Sony have a relatively long history of putting expensive 'smart' batteries in their products - I remember having to buy stupidly expensive 'infoLithium' batteries for my Sony camera. The packaging claimed that the battery communicated its own estimates of remaining lifetime (based on charge level and present load) and other operating conditions. It always seemed a bit pointless to me to put that in the battery rather than the camera, but whatever.
Incidentally, I have a few spare third-party PSP batteries (Datel, I think) and I've noticed that they do behave differently under some circumstances than the Sony batteries. For instance, it seems that they need to be bootstrapped in some way by charging in the PSP, before charging in the Datel charger will work correctly. Also I've found them to be much more liable to display the "oh crap, my PSP is bricked" symptoms when the charge level is low.
Service mode by power supply pins?
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
The PSP Homebrew Database needs you!
-
Dr. Vegetable
- Posts: 171
- Joined: Mon Nov 14, 2005 1:32 am
- Location: Boston, Massachusetts
- Contact:
Art: Thank you for "stating the obvious" and then taking the opportunity to question my intelligence and discourage further study of the battery communications. I sincerely apologize for flaming you and your hidden agenda, and I promise to the admins that I will never use the word "G*m*B*y" on this forum ever again.
Back on topic, my crappy little Windows program measured timing of the RS-232 packets to the millisecond. When I made this post, I clustered communication bursts into packets and rounded all times to the second, because the times were all numbers like 2.013 or 10.022 seconds. The communications from the PSP appear to be timed around whole-second-multiple heartbeat intervals, with the extra small timing overhead for communications.
Art, you seem to imply that a PC program would be incapable of responding to the PSP in a timely fashion, and that a dedicated micro would be required for proper analysis of this port. Would you care to share whatever information you have that makes you believe this?
Some may consider it to be unimportant, but I would like to understand how these battery messages are formatted, and how they convey the obvious information from the battery to the PSP. Unless you can tell me exactly what is in each of these messages, please don't try to tell me what isn't in them.
If anyone can figure out how to decipher these packets, please share. Thank you.
Back on topic, my crappy little Windows program measured timing of the RS-232 packets to the millisecond. When I made this post, I clustered communication bursts into packets and rounded all times to the second, because the times were all numbers like 2.013 or 10.022 seconds. The communications from the PSP appear to be timed around whole-second-multiple heartbeat intervals, with the extra small timing overhead for communications.
Art, you seem to imply that a PC program would be incapable of responding to the PSP in a timely fashion, and that a dedicated micro would be required for proper analysis of this port. Would you care to share whatever information you have that makes you believe this?
Some may consider it to be unimportant, but I would like to understand how these battery messages are formatted, and how they convey the obvious information from the battery to the PSP. Unless you can tell me exactly what is in each of these messages, please don't try to tell me what isn't in them.
If anyone can figure out how to decipher these packets, please share. Thank you.
This somehow lead me to assume you were using a terminal program, but it seems now you are emulating the PSPI did some experimentation by breaking the line and echoing back and forth using two COM ports on a PC
to see what came from where. It gets pretty tricky to fake everyone out this way
and battery. My mistake.
There is nothing at all hidden about my agenda, I don't mean to deter you. If you are determined in your goal,
and discover something, we will likely all find out. I still believe it's a wasted effort. I'm entitled to
share my opinion in an adult manner. If you are prepared to do the work and share your findings, great.
I will keep checking the thread.
I may have owned the same, or similar model camera, but will never again buy a Sony camera (long story).I remember having to buy stupidly expensive 'infoLithium' batteries for my Sony camera.
The packaging claimed that the battery communicated its own estimates of remaining lifetime
(based on charge level and present load) and other operating conditions. It always seemed a bit pointless
to me to put that in the battery rather than the camera, but whatever.
There is a possibility that long term data is stored in the pack that would only be pertinent to that battery
derived from data obtained over it's lifetime of use/abuse.
With a one year warranty on the PSP, it probably didn't matter where the PCB was since we pay the same anyway.
Art.
-
Dr. Vegetable
- Posts: 171
- Joined: Mon Nov 14, 2005 1:32 am
- Location: Boston, Massachusetts
- Contact:
Actually, I am tapping off of the COM line and simply eavesdropping on regular, uninterrupted traffic between a PSP and its battery. The initial log (where the PSP received no response from the battery) was with this line disconnected between PC and battery, which tells us (a) which side initiates the conversation, and (b) how to recognize which messages came from which side.Art wrote:This somehow lead me to assume you were using a terminal program, but it seems now you are emulating the PSP and battery. My mistake.Dr. Vegetable wrote:I did some experimentation by breaking the line and echoing back and forth using two COM ports on a PC
to see what came from where. It gets pretty tricky to fake everyone out this way
Mighty gracious of you.Art wrote:There is nothing at all hidden about my agenda, I don't mean to deter you. If you are determined in your goal, and discover something, we will likely all find out. I still believe it's a wasted effort. I'm entitled to share my opinion in an adult manner. If you are prepared to do the work and share your findings, great. I will keep checking the thread.
New battery charge controller chips actually "learn" the characteristics of the individual battery and take this information into account when monitoring the state of the battery pack. This knowledge would have to live in the battery pack because each pack needs to track its own state, and packs may be swapped between devices by the customer. I am not surprised that the PSP battery pack would have responsibility for tracking and reporting this data, but I am surprised that they use such a complicated protocol to communicate information that ought to fit into a handful of payload bytes.Art wrote:I may have owned the same, or similar model camera, but will never again buy a Sony camera (long story).Fanjita wrote:I remember having to buy stupidly expensive 'infoLithium' batteries for my Sony camera. The packaging claimed that the battery communicated its own estimates of remaining lifetime (based on charge level and present load) and other operating conditions. It always seemed a bit pointless to me to put that in the battery rather than the camera, but whatever.
There is a possibility that long term data is stored in the pack that would only be pertinent to that battery derived from data obtained over it's lifetime of use/abuse.
1-wire
I tried to buy a battery today to do some study, but it seems in Adelaide the PSP is
regarded as "too new" for anyone to supply replacements. Against good marital judgement, and the
lack of patience to wait for an ebayed one, I split the case. It was actually quite easy and you
cant even tell I split it... unless you look... It was quite interesting inside, very different
to the pic posted by shine.
Bare with me if I have anything fubar... i am learning as fast as I can :)
I haven't seen anyone refer to the interface as what I believe it to be: a "1-wire" interface (not I2C).
It could use I2C inside the battery, then get converted to 1-wire.
inside, a chip that could support this is:
2480B - possibly equiv to the Maxim DS2480B Serial 1-Wire Line Driver with Load Sensor
(it could be a 2450B - DS2450B 1-Wire Quad A/D Converter but I think it is 2480B)
There is a L02 wich I think would be a 24Lc02 256byte serial eeprom commonly used in I2C to save settings. In DVD players to save region codes, user settings etc.
I would say the 2480B is used as a serial bridge between the psp and the L02(holding battery data in the eeprom).
There are some great appnotes at the maxim website: DS2480B
A very interesting one is App Note 1097: White Paper 2: Using the 1-Wire Public-Domain Kit - DS2450:
Oh, and lots of test points too.
the pics link to high res versions. These are the clearest pictures Ive ever managed. Hope they help someone.
As disassembled:
Battery pack flipped 180 degrees:
Battery pack top view:
PCB top view closeup:
lifted PCB up, bottom of PCB:
The PCB sits right at the top of the battery and for the last picture I bent the PCB upwards for the photo.
Once I get another battery I will try and see whats in the L02, and do some more testing of battery-PSP comms.
Im also wondering what the I2C routines are for if not used by the battery? Unless they just get sent transparently through the 1-wire bridge? I need to do alot more research on this to bring everything Ive learned today together.
Dr V, could you send me a PM on your method for grabbing the data please?
Oh, and some reasons for the pcb being in the battery is because they need calibration data stored in them, there are OEM batteries and also different batteries with different mAh.
1-wire supports multiple devices at different addresses (over 30 devices by dallas alone, going by the maxim website). This could be where a "special" sony battery comes in. a different device on the same bus.
regarded as "too new" for anyone to supply replacements. Against good marital judgement, and the
lack of patience to wait for an ebayed one, I split the case. It was actually quite easy and you
cant even tell I split it... unless you look... It was quite interesting inside, very different
to the pic posted by shine.
Bare with me if I have anything fubar... i am learning as fast as I can :)
I haven't seen anyone refer to the interface as what I believe it to be: a "1-wire" interface (not I2C).
It could use I2C inside the battery, then get converted to 1-wire.
inside, a chip that could support this is:
2480B - possibly equiv to the Maxim DS2480B Serial 1-Wire Line Driver with Load Sensor
(it could be a 2450B - DS2450B 1-Wire Quad A/D Converter but I think it is 2480B)
There is a L02 wich I think would be a 24Lc02 256byte serial eeprom commonly used in I2C to save settings. In DVD players to save region codes, user settings etc.
I would say the 2480B is used as a serial bridge between the psp and the L02(holding battery data in the eeprom).
There are some great appnotes at the maxim website: DS2480B
A very interesting one is App Note 1097: White Paper 2: Using the 1-Wire Public-Domain Kit - DS2450:
I haven't yet found out what the 780102h IC on the top of the PCB is, but Im guessing it is the microcontroller.APPLICATION NOTE 1097
White Paper 2: Using the 1-Wire Public-Domain Kit
This document describes how to use the 1-Wire Public-Domain (PD) Kit. The kit is a completely open source portable 'C' library to create a 1-Wire master using a DS2480B or custom 1-Wire interface. The kit also includes numerous example applications covering a variety of 1-Wire and iButton devices. This document explains how to combine the files in the kit to form applications on supported and unsupported operating systems.
Oh, and lots of test points too.
the pics link to high res versions. These are the clearest pictures Ive ever managed. Hope they help someone.
As disassembled:
Battery pack flipped 180 degrees:
Battery pack top view:
PCB top view closeup:
lifted PCB up, bottom of PCB:
The PCB sits right at the top of the battery and for the last picture I bent the PCB upwards for the photo.
Once I get another battery I will try and see whats in the L02, and do some more testing of battery-PSP comms.
Im also wondering what the I2C routines are for if not used by the battery? Unless they just get sent transparently through the 1-wire bridge? I need to do alot more research on this to bring everything Ive learned today together.
Dr V, could you send me a PM on your method for grabbing the data please?
Oh, and some reasons for the pcb being in the battery is because they need calibration data stored in them, there are OEM batteries and also different batteries with different mAh.
1-wire supports multiple devices at different addresses (over 30 devices by dallas alone, going by the maxim website). This could be where a "special" sony battery comes in. a different device on the same bus.
-
Dr. Vegetable
- Posts: 171
- Joined: Mon Nov 14, 2005 1:32 am
- Location: Boston, Massachusetts
- Contact:
It's fairly straightforward once you've opened the battery case. You will need an SIO cable (or equivalent) to shift the line level up to the standard RS-232 voltage.HaQue wrote:Dr V, could you send me a PM on your method for grabbing the data please?
Just tack a pair of light-gauge wires onto the battery PCB, connected to the middle pin and to GND. On my battery there were test points right near the 3-pin connector that worked well. Then connect the middle pin to the RS-232 RX line and GND to GND. I say "RX" as seen by the PC - you want to receive the bi-directional data on the line into the PC's COM port. The PC's TX line is not used, and can remain unconnected.
Then I ran a program I wrote which logs all traffic on the COM port at 19200 baud, no parity, 8 bits, 1 stop. The program tracks the time interval between incoming bytes and logs the length of any delay above a certain threshold, ~0.5 second IIRC. I'll have to dig out the code and see what kind of shape it's in, but I will post it ASAP.
While you are examining your battery board, you might look for a component labelled "TH01" and encased in foam, located near the geometric center of the main PCB. This appears to be the thermistor that measures the internal temperature of the battery pack.
-
Dr. Vegetable
- Posts: 171
- Joined: Mon Nov 14, 2005 1:32 am
- Location: Boston, Massachusetts
- Contact:
Looking at your pictures, it looks like they've shrunk the whole circuit down considerably. Anyway, I can see the thermistor on your pack - could be something to heat/cool while monitoring COM traffic to watch for changing data values.Dr. Vegetable wrote: While you are examining your battery board, you might look for a component labelled "TH01" and encased in foam, located near the geometric center of the main PCB. This appears to be the thermistor that measures the internal temperature of the battery pack.
->Viper8896 - it's eg. there to tell the charging circuit to back off if the battery's too hot
possible chip link
http://www.necel.com/micro/english/prod ... neral.html
Jim
possible chip link
http://www.necel.com/micro/english/prod ... neral.html
Jim
It doesn't look like a 24Lxx EEPROM to me, at least the ones I've seen.There is a L02 wich I think would be a 24Lc02
If I were sure, I'd open my battery pack and read it since the 24lxx /
24LCxx family cannot be code protected.
Microchip brand devices carry the logo, but there are other brands of
compatible devices.
If you could read the contents of the EEPROM out of a new battery pack
and produce new EEPROMS, perhaps you could change the inner expired battery pack after the warranty period was over.
I'll bet Sony make you send your whole PSP in to them for warranty cover of the battery :rolleyes:
making it more desirable to be able to fix them yourself since there is no warranty period for many of us.
Damn!, now I have to open one.
I have one more battery than PSPs.
I have a programmer... If it would read in-circuit, I can try to read it. Otherwise I can de-solder it after I get a new battery. I saw today KMart sells an aftermarket one for the PSP.
I will have a look at the pinouts and see if the way it is used on the PSP battery supports the 24Lxx theory.
BTW, it looks like the 780102H could well be of the type suggested. Thanks!
There seem to be plenty of resources for that IC at NEC website.
HaQue
I will have a look at the pinouts and see if the way it is used on the PSP battery supports the 24Lxx theory.
BTW, it looks like the 780102H could well be of the type suggested. Thanks!
There seem to be plenty of resources for that IC at NEC website.
HaQue
I have two weeks holiday on my hands right now, and plans for about one week. I might get to opening the battery right now.
I hope I have a simple one.
HaQue, and I are both Australians, any tricks performed here might not help
anyone else in the world.
Ok,
I tried to pick the easiest of three battery packs to open.
They all have the same type of label (what appears to be the Aussie one).
I couldn't pull any apart easily with my hands, so I wrecked the case to
remove the guts of the most used one (which is still newish because my PSP is
wall powered most of the time).
It has the more overworked guts which at least still ran the PSP at the time
that I removed it from it's case.
The only chip I thought looked like a 24Lxx family EEPROM looks to be marked
2740B, which Google returns a Maxim/Dallas (this company has come up a lot)
DS2740 High-Precision Coulomb Counter (whatever that may be), but it includes
as it's first listed feature 15-Bit BiDirectional Current Measurement.
BTW there are only two leads to the battery pack, but I think the square
hole in the PCB with glue through it may conduct heat to a sensor on the
board.
Art.
Ok, I'm going to forget about that chip for now, and look elsewhere on the PCB later.
I hope I have a simple one.
HaQue, and I are both Australians, any tricks performed here might not help
anyone else in the world.
Ok,
I tried to pick the easiest of three battery packs to open.
They all have the same type of label (what appears to be the Aussie one).
I couldn't pull any apart easily with my hands, so I wrecked the case to
remove the guts of the most used one (which is still newish because my PSP is
wall powered most of the time).
It has the more overworked guts which at least still ran the PSP at the time
that I removed it from it's case.
The only chip I thought looked like a 24Lxx family EEPROM looks to be marked
2740B, which Google returns a Maxim/Dallas (this company has come up a lot)
DS2740 High-Precision Coulomb Counter (whatever that may be), but it includes
as it's first listed feature 15-Bit BiDirectional Current Measurement.
BTW there are only two leads to the battery pack, but I think the square
hole in the PCB with glue through it may conduct heat to a sensor on the
board.
Art.
Ok, I'm going to forget about that chip for now, and look elsewhere on the PCB later.
There doesnt seem to be anymore development on this. Last night my computer MB blew some caps and caused me to transfer my files to my laptop. In the process I found a folder containg some smart battery tools, one in particular called "Smart Battery Workshop" http://sbworkshop.com/ I dont have the time in the next few days to do any hacking, but I thought it may be useful for someone.. Im not even sure it can be used with the PSP, but the site could have some docs or other info that puts a peice in the puzzle.
>If I were you, I would lock this thread :-) But a continuity tester reveals, >that there is nothing magic about these pins (check against + and GND).
>Right, it's been confirmed that the 2 pads are the same as the power supply >jack. But I'm not convinced that you couldn't use the power supply to send >and receive data...
hey don't forget, just because a continuity tester says they're connected,
it doesn't mean they are. After all, such a tester just puts a voltage across
two terminals and measures whether current flowed through. If the two terminals are connected to e.g. a CMOS chip, you're likely to drive part of a gate and give the impression of continuity.
has anyone observed the traces on the board to confirm the connections?
>Right, it's been confirmed that the 2 pads are the same as the power supply >jack. But I'm not convinced that you couldn't use the power supply to send >and receive data...
hey don't forget, just because a continuity tester says they're connected,
it doesn't mean they are. After all, such a tester just puts a voltage across
two terminals and measures whether current flowed through. If the two terminals are connected to e.g. a CMOS chip, you're likely to drive part of a gate and give the impression of continuity.
has anyone observed the traces on the board to confirm the connections?
I asked this over at QJ, and TeamOverload suggested that I ask here.
The other night, I had to remove my battery in my PSP (psp1001-FW 2.6). Under the battery, I saw two copper (colored) pins, with a sticker over it stating the usual "warantee void if removed". The pins are not touching anything on the battery, itself, as they're located near the bottom of the battery.
I was curious, since I'm pretty sure all of you are talking about the pins next to the power jack, are the pins under the battery connected to those pins, or is it something completely different?
Just curious. Thanks.
The other night, I had to remove my battery in my PSP (psp1001-FW 2.6). Under the battery, I saw two copper (colored) pins, with a sticker over it stating the usual "warantee void if removed". The pins are not touching anything on the battery, itself, as they're located near the bottom of the battery.
I was curious, since I'm pretty sure all of you are talking about the pins next to the power jack, are the pins under the battery connected to those pins, or is it something completely different?
Just curious. Thanks.
I'm not a hardware guy, but something tells me it IS the battery.
The first thing they do to a PSP is actually open up the battery compartment, and then take out the battery to see the warrenty sticker.
Then a SONY worker sticks in a special adapter connected to a computer with a PSP battery style shape, and then flips on the switch.
The battery sends a long signal to the PSP, and the PSP initiates SERVICE mode.
Looking at a normal battery itself won't get you nowhere, cause the battery will be only be sending the usual stuff, and not the keys needing to be sent to unlock the secret mode.
Best bet is to attach a chip which records the signals on this port coming into the PSP, and send the modified PSP to SONY claiming it to be bricked. They see that the Warrenty sticker is intact (which could be pulled off if one's careful) and then they start flashing. The PSP returns with a log of what SONY did. +1 for homebrew, 0 For Sony
Btw, you said something about a *break* command every 30 seconds... how long does it take for a bricked PSP to shut off anyways?
But it's all rumour and fantasy nonetheless, and oh yeah, one of the people among you is a SONY spy
The first thing they do to a PSP is actually open up the battery compartment, and then take out the battery to see the warrenty sticker.
Then a SONY worker sticks in a special adapter connected to a computer with a PSP battery style shape, and then flips on the switch.
The battery sends a long signal to the PSP, and the PSP initiates SERVICE mode.
Looking at a normal battery itself won't get you nowhere, cause the battery will be only be sending the usual stuff, and not the keys needing to be sent to unlock the secret mode.
Best bet is to attach a chip which records the signals on this port coming into the PSP, and send the modified PSP to SONY claiming it to be bricked. They see that the Warrenty sticker is intact (which could be pulled off if one's careful) and then they start flashing. The PSP returns with a log of what SONY did. +1 for homebrew, 0 For Sony
Btw, you said something about a *break* command every 30 seconds... how long does it take for a bricked PSP to shut off anyways?
But it's all rumour and fantasy nonetheless, and oh yeah, one of the people among you is a SONY spy
Where did this information come from?SANiK wrote:The first thing they do to a PSP is actually open up the battery compartment, and then take out the battery to see the warrenty sticker.
Then a SONY worker sticks in a special adapter connected to a computer with a PSP battery style shape, and then flips on the switch.
The battery sends a long signal to the PSP, and the PSP initiates SERVICE mode.
i wouldnt like to be the poor flash tech, that has to flash a 15 odd meg file over 1 - wire / i2c .. hell even serial ..
well unless i get paid by the hour.
while i agree posibly it could be used to trigger some sort of service mode, then letting some other device flash .. usb ... flash jig via test points .. but doing it through this port alone would honestly be a painfull way.
but then again this is sony :)
well unless i get paid by the hour.
while i agree posibly it could be used to trigger some sort of service mode, then letting some other device flash .. usb ... flash jig via test points .. but doing it through this port alone would honestly be a painfull way.
but then again this is sony :)
Perhaps they only flash certian files via it, to the extent that they can run an update file via the XMB...?Zianna123 wrote:i wouldnt like to be the poor flash tech, that has to flash a 15 odd meg file over 1 - wire / i2c .. hell even serial ..
well unless i get paid by the hour.
while i agree posibly it could be used to trigger some sort of service mode, then letting some other device flash .. usb ... flash jig via test points .. but doing it through this port alone would honestly be a painfull way.
but then again this is sony :)
They way I heard the rumour is that the battery is used to put the PSP in service mode and the firmware is reflashed from a 'special' memorystick. From what SANiK said about the long signal it's not impossible that the PSP loads some low-level routines to RAM from the "battery" and then uses those to do some inits, diags and gain access to the memorystick and crypto hardware. It can then load everything it needs from there.Gymnos wrote:Perhaps they only flash certian files via it, to the extent that they can run an update file via the XMB...?
The reason I mention the crypto engine is that the rumour also said that when there was a firmware update, both the battery and the memorystick needed to be exchanged. It'd make more sense that this is because Sony ties the memorystick to the battery using encryption (i.e. the "battery" also contains the keys needed to decrypt what's on the memorystick) than they would need to update the bootstrap every time.
I doubt service mode would boot into XMB.
I guess that unless someone gets their hands (legally) on a battery/memorystick pair or someone at a service center starts talking (never signed an NDA?), these will just stay rumours.
Just to make sure the record is straight in the places where it matters...
This effort was much more than simply the Noobz team. See the readme / release post for more details.
This effort was much more than simply the Noobz team. See the readme / release post for more details.
Got a v2.0-v2.80 firmware PSP? Download the eLoader here to run homebrew on it!
The PSP Homebrew Database needs you!
The PSP Homebrew Database needs you!
Did someone know what is the sequense writed inside the battery by Noobz team battery program, or someone dump the communication between modified battery and psp ? (like Dr. Vegetable post)
In other world what's _magic_ sequence in the battery set 9bit to 1 @0xbe240004 ?
if ((*(u32 *)0xbe240004) & 0x10)
{
use memory stick ipl routines;
}
else
{
use nand ipl routines;
}
ref: http://forums.ps2dev.org/viewtopic.php?t=8850
Great jobs for all poster, specialy Noobz team ;)
In other world what's _magic_ sequence in the battery set 9bit to 1 @0xbe240004 ?
if ((*(u32 *)0xbe240004) & 0x10)
{
use memory stick ipl routines;
}
else
{
use nand ipl routines;
}
ref: http://forums.ps2dev.org/viewtopic.php?t=8850
Great jobs for all poster, specialy Noobz team ;)
Dr. Vegetable wrote:This is the data stream sent from the PSP to the battery when it is inserted. In this case, the battery's COM pin was disconnected, so it did not respond, and the PSP refuses to power up:
This time, the battery was inserted with the COM port connected through to the PSP:Code: Select all
[00] <BREAK> [5A]Z[00] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[00] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[00] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [5A]Z[00] [0B] [26]&[FD] [5A]Z[00] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [5A]Z[01] [0B] [26]&[FD] [00] <BREAK>
...Then the link went quiet. After about 10-15 seconds I turned on the PSP...Code: Select all
[00] <BREAK> [5A]Z[09] [0B] [24]$[FD] [A5] [15] [32]2[08] [4C]L[B3] [20] [C2] [5A]Z[09] [63]c[70]p[FE] [A5] [19] [32]2[88] [41]A[21]![23]#[AA] [F4] [5A]Z[0D] [03] [06] [10] [B9] [4A]J[C2] [D4] [30]0[7D]}[92] [53]S[0E] [FC] [A5] [49]I[32]2[48]H[97] [74]t[2E].[66]f[D2] [F2] [80] [E7] [0D] [19] [BD] [16] [4E]N[5C]\[4D]M[97] [28]([43]C [5A]Z[00] [0A] [95] [5F]_[B3] [0C] [17] [28]([46]F[56]V[63]c[F3] [A5] [29])[32]2[08] [87] [AB] [32]2[57]W[D1] [77]w[99] [E7] [FD] [FF] [5A]Z[09] [0B] [24]$[FD] [A5] [15] [32]2[08] [90] [66]f[81] [18] [5A]Z[04] [03] [07] [10] [2C],[2F]/[00] [E7] [1E] [CB] [99] [00] [4D]M[FE] [A5] [49]I[32]2[C8] [BB] [CD] [CF] [5E]^[47]G[D3] [9E] [AB] [CC] [09] [5B][[CA] [6D]m[19] [AB] [A9] [2F]/[F3] [5A]Z[01] [0A] [E5] [AD] [2C],[67]g[FA] [33]3[17] [61]a[AD] [24]$[FD] [A5] [29])[32]2[E8] [CD] [6E]n[B4] [D1] [A8] [22]"[DD] [79]y[FF] [00] <BREAK>
And then the battery connection fell out.Code: Select all
[5A]Z[09] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [4C]L[B3] [20] [C2] [5A]Z[09] [63]c[74]t[FE] [A5] [19] [32]2[88] [41]A[21]![23]#[AA] [F4] [5A]Z[0D] [03] [07] [90] [ED] [DA] [4D]M[D6] [3C]<[5F]_[4A]J[92] [0C] [A5] [49]I[32]2[88] [1D] [2C],[E6] [A0] [AF] [7D]}[62]b[30]0[29])[6D]m[FB] [03] [0D] [5D]][5F]_[E9] [39]9[75]u [5A]Z[00] [0A] [F5] [59]Y[AA] [64]d[27]' [5A]Z[23]#[0F] [5B][[AA] [FF] [A5] [29])[32]2[48]H[7A]z[36]6[D3] [2C],[55]U[58]X[FA] [FC] [31]1
From this, it looks like commands sent from the PSP to the battery start with 0x5A and the responses sent from the battery to the PSP start with 0xA5.
I have other logs of the normal powered-up operation. The communication occurs in bursts spaced 5 seconds apart, in a larger pattern that seems to cycle every 30 seconds:
That was about as far as I got in understanding this protocol. Does anyone else see more of a pattern?Code: Select all
<PSP turned on, 10 seconds of silence> [5A]Z[00] [0B] [26]&[FD] [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [4C]L[B3] [20] [C2] [5A]Z[00] [63]c[74]t[FE] [A5] [19] [32]2[88] [41]A[21]![23]#[AA] [F4] [5A]Z[5B][[06] [1C] [20] [AF] [61]a[B8] [94] [0B] [B5] [25]%[14] [AD] [A5] [49]I[32]2[E8] [AE] [31]1[25]%[0E] [26]&[7E]~[D2] [F9] [5A]Z[E9] [32]2[1F] [0B] [4A]J[2A]*[EA] [B0] [5A]Z[29])[0A] [F5] [3C]<[50]P[0E] [27]'[F8] [D2] [1D] [06] [1D] [FF] [A5] [29])[32]2[88] [54]T[6F]o[BE] [77]w[3F]?[BD] [22]"[2A]*[4A]J[E1] <1 second of silence> [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [90] [66]f[81] [18] [5A]Z[09] [3B];[C6] [FA] [A5] [11] [33]3[08] [D8] [B0] [90] [5A]Z[01] [4B]K[A4] [FA] [A5] [11] [33]3[E8] [0A] [A0] [D6] [5A]Z[00] [13] [16] [FD] [A5] [0D] [32]2[48]H[EC] [F3] [5A]Z[09] [23]#[EC] [FA] [A5] [11] [33]3[C8] [FF] [4D]M[FE] [5A]Z[00] [1B] [04] [F5] [A5] [11] [33]3[E8] [D2] [90] [DF] <5 seconds of silence> [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [90] [B2] [81] [12] <5 seconds of silence> [5A]Z[00] [3B];[C6] [FA] [A5] [11] [33]3[08] [D8] [B0] [90] <5 seconds of silence> [5A]Z[01] [4B]K[A4] [FA] [A5] [11] [33]3[48]H[16] [58]X[F8] <5 seconds of silence> [5A]Z[09] [13] [2C],[FD] [A5] [0D] [32]2[48]H[EC] [F3] <5 seconds of silence> [5A]Z[09] [23]#[EC] [FA] [A5] [11] [33]3[C8] [FE] [54]T <2 seconds of silence> [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [50]P[B2] [81] [C9] [5A]Z[05] [03] [07] [B0] [7E]~[FC] [36]6[6B]k[49]I[6B]k[44]D[79]y[D3] [FE] [A5] [49]I[32]2[28]([11] [6D]m[1C] [68]h[D2] [9C] [00] [63]c[C5] [FC] [89] [4D]M[C5] [68]h[B7] [61]a[6E]n[E8] [5A]Z[29])[0A] [65]e[93] [DD] [28]([E6] [9A] [E4] [0C] [33]3[27]' [A5] [29])[32]2[88] [46]F[75]u[48]H[A2] [5B][[7E]~[E8] [F4] [36]6[FF] <2 seconds of silence> [5A]Z[09] [16] [08] [F5] [A5] [11] [33]3[48]H[D2] [D0] [FF] <10 seconds of silence> [5A]Z[00] [0B] [26]&[FD] [A5] [15] [32]2[08] [10] [A2] [81] [93] <5 seconds of silence> [5A]Z[09] [3B];[C6] [FA] [A5] [11] [33]3[08] [D8] [B0] [90] <5 seconds of silence> [5A]Z[09] [4B]K[A4] [FA] [A5] [11] [33]3[28]([16] [98] [F8] <5 seconds of silence> [5A]Z[01] [13] [16] [FD] [A5] [0D] [32]2[48]H[EC] [F3] <2 seconds of silence> [5A]Z[00] [0B] [26]&[FD] [A5] [15] [32]2[08] [90] [44]D[81] [28]( [5A]Z[05] [03] [07] [10] [53]S[3D]=[00] [AA] [DF] [D6] [3C]<[2D]-[20] [A5] [49]I[32]2[48]H[AE] [F6] [37]7[50]P[B9] [8D] [EE] [56]V[BD] [9A] [97] [17] [5B][[38]8[A7] [C5] [9C] [AB] [5A]Z[01] [0A] [95] [13] [5B][[22]"[CD] [52]R[02] [C5] [1A] [EE] [FF] [A5] [29])[32]2[A8] [1F] [6E]n[4C]L[2B]+[E7] [09] [63]c[BC] [AB] <2 seconds of silence> [5A]Z[01] [23]#[F6] [FA] [A5] [11] [33]3[E8] [F9] [53]S[FF] <5 seconds of silence> [5A]Z[01] [1B] [04] [F5] [A5] [11] [33]3[48]H[D2] [D0] [FF] <10 seconds of silence> [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [10] [62]b[81] [3A]: <5 seconds of silence> [5A]Z[09] [3B];[8C] [FA] [A5] [11] [33]3[08] [D8] [B0] [90] <5 seconds of silence> [5A]Z[09] [4B]K[A4] [FA] [A5] [11] [33]3[48]H[2C],[B0] [E3] <2 seconds of silence> [5A]Z[09] [0B] [26]&[FD] [A5] [15] [32]2[08] [90] [58]X[20] [8F] [5A]Z[2D]-[03] [06] [90] [BE] [45]E[D2] [7F][E1] [0D] [08] [52]R[28]([FF] [A5] [49]I[32]2[48]H[6B]k[AF] [40]@[95] [F2] [C2] [45]E[16] [5E]^[BC] [BF] [98] [F3] [11] [B0] [38]8[06] [FF] [5A]Z[09] [0A] [C5] [6A]j[9B] [64]d[D7] [C2] [03] [51]Q[30]0[C5] [FE] [A5] [29])[32]2[28]([9F] [5F]_[F1] [C7] [25]%[F6] [99] [B3] [A9] [FA] <2 seconds of silence> [5A]Z[09] [13] [2C],[FD] [A5] [0D] [32]2[48]H[EC] [F3] <5 seconds of silence> [5A]Z[01] [23]#[F6] [FA] [A5] [11] [33]3[88] [9F] [66]f[FF] <5 seconds of silence> [5A]Z[09] [1B] [00] [F5] [A5] [11] [33]3[88] [92] [98]