 d0 8e 45   60 14 00 01   02 02 0e 00   00 00 00 21

The 9. and 10. byte should be temperature

0xc1 = 0b 1100 0001 swap nibbles ---> 0b 000111 00 ~ 7,00°C

0x24 = 0b 0010 0100  swap nibbles ---> 0b 010000 10 = 16,50°C

I'd like to se communication of 14,4V battery. It can help me to recognise bytes which determine the required voltage.

 

ReplyQuote
Posted : 16/12/2023 10:27 pm
Topper
(@romain-alvergnat)
New Member Customer

Hi,

Some interesting thread :

https://www.reddit.com/r/Makita/comments/19609zt/partially_solved_some_lxt_batteries_definitely/?sort=new

 

Plus some new Youtube video :

 

Does anyone have dig how to unbrick the Renesas RAJ240080 MCU/BMS ?

 

I have some bricked boards (flashing red with no dead cells) laying around to experiment, if anyone is interesting to help? I'll try to extract the firmware ( https://github.com/fail0verflow/rl78-debug/blob/master/rl78.py).

 

Best regards

This post was modified 4 months ago by Nicusor
ReplyQuote
Posted : 14/02/2024 10:40 am
MGrzanka
(@mgrzanka)
New Member Customer
Posted by: @romain-alvergnat

 

Does anyone have dig how to unbrick the Renesas RAJ240080 MCU/BMS ?

 

There is a Polish guy who cheated NIP Embedded team and found the method to unlock Makita batteries. He used this thread to get all the information about Makita batteries. NIP provided him the firmware of two Makita batteries using the Motorola HC908 controller. The agreement was to share the findings with NIP but after he got the solution he changed his mind and turned 360 degrees, he scammed NIP. He got the solution using the provided firmware.

This scammer guy has a business registered in Poland under "sokon" name. All details about him are public, picture, address, his house, everything Smile

People around the world are impressed by this story and are praying for prosperity and good health Smile Sometimes in this life, you can pay more than any Makita secret.

This post was modified 4 months ago by Nicusor
ReplyQuote
Posted : 15/02/2024 9:20 pm
Topper
(@romain-alvergnat)
New Member Customer

Ok understood.
Anyway i'm not in this mood, just want to make them work again and share the tips/procedure to unbrick.

Could you give me some help to figure it out ?

So far my attack vector :

-tring to connect via Serial 1Wire protocol (thow TOOL0 & Reset pins), no response from MCU so far.

-reverse engeenering the pcb to figure out where pins goes to

Next step will be tring the UART pins (TxD0/RxD0 and or TxD1/RxD1 pins).

 

Best regards

ReplyQuote
Posted : 21/02/2024 4:20 pm
mnhjansson
(@mnhjansson)
New Member

@mgrzanka 

If it is any consolation, there are to my knowledge three different unlocks depending on battery revision. He can unlock HC908 by pretty much mimic what the charger does at the end of the charge cycle (not quite). Depending on the error for F0513 that might work, but for errors such as software deciding to blow fuse, that wont work. Newer batteries based on RAJ and STM microcontrollers have yet another unlock that is protected with a passcode.

 

So let him have the HC908 if he thinks its worth it 😄

ReplyQuote
Posted : 03/05/2024 10:39 am
Page 4 / 4
Share: