[BL602] How to flash Magic Home over WiFi without soldering

alwas 19671 90
Content has been translated Polish » English
  • #91 21787740
    divadiow
    Level 38
    I updated and rebuilt mhflasher. Tested: the OTA exploit worked OK against a vulnerable MagicHome dump. Packaged with OpenBL602 1.18.230. Unsigned debug build.
    Attachments:
    • mhflasher-debug.zip (8.02 MB)

Topic summary

✨ The discussion focuses on flashing Magic Home devices built on the BL602 chip over WiFi, without soldering, by redirecting the manufacturer's OTA mechanism to a server you control. The procedure: reset the device to factory settings by power-cycling it, host the OpenBeken OTA binary on a local HTTP server, and send an AT command to the device that makes it download and install the firmware. Users report success on certain BL602 devices, notably Magic Home RGB controllers, using netcat or a PowerShell script to serve the firmware and send the command.

Challenges include firmware version compatibility: newer Zengge firmware appears to be patched against the OTA trick and answers with errors such as "+ok=up_ErrType", or does not answer at all. Some devices need a specific partition table or attention to flash size (2 MB vs 4 MB). UART logs are recommended for diagnosing boot and WiFi AP start-up problems.

The community also explores similar approaches for related chips such as LN882H, LN8825B, BK7231N and XR809/XR872, noting differences in communication ports, protocols (JSON over UDP/TCP) and firmware architecture (RISC-V vs ARM). CozyLife and Ewelink devices use JSON command protocols on UDP/TCP ports (e.g. 5555, 6095) for device communication and OTA initiation. Some users restored factory firmware dumps and then flashed OpenBeken, reaching a broadcasting AP; others still see problems saving settings after the flash or with AP visibility. The latest OpenBL602 builds work on some devices but may need partition table adjustments.

Overall, OTA flashing without soldering is feasible but depends heavily on device firmware version, chip variant and correct command syntax. Physical flashing remains the fallback for patched or incompatible devices.

FAQ

TL;DR: 66 % (two of three) of the BL602 Magic-Home firmware images tested still accept the no-solder OTA exploit, but "size check only matters when OTA is performed from OBK" [Elektroda, divadiow, #21245497; Elektroda, insmod, #21586235]. Why it matters: knowing which builds remain open saves hours of bench soldering and lets you plan safe roll-backs.

Quick Facts

• Default UDP command port: 48899 for Zengge/Magic-Home, 6095 for CozyLife [Elektroda, alwas, #21056057; #21066013]
• Typical BL602 module flash size: 2 MB; dev boards: 4 MB [Elektroda, p.kaczmarek2, post #21063102]
• OpenBeken OTA image size: ≈ 430 kB (xz), i.e. 0x6B000 bytes [Elektroda, divadiow, post #21063222]
• Latest patched build: 33_227_20231220_ZG-BL returns up_ErrType and blocks OTA [Elektroda, 0x_0, post #21418610]
• Safe power budget for BL602 flashing: ≥ 300 mA @ 3.3 V [Elektroda, p.kaczmarek2, post #21586017]

Which BL602 firmware versions still flash over Wi-Fi without soldering?

Magic-Home/Zengge builds up to 35_162_20220801_ZG-BL flash with the AT+UPURL trick. Two of the three images tested by community members reversing the firmware accepted the exploit, a roughly 66 % success rate [Elektroda, divadiow, post #21245497]. Newer builds such as 33_227_20231220_ZG-BL reply +ok=up_ErrType and fail.

Why does my controller answer +ok=up_ErrType or up_ErrHttp?

Newer firmware checks the update request before downloading anything. If the version string or manufacturer ID in the URL does not match the running build (for example ZG-BL vs OpenBeken), it exits with +ok=up_ErrType; if the HTTP server is unreachable it returns up_ErrHttp [Elektroda, makejoint, post #21245313].

How do I trigger the no-solder OTA on a factory Magic-Home BL602?

  1. Power-cycle the device five times to enter AP mode (SSID LEDnetXXXX) [Elektroda, alwas, post #21056057]
  2. Host OpenBL602_xxx_OTA.bin.xz.ota on an HTTP listener (e.g. nc -l 1111).
  3. Send the update command to the controller over UDP:
     echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_YYYYMMDD_OpenBeken&beta" | nc -u 10.10.123.3 48899
     Expect +ok= first, then +ok=up_success after about 60 s [Elektroda, natepalm, post #21059192]

CozyLife BL602 bulbs use port 6095 and JSON. Can they be flashed, too?

Yes. Send {"cmd":5,"pv":0,"sn":"<epoch>","msg":{"url":"http://<PC>:8080/firmware"}} over UDP or TCP port 6095. The bulb then requests the file with User-Agent "DoHome-HTTP-Client/2.1". The flash succeeds when the OTA header matches its checksum; otherwise the bulb reboots with ota_fail [Elektroda, alwas, post #21068684].
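The procedure above (serve the image, send AT+UPURL, watch for +ok=) and the CozyLife cmd=5 variant, put together as an added example. This is my own script, not code from the thread or from OpenBeken: it serves the OTA image with an explicit Content-Length (the devices do not handle chunked transfer), builds the AT+UPURL line for UDP 48899 and the cmd=5 JSON for port 6095, and classifies the +ok= replies. The IP addresses, port 1111, the version string, the /firmware path and the image bytes are placeholders or constructed data; the trailing newline on the AT command mirrors what echo | nc sends and is an assumption about what the controller accepts.

```python
# Added example (not from the elektroda thread or OpenBeken). Addresses, ports,
# the version string and FIRMWARE_BYTES are placeholders / constructed data.
import json
import socket
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for OpenBL602_xxx_OTA.bin.xz.ota; not a real image.
FIRMWARE_BYTES = b"\xfd7zXZ\x00" + bytes(range(256)) * 4


class OtaHandler(BaseHTTPRequestHandler):
    """Serve the image for any path with an explicit Content-Length; the
    devices do not understand chunked Transfer-Encoding."""
    protocol_version = "HTTP/1.0"
    image = FIRMWARE_BYTES
    agents = []                      # User-Agents seen, for diagnostics

    def do_GET(self):
        self.agents.append(self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(self.image)))
        self.end_headers()
        self.wfile.write(self.image)

    def log_message(self, fmt, *args):   # keep the console quiet
        pass


def start_server(bind="0.0.0.0", port=1111):
    """Run the OTA HTTP server in a background thread; returns the server."""
    srv = HTTPServer((bind, port), OtaHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def zengge_upurl(server_ip, server_port, version="33_48_20240101_OpenBeken"):
    """AT+UPURL line for UDP 48899. The ?version=...&beta query follows the
    FAQ's command; the version value is a placeholder. The trailing newline
    mirrors `echo | nc -u` (assumption: the controller tolerates it)."""
    url = f"http://{server_ip}:{server_port}/update?version={version}&beta"
    return f"AT+UPURL={url}\n".encode()


def cozylife_ota(server_ip, server_port, path="/firmware", sn=None):
    """cmd=5 OTA request for CozyLife bulbs on UDP/TCP 6095; sn defaults to
    the current epoch time (pass a fixed value for reproducible output)."""
    msg = {"cmd": 5, "pv": 0, "sn": sn or str(int(time.time())),
           "msg": {"url": f"http://{server_ip}:{server_port}{path}"}}
    return json.dumps(msg, separators=(",", ":")).encode()


def classify_reply(raw):
    """Map a Zengge reply line to what it means for the flash attempt."""
    text = raw.decode(errors="replace").strip()
    return {
        "+ok=": "accepted",              # command parsed, download begins
        "+ok=up_success": "success",     # image written, device reboots
        "+ok=up_ErrType": "patched",     # newer build rejects the request
        "+ok=up_ErrHttp": "http_unreachable",
    }.get(text, "unknown")


def trigger_zengge(device_ip, server_ip, server_port, timeout=90.0):
    """Send AT+UPURL and collect replies until a terminal state or timeout;
    returns the classifications in the order they arrived."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5.0)
    sock.sendto(zengge_upurl(server_ip, server_port), (device_ip, 48899))
    seen, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, _ = sock.recvfrom(256)
        except socket.timeout:
            continue
        seen.append(classify_reply(data))
        if seen[-1] in ("success", "patched", "http_unreachable"):
            break
    sock.close()
    return seen


def dry_run(agent="DoHome-HTTP-Client/2.1"):
    """Loopback self-check: fetch the image the way a device would and report
    what it saw. Run this before pointing real hardware at the server."""
    srv = start_server("127.0.0.1", 0)
    port = srv.server_address[1]
    try:
        req = urllib.request.Request(f"http://127.0.0.1:{port}/firmware",
                                     headers={"User-Agent": agent})
        with urllib.request.urlopen(req, timeout=5) as resp:
            length = resp.headers.get("Content-Length")
            body = resp.read()
    finally:
        srv.shutdown()
        srv.server_close()
    return {"content_length": length, "body_ok": body == OtaHandler.image,
            "agent_seen": agent in OtaHandler.agents}


if __name__ == "__main__":
    print(dry_run())
    start_server("0.0.0.0", 1111)           # serve on the device's AP network
    print(trigger_zengge("10.10.123.3", "10.10.123.4", 1111))
```

dry_run() fetches the image over loopback so you can confirm the Content-Length and User-Agent handling before powering up the controller. trigger_zengge() then fires the AT command and waits: a vulnerable build yields something like ["accepted", "success"], while a controller that answers up_ErrType ends the list with "patched", which is the signal to stop and fall back to flashing over UART. For a CozyLife bulb, send the bytes from cozylife_ota() to port 6095 instead and watch the server's OtaHandler.agents for the DoHome client.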

I flashed OpenBeken but no AP appears afterwards. What now?

A missing AP usually means one of three things: the BOOT pin is still strapped into download mode, the supply cannot deliver enough current (< 300 mA), or the partition table does not match the flash size. Re-flash with the 2 MB partition_cfg_2M_FIX.toml, power the board from a stable 3.3 V regulator, then reset [Elektroda, p.kaczmarek2, #21586017; DeDaMrAz, #21590554].

Can I pre-set my home SSID and password before first boot?

Yes. Edit the factory DTS: set the station (sta) ssid / pwd and auto_connect_enable = 1 (the ap node only configures the device's own hotspot), then rebuild whole_img.bin. Alternatively, after the first OpenBeken boot, issue WiFi_Setup <ssid> <pass> via serial or MQTT and reboot once [OpenBeken Wiki].

Will full-flash images overwrite RF calibration or MAC?

A full 2 MB dump replaces RF partition, unique MAC and Tuya GPIO map. Use single-section (app-only) images to keep factory data intact. "We only overwrite main application" [Elektroda, p.kaczmarek2, post #21586062]

What edge cases break the OTA path?

1) Firmware newer than 2023-12-20 patches the exploit.
2) Devices running BLE scripts during the update may brown out.
3) HTTP chunked encoding is unsupported; always send a Content-Length header [Elektroda, 0x_0, #21418610; alwas, #21056057].

How do I restore stock firmware after experimenting?

If you saved a 2 MB dump (blflash read 0x0 0x200000, i.e. flash offset 0x0, length 0x200000), flash it back with Single Download at 0x0. Then cycle power; calibration and pairing data return [Elektroda, divadiow, post #21063112].

Is there a Windows-only method?

Yes. Run the PowerShell HTTP server script (see post #21063222) and use Packet Sender to transmit the AT+UPURL string. After +ok=up_success, OpenBeken reboots automatically [Elektroda, divadiow, post #21063222]

Statistic: how long does the transfer take?

On a Raspberry Pi HTTP host, flashing a 430 kB OTA image completes in ≈ 55 s including CRC check, per UART timestamps [Elektroda, divadiow, post #21063222]

Expert tip for LN882H or BK7231 devices?

LN882H listens on TCP 5555; send {"cmd":0,"pv":0,"sn":"..."} first to confirm the device answers. BK7231N SmartLife devices use an encrypted local protocol on TCP 6668 rather than plain JSON, so this BL602 method will not work on them directly [Elektroda, alwas, #21065002; divadiow, #21061720].