logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant

p.kaczmarek2 10101 116

TL;DR

  • ECR6600 WiFi+BT modules, including Tuya AXY2S and WG236 variants, get a pinout, datasheet links, and a guide for running them locally with Home Assistant.
  • Flashing uses UART0 TX0/RX0, GND, 3.3V, and ideally RST; unlike ESP chips, ECR6600 has no GPIO0 and relies on reset timing when prompted.
  • The chip pairs an Andes D10 @160MHz, up to 240MHz, with 512KB SRAM and 2MB/4MB Flash.
  • RDTool backs up the original firmware with a stub, then writes the OpenECR6600 UART binary; after reboot, the device exposes a WiFi access point for configuration.
  • The firmware release is still a March 2025 WIP, and backups should be made before cloud pairing because dumps may contain SSID and other personal data.
Generated by the language model.
ADVERTISEMENT
Report a violation of the law
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
  • #61 21491220
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    Hmm. Not sure what to suggest or do next tbh.
  • ADVERTISEMENT
  • #62 21492866
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    not that it helps, but I sought to find documented evidence of that address/range in relation to ECR6600. It seems perhaps chip_memmap.h in the SDK is a useful source

    ChatGPT said:

    Code: Text
    Log in, to see the code


    https://github.com/divadiow/ECR6600/blob/main...s/Boards/ecr6600/common/include/chip_memmap.h

    sometimes get this though, but not with 0x40800000
    Error message in auto analysis

    https://github.com/search?q=repo%3Adivadiow%2FECR6600%2040800000&type=code

    Added after 1 [hours] 1 [minutes]:

    maybe we need to know the efuse content. need someone with a real device to flash the AT firmware and read the values from RDTool, assuming it allows read.
  • #63 21501376
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    p.kaczmarek2 wrote:
    I can get this from LN882H:


    does TEY_SN_8710 get you anywhere in this app with ECR6600 fw?
  • ADVERTISEMENT
  • Helpful post
    #64 21501866
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    divadiow wrote:
    does TEY_SN_8710 get you anywhere in this app with ECR6600 fw?

    no, this does not seem to be it
    Screenshot of a C# code snippet dealing with Tuya configuration.

    it was something GPT suggested was derivable from @miegapele's efuse bytes https://www.elektroda.com/rtvforum/topic4106357.html#21500523

    Code: Text
    Log in, to see the code


    Added after 39 [minutes]:

    some basic observations re key/SDK consistency/variations across the dumps we have.

    Code: Text
    Log in, to see the code


    in summary, all the ECR6600 plugs have same key logged in boot output and are built with same SDK. Jasperro's LSC is the odd one out with a different key and older SDK.

    boot, dumps and get key summary package attached for all 4.

    Code: Text
    Log in, to see the code
    Attachments:
    • ECR6600_DECRYPT.rar (2.54 MB) You must be logged in to download this attachment.
  • #65 21505163
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    Nice research, I'll get back to it in a moment.
    @insmod what happened to ECR build? Did maintainer of ECR SDK submit code with syntax error?
    Code: text Expand Select all Copy to clipboard
    

../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c: In function 'ctrl_iface_receive':
../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c:100:27: error: 'CLI_PRINT_BUFFER_SIZE' undeclared (first use in this function); did you mean 'PRINT_BUFFER_SIZE'?
 #define PRINT_BUFFER_SIZE CLI_PRINT_BUFFER_SIZE//256
                           ^~~~~~~~~~~~~~~~~~~~~
../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c:131:22: note: in expansion of macro 'PRINT_BUFFER_SIZE'
      if (reply_len > PRINT_BUFFER_SIZE ) {
                      ^~~~~~~~~~~~~~~~~
../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c:100:27: note: each undeclared identifier is reported only once for each function it appears in
 #define PRINT_BUFFER_SIZE CLI_PRINT_BUFFER_SIZE//256
                           ^~~~~~~~~~~~~~~~~~~~~
../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c:131:22: note: in expansion of macro 'PRINT_BUFFER_SIZE'
      if (reply_len > PRINT_BUFFER_SIZE ) {
                      ^~~~~~~~~~~~~~~~~
../components/wpa/wpa_supplicant/ctrl_iface_freeRTOS.c:133:15: error: unused variable 'atom' [-Werror=unused-variable]
          char atom[PRINT_BUFFER_SIZE+1];
               ^~~~

    I'll accept your fix... https://github.com/NonPIayerCharacter/OpenECR...d334ded1dab18dcd506d52398df83329bb00095939a83 thanks
    Helpful post? Buy me a coffee.
  • #66 21505185
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21505163
    Unknown what happened, it worked ok, but suddenly, without any changes in code, it started failing build.
    That only happened in github actions, building locally worked like before.
    I eventually determined that cli.h stopped including, so that hack will add it's path to include dirs.
    Though now that i checked the code, probably another cli.h was included, instead of the needed one.
    But why it worked before then?
  • #67 21505459
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    p.kaczmarek2 wrote:
    Nice research, I'll get back to it in a moment.

    no pressure. I notice IDA have mentioned NDS32 in their 2025 visions and goals https://hex-rays.com/blog/2025-product-vision-and-goals

    Code: Text
    Log in, to see the code


    but no sign of a release with that support, assuming I could even get hold of it somehow. My angle was that maybe that Ghidra processor add for NDS32 isn't as good as it could be, but I don't really know.
  • #69 21506177
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    nice. another ECR6600 to swoon over. Would be interesting to know what fw it has and how its RF compares to the WG236.
    I was going to hook up WG236 again this evening just to experience the efuse read in RDTool using AT.

    Added after 1 [hours] 7 [minutes]:

    yuh. no great surprise. all 0x0. read via TX0/IO6 and RX0/IO5

    Screenshot of RDTool showing efuse settings details and read logs for a device.

    UART prints

    Code: Text
    Log in, to see the code


    Added after 4 [minutes]:

    this would be doable on the ECR6600 EU plugs because that's the same RX/TX as flash is through - but miegapele has already read it somehow. not sure how @miegapele's values translate to what would be displayed in RDTool though.
  • ADVERTISEMENT
  • #71 21509287
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    Nice! Take a backup and we'll compare them.
    Helpful post? Buy me a coffee.
  • #72 21509304
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    in my haste I neglected to uncheck the WG236A backup under stub and flashed that already! 🤦🏼‍♂ I'll dump second, I'm betting it'll be the same as the others we've had though.

    Screenshot of a binary file management program with the download option checked.

    efuse read is successful but doesn't reveal anything different to trying on WG236 https://www.elektroda.com/rtvforum/topic4111822-60.html#21506177

    Firmware upgrade software interface with a settings table.

    Added after 2 [minutes]:

    seeing what else I can read from it. any requests?

    Firmware upgrade tool software interface with error logs.
  • ADVERTISEMENT
  • #73 21584722
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    >>21506165
    did you ever dump flash from this?
  • #74 21594320
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I didn't make any futher tests with IDA, but I am helping user to port HTTP GET/POST requests to ECR in OBK, and I'm currently looking for hal_machw_time equivalent in their SDK - any ideas?
    Helpful post? Buy me a coffee.
  • #76 21594381
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I'll give it a go. Another missing think would be lwip_close_force, which was added by me to LWIP some time ago as a work around to lingering sockets... they weren't freed correctly and kept using heap. I'm curious if the same problem will occur on ECR, maybe it should be solved differently.

    @divadiow do you have ECR?
    Helpful post? Buy me a coffee.
  • #77 21594385
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    p.kaczmarek2 wrote:
    @divadiow do you have ECR?

    of course!

    WG236A modules and 4 EU LSPA9-type ECR6600 plugs - the one we've seen posted about a few times by various users
  • #78 21594402
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    https://github.com/openshwprojects/OpenBK7231T_App/pull/1700
    It compiled with following stubs:
    Code: text Expand Select all Copy to clipboard
    

void lwip_close_force(int x) {
	lwip_close(x);
}
int hal_machw_time() {
	return os_time_get() * 1000;
}

    Now, will this work?
    Code: text Expand Select all Copy to clipboard
    
// SendGet http://192.168.0.112/cm?cmnd=Power0%20Toggle
// addRepeatingEvent 5 -1 SendGet http://192.168.0.112/cm?cmnd=Power0%20Toggle
// addEventHandler OnClick 8 SendGet http://192.168.0.112/cm?cmnd=Power0%20Toggle

    This SendGET is HTTP only. It can be tested easily with two OBK devices. One with single LED/relay on channel (or anything, really) and second (ECR) to send it.
    Helpful post? Buy me a coffee.
  • #79 21594487
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    I'll try. Not home til next week though but I have some stuff with me
  • #80 21594548
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    Thank you, are you on holidays?

    I've also looked at BL602. I've managed to get it to compile but the time call is missing.

    I think that maybe we could just have some kind of our own crude timer, for example, counted by quicktick calls, but maybe that's not necessary...

    Added after 51 [minutes]:

    It has turned out that quicktick already has a time mechanism. I've renamed it to g_timeMs. Currently it's 32 bit but probably should be long.
    Helpful post? Buy me a coffee.
  • #81 21594657
    DeDaMrAz
    Level 22  
    Posts: 600
    Help: 34
    Rate: 127
    Since I am back to digging through my collection of modules I've noticed something interesting, first E103W module has a non standard pinout

    Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant

    And second is this little detail

    Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant
  • #82 21594671
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I didn't notice it as well, but it seems that this module can work with WiFi 6.
    Helpful post? Buy me a coffee.
  • #83 21594674
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    I knew that it can work with Wifi 6. But it can't work with 5Ghz.
    The only module i know that supports both wifi 6 and 5ghz is ESP32-C5.
  • #84 21594681
    DeDaMrAz
    Level 22  
    Posts: 600
    Help: 34
    Rate: 127
    Confirmed, SendGET is working from ECR module to another OBK, both as a single toggle and as a repeating event!


    Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant
  • #85 21594683
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I have fixed SendGet on BL602 as well, I am working on LN882H now. I'm also going to clear up codebase there a bit.

    Ok, next test. Does ECR have LFS? I think it does? So... try to download a file.
    Code: text Expand Select all Copy to clipboard
    
// Following command will send get and save result to file:
// SendGet http://example.com/ myFile.html
// test code: addRepeatingEvent 30 -1 SendGet http://example.com/ myFile.html

    Just make sure to use HTTP, not HTTPS. We don't have HTTPS enabled.
    Maybe try on Beken first, my memory may be faulty here, but it should work more or less...

    Just to be sure - no sockets in use/heap impact after repeated requests?
    Helpful post? Buy me a coffee.
  • #86 21594684
    DeDaMrAz
    Level 22  
    Posts: 600
    Help: 34
    Rate: 127
    insmod wrote:
    I knew that it can work with Wifi 6. But it can't work with 5Ghz.
    The only module i know that supports both wifi 6 and 5ghz is ESP32-C5.


    I honestly didn't even notice that until now, but I have something exotic to try it with 2.4GHZ WiFi6 Mikrotik that has a 160MHz channel 😁

    I'll test that later this night as if I turn that thing on most of my neighborhood will lose their WiFi's 😁
  • #87 21594686
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    This os_ stuff is messy:
    Code: C / C++
    Log in, to see the code

    What is even the initial purpose of that on Beken? @insmod do you know anything about it? Maybe we could normalize all functions and remove os_* stuff. I know os_realloc/os_malloc vs malloc is an ongoing issue on Beken, tough
    Helpful post? Buy me a coffee.
  • #88 21594690
    DeDaMrAz
    Level 22  
    Posts: 600
    Help: 34
    Rate: 127
    p.kaczmarek2 wrote:
    Just to be sure - no sockets in use/heap impact after repeated requests?


    Confirmed, heap does go down some, check the log.

    Code: text Expand Select all Copy to clipboard
    Error:HTTP_CLIENT:success to establish tcp, fd=2
Error:HTTP_CLIENT:connection is closed
Error:HTTP_CLIENT:httpclient - no response buff, skipped 240
Info:MAIN:Time 745, idle 0/s, free 188376, MQTT 0(46), bWifi 1, secondsWithNoPing 676, socks 2/20 
Info:MAIN:Time 746, idle 0/s, free 188376, MQTT 0(46), bWifi 1, secondsWithNoPing 677, socks 2/20 
Info:MAIN:Time 747, idle 0/s, free 188376, MQTT 0(46), bWifi 1, secondsWithNoPing 678, socks 2/20 
Info:MQTT:mqtt_host empty, not starting mqtt
Info:MAIN:Time 748, idle 0/s, free 188376, MQTT 0(47), bWifi 1, secondsWithNoPing 679, socks 2/20 
Info:MAIN:Time 749, idle 0/s, free 188376, MQTT 0(47), bWifi 1, secondsWithNoPing 680, socks 2/20 
Info:CMD: CMD_SendGET received with args http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:HTTPClient_Async_SendGet for http://192.168.0.48/cm?cmnd=Power1%20Toggle, sizeof(httprequest_t) == 160!
Info:HTTP_CLIENT:Parse url http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:host: '192.168.0.48', port: 80
Info:HTTP_CLIENT:HAL_TCP_Establish: created socket 2

Error:HTTP_CLIENT:success to establish tcp, fd=2
Error:HTTP_CLIENT:connection is closed
Error:HTTP_CLIENT:httpclient - no response buff, skipped 239
Info:MAIN:Time 750, idle 0/s, free 175512, MQTT 0(47), bWifi 1, secondsWithNoPing 681, socks 3/20 
Info:MAIN:Time 751, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 682, socks 2/20 
Info:MAIN:Time 752, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 683, socks 2/20 
Info:MAIN:Time 753, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 684, socks 2/20 
Info:MAIN:Time 754, idle 0/s, free 175512, MQTT 0(47), bWifi 1, secondsWithNoPing 685, socks 3/20 
Info:CMD: CMD_SendGET received with args http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:HTTPClient_Async_SendGet for http://192.168.0.48/cm?cmnd=Power1%20Toggle, sizeof(httprequest_t) == 160!
Info:HTTP_CLIENT:Parse url http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:host: '192.168.0.48', port: 80
Info:HTTP_CLIENT:HAL_TCP_Establish: created socket 3

Error:HTTP_CLIENT:success to establish tcp, fd=3
Error:HTTP_CLIENT:connection is closed
Error:HTTP_CLIENT:httpclient - no response buff, skipped 240
Info:MAIN:Time 755, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 686, socks 2/20 
Info:MAIN:Time 756, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 687, socks 2/20 
Info:MAIN:Time 757, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 688, socks 2/20 
Info:MAIN:Time 758, idle 0/s, free 175512, MQTT 0(47), bWifi 1, secondsWithNoPing 689, socks 3/20 
Info:CMD: CMD_SendGET received with args http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:HTTPClient_Async_SendGet for http://192.168.0.48/cm?cmnd=Power1%20Toggle, sizeof(httprequest_t) == 160!
Info:HTTP_CLIENT:Parse url http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:host: '192.168.0.48', port: 80
Info:HTTP_CLIENT:HAL_TCP_Establish: created socket 2

Error:HTTP_CLIENT:success to establish tcp, fd=2
Error:HTTP_CLIENT:connection is closed
Error:HTTP_CLIENT:httpclient - no response buff, skipped 239
Info:MAIN:Time 759, idle 0/s, free 188368, MQTT 0(47), bWifi 1, secondsWithNoPing 690, socks 2/20 
Info:MAIN:Time 760, idle 0/s, free 188376, MQTT 0(47), bWifi 1, secondsWithNoPing 691, socks 2/20 
Info:MAIN:Time 761, idle 0/s, free 188376, MQTT 0(47), bWifi 1, secondsWithNoPing 692, socks 2/20 
Info:MAIN:Time 762, idle 0/s, free 175520, MQTT 0(47), bWifi 1, secondsWithNoPing 693, socks 3/20 
Info:MAIN:Time 763, idle 0/s, free 188376, MQTT 0(47), bWifi 1, secondsWithNoPing 694, socks 2/20 
Info:CMD: CMD_SendGET received with args http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:HTTPClient_Async_SendGet for http://192.168.0.48/cm?cmnd=Power1%20Toggle, sizeof(httprequest_t) == 160!
Info:HTTP_CLIENT:Parse url http://192.168.0.48/cm?cmnd=Power1%20Toggle
Info:HTTP_CLIENT:host: '192.168.0.48', port: 80
Info:HTTP_CLIENT:HAL_TCP_Establish: created socket 2

Error:HTTP_CLIENT:success to establish tcp, fd=2
Error:HTTP_CLIENT:connection is closed
Error:HTTP_CLIENT:httpclient - no response buff, skipped 240
Info:MQTT:mqtt_host empty, not starting mqtt
Info:MAIN:Time 764, idle 0/s, free 188376, MQTT 0(48), bWifi 1, secondsWithNoPing 695, socks 2/20


    LFS is present and confirmed working. SendGET obviously needs some delay after booting but it is working. For http file download I will try at some point, not sure when though.
  • #89 21594698
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    LN882H also compiled now, so we would need to check that platform as well. Still, for now, just check file downloading on your ECR, since you have it at hand.
    Helpful post? Buy me a coffee.
  • #90 21594701
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21594686
    os_malloc/free/realloc should remain as it is.
    os_memmove/os_strcmp/os_strchr/os_strstr are only used in http_client.c
    os_strcpy is in BK hal, new_mqtt.c, logging.c, http_client.c and http_tcp_server.c
    os_memcpy in BK hal and http_client.c
    os_memset is used ...
    os_strlen in BK hal and http_client
    Perhaps default functions are problematic on Beken and removing them could create problems?

    But no, i see that for example os_memmove just returns memmove in https://github.com/NonPIayerCharacter/beken_f...os_sdk/blob/master/beken378/os/mem_arch.c#L14
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
Report a violation of the law

Topic summary

✨ The discussion focuses on the Eswin ECR6600 WiFi+Bluetooth SoC module used in IoT devices, particularly smart plugs with integrated BL0937 energy metering chips. Key topics include detailed pinout configurations, firmware flashing procedures via UART, and local firmware development to enable cloud-free operation with Home Assistant using Tasmota/esphome-like firmware ports. Users report initial issues with the BL0937 driver not functioning due to its exclusion from firmware builds, which was later resolved by including the driver and verifying correct pin assignments. Attempts to extract and decrypt Tuya configuration keys from original firmware backups reveal challenges due to changed secondary keys and CRC errors, complicating full firmware analysis and key extraction. The community explores using Tuya Wind IDE on Linux for SDK access, and reverse engineering efforts with Ghidra face difficulties due to the ECR6600’s NDS32 architecture and base address uncertainties. Firmware disassembly and key extraction are ongoing, with partial success in identifying key material and decrypting some blocks. Additional tests confirm the ECR6600 supports WiFi 6 (2.4 GHz only) and HTTP GET/POST commands for local network control, including file downloads via HTTP client functionality. Integration efforts include porting missing HAL functions like hal_machw_time and lwip_close_force for timing and socket management. Various ECR6600-based devices, including plugs ordered from AliExpress (e.g., TNCE 16A power monitors and E103-W11 modules), are tested for firmware backup, flashing, and local control capabilities. The discussion also covers SDK build issues, firmware memory mapping, and the need for improved tooling and documentation to fully support ECR6600 development and integration with open-source platforms.
Generated by the language model.
Today's popular

FAQ

TL;DR: With 2 MB or 4 MB flash and a "very small" boot window, ECR6600 devices can be backed up over UART, flashed with OpenECR6600, and then paired locally with Home Assistant instead of Tuya cloud. This guide is for users converting Tuya plugs, dimmers, and switches to fully local control. [#21479963]

Why it matters: It gives ECR6600 owners a repeatable path from unknown Tuya hardware to local firmware, backup safety, and practical pin mapping.

Option Chip/module family Flashing method in thread Local firmware status Notable limitation
ECR6600 / AXYU / AXY2S / WG236 ESWIN ECR6600 UART with RDTool or BK7231GUIFlashTool OpenECR6600 works; Home Assistant local use confirmed Reset timing is critical
BK7231-based modules Beken CB2S/WB2S/CBU-like Similar UART workflow Used as reference platform Tuya config extraction behavior differs
ESP8266-based TYWE2S ESP8266 Mentioned as module comparison Familiar baseline for users ECR6600 has no GPIO0-style flash pin

Key insight: ECR6600 flashing is straightforward once wiring is correct: use TX0, RX0, 3.3 V, GND, and usually RST, then hit reset exactly when the tool starts. The harder part is often pin mapping or Tuya config extraction, not writing firmware.

Quick Facts

  • ECR6600 is a Wi‑Fi + BLE SoC with 2.4 GHz 802.11 b/g/n/ax, BLE 5.0, an Andes D10 at 160 MHz up to 240 MHz, 512 KB SRAM, and 2 MB or 4 MB flash variants. [#21479963]
  • The flashing UART uses IO6/TX0 and IO5/RX0; IO13/TX2 outputs boot logs at 115200 baud, which helps confirm whether firmware actually boots. [#21479963]
  • RDTool backup reads from address 0x0 with length 0x400000 for 4 MB parts or 0x200000 for 2 MB parts; if RDTool reports "FLASH is not enough!", switch to 0x200000. [#21479963]
  • AXY2S is an 11-pin Tuya-style ECR6600 module, while AXYU is a 21-pin CBU-shaped module exposing extra GPIOs such as P00, P01, P02, P03, P04, P21, P23, and dedicated L_RX/L_TX log pins. [#21479963]
  • In March 2025, a BL0937 plug issue was traced to a build error: the BL0937 driver was not included in the binary, and a rebuilt firmware fixed zero readings. [#21480949]

What is the Eswin ECR6600, and how does it compare to BK7231, ESP8266, and other Tuya Wi-Fi modules for local firmware use?

ECR6600 is a Wi‑Fi and Bluetooth SoC used in Tuya-style modules such as AXY2S and AXYU, and it can run local OpenECR6600 firmware. It offers 2.4 GHz 802.11 b/g/n/ax, BLE 5.0, 512 KB SRAM, and 2 MB or 4 MB flash. In the thread, it is compared to BK7231 modules like CB2S and WB2S and to the ESP8266-based TYWE2S because those are familiar Tuya module formats. For local use, the big practical difference is flashing: ECR6600 has no ESP-style GPIO0 boot strap and instead relies on reset timing during UART flashing. [#21479963]

How do I flash an ECR6600 device over UART with RDTool and OpenECR6600 for a fully local Home Assistant setup?

You flash it over UART, then join the new AP and finish setup like Tasmota. 1. Wire 3.3 V, GND, TX0 on GPIO6, RX0 on GPIO5, and preferably RST. 2. In RDTool, open the develop tool, use the download tab, choose the all-in-one OpenECR6600 UART binary, click Start, then reset or power-cycle the board immediately. 3. After flashing, power-cycle again, connect to the firmware access point, open the configuration page, and add it to Home Assistant locally. The thread states this was already working in March 2025, though the release was still marked WIP testing. [#21479963]

What are the important ECR6600 flashing pins, and how are TX0, RX0, IO13, RST, 3.3V, and GND used during backup and programming?

The essential pins are TX0, RX0, 3.3 V, GND, and usually RST. TX0 is IO6 and RX0 is IO5; they form the user UART used for backup and flashing. IO13 is TX2 and outputs boot logs at 115200 baud, so it helps verify whether the firmware starts after programming. RST lets you hit the short boot window without repeatedly removing power. 3.3 V powers the module, and GND is the common reference. The thread’s tested wiring used an ESP adapter on a WG236 module, but the same signal roles apply across ECR6600 modules. [#21479963]

What's the difference between BK7231GUIFlashTool and the legacy ESWIN RDTool for reading and writing ECR6600 flash?

BK7231GUIFlashTool is the newer multi-platform flasher, while RDTool is the original ESWIN utility shown in the screenshots. The main post says ECR6600 read and write support was added to BK7231GUIFlashTool in 2026, with the same soldering and UART wiring as RDTool. RDTool remains the documented legacy workflow for backup, restore, and flashing OpenECR6600. Later thread feedback showed mixed real-world results: one user reported BK7231GUIFlashTool v.228 failed with wrong-header errors, while another flashed successfully at 921600 baud. If you want the most proven path from the thread, RDTool is still the safest first choice. [#21823087]

How do I back up the original ECR6600 firmware, and which read length should I use for 2 MB vs 4 MB flash chips?

Back up first with RDTool’s stub workflow, then read the whole flash from address 0x0. In RDTool, open develop tool, go to single file, load ECR6600F_stub_V1.3.1.bin, set startup address to 0x10000, and trigger reset exactly when you click Start. Then switch to the flash tab, enter start address 0 and read length 0x400000 for 4 MB or 0x200000 for 2 MB. If you do not know the size, try 0x400000 first. If RDTool says "FLASH is not enough!", retry with 0x200000 and save the dump under a descriptive filename. [#21479963]

Why does RDTool on ECR6600 require precise reset timing, and what is the easiest way to catch the boot window reliably?

RDTool needs precise timing because the bootloader accepts the UART session only in a very short window after reset or power-up. The thread explicitly says "the window of opportunity is very small," so clicking Start alone is not enough. The easiest reliable method is to wire the RST pin and ground it exactly when RDTool starts, instead of pulling power each time. If RST is unavailable, power-cycle 3.3 V at the same moment. Using IO13 boot logs at 115200 baud also helps confirm whether you missed the window or the firmware simply failed to boot. [#21479963]

What is AXYU or AXY2S in the context of ECR6600 devices, and how do their pinouts differ from WG236-style modules?

AXY2S and AXYU are Tuya-style ECR6600 modules, while WG236 is a non-Tuya module in an ESP-12 or CB3S-like format. "AXYU is a module board that exposes the ECR6600 SoC in a CBU-shaped 21-pin footprint, with UART, ADC, PWM-capable GPIOs, and dedicated log pins for integration into Tuya devices." AXY2S is smaller, with 11 pins including VBAT, GND, RX, TX, ADC, RST, and a few PWM GPIOs. AXYU exposes many more signals, including P00–P04, P21, P23, P24, P25, TXD, RXD, L_TX, and L_RX, so it is easier to probe and repurpose. [#21479963]

Why was the BL0937 energy meter showing all zero values on OpenECR6600, and how was that issue fixed in the thread?

It showed zero because the BL0937 driver was missing from the build, not because the reported plug pinout was wrong. The user first flashed an OpenECR build and saw the driver start but every reading stayed at 0.0 V, 0.000 A, and 0.00 W. After investigation, the maintainer said the cause was simple: "BL0937 driver was simply not included in the build." A new binary was generated and uploaded, and the tester later confirmed that BL0937 then worked correctly and could be calibrated. [#21480949]

How can I verify BL0937 CF, CF1, and SEL pin assignments on an ECR6600 smart plug when the driver starts but readings stay at zero?

Verify them by checking pulse activity, not only continuity. The thread suggests adding a Counter role as a simple HAL-backed change counter, then using GPIO Doctor to see which pin actually carries BL0937 pulse traffic. That helps distinguish CF from CF1 when the driver loads but readings remain zero. One tested plug used pin 14 for BL0937CF, 15 for BL0937SEL, and 20 for BL0937CF1, but the maintainers still wanted a counter-based method to confirm assignments on future boards. If the driver runs and values stay at zero, first suspect missing pulses or swapped CF and CF1. [#21480916]

Why does Tuya config extraction from ECR6600 backups fail after the first block, and what does the thread suggest about changed secondary keys or TuyaOS 3 storage?

It fails because the first block decrypts, but later blocks fail header and CRC checks, which points to a changed secondary key or a different storage scheme. The extractor found the Tuya config magic at offset 1921024, passed the first MAGIC and CRC checks, then produced repeated "strange nextblock header" and "bad nextblock CRC" warnings. The thread’s main hypothesis was that ECR6600 changed KEY_PART_1 used by makeSecondaryKey, while a related idea was that newer TuyaOS 3 firmware stores config differently from older BK-based devices. In short, the parser understands the opening block but not the follow-up encryption logic. [#21481206]

What is KV_KEY_SEED in Tuya firmware, and why does it matter when trying to decrypt or extract configuration from ECR6600 dumps?

KV_KEY_SEED is the short seed string used to derive part of Tuya’s secondary flash-encryption key for stored configuration. "KV_KEY_SEED is a Tuya firmware configuration value that feeds key derivation for encrypted key-value storage, and changing it breaks block decryption even when the first flash header still matches." In the thread, older non-ECR examples used CONFIG_KV_KEY_SEED="8710_2M", but ECR6600 binaries appeared to contain only some known key parts, not that seed. Because decryption failed right after makeSecondaryKey was applied, the maintainers suspected ECR6600 used a different KV seed or a modified derivation path. [#21481270]

How do I restore a full ECR6600 backup in RDTool after saving the original flash image?

Restore the full dump from RDTool’s single file tab using the same stub setup as backup. 1. Open develop tool, choose single file, select the same stub, set the port, and keep startup address at 0x10000. 2. In the main file path area, choose your saved backup file, set begin address to 0x0, and check is download. 3. Click Start next to startup address and immediately reset or power-cycle the device. The thread notes that stub upload and full-flash restore then happen in one go, so you do not need a separate restore stage. [#21480971]

What is NDS32 in relation to the ECR6600 SDK, and how were people in the thread using Ghidra to analyze ECR6600 binaries?

NDS32 is the Andes CPU architecture used by ECR6600, and it is why stock reverse-engineering setups struggled with the binaries. The thread found the SDK used nds32le-elf-mculib-v3s, then built a custom Ghidra version with NDS32 processor support from an external branch. After that, users could at least open binaries and view disassembly. They searched for strings, constants like 0x13579753, and boot-log references such as the key print path to locate simple_flash and key-handling routines. The goal was to trace where ECR6600 derives or loads the Tuya secondary decryption key. [#21481465]

How can I find relay, button, and LED pins on an unknown ECR6600 switch using GPIO Doctor and boot logs without a published template?

Use GPIO Doctor for live testing, then confirm with the original firmware boot log. One maintainer advised testing unconfigured pins as outputs while the device is on mains; when a relay clicks, you found the relay pin. For buttons, the user had already identified them, and for LEDs, the thread notes they are often tied to the same logic as relays on many switches. Boot logs from the factory dump can list initialized pins, which helps narrow candidates. This method produced a full 3-gang mapping, including buttons on 0, 2, 17 and relay-related pins on 14, 15, 22, 23, 24, and 25. [#21616102]

How do I build or configure OpenBK/OpenECR6600 so SendGet can use HTTPS instead of HTTP, especially for requests to services like Google Apps Script?

You need a build that enables HTTPS in the platform SDK, because the tested SendGet path only supports plain HTTP by default. The thread confirms this directly: a user tried sending a Google Apps Script request and was told SendGET could only do HTTP unless OpenBK was built with secure support. On ECR6600 specifically, one maintainer noted that mbedTLS is enabled by default in the SDK, so HTTPS may be possible there, but no finished OpenBK HTTPS procedure was provided. The practical limitation is clear: unmodified SendGet works for http://..., not for https://... targets like Google Apps Script. [#21640832]
Generated by the language model.
ADVERTISEMENT