Success!
Both files are the same, but I tried to flash this Magic Home device:
And it successfully booted, and I am able to establish a WiFi connection.
It is a completely different architecture (BL602: RISC-V vs LN882H: Arm), but the part related to remote control and the OTA process in CozyLife may work in the same way.
Finding a solution to remotely flash OpenBeken on this device should solve the problem with the LN882H device, I hope.
Communication with CozyLife is based on JSON.
This firmware listens on ports UDP 6065 and TCP 5555.
Command syntax:
where:
cmd - accepts values 0, 1, 2, 3, 4, 5, 9 (5 is related to OTA)
sn - timestamp, where 999999999 has a special meaning - it has a dedicated path in the code
pv - always 0
msg - placeholder for additional command parameters; I found "udp_log", "save", "factory_hard", "reset"
In response we receive a JSON object, where an additional attribute "res" represents an error number; res = 0 means success.
Example command:
response:
To start an OTA procedure I tried this command:
and got response:
and an HTTP server on port 8080 noticed a request from this device:
and OTA started, but failed; in the serial log on my device the problem is reported:
And I don't know whether it is related to the OpenBeken binary I serve for this process (it is OpenBL602_1.17.452_OTA.bin.xz.ota - maybe it is not compatible with this OTA procedure), or whether my device is not dedicated for CozyLife (it is flashed with CozyLife but originally it came with MagicHome flash).
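An added example, not part of the original posts or of any project mentioned in the thread: a small triage routine for JSON messages captured on TCP 5555 / UDP 6065, checking them against the field description given above and flagging OTA-related and reset-type commands. It assumes that cmd, sn, pv, msg and res are top-level keys of a single JSON object; the finding labels and the sample messages are constructed for illustration.

```python
import json

# Values from the post above; the message layout itself is an assumption.
KNOWN_CMDS = {0, 1, 2, 3, 4, 5, 9}
OTA_CMD = 5
SPECIAL_SN = "999999999"
MSG_KEYWORDS = ("udp_log", "save", "factory_hard", "reset")


def triage(raw):
    """Return a list of findings for one captured message (empty list = nothing notable)."""
    try:
        obj = json.loads(raw)
    except (ValueError, TypeError):
        return ["not-json"]
    if not isinstance(obj, dict):
        return ["not-an-object"]
    findings = []
    missing = [k for k in ("cmd", "sn", "pv", "msg") if k not in obj]
    if missing:
        findings.append("missing:" + ",".join(missing))
    if "cmd" in obj:
        cmd = obj["cmd"]
        if type(cmd) is not int or cmd not in KNOWN_CMDS:
            findings.append("unknown-cmd")
        elif cmd == OTA_CMD:
            findings.append("ota-related")
    if "pv" in obj and str(obj["pv"]) != "0":
        findings.append("unexpected-pv")
    if "sn" in obj and str(obj["sn"]) == SPECIAL_SN:
        findings.append("special-sn")
    # msg is treated as opaque: search its serialized form for the known keywords.
    msg_text = json.dumps(obj.get("msg"))
    findings += ["msg:" + kw for kw in MSG_KEYWORDS if kw in msg_text]
    if "res" in obj:
        ok = str(obj["res"]) == "0"
        findings.append("response-ok" if ok else "response-error:%s" % obj["res"])
    return findings


# Constructed sample messages (not captured from a real device).
SAMPLE = [
    '{"cmd": 0, "pv": 0, "sn": "1700000000", "msg": {}}',
    '{"cmd": 5, "pv": 0, "sn": "999999999", "msg": {"note": "constructed"}}',
    '{"cmd": 0, "pv": 0, "sn": "1700000001", "msg": "factory_hard"}',
    '{"cmd": 7, "pv": 1, "sn": "1700000002", "msg": {}}',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line), line)
```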
Very interesting. Is it possible to serve up an OTA update other than OpenBeken's? Cut the code out of a full dump and offer that as a _OTA.bin.xz.ota?
Added after 2 [minutes]:
We could do with an old CozyLife BL602 device factory dump that we know has an update available to it so we can watch where the device pulls the update from. I've never had a BL602 device that's had an update available in the official app though.
Hello, I have a question: would it be possible to flash Sonoff bulbs without soldering? Apparently in apple eWelink there is a check for updates for them... I'm writing about the ones in this video -> https://www.youtube.com/watch?v=f5l7eNOuAZM there is a BL602 there too. If someone will check what and when to send, then I can help in app development -> https://github.com/kruzer/mhflasher
And wherever you're hosting the binary to upload is accessible by the device, and the file downloads from your host if you enter the full address in a standard browser?
I hope I don't need to physically reach the modules and find the glitch of the OTA procedure on this particular module. Might it be that the AT string is not right for the current ZENGGE firmware?
I appear to only have 3 Magic Home BL602 firmwares to play with.
AK001-ZJ21411 - 35_162_20220801_ZG-BL-BP101 does not respond to the mhflasher exploit and is also giving me +ok=up_ErrType\r with whatever AT command I try to send it.
Watching the UART logs from the device as the commands are sent gives *system:ota fail responses.
Devices AK001-ZJ21410 and AK001-ZJ21419 do exploit OK.
This is the point at which mhflasher uploaded to AK001-ZJ21419 and began flashing:
None of this helps you with your devices though. Maybe @alwas can comment.
Maybe Zengge patched the firmware.
I'll put AK001-ZJ21411 through mitmrouter/certmitm/wireshark to see if anything interesting shows.
Added after 8 [minutes]:
Looks like the Magic Home app reaches out to here to look for updates when you open the paired device and check device info
Hello, I have updated my RGBW controller via the WiFi app from the first post and everything was working until I tried to connect the controller to my home WiFi, but without success. Now I can't see the AP from the controller and I can't connect to my home WiFi either, so I can't reach it... I have tried to cycle power 5 times to reset it to AP mode but no luck. Is there another way to put it back into AP mode?
I am curious if this method still works? I tried it on a device; I get a =ok response when I attempt to upload the file, and the light goes red and nothing happens until I do a reset on the device.
I think it might depend on the firmware version on the device. I've definitely gone through all the BL602 Zengge firmwares I could find once to check. I'm sure at least one wouldn't OTA.
And running "AT+UPURL=http://10.10.123.4:1111/update?version=[anything]" returns:
+ok=+ok=up_ErrType
Guess I could try a pcap and attempt a spoof; however, as I'm only doing 3, it'll probably be quicker to grab my soldering iron and get it flashed the manual way.
The discussion focuses on flashing the Magic Home devices equipped with the BL602 chip over WiFi without soldering, utilizing the OpenBeken firmware. The process involves resetting the device, downloading the appropriate firmware, and setting up an HTTP server to facilitate the OTA update. Key steps include using specific AT commands to initiate the firmware download and addressing issues related to different firmware versions and device compatibility. Users share experiences with various devices, including CozyLife and Ewelink, and explore methods for restoring factory firmware and troubleshooting connection problems. The conversation highlights the importance of understanding the firmware architecture and communication protocols for successful flashing. Summary generated by the language model.