[BL602] How to flash Magic Home over WiFi without soldering

alwas 13644 89

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#61 21507933 05 Apr 2025 17:41

divadiow divadiow

Level 35

Helpful post? (0)

Post #61
21507933 05 Apr 2025 17:41

>>21507396

as in your pin assignments in the config page aren't saving?
ADVERTISEMENT
#62 21585608 21 Jun 2025 16:44

kellerto kellerto

Level 5

Helpful post? (0)

Post #62
21585608 21 Jun 2025 16:44

>>21418610 Any luck with 33_227_20231220_ZG-BL?
#63 21585743 21 Jun 2025 20:29

divadiow divadiow

Level 35

Helpful post? (0)

Post #63
21585743 21 Jun 2025 20:29

we could do with a backup of a 33_227_20231220_ZG-BL device firmware for the collection and to test mhflasher
ADVERTISEMENT
#64 21585983 22 Jun 2025 09:08

kellerto kellerto

Level 5
Helpful post? (0)

Post #64
21585983 22 Jun 2025 09:08

>>21585743 thank you for help. I was able to read (dump) the original Flash firmware. I was also able to run AT+LVER\r with packetsender app in order to find the version: 33_227_20231220_ZG-BL\r
I'm trying to flash MagicHome RGB controller without success. Tried by soldering approach accepts which seems to work but no AP appears (even after 5 power cycles) also firmeware installation via OTA by using AT+UPURL and powershell http listener on Port.1111

Here the original flash bin

Attachments:

flashBackup2.bin Download (2 MB)

flash.bin Download (2 MB)
#65 21586017 22 Jun 2025 10:04

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #65
21586017 22 Jun 2025 10:04

AP may not work if you power device from USB to UART converter. You need a good 3.3V power supply that can provide enough current.

You can just watch UART log output via UART to see if it crashes.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#66 21586037 22 Jun 2025 10:30

kellerto kellerto

Level 5

Helpful post? (0)

Post #66
21586037 22 Jun 2025 10:30

Unfortunately problem exists even when I power up via regular DC 5….28V input socket (I used 12VDC)
#67 21586041 22 Jun 2025 10:33

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #67
21586041 22 Jun 2025 10:33

Ok, so what is the debug log output?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#68 21586051 22 Jun 2025 10:48

kellerto kellerto

Level 5

Helpful post? (0)

Post #68
21586051 22 Jun 2025 10:48

….don’t have a debug output handy. Removed UART while using the 12V Source. Will try to pull one this afternoon when I’m back home.
I’m also a bit irritated, BL602 bin file from https://github.com/openshwprojects/OpenBK7231T_App/releases/tag/1.18.123
is less than 1MB but my original dump(backup) is 2048 kB.
#69 21586062 22 Jun 2025 10:59

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (+1)

Post #69
21586062 22 Jun 2025 10:59

Why would you want it to be full size? We only overwrite main application, there is no need to overwrite full flash. I will say even more - we need to do this that way, otherwise we would:
- overwrite RF partition and lose calibration (get worse WiFi quality, known problem on Beken)
- overwrite MAC address and get MAC collisions (on some platforms)
- overwrite Tuya GPIO Config (which we can extract on Beken and use to configure device)
- overwrite your OBK config (only if you reflash)
So, we obviously provide only app section, not full flash, just like Tasmota does.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#70 21586076 22 Jun 2025 11:08

kellerto kellerto

Level 5

Helpful post? (0)

Post #70
21586076 22 Jun 2025 11:08

Makes sense, thank you for clearing this thought.
#71 21586087 22 Jun 2025 11:17

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #71
21586087 22 Jun 2025 11:17

If you think that you may misconfigured your device and want to "refresh" it, then the recommended method is to rewrite full 2MB factory flash (assuming you have taken it), and then flash our firmware again.

Still, I'm saying that just for other readers, because in your case I am not sure if that's the problem... maybe something else is incorrect, let us know when you manage to take the debug log.

Btw, did you make sure to disconnect BOOT pin before trying?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#72 21586110 22 Jun 2025 11:35

kellerto kellerto

Level 5

Helpful post? (0)

Post #72
21586110 22 Jun 2025 11:35

…was thinking the same. First instal the original backup, which I pulled at the beginning. Then instal the newest OpenBL602.bin
Which is exactly what I did at the beginning of this journey.
And get us the debug log. Hope debug log is possible with bouffalolab flasher.
#73 21586120 22 Jun 2025 11:41

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #73
21586120 22 Jun 2025 11:41

Any UART client can set debug log as long as you set valid baud rate

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#74 21586157 22 Jun 2025 12:07

divadiow divadiow

Level 35

Helpful post? (0)

Post #74
21586157 22 Jun 2025 12:07

for the record your backup does work and here is the debug log from that. 2000000 baud
Code: Text
Log in, to see the code

mhflasher OTA method fails, as you know. this is log for when pushing 'flash' button in mhflasher app
Code: Text
Log in, to see the code
#75 21586228 22 Jun 2025 13:21

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #75
21586228 22 Jun 2025 13:21

@divadiow can you try with older OBK binary? The one before we introduced size check with @insmod ?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#76 21586235 22 Jun 2025 13:28

insmod insmod

Level 26

Helpful post? (0)

Post #76
21586235 22 Jun 2025 13:28

Size check only matters when OTA is performed from OBK, not to it.

Offtopic: did xr809 ota ever work? I get rtos scheduler shutting down when erasing, and if erase is skipped - when writing first payload. In that case it is either scheduler or hard fault.
Curiously, if flash debugging is enabled it goes a little further, but will still hang or crash.
#77 21586245 22 Jun 2025 13:48

divadiow divadiow

Level 35

Helpful post? (+1)

Post #77
21586245 22 Jun 2025 13:48

insmod wrote:
did xr809 ota ever work?

previous chats about it here https://www.elektroda.com/rtvforum/topic4055254.html#21131093

Added after 10 [minutes]:

p.kaczmarek2 wrote:
can you try with older OBK binary?

I have burnt user's backup and then flashed 1.18.100 as per:

4mb board. OpenBL AP broadcasts as expected. Not sure what that proves though because even with an entirely blank flash (erase whole chip- read back 4mb from 0x0 - all FF) BLDevCube seems to add/erase/carve all the needed bits up to make working flash

Code: Text
Log in, to see the code

eg
Code: Text
Log in, to see the code
#78 21586308 22 Jun 2025 14:48

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #78
21586308 22 Jun 2025 14:48

insmod wrote:

did xr809 ota ever work?.

XR809 OTA never worked for me. XR809 was the first IoT device I flashed (except ESP), then I flashed BK and backported XR809 support to OpenBK (that was the first non-BK platform supported).
I remember I was doing some debugging with printfs in XR809 OTA SDK code but failed to find anything, however, I know I was using the same binary I use for UART, which was most likely incorrect.
https://github.com/openshwprojects/OpenXR809/commit/3c964113f1be89f749e4619483590bf5e2842a6a
Recently we've looked into those XR872 cameras with @divadiow and I seemed to see more OTA code there, maybe OTA file generation.

@insmod how far have you managed with that, do you know how to build flash OTA file for XR?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#79 21586374 22 Jun 2025 16:36

insmod insmod

Level 26

Helpful post? (+1)

Post #79
21586374 22 Jun 2025 16:36

>>21586308
From what i understood in the SDK code, the same binary that is used for UART is used for OTA.
And it probably works like two partition scheme on ESP.
I did some debugging, and it stops RTOS scheduler and disables XIP on flash opening. That is probably the problem, and i'm don't know how to solve it. And i'm not sure if it would affect LFS and EF.

Currently i separated pins for all XRs, added easyflash, LFS, and started using heap_4, not heap_stdlib.
Coded pwm, but it's not working yet. Also coded ADC, but can't test it for now.
Decided against updating freertos and lwip, binary size is already too much.
Will see if i manage to successfully enable compression, like tuya uses by default.
#80 21586388 22 Jun 2025 16:52

kellerto kellerto

Level 5

Helpful post? (0)

Post #80
21586388 22 Jun 2025 16:52

…was thinking the same. First instal the original backup, which I pulled at the beginning. Then instal the newest OpenBL602.bin
Which is exactly what I did at the beginning of this journey.
And get us the debug log. Hope debug log is possible with bouffalolab flasher.
#81 21586431 22 Jun 2025 17:36

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #81
21586431 22 Jun 2025 17:36

Nice, which XR do you have, @insmod ? The first thing I would try to do for Xr809/XR806 is enabling the UART flashing method without pulling two pins down... it seems that XR872 has this possible via AT command (UPGRADE). Maybe we could also strip other AT commands to get more space.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#82 21586469 22 Jun 2025 17:54

insmod insmod

Level 26

Helpful post? (0)

Post #82
21586469 22 Jun 2025 17:54

>>21586431
I have XR809 and testing everything there.
I also have XR872 doorbell with 4MB flash. But there are almost no pins wired out. Tried to find UART port, but no luck.
Got PWM and ADC working.
Binary size is already past 1024K limit, had to change it to 1056K. Currently at 1044 kb.

UART for XR809 is easy, there is one pin combination for UART0, and one for UART1.
But for XR806, one for UART0, 3 for UART1 and 3 for UART2.
#83 21586478 22 Jun 2025 17:59

divadiow divadiow

Level 35

Helpful post? (0)

Post #83
21586478 22 Jun 2025 17:59

the toolchain updates saves 7kb or 9kb. any good?

https://github.com/openshwprojects/OpenBK7231T_App/pull/1619
#84 21586480 22 Jun 2025 18:02

insmod insmod

Level 26

Helpful post? (0)

Post #84
21586480 22 Jun 2025 18:02

>>21586478
Didn't try it. Bot on W600 gcc-8 increased size by 3kb.
I will later try to use gcc-10.3

#85 21586571 22 Jun 2025 20:00

kellerto kellerto

Level 5

Post #85

21586571 22 Jun 2025 20:00

>>21586157
I can confirm, original backup worked. It also opens an AP soon power supply is applied.


[0m
[17:49:11.452] -  [33;4m
sysTick:90127
7C3E82C16F17
10.10.123.3
fh:62544
st1:21 st2:0 st3:0
life:%100
repT:0s
pwr:0
wanT:0 lanT:0
ping:0 (0) 9999
rssi:-9999 (0) 9999

Test2: Installed OpenBL602_1.18.123.bin by using Single Download option

UART Log after disconnected boot resistor connecting to 12V source. No UART Logging received

[17:56:47.813] - serial type is general
[17:56:50.190] - Open COM5 Success

Test3: Installed OpenBL602_1.18.123.bin by using Firmware options
Note: As you mentioned this kind of installation messes with chip and wifi config. Just did it to compare with Test 1 and 2.
and please note, the IP Address listed in logfile is not mine and not related with my network. not sure where this setting is coming from. looks like build in into one of the other 3 firmware options (files) ?.

[19:49:31.413] - Starting bl602 now....
Booting BL602 Chip...
██████╗ ██╗      ██████╗  ██████╗ ██████╗
██╔══██╗██║     ██╔════╝ ██╔═████╗╚════██╗
██████╔╝██║     ███████╗
[19:49:31.413] -  ██║██╔██║ █████╔╝
██╔══██╗██║     ██╔═══██╗████╔╝██║██╔═══╝
██████╔╝███████╗╚██████╔╝╚██████╔╝███████╗
╚═════╝ ╚══════╝ ╚═════╝  ╚═════╝ ╚══════╝
------------------------------------------------------------
RISC-V Core Feature:RV32-ACFIMX
Build Version: release_bl_iot_sdk_1.6.39-238-gf5ba0a7ee
Build Date: Jun 21 2025
Build Time: 05:56:26
------------------------------------------------------------
blog init set power on level 2, 2, 2.
[IRQ] Clearing and Disable all the pending IRQ...
[         0][INFO: hal_boot2.c: 282] [HAL] [BOOT2] Active Partition[0] consumed 596 Bytes
[         0][INFO: hal_boot2.c:  82] ======= PtTable_Config @0x4200f250=======
[         0][INFO: hal_boot2.c:  83] magicCode 0x54504642; version 0x0000; entryCnt 7; age 0; crc32 0x12DF9A26
[         0][INFO: hal_boot2.c:  89] idx  type device activeIndex     name   Address[0]  Address[1]  Length[0]   Length[1]   age
[         0][INFO: hal_boot2.c:  91] [00]  00     0         0            FW  0x00010000  0x000e8000  0x000d8000  0x00088000  0
[         0][INFO: hal_boot2.c:  91] [01]  02     0         0           mfg  0x00170000  0x00000000  0x00032000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [02]  03     0         0         media  0x001a2000  0x00000000  0x00047000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [03]  04     0         0           PSM  0x001e9000  0x00000000  0x00008000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [04]  05     0         0           KEY  0x001f1000  0x00000000  0x00002000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [05]  06     0         0          DATA  0x001f3000  0x00000000  0x00005000  0x00000000  0
[         0][INFO: hal_boot2.c:  91] [06]  07     0         0       factory  0x001f8000  0x00000000  0x00007000  0x00000000  0
[         0][INFO: bl_flash.c: 391] ======= FlashCfg magiccode @0x42049c18=======
[         0][INFO: bl_flash.c: 392] mid       0x5E
[         0][INFO: bl_flash.c: 393] clkDelay    0x1
[         0][INFO: bl_flash.c: 394] clkInvert    0x1
[         0][INFO: bl_flash.c: 395] sector size   4KBytes
[         0][INFO: bl_flash.c: 396] page size   256Bytes
[         0][INFO: bl_flash.c: 397] ---------------------------------------------------------------
[         0][INFO: hal_board.c:1249] [MAIN] [BOARD] [FLASH] addr from partition is 001f8000, ret is 0
[         0][INFO: hal_board.c:1257] [MAIN] [BOARD] [XIP] addr from partition is 231e7000, ret is 0
[         0][INFO: hal_board.c: 208] MAC address mode length 3
[         0][INFO: hal_board.c: 212] MAC address mode is MBF
Read slot:0
[         0][INFO: hal_board.c: 187] Set MAC addrress 7C:3E:82:C1:6F:17
[         0][INFO: hal_board.c: 955] country_code : 86
[         0][INFO: hal_board.c: 342] xtal_mode is MF
Read slot:0
[         0][INFO: hal_board.c: 374] get xtal from M ready 31 31 1 60 60
[         0][INFO: hal_board.c: 846] pwr_table_11b :20 20 20 18
[         0][INFO: hal_board.c: 860] pwr_table_11g :18 18 18 18 18 18 14 14
[         0][INFO: hal_board.c: 878] pwr_table_11n :18 18 18 18 18 16 14 14
No written slot found
[         0][BUF: hal_board.c: 606]   0   0   0   0   0   0   0   0   0   0   0   0   0   0
[         0][INFO: hal_board.c: 902] set pwr_table_ble = 13 in dts
[         0][INFO: hal_board.c: 687] ap_ssid string[0] = bl_test_005, ap_ssid_len = 11
[
[19:49:31.429] -     0][INFO: hal_board.c: 698] ap_psk string[0] = 12345678, ap_psk_len = 8
[         0][INFO: hal_board.c: 707] ap_channel
[19:49:31.429] - = 11
[         0][INFO: hal_board.c: 635] [STA] ap_ssid string[0] = yourssid, ap_ssid_len = 8
[         0][INFO: hal_board.c: 646] [STA] ap_psk string[0] = yourapssword, ap_psk_len = 12
[         0][INFO: hal_board.c: 654] auto_connect_enable = 0
[         0][INFO: hal_board.c: 749] Troom_os = -1, lentmp = 4
[         0][INFO: hal_board.c: 758] linear_or_follow = 1, lentmp = 4
[         0][INFO: hal_board.c: 767] Tchannels:2412,2427,2442,2457,2472,
[         0][INFO: hal_board.c: 781] Tchannel_os:180,168,163,160,157,
[         0][INFO: hal_board.c: 795] Tchannel_os_low:199,186,170,165,160,
[         0][INFO: hal_board.c: 808] en_tcal = 0, lentmp = 4
[OS] Starting aos_loop_proc task...
[OS] Starting OS Scheduler...
[MTD] >>>>>> Hanlde info Dump >>>>>>
name PSM
id 0
offset 0x001e9000(2002944)
size 0x00008000(32Kbytes)
xip_addr 0x231d8000
[MTD] <<<<<< Hanlde info End <<<<<<
[EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
ENV AREA SIZE 32768, SECTOR NUM 8
*default_env_size = 0x00000001
ENV start address is 0x00000000, size is 32768 bytes.
[19:49:31.476] - EasyFlash V4.0.99 is initialize success.
You can get the latest version on https://github.com/armink/EasyFlash .
[MTD] >>>>>> Hanlde info Dump >>>>>>
name media
id 0
offset 0x001a200
[19:49:31.476] - 0(1712128)
size 0x00047000(284Kbytes)
xip_addr 0x23191000
[MTD] <<<<<< Hanlde info End <<<<<<
[        38][ERROR : bl_romfs.c: 158] romfs magic is NOT correct
[        39][INFO  : hosal_adc.c: 459] offset = 2132
[        39][INFO  : hosal_adc.c: 233] ADC freq: 284Hz. div:6
[OS] Starting proc_mian_entry task...
[OS] Starting TCP/IP Stack...
-------------------->>>>>>>> LWIP tcp_port 58301
[MTD] >>>>>> Hanlde info Dump >>>>>>
name PSM
id 0
offset 0x001e9000(2002944)
size 0x00008000(32Kbytes)
xip_addr 0x231d8000
[MTD] <<<<<< Hanlde info End <<<<<<
[EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
ENV AREA SIZE 32768, SECTOR NUM 8
*default_env_size = 0x00000001
EasyFlash V4.0.99 is initialize success.
You can get the latest version on https://github.com/armink/EasyFlash .
Start Wi-Fi fw @95ms
[19:49:31.554] - 1th channel,lo_vco_freq_cw=154
2th channel,lo_vco_freq_cw=153
3th channel,lo_vco_freq_cw=152
4th channel,lo_vco_freq_cw=151
5th channel,lo_vco_freq_cw=149
6th channel,lo_vco_freq_cw=148
7th channel,lo_vco
[19:49:31.554] - _freq_cw=147
8th channel,lo_vco_freq_cw=145
9th channel,lo_vco_freq_cw=144
10th channel,lo_vco_freq_cw=143
11th channel,lo_vco_freq_cw=141
12th channel,lo_vco_freq_cw=140
13th channel,lo_vco_freq_cw=139
14th channel,lo_vco_freq_cw=138
15th channel,lo_vco_freq_cw=136
16th channel,lo_vco_freq_cw=135
17th channel,lo_vco_freq_cw=134
18th channel,lo_vco_freq_cw=133
19th channel,lo_vco_freq_cw=132
20th channel,lo_vco_freq_cw=130
21th channel,lo_vco_freq_cw=129
0th channel,vco_idac_cw=7
1th channel,vco_idac_cw=6
2th channel,vco_idac_cw=6
3th channel,vco_idac_cw=6
4th channel,vco_idac_cw=6
5th channel,vco_idac_cw=6
6th channel,vco_idac_cw=6
7th channel,vco_idac_cw=6
8th channel,vco_idac_cw=6
9th channel,vco_idac_cw=6
10th channel,vco_idac_cw=5
11th channel,vco_idac_cw=5
12th channel,vco_idac_cw=5
13th channel,vco_idac_cw=5
14th channel,vco_idac_cw=5
15th channel,vco_idac_cw=6
16th channel,vco_idac_cw=5
17th channel,vco_idac_cw=5
18th channel,vco_idac_cw=5
19th channel,vco_idac_cw=5
20th channel,vco_idac_cw=5
LO locked 9 144
rosdac_i_gc3=27
rosdac_i_gc2=27
rosdac_i_gc1=27
rosdac_i_gc0=27
rosdac_q_gc3=33
rosdac_q_gc2=33
rosdac_q_gc1=33
rosdac_q_gc0=33
rbb_cap1_fc_i=30,rbb_cap2_fc_i=30,rbb_cap1_fc_q=30,rbb_cap2_fc_q=30
new rbb_cap1_fc_i=54,rbb_cap2_fc_i=54,rbb_cap1_fc_q=54,rbb_cap2_fc_q=54
LO locked 9 144
amp=128,step=32,adc_mean_i=85
amp=160,step=16,adc_mean_i=111
tmx_cs=0, tmxcs_pwr_avg=50712, tmxcs_pwr_avg>>10=49
tmx_cs=1, tmxcs_pwr_avg=57332, tmxcs_pwr_avg>>10=55
tmx_cs=2, tmxcs_pwr_avg=66924, tmxcs_pwr_avg>>10=65
tmx_cs=3, tmxcs_pwr_avg=81456, tmxcs_pwr_avg>>10=79
tmx_cs=4, tmxcs_pwr_avg=98581, tmxcs_pwr_avg>>10=96
tmx_cs=5, tmxcs_pwr_avg=112166, tmxcs_pwr_avg>>10=109
tmx_cs=6, tmxcs_pwr_avg=110187, tmxcs_pwr_avg>>10=107
tmx_cs=7, tmxcs_pwr_avg=95296, tmxcs_pwr_avg>>10=93
tmx_cs_max=5, tmxcs_pwr_max=112166, tmxcs_pwr_max>>10=109
amp=256,step=64,adc_mean_i=112
amp=320,step=32,adc_mean_i=228
tosdac_i=30,tosdac_q=44,tx_iq_gain_comp=1054,tx_iq_phase_comp=1
tosdac_i=28,tosdac_q=42,tx_iq_gain_comp=1042,tx_iq_phase_comp=5
tosdac_i=28,tosdac_q=44,tx_iq_gain_comp=1029,tx_iq_phase_comp=4
tosdac_i=31,tosdac_q=47,tx_iq_gain_comp=1040,tx_iq_phase_comp=2
tosdac_i=31,tosdac_q=47,tx_iq_gain_comp=1040,tx_iq_phase_comp=7
tosdac_i=29,tosdac_q=47,tx_iq_gain_comp=1032,tx_iq_phase_comp=2
tosdac_i=27,tosdac_q=48,tx_iq_gain_comp=1040,tx_iq_phase_comp=0
tosdac_i=27,tosdac_q=46,tx_iq_gain_comp=1042,tx_iq_phase_comp=-3
[WF] [KEY] [CFG] nVAP is 2, endidx 12, startidx 8
td_init
td_reset idx=0
td_reset idx=1
Start Wi-Fi fw is Done @169ms
[APP] [EVT] INIT DONE 118
[BL] Initi Wi-Fi with MAC #### 7C:3E:82:C1:6F:17 ####
hostname: OpenBL602_82c16f17
[WF] country code CN used, num of channel 13
-----------------------------------------------------
[IPC] [TX] Low level size 204, driver size 100, total size 304
Enable BMX IRQ
[WF] [KEY] [CFG] nVAP is 2, endidx 12, startidx 8
td_init
td_reset idx=0
td_reset idx=1
[version] lmac 5.4.0.0
[version] version_machw_1 000055FB
[version] version_machw_2 000001B3
[version] version_phy_1 00822111
[version] version_phy_2 00000000
[version] features 001089DF
[ME] HT supp 1, VHT supp 0
[WF][SM] reload tsen
[WF][SM] Exiting ifaceDown state
[WF][SM] State Action ###ifaceDown### --->>> ###idle###
[WF][SM] Entering idle state
[APP] [EVT] MGMR DONE 130, now 182ms
[19:49:32.017] - Entering initLog()...
Commands registered!
initLog() done!
[MTD] >>>>>> Hanlde info Dump >>>>>>
na
[19:49:32.017] - me PSM
id 0
offset 0x001e9000(2002944)
size 0x00008000(32Kbytes)
xip_addr 0x231d8000
[MTD] <<<<<< Hanlde info End <<<<<<
[EF] Found Valid PSM partition, XIP Addr 231d8000, flash addr 001e9000, size 32768
ENV AREA SIZE 32768, SECTOR NUM 8
*default_env_size = 0x00000001
EasyFlash V4.0.99 is initialize success.
You can get the latest version on https://github.com/armink/EasyFlash .
[19:49:32.050] - [       651][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8
[19:49:32.150] - [MTD] >>>>>> Hanlde info Dump >>>>>>
name media
id 0
offset 0x001a2000(1712128)
size 0x00047000(284Kbytes)
xip_ad
[19:49:32.167] - dr 0x23191000
[MTD] <<<<<< Hanlde info End <<<<<<
Main_Init_Before_Delay done
Main_Init_Delay
Main_Init_Delay done
Info:MAIN:Main_Init_Before_Delay
Warn:CFG:CFG_InitAndLoad: Correct config has been loaded with 2 changes count.
Error:CMD:lfs is absent
Info:GEN:PIN_SetupPins pins have been set up.
Info:MAIN:Main_Init_Before_Delay done
Info:MAIN:Main_Init_Delay
Info:MAIN:Main_Init_Delay done
Info:MAIN:Main_Init_After_Delay
Info:MAIN:Using SSID []
Info:MAIN:Using Pass []
Error:HTTP:Created HTTP SV thread with (stack=2048)
Info:MQTT:MQTT_RegisterCallback called for bT obl82C16F17/ subT obl82C16F17/+/set
Info:MQTT:MQTT_RegisterCallback called for bT bl602s/ subT bl602s/+/set
Info:MQTT:MQTT_RegisterCallback called for bT cmnd/obl82C16F17/ subT cmnd/obl82C16F17/+
Info:MQTT:MQTT_RegisterCallback called for bT cmnd/bl602s/ subT cmnd/bl602s/+
Info:MQTT:MQTT_RegisterCallback called for bT obl82C16F17/ subT obl82C16F17/+/get
Info:CMD:CMD_StartScript: started @startup at the beginning
Error:CMD:LFS_ReadFile: lfs is absent
Info:CMD:CMD_StartScript: failed to get file autoexec.bat
Info:MAIN:Main_Init_After_Delay done
[19:49:33.051] - Info:MAIN:Time 1, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:34.005] - Info:MAIN:Time 2, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:34.975] - Info:MAIN:Time 3, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:35.928] - Info:MAIN:Time 4, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing
[19:49:35.928] -  -1, socks 2/21
[19:49:36.900] - [lwip] netif status callback
IP: 192.168.11.1
MK: 255.255.255.0
GW: 0.0.0.0
[WF] MM_ADD_IF_REQ Sending: AP
td_start idx=0
[W
[19:49:36.900] - F] MM_ADD_IF_REQ Done
[WF] vif_index from LAMC is 0
[lwip] netif status callback
IP: 192.168.169.1
MK: 255.255.255.0
GW: 0.0.0.0
[DHCP] ip_start: [192.168.169.2]
[DHCP] ip_start: [192.168.169.254]
[WF][SM] start AP with ssid OpenBL602_82C16F17;
[WF][SM]               pwd  ;
[WF][SM]               channel  1;
[WF] APM_START_REQ Sending with vif_index 0
[WF] received APM Start apm_start_req_handler:74
[WF] return with other handler
[WF] APM_START_REQ Done
[WF] status is 00
[WF] vif_idx is 00
[WF] ch_idx is 00
[WF] bcmc_idx is 05
[WF][SM] stateGlobalGuard_AP: AP iface has started!
Info:MAIN:Time 5, idle 0/s, free 112736, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[APP] [EVT] Unknown code 11, 5706
[19:49:37.878] - [      6710][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8
Info:MAIN:Time 6, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
Info:MAIN:Boot complete time reached (5 seconds)
[19:49:38.816] - In
[19:49:38.832] - fo:MAIN:Time 7, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:39.801] - Info:MAIN:Time 8, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:40.754] - Info:MAIN:Time 9, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:41.722] - Info:MAIN:Time 10, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:42.682] - Info:MAIN:Time 11, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21
[19:49:43.096] - Close COM5 Success

Any hint or suggestions? Maybe the OpenBL602_1.18.123.bin is corrupt?

#86 21586581 22 Jun 2025 20:07

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Helpful post? (0)

Post #86
21586581 22 Jun 2025 20:07

Your log ends at:
Code: text Expand Select all Copy to clipboard
[19:49:42.682] - Info:MAIN:Time 11, idle 0/s, free 112424, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21

What happens later? Does it continue to run?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#87 21586660 22 Jun 2025 21:26

kellerto kellerto

Level 5

Helpful post? (0)

Post #87
21586660 22 Jun 2025 21:26

In this Test3, I was using the firmware options together with OpenBL602_1.18.123.bin firmware.
log continues like this.
Since the IP address is not mine it will not reach my mqtt server nor my network.
It also does not open an AP access point.
I kept sweeping wifi but no AP like with original firmware ☹️
19:49:36.900] - F] MM_ADD_IF_REQ Done
[WF] vif_index from LAMC is 0
[lwip] netif status callback
IP: 192.168.169.1
MK: 255.255.255.0
GW: 0.0.0.0
[DHCP] ip_start: [192.168.169.2]
[DHCP] ip_start: [192.168.169.254]
[WF][SM] start AP with ssid OpenBL602_82C16F17;
#88 21589678 26 Jun 2025 00:26

kellerto kellerto

Level 5

Helpful post? (0)

Post #88
21589678 26 Jun 2025 00:26

>>21586157 thank you for checking,
Backup will bring the device back to original state.
And then I installed latest OpenBL602.bin
But then device is not starting AP anymore and UART log is silent (no log)

I tried on a second new MagicHome controller but it behaves exactly the same.

Can someone confirm that lstest OpenBL602 bin works?
Or even confirm that it works on a Magic Home RGB Controller?
Helpful post

#89 21590554 26 Jun 2025 20:36

DeDaMrAz DeDaMrAz

Level 20
Helpful post? (+2)

Helpful post
Post #89
21590554 26 Jun 2025 20:36

Latest build is working on BL602 devices, see picture.

Can you change the partition table .toml file and use the attached one and report back? DTS and Boot2 remain the same.

Attachments:

partition_cfg_2M_FIX.rar Download (334 Bytes)

If you like my work, support me at: https://paypal.me/openshwprojects

#90 21592996 29 Jun 2025 16:33

kellerto kellerto

Level 5

Post #90

21592996 29 Jun 2025 16:33

>>21590554
Hi I'm back and thank you for the partition_cfg_2M_FIX file. Just reflashed the device us suggested.
There is still no "OpenBL602_82C12029 "AP starting.
Monitoring the log I observed some sections which caught my eyes. But not sure if this is the place to look.

1. According UART log, Wifi seems to start with country code "CN" --> Is this a probem?

2. Event Log says AP started and I keep scaning my Wifi but no such AP to see :-(

[16:02:47.930] - [lwip] netif status callback
IP: 192.168.11.1
MK: 255.255.255.0
GW: 0.0.0.0
[WF] MM_ADD_IF_REQ Sending: AP
td_start idx=0
[WF] MM_ADD_IF_REQ Done
[WF] vif_index from LAMC is 0
[lwip] netif status callback
IP: 192.168.169.1
MK: 255.255.255.0
GW: 0.0.0.0
[DHCP] i
[16:02:47.946] - p_start: [192.168.169.2]
[DHCP] ip_start: [192.168.169.254]
[WF][SM] start AP with ssid OpenBL602_82C12029;
[WF][SM]               pwd  ;
[WF][SM]               channel  1;
[WF] APM_START_REQ Sending with vif_index 0
[WF] received APM Start apm_start_req_handler:74
[WF] return with other handler
[WF] APM_START_REQ Done
[WF] status is 00
[WF] vif_idx is 00
[WF] ch_idx is 00
[WF] bcmc_idx is 05
[WF][SM] stateGlobalGuard_AP: AP iface has started!

3. searching logfile for lines with keyword error in it:

 
[        41][ERROR : bl_romfs.c: 158] romfs magic is NOT correct 
.....
Error:CMD:lfs is absent
.....
Error:HTTP:Created HTTP SV thread with (stack=2048)
.....
Error:CMD:LFS_ReadFile: lfs is absent

4. searching for warning message


[16:41:54.353] - [      6763][WARN  : bl_mtd.c: 205] addr@0x230a4d1c is xip flash, size 8

Complete logfile see txt file logfile_pa...2M_FIX.txt Download (26.03 kB)

I don't want to give up, so I'm hope you can give me some hints to fix this.

Additional question: Is there a way, I can preset my Wifi parameter prior flashing?
greatings from Black Forrest

Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion focuses on flashing Magic Home devices equipped with the BL602 chip over WiFi without soldering, using the manufacturer's OTA mechanism redirected to a custom server. The procedure involves resetting the device to factory settings by cycling power, hosting the OpenBeken firmware OTA binary on a local HTTP server, and sending an AT command to the device to initiate the firmware download and installation. Users report success with this method on certain BL602 devices, notably Magic Home RGB controllers, using tools like netcat and PowerShell for serving the firmware and sending commands. Challenges include firmware version compatibility, with newer Zengge firmwares apparently patched against OTA flashing exploits, resulting in errors like "+ok=up_ErrType" or no response. Some devices require specific partition tables or flash size considerations (2MB vs 4MB flash). Debugging via UART logs is recommended to diagnose boot and WiFi AP startup issues. The community also explores similar flashing approaches for related chips such as LN882H, LN8825B, BK7231N, and XR809/XR872, noting differences in communication ports, protocols (JSON over UDP/TCP), and firmware architectures (RISC-V vs ARM). JSON-based command protocols on UDP/TCP ports (e.g., 5555, 6095) are used for device communication and OTA initiation in CozyLife and Ewelink devices. Some users successfully restored factory firmware dumps and then flashed OpenBeken firmware, achieving AP mode broadcasting. However, issues persist with saving settings post-flash and AP visibility. The latest OpenBL602 builds work on some devices but may require partition table adjustments. Overall, the OTA flashing method without soldering is feasible but depends heavily on device firmware version, chip variant, and correct command syntax. Physical flashing remains a fallback for patched or incompatible devices.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
[BL602] How to flash Magic Home over WiFi without soldering

FAQ

TL;DR: 66 % of the BL602 Magic-Home firmware images tested still accept the no-solder OTA exploit, but "size check only matters when OTA is performed from OBK" [Elektroda, divadiow, #21245497; Elektrokda, insmod, #21586235]. Why it matters: Knowing which builds remain open saves hours of bench-soldering and lets you plan safe roll-backs.

Quick Facts

• Default UDP command port: 48899 for Zengge/Magic-Home, 6095 for CozyLife [Elektroda, alwas, #21056057; #21066013]
• Typical BL602 module flash size: 2 MB; dev-boards: 4 MB [Elektroda, p.kaczmarek2, post #21063102]
• OpenBeken OTA image size: ≈ 430 kB (xz) ≙ 0x6B000 bytes [Elektroda, divadiow, post #21063222]
• Latest patched build: 33_227_20231220_ZG-BL returns up_ErrType and blocks OTA [Elektroda, 0x_0, post #21418610]
• Safe power budget for BL602 flashing: ≥ 300 mA @ 3.3 V [Elektroda, p.kaczmarek2, post #21586017]

Which BL602 firmware versions still flash over Wi-Fi without soldering?

Any Magic-Home/Zengge build up to 35_162_20220801_ZG-BL flashes with the AT+UPURL trick. Two out of three images tested by reversing community members accepted the exploit, giving a 66 % success rate [Elektroda, divadiow, post #21245497] Newer line 33_227_20231220_ZG-BL and later reply +ok=up_ErrType and fail.

Why does my controller answer +ok=up_ErrType or up_ErrHttp?

The bootloader now verifies the update manifest before downloading. If the version string or manufacturer ID in the URL mismatches the running build (example: ZG-BL vs OpenBeken), it exits with +ok=up_ErrType; if the HTTP server is unreachable it returns up_ErrHttp [Elektroda, makejoint, post #21245313]

How do I trigger the no-solder OTA on a factory Magic-Home BL602?

Power-cycle the device five times to enter AP mode (SSID LEDnetXXXX) [Elektroda, alwas, post #21056057]
Host OpenBL602_xxx_OTA.bin.xz.ota on an HTTP listener (e.g. nc -l 1111).
Send echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_YYYYMMDD_OpenBeken&beta" | nc -u 10.10.123.3 48899. Expect +ok= then +ok=up_success in about 60 s [Elektroda, natepalm, post #21059192]

CozyLife BL602 bulbs use port 6095 and JSON. Can they be flashed, too?

Yes. Send {"cmd":5,"pv":0,"sn":"<epoch>","msg":{"url":"http://<PC>:8080/firmware"}} via UDP/TCP 6095. The bulb requests the file with User-Agent “DoHome-HTTP-Client/2.1”. Flash succeeds when the OTA header matches its checksum; otherwise it reboots at ota_fail [Elektroda, alwas, post #21068684]

I flashed OpenBeken but no AP appears afterwards. What now?

Missing AP usually means either BOOT pin is still strapped low, supply current is insufficient (<300 mA), or the partition table mismatches flash size. Re-flash the 2 MB partition_cfg_2M_FIX.toml and power from a stable 3.3 V regulator, then reset [Elektroda, p.kaczmarek2, #21586017; DeDaMrAz, #21590554].

Can I pre-set my home SSID and password before first boot?

Yes. Edit factory DTS: set ap_ssid / ap_psk and auto_connect_enable=1, then rebuild the whole_img.bin. Alternatively, after first OpenBeken boot, issue WiFi_Setup <ssid> <pass> via serial or MQTT and reboot once [OpenBeken Wiki].

Will full-flash images overwrite RF calibration or MAC?

A full 2 MB dump replaces RF partition, unique MAC and Tuya GPIO map. Use single-section (app-only) images to keep factory data intact. "We only overwrite main application" [Elektroda, p.kaczmarek2, post #21586062]

What edge cases break the OTA path?

1 ) Firmware newer than 2023-12-20 patches the exploit. 2 ) Devices running BLE scripts during update may brown-out. 3 ) HTTP chunked encoding is unsupported; always set Content-Length header [Elektroda, 0x_0, #21418610; alwas, #21056057].

How do I restore stock firmware after experimenting?

If you saved a 2 MB dump (blflash read 0x0 0x200000), flash it back with Single Download at 0x0. Then cycle power; calibration and pairing data return [Elektroda, divadiow, post #21063112]

Is there a Windows-only method?

Yes. Run the PowerShell HTTP server script (see post #21063222) and use Packet Sender to transmit the AT+UPURL string. After +ok=up_success, OpenBeken reboots automatically [Elektroda, divadiow, post #21063222]

Statistic: how long does the transfer take?

On a Raspberry Pi HTTP host, flashing a 430 kB OTA image completes in ≈ 55 s including CRC check, per UART timestamps [Elektroda, divadiow, post #21063222]

Expert tip for LN882H or BK7231 devices?

LN882H listens on TCP 5555; send {"cmd":0,"pv":0,"sn":"..."} first to confirm. BK7231N SmartLife APs require SSL on port 6668, so this BL602 method will not work directly [Elektroda, alwas, #21065002; divadiow, #21061720].