
[BL602] How to flash Magic Home over WiFi without soldering

Author: alwas
These original Magic Home devices (with the BL602 chip) can be flashed over WiFi to OpenBeken without soldering.
[Image: white WiFi LED controller with labels and a QR code on the housing]
This uses the manufacturer's own OTA mechanism, but pointed at your own HTTP server.
Step by step, the procedure is as follows:

0. Reset the device to factory settings: switch the controller on and off 4 times.

1. Download the firmware from the OpenBeken project's releases page,
e.g. OpenBL602_1.17.553_OTA.bin.xz.ota. It is important to select the OTA build for the BL602 chip.


2. Start your HTTP server on a free port (here 1111); on Linux (bash) this is the command:
{
    # minimal HTTP/1.0 reply: status line, exact Content-Length, blank line, then the file itself
    echo -ne "HTTP/1.0 200 OK\r\nContent-Length: "$(wc -c < OpenBL602_1.17.553_OTA.bin.xz.ota)"\r\n\r\n"
    cat OpenBL602_1.17.553_OTA.bin.xz.ota
} | nc -l 1111   # serve it once, to the first client that connects


3. In a second terminal, connect to the Access Point created by the device. All my controllers create an SSID of the form LEDnetXXXXXXXXX. I'm using Armbian on a TV box, so I create the configuration in the file wpa_supplicantLED.conf:
network={
    ssid="LEDnet0033290716"
    key_mgmt=NONE
}
and connect to the controller with the command:
wpa_supplicant -i wlan0 -c wpa_supplicantLED.conf
Of course, you can also connect from a laptop using the graphical interface.

4. After connecting, the device assigns us the IP address 10.10.123.4, and the controller itself is at 10.10.123.3. The controller has several open ports; the most interesting is UDP port 48899, which accepts the manufacturer's AT commands. For example, we can check the device's firmware version by sending AT+LVER in a UDP packet:
echo -e "AT+LVER\r" | nc -u 10.10.123.3 48899
and get the reply:
+ok=33_48_20201219_ZG-BL


5. Since everything works, we can send the command that makes the device download the firmware from our server and install it:

echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_20240418_OpenBeken&beta,pierogi" | nc -u 10.10.123.3 48899


We get back ok, and after about a minute you can reset the device; it will then appear as the WiFi network OpenBL602_XXXXXXXX and can be set up in your own installation as usual.

Note: when running the above command, it returned:


Then, after the flash succeeded:
+ok=up_success


As a side project I made an Android version of this procedure, called mhflasher; the source is available at
https://github.com/kruzer/mhflasher and APKs can be downloaded from the releases folder.
[Image: interface of the mhflasher app on Android showing connected device information]

About Author
alwas wrote 37 posts with rating 20, helped 1 time. Been with us since 2019.

Comments

natepalm 25 Apr 2024 02:15

This is a translated version of the original and is missing the most important step #5. From the original: 5. Since everything works for us, we can invoke the command to download the firmware and install...

p.kaczmarek2 25 Apr 2024 13:26

Fair point. I updated the first post. Anyway, good job on figuring out that method! Was it documented anywhere? Is this that "Sonoff update" one that I saw mentioned a few months ago?

alwas 26 Apr 2024 19:49

No, I didn't have any documentation, just a firmware dump, Ghidra, and logging. The console in this device allows for input and output; there are a few commands for viewing RAM or even swapping bytes in...

p.kaczmarek2 26 Apr 2024 20:02

I see, can you try the same for other devices, maybe for LN882H? https://github.com/openshwprojects/FlashDumps/tree/main/IoT/LN882H/LN-02-first

alwas 26 Apr 2024 20:28

I don't have any device with this chip yet, but I'll look around. If the manufacturer has provided the possibility of updating the firmware via web or mobile app, it is most likely doable.

divadiow 26 Apr 2024 22:16

This is me chancing it with an LN firmware and the APK. I don't think I have any Magic Home factory fw. This is with CozyLife, which of course broadcasts a different SSID https://obrazki.elektroda.pl/4085981400_1714162559_thumb.jpg...

alwas 26 Apr 2024 22:29

It tests UDP communication on port 48899 first, and this device/firmware likely doesn't support this method. But I saw a "CosyLife" logo in the firmware dump provided by @pkaczmarek2; is this an LN882H d...

divadiow 27 Apr 2024 08:57

It's not the firmware in the link. I have LN devices and firmwares already to try. Added after 1 minute: I'm trying AT commands after setting up a Python HTTP server. Not getting anything interesting...

alwas 28 Apr 2024 09:12

I can't check now, I've flashed OpenBeken on all my Magic Home devices; I'll need to solder one of them to recover the factory firmware. No, the Magic Home dump doesn't work on the BL602 dev board, I am...

divadiow 28 Apr 2024 09:15

OK, no worries. Let me know if/how you manage to get a working BL factory dump on the dev board.

p.kaczmarek2 28 Apr 2024 12:16

Are all your devices using 2MB Flash? Is the dev board also using 2MB flash? There are multiple partition tables in BLDevCube, but I don't know the exact differences between them.

divadiow 28 Apr 2024 14:00

Dev is 4 MB. All flashes I have are from 2 MB devices. You think dumps probably include the bootloader, so I might need to trim or work out a way to flash with a file offset? I've tried the different partition...

divadiow 28 Apr 2024 22:14

Bonus: also we have a tested dump and restore method for putting any BL602 device back to factory. Added after 9 minutes: other BL factory firmwares also flashed and booting. CozyLife bulb -...

ferbulous 29 Apr 2024 08:07

@divadiow is the OTA method specific to BL602 on the CozyLife firmware? What about the ones running on eWeLink?

divadiow 29 Apr 2024 08:26

I've been trying them all! Not had any response to the same commands as with the MagicHome though. CozyLife and eWeLink use different ports/TCP. I've been trying to find the supported AT commands, but...

alwas 29 Apr 2024 22:01

I don't have this controller to try, but your FlashDump shows that this firmware: - binds to TCP port 5555 and waits for a connection - defines some control functions; maybe someone could try to telnet...

divadiow 30 Apr 2024 07:38

Hmm, no connection with PowerShell or PuTTY to 192.168.4.1:5555 on the LN882H device. https://obrazki.elektroda.pl/1748471700_1714453343_thumb.jpg Added after 31 minutes: no luck with a...

alwas 30 Apr 2024 14:31

OK, maybe let's try a JSON formatted string: {"cmd":0,"pv":0,"sn":"1714479677254","msg":{}} with a different endline...

p.kaczmarek2 30 Apr 2024 14:46

I still have an LN8825 LED strip controller; maybe we can also check that one for some endpoints? https://obrazki.elektroda.pl/6789074400_1714481086_thumb.jpg

FAQ

TL;DR: 66 % of the BL602 Magic-Home firmware images tested still accept the no-solder OTA exploit, but "size check only matters when OTA is performed from OBK" [Elektroda, divadiow, #21245497; Elektroda, insmod, #21586235]. Why it matters: knowing which builds remain open saves hours of bench-soldering and lets you plan safe roll-backs.

Quick Facts

• Default UDP command port: 48899 for Zengge/Magic-Home, 6095 for CozyLife [Elektroda, alwas, #21056057; #21066013]
• Typical BL602 module flash size: 2 MB; dev-boards: 4 MB [Elektroda, p.kaczmarek2, post #21063102]
• OpenBeken OTA image size: ≈ 430 kB (xz) ≙ 0x6B000 bytes [Elektroda, divadiow, post #21063222]
• Latest patched build: 33_227_20231220_ZG-BL returns up_ErrType and blocks OTA [Elektroda, 0x_0, post #21418610]
• Safe power budget for BL602 flashing: ≥ 300 mA @ 3.3 V [Elektroda, p.kaczmarek2, post #21586017]

Which BL602 firmware versions still flash over Wi-Fi without soldering?

Any Magic-Home/Zengge build up to 35_162_20220801_ZG-BL flashes with the AT+UPURL trick. Two out of three images tested by community members reversing the firmware accepted the exploit, a 66 % success rate [Elektroda, divadiow, post #21245497]. Newer builds, 33_227_20231220_ZG-BL and later, reply +ok=up_ErrType and fail.

Why does my controller answer +ok=up_ErrType or up_ErrHttp?

The bootloader now verifies the update manifest before downloading. If the version string or manufacturer ID in the URL does not match the running build (example: ZG-BL vs OpenBeken), it exits with +ok=up_ErrType; if the HTTP server is unreachable it returns up_ErrHttp [Elektroda, makejoint, post #21245313].

How do I trigger the no-solder OTA on a factory Magic-Home BL602?

  1. Power-cycle the device five times to enter AP mode (SSID LEDnetXXXX) [Elektroda, alwas, post #21056057]
  2. Host OpenBL602_xxx_OTA.bin.xz.ota on an HTTP listener (e.g. nc -l 1111).
  3. Send echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_YYYYMMDD_OpenBeken&beta" | nc -u 10.10.123.3 48899. Expect +ok= and then +ok=up_success in about 60 s [Elektroda, natepalm, post #21059192].
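
The step-by-step procedure in the post above (steps 2 to 5) and the FAQ entries on which AT+LVER replies still accept the update and on the +ok=up_ErrType answer, wrapped into one bash script. This is an added example, not code from the original post or from the mhflasher project. Assumed rather than taken from the page: the helper names, the CTRL_IP/HOST_IP/AT_PORT/HTTP_PORT variables, the 2 s netcat reply timeout, and the "&beta" query suffix (the FAQ's form of the command). The addresses, ports and AT commands are the ones the post uses, and the build-date cut-offs are the ones the FAQ reports.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the mhflasher project):
# the no-solder OTA procedure as reusable shell functions.
# Assumed: helper names, the *_IP/*_PORT variables, the 2 s nc timeout,
# the "&beta" suffix. Needs bash (or dash), nc (netcat), wc, cut.

CTRL_IP="${CTRL_IP:-10.10.123.3}"   # the controller inside its own AP
HOST_IP="${HOST_IP:-10.10.123.4}"   # address the AP handed to this machine
AT_PORT="${AT_PORT:-48899}"         # manufacturer AT-command port (UDP)
HTTP_PORT="${HTTP_PORT:-1111}"      # free local port for the one-shot HTTP server

# Raw HTTP/1.0 response header for a file. The device's updater does not
# understand chunked transfer encoding, so Content-Length must be exact.
http_header_for() {
    local size
    size=$(wc -c < "$1" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\nContent-Length: %s\r\n\r\n' "$size"
}

# Serve one file to the first client that connects, then exit (the post's trick).
serve_once() {
    { http_header_for "$1"; cat "$1"; } | nc -l "$HTTP_PORT"
}

# Send one AT command as a UDP datagram and print the reply,
# e.g. "+ok=33_48_20201219_ZG-BL" for AT+LVER.
at_cmd() {
    printf '%s\r' "$1" | nc -u -w 2 "$CTRL_IP" "$AT_PORT"
}

# Pull the YYYYMMDD build date out of an AT+LVER reply
# (third field of the nn_nn_YYYYMMDD_name layout).
lver_date() {
    printf '%s' "${1#+ok=}" | cut -d_ -f3
}

# Classify a build by its date against the cut-offs the FAQ reports:
# up to 20220801 the AT+UPURL path is known to work, from 20231220 on the
# bootloader answers +ok=up_ErrType, and anything in between is untested.
ota_outlook() {
    local d
    d=$(lver_date "$1")
    case "$d" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unparseable"; return 1 ;;
    esac
    if [ "$d" -le 20220801 ]; then echo "expected-to-work"
    elif [ "$d" -ge 20231220 ]; then echo "patched"
    else echo "untested"
    fi
}

# Build the AT+UPURL command; the version keeps the nn_nn_YYYYMMDD_name layout.
upurl_cmd() {
    printf 'AT+UPURL=http://%s:%s/update?version=%s&beta' "$HOST_IP" "$HTTP_PORT" "$1"
}

# Whole flow: confirm the controller answers, serve the image, fire the update.
flash_ota() {
    local image="$1" reply
    reply=$(at_cmd "AT+LVER")
    echo "controller reports: $reply ($(ota_outlook "$reply"))"
    serve_once "$image" &             # one-shot HTTP server in the background
    sleep 1
    at_cmd "$(upurl_cmd "33_48_20240418_OpenBeken")"   # expect +ok=, then +ok=up_success after ~1 min
    wait
}

# Usage when run directly: ./ota.sh OpenBL602_1.17.553_OTA.bin.xz.ota
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    flash_ota "$1"
fi
```

Run it on a machine that is already associated with the controller's AP. The HTTP listener serves exactly one request and then exits, so each attempt starts it afresh; ota_outlook only tells you what the thread has seen for that build date, it does not replace reading the reply to AT+UPURL.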

CozyLife BL602 bulbs use port 6095 and JSON. Can they be flashed, too?

Yes. Send {"cmd":5,"pv":0,"sn":"<epoch>","msg":{"url":"http://<PC>:8080/firmware"}} via UDP/TCP 6095. The bulb requests the file with User-Agent "DoHome-HTTP-Client/2.1". The flash succeeds when the OTA header matches its checksum; otherwise it reboots at ota_fail [Elektroda, alwas, post #21068684].

I flashed OpenBeken but no AP appears afterwards. What now?

A missing AP usually means either the BOOT pin is still strapped low, the supply current is insufficient (<300 mA), or the partition table does not match the flash size. Re-flash the 2 MB partition_cfg_2M_FIX.toml and power from a stable 3.3 V regulator, then reset [Elektroda, p.kaczmarek2, #21586017; DeDaMrAz, #21590554].

Can I pre-set my home SSID and password before first boot?

Yes. Edit factory DTS: set ap_ssid / ap_psk and auto_connect_enable=1, then rebuild the whole_img.bin. Alternatively, after first OpenBeken boot, issue WiFi_Setup <ssid> <pass> via serial or MQTT and reboot once [OpenBeken Wiki].

Will full-flash images overwrite RF calibration or MAC?

A full 2 MB dump replaces the RF partition, the unique MAC and the Tuya GPIO map. Use single-section (app-only) images to keep factory data intact. "We only overwrite main application" [Elektroda, p.kaczmarek2, post #21586062].

What edge cases break the OTA path?

1) Firmware newer than 2023-12-20 patches the exploit.
2) Devices running BLE scripts during the update may brown-out.
3) HTTP chunked encoding is unsupported; always set the Content-Length header [Elektroda, 0x_0, #21418610; alwas, #21056057].

How do I restore stock firmware after experimenting?

If you saved a 2 MB dump (blflash read 0x0 0x200000), flash it back with Single Download at 0x0. Then cycle power; calibration and pairing data return [Elektroda, divadiow, post #21063112].

Is there a Windows-only method?

Yes. Run the PowerShell HTTP server script (see post #21063222) and use Packet Sender to transmit the AT+UPURL string. After +ok=up_success, OpenBeken reboots automatically [Elektroda, divadiow, post #21063222].

Statistic: how long does the transfer take?

On a Raspberry Pi HTTP host, flashing a 430 kB OTA image completes in ≈ 55 s including the CRC check, per UART timestamps [Elektroda, divadiow, post #21063222].

Expert tip for LN882H or BK7231 devices?

LN882H listens on TCP 5555; send {"cmd":0,"pv":0,"sn":"..."} first to confirm. BK7231N SmartLife APs require SSL on port 6668, so this BL602 method will not work directly [Elektroda, alwas, #21065002; divadiow, #21061720].