logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

[BL602] How to flash Magic Home over WiFi without soldering

alwas 20775 90
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
Report a violation of the law
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
  • These original devices (with BL602 chip) can be flashed via WiFi to OpenBeken without soldering.
    White WiFi LED controller with labels and QR code on housing
    This is done via manufacturer's OTA mechanism, but from your own server.
    Doing this step by step the procedure is as follows:

    0. Reset the device to factory settings - switch the controller on and off 4 times

    1. Download the firmware - via the project releases catalogue OpenBeken
    e.g. OpenBL602_1.17.553_OTA.bin.xz.ota - it is important to select the version for the BL602 chip and OTA


    2. Start your HTTP server on a free port (here 1111), on Linux (bash) it is such a command:
    Code: text Expand Select all Copy to clipboard
    {
    echo -ne "HTTP/1.0 200 OK\r\nContent-Length: "$(wc -c < OpenBL602_1.17.553_OTA.bin.xz.ota)"\r\n\r\n"
    cat OpenBL602_1.17.553_OTA.bin.xz.ota 
} | nc -l 1111


    3. In the second terminal we connect to the Access Point created by the device, all my drivers create SSID of the form LEDnetXXXXXXXXX , I'm using armbian on tvbox so I create configuration in file wpa_supplicantLED.conf:
    Code: text Expand Select all Copy to clipboard
    network={
    ssid="LEDnet0033290716"
    key_mgmt=NONE
}
    and I connect to the controller with the command:
    Code: text Expand Select all Copy to clipboard
    wpa_supplicant -i wlan0 -c wpa_supplicantLED.conf
    . Of course we can connect from the laptop using the graphical interface.

    4. After connection, the device assigns us the ip number 10.10.123.4, and our controller is located at 10.10.123.3. The controller has several open ports, the most interesting is the UDP port 48899, which supports the manufacturer's AT commands, we can e.g. check the version of the device by sending a UDP packet to the controller. We can e.g. check the version of the device by sending a UDP packet AT+LVER :
    Code: text Expand Select all Copy to clipboard
    echo -e "AT+LVER\r" | nc -u 10.10.123.3 48899
    to get the answer:
    Code: text Expand Select all Copy to clipboard
    +ok=33_48_20201219_ZG-BL


    5. Since everything works for us, we can invoke the command to download the firmware and install it on the device:

    Code: text Expand Select all Copy to clipboard
    echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_20240418_OpenBeken&beta,pierogi" | nc -u 10.10.123.3 48899


    We will get back ok, and after about a minute you can reset the device and it will appear in the wifi network OpenBL602_XXXXXXXX and you can adapt it normally to your own installation.

    Note: when running the above command, it returned:
    Code: text Expand Select all Copy to clipboard
    +ok=


    Then after the flash was successful:
    Code: text Expand Select all Copy to clipboard
    +ok=up_success


    As a side project i made an Android version of this procedure, it is called mhflasher, source is available here
    https://github.com/kruzer/mhflasher. Apk's can be downloaded from releases folder
    Interface of the mhflasher app on Android showing connected device information.

    Cool? Ranking DIY
    About Author
    alwas
    Level 7  
    Offline 
    alwas wrote 37 posts with rating 20, helped 1 times. Been with us since 2019 year.
  • ADVERTISEMENT
  • #2 21059192
    natepalm
    Level 3  
    Posts: 3
    Rate: 1
    This is a translated version of the original and is missing the most important step #5. From the original:

    5. Since everything works for us, we can invoke the command to download the firmware and install it on the device:

    Code: text Expand Select all Copy to clipboard
    echo -e "AT+UPURL=http://10.10.123.4:1111/update?version=33_48_20240418_OpenBeken&beta,pierogi" | nc -u 10.10.123.3 48899


    We will get back ok, and after about a minute you can reset the device and it will appear in the wifi network OpenBL602_XXXXXXXX and you can adapt it normally to your own installation.

    Note: when running the above command, it returned:
    Code: text Expand Select all Copy to clipboard
    +ok=


    Then after the flash was successful:
    Code: text Expand Select all Copy to clipboard
    +ok=up_success


    I used a spare raspberrypi 3B+ for this. Configuration of device was then taken from https://www.elektroda.com/rtvforum/topic3889041.html
  • #3 21059644
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12432
    Fair point. I updated first post.

    Anyway, good job on figuring out that method! Was it documented anywhere? Is this that "Sonoff update" one that I saw mentioned few months ago?
    Helpful post? Buy me a coffee.
  • #4 21061504
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    No, I didn't have any documentation, just a firmware dump, Ghidra, and logging. The console in this device allows for input and output; there are a few commands for viewing RAM or even swapping bytes in memory.


    All AT commands i found are available here
  • #5 21061525
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12432
    I see, can you try the same for other devices, maybe for LN882H?
    https://github.com/openshwprojects/FlashDumps/tree/main/IoT/LN882H/LN-02-first
    Helpful post? Buy me a coffee.
  • #6 21061553
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    I don't have any device with this chip yet, but I'll look around. If the manufacturer has provided the possibility of updating the firmware vie web or mobile app, it is most likely doable.
  • ADVERTISEMENT
  • #7 21061690
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    this is me chancing it with an LN firmware and the APK.

    I don't think I have any Magic Home factory fw. This is with CozyLife which of course broadcasts a different SSID

    Screenshot of an app displaying connection details with a device over WiFi.

    uart output as AP is connected to by app

    Code: Text
    Log in, to see the code


    what does it check before it'll reveal the flash button? is it just based on the SSID name?
  • #8 21061703
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    divadiow wrote:
    what does it check before it'll reveal the flash button? is it just based on the SSID name?

    It tests udp communication on 48899 port first, and this device/firmware likely doesn't support this method.
    But i saw "CosyLife" logo in the firmware dump provided by @p.kaczmarek2 is this a LN882H device?
  • #9 21061720
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    it's not the firmware in the link. I have LN devices and firmwares already to try.

    Added after 1 [minutes]:

    im trying AT commands after setting up a Python http server. not getting anything interesting happen. The Cozylife AP is 192.168.4.1. I see port 5555 open on the AP IP, but sending AT command does nothing,

    Added after 51 [minutes]:

    Lmk if I should test anything specific

    Added after 8 [hours] 31 [minutes]:

    just adding that I've also played with a BK7231N SmartLife device AP but this requires SSL.

    Windows gets 192.168.176.100 and AP is 192.168.176.1

    nmap:

    Code: Text
    Log in, to see the code


    Screenshot of Packet Sender with settings for ASCII, HEX, IP address, and port.

    upon AT send this is the UART log out from the device

    Screenshot of an error log with information about a failed TLS connection.

    does your BL device come back with revers-ssl on nmap scan @alwas ?

    I haven't been able to get a working Magic Home dump flashed back to BL602 dev board yet

    Added after 47 [minutes]:

    same if using self-signed cert on https server too
  • #10 21062920
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    divadiow wrote:
    does your BL device come back with revers-ssl on nmap scan @alwas

    I can't check now, i've flashed OpenBeken on all my Magic Home devices, i'll will need to solder one of them to recover the factory firmware.

    no, Magic Home dump doesn't work on BL602 dev board, i am not sure why.
  • ADVERTISEMENT
  • #11 21062922
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    Ok no worries. Let me know if/how you manage to get a working BL factory dump on dev board
  • #12 21063102
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12432
    Are all your devices using 2MB Flash? Is the dev board also using 2MB flash?

    There are multiple partition tables in BLDevCube, but I don't know the exact differences between them.
    Helpful post? Buy me a coffee.
  • #13 21063112
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    Dev is 4mb. All flashes I have are from 2mb devices. You think dumps probably include bootloader so I might need to trim or work out a way to flash with file offset?

    I've tried the different partition table files, devcube and blflash.

    Added after 51 [minutes]:

    hmm. seems I have already flashed a bin that I think doesn't need trimming - the Bl602Lamp-4th.bin file from your repo. I trimmed one of my own to start from 0x10000 and it has the same starting code as the lamp now. Still, no success yet

    Screenshot comparing two binary files with hexadecimal code.

    Added after 42 [minutes]:

    I took the plunge and decided to flash from 0x0 using the single download option using one my most recent factory dumps - the GRB MagicHome from https://www.elektroda.com/rtvforum/topic4024917-30.html#21040727

    User interface from a software screen for flashing a Magic Home LED Controller.

    it now boots and it's broadcasting the "LED..." AP as expected.

    Screenshot of an app for managing a WiFi device with connection details.

    you can even pair it successfully in the MagicHome app and control the onboard LEDs on the dev board. The blue LED also blinks when the device is in pairing mode.

    Screen showing connection attempt with device LEDnet0033D964D1 in a Wi-Fi setup app.

    Screenshot of the MagicHome app showing a list of devices and groups

    Added after 7 [minutes]:

    here is complete BLDC output from flashing MagicHome fw, rebooting, joining LED... AP with mhflasher, OTA flashing and finally OBK booting :)
    Attachments:
    • mhflasher.txt (119.62 KB) You must be logged in to download this attachment.
  • #14 21063222
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    bonus also we have a tested dump and restore method for putting any BL602 device back to factory.

    Added after 9 [minutes]:

    other BL factory firmwares also flashed and booting. CozyLife bulb - pairs in Tuya app too.

    Added after 8 [hours] 3 [minutes]:

    if anyone wants to try in Windows you can use PowerShell and the free app Packet Sender https://packetsender.com/download

    Get your MagicHome device into AP mode with 5 sequential resets. Connect to the LEDnetXXXXXX AP.

    Open PowerShell and run this, changing the path and filename to suit

    Code: Powershell
    Log in, to see the code


    set UDP, device IP and port then send this command in Packet Sender
    Code: Text
    Log in, to see the code


    You'll see the Packet Sender upload and OK

    Packet Sender application window showing UDP request details and packet transfer logs.

    when it's finished it'll reboot and run OpenBeken.

    If you're watching the uart log out you'll see the flash progress, completion and the reboot

    Code: Text
    Log in, to see the code
  • #15 21064020
    ferbulous
    Level 18  
    Posts: 419
    Help: 8
    Rate: 56
    @divadiow is the ota method specific for bl620 on the cozylife firmware?
    What about the ones running on ewelink?
  • #16 21064035
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    ive been trying them all!

    Not had any response to the same commands as with the MagicHome though. Cozylife and Ewelink use different ports/TCP. I've been trying to find the supported AT commands, but even what I see in the bin isn't giving me a response.

    for example, here's mention of AT+ commands inside the fw for an RMW002 BL602 Ewelink mini switch which broadcasts the Sonoff-like "ITEAD-XXXX" AP.

    Fragment of code with AT commands from documentation related to an Ewelink device.

    I will persist.

    Added after 2 [minutes]:

    divadiow wrote:
    bonus also we have a tested dump and restore method for putting any BL602 device back to factory.

    Added after 9 [minutes]:

    other BL factory firmwares also flashed and booting. CozyLife bulb - pairs in Tuya app too.


    this was a trail of thought/discovery regarding the flash of factory firmware back to a BL602 and it booting rather than anything relating to the OTA-OBK method specifically. I've had no success with the OTA method with Cozylife or Ewelink yet.
  • #17 21065002
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    p.kaczmarek2 wrote:
    I see, can you try the same for other devices, maybe for LN882H?

    I don't have this controller to try, but your FlashDump shows, that this firmware:
    - binds to tcp port 5555 and waits for connection
    - defines some control functions
    maybe someone could try to telnet to this port 5555 and try commands:
    Code: text Expand Select all Copy to clipboard
    
sn
info
ret
cmd
pv
timestamp
tcp_ip
tcp_port
bind_status
lib_device
uid

    if it gives any info back?
  • #18 21065177
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    alwas wrote:
    maybe someone could try to telnet to this port 5555 and try commands:


    hmm. no connection with PowerShell or Putty to 192.168.4.1:5555 on LN882H device.

    Screenshot of a PuTTY window with IP address 192.168.4.1.

    Added after 31 [minutes]:

    no luck with a SmartLife BK7231N on 192.168.176.1:6668 either

    Screenshot of attempted connections via Telnet and PuTTY to IP addresses.

    Added after 5 [minutes]:

    nor BL602 Ewelink 10.10.7.1:80 device

    Screenshot displaying a PuTTY window with address 10.10.7.1.
  • #19 21065603
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    divadiow wrote:
    hmm. no connection with PowerShell or Putty to 192.168.4.1:5555 on LN882H device.

    ok, maybe let's try json formatted string:
    Code: text Expand Select all Copy to clipboard
    {"cmd":0,"pv":0,"sn":"1714479677254","msg":{}}

    with a different endline - Enter or ctrl-d or ctrl-x at the end
  • #20 21065622
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12432
    I still have LN8825 LED strip controller, maybe we can also check that one for some endpoints?
    LED strip controller LN8825 with visible wiring and integrated circuits.
    Helpful post? Buy me a coffee.
  • #21 21065654
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    that's true. my last attempt to flash back factory was unsuccessful though. Will try again. I have UART and jflash options with that device
  • #22 21066013
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    try this one
    Code: text Expand Select all Copy to clipboard
    echo '{"cmd":0,"pv":0,"sn":"1714479677254","msg":{}}' | nc -u  192.168.4.1 6095

    on LN882H and check if it gives any response
  • #23 21066032
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    Screenshot of the Packet Sender application showing details of sent and received network packets.

    no response

    Added after 2 [minutes]:

    alwas wrote:
    {"cmd":0,"pv":0,"sn":"1714479677254","msg":{}}


    Screenshot of Packet Sender application displaying data packets.

    alwas wrote:
    with a different endline - Enter or ctrl-d or ctrl-x at the end


    not sure what this means though
  • #24 21066039
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    try sending the same payload to UDP 6095
  • #25 21066044
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    alwas wrote:
    try sending the same payload to UDP 6095


    no reply
    Screenshot of the Packet Sender application showing UDP packet configuration to send to IP address 192.168.4.1 via port 6095.
  • #27 21066060
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    hmm. Can't quite remember the one I flashed. I reflash.

    6095 is open on this one

    Code: Text
    Log in, to see the code


    Added after 4 [minutes]:

    :(

    Screenshot of a Packet Sender program showing packet settings for sending to address 192.168.4.1 via UDP port 6095.
  • #28 21066065
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14451
    Help: 650
    Rate: 12432
    @alwas maybe it listens only in specific circumstances? For example:
    a) only in AP mode
    b) only in STA mode when paired
    c) only in STA mode during pairing?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #29 21066071
    divadiow
    Level 38  
    Posts: 4882
    Help: 427
    Rate: 869
    I played with the command and now get a response

    Code: Text
    Log in, to see the code


    Screenshot of Packet Sender tool displaying network packet data.

    Code: Text
    Log in, to see the code
  • #30 21066089
    alwas
    Level 7  
    Posts: 37
    Help: 1
    Rate: 20
    divadiow wrote:
    I played with the command and now get a response

    cool, now we have the communication medium, the command to send is only the fragment - json string
    Code: text Expand Select all Copy to clipboard
    {"cmd":0,"pv":0,"sn":"1714479677254","msg":{}}

    now i will look for, a method to initiate ota download, it seems, that the functions to download and flash new firmware are included in that firmware

    Added after 10 [hours] 35 [minutes]:

    try sending this message
    Code: text Expand Select all Copy to clipboard
    {"cmd":5,"pv":0,"sn":"1714545365671","msg":{"url":"http://192.168.4.100/downloadFirmware"}}
    while listening on tcp port 80 on your pc for any incoming packets
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
Report a violation of the law

Topic summary

✨ The discussion focuses on flashing Magic Home devices equipped with the BL602 chip over WiFi without soldering, using the manufacturer's OTA mechanism redirected to a custom server. The procedure involves resetting the device to factory settings by cycling power, hosting the OpenBeken firmware OTA binary on a local HTTP server, and sending an AT command to the device to initiate the firmware download and installation. Users report success with this method on certain BL602 devices, notably Magic Home RGB controllers, using tools like netcat and PowerShell for serving the firmware and sending commands. Challenges include firmware version compatibility, with newer Zengge firmwares apparently patched against OTA flashing exploits, resulting in errors like "+ok=up_ErrType" or no response. Some devices require specific partition tables or flash size considerations (2MB vs 4MB flash). Debugging via UART logs is recommended to diagnose boot and WiFi AP startup issues. The community also explores similar flashing approaches for related chips such as LN882H, LN8825B, BK7231N, and XR809/XR872, noting differences in communication ports, protocols (JSON over UDP/TCP), and firmware architectures (RISC-V vs ARM). JSON-based command protocols on UDP/TCP ports (e.g., 5555, 6095) are used for device communication and OTA initiation in CozyLife and Ewelink devices. Some users successfully restored factory firmware dumps and then flashed OpenBeken firmware, achieving AP mode broadcasting. However, issues persist with saving settings post-flash and AP visibility. The latest OpenBL602 builds work on some devices but may require partition table adjustments. Overall, the OTA flashing method without soldering is feasible but depends heavily on device firmware version, chip variant, and correct command syntax. Physical flashing remains a fallback for patched or incompatible devices.
Generated by the language model.
Today's popular

FAQ

TL;DR: With 0 solder joints and "back ok" as the key success reply, this method lets Magic Home BL602 owners push an OpenBeken OTA file over the device’s own AP using UDP port 48899 and a local HTTP server. It suits users who want a faster no-solder path, but only on firmware that still accepts the vendor OTA trigger. [#21056057]

Why it matters: This gives BL602 Magic Home owners a real no-solder upgrade path, while also showing exactly where newer Zengge firmware blocks it.

Method Hardware access Main transport Typical result in thread Recovery path
Magic Home OTA exploit No UDP 48899 + local HTTP Works on some BL602 firmwares Restore dump or solder later
mhflasher on Android No Automates same OTA path Works on vulnerable devices Same limits as OTA exploit
UART / BLDevCube flashing Yes Serial flashing Most reliable overall Full dump restore possible
Factory dump restore Yes Serial flashing Confirmed working on 2 MB dumps Returns device to stock

Key insight: The no-solder path is real, but it is firmware-dependent. Older Magic Home BL602 builds can fetch and install an OTA image from your own server, while newer builds such as 33_227_20231220_ZG-BL return OTA errors and appear patched. [#21418610]

Quick Facts

  • Magic Home BL602 AP mode in the thread uses device IP 10.10.123.3, client IP 10.10.123.4, and listens for AT commands on UDP port 48899. [#21056057]
  • The Linux example serves the OTA file on HTTP port 1111, then triggers download with AT+UPURL=http://10.10.123.4:1111/...; users reported success after about 1 minute. [#21056057]
  • A confirmed vulnerable OTA session wrote about 427,676 bytes and then rebooted into OpenBeken; the UART log showed ota download is done! before reset. [#21063222]
  • Factory BL602 dumps discussed here are typically 2 MB, while some dev boards use 4 MB flash; that mismatch matters for restore tests and partition handling. [#21063112]
  • BL602 UART logs in the thread used 2,000,000 baud, and weak power from a USB-to-UART adapter was called out as a cause of missing AP behavior after flashing. [#21586157]

How do you flash a Magic Home BL602 controller to OpenBeken over WiFi without soldering using the manufacturer's OTA mechanism?

You reset the controller, join its AP, host the OTA file locally, and trigger the vendor OTA URL over UDP. 1. Power-cycle the device 4 times to factory reset, then connect to the LEDnetXXXXXXXXX AP. 2. Serve OpenBL602_...OTA.bin.xz.ota on a local HTTP server, often on port 1111. 3. Send AT+UPURL=http://10.10.123.4:1111/update?... to 10.10.123.3:48899. A working device replies back ok, then usually reboots after about 1 minute and appears as OpenBL602_XXXXXXXX. [#21056057]

Which OpenBeken file should I download for a BL602 WiFi-only flash, and why does it need to be the .ota build instead of the regular binary?

Download the BL602 OTA package, for example OpenBL602_1.17.553_OTA.bin.xz.ota, not the plain .bin. The OTA method calls the manufacturer’s updater, so it expects an OTA-formatted image rather than a raw UART-flash binary. The thread explicitly says to choose the version for the BL602 chip and OTA. A regular OpenBL602_...bin is used for wired flashing through tools like BLDevCube, not for the WiFi-only exploit path. [#21056057]

What do the BL602 Magic Home AT commands AT+LVER and AT+UPURL do, and how are they used during the WiFi flashing process?

AT+LVER reads the installed firmware version, and AT+UPURL tells the device where to fetch an update. In the working example, AT+LVER returned +ok=33_48_20201219_ZG-BL from UDP port 48899. AT+UPURL then pointed the device at a local HTTP URL on 10.10.123.4:1111 so it could download and install OpenBeken. "AT+UPURL is a device OTA trigger that makes the stock firmware fetch a new image from a supplied URL, using the vendor update path rather than UART flashing." [#21056057]

Why does a Magic Home BL602 device reply with +ok=up_ErrType, +ok=up_ErrHttp, or just a blank +ok= when I try the OTA exploit?

Those replies mean the OTA request was accepted syntactically but failed at validation, transport, or reboot stage. +ok=up_ErrType appeared on newer or incompatible Magic Home firmware, including 33_227_20231220_ZG-BL, and on a 35_162_20220801_ZG-BL-BP101 device that did not exploit. +ok=up_ErrHttp points to a fetch or URL issue. A blank +ok= can happen before reboot; one user saw it before disconnect, but the HTTP listener never received a request. Check firmware version, URL reachability, exact query format, and whether that device family still accepts custom OTA payloads. [#21245497]

What is mhflasher, and how does it automate the Magic Home BL602 OTA flashing procedure on Android?

mhflasher is an Android app that automates the same Magic Home BL602 OTA exploit described for Linux. It connects to the device AP, checks whether UDP communication works on port 48899, and sends the OTA trigger without needing manual terminal commands. The source code was shared publicly, and APKs were said to be in the releases folder. Later, an updated build was reported tested with OpenBL602 1.18.230 and confirmed to work on vulnerable Magic Home dumps. [#21787740]

How can I serve the OpenBL602 OTA file from Windows with PowerShell and send the UDP command with Packet Sender instead of using Linux netcat?

Use PowerShell as a one-shot HTTP listener and Packet Sender for the UDP packet. 1. Start an HttpListener on port 1111 and serve OpenBL602_...OTA.bin.xz.ota. 2. Connect your PC to the device AP, usually with the controller at 10.10.123.3 and your PC at 10.10.123.4. 3. In Packet Sender, send AT+UPURL=http://10.10.123.4:1111/update?version=...&beta,pierogi as UDP to port 48899. The thread reports you should see the upload, an OK, then a reboot into OpenBeken. [#21063222]

Why do some newer Zengge or Magic Home BL602 firmware versions like 33_227_20231220_ZG-BL appear patched against the OTA method?

They appear patched because the same OTA trigger that works on older builds fails early on newer ones. A tested device on 33_227_20231220_ZG-BL returned +ok=+ok=up_ErrType, and its UART log showed *system:ota fail after comparing the OpenBeken version string against stock values. Another user also suspected newer versions had been patched against custom firmware via OTA. The thread’s working pattern is clear: exploit success depends on firmware family and date, not just on using a BL602 chip. [#21418610]

What is BLDevCube, and how is it used to dump, restore, or flash factory firmware on BL602 devices?

BLDevCube is Bouffalo Lab’s serial flashing tool for BL602, used here for full-dump backup, factory restore, and wired OpenBeken flashing. Users restored 2 MB factory images, flashed raw OpenBL602 .bin files, and tested full-image writes from address 0x0 or app-region writes from 0x10000. One successful restore to a 4 MB dev board from a 2 MB Magic Home dump booted the stock LED... AP and even paired in the app. That made BLDevCube the main recovery tool when OTA failed. [#21063112]

How does the Magic Home BL602 OTA method compare with soldering and UART flashing in terms of reliability and recovery options?

The OTA method is faster and needs no soldering, but UART flashing is more reliable and easier to recover from. OTA works only when the stock firmware still accepts the vendor update trigger on UDP 48899. Wired flashing with BLDevCube can restore a full factory dump, write OpenBL602 directly, and recover devices that no longer expose an AP. If you have only 3 devices and a patched build, one user concluded it was quicker to use a soldering iron than keep spoofing OTA traffic. [#21418610]

What troubleshooting steps help when OpenBL602 flashes successfully but the OpenBL602_XXXXX AP never appears afterward?

Check power, boot wiring, partition layout, and UART logs before assuming the image is bad. The thread suggests using a stable 3.3 V supply instead of powering from a weak USB-to-UART adapter, disconnecting the BOOT pin after flashing, and capturing serial output at 2,000,000 baud. One responder also supplied a fixed 2 MB partition table for BL602 tests. "OpenBL602_XXXXX AP never appears" usually means the app booted incorrectly or the radio config is wrong, not that the flash write itself failed. [#21592996]

Why is the OpenBL602 firmware file much smaller than a full 2 MB factory dump, and what flash regions are intentionally left untouched?

The OpenBL602 file is smaller because it only replaces the application area, not the whole flash chip. A maintainer explained that full-chip overwrites would destroy RF calibration, MAC address data, Tuya GPIO config on supported platforms, and existing OpenBeken settings. That is why a release binary can be under 1 MB while the stock backup is 2 MB. The design is intentional, and it matches the goal of preserving board-specific data outside the main firmware partition. [#21586062]

How can I restore a BL602 device back to its factory firmware from a backup dump if OpenBeken flashing or configuration goes wrong?

Write the saved factory dump back with BLDevCube, then reboot and verify the original AP returns. The thread confirms a full 2 MB backup can restore a Magic Home BL602 to stock behavior, including the factory LEDnet... AP and normal app pairing. One user called this a tested dump-and-restore path for putting BL602 devices back to factory firmware. If OpenBeken config is broken, a full restore is the recommended reset path before trying another flash. [#21063222]

What is the CozyLife local JSON protocol on UDP 6065 and TCP 5555, and how is it different from the Magic Home AT-command method on UDP 48899?

CozyLife uses JSON messages on UDP 6065 and TCP 5555, while Magic Home uses plain-text AT commands on UDP 48899. A working CozyLife query looked like {"cmd":0,"pv":0,"sn":"...","msg":{}} and returned JSON with fields such as did, pid, mac, ip, and res. "CozyLife local JSON protocol is a device-control API that exchanges structured JSON commands and responses, unlike Magic Home’s short AT strings sent to the vendor pairing port." The thread also tied CozyLife cmd:5 to OTA experiments. [#21068684]

What should I try when a flashed Magic Home or OpenBL602 device disappears from both AP mode and my home WiFi after a failed setup?

First restore factory power-cycling, then inspect UART logs, and be ready to reflash from backup. A user who lost both the AP and home WiFi after setup was advised that AP mode may not recover with power cycling alone if the device crashes or stores bad settings. Another thread segment recommends watching serial logs, verifying power from the normal 5–28 V input, and restoring the original dump if needed. If the device stays silent, wired recovery is the practical next step. [#21264185]

How could the Sonoff DIY mode REST API or eWeLink update mechanism be investigated as a no-solder flashing path for BL602 Sonoff plugs and bulbs?

Investigate it by entering Sonoff DIY mode, capturing traffic, and testing whether its REST OTA endpoint accepts a local firmware URL. The thread mentions a BL602 smart plug exposing Sonoff DIY mode after holding the button for 5 seconds, with official documentation describing a RESTful API that includes OTA actions. eWeLink devices were also noted to use different ports and sometimes SSL, so packet capture and version checks are essential. The same no-solder idea may work, but the thread does not yet show a confirmed OpenBeken flash on Sonoff BL602 hardware. [#21188184]
Generated by the language model.
ADVERTISEMENT