How to read and backup flash of BL602/BL702/etc device with BLDevCube? Burning tutorial, pinout

p.kaczmarek2 3549 14

TL;DR

BL602 and BL702 flash backup, readout, and restoration with Bouffalo Lab DevCube, including pinout and UART wiring.
Connect GPIO16 TX, GPIO7 RX, GPIO8 BOOT through 10k to 3.3V, plus VDD and common GND, then use the Flash tab in BLDevCube.
For the 2MB flash version, read from 0x0 with length 0x1FFFFF; 200000 baud worked, while the default 2000000 baud was too fast.
Using the corrected settings, flash.bin and efuse.bin were read successfully from a BL602 module, and the tool reported All Success.
Keep 3.3V power reliable, use short wires, disconnect mains first, and power-cycle between operations; do not pull BOOT directly to 3.3V.

Generated by the language model.

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Post #1

21455894 25 Feb 2025 17:53

BL602 is a WiFi+Bluetooth 32-bit SoC found in some Sonoff and eWeLink devices. It comes in 2MB and 1MB flash versions, but here I will focus on 2MB one. BL702, on the other hand, is a Zigbee chip. They both can be read and flashed with BLDevCube, here are the connection details and step by step guide for flash read.

Hardware setup
Let's start by considering the GPIO pinout of BL602 and determine which signals we will need to read and write flash.

Remember that dot marks the first pin!
Required connections are:
- GPIO16 (TX) - connect to USB to UART converter in 3.3V mode (like CH340, etc)
- GPIO7 (RX) - connect to USB to UART converter in 3.3V mode (like CH340, etc)
- GPIO8 (Boot) - must be connected to 3.3V via 10k resistor
- VDD (3.3V)
- GND - ground of power supply and USB to UART converter must be common
The 3.3V power supply must be reliable, it may not be enough to power it from USB to UART converter. It may fail to flash or bootloop on AP creation/connect. Wires should be short. Do not connect boot directly to 3.3V. Make sure to do power off/on cycle between each flash operation, just like on ESP.

Disconnect device from mains before doing any operations on it!!!

Hardware setup - example BL602
Here's BW2L module, as desoldered from eWeLink E14 candle RGBCW bulb. It has no pin markings, so we have to determine which pin is which. Luckily, we have our GPIO diagram, the one I made in previous section.

Interior of a smart LED bulb with visible diodes and electronic components.

Now we can use multimeter to test which pad connects where.
Here are my connections:

Breadboard with mounted electronic components and multicolored wires.

Breadboard with connected colorful wires.

Prototype with a breadboard, wires, and electronic components.

Close-up of a breadboard with a capacitor, wires, and a resistor.

Please note few things:
- UART wires are relatively short
- on the proto board, there is a 3.3V LDO powered from 5V, so we can get good 3.3V for WiFi module. I am using TC1264, but you can use AMS1117 or any other, or get 3.3V from NodeMCU or Arduino
- the 10k resistor for BOOT is clearly visible
- when in doubt, swap RX and TX

Hardware setup - example BL702
Here's second hardware sample, this time with Zigbee chip. This time silkscreen with markings was present, so there was no guessing involved.

Small green circuit board held by a metal tool on a white background.

Small green circuit board with labels and electronic components.

Electronic breadboard with multicolored wires and components.

Close-up of a small electronic module with soldered wires.

Small green electronic board with connected wires.

Not much extra commentary is required here, as the process is the same as for BL602.

Flash read - Bouffalo Lab DevCube v1.9.0
v1.9.0 is the newer version of Bouffalo Labs BLDevCube.exe, get it from here:
https://github.com/openshwprojects/FlashTools
Unpack, and first select chip type:

Enable advanced view:

Screenshot of Bouffalo Lab Dev Cube 1.9.0 with the View menu open and the Show Advanced Page option checked.

Open Flash Tab:

User interface of Bouffalo Lab Dev Cube application with the Flash tab.

Select your com port, enter start offset (0x0) and read length (0x1FFFFF). Use "read flash", do not press "erase"!

Screenshot of Bouffalo Lab Dev Cube 1.9.0 interface with flash memory settings.

If you are getting:


[16:56:43.375] - Read operation
[16:56:43.376] - ========= flash read =========
[16:56:47.406] - Read data error,maybe not get excepted length
[16:56:47.406] - Retry
[16:56:49.408] - ack is b''
[16:56:49.409] - Not ack OK

Then lower baud. 200000 is ok, default 2000000 is too high.
For flash size, make sure that you are entering 0x1FFFFF. If you enter 0x200000, you will get:


[16:40:29.599] - ========= flash read jedec ID =========
[16:40:29.602] - Read flash jedec ID
[16:40:29.603] - flash jedec id: ef401580
[16:40:29.603] - Finished
[16:40:29.608] - get flash size: 0x00200000
[16:40:29.609] - Read operation
[16:40:29.609] - read flash end addr 0x00200000 was overflow with flash size 0x00200000
[16:40:29.609] - ErrorCode: 0045, ErrorMsg: BFLB FLASH SIZE OVER FLOW
[16:40:29.609] - Burn Retry
[16:40:29.610] - 0
[16:40:29.610] - Burn return with retry fail

So enter 0x1FFFFF as a work around, it's just one byte less than 0x00200000 .
Now flash read should work, wait patiently:

Progress bar filled to 47% on a blue background with log lines below.

Flash read should be successful:

User interface with a Success message on a green background and operation logs.

Here is successful flash read log:


[16:41:08.465] - Save as flash.bin
[16:41:08.467] - Version: eflash_loader_v2.5.1
[16:41:08.467] - Program Start
[16:41:08.467] - ========= eflash loader cmd arguments =========
[16:41:08.467] - Config file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader\eflash_loader_cfg.ini
[16:41:08.469] - serial port is COM4
[16:41:08.470] - cpu_reset=False
[16:41:08.470] - chiptype: bl602
[16:41:08.470] - ========= Interface is uart =========
[16:41:08.470] - com speed: 200000
[16:41:08.470] - Eflash load helper file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader/eflash_loader_40m.bin
[16:41:08.470] - ========= load eflash_loader.bin =========
[16:41:08.471] - Load eflash_loader.bin via uart
[16:41:08.471] - ========= image load =========
[16:41:08.701] - Not ack OK
[16:41:08.701] - FL
[16:41:08.701] - result: FL
[16:41:08.981] - tx rx and power off, press the machine!
[16:41:08.981] - cutoff time is 0.1
[16:41:09.089] - power on tx and rx
[16:41:09.904] - reset cnt: 0, reset hold: 0.005, shake hand delay: 0.1
[16:41:09.905] - clean buf
[16:41:09.906] - send sync
[16:41:10.133] - ack is 4f4b
[16:41:10.165] - shake hand success
[16:41:10.180] - get_boot_info
[16:41:10.183] - data read is b'0100000000000000030004002127eaedbb281700'
[16:41:10.183] - ========= chipid: 28bbedea2721 =========
[16:41:10.183] - last boot info: None
[16:41:10.183] - sign is 0 encrypt is 0
[16:41:10.184] - segcnt is 1
[16:41:10.192] - segdata_len is 38592
[16:41:10.277] - 4080/38592
[16:41:10.362] - 8160/38592
[16:41:10.447] - 12240/38592
[16:41:10.531] - 16320/38592
[16:41:10.616] - 20400/38592
[16:41:10.701] - 24480/38592
[16:41:10.786] - 28560/38592
[16:41:10.871] - 32640/38592
[16:41:10.955] - 36720/38592
[16:41:10.995] - 38592/38592
[16:41:10.997] - Run img
[16:41:11.108] - Load helper bin time cost(ms): 2636.855712890625
[16:41:11.216] - Flash load shake hand
[16:41:11.226] - default set DTR high
[16:41:11.338] - clean buf
[16:41:11.339] - send sync
[16:41:11.572] - ack is 4f4b
[16:41:11.619] - Read mac addr
[16:41:11.623] - macaddr: 2127eaedbb28
[16:41:11.623] - flash set para
[16:41:11.624] - ========= flash read jedec ID =========
[16:41:11.626] - Read flash jedec ID
[16:41:11.627] - flash jedec id: ef401580
[16:41:11.627] - Finished
[16:41:11.633] - get flash size: 0x00200000
[16:41:11.633] - Read operation
[16:41:11.633] - ========= flash read =========
[16:41:11.952] - Read 2048/2097152
Read 4096/2097152
Read 6144/2097152
[16:41:12.271] - Read 8192/2097152
Read 10240/2097152
Read 12288/2097152
[16:41:12.590] - Read 14336/2097152
(...)
[16:43:00.474] - Read 2091008/2097152
Read 2093056/2097152
Read 2095104/2097152
[16:43:00.581] - Read 2097152/2097152
[16:43:00.582] - Flash read time cost(ms): 108947.57373046875
[16:43:00.583] - Finished
[16:43:00.585] - All time cost(ms): 112118.49609375
[16:43:00.701] - close interface
[16:43:00.701] - [All Success]

File will appear where BLDevCube is:

Screenshot of a file explorer window showing the BouffaloLabs folder containing various files.

You can also read eFuse:


[16:41:08.465] - Save as flash.bin
[16:41:08.467] - Version: eflash_loader_v2.5.1
[16:41:08.467] - Program Start
[16:41:08.467] - ========= eflash loader cmd arguments =========
[16:41:08.467] - Config file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader\eflash_loader_cfg.ini
[16:41:08.469] - serial port is COM4
[16:41:08.470] - cpu_reset=False
[16:41:08.470] - chiptype: bl602
[16:41:08.470] - ========= Interface is uart =========
[16:41:08.470] - com speed: 200000
[16:41:08.470] - Eflash load helper file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader/eflash_loader_40m.bin
[16:41:08.470] - ========= load eflash_loader.bin =========
[16:41:08.471] - Load eflash_loader.bin via uart
[16:41:08.471] - ========= image load =========
[16:41:08.701] - Not ack OK
[16:41:08.701] - FL
[16:41:08.701] - result: FL
[16:41:08.981] - tx rx and power off, press the machine!
[16:41:08.981] - cutoff time is 0.1
[16:41:09.089] - power on tx and rx
[16:41:09.904] - reset cnt: 0, reset hold: 0.005, shake hand delay: 0.1
[16:41:09.905] - clean buf
[16:41:09.906] - send sync
[16:41:10.133] - ack is 4f4b
[16:41:10.165] - shake hand success
[16:41:10.180] - get_boot_info
[16:41:10.183] - data read is b'0100000000000000030004002127eaedbb281700'
[16:41:10.183] - ========= chipid: 28bbedea2721 =========
[16:41:10.183] - last boot info: None
[16:41:10.183] - sign is 0 encrypt is 0
[16:41:10.184] - segcnt is 1
[16:41:10.192] - segdata_len is 38592
[16:41:10.277] - 4080/38592
[16:41:10.362] - 8160/38592
[16:41:10.447] - 12240/38592
[16:41:10.531] - 16320/38592
[16:41:10.616] - 20400/38592
[16:41:10.701] - 24480/38592
[16:41:10.786] - 28560/38592
[16:41:10.871] - 32640/38592
[16:41:10.955] - 36720/38592
[16:41:10.995] - 38592/38592
[16:41:10.997] - Run img
[16:41:11.108] - Load helper bin time cost(ms): 2636.855712890625
[16:41:11.216] - Flash load shake hand
[16:41:11.226] - default set DTR high
[16:41:11.338] - clean buf
[16:41:11.339] - send sync
[16:41:11.572] - ack is 4f4b
[16:41:11.619] - Read mac addr
[16:41:11.623] - macaddr: 2127eaedbb28
[16:41:11.623] - flash set para
[16:41:11.624] - ========= flash read jedec ID =========
[16:41:11.626] - Read flash jedec ID
[16:41:11.627] - flash jedec id: ef401580
[16:41:11.627] - Finished
[16:41:11.633] - get flash size: 0x00200000
[16:41:11.633] - Read operation
[16:41:11.633] - ========= flash read =========
[16:41:11.952] - Read 2048/2097152
Read 4096/2097152
Read 6144/2097152
[16:41:12.271] - Read 8192/2097152
Read 10240/2097152
Read 12288/2097152
[16:41:12.590] - Read 14336/2097152
[16:42:51.861] - Read 1925120/2097152
Read 1927168/2097152
Read 1929216/2097152
[16:42:52.180] - Read 1931264/2097152
Read 1933312/2097152
Read 1935360/2097152
[16:42:52.499] - Read 1937408/2097152
Read 1939456/2097152
Read 1941504/2097152
[16:42:52.819] - Read 1943552/2097152
Read 1945600/2097152
Read 1947648/2097152
[16:42:53.139] - Read 1949696/2097152
Read 1951744/2097152
Read 1953792/2097152
[16:42:53.457] - Read 1955840/2097152
Read 1957888/2097152
Read 1959936/2097152
[16:42:53.775] - Read 1961984/2097152
Read 1964032/2097152
Read 1966080/2097152
[16:42:54.094] - Read 1968128/2097152
Read 1970176/2097152
Read 1972224/2097152
[16:42:54.413] - Read 1974272/2097152
Read 1976320/2097152
Read 1978368/2097152
[16:42:54.732] - Read 1980416/2097152
Read 1982464/2097152
Read 1984512/2097152
[16:42:55.050] - Read 1986560/2097152
Read 1988608/2097152
Read 1990656/2097152
[16:42:55.369] - Read 1992704/2097152
Read 1994752/2097152
Read 1996800/2097152
[16:42:55.688] - Read 1998848/2097152
Read 2000896/2097152
Read 2002944/2097152
[16:42:56.007] - Read 2004992/2097152
Read 2007040/2097152
Read 2009088/2097152
[16:42:56.326] - Read 2011136/2097152
Read 2013184/2097152
Read 2015232/2097152
[16:42:56.645] - Read 2017280/2097152
Read 2019328/2097152
Read 2021376/2097152
[16:42:56.964] - Read 2023424/2097152
Read 2025472/2097152
Read 2027520/2097152
[16:42:57.282] - Read 2029568/2097152
Read 2031616/2097152
Read 2033664/2097152
[16:42:57.601] - Read 2035712/2097152
Read 2037760/2097152
Read 2039808/2097152
[16:42:57.921] - Read 2041856/2097152
Read 2043904/2097152
Read 2045952/2097152
[16:42:58.242] - Read 2048000/2097152
Read 2050048/2097152
Read 2052096/2097152
[16:42:58.561] - Read 2054144/2097152
Read 2056192/2097152
Read 2058240/2097152
[16:42:58.881] - Read 2060288/2097152
Read 2062336/2097152
Read 2064384/2097152
[16:42:59.200] - Read 2066432/2097152
Read 2068480/2097152
Read 2070528/2097152
[16:42:59.518] - Read 2072576/2097152
Read 2074624/2097152
Read 2076672/2097152
[16:42:59.837] - Read 2078720/2097152
Read 2080768/2097152
Read 2082816/2097152
[16:43:00.155] - Read 2084864/2097152
Read 2086912/2097152
Read 2088960/2097152
[16:43:00.474] - Read 2091008/2097152
Read 2093056/2097152
Read 2095104/2097152
[16:43:00.581] - Read 2097152/2097152
[16:43:00.582] - Flash read time cost(ms): 108947.57373046875
[16:43:00.583] - Finished
[16:43:00.585] - All time cost(ms): 112118.49609375
[16:43:00.701] - close interface
[16:43:00.701] - [All Success]
[16:44:45.474] - Save as efuse.bin
[16:44:45.475] - Version: eflash_loader_v2.5.1
[16:44:45.476] - Program Start
[16:44:45.476] - ========= eflash loader cmd arguments =========
[16:44:45.476] - Config file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader\eflash_loader_cfg.ini
[16:44:45.477] - serial port is COM4
[16:44:45.477] - cpu_reset=False
[16:44:45.478] - chiptype: bl602
[16:44:45.478] - ========= Interface is uart =========
[16:44:45.478] - com speed: 2000000
[16:44:45.478] - Eflash load helper file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader/eflash_loader_40m.bin
[16:44:45.478] - ========= load eflash_loader.bin =========
[16:44:45.478] - Load eflash_loader.bin via uart
[16:44:45.479] - ========= image load =========
[16:44:45.695] - Not ack OK
[16:44:45.696] - FL
[16:44:45.696] - result: FL
[16:44:45.973] - tx rx and power off, press the machine!
[16:44:45.974] - cutoff time is 0.1
[16:44:46.082] - power on tx and rx
[16:44:46.898] - reset cnt: 0, reset hold: 0.005, shake hand delay: 0.1
[16:44:46.899] - clean buf
[16:44:46.900] - send sync
[16:44:47.132] - ack is 4f4b
[16:44:47.177] - shake hand success
[16:44:47.193] - get_boot_info
[16:44:47.196] - data read is b'ffffffff00000000030004002127eaedbb281700'
[16:44:47.196] - ========= chipid: 28bbedea2721 =========
[16:44:47.197] - last boot info: None
[16:44:47.198] - eflash loader present
[16:44:47.198] - Error: Image load fail
[16:44:47.198] - shakehand with eflash loader found
[16:44:47.198] - Load helper bin time cost(ms): 1718.669189453125
[16:44:47.198] - ErrorCode: 0003, ErrorMsg: BFLB LOAD HELP BIN FAIL
[16:44:47.199] - Burn Retry
[16:44:47.199] - 0
[16:44:47.199] - Burn return with retry fail
[16:44:53.939] - Save as efuse.bin
[16:44:53.940] - Version: eflash_loader_v2.5.1
[16:44:53.940] - Program Start
[16:44:53.941] - ========= eflash loader cmd arguments =========
[16:44:53.942] - Config file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader\eflash_loader_cfg.ini
[16:44:53.943] - serial port is COM4
[16:44:53.943] - cpu_reset=False
[16:44:53.943] - chiptype: bl602
[16:44:53.946] - ========= Interface is uart =========
[16:44:53.946] - com speed: 2000000
[16:44:53.947] - Eflash load helper file: W:\GIT\FlashTools\BouffaloLabs\BouffaloLabDevCube-v1.9.0\chips\bl602\eflash_loader/eflash_loader_40m.bin
[16:44:53.947] - ========= load eflash_loader.bin =========
[16:44:53.947] - Load eflash_loader.bin via uart
[16:44:53.947] - ========= image load =========
[16:44:54.177] - Not ack OK
[16:44:54.177] - FL
[16:44:54.178] - result: FL
[16:44:54.461] - tx rx and power off, press the machine!
[16:44:54.462] - cutoff time is 0.1
[16:44:54.572] - power on tx and rx
[16:44:55.391] - reset cnt: 0, reset hold: 0.005, shake hand delay: 0.1
[16:44:55.391] - clean buf
[16:44:55.394] - send sync
[16:44:55.622] - ack is 4f4b
[16:44:55.669] - shake hand success
[16:44:55.684] - get_boot_info
[16:44:55.687] - data read is b'0100000000000000030004002127eaedbb281700'
[16:44:55.688] - ========= chipid: 28bbedea2721 =========
[16:44:55.688] - last boot info: None
[16:44:55.688] - sign is 0 encrypt is 0
[16:44:55.689] - segcnt is 1
[16:44:55.697] - segdata_len is 38592
[16:44:55.782] - 4080/38592
[16:44:55.867] - 8160/38592
[16:44:55.952] - 12240/38592
[16:44:56.037] - 16320/38592
[16:44:56.122] - 20400/38592
[16:44:56.207] - 24480/38592
[16:44:56.292] - 28560/38592
[16:44:56.377] - 32640/38592
[16:44:56.461] - 36720/38592
[16:44:56.501] - 38592/38592
[16:44:56.504] - Run img
[16:44:56.613] - Load helper bin time cost(ms): 2666.262939453125
[16:44:56.722] - Flash load shake hand
[16:44:56.733] - default set DTR high
[16:44:56.846] - clean buf
[16:44:56.848] - send sync
[16:44:57.080] - ack is 4f4b
[16:44:57.127] - Read mac addr
[16:44:57.128] - macaddr: 2127eaedbb28
[16:44:57.129] - Read operation
[16:44:57.132] - Read efuse
[16:44:57.133] - Finished
[16:44:57.134] - All time cost(ms): 3194.5458984375
[16:44:57.248] - close interface
[16:44:57.249] - [All Success]

Screenshot of the Bouffalo Lab Dev Cube 1.9.0 application interface with various settings and logs.

Flash read - Bouffalo Lab DevCube v1.4.8
This version also seem to work good - no extra commentary is required here.

User interface of Bouffalo Lab Dev Cube 1.4.8 software with Flash Utils tab, displaying various settings and flash memory control options.

Both BlDevCubes work good for me.

Flash write - Bouffalo Lab DevCube v1.4.8
We already have some guides for firmware write process, so you can check them out first:

Still, the process is very similar to flash read, just use different flash section and select the Partition Table and Boot2 bin and Firmware Bin as we've shown on our screenshot:

Bouffalo Lab Dev Cube 1.4.8 user interface with successful process completion.

Remember to get our binary from Releases:
https://github.com/openshwprojects/OpenBK7231T_App
It should flash and create OBK access point as soon as you disconnect BOOT from resistor and do power off/on cycle:

Wi-Fi network icon with the name OpenBL602_EDEA2721.

But that's not the scope of this topic, so I'll finish here.

Summary
This way you can backup and restore flash of BL602/BL702 device or similar. Make sure to use 10k resistor while pulling BOOT pin high. Don't forget to do power off/on cycle (or reset via reset pin...) between each flash operation, just like you'd do with ESP8266.
If you manage to read some flash of device that has not been yet paired with Tuya, consider flashing it with us:
https://github.com/openshwprojects/FlashDumps
That's all for now, let us know if you have managed to flash any BL devices, we can also help you with flashing process and guide you step by step if you want. Let's run our devices without the cloud!

PS: Flashing OBK to 1MB version of BL602 requires some different configuration, we will cover it in another topic

Cool? Ranking DIY

Helpful post? Buy me a coffee.

About Author

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Offline

p.kaczmarek2 wrote 14451 posts with rating 12429, helped 650 times. Been with us since 2014 year.

ADVERTISEMENT
#2 21456605 26 Feb 2025 09:01

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #2
21456605 26 Feb 2025 09:01

that's cool. I hadn't considered dumping the efuse on BL. I hadn't seen a BW2L module before either. Seems like it's pin-compatible with at least:

TYWE2L, CB2L, DT-BL200, TYWE2L, WB2L, WBR2L, WR2L, ESP8685-WROOM-05, ESP8684-WROOM-05, DT-ESP-C05, DMP-L1

Similar: https://www.elektroda.com/rtvforum/topic4039283.html

Zengge, as well as Sonoff/ITEAD/eWeLink seem to be a big fan on BL602s.
#3 21456657 26 Feb 2025 09:46

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #3
21456657 26 Feb 2025 09:46

I still didn't figure out the remaining pinout of the BW2L module, but maybe it's the same as in DT-BL200?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#4 21469989 07 Mar 2025 13:55

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #4
21469989 07 Mar 2025 13:55

Maybe. Did you trace each pin in the end?

Look what came today
#5 21470262 07 Mar 2025 17:56

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #5
21470262 07 Mar 2025 17:56

Are you able to flash it? I may be posting flashing guide for this device soon, so if you manage to flash it on time, you could also add your experience there.

And I still haven't figured out which pin is which, but I already have template for that bulb. It was not had, with GPIO Doctor...

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#6 21470306 07 Mar 2025 18:42

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #6
21470306 07 Mar 2025 18:42

p.kaczmarek2 wrote:
Are you able to flash it? I may be posting flashing guide for this device soon, so if you manage to flash it on time, you could also add your experience there.

I have not done anything to it yet, I will note my experiences, with pics, when the time comes.

Added after 6 [minutes]:

I was about to say surely the assignments are mentioned in the updated, verbose firmware for the E14 BW2L https://www.elektroda.com/rtvforum/topic4107260.html#21468963

but the output contains everything but the pins, it seems.
ADVERTISEMENT
#7 21473922 10 Mar 2025 16:10

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #7
21473922 10 Mar 2025 16:10

It seems that I got the same bulb as you. So now I have E14 with BW2L and E27 with BW2L.
https://github.com/openshwprojects/FlashDumps/commit/e44fbdfe8a41e4c0fdee07cb1c6a98e4eb5e290d

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#8 21474153 10 Mar 2025 18:41

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #8
21474153 10 Mar 2025 18:41

cool. they both seem to be v1.1.1 and then offer update to v1.5.0

eWeLink-C3009-EW-E14-BWL2-bulb_(FWLED-CK0205PWM-LIGHT-BL602L_v1.5.0).bin was added to dumps to sit alongside your original E14
#9 21474391 10 Mar 2025 21:02

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #9
21474391 10 Mar 2025 21:02

Have you added all your BW2L dumps?

Btw, did you know that C3009 marking is present on all three bulbs I have - two BW2L based from eWeLink and the Tuya one as well?

The meaningful marking is the prefix, for eWeLink I have, for example, EW-E14, and for Tuya, TY-E14...

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#10 21474413 10 Mar 2025 21:17

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #10
21474413 10 Mar 2025 21:17

yes. these two anyway. 1.5.0 not done yet. I guess our EW-A60-15Ws will be the same.

eWeLink-C3009-EW-E27-BW2L-RGBCW-EW-A60-15W_(FWLED-CK0205PWM-LIGHT-BL602L_v1.1.1)_divadiow.bin
eWeLink-C3009-EW-E27-BW2L-RGBCW-EW-A60-15W_(FWLED-CK0205PWM-LIGHT-BL602L_v1.1.1)_efuse_divadiow.bin

Also interesting is that the E27 ota file is identical to the E14, so maybe there's some config part of the firmware that has device-specific schema or whatever for each type

Added after 3 [minutes]:

our backups aren't identical but they look essentially the same
ADVERTISEMENT
#11 21474440 10 Mar 2025 21:25

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #11
21474440 10 Mar 2025 21:25

I've copied my OBK template from E14 version to E27 and it works just fine, so PWM roles are 100% the same. Still, it would be nice to find out where GPIOs are stored for BL602 eWeLink devices.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#12 21474444 10 Mar 2025 21:27

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #12
21474444 10 Mar 2025 21:27

p.kaczmarek2 wrote:
I've copied my OBK template from E14 version to E27 and it works just fine, so PWM roles are 100% the same.

Ah. makes sense. of course there doesn't have to be anything device-specific if theyre wired the same way.

Config extraction from eWeLink would be nice...
#13 21474569 10 Mar 2025 23:04

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #13
21474569 10 Mar 2025 23:04

It has some string references like cw_power...

Have you tried to load this binary in Ghidra or any other tool like that?

Added after 43 [seconds]:

Added after 11 [minutes]:

@divadiow https://www.youtube.com/watch?v=3Ikn8Y775Lk

Added after 16 [minutes]:

I'm trying to find code that refers to those strings but Ghidra fails to find references:

Added after 3 [minutes]:

Data section?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#14 21474627 10 Mar 2025 23:34

divadiow divadiow

Level 38

Posts: 4882

Help: 427

Rate: 869
Helpful post? (0)

Post #14
21474627 10 Mar 2025 23:34

Interesting. I'm also wondering if we can use what looks like the pin assignments in some BL602 boot logs as a reference point. eg

https://www.elektroda.com/rtvforum/topic3945435.html#20987133

Code: Text
Log in, to see the code

I'm guessing 200 = not assigned or something.

but where's it actually retrieving the values from?
#15 21474640 10 Mar 2025 23:54

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Posts: 14451

Help: 650

Rate: 12429
Topic author Helpful post? (0)

Post #15
21474640 10 Mar 2025 23:54

I'm able to find those strings in Ghidra, but when I search for code referencing them, it finds nothing. There is something wrong with the way I import BL602 dump.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

✨ The discussion focuses on reading and backing up the flash memory of BL602 and BL702 devices using BLDevCube. The BL602 is a WiFi+Bluetooth SoC utilized in Sonoff and eWeLink products, available in 1MB and 2MB flash versions, while the BL702 is a Zigbee chip. Participants share detailed GPIO pinout connections necessary for flashing, including TX, RX, Boot, VDD, and GND connections. There are mentions of various modules compatible with BL602, such as TYWE2L and DT-BL200. Users discuss their experiences with flashing these devices, sharing insights on firmware versions and pin assignments, and express interest in extracting configuration data from eWeLink firmware.
Generated by the language model.

FAQ

TL;DR: For BL602/BL702 owners who need a safe backup before flashing, BLDevCube can dump a 2MB flash over 3.3V UART. The practical fix is simple: "200000 is ok" for baud, use 0x1FFFFF length, and pull BOOT high through 10k before each power cycle. [#21455894]

Why it matters: A verified flash dump and eFuse backup let you recover BL602-based bulbs and switches before testing OpenBK7231T_App or other firmware.

Option	Works for flash read	Noted difference	Practical takeaway
BLDevCube v1.9.0	Yes	Needs lower baud such as 200000 on problem setups	Best documented in the thread
BLDevCube v1.4.8	Yes	No extra commentary or workaround notes were needed	Also reliable for dumping
Flash read vs flash write	Both discussed	Write needs Partition Table, Boot2, and Firmware files	Read first, write second

Key insight: Most BL602 read failures in this thread came from setup details, not locked chips. A stable 3.3V supply, BOOT via 10k, short UART wires, and a full power cycle between operations were the decisive fixes. [#21455894]

Quick Facts

Required BL602 dump wiring in the thread was GPIO16 TX, GPIO7 RX, GPIO8 BOOT, 3.3V VDD, and GND, all on a common ground with the USB-to-UART adapter. [#21455894]
The documented 2MB read settings were start offset 0x0 and length 0x1FFFFF; entering 0x200000 triggered a flash-size overflow message in BLDevCube. [#21455894]
The thread’s working baud rate was 200000, while the default 2000000 caused "Read data error" and "Not ack OK" on at least one setup. [#21455894]
A full 2MB dump shown in the log completed in about 108947.57 ms for flash read and 112118.50 ms total runtime. [#21455894]
BW2L was discussed as pin-compatible with modules including TYWE2L, CB2L, DT-BL200, WB2L, WBR2L, WR2L, ESP8685-WROOM-05, ESP8684-WROOM-05, DT-ESP-C05, and DMP-L1. [#21456605]

How do I read and back up the flash of a BL602 or BL702 device with Bouffalo Lab BLDevCube step by step?

Use BLDevCube in UART boot mode and read the whole flash to a file. 1. Wire TX, RX, BOOT, 3.3V, and GND, then power-cycle the chip into boot mode. 2. In BLDevCube, select the correct chip, enable advanced view, open the Flash tab, choose your COM port, set start offset to 0x0 and length to 0x1FFFFF. 3. Click Read Flash, wait for completion, and keep the resulting flash.bin as your backup before any write operation. [#21455894]

What wiring do I need between a BL602 module and a 3.3V USB-to-UART adapter to enter boot mode and dump flash safely?

You need five core connections and one resistor. Connect BL602 GPIO16 to the adapter RX, GPIO7 to the adapter TX, GPIO8 BOOT to 3.3V through a 10k resistor, VDD to a reliable 3.3V source, and GND to common ground. Keep UART wires short, use the adapter in 3.3V mode, and never connect BOOT directly to 3.3V. Disconnect the device from mains before touching the board. [#21455894]

Why does BLDevCube show "Read data error, maybe not get excepted length" or "Not ack OK" when reading a BL602, and how do I fix it?

Those errors usually mean the UART link or boot entry is unstable. The thread’s direct fix was to lower baud from the default 2000000 to 200000, shorten the wires, and use a stronger 3.3V supply than some USB-to-UART boards provide. Also confirm BOOT is pulled high through 10k and do a full power off/on cycle before retrying. Those changes turned failed reads into successful dumps in the posted log. [#21455894]

Why do I have to enter 0x1FFFFF instead of 0x200000 when reading a 2MB BL602 flash in BLDevCube?

You enter 0x1FFFFF because BLDevCube treated 0x200000 as an end address that overflowed a 2MB flash. The posted log showed: read end addr 0x00200000 overflow with flash size 0x00200000, then error code 0045. Using 0x1FFFFF avoids that boundary issue while still reading essentially the full 2MB device, just one byte short of 0x200000. [#21455894]

Where does BLDevCube save the dumped flash.bin or efuse.bin file after a successful BL602 backup?

BLDevCube saves the dump in its own working folder. The thread explicitly states that the file appears where BLDevCube is located after a successful run, with examples for both flash.bin and efuse.bin. That means you should check the BLDevCube executable directory first if you do not see the backup immediately after the read completes. [#21455894]

What is eFuse on BL602, and what useful information can be read from it with BLDevCube?

"eFuse is non-volatile chip configuration storage that keeps device-specific settings, security-related values, and identifiers even without power." In the thread, BLDevCube successfully read eFuse to efuse.bin and also showed boot details such as chip ID and MAC address during the session. That makes eFuse useful as a second backup alongside flash.bin when you document or restore a BL602 board. [#21455894]

What is the BW2L module, and how is it related to BL602-based eWeLink bulbs and other pin-compatible modules?

BW2L is a BL602-based Wi-Fi module used in eWeLink bulbs discussed in the thread, including E14 and E27 models. One reply notes it appears pin-compatible with modules such as TYWE2L, CB2L, DT-BL200, WB2L, WBR2L, WR2L, ESP8685-WROOM-05, ESP8684-WROOM-05, DT-ESP-C05, and DMP-L1. In practice, that suggests similar pad placement and replacement potential across several smart-device modules. [#21456605]

BLDevCube v1.9.0 vs v1.4.8 for BL602 flash dumping and writing — which one works better and what differences matter?

Both versions worked in this thread, but v1.9.0 had the fuller troubleshooting record. Version 1.9.0 was used for documented flash and eFuse reads, including the 200000 baud workaround and the 0x1FFFFF length fix. Version 1.4.8 also worked well for flash read and was shown for flashing, with no major extra commentary. Choose v1.9.0 if you want the exact proven read procedure, and v1.4.8 if you follow the shown write screenshots. [#21455894]

What is the correct way to flash OpenBK7231T_App onto a BL602 device with BLDevCube, including Partition Table, Boot2, and firmware files?

Flash OpenBK7231T_App by loading the partition table, Boot2 binary, and firmware binary in the flash section of BLDevCube. The thread says the process is similar to flash read, but you must select those three files instead of running a read. After flashing, disconnect BOOT from the pull-up path, then do a full power off/on cycle. The expected result is that the device boots and creates an OBK access point. [#21455894]

Why is a stable external 3.3V supply recommended for BL602 flashing instead of powering the chip directly from some USB-to-UART converters?

A stable external 3.3V supply prevents failed flashes and unstable boots. The thread warns that some USB-to-UART adapters cannot provide enough current, especially when the Wi-Fi module creates an AP or connects, and that can cause flash failure or boot loops. The shown setup used a separate 3.3V LDO on a protoboard, with TC1264 named as one example and AMS1117 mentioned as another option. [#21455894]

How should the BOOT pin on BL602 be pulled high, and why is a 10k resistor recommended instead of connecting BOOT directly to 3.3V?

Pull BOOT high through a 10k resistor, not with a direct short to 3.3V. The thread repeats this point in both the wiring section and the summary, and the photos show the resistor in the working setup. That arrangement safely forces boot mode for BLDevCube while making it easy to release BOOT afterward for normal startup following a power cycle. [#21455894]

What should I check if a BL602 device will not enter flashing mode or needs a power cycle between BLDevCube operations?

Check boot wiring, UART polarity, power quality, and reset timing first. The thread recommends: 1. Verify BOOT is high through 10k and swap RX/TX if communication fails. 2. Confirm a reliable 3.3V rail and short wires. 3. Perform a full power off/on cycle between every flash operation, just like on ESP devices. The posted guidance says skipping that cycle can stop BLDevCube from reconnecting cleanly. [#21455894]

Which modules appear to be pin-compatible with BW2L, such as TYWE2L, CB2L, DT-BL200, WB2L, WR2L, or ESP8685-WROOM-05, and what does that mean in practice?

The thread lists BW2L as pin-compatible with TYWE2L, CB2L, DT-BL200, WB2L, WBR2L, WR2L, ESP8685-WROOM-05, ESP8684-WROOM-05, DT-ESP-C05, and DMP-L1. In practice, pin-compatible means the module likely shares a similar physical pin layout, so it may fit the same PCB footprint or help guide pad identification during reverse engineering. It does not prove identical firmware, GPIO mapping, or feature behavior. [#21456605]

How can I figure out the remaining pinout of a BW2L module when the pads are unmarked, and is it likely to match DT-BL200?

Map the pads by tracing continuity from the module to the BL602 pins, then compare that map with known compatible modules. The thread’s working method was to use the BL602 GPIO diagram, identify pin 1 from the package dot, and check pads with a multimeter until TX, RX, BOOT, power, and ground were confirmed. One poster suggested BW2L may match DT-BL200, but the thread did not confirm the full remaining pinout. [#21455894]

How can I analyze a BL602 firmware dump in Ghidra to find GPIO assignments or strings like cw_power, and why might string references not resolve correctly?

Load the dump, search for strings such as cw_power, then inspect nearby data and boot-log clues, but expect incomplete cross-references. The thread shows strings were visible in Ghidra, yet code references did not resolve, and the likely issue was an incorrect import or memory layout for the BL602 dump. One reply also points to boot logs that print GPIO config values, where 200 appears to mean an unassigned function. [#21474640]