On 21.04.2016 09:39, Denis 'GNUtoo' Carikli wrote:
> On Wed, 20 Apr 2016 18:50:30 +0200
> Joerg Albert <[email protected]> wrote:
>> This depends on the hardware. With Lenovo Thinkpads the i2c (aka
>> SMBus) of the battery is connected to the embedded controller only
>> (H8S in older models), which also controls charging and is powered as
>> soon as the DC power supply is attached.
> Indeed, the issue is rather how to access that bus without the
> proprietary implementation in the BIOS's SMM.
>
> Practically speaking, I don't even see an easy way to trace what that
> SMM code is doing.
>
> Maybe I would need to run the BIOS and dump the SMM code.
> I know the SMM region is supposed to be locked, but there are still
> many ways to dump it.

I guess this SMM code accesses the EC, e.g. to implement upper/lower limits on the battery charge. BTW, for both the old EC (H8S) and the one in the T430/X230/... Thinkpad series (MEC1619) some efforts have been made to disassemble the firmware.

> Since the LAPIC remapping attack has only been public around 2015 and
> that the Lenovo X60 started selling near 2006, it probably works.
>
>> I guess you don't want more control over the battery but over the
>> charger, e.g. to implement upper and lower limits for the battery
>> charge.
> I assumed the battery had a gauge and a charger chip, I'll verify if
> that's actually true.
>

That's true, the battery has a gauge and a charger chip, which implement the smart battery interface [1] plus some vendor-specific extension, which is e.g. used to detect genuine batteries in the T430 and its cousins.

Cheers,
Joerg

[1] http://sbs-forum.org/specs/sbdat110.pdf
