
[BL602] How to flash Magic Home over WiFi without soldering

alwas 20787 90
  • #61 21507933
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    >>21507396

    as in your pin assignments in the config page aren't saving?
  • #62 21585608
    kellerto
    Level 5  
    Posts: 11
    >>21418610 Any luck with 33_227_20231220_ZG-BL?
  • #63 21585743
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    we could do with a backup of a 33_227_20231220_ZG-BL device firmware for the collection and to test mhflasher
  • #64 21585983
    kellerto
    Level 5  
    Posts: 11
    >>21585743 thank you for help. I was able to read (dump) the original Flash firmware. I was also able to run AT+LVER\r with packetsender app in order to find the version: 33_227_20231220_ZG-BL\r
    I'm trying to flash MagicHome RGB controller without success. Tried by soldering approach accepts which seems to work but no AP appears (even after 5 power cycles) also firmware installation via OTA by using AT+UPURL and PowerShell HTTP listener on Port.1111

    Here the original flash bin
    Attachments:
    • flashBackup2.bin (2 MB) You must be logged in to download this attachment.
    • flash.bin (2 MB) You must be logged in to download this attachment.
  • #65 21586017
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    AP may not work if you power device from USB to UART converter. You need a good 3.3V power supply that can provide enough current.

    You can just watch UART log output via UART to see if it crashes.
  • #66 21586037
    kellerto
    Level 5  
    Posts: 11
    Unfortunately problem exists even when I power up via regular DC 5….28V input socket (I used 12VDC)
  • #67 21586041
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    Ok, so what is the debug log output?
  • #69 21586062
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    Why would you want it to be full size? We only overwrite main application, there is no need to overwrite full flash. I will say even more - we need to do this that way, otherwise we would:
    - overwrite RF partition and lose calibration (get worse WiFi quality, known problem on Beken)
    - overwrite MAC address and get MAC collisions (on some platforms)
    - overwrite Tuya GPIO Config (which we can extract on Beken and use to configure device)
    - overwrite your OBK config (only if you reflash)
    So, we obviously provide only app section, not full flash, just like Tasmota does.
  • #70 21586076
    kellerto
    Level 5  
    Posts: 11
    Makes sense, thank you for clearing this thought.
  • #71 21586087
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    If you think that you may have misconfigured your device and want to "refresh" it, then the recommended method is to rewrite full 2MB factory flash (assuming you have taken it), and then flash our firmware again.

    Still, I'm saying that just for other readers, because in your case I am not sure if that's the problem... maybe something else is incorrect, let us know when you manage to take the debug log.

    Btw, did you make sure to disconnect BOOT pin before trying?
  • #72 21586110
    kellerto
    Level 5  
    Posts: 11
    …was thinking the same. First instal the original backup, which I pulled at the beginning. Then instal the newest OpenBL602.bin
    Which is exactly what I did at the beginning of this journey. :-)
    And get us the debug log. Hope debug log is possible with bouffalolab flasher.
  • #73 21586120
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    Any UART client can set debug log as long as you set valid baud rate
  • #74 21586157
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    for the record your backup does work and here is the debug log from that. 2000000 baud
    Code: Text
    Log in, to see the code


    mhflasher OTA method fails, as you know. this is log for when pushing 'flash' button in mhflasher app
    Code: Text
    Log in, to see the code
  • #75 21586228
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    @divadiow can you try with older OBK binary? The one before we introduced size check with @insmod ?
  • #76 21586235
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    Size check only matters when OTA is performed from OBK, not to it.

    Offtopic: did xr809 ota ever work? I get rtos scheduler shutting down when erasing, and if erase is skipped - when writing first payload. In that case it is either scheduler or hard fault.
    Curiously, if flash debugging is enabled it goes a little further, but will still hang or crash.
  • #77 21586245
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    insmod wrote:
    did xr809 ota ever work?

    previous chats about it here https://www.elektroda.com/rtvforum/topic4055254.html#21131093

    Added after 10 [minutes]:

    p.kaczmarek2 wrote:
    can you try with older OBK binary?


    I have burnt user's backup and then flashed 1.18.100 as per:
    [BL602] How to flash Magic Home over WiFi without soldering
    4mb board. OpenBL AP broadcasts as expected. Not sure what that proves though because even with an entirely blank flash (erase whole chip- read back 4mb from 0x0 - all FF) BLDevCube seems to add/erase/carve all the needed bits up to make working flash

    Code: Text
    Log in, to see the code


    eg
    Code: Text
    Log in, to see the code
  • #78 21586308
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    insmod wrote:

    did xr809 ota ever work?.

    XR809 OTA never worked for me. XR809 was the first IoT device I flashed (except ESP), then I flashed BK and backported XR809 support to OpenBK (that was the first non-BK platform supported).
    I remember I was doing some debugging with printfs in XR809 OTA SDK code but failed to find anything, however, I know I was using the same binary I use for UART, which was most likely incorrect.
    https://github.com/openshwprojects/OpenXR809/commit/3c964113f1be89f749e4619483590bf5e2842a6a
    Recently we've looked into those XR872 cameras with @divadiow and I seemed to see more OTA code there, maybe OTA file generation.

    @insmod how far have you managed with that, do you know how to build flash OTA file for XR?
  • #79 21586374
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21586308
    From what I understood in the SDK code, the same binary that is used for UART is used for OTA.
    And it probably works like two partition scheme on ESP.
    I did some debugging, and it stops RTOS scheduler and disables XIP on flash opening. That is probably the problem, and I don't know how to solve it. And I'm not sure if it would affect LFS and EF.


    Currently I separated pins for all XRs, added easyflash, LFS, and started using heap_4, not heap_stdlib.
    Coded pwm, but it's not working yet. Also coded ADC, but can't test it for now.
    Decided against updating freertos and lwip, binary size is already too much.
    Will see if i manage to successfully enable compression, like tuya uses by default.
  • #80 21586388
    kellerto
    Level 5  
    Posts: 11
    …was thinking the same. First instal the original backup, which I pulled at the beginning. Then instal the newest OpenBL602.bin
    Which is exactly what I did at the beginning of this journey. :-)
    And get us the debug log. Hope debug log is possible with bouffalolab flasher.
  • #81 21586431
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    Nice, which XR do you have, @insmod ? The first thing I would try to do for Xr809/XR806 is enabling the UART flashing method without pulling two pins down... it seems that XR872 has this possible via AT command (UPGRADE). Maybe we could also strip other AT commands to get more space.
  • #82 21586469
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21586431
    I have XR809 and testing everything there.
    I also have XR872 doorbell with 4MB flash. But there are almost no pins wired out. Tried to find UART port, but no luck.
    Got PWM and ADC working.
    Binary size is already past 1024K limit, had to change it to 1056K. Currently at 1044 kb.

    UART for XR809 is easy, there is one pin combination for UART0, and one for UART1.
    But for XR806, one for UART0, 3 for UART1 and 3 for UART2.
  • #84 21586480
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21586478
    Didn't try it. But on W600 gcc-8 increased size by 3kb.
    I will later try to use gcc-10.3
  • #85 21586571
    kellerto
    Level 5  
    Posts: 11
    >>21586157
    I can confirm, original backup worked. It also opens an AP as soon as power supply is applied.
    
    
    [17:49:11.452] -  
    sysTick:90127
    7C3E82C16F17
    10.10.123.3
    fh:62544
    st1:21 st2:0 st3:0
    life:%100
    repT:0s
    pwr:0
    wanT:0 lanT:0
    ping:0 (0) 9999
    rssi:-9999 (0) 9999
    


    Test2: Installed OpenBL602_1.18.123.bin by using Single Download option
    [BL602] How to flash Magic Home over WiFi without soldering
    UART Log after disconnected boot resistor connecting to 12V source. No UART Logging received
    [17:56:47.813] - serial type is general
    [17:56:50.190] - Open COM5 Success


    Test3: Installed OpenBL602_1.18.123.bin by using Firmware options
    Note: As you mentioned this kind of installation messes with chip and wifi config. Just did it to compare with Test 1 and 2.
    And please note, the IP address listed in the logfile is not mine and not related to my network. Not sure where this setting is coming from. Looks like it is built into one of the other 3 firmware options (files)?
    .

    [BL602] How to flash Magic Home over WiFi without soldering
    [19:49:31.413] - Starting bl602 now....
    Booting BL602 Chip...
    ██████╗ ██╗      ██████╗  ██████╗ ██████╗
    ██╔══██╗██║     ██╔════╝ ██╔═████╗╚════██╗
    ██████╔╝██║     ███████╗
    [19:49:31.413] -  ██║██╔██║ █████╔╝
    ██╔══██╗██║     ██╔═══██╗████╔╝██║██╔═══╝
    ██████╔╝███████╗╚██████╔╝╚██████╔╝███████╗
    ╚═════╝ ╚══════╝ ╚═════╝  ╚═════╝ ╚══════╝
    ------------------------------------------------------------
    RISC-V Core Feature:RV32-ACFIMX
    Build Version: release_bl_iot_sdk_1.6.39-238-gf5ba0a7ee
    Build Date: Jun 21 2025
    Build Time: 05:56:26
    ------------------------------------------------------------
    blog init set power on level 2, 2, 2.
    [IRQ] Clearing and Disable all the pending IRQ...
    [         0][INFO: hal_boot2.c: 282] [HAL] [BOOT2] Active Partition[0] consumed 596 Bytes
    [         0][INFO: hal_boot2.c:  82] ======= PtTable_Config @0x4200f250=======
    [         0][INFO: hal_boot2.c:  83] magicCode 0x54504642; version 0x0000; entryCnt 7; age 0; crc32 0x12DF9A26
    [         0][INFO: hal_boot2.c:  89] idx  type device activeIndex     name   Address[0]  Address[1]  Length[0]   Length[1]   age
    [         0][INFO: hal_boot2.c:  91] [00]  00     0         0            FW  0x00010000  0x000e8000  0x000d8000  0x00088000  0
    [         0][INFO: hal_boot2.c:  91] [01]  02     0         0           mfg  0x00170000  0x00000000  0x00032000  0x00000000  0
    [         0][INFO: hal_boot2.c:  91] [02]  03     0         0         media  0x001a2000  0x00000000  0x00047000  0x00000000  0
    [         0][INFO: hal_boot2.c:  91] [03]  04     0         0           PSM  0x001e9000  0x00000000  0x00008000  0x00000000  0
    [         0][INFO: hal_boot2.c:  91] [04]  05     0         0           KEY  0x001f1000  0x00000000  0x00002000  0x00000000  0
    [         0][INFO: hal_boot2.c:  91] [05]  06     0         0          DATA  0x001f3000  0x00000000  0x00005000  0x00000000  0
    [         0][INFO: hal_boot2.c:  91] [06]  07     0         0       factory  0x001f8000  0x00000000  0x00007000  0x00000000  0
    [         0][INFO: bl_flash.c: 391] ======= FlashCfg magiccode @0x42049c18=======
    [         0][INFO: bl_flash.c: 392] mid       0x5E
    [         0][INFO: bl_flash.c: 393] clkDelay    0x1
    [         0][INFO: bl_flash.c: 394] clkInvert    0x1
    [         0][INFO: bl_flash.c: 395] sector size   4KBytes
    [         0][INFO: bl_flash.c: 396] page size   256Bytes
    [         0][INFO: bl_flash.c: 397] ---------------------------------------------------------------
    [         0][INFO: hal_board.c:1249] [MAIN] [BOARD] [FLASH] addr from partition is 001f8000, ret is 0
    [         0][INFO: hal_board.c:1257] [MAIN] [BOARD] [XIP] addr from partition is 231e7000, ret is 0
    [         0][INFO: hal_board.c: 208] MAC address mode length 3
    [         0][INFO: hal_board.c: 212] MAC address mode is MBF
    Read slot:0
    [         0][INFO: hal_board.c: 187] Set MAC addrress 7C:3E:82:C1:6F:17
    [         0][INFO: hal_board.c: 955] country_code : 86
    [         0][INFO: hal_board.c: 342] xtal_mode is MF
    Read slot:0
    [         0][INFO: hal_board.c: 374] get xtal from M ready 31 31 1 60 60
    [         0][INFO: hal_board.c: 846] pwr_table_11b :20 20 20 18
    [         0][INFO: hal_board.c: 860] pwr_table_11g :18 18 18 18 18 18 14 14
    [         0][INFO: hal_board.c: 878] pwr_table_11n :18 18 18 18 18 16 14 14
    No written slot found
    [         0][BUF: hal_board.c: 606]   0   0   0   0   0   0   0   0   0   0   0   0   0   0
    [         0][INFO: hal_board.c: 902] set pwr_table_ble = 13 in dts
    [         0][INFO: hal_board.c: 687] ap_ssid string[0] = bl_test_005, ap_ssid_len = 11
    [
    [19:49:31.429] -     0][INFO: hal_board.c: 698] ap_psk string[0] = 12345678, ap_psk_len = 8
    [         0][INFO: hal_board.c: 707] ap_channel
    [19:49:31.429] - = 11
    [         0][INFO: hal_board.c: 635] [STA] ap_ssid string[0] = yourssid, ap_ssid_len = 8
    [         0][INFO: hal_board.c: 646] [STA] ap_psk string[0] = yourapssword, ap_psk_len = 12
    [         0][INFO: hal_board.c: 654] auto_connect_enable = 0
    [         0][INFO: hal_board.c: 749] Troom_os = -1, lentmp = 4
    [         0][INFO: hal_board.c: 758] linear_or_follow = 1, lentmp = 4
    [         0][INFO: hal_board.c: 767] Tchannels:2412,2427,2442,2457,2472,
    [         0][INFO: hal_board.c: 781] Tchannel_os:180,168,163,160,157,
    [         0][INFO: hal_board.c: 795] Tchannel_os_low:199,186,170,165,160,
    [         0][INFO: hal_board.c: 808] en_tcal = 0, lentmp = 4
    [OS] Starting aos_loop_proc task...
    [OS] Starting OS Scheduler...
    [MTD] >>>>>> Hanlde info Dump >>>>>>
    name PSM
    id 0
    offset 0x001e9000(2002944)
    size 0x00008000(32Kbytes)
    xip_addr 0x231d8000
    [MTD] <<<<<< Hanlde info End <<<<<<
    [EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
    ENV AREA SIZE 32768, SECTOR NUM 8
    *default_env_size = 0x00000001
    ENV start address is 0x00000000, size is 32768 bytes.
    [19:49:31.476] - EasyFlash V4.0.99 is initialize success.
    You can get the latest version on https://github.com/armink/EasyFlash .
    [MTD] >>>>>> Hanlde info Dump >>>>>>
    name media
    id 0
    offset 0x001a200
    [19:49:31.476] - 0(1712128)
    size 0x00047000(284Kbytes)
    xip_addr 0x23191000
    [MTD] <<<<<< Hanlde info End <<<<<<
    [        38][ERROR : bl_romfs.c: 158] romfs magic is NOT correct
    [        39][INFO  : hosal_adc.c: 459] offset = 2132
    [        39][INFO  : hosal_adc.c: 233] ADC freq: 284Hz. div:6
    [OS] Starting proc_mian_entry task...
    [OS] Starting TCP/IP Stack...
    -------------------->>>>>>>> LWIP tcp_port 58301
    [MTD] >>>>>> Hanlde info Dump >>>>>>
    name PSM
    id 0
    offset 0x001e9000(2002944)
    size 0x00008000(32Kbytes)
    xip_addr 0x231d8000
    [MTD] <<<<<< Hanlde info End <<<<<<
    [EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
    ENV AREA SIZE 32768, SECTOR NUM 8
    *default_env_size = 0x00000001
    EasyFlash V4.0.99 is initialize success.
    You can get the latest version on https://github.com/armink/EasyFlash .
    Start Wi-Fi fw @95ms
    [19:49:31.554] - 1th channel,lo_vco_freq_cw=154
    2th channel,lo_vco_freq_cw=153
    3th channel,lo_vco_freq_cw=152
    4th channel,lo_vco_freq_cw=151
    5th channel,lo_vco_freq_cw=149
    6th channel,lo_vco_freq_cw=148
    7th channel,lo_vco
    [19:49:31.554] - _freq_cw=147
    8th channel,lo_vco_freq_cw=145
    9th channel,lo_vco_freq_cw=144
    10th channel,lo_vco_freq_cw=143
    11th channel,lo_vco_freq_cw=141
    12th channel,lo_vco_freq_cw=140
    13th channel,lo_vco_freq_cw=139
    14th channel,lo_vco_freq_cw=138
    15th channel,lo_vco_freq_cw=136
    16th channel,lo_vco_freq_cw=135
    17th channel,lo_vco_freq_cw=134
    18th channel,lo_vco_freq_cw=133
    19th channel,lo_vco_freq_cw=132
    20th channel,lo_vco_freq_cw=130
    21th channel,lo_vco_freq_cw=129
    0th channel,vco_idac_cw=7
    1th channel,vco_idac_cw=6
    2th channel,vco_idac_cw=6
    3th channel,vco_idac_cw=6
    4th channel,vco_idac_cw=6
    5th channel,vco_idac_cw=6
    6th channel,vco_idac_cw=6
    7th channel,vco_idac_cw=6
    8th channel,vco_idac_cw=6
    9th channel,vco_idac_cw=6
    10th channel,vco_idac_cw=5
    11th channel,vco_idac_cw=5
    12th channel,vco_idac_cw=5
    13th channel,vco_idac_cw=5
    14th channel,vco_idac_cw=5
    15th channel,vco_idac_cw=6
    16th channel,vco_idac_cw=5
    17th channel,vco_idac_cw=5
    18th channel,vco_idac_cw=5
    19th channel,vco_idac_cw=5
    20th channel,vco_idac_cw=5
    LO locked 9 144
    rosdac_i_gc3=27
    rosdac_i_gc2=27
    rosdac_i_gc1=27
    rosdac_i_gc0=27
    rosdac_q_gc3=33
    rosdac_q_gc2=33
    rosdac_q_gc1=33
    rosdac_q_gc0=33
    rbb_cap1_fc_i=30,rbb_cap2_fc_i=30,rbb_cap1_fc_q=30,rbb_cap2_fc_q=30
    new rbb_cap1_fc_i=54,rbb_cap2_fc_i=54,rbb_cap1_fc_q=54,rbb_cap2_fc_q=54
    LO locked 9 144
    amp=128,step=32,adc_mean_i=85
    amp=160,step=16,adc_mean_i=111
    tmx_cs=0, tmxcs_pwr_avg=50712, tmxcs_pwr_avg>>10=49
    tmx_cs=1, tmxcs_pwr_avg=57332, tmxcs_pwr_avg>>10=55
    tmx_cs=2, tmxcs_pwr_avg=66924, tmxcs_pwr_avg>>10=65
    tmx_cs=3, tmxcs_pwr_avg=81456, tmxcs_pwr_avg>>10=79
    tmx_cs=4, tmxcs_pwr_avg=98581, tmxcs_pwr_avg>>10=96
    tmx_cs=5, tmxcs_pwr_avg=112166, tmxcs_pwr_avg>>10=109
    tmx_cs=6, tmxcs_pwr_avg=110187, tmxcs_pwr_avg>>10=107
    tmx_cs=7, tmxcs_pwr_avg=95296, tmxcs_pwr_avg>>10=93
    tmx_cs_max=5, tmxcs_pwr_max=112166, tmxcs_pwr_max>>10=109
    amp=256,step=64,adc_mean_i=112
    amp=320,step=32,adc_mean_i=228
    tosdac_i=30,tosdac_q=44,tx_iq_gain_comp=1054,tx_iq_phase_comp=1
    tosdac_i=28,tosdac_q=42,tx_iq_gain_comp=1042,tx_iq_phase_comp=5
    tosdac_i=28,tosdac_q=44,tx_iq_gain_comp=1029,tx_iq_phase_comp=4
    tosdac_i=31,tosdac_q=47,tx_iq_gain_comp=1040,tx_iq_phase_comp=2
    tosdac_i=31,tosdac_q=47,tx_iq_gain_comp=1040,tx_iq_phase_comp=7
    tosdac_i=29,tosdac_q=47,tx_iq_gain_comp=1032,tx_iq_phase_comp=2
    tosdac_i=27,tosdac_q=48,tx_iq_gain_comp=1040,tx_iq_phase_comp=0
    tosdac_i=27,tosdac_q=46,tx_iq_gain_comp=1042,tx_iq_phase_comp=-3
    [WF] [KEY] [CFG] nVAP is 2, endidx 12, startidx 8
    td_init
    td_reset idx=0
    td_reset idx=1
    Start Wi-Fi fw is Done @169ms
    [APP] [EVT] INIT DONE 118
    [BL] Initi Wi-Fi with MAC #### 7C:3E:82:C1:6F:17 ####
    hostname: OpenBL602_82c16f17
    [WF] country code CN used, num of channel 13
    -----------------------------------------------------
    [IPC] [TX] Low level size 204, driver size 100, total size 304
    Enable BMX IRQ
    [WF] [KEY] [CFG] nVAP is 2, endidx 12, startidx 8
    td_init
    td_reset idx=0
    td_reset idx=1
    [version] lmac 5.4.0.0
    [version] version_machw_1 000055FB
    [version] version_machw_2 000001B3
    [version] version_phy_1 00822111
    [version] version_phy_2 00000000
    [version] features 001089DF
    [ME] HT supp 1, VHT supp 0
    [WF][SM] reload tsen
    [WF][SM] Exiting ifaceDown state
    [WF][SM] State Action ###ifaceDown### --->>> ###idle###
    [WF][SM] Entering idle state
    [APP] [EVT] MGMR DONE 130, now 182ms
    [19:49:32.017] - Entering initLog()...
    Commands registered!
    initLog() done!
    [MTD] >>>>>> Hanlde info Dump >>>>>>
    na
    [19:49:32.017] - me PSM
    id 0
    offset 0x001e9000(2002944)
    size 0x00008000(32Kbytes)
    xip_addr 0x231d8000
    [MTD] <<<<<< Hanlde info End <<<<<<
    [EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
    ENV AREA SIZE 32768, SECTOR NUM 8
    *default_env_size = 0x00000001
    EasyFlash V4.0.99 is initialize success.
    You can get the latest version on https://github.com/armink/EasyFlash .
    [19:49:32.050] - [       651][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8
    [19:49:32.150] - [MTD] >>>>>> Hanlde info Dump >>>>>>
    name media
    id 0
    offset 0x001a2000(1712128)
    size 0x00047000(284Kbytes)
    xip_ad
    [19:49:32.167] - dr 0x23191000
    [MTD] <<<<<< Hanlde info End <<<<<<
    Main_Init_Before_Delay done
    Main_Init_Delay
    Main_Init_Delay done
    Info:MAIN:Main_Init_Before_Delay
    Warn:CFG:CFG_InitAndLoad: Correct config has been loaded with 2 changes count.
    Error:CMD:lfs is absent
    Info:GEN:PIN_SetupPins pins have been set up.
    Info:MAIN:Main_Init_Before_Delay done
    Info:MAIN:Main_Init_Delay
    Info:MAIN:Main_Init_Delay done
    Info:MAIN:Main_Init_After_Delay
    Info:MAIN:Using SSID []
    Info:MAIN:Using Pass []
    Error:HTTP:Created HTTP SV thread with (stack=2048)
    Info:MQTT:MQTT_RegisterCallback called for bT obl82C16F17/ subT obl82C16F17/+/set
    Info:MQTT:MQTT_RegisterCallback called for bT bl602s/ subT bl602s/+/set
    Info:MQTT:MQTT_RegisterCallback called for bT cmnd/obl82C16F17/ subT cmnd/obl82C16F17/+
    Info:MQTT:MQTT_RegisterCallback called for bT cmnd/bl602s/ subT cmnd/bl602s/+
    Info:MQTT:MQTT_RegisterCallback called for bT obl82C16F17/ subT obl82C16F17/+/get
    Info:CMD:CMD_StartScript: started @startup at the beginning
    Error:CMD:LFS_ReadFile: lfs is absent
    Info:CMD:CMD_StartScript: failed to get file autoexec.bat
    Info:MAIN:Main_Init_After_Delay done
    [19:49:33.051] - Info:MAIN:Time 1, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:34.005] - Info:MAIN:Time 2, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:34.975] - Info:MAIN:Time 3, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:35.928] - Info:MAIN:Time 4, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing
    [19:49:35.928] -  -1, socks 2/21
    [19:49:36.900] - [lwip] netif status callback
    IP: 192.168.11.1
    MK: 255.255.255.0
    GW: 0.0.0.0
    [WF] MM_ADD_IF_REQ Sending: AP
    td_start idx=0
    [W
    [19:49:36.900] - F] MM_ADD_IF_REQ Done
    [WF] vif_index from LAMC is 0
    [lwip] netif status callback
    IP: 192.168.169.1
    MK: 255.255.255.0
    GW: 0.0.0.0
    [DHCP] ip_start: [192.168.169.2]
    [DHCP] ip_start: [192.168.169.254]
    [WF][SM] start AP with ssid OpenBL602_82C16F17;
    [WF][SM]               pwd  ;
    [WF][SM]               channel  1;
    [WF] APM_START_REQ Sending with vif_index 0
    [WF] received APM Start apm_start_req_handler:74
    [WF] return with other handler
    [WF] APM_START_REQ Done
    [WF] status is 00
    [WF] vif_idx is 00
    [WF] ch_idx is 00
    [WF] bcmc_idx is 05
    [WF][SM] stateGlobalGuard_AP: AP iface has started!
    Info:MAIN:Time 5, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [APP] [EVT] Unknown code 11, 5706
    [19:49:37.878] - [      6710][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8
    Info:MAIN:Time 6, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    Info:MAIN:Boot complete time reached (5 seconds)
    [19:49:38.816] - In
    [19:49:38.832] - fo:MAIN:Time 7, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:39.801] - Info:MAIN:Time 8, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:40.754] - Info:MAIN:Time 9, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:41.722] - Info:MAIN:Time 10, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:42.682] - Info:MAIN:Time 11, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    [19:49:43.096] - Close COM5 Success


    Any hint or suggestions? Maybe the OpenBL602_1.18.123.bin is corrupt?
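Added example, not part of the thread and not OpenBeken or Bouffalo Lab code: a Python check for the "flash only the app section" advice in #69, fed with the partition table that `hal_boot2.c` prints in the UART log above. The function names are hypothetical, and treating every non-FW partition as "must not be overwritten" is an assumption of this example.

```python
import re
from typing import NamedTuple

# Constructed sample: only the partition-table lines of the UART log quoted in
# the thread (hal_boot2.c output), without the terminal's timestamp prefixes.
SAMPLE_LOG = """\
[         0][INFO: hal_boot2.c:  83] magicCode 0x54504642; version 0x0000; entryCnt 7; age 0; crc32 0x12DF9A26
[         0][INFO: hal_boot2.c:  91] [00]  00     0         0            FW  0x00010000  0x000e8000  0x000d8000  0x00088000  0
[         0][INFO: hal_boot2.c:  91] [01]  02     0         0           mfg  0x00170000  0x00000000  0x00032000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [02]  03     0         0         media  0x001a2000  0x00000000  0x00047000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [03]  04     0         0           PSM  0x001e9000  0x00000000  0x00008000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [04]  05     0         0           KEY  0x001f1000  0x00000000  0x00002000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [05]  06     0         0          DATA  0x001f3000  0x00000000  0x00005000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [06]  07     0         0       factory  0x001f8000  0x00000000  0x00007000  0x00000000  0
"""


class Region(NamedTuple):
    name: str   # partition name, with a [slot] suffix for dual-slot entries
    start: int  # flash offset of the first byte
    end: int    # flash offset one past the last byte


# idx, type, device, activeIndex, name, Address[0], Address[1], Length[0], Length[1], age
ROW = re.compile(
    r"\[(\d{2})\]\s+\d{2}\s+\d+\s+\d+\s+(\S+)"
    r"\s+0x([0-9a-fA-F]{8})\s+0x([0-9a-fA-F]{8})"
    r"\s+0x([0-9a-fA-F]{8})\s+0x([0-9a-fA-F]{8})\s+\d+"
)
ENTRY_CNT = re.compile(r"entryCnt (\d+);")


def parse_regions(log: str) -> list:
    """Return the flash regions described by the boot2 partition table."""
    header = ENTRY_CNT.search(log)
    if header is None:
        raise ValueError("no partition table header (entryCnt) in log")
    rows = ROW.findall(log)
    # A serial terminal that breaks lines mid-row (as the timestamps in the
    # thread's log do) loses rows; refuse to judge a partial table.
    if len(rows) != int(header.group(1)):
        raise ValueError(f"expected {header.group(1)} rows, parsed {len(rows)}")
    regions = []
    for _idx, name, a0, a1, l0, l1 in rows:
        slots = [(int(a0, 16), int(l0, 16)), (int(a1, 16), int(l1, 16))]
        used = [(addr, length) for addr, length in slots if length]
        for slot, (addr, length) in enumerate(used):
            label = f"{name}[{slot}]" if len(used) > 1 else name
            regions.append(Region(label, addr, addr + length))
    return sorted(regions, key=lambda r: r.start)


def layout_problems(regions: list, flash_size: int) -> list:
    """Report overlapping regions and regions that do not fit the flash chip."""
    problems = []
    for prev, cur in zip(regions, regions[1:]):
        if cur.start < prev.end:
            problems.append(f"{prev.name} overlaps {cur.name}")
    for r in regions:
        if r.end > flash_size:
            problems.append(f"{r.name} ends at {r.end:#x}, past flash end {flash_size:#x}")
    return problems


def touched(regions: list, offset: int, size: int) -> list:
    """Names of the regions that a write of `size` bytes at `offset` intersects."""
    return [r.name for r in regions if r.start < offset + size and offset < r.end]


def clobbered(regions: list, offset: int, size: int) -> list:
    """Touched regions other than the application slots.

    Assumption of this example: everything that is not an FW slot (calibration,
    MAC, keys, saved config) should survive a firmware flash.
    """
    return [n for n in touched(regions, offset, size) if not n.startswith("FW")]


if __name__ == "__main__":
    regions = parse_regions(SAMPLE_LOG)
    for r in regions:
        print(f"{r.name:<8} {r.start:#010x}-{r.end:#010x}")
    print("layout problems on 2 MB flash:", layout_problems(regions, 2 * 1024 * 1024))
    # 700_000 bytes is a constructed image size, not a real OpenBL602 build.
    print("app-only write clobbers:", clobbered(regions, 0x10000, 700_000))
    print("full 2 MB write clobbers:", clobbered(regions, 0x0, 2 * 1024 * 1024))
```

Paste the table lines from your own UART capture into `SAMPLE_LOG` and pass the real image size and flash size to compare a planned write against the layout the device actually booted with.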
  • #86 21586581
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12433
    Your log ends at:
    
    
    [19:49:42.682] - Info:MAIN:Time 11, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
    

    What happens later? Does it continue to run?
  • #87 21586660
    kellerto
    Level 5  
    Posts: 11
    In this Test3, I was using the firmware options together with OpenBL602_1.18.123.bin firmware.
    log continues like this.
    Since the IP address is not mine it will not reach my mqtt server nor my network.
    It also does not open an AP access point.
    I kept sweeping wifi but no AP like with original firmware ☹️
    19:49:36.900] - F] MM_ADD_IF_REQ Done
    [WF] vif_index from LAMC is 0
    [lwip] netif status callback
    IP: 192.168.169.1
    MK: 255.255.255.0
    GW: 0.0.0.0
    [DHCP] ip_start: [192.168.169.2]
    [DHCP] ip_start: [192.168.169.254]
    [WF][SM] start AP with ssid OpenBL602_82C16F17;
  • #88 21589678
    kellerto
    Level 5  
    Posts: 11
    >>21586157 thank you for checking,
    Backup will bring the device back to original state.
    And then I installed latest OpenBL602.bin
    But then device is not starting AP anymore and UART log is silent (no log)

    I tried on a second new MagicHome controller but it behaves exactly the same.

    Can someone confirm that latest OpenBL602 bin works?
    Or even confirm that it works on a Magic Home RGB Controller?
  • Helpful post
    #89 21590554
    DeDaMrAz
    Level 22  
    Posts: 600
    Help: 34
    Rate: 127
    Latest build is working on BL602 devices, see picture.

    [BL602] How to flash Magic Home over WiFi without soldering

    Can you change the partition table .toml file and use the attached one and report back? DTS and Boot2 remain the same.
    Attachments:
    • partition_cfg_2M_FIX.rar (334 Bytes) You must be logged in to download this attachment.
  • #90 21592996
    kellerto
    Level 5  
    Posts: 11
    >>21590554
    Hi, I'm back and thank you for the partition_cfg_2M_FIX file. Just reflashed the device as suggested.
    There is still no "OpenBL602_82C12029" AP starting.
    Monitoring the log I observed some sections which caught my eyes. But not sure if this is the place to look.


    1. According to UART log, WiFi seems to start with country code "CN" --> Is this a problem?

    2. Event log says AP started and I keep scanning my WiFi but no such AP to see :-(
    [16:02:47.930] - [lwip] netif status callback
    IP: 192.168.11.1
    MK: 255.255.255.0
    GW: 0.0.0.0
    [WF] MM_ADD_IF_REQ Sending: AP
    td_start idx=0
    [WF] MM_ADD_IF_REQ Done
    [WF] vif_index from LAMC is 0
    [lwip] netif status callback
    IP: 192.168.169.1
    MK: 255.255.255.0
    GW: 0.0.0.0
    [DHCP] i
    [16:02:47.946] - p_start: [192.168.169.2]
    [DHCP] ip_start: [192.168.169.254]
    [WF][SM] start AP with ssid OpenBL602_82C12029;
    [WF][SM]               pwd  ;
    [WF][SM]               channel  1;
    [WF] APM_START_REQ Sending with vif_index 0
    [WF] received APM Start apm_start_req_handler:74
    [WF] return with other handler
    [WF] APM_START_REQ Done
    [WF] status is 00
    [WF] vif_idx is 00
    [WF] ch_idx is 00
    [WF] bcmc_idx is 05
    [WF][SM] stateGlobalGuard_AP: AP iface has started!


    3. searching logfile for lines with keyword error in it:

     
    [        41][ERROR : bl_romfs.c: 158] romfs magic is NOT correct 
    .....
    Error:CMD:lfs is absent
    .....
    Error:HTTP:Created HTTP SV thread with (stack=2048)
    .....
    Error:CMD:LFS_ReadFile: lfs is absent
    


    4. searching for warning message
    
    [16:41:54.353] - [      6763][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8
    



    Complete logfile see txt file logfile_pa...2M_FIX.txt (26.03 kB) You must be logged in to download this attachment.



    I don't want to give up, so I hope you can give me some hints to fix this.

    Additional question: Is there a way I can preset my WiFi parameters prior to flashing?
    Greetings from Black Forest

Topic summary

✨ The discussion focuses on flashing Magic Home devices equipped with the BL602 chip over WiFi without soldering, using the manufacturer's OTA mechanism redirected to a custom server. The procedure involves resetting the device to factory settings by cycling power, hosting the OpenBeken firmware OTA binary on a local HTTP server, and sending an AT command to the device to initiate the firmware download and installation. Users report success with this method on certain BL602 devices, notably Magic Home RGB controllers, using tools like netcat and PowerShell for serving the firmware and sending commands. Challenges include firmware version compatibility, with newer Zengge firmwares apparently patched against OTA flashing exploits, resulting in errors like "+ok=up_ErrType" or no response. Some devices require specific partition tables or flash size considerations (2MB vs 4MB flash). Debugging via UART logs is recommended to diagnose boot and WiFi AP startup issues. The community also explores similar flashing approaches for related chips such as LN882H, LN8825B, BK7231N, and XR809/XR872, noting differences in communication ports, protocols (JSON over UDP/TCP), and firmware architectures (RISC-V vs ARM). JSON-based command protocols on UDP/TCP ports (e.g., 5555, 6095) are used for device communication and OTA initiation in CozyLife and Ewelink devices. Some users successfully restored factory firmware dumps and then flashed OpenBeken firmware, achieving AP mode broadcasting. However, issues persist with saving settings post-flash and AP visibility. The latest OpenBL602 builds work on some devices but may require partition table adjustments. Overall, the OTA flashing method without soldering is feasible but depends heavily on device firmware version, chip variant, and correct command syntax. Physical flashing remains a fallback for patched or incompatible devices.
Generated by the language model.

FAQ

TL;DR: With 0 solder joints and "back ok" as the key success reply, this method lets Magic Home BL602 owners push an OpenBeken OTA file over the device’s own AP using UDP port 48899 and a local HTTP server. It suits users who want a faster no-solder path, but only on firmware that still accepts the vendor OTA trigger. [#21056057]

Why it matters: This gives BL602 Magic Home owners a real no-solder upgrade path, while also showing exactly where newer Zengge firmware blocks it.

| Method | Hardware access | Main transport | Typical result in thread | Recovery path |
|---|---|---|---|---|
| Magic Home OTA exploit | No | UDP 48899 + local HTTP | Works on some BL602 firmwares | Restore dump or solder later |
| mhflasher on Android | No | Automates same OTA path | Works on vulnerable devices | Same limits as OTA exploit |
| UART / BLDevCube flashing | Yes | Serial flashing | Most reliable overall | Full dump restore possible |
| Factory dump restore | Yes | Serial flashing | Confirmed working on 2 MB dumps | Returns device to stock |

Key insight: The no-solder path is real, but it is firmware-dependent. Older Magic Home BL602 builds can fetch and install an OTA image from your own server, while newer builds such as 33_227_20231220_ZG-BL return OTA errors and appear patched. [#21418610]

Quick Facts

  • Magic Home BL602 AP mode in the thread uses device IP 10.10.123.3, client IP 10.10.123.4, and listens for AT commands on UDP port 48899. [#21056057]
  • The Linux example serves the OTA file on HTTP port 1111, then triggers download with AT+UPURL=http://10.10.123.4:1111/...; users reported success after about 1 minute. [#21056057]
  • A confirmed vulnerable OTA session wrote about 427,676 bytes and then rebooted into OpenBeken; the UART log showed ota download is done! before reset. [#21063222]
  • Factory BL602 dumps discussed here are typically 2 MB, while some dev boards use 4 MB flash; that mismatch matters for restore tests and partition handling. [#21063112]
  • BL602 UART logs in the thread used 2,000,000 baud, and weak power from a USB-to-UART adapter was called out as a cause of missing AP behavior after flashing. [#21586157]

How do you flash a Magic Home BL602 controller to OpenBeken over WiFi without soldering using the manufacturer's OTA mechanism?

You reset the controller, join its AP, host the OTA file locally, and trigger the vendor OTA URL over UDP.

  1. Power-cycle the device 4 times to factory reset, then connect to the LEDnetXXXXXXXXX AP.
  2. Serve OpenBL602_...OTA.bin.xz.ota on a local HTTP server, often on port 1111.
  3. Send AT+UPURL=http://10.10.123.4:1111/update?... to 10.10.123.3:48899.

A working device replies back ok, then usually reboots after about 1 minute and appears as OpenBL602_XXXXXXXX. [#21056057]

Which OpenBeken file should I download for a BL602 WiFi-only flash, and why does it need to be the .ota build instead of the regular binary?

Download the BL602 OTA package, for example OpenBL602_1.17.553_OTA.bin.xz.ota, not the plain .bin. The OTA method calls the manufacturer’s updater, so it expects an OTA-formatted image rather than a raw UART-flash binary. The thread explicitly says to choose the version for the BL602 chip and OTA. A regular OpenBL602_...bin is used for wired flashing through tools like BLDevCube, not for the WiFi-only exploit path. [#21056057]

What do the BL602 Magic Home AT commands AT+LVER and AT+UPURL do, and how are they used during the WiFi flashing process?

AT+LVER reads the installed firmware version, and AT+UPURL tells the device where to fetch an update. In the working example, AT+LVER returned +ok=33_48_20201219_ZG-BL from UDP port 48899. AT+UPURL then pointed the device at a local HTTP URL on 10.10.123.4:1111 so it could download and install OpenBeken. "AT+UPURL is a device OTA trigger that makes the stock firmware fetch a new image from a supplied URL, using the vendor update path rather than UART flashing." [#21056057]

Why does a Magic Home BL602 device reply with +ok=up_ErrType, +ok=up_ErrHttp, or just a blank +ok= when I try the OTA exploit?

Those replies mean the OTA request was accepted syntactically but failed at the validation, transport, or reboot stage. +ok=up_ErrType appeared on newer or incompatible Magic Home firmware, including 33_227_20231220_ZG-BL, and on a 35_162_20220801_ZG-BL-BP101 device that did not exploit. +ok=up_ErrHttp points to a fetch or URL issue. A blank +ok= can happen before reboot; one user saw it before disconnect, but the HTTP listener never received a request. Check firmware version, URL reachability, exact query format, and whether that device family still accepts custom OTA payloads. [#21245497]
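The replies listed above can be triaged mechanically before deciding whether a device needs wired flashing. The following is an added example, not code from the thread or from mhflasher: it classifies datagrams received from UDP 48899 and checks an AT+LVER version against the outcomes reported in this thread. The category labels, the `THREAD_REPORTS` table and the reading of the third version field as a YYYYMMDD build date are assumptions of the example.

```python
import re
import socket
from datetime import date

# Outcomes reported in this thread only; any other version gets "no report".
THREAD_REPORTS = {
    "33_48_20201219_ZG-BL": "OTA trigger accepted",
    "33_227_20231220_ZG-BL": "rejected with up_ErrType",
    "35_162_20220801_ZG-BL-BP101": "rejected with up_ErrType",
}
VERSION_RE = re.compile(r"^(\d+)_(\d+)_(\d{8})_(ZG-BL\S*)$")

def parse_reply(raw: bytes) -> dict:
    """Classify one datagram received from the AT port (UDP 48899)."""
    text = raw.decode("ascii", errors="replace").strip("\r\n\x00 ")
    if not text.startswith("+ok"):
        return {"kind": "unknown", "raw": text}
    body = text
    while body.startswith("+ok"):  # thread logs also show "+ok=+ok=up_ErrType"
        body = body[3:].lstrip("=")
    if body == "":
        return {"kind": "blank"}  # seen before a reboot, and when no HTTP fetch followed
    if body.startswith("up_Err"):
        return {"kind": "ota_error", "code": body}
    m = VERSION_RE.match(body)
    if not m:
        return {"kind": "unknown", "raw": text}
    d = m.group(3)  # assumption: third field is a YYYYMMDD build date
    try:
        build = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:
        build = None
    return {"kind": "version", "version": body, "build_date": build,
            "thread_report": THREAD_REPORTS.get(body, "no report")}

def query(cmd="AT+LVER\r", host="10.10.123.3", port=48899, timeout=3.0) -> dict:
    """Send one AT command to a device whose AP you have joined; classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(cmd.encode("ascii"), (host, port))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return {"kind": "no_response"}
    return parse_reply(data)

# Constructed sample datagrams, built from reply strings quoted in the thread.
SAMPLES = [b"+ok=33_48_20201219_ZG-BL\r", b"+ok=+ok=up_ErrType", b"+ok=", b"+ok=up_ErrHttp"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_reply(s))
```

A version that returns "no report" is simply untested in this thread; the table makes no prediction from the build date alone.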

What is mhflasher, and how does it automate the Magic Home BL602 OTA flashing procedure on Android?

mhflasher is an Android app that automates the same Magic Home BL602 OTA exploit described for Linux. It connects to the device AP, checks whether UDP communication works on port 48899, and sends the OTA trigger without needing manual terminal commands. The source code was shared publicly, and APKs were said to be in the releases folder. Later, an updated build was reported tested with OpenBL602 1.18.230 and confirmed to work on vulnerable Magic Home dumps. [#21787740]

How can I serve the OpenBL602 OTA file from Windows with PowerShell and send the UDP command with Packet Sender instead of using Linux netcat?

Use PowerShell as a one-shot HTTP listener and Packet Sender for the UDP packet.

  1. Start an HttpListener on port 1111 and serve OpenBL602_...OTA.bin.xz.ota.
  2. Connect your PC to the device AP, usually with the controller at 10.10.123.3 and your PC at 10.10.123.4.
  3. In Packet Sender, send AT+UPURL=http://10.10.123.4:1111/update?version=...&beta,pierogi as UDP to port 48899.

The thread reports you should see the upload, an OK, then a reboot into OpenBeken. [#21063222]

Why do some newer Zengge or Magic Home BL602 firmware versions like 33_227_20231220_ZG-BL appear patched against the OTA method?

They appear patched because the same OTA trigger that works on older builds fails early on newer ones. A tested device on 33_227_20231220_ZG-BL returned +ok=+ok=up_ErrType, and its UART log showed *system:ota fail after comparing the OpenBeken version string against stock values. Another user also suspected newer versions had been patched against custom firmware via OTA. The thread’s working pattern is clear: exploit success depends on firmware family and date, not just on using a BL602 chip. [#21418610]

What is BLDevCube, and how is it used to dump, restore, or flash factory firmware on BL602 devices?

BLDevCube is Bouffalo Lab’s serial flashing tool for BL602, used here for full-dump backup, factory restore, and wired OpenBeken flashing. Users restored 2 MB factory images, flashed raw OpenBL602 .bin files, and tested full-image writes from address 0x0 or app-region writes from 0x10000. One successful restore to a 4 MB dev board from a 2 MB Magic Home dump booted the stock LED... AP and even paired in the app. That made BLDevCube the main recovery tool when OTA failed. [#21063112]

How does the Magic Home BL602 OTA method compare with soldering and UART flashing in terms of reliability and recovery options?

The OTA method is faster and needs no soldering, but UART flashing is more reliable and easier to recover from. OTA works only when the stock firmware still accepts the vendor update trigger on UDP 48899. Wired flashing with BLDevCube can restore a full factory dump, write OpenBL602 directly, and recover devices that no longer expose an AP. If you have only 3 devices and a patched build, one user concluded it was quicker to use a soldering iron than keep spoofing OTA traffic. [#21418610]

What troubleshooting steps help when OpenBL602 flashes successfully but the OpenBL602_XXXXX AP never appears afterward?

Check power, boot wiring, partition layout, and UART logs before assuming the image is bad. The thread suggests using a stable 3.3 V supply instead of powering from a weak USB-to-UART adapter, disconnecting the BOOT pin after flashing, and capturing serial output at 2,000,000 baud. One responder also supplied a fixed 2 MB partition table for BL602 tests. "OpenBL602_XXXXX AP never appears" usually means the app booted incorrectly or the radio config is wrong, not that the flash write itself failed. [#21592996]

Why is the OpenBL602 firmware file much smaller than a full 2 MB factory dump, and what flash regions are intentionally left untouched?

The OpenBL602 file is smaller because it only replaces the application area, not the whole flash chip. A maintainer explained that full-chip overwrites would destroy RF calibration, MAC address data, Tuya GPIO config on supported platforms, and existing OpenBeken settings. That is why a release binary can be under 1 MB while the stock backup is 2 MB. The design is intentional, and it matches the goal of preserving board-specific data outside the main firmware partition. [#21586062]

How can I restore a BL602 device back to its factory firmware from a backup dump if OpenBeken flashing or configuration goes wrong?

Write the saved factory dump back with BLDevCube, then reboot and verify the original AP returns. The thread confirms a full 2 MB backup can restore a Magic Home BL602 to stock behavior, including the factory LEDnet... AP and normal app pairing. One user called this a tested dump-and-restore path for putting BL602 devices back to factory firmware. If OpenBeken config is broken, a full restore is the recommended reset path before trying another flash. [#21063222]

What is the CozyLife local JSON protocol on UDP 6065 and TCP 5555, and how is it different from the Magic Home AT-command method on UDP 48899?

CozyLife uses JSON messages on UDP 6065 and TCP 5555, while Magic Home uses plain-text AT commands on UDP 48899. A working CozyLife query looked like {"cmd":0,"pv":0,"sn":"...","msg":{}} and returned JSON with fields such as did, pid, mac, ip, and res. "CozyLife local JSON protocol is a device-control API that exchanges structured JSON commands and responses, unlike Magic Home’s short AT strings sent to the vendor pairing port." The thread also tied CozyLife cmd:5 to OTA experiments. [#21068684]

What should I try when a flashed Magic Home or OpenBL602 device disappears from both AP mode and my home WiFi after a failed setup?

First try a factory reset by power-cycling, then inspect UART logs, and be ready to reflash from backup. A user who lost both the AP and home WiFi after setup was advised that AP mode may not recover with power cycling alone if the device crashes or stores bad settings. Another thread segment recommends watching serial logs, verifying power from the normal 5–28 V input, and restoring the original dump if needed. If the device stays silent, wired recovery is the practical next step. [#21264185]

How could the Sonoff DIY mode REST API or eWeLink update mechanism be investigated as a no-solder flashing path for BL602 Sonoff plugs and bulbs?

Investigate it by entering Sonoff DIY mode, capturing traffic, and testing whether its REST OTA endpoint accepts a local firmware URL. The thread mentions a BL602 smart plug exposing Sonoff DIY mode after holding the button for 5 seconds, with official documentation describing a RESTful API that includes OTA actions. eWeLink devices were also noted to use different ports and sometimes SSL, so packet capture and version checks are essential. The same no-solder idea may work, but the thread does not yet show a confirmed OpenBeken flash on Sonoff BL602 hardware. [#21188184]
Generated by the language model.