Winner Micro W803-E400 in RMW002 Smart Mini Switch: TW-803 Module, CozyLife Firmware & Boot Log

divadiow 19 Aug 2025 23:11 1 522 Cool? (+6)

📢 Listen (AI):

This device is another one of those 16A "DIY" mini switch/breakers that has been seen with quite a few different MCUs, modules and PCB layouts. Without high expectations it was ordered in the off-chance something new and interesting was inside. This time there was!

A Winner Micro W803-E400 chip on a TW-803 module. I've never received a production device with a W80x in. I have W800/W801 dev boards only - the Hi-Link HLK-W800-Kit, HLK-W801-Kit, HLK-W806-Kit and a HLK-B36 module.

It's the same CSKY/XuanTie XT804/CK804 architecture as the others. This family of chips is sometimes seen referred to as W80X.

At the moment we only have one W800 device in the device list (though it doesn't appear to have any pin assignments) - a WX300P RGB Strip Controller in the W800 flashing and development topic.

The TW-* module naming is reminiscent of the TW-02/03 labelling of the ThingsTurn W600 modules, but I've yet to find any official documentation to confirm a relation - only the ThingsTurn logo on this Taobao listing https://world.taobao.com/item/688026122927.htm

ThingsTurn TW-803 Wi-Fi module with embedded W800 chip and Chinese labeling

And it seems there is a W803Pico board https://doc.winnermicro.net/w800/en/latest/get_started/w803_pico.html from which chip pins can be seen

Pinout diagram for W803-Pico module showing microcontroller W803 wiring

De-soldered module

TW-803 V2.0 electronic module with WinnerMicro chip on blue mat

TW-803 electronic module with labeled pins, placed on a blue anti-static surface

and from TX0 (PB19) we get the CozyLife boot log at 115200 baud

Before I flash OpenW800, erasing the factory firmware, I'd like to give my Python/W80x stub flash reader a go to see if I can take a backup. I've had no success getting a working device flashing these images back, but the read at least looks (mostly) sound.

The CK-Link method is an option too but only PA1 is routed out to a pad, PA4 would need to be a pogo pin or needle job.

Using python w800_flash_read_crc_flush_double.py (attached) and with RX0 (PA20) and TX0 (PA19) soldered up and connected to USB-TTL adaptor, I can read flash. Quick RST to ground for the script to catch and upload stub

2mb flash.

w800_flash_read.zip contains stub, script and my backup.

My initial finding in the backup is that it appears a factory SSID "CozyLife_Upgrade" is searched for and connected to with password "12345678". Interesting, maybe it'll then be open to OTA exploitation.

With that SSID available, it does indeed connect

Wi-Fi settings screenshot for CozyLife_Upgrade showing password and MAC address details.

on TX0 we see it listing SSIDs and stopping at CozyLife_Upgrade

Wireshark doesn't seem to suggest it tries to do anything on connection

Wireshark capture showing DHCP sequence and ARP packet with MAC c8:58:6a:2e:cf:a0

nmap

Similarly with "CozyLife_CC" broadcasting:

I do not see any AT commands in plain text in the fw backup.

There's probably more to investigate before the one-way trip to OpenW800

oh and Tuya still have these as downloads

https://airtake-public-data-1254153901.cos.ap...qcloud.com/smart/embed/pruduct/w803_0.0.1.zip
https://airtake-public-data-1254153901.cos.ap...qcloud.com/smart/embed/pruduct/w803_0.0.2.zip

UPDATE. Device was from Ali Express 20A option https://www.aliexpress.com/item/1005009631991603.html

About Author

divadiow wrote 3742 posts with rating 638 , helped 314 times. Live in city Bristol. Been with us since 2023 year.

Comments

Add a comment

divadiow 20 Aug 2025 23:42

With an STM32 running CK-Link Lite firmware and cabled as: https://obrazki.elektroda.pl/9844991400_1746439164_bigthumb.jpg PA4 pin connected using sewing needle held in place. https://obrazki.elektroda.pl/3034334300_1755725194_bigthumb.jpg... [Read more]

FAQ

TL;DR: RMW002 hides a Winner Micro W803‑E400 with 2 MB flash; "I can read flash" via UART and a Python stub. CozyLife firmware seeks "CozyLife_Upgrade" (12345678) but exposes little; flashing OpenW800 looks one‑way today. [Elektroda, divadiow, post #21639312]

Why it matters: This FAQ helps tinkerers safely back up, probe, and reflash W803‑based mini switches without losing recoverability.

Quick facts:

MCU/module: Winner Micro W803‑E400 on a TW‑803 module; CSKY/XuanTie XT804/CK804 class. Seen inside a 16A mini switch. [Elektroda, divadiow, post #21639312]
Flash: Detected size 2 MB; flash ID reported as "EB,15" during dump. [Elektroda, divadiow, post #21639312]
UART/boot: Boot log at 115200. Stub ran up to 2,000,000 baud; bootloader triggered via AT+Z + RTS + ESC flood. [Elektroda, divadiow, post #21639312]
Firmware: CozyLife SDK 0.6.0, FW 2.1.5 (2025‑03‑05). Joins SSID "CozyLife_Upgrade" with key 12345678; "CozyLife_CC" enters factory scan. [Elektroda, divadiow, post #21639312]
Debugging: CK‑Link possible, but only PA1 is on a pad; PA4 needs pogo/needle access. [Elektroda, divadiow, post #21639312]

Quick Facts

- MCU/module: Winner Micro W803‑E400 on a TW‑803 module; CSKY/XuanTie XT804/CK804 class. Seen inside a 16A mini switch. [Elektroda, divadiow, post #21639312]
- Flash: Detected size 2 MB; flash ID reported as "EB,15" during dump. [Elektroda, divadiow, post #21639312]
- UART/boot: Boot log at 115200. Stub ran up to 2,000,000 baud; bootloader triggered via AT+Z + RTS + ESC flood. [Elektroda, divadiow, post #21639312]
- Firmware: CozyLife SDK 0.6.0, FW 2.1.5 (2025‑03‑05). Joins SSID "CozyLife_Upgrade" with key 12345678; "CozyLife_CC" enters factory scan. [Elektroda, divadiow, post #21639312]
- Debugging: CK‑Link possible, but only PA1 is on a pad; PA4 needs pogo/needle access. [Elektroda, divadiow, post #21639312]

What’s inside the RMW002 mini switch?

A TW‑803 module carrying a Winner Micro W803‑E400. The unit runs CozyLife firmware and reports both Wi‑Fi and BLE MACs. The board appears in a 16A “DIY” mini switch form factor. This mix makes it an attractive alternative to ESP or BK‑based devices for custom firmware work. Photos and serial logs confirm the module and firmware family. [Elektroda, divadiow, post #21639312]

How do I capture the CozyLife boot log?

Connect a USB‑TTL adapter to the module’s UART0 and set 115200 baud. Use the TX0 pad for output and ground the reset briefly to restart logging. You’ll see CozyLife versions, MACs, Wi‑Fi scans, and domain settings in clear text. Keep mains disconnected when probing UART on an in‑wall device. [Elektroda, divadiow, post #21639312]

How can I back up the factory firmware before flashing OpenW800?

Use the author’s Python stub method.

Wire RX0, TX0, and GND to a USB‑TTL adapter; open the provided script.
Reset the module; let the script trigger bootloader and upload the stub.
Switch to 2,000,000 baud when prompted; save the 2 MB dump (ID EB,15). Expect a dump even if CRC verification mismatches. [Elektroda, divadiow, post #21639312]

What flash size and ID does the TW‑803 use?

The flash probe returned “FID:EB,15” and a detected size of 2,048 KB (2 MB). The script logs show a full read at high speed after the stub handshake. This capacity is typical for compact Wi‑Fi switch modules and is ample for alternative firmware images and backups. [Elektroda, divadiow, post #21639312]

How do I trigger the W803 bootloader over UART?

The provided script floods AT+Z with RTS and ESC to coax bootloader mode. Watch for “CCC” to confirm entry and proceed with the stub. “Stub confirmed ready after baud switch.” Once you see that, reads at 2,000,000 baud are reliable. Keep reset timing tight so the stub loads. [Elektroda, divadiow, post #21639312]

Does CK‑Link work on this board, and which pins are available?

Yes, CK‑Link is an option. However, only PA1 is routed to a convenient pad on this PCB. PA4 is not exposed, so you’ll need a pogo pin or needle to access it. That makes repeated CK‑Link sessions fiddly compared with UART, which is already proven for reading flash. [Elektroda, divadiow, post #21639312]

What Wi‑Fi behavior should I expect from the CozyLife firmware?

It passively scans, then connects to a factory SSID. With “CozyLife_Upgrade” and key 12345678 available, it associates and gets an IP. With “CozyLife_CC” present, logs show factory mode messages like “ZC FAC” and “found factory ssid.” The boot log also notes UDPlog disabled and a doiting.com API domain. [Elektroda, divadiow, post #21639312]

Are there open network ports after it joins CozyLife_Upgrade?

Yes. An nmap scan reported 5555/tcp open and 6095/udp open|filtered. Packet capture did not show immediate traffic on connect. That suggests the factory SSID path may be used as a quiet provisioning mode rather than an automatic OTA attempt. Treat any exposed services cautiously during further probing. [Elektroda, divadiow, post #21639312]

Can I revert to stock firmware after flashing OpenW800?

Treat flashing as a one‑way trip for now. The author can read flash, but restoring images has not worked. Even clean reads showed a CRC mismatch at the end. Keep a backup, but do not rely on it for recovery until a proven write‑back method exists. [Elektroda, divadiow, post #21639312]

Is TW‑803 related to ThingsTurn W600 modules (TW‑02/03)?

The TW‑* naming looks similar. The author only found a ThingsTurn logo on a Taobao listing and no official confirmation. Without vendor documentation linking the families, assume TW‑803 is independent. Avoid pin‑for‑pin assumptions from W600 modules when planning hardware mods. [Elektroda, divadiow, post #21639312]

Where can I find official pin references for W803?

See Winner Micro’s W803 Pico documentation. The page shows chip pin assignments you can use to infer UART and GPIO options during bring‑up. Cross‑check against your module since carrier boards route pins differently. Use this as a chip‑level, not module‑level, reference. “W803 Pico — Get Started”

What’s the CozyLife firmware version on this unit?

Boot logs show CozyLife SDK Version 0.6.0 and device firmware 2.1.5, both built on 2025‑03‑05. The product ID is kHFvFr, and the API domain resolves to api‑us.doiting.com. BLE and Wi‑Fi MACs are consecutive, indicating a shared OUI. These details help match firmware images or cloud endpoints. [Elektroda, divadiow, post #21639312]

Where can developers download W803 resources or SDKs mentioned?

The thread links Tuya’s public W803 zip packages (w803_0.0.1.zip and w803_0.0.2.zip). They remain downloadable at the time noted. Combine those with your dump for analysis, strings searches, and potential OTA vectors. Always verify hashes and provenance before flashing anything derived from third‑party archives. [Elektroda, divadiow, post #21639312]