Backup & Restore of Xradiotech/Allwinner XR806/XR809 Flash in Windows: Guide & Demonstration
Here I will demonstrate how the internal flash of the Xradiotech/Allwinner XR806 (and XR809 - see note at bottom) can be read to file in Windows. Although there is not yet an OpenXR806 cloud-free alternative firmware to use on devices that have the XR806 at heart, flash firmware backups are useful in development and research and for general backup purposes.
One Tuya module seen in the wild based on XR806 is the WXU (T103C-HL). Also available as WXU-IPEX - datasheets attached.
To date, the XR806 has been spotted on Elektroda in:
Avatto TRV16-WIFI radiator valve
Avatto SWT60 Smart Watering Timer
Allwinner development board
Also: QOTO QT-08W Solar Power Smart Water Valve
The XR806 comes in a 5mm x 5mm QFN40 package and a 4mm x 4mm QFN32 package, with different feature lists.
To get into UART download mode PB02 needs to be pulled to ground at power-on.
On the WXU, PB02 is the 3rd pad up from the bottom on the right-hand side of the module as you look at the top
or from the bottom:
and again from the top with WXU shown mounted on PCB from TRV16, which I will also use to demonstrate flash backup
Soldering can be performed direct to WXU contacts or, in the case of this WXU on PCB from TRV16, I have chosen to solder to the breakout pads instead for all but PB02.
USB-TTL RX -> XR806 TX
USB-TTL TX -> XR806 RX
3.3V -> XR806 VBAT
USB-TTL GND -> PSU GND -> XR806 GND
Flash writing and reading is performed in the PhoenixMC program, available from https://github.com/openshwprojects/FlashTools/tree/main/XRadioTech-AllWinner
Main text areas are in Chinese, so here are some translations to aid navigation
Connect the XR806 as above and power on. Set an appropriate baud rate on the main page (this may need to be lower if your wires are too long or you're using pogo pins), then open the Debug menu. It should communicate with the XR806 and unlock the text fields. Change the length box text to 200000 and click Read.
Animated read image
The flash backup will be saved to a file called flash_A_0x0_L_0x200000.bin in the PhoenixMC root folder.
In this mode you can also read the flash ID. eg:
which looks to be Winbond W25Q16JV or W25Q16DV in my case.
To restore a backup simply rename your backup file extension from .bin to .img (or change the filtering in the open dialog box to *.*) and flash back with the blue Update button. eg:
This process is identical for the XR809 except for the need to ground both PB02 and PB03. Original XR809-specific guide: https://www.elektroda.com/rtvforum/topic3806769.html
Your backup may contain your Wi-Fi credentials, so take the backup before pairing the device with cloud platforms, or pair/unpair it with a test AP first. Please share your backup files for analysis and archive in the collection https://github.com/openshwprojects/FlashDumps/tree/main/IoT
Alternatively, PM me the file and I'll happily flash/pair to test AP/unpair and take new backup.
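Following the warning above that a backup may contain Wi-Fi credentials, here is an added example (not part of the original post or of PhoenixMC) that checks a dump before it is shared: it confirms the 0x200000-byte length, flags a blank read, and searches for strings you supply, such as your own SSID and passphrase. The function names and the sample image are constructed for illustration, and nothing is assumed about where or how the XR806 firmware stores credentials.

```python
import hashlib
import sys

EXPECTED_SIZE = 0x200000  # read length used in the guide (flash_A_0x0_L_0x200000.bin)


def check_dump(data, secrets=(), expected_size=EXPECTED_SIZE):
    """Return a report dict for a raw flash image held in `data` (bytes)."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # record alongside the archived file
        "size_ok": len(data) == expected_size,
        # A read that failed silently tends to be one repeated byte (0xFF or 0x00).
        "blank": len(set(data)) <= 1,
        "hits": [],
    }
    for secret in secrets:
        # The on-device storage encoding is not documented on the page,
        # so look for the string both as UTF-8 and as UTF-16LE.
        for label in ("utf-8", "utf-16-le"):
            needle = secret.encode(label)
            pos = data.find(needle)
            while pos != -1:
                report["hits"].append((secret, label, pos))
                pos = data.find(needle, pos + 1)
    report["safe_to_share"] = (report["size_ok"] and not report["blank"]
                               and not report["hits"])
    return report


def make_sample(ssid="ExampleHomeAP", at=0x1F0000):
    """Constructed 2 MiB image: erased flash (0xFF), a dummy header, one SSID."""
    img = bytearray(b"\xff" * EXPECTED_SIZE)
    img[0:4] = b"DEMO"  # constructed marker, not the real XR806 image format
    img[at:at + len(ssid)] = ssid.encode("utf-8")
    return bytes(img)


if __name__ == "__main__":
    # Usage: python check_dump.py flash_A_0x0_L_0x200000.bin < strings.txt
    # strings.txt holds one string per line (SSID, passphrase); stdin keeps
    # them out of the shell history. With no argument the sample image is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            wanted = [s.strip() for s in sys.stdin if s.strip()]
            print(check_dump(f.read(), wanted))
    else:
        print(check_dump(make_sample(), ["ExampleHomeAP"]))
```

A clean result only means the supplied strings were not found in plain form; credentials stored encoded or encrypted would not match, so backing up before pairing (or after pairing with a test AP) remains the safer route.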
Comments
With our recent research and development, it seems increasingly likely that it's also possible to flash XR chips without grounding extra pins, as long as the firmware is built with command line enabled...
We need more real XR806 backups to test. The TRV XR806 one we have does not appear to support it but it is trying to do TuyaMCU comms on the flashing UART, so maybe they're getting in the way. If you...
Hi, Thank you @divadiow for your instructions, I was able to dump factory firmware of my XR806 based Salcar TRV801W thermostatic radiator head. BTW, I've already opened a pull request with that firmware...
This shouldn't happen, and unfortunately I don't know the reason. And I can't test it myself, since I don't have any XR806 module. For now, try https://github.com/openshwprojects/OpenBK7231T_App/r...
Boot log from 1.18.128 looks almost the same as 1.18.207, there is only one difference, last number in one line before the last, which is now 0x2200d0. Added after 34 [minutes]: For those who may...
Hmm. It's been a while since I flashed an XR806, I'll try when home later. I have an XR806 dev board and also, obviously, the WXU from probably the same TRV. I never did put the WXU back into the TRV to...
Before proceeding @divadiow could you please try with the factory firmware that I added to the FlashDumps repo? Maybe results from booting it on your module can shed more light on the issue with my...
Yep, I added that note. I was just about to post that I killed a board with the other dump there. It must be coded for that DC mode that eats the Allwinner boards. I could maybe try on 3.3v WXU instead...
So for me it looks like my device's factory firmware, despite being built with SDK v1.2.1, is using DCDC, and that can be dangerous to other devices.
Interesting. This is the device I have from which WXU came from. It shows LDO used in this boot log of factory app post #7 https://www.elektroda.com/rtvforum/topic4118139.html Added after 15 [minutes]:...
There is no separate WiFi module in my device, everything except an external LED display is located on one and the same PCB, can be seen on the picture I posted. So my device may be very different from...
Yes indeed. Do you know what your XR806 is fed with voltage-wise if powered normally as if unopened?
I'm able to power up the device from batteries even when disassembled, however, I would be afraid of touching XR806 chip pins with a probe. Those are so tiny, so close one to another, so I can't be sure...
You could build a DCDC version of OpenXR806 to see if that works. I don't know if that's a good idea or not.
I guess you mean you don't know if that's safe for the device, don't you?
Pretty much yes. But if yours is DCDC now it sounds like it'd be ok. Depends on whether you want to take any risks I guess. Or wait until someone who knows more chimes in
Hi, I've decided to try with a custom DCDC build. Following the guide, I've submitted a pull request and the image has been built. Can you please have a look at https://github.com/openshwprojects/OpenBK7231T_App/pull/1893...
I think that's all I'd do, toggle LDO off/DCDC on, see what works. Added after 2 [minutes]: but I don't want to be leading you down a path if it means killing the chip. I just know what I'd fiddle...
Assuming my attempt to configure a custom DCDC image was successful, I can see no difference when trying to boot it on my device, compared to the default OpenXR806 image. Boot log looks exactly the same...