[BL602] How to flash Magic Home over WiFi without soldering
These original devices (with BL602 chip) can be flashed via WiFi to OpenBeken without soldering.
This is done via manufacturer's OTA mechanism, but from your own server.
Doing this step by step the procedure is as follows:
0. Reset the device to factory settings - switch the controller on and off 4 times
1. Download the firmware - via the project releases catalogue OpenBeken
e.g. OpenBL602_1.17.553_OTA.bin.xz.ota - it is important to select the version for the BL602 chip and OTA
2. Start your HTTP server on a free port (here 1111), on Linux (bash) it is such a command:
3. In the second terminal we connect to the Access Point created by the device, all my drivers create SSID of the form LEDnetXXXXXXXXX , I'm using armbian on tvbox so I create configuration in file wpa_supplicantLED.conf:
and I connect to the controller with the command: . Of course we can connect from the laptop using the graphical interface.
4. After connection, the device assigns us the ip number 10.10.123.4, and our controller is located at 10.10.123.3. The controller has several open ports, the most interesting is the UDP port 48899, which supports the manufacturer's AT commands, we can e.g. check the version of the device by sending a UDP packet to the controller. We can e.g. check the version of the device by sending a UDP packet AT+LVER :
to get the answer:
5. Since everything works for us, we can invoke the command to download the firmware and install it on the device:
We will get back ok, and after about a minute you can reset the device and it will appear in the wifi network OpenBL602_XXXXXXXX and you can adapt it normally to your own installation.
Note: when running the above command, it returned:
Then after the flash was successful:
As a side project i made an Android version of this procedure, it is called mhflasher, source is available here
https://github.com/kruzer/mhflasher. Apk's can be downloaded from releases folder
This is done via manufacturer's OTA mechanism, but from your own server.
Doing this step by step the procedure is as follows:
0. Reset the device to factory settings - switch the controller on and off 4 times
1. Download the firmware - via the project releases catalogue OpenBeken
e.g. OpenBL602_1.17.553_OTA.bin.xz.ota - it is important to select the version for the BL602 chip and OTA
2. Start your HTTP server on a free port (here 1111), on Linux (bash) it is such a command:
{
echo -ne "HTTP/1.0 200 OK\r\nContent-Length: "$(wc -c < OpenBL602_1.17.553_OTA.bin.xz.ota)"\r\n\r\n"
cat OpenBL602_1.17.553_OTA.bin.xz.ota
} | nc -l 11113. In the second terminal we connect to the Access Point created by the device, all my drivers create SSID of the form LEDnetXXXXXXXXX , I'm using armbian on tvbox so I create configuration in file wpa_supplicantLED.conf:
network={
ssid="LEDnet0033290716"
key_mgmt=NONE
}wpa_supplicant -i wlan0 -c wpa_supplicantLED.conf4. After connection, the device assigns us the ip number 10.10.123.4, and our controller is located at 10.10.123.3. The controller has several open ports, the most interesting is the UDP port 48899, which supports the manufacturer's AT commands, we can e.g. check the version of the device by sending a UDP packet to the controller. We can e.g. check the version of the device by sending a UDP packet AT+LVER :
echo -e "AT+LVER\r" | nc -u 10.10.123.3 48899+ok=33_48_20201219_ZG-BL5. Since everything works for us, we can invoke the command to download the firmware and install it on the device:
echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_20240418_OpenBeken&beta,pierogi" | nc -u 10.10.123.3 48899We will get back ok, and after about a minute you can reset the device and it will appear in the wifi network OpenBL602_XXXXXXXX and you can adapt it normally to your own installation.
Note: when running the above command, it returned:
+ok=Then after the flash was successful:
+ok=up_successAs a side project i made an Android version of this procedure, it is called mhflasher, source is available here
https://github.com/kruzer/mhflasher. Apk's can be downloaded from releases folder
Comments
This is a translated version of the original and is missing the most important step #5. From the original: 5. Since everything works for us, we can invoke the command to download the firmware and install... [Read more]
Fair point. I updated first post. Anyway, good job on figuring out that method! Was it documented anywhere? Is this that "Sonoff update" one that I saw mentioned few months ago? [Read more]
No, I didn't have any documentation, just a firmware dump, Ghidra, and logging. The console in this device allows for input and output; there are a few commands for viewing RAM or even swapping bytes in... [Read more]
I see, can you try the same for other devices, maybe for LN882H? https://github.com/openshwprojects/FlashDumps/tree/main/IoT/LN882H/LN-02-first [Read more]
I don't have any device with this chip yet, but I'll look around. If the manufacturer has provided the possibility of updating the firmware vie web or mobile app, it is most likely doable. [Read more]
this is me chancing it with an LN firmware and the APK. I don't think I have any Magic Home factory fw. This is with CozyLife which of course broadcasts a different SSID https://obrazki.elektroda.pl/4085981400_1714162559_thumb.jpg... [Read more]
It tests udp communication on 48899 port first, and this device/firmware likely doesn't support this method. But i saw "CosyLife" logo in the firmware dump provided by @pkaczmarek2 is this a LN882H d... [Read more]
it's not the firmware in the link. I have LN devices and firmwares already to try. Added after 1 [minutes]: im trying AT commands after setting up a Python http server. not getting anything interesting... [Read more]
I can't check now, i've flashed OpenBeken on all my Magic Home devices, i'll will need to solder one of them to recover the factory firmware. no, Magic Home dump doesn't work on BL602 dev board, i am... [Read more]
Ok no worries. Let me know if/how you manage to get a working BL factory dump on dev board [Read more]
Are all your devices using 2MB Flash? Is the dev board also using 2MB flash? There are multiple partition tables in BLDevCube, but I don't know the exact differences between them. [Read more]
Dev is 4mb. All flashes I have are from 2mb devices. You think dumps probably include bootloader so I might need to trim or work out a way to flash with file offset? I've tried the different partition... [Read more]
bonus also we have a tested dump and restore method for putting any BL602 device back to factory. Added after 9 [minutes]: other BL factory firmwares also flashed and booting. CozyLife bulb -... [Read more]
@divadiow is the ota method specific for bl620 on the cozylife firmware? What about the ones running on ewelink? [Read more]
ive been trying them all! Not had any response to the same commands as with the MagicHome though. Cozylife and Ewelink use different ports/TCP. I've been trying to find the supported AT commands, but... [Read more]
I don't have this controller to try, but your FlashDump shows, that this firmware: - binds to tcp port 5555 and waits for connection - defines some control functions maybe someone could try to telnet... [Read more]
hmm. no connection with PowerShell or Putty to 192.168.4.1:5555 on LN882H device. https://obrazki.elektroda.pl/1748471700_1714453343_thumb.jpg Added after 31 [minutes]: no luck with a... [Read more]
ok, maybe let's try json formatted string: {"cmd":0,"pv":0,"sn":"1714479677254","msg":{}} with a different endline... [Read more]
I still have LN8825 LED strip controller, maybe we can also check that one for some endpoints? https://obrazki.elektroda.pl/6789074400_1714481086_thumb.jpg [Read more]