Czy wolisz polską wersję strony elektroda?
Nie, dziękuję Przekieruj mnie tambl602 tuya backup
bflb-mcu-tool / blflash over a 3.3 V USB-to-UART adapter, starting at address 0x0000 for the length of the flash (typically 0x100000 for 1 MiB, 0x200000 for 2 MiB, 0x400000 for 4 MiB). Key points
• Identify TX, RX, GND, VDD and BOOT (IO8) pins on the Tuya module (WB2L, WB3L, TYWE2L, etc.).
• Hold BOOT high, reset the module, connect at 2 000 000 baud (fall back to 115 200 baud if unstable).
• In DevCube: IOT tab ➜ “Read Flash” 0x0–flash_size; in CLI:
bflb-mcu-tool --chipname bl602 --port COMx --baudrate 2000000 --firmware read --addr 0 --len 0x200000 --file backup.bin
• Verify checksum, duplicate the file, and store it offline.
System architecture
• BL602 integrates a RISC-V core; firmware actually lives in external QSPI flash (SOIC-8 part close to the SoC).
• The on-chip mask-ROM boot-loader always allows UART download unless it has been fuse-locked (rare on Tuya SKUs).
Boot-mode strapping
• GPIO8 high → UART download (boot-loader)
• GPIO8 low → normal XIP boot from flash
• Pull BOOT high with a 10 kΩ resistor or by holding the module’s “BOOT” key (if present) during power-up/reset.
UART mapping in common Tuya modules
(Always verify with the module’s datasheet/silk screen; Tuya frequently remaps pins.)
| Module | UART-TX | UART-RX | Notes |
|---|---|---|---|
| WB2L | GPIO16 | GPIO7 | 26-pin stamp module |
| WB3L | GPIO14 | GPIO15 | BL602 ref. mapping |
| TYWE2L | GPIO14 | GPIO15 | Early BL602 dev-boards |
Software options
a. Bouffalo Lab DevCube (GUI, Windows/Linux) – easiest for occasional use.
b. bflb-mcu-tool / bflb-iot-tool (Python) – cross-platform command line, scriptable.
c. blflash (Rust, open-source, 2023) – maintained by community, integrates with blflash-loader for RISC-V debugging.
d. OpenOCD-JTAG – possible if the module exposes SWD/JTAG pads; not needed for plain backup.
Flash organisation (Tuya shipping layout, 2 MiB device)
| Address | Size | Partition | Relevance |
|---|---|---|---|
| 0x0000 | 0x2000 | Boot2 | BL’s 2nd-stage loader |
| 0x2000 | 0x1000 | PT (JSON) | Holds partition table |
| 0x3000 | 0xD000 | RF-cal | Wi-Fi/BLE trim data |
| 0x10000 | … | app |
Tuya application |
| 0x1Fxxxx | 4 kB | Key/Certs | UUID, product key |
➜ All areas must be preserved; losing RF-cal or keys bricks cloud connectivity.
Electrical precautions
• Voltage: strict 3.3 V (BL602 is not 5 V tolerant).
• Current: do not power the whole device through the UART adapter if it also drives LEDs/relays—supply 3.3 V externally.
• ESD protection and short 30 AWG wires recommended.
Verification strategy
• Compare file length with expected flash size.
• Run sha256sum and store checksum in a text log.
• Spot-check the bin in a hex editor for non-0xFF data and readable ASCII (e.g. “tuya-wifi”).
• DevCube 2.0.4 (2024-Q1) added automatic flash-size detection and CRC verification.
• Community tool blflash v1.1 (May 2024) supports batch-dumping multiple modules and integrates with Sigrok logic-analyser traces for failure analysis.
• Some Tuya SKUs manufactured after late-2023 enable flash-encryption (AES-CTR) and/or read-protection eFuses; backup still produces a file but it is not useful on another device.
• Open-source alternatives such as OpenBeken (OpenBK7231T_App) are being ported to BL602; hence clean factory dumps become more relevant for warranty reverts.
• Why BOOT is pulled HIGH (not LOW): unlike ESP32, BL602 uses STRAP[0] logic 1 to enter the “download image from UART” branch.
• Baud rate: mask-ROM supports up to 2 M bps; signal integrity on bread-boarded wires above 30 cm often fails—drop to 921 600 or 115 200 bps if necessary.
• Flash sizes: W25Q80 (1 MB), W25Q16 (2 MB), P25Q32 (4 MB). The identifier is printed on the chip; 80/16/32 represent megabits.
• The Tuya firmware is proprietary; backing it up for personal recovery is usually permissible under “fair use” in many jurisdictions but redistribution is not.
• Device credentials (UUID, local keys, Wi-Fi SSID/password) are stored in clear-text—handle backups as personal-data under GDPR/CCPA.
• If the product bears a certification (UL, CE Radio), re-flashing non-certified firmware may void compliance.
Restoration (if needed): same wiring, BOOT high, DevCube “Single Download”, choose backup.bin, start = 0x0, click “Create & Download”.
Common pitfalls & fixes
• Handshake failed → swap TX/RX, check GND.
• Read full of FFh → flash not detected; lower baud; ensure BOOT held high before reset.
• DevCube crashes on Linux Wayland → run via QT_QPA_PLATFORM=xcb ./BLDevCube.
• If eFuse SEC_CFG1[0] (RDP) is programmed, DevCube will read 0 xFF. There is no way to bypass without chip-decap.
• Some very small Tuya sensors use BL606P (internal flash); the procedure is similar but chipname changes and flash size ≤ 512 kB.
• Clones of CH340 with bad crystal may drop bytes at high speed—use genuine parts.
• Reverse-engineering Tuya partition layout to extract only calibration and credentials, enabling clean open-source firmware flashes.
• Investigate OpenOCD with RISC-V JTAG → gdb-stub for real-time debug of Tuya application.
• Explore secure element integration; BL702/BL616 successors add TrustZone-M.
• Track Bouffalo’s upcoming BL628 (Wi-Fi 6) – backup workflow should remain identical but encryption defaults may change.
Backing up a Tuya device based on the BL602 involves:
Follow correct voltage levels, respect legal limitations, and keep the backup secure; this procedure guarantees you can always return the device to its original Tuya firmware after experimentation or custom firmware flashes.