
Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant

p.kaczmarek2 10101 116

TL;DR

  • ECR6600 WiFi+BT modules, including Tuya AXY2S and WG236 variants, get a pinout, datasheet links, and a guide for running them locally with Home Assistant.
  • Flashing uses UART0 TX0/RX0, GND, 3.3V, and ideally RST; unlike ESP chips, ECR6600 has no GPIO0 and relies on reset timing when prompted.
  • The chip pairs an Andes D10 @160MHz, up to 240MHz, with 512KB SRAM and 2MB/4MB Flash.
  • RDTool backs up the original firmware with a stub, then writes the OpenECR6600 UART binary; after reboot, the device exposes a WiFi access point for configuration.
  • The firmware release is still a March 2025 WIP, and backups should be made before cloud pairing because dumps may contain SSID and other personal data.
Generated by the language model.
  • Printed circuit board with an integrated circuit and quartz crystal.
    This topic covers detailed information about ECR6600 WiFi modules, datasheets, pinout, and firmware backup via UART and write procedure required to run ESWIN chips locally. Thanks to this, it's possible to pair ECR6600 devices with Home Assistant and use them free from the cloud. We'll use our Tasmota/esphome-like firmware port, as seen here.

    What is ECR6600?
    ECR6600 is an SoC WiFi+BT combo chip found in some IoT devices, featuring:
    - WiFi connectivity, 2.4G, 802.11b/g/n/ax, 1T1R, DCM, HE20, MCS7, TX=+17dBm, Soft AP/Station/Direct mode
    - Bluetooth connectivity, BLE 5.0, AFH, TX=+10dBm
    - RF, Built-in PA, LNA, Switch, and Balun
    - processor, Andes D10 @160MHz (up to 240MHz), FPU
    - memory, 512KB SRAM, 48KB ROM, 32KB Cache, 2MB/4MB Flash, XIP
    - peripherals, GPIOs, HS-UART, QSPI, PWM, I2C, I2S, SDIO, ADC(1MSPS), IR
    - security, TRNG, Secure Boot, AES256, HASH, WPA/WPA2/WPA3, WPS, WEP
    - operating temperature, -40~+105℃
    ECR6600 can be found in two surface-mount packages, ECR6600-40D (5x5 QFN40), and ECR6600-TSxD/L (4x4 QFN32):
    Diagrams of two ECR6600 integrated circuits in QFN40 and QFN32 packages.
    See the table for the full list of variants:
    Variant Packaging
    ECR6600-40D QFN40 5x5
    ECR6600-TS2D QFN32 4x4
    ECR6600-TS2L QFN32 4x4
    ECR6600-TS4D QFN32 4x4
    ECR6600-TS4L QFN32 4x4


    ECR6600 modules
    ECR6600 can be found in the form of some Tuya modules, for example AXY2S, which is similar to the Beken-based CB2S and WB2S or the ESP8266-based TYWE2S.
    Top view schematic of an electronic module.
    Bottom view of a PCB with pin labels.
    Pinout:
    Pin number Symbol Type Function
    1 VBAT P Power supply pin (3.3V)
    2 P25 I/O GPIO_25, hardware PWM, correspond to Pin 7 of the IC
    3 GND P Power supply reference ground
    4 P24 I/O GPIO_24, hardware PWM, correspond to Pin 8 of the IC
    5 RX I/O GPIO_5, UART0_RXD (user serial interface)
    6 P22 I/O GPIO_22, hardware PWM, Pin 4 of the IC
    7 TX I/O GPIO_6, UART0_TXD (user serial interface)
    8 ADC AI GPIO_20, common GPIO, which can be used as ADC. The range of input voltage is 0 to 3.3V. Correspond to Pin 27 of the IC.
    9 P15 I/O GPIO_15, hardware PWM, Pin 28 of the IC
    10 RST I/O Reset pin, reset at a low level. The module has been pulled to a high level and the user can control the pin externally.
    11 P14 I/O GPIO_14, hardware PWM, correspond to Pin 29 of the IC

    Another similar module is AXYU, which has the form of the well-known CBU.
    Technical drawing of an electronic module with top and bottom views.
    Pinout:
    Pin number Symbol Type Function
    1 P00 I/O GPIO_00, common GPIO, which can be reused as SPI_SCK and corresponds to Pin 25 of the IC
    2 P02 I/O GPIO_02, common GPIO, which can be reused as SPI_MOSI and corresponds to Pin 23 of the IC
    3 P21 I/O GPIO_21, common GPIO, correspond to Pin 6 of the IC
    4 P16 I/O GPIO_16, common GPIO, correspond to Pin 10 of the IC
    5 ADC I/O GPIO_20, common GPIO, which can be used as ADC. The range of input voltage is 0 to 3.3V. Correspond to Pin 27 of the IC.
    6 L_RX I/O GPIO_17, UART_Log_RXD (used to receive information about the external logs of the module), which can be configured as a common GPIO
    7 L_TX I/O GPIO_13, UART_Log_TXD (used to send information about the internal logs of the module), which can be configured as a common GPIO
    8 P24 I/O GPIO_24, hardware PWM, correspond to Pin 8 of the IC
    9 P25 I/O GPIO_25, hardware PWM, correspond to Pin 7 of the IC
    10 P22 I/O GPIO_22, hardware PWM, correspond to Pin 4 of the IC
    11 P23 I/O GPIO_23, hardware PWM, correspond to Pin 3 of the IC
    12 P04 I/O GPIO_04, hardware PWM, correspond to Pin 21 of the IC
    13 GND P Power supply reference ground
    14 VCC P Power supply pin (3.3V)
    15 TXD I/O GPIO_6, UART0_TXD (user serial interface)
    16 RXD I/O GPIO_5, UART0_RXD (user serial interface)
    17 P15 I/O GPIO_15, common GPIO, correspond to Pin 28 of the IC
    18 RST I/O Reset pin, reset at low level. The module has been pulled to a high level and the user can control the pin externally.
    19 P14 I/O GPIO_14, common GPIO, correspond to Pin 29 of the IC
    20 P03 I/O GPIO_03, common GPIO, which can be reused as SPI_MISO and corresponds to Pin 22 of the IC
    21 P01 I/O GPIO_01, common GPIO, which can be reused as SPI_CS and corresponds to Pin 24 of the IC

    Of course, there are also non-Tuya ECR6600 modules, for example WG236, which is similar in form to ESP12 or CB3S/WB3S/TYWE3S:

    Electronic modules with SKYLAB labels and designations.
    Electronic module with connectors and labeled pins.

    ECR6600 devices
    ECR6600 has been observed in a few devices so far:
    - [ECR6600][BL0937] Tuya Wifi Smart Plug With Energy Measurement
    - [AXY2S] [ECR6600] Teardown LSC Connect Smart Wall Dimmer (3207304)
    Please let us know if you've managed to get an IoT device with ECR6600!


    Important pins
    For flashing, there are just a few important pins:
    - IO6/TX0 - programming port
    - IO5/RX0 - programming port
    - IO13/TX2 - boot log output - 115200 baud - use it to check if firmware boots correctly
    You may also need RST and obviously power pins (GND and 3.3V).

    Connection requirements
    ECR6600 connection for flashing is very similar to Beken - there is no GPIO0 like on ESP, you just need to reset when prompted.
    This procedure was tested with a WG236 module using an ESP adapter, but it should work with any ECR chip.
    Electronic module with pin labels and connectors.
    So, solder to GND, VCC, TX0 (GPIO6) and RX0 (GPIO5), however the real device allows it. Preferably also connect the RST pin, so you can reboot the device.

    Update 2026
    As of 2026, this platform read/write is also supported by our flash tool:
    https://github.com/openshwprojects/BK7231GUIFlashTool
    The connection (soldering, wires) is the same, but you can use our tool instead of the legacy one.
    Please check it out and use it instead of legacy tools, let us know how it works for you!

    Backup old firmware
    Firmware backup is always recommended; furthermore, you can always submit a flash dump to our repository to help us:
    https://github.com/openshwprojects/FlashDumps
    So, to back up the firmware, start by running the ESWIN RDTool.exe program after downloading and unzipping ESWIN_ECR6600_RDTool_v1.0.21.zip from https://github.com/openshwprojects/FlashTools/tree/main/TransaSemi-ESWIN
    Screenshot showing the contents of a folder with files and subfolders in a file manager.
    When loaded, double-click the develop tool plugin.
    Screenshot of a firmware upgrade tool.
    Select the single file tab and choose the file ECR6600F_stub_V1.3.1.bin from the unzipped files in the open dialog box after clicking select stub.
    Ensure the startup address is 0x10000 and select the correct COM port.
    Screenshot of a firmware upgrade tool program with a list of settings and files.
    At the moment you hit start, reset (ground CEN/RST) or power-on 3.3V to the device. The window of opportunity is very small so timing is crucial.
    Screenshot of a firmware upgrade tool with various configuration options.
    Switch to the flash tab, choose the port again and enter a start address of 0 and a read length of 0x400000 or 0x200000, depending on your chip flash size (4MB or 2MB). If not sure, first try 0x400000, then, in case of a "FLASH is not enough!" error, fall back to 0x200000. Select the save path and give your backup an informative name, e.g. Tuya_LSPA9_Backup_ECR6600.bin. Click start next to the save path to begin the device flash backup to file.
    Screenshot of firmware upgrade software with progress logs.
    Once the backup is done, please consider sharing it with us, but be aware: it will contain your SSID and other data after pairing, so it is better to back up the firmware before connecting the device to the cloud.

    Flashing new firmware - OpenECR6600
    Run RDTool as above, go to the develop tool plugin but navigate to all-in-one on the download tab. Download the latest OpenECR6600 UART flash binary from the release page https://github.com/openshwprojects/OpenBK7231T_App/releases/
    Choose the downloaded file after selecting all-in-one file path. Click start and perform CEN/RST or power-on quickly, just like with the backup.
    Flashing OBK does not require the same stub step that backup requires.
    Animation showing a firmware update tool interface.
    Reboot by doing a power off and power on cycle. The device's WiFi access point should appear, just like with Tasmota; connect to it and visit the configuration page to proceed. Everything as usual.
    Wi-Fi network name OpenECR6600_19B16353 with signal icon.
    Screenshot of the OpenECR6600 device management interface.
    At the time of writing (March 2025), our firmware release for this platform is a WIP testing version, so there still may be imperfections, but we'll try to increase the stability soon...


    Attachments
    ECR6600 datasheet:
    ECR6600 Da...t_V1.6.pdf (1.74 MB)

    ECR6600 pins functions (pinmux) table:
    ECR6600 Pi...Rev4.0.pdf (1.29 MB)

    RDToolV1.0.19.rar for flashing:
    RDToolV1...19.rar (57.97 MB)

    RD Tool User Guide_v2.0 guide pdf:
    RD Tool Us...e_v2.0.pdf (2.18 MB)

    Hardware Reference Design User guide:
    Hardware R...Rev5.0.pdf (1.96 MB)

    CDI-WX56600A-00 module documentation:
    cdtech_CDI...00A-00.pdf (399.78 kB)

    ECR6600 product brief:
    ECR6600-A..2D.pdf (234.32 kB)

    ECR6600_T_EVK_V2 development board schematic:
    ECR6600_T_.._V2.pdf (460.83 kB)

    SkyLab WG236 V1.04 datasheet_SL-22020220 (Chinese):
    SkyLab_WG2...0 - 副本.pdf (493.9 kB)

    SDK OTA doc (Chinese):
    ECR6600 SD...指南V1.0.pdf (508.25 kB)

    Summary
    This is how you can back up and flash ECR6600; this way you can also run it free from the cloud. That's how much we've found out so far; special thanks to @insmod for porting and @divadiow for research and testing. If you're reading this and have a device with an ECR chip or similar, let us know! We can help you with flashing and getting your device to run 100% local.
    PS: Don't forget related links:
    - YT guides: https://www.youtube.com/@elektrodacom
    - devices list: https://openbekeniot.github.io/webapp/devicesList.html
    - project repository: https://github.com/openshwprojects/OpenBK7231T_App
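
Added example (not part of the original post, and not code from the OpenBK project): a pre-share check for a flash dump, following the guide's warning that a backup taken after pairing contains the SSID and other data. It confirms the file is a full 2MB or 4MB read, flags a uniform (failed) read, and reports where strings you supply, such as your SSID, appear in plaintext; the function names, the 4 KiB sector size and the sample dump are assumptions made for illustration.

```python
"""Pre-share check for an ECR6600 flash dump (added example, constructed data)."""
import hashlib

# Full-chip read lengths named in the guide: 0x200000 (2MB) or 0x400000 (4MB).
FLASH_SIZES = {0x200000: "2MB", 0x400000: "4MB"}
SECTOR = 0x1000  # assumed 4 KiB granularity, used only for the blank-sector statistic


def flash_size_label(data: bytes) -> str:
    """Return '2MB' or '4MB' for a full-chip read; raise on a truncated or padded file."""
    if len(data) not in FLASH_SIZES:
        raise ValueError(
            f"unexpected dump length 0x{len(data):X}; expected 0x200000 or 0x400000"
        )
    return FLASH_SIZES[len(data)]


def blank_ratio(data: bytes) -> float:
    """Fraction of sectors that contain only 0xFF (erased flash)."""
    blank = b"\xff" * SECTOR
    total = len(data) // SECTOR
    erased = sum(data[i * SECTOR:(i + 1) * SECTOR] == blank for i in range(total))
    return erased / total


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def audit_dump(data: bytes, secrets: list) -> dict:
    """Summarise a dump and list plaintext hits for each string in secrets."""
    label = flash_size_label(data)
    # A read that returned one repeated byte (all 0xFF or all 0x00) is not a usable backup.
    uniform = data.count(data[:1]) == len(data)
    hits = {}
    for secret in secrets:
        if not secret:
            continue  # an empty string would match at every offset
        offsets = find_all(data, secret.encode("utf-8"))
        if offsets:
            hits[secret] = offsets
    return {
        "flash": label,
        "sha256": hashlib.sha256(data).hexdigest(),  # record alongside the shared file
        "blank_ratio": blank_ratio(data),
        "uniform_read": uniform,
        "hits": hits,
        "safe_to_share": not uniform and not hits,
    }


def make_sample_dump() -> bytes:
    """Constructed 2MB image: erased flash, a stand-in header, one planted SSID."""
    img = bytearray(b"\xff" * 0x200000)
    header = b"CONSTRUCTED-BOOT"   # placeholder bytes, not real firmware
    ssid = b"HomeNet-24"           # constructed SSID, planted at an arbitrary offset
    img[0:len(header)] = header
    img[0x1D5000:0x1D5000 + len(ssid)] = ssid
    return bytes(img)


if __name__ == "__main__":
    report = audit_dump(make_sample_dump(), ["HomeNet-24", "example-passphrase"])
    print("flash size   :", report["flash"])
    print("sha256       :", report["sha256"])
    print("blank sectors: {:.1%}".format(report["blank_ratio"]))
    for secret, offsets in report["hits"].items():
        print("found {!r} at {}".format(secret, [hex(o) for o in offsets]))
    print("safe to share:", report["safe_to_share"])
```

A clean result only rules out plaintext copies of the strings you listed; data stored encrypted or in another encoding is not detected, so taking the backup before pairing remains the reliable option.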

  • #2 21480857
    spectrality
    Level 7  
    Posts: 5
    Help: 1
    Rate: 2
    Hi,

    I have Plug with ECR6600 and BL0937, same as here: https://www.elektroda.com/rtvforum/topic4106357.html
    Flashed the latest OpenECR, but it looks like the BL0937 driver is not working. Am I missing something?

    My config is:
    
    {
      "vendor": "Tuya",
      "bDetailed": "0",
      "name": "Full Device Name Here",
      "model": "enter short model name here",
      "chip": "ECR6600",
      "board": "TODO",
      "flags": "1024",
      "keywords": [
        "TODO",
        "TODO",
        "TODO"
      ],
      "pins": {
        "14": "BL0937CF;0",
        "15": "BL0937SEL;0",
        "20": "BL0937CF1;0",
        "22": "WifiLED;0",
        "24": "Btn;1",
        "25": "Rel;1"
      },
      "command": "",
      "image": "https://obrazki.elektroda.pl/YOUR_IMAGE.jpg",
      "wiki": "https://www.elektroda.com/rtvforum/topic_YOUR_TOPIC.html"
    }
    
  • Helpful post
    #3 21480871
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21480857 First, have you configured pins correctly?
    Also attached a possible bl0937 fix, check and reply if it works for you.
    Attachments:
    • OpenBK7231T_App_1569_merge_22330ce7c7f3_OpenECR6600.zip (843.1 KB)
  • #4 21480916
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I think it would be helpful to introduce this already-mentioned "Counter" role that is basically just a HAL for change counter used by BL0937. We could then just add it to GPIODoctor and use it to investigate whether given pin is actually CF or CF1 of BL0937.
  • #5 21480938
    spectrality
    Level 7  
    Posts: 5
    Help: 1
    Rate: 2
    >>21480871

    Tried with your attached FW version. BL0937 still not working.
    Pins should be assigned correctly, tested connectivity with multimeter.

    Attaching original plug FW
    Attachments:
    • Tuya_Plug1_Backup_ECR6600.bin (2 MB)
  • #6 21480949
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21480938 You didn't specify what was wrong with BL0937 originally.
    Well, I decided to try to check what was wrong myself.
    It was very simple - the BL0937 driver was simply not included in the build.
    Wait until a binary is generated on GitHub, I will upload it as soon as I can.

    Added after 7 [minutes]:

    Try that
    Attachments:
    • OpenBK7231T_App_1569_merge_dabd8f3f2626_OpenECR6600.zip (845.84 KB)
  • #7 21480971
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    >>21480938

    yep. same fw version as other posted
    Code: Text
    Log in, to see the code


    Added after 1 [hours] 33 [minutes]:

    >>21479963

    to add that FlashDumps has version 1.0.19 of RDTool, attached to the main post, but also v1.0.21 which was used in the screenshots. v1.0.19 has a different second plugin, but still has the main develop tool one. The RF tester plugin content is the reason for the file size difference in zipped files

    Screenshot of RDTool V1.0.19 tool screen with two options: develop tool and Manufacture RF Test Tool.

    Screenshot showing the folder structure for RDToolV1.0.19 with information on size and usage of various directories.



    Additionally, to restore a full device backup file:
    - Navigate to the single file tab
    - Set port, stub and startup address as with backup procedure
    - Select your backup file from select in main file path area
    - Set begin address to 0x0
    - Check is download on same line
    - Click start next to startup address and RST/power-on quickly, as before

    Stub and backup will be done in one go.

    RDTool interface for firmware update.
  • #8 21481109
    spectrality
    Level 7  
    Posts: 5
    Help: 1
    Rate: 2
    >>21480949

    Now BL0937 driver is starting, but I'm receiving zero values.
    I still believe that I have pins configured correctly. As I understood, it is not possible to extract Tuya configuration from original firmware, as with BK chips?

    
    Voltage   0.0   V
    Current   0.000   A
    Power   0.00   W
    Apparent Power   0.00   VA
    Reactive Power   0.00   var
    Power Factor   1.00   
    Energy Total   0.000   kWh
    (changes sent 0, skipped 2068, saved 5) - BL0937
    Energy Clear Date: 2025-03-15 17:07:52
    NTP driver is not started, daily energy stats disabled.
    Periodic Statistics disabled. Use startup command SetupEnergyStats to enable function.
    1 drivers active (BL0937), total 16
    Channel 0 = 0.00, Channel 1 = 1.00
    Cfg size: 3584, change counter: 49, ota counter: 0, incomplete boots: 1 (might change to 0 if you wait to 30 sec)!
    Chip temperature: 43.0°C
    Wifi RSSI: Good (-50dBm)
    MQTT State: not configured
    


    
    Info:MAIN:Main_Init_Before_Delay
    Warn:CFG:CFG_InitAndLoad: Correct config has been loaded with 49 changes count.
    Error:CMD:no file early.bat err -2
    Info:EnergyMeter:Read ENERGYMETER status values. sizeof(ENERGY_METERING_DATA)=32
    Info:MAIN:Started BL0937.
    Info:GEN:PIN_SetupPins pins have been set up.
    Info:MAIN:Main_Init_Before_Delay done
    Info:MAIN:Main_Init_Delay
    Info:MAIN:Main_Init_Delay done
    Info:MAIN:Main_Init_After_Delay
    Info:MAIN:Using SSID [HUAWEI-0G1OM8]
    Info:MAIN:Using Pass [Chinese6+]
    Info:HTTP:TCP server listening
    Info:MQTT:MQTT_RegisterCallback called for bT ecr66005320D204/ subT ecr66005320D204/+/set
    Info:MQTT:MQTT_RegisterCallback called for bT obks/ subT obks/+/set
    Info:MQTT:MQTT_RegisterCallback called for bT cmnd/ecr66005320D204/ subT cmnd/ecr66005320D204/+
    Info:MQTT:MQTT_RegisterCallback called for bT cmnd/obks/ subT cmnd/obks/+
    Info:MQTT:MQTT_RegisterCallback called for bT ecr66005320D204/ subT ecr66005320D204/+/get
    Info:CMD:CMD_StartScript: started @startup at the beginning
    Info:CMD:CMD_StartScript: started autoexec.bat at the beginning
    Info:MAIN:Main_Init_After_Delay done
    Info:MAIN:Time 1, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
    Info:MAIN:Time 2, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
    Info:MAIN:Time 3, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
    Info:MAIN:Time 4, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
    Info:MAIN:Time 5, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
    Info:MAIN:Registered for wifi changes
    



    
    {
      "vendor": "Tuya",
      "bDetailed": "0",
      "name": "Full Device Name Here",
      "model": "enter short model name here",
      "chip": "ECR6600",
      "board": "TODO",
      "flags": "1024",
      "keywords": [
        "TODO",
        "TODO",
        "TODO"
      ],
      "pins": {
        "14": "BL0937CF;0",
        "15": "BL0937SEL;0",
        "20": "BL0937CF1;0",
        "22": "WifiLED;0",
        "24": "Btn;1",
        "25": "Rel;1"
      },
      "command": "",
      "image": "https://obrazki.elektroda.pl/YOUR_IMAGE.jpg",
      "wiki": "https://www.elektroda.com/rtvforum/topic_YOUR_TOPIC.html"
    }
    
  • #9 21481206
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    spectrality wrote:
    As I understood, it is not possible to extract Tuya configuration from original firmware, as with BK chips?

    I've checked with our flash tool and got this:
    
    Tuya config extractor - magic is at 1921024 
    WARNING - strange nextblock header C21C5F37
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header E84BA5F8
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 8D1CB576
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header EA527B9C
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 4E327288
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BDC7C597
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header A0ADE9EC
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header B0A01E70
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 679EA04
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 46003914
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 190E6AFB
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 622E483D
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 5B781A14
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 190E6AFB
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 190E6AFB
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 190E6AFB
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 44ACB83E
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 190E6AFB
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 424FACBE
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header BB52ED27
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 5471CD9A
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header A9EB8793
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header A9EB8793
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header A9EB8793
    WARNING - bad nextblock CRC
    WARNING - strange nextblock header 41E1A305
    WARNING - bad nextblock CRC
    Saving debug Tuya decryption data to lastRawDecryptedStrings.bin
    Failed to extract Tuya keys - no json start found
    
    

    This seems to indicate that config header is found in the binary, but encryption is different.
    Config header is defined as:
    Code: C#
    Log in, to see the code

    Interestingly enough, we get only errors on further blocks, and not on first - "Failed to extract Tuya keys - bad firstblock crc".

    I've double-checked, and it indeed passes first MAGIC and CRC check:
    Screenshot of Visual Studio displaying a code editor with an open programming project.
    First problem happens here:
    Screenshot of Visual Studio displaying C# code.
    This is after the call of myDecrypt... but first call of myDecrypt (firstblock) seems to be okay, interestingly enough.
    So what could be going wrong? Maybe makeSecondaryKey?

    Screenshot of C# code with red annotations.

    Related code:
    https://github.com/openshwprojects/BK7231GUIFlashTool/blob/main/BK7231Flasher/TuyaConfig.cs

    Added after 2 [minutes]:

    Do we know KV KEY SEED of ECR6600?
    A section of the build.conf configuration file related to OpenBK7231T software.

    Added after 11 [minutes]:

    Same?


    Screenshot showing a hex editor and a fragment of code in the background.

    Added after 4 [minutes]:

    I can also find this key in the binary: qwertyuiopasdfgh

    Only one missing is 8710_2M

    Added after 7 [minutes]:

    I'm trying to find this key in ASCII strings in the file...
    There are some interesting things like: keyge8wsy99n5pr7 ? DIFF2YA0 ? but that's not it
  • Helpful post
    #10 21481243
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    p.kaczmarek2 wrote:
    keyge8wsy99n5pr7

    these are in all Tuya devices, often seen in boot log. It's used with product key and sometimes fac_pin when pairing with Tuya.

    There's this in the boot log for this device

    Code: Text
    Log in, to see the code
  • #11 21481247
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    @divadiow , in our flasher, there are 3 keys:
    Code: C#
    Log in, to see the code

    but in the ECR binary, only 2 of them are seen. Does it mean that they changed 8710_2M?
    Furthermore, decrypt fails at second block, only after KEY_PART_1 is used.
  • #12 21481255
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    >>21481247

    oh I see. hmm. I'm seeing what I can find. nothing guessable like 6600_2M?
  • #13 21481270
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    It would help a lot to have Tuya SDK of ECR6600, I mean, complete, with KV_KEY_SEED define

    Added after 3 [minutes]:

    Remember how I said that first block is correctly read?

    These things match:
    divadiow wrote:

    Code: Text
    Log in, to see the code

    Screenshot of a code debugger in Visual Studio showing the Watch panel with byte array values.
    Everything breaks with makeSecondaryKey call I guess...
    Code: C#
    Log in, to see the code

    And I can see "HHRRQbyemofrtytf" string in flash, so I still suspect that 8710_2M was changed.
  • #14 21481313
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    @spectrality this version should work, I even tried to simulate bl0937 myself - and I got some values.
    Attachments:
    • OpenBK7231T_App_1569_merge_aaa8455fc6f8_OpenECR6600.zip (845.82 KB)
  • #15 21481360
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21481270
    I managed to get this from WBRG1 backup:
    {
       "dp3":"10",
       "dp5":"2",
       "dp30":"1",
       "dp39":"1",
       "dp40":"1",
       "dp44":"100",
       "dp41":"50",
       "dp46":"0"
    }
    

    With KEY_PART_1 8721D
    But trying it on WBR1D backup failed.
  • #16 21481367
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    just looking through tuyaos-iot_3.8.3_eswin_ecr6600_wifi-ble-tuyastack
    Code snippet in a text editor showing comments related to configuration.

    does it have to have that part specified?

    I did build it without any value but..
    Screenshot of the BK7231 Easy UART Flasher application with an error message.
  • #17 21481371
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    nice finding @insmod , but now look, if I search for this string in the dump of WBRG1 gateway, I can find it:
    Table with code text and data in an application window.
    The same goes for HHRRQbyemofrtytf:
    Screenshot of code with symbols and text in an editor window.
    Both tested on Tuya-Gateway-20250219-(8721csm_bt_zg_gw)_keym557nqw3p8p7m_WBRG1_1.7.2_p.kaczmarek2.

    So, it should be fair to assume, that the key for ECR6600 can be also found in the dump?

    Well, I've tried to dump all strings and use them as keys in a brute-force method, but it still failed. Maybe I am missing something obvious, but at least you confirmed that my initial idea is correct.
    Attachments:
    • extracted_strings.txt (114.77 KB)
  • #18 21481374
    insmod
    Level 31  
    Posts: 1356
    Help: 161
    Rate: 426
    >>21481371 WBR1D backup contains 8721D too, but it fails to extract anything still.
    That was just luck on my part
  • #19 21481382
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    divadiow wrote:

    does it have to have that part specified?

    I did build it without any value but..
    Screenshot of the BK7231 Easy UART Flasher application with an error message.

    The array is used by makeSecondaryKey function. I can remove it from calculation:
    Code difference for key in BK7231Flasher
    But it still fails for further sectors.

    But maybe Tuya does something else then.

    Added after 7 [minutes]:

    From non-ECR SDK:
    
    CONFIG_ENABLE_KV_KEY_SEED=y
    
    CONFIG_KV_KEY_SEED="8710_2M"
    
  • #21 21481402
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I also can't fail to notice that we don't even have source code that uses CONFIG_KV_KEY_SEED and such defines, neither in OpenBK7231T, nor in OpenBK7231N, so it looks like it's distributed by Tuya only in the binary blob?
  • Helpful post
    #22 21481407
    spectrality
    Level 7  
    Posts: 5
    Help: 1
    Rate: 2
    >>21481313

    Now BL0937 works, and my pin configuration was correct for this plug.

    Calibrated and everything seems working correctly.

    Thank you very much
  • #23 21481410
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    @spectrality Thank you for testing!

    Btw, where did you order that plug? Was it from Alie?
  • #25 21481424
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    @divadiow is this libtuyaos.a from your screenshot available in the SDK you linked to?
  • #26 21481432
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    >>21481424
    Attachments:
    • libtuyaos.zip (9.46 MB)
  • #27 21481441
    divadiow
    Level 38  
    Posts: 4878
    Help: 427
    Rate: 868
    hmm

    Screenshot showing a search window with results for the string qwertyuiopasdfgh.

    List of files with various extensions such as BIN and TXT, with dates and sizes.
    Attachments:
    • DebugAES.zip (1.75 KB)
  • #28 21481445
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    We could try to open it in Ghidra but I don't know which RISC is it:
    Screenshot of the Ghidra program with an open project named t23 and a file search window displayed.
    Language selection dialog in Ghidra
    Ideas? Or are you interested in getting Ghidra and trying?

    Added after 1 [minutes]:

    Function names are here but they can't be disassembled, probably I've chosen wrong RISC type.
    Screenshot of a software interface for code analysis.
  • #30 21481465
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14440
    Help: 650
    Rate: 12410
    I see, used SDK is nds32le-elf-mculib-v3s.tar.gz, but now it seems that we would need to compile Ghidra from source...

Topic summary

✨ The discussion focuses on the Eswin ECR6600 WiFi+Bluetooth SoC module used in IoT devices, particularly smart plugs with integrated BL0937 energy metering chips. Key topics include detailed pinout configurations, firmware flashing procedures via UART, and local firmware development to enable cloud-free operation with Home Assistant using Tasmota/esphome-like firmware ports. Users report initial issues with the BL0937 driver not functioning due to its exclusion from firmware builds, which was later resolved by including the driver and verifying correct pin assignments. Attempts to extract and decrypt Tuya configuration keys from original firmware backups reveal challenges due to changed secondary keys and CRC errors, complicating full firmware analysis and key extraction. The community explores using Tuya Wind IDE on Linux for SDK access, and reverse engineering efforts with Ghidra face difficulties due to the ECR6600’s NDS32 architecture and base address uncertainties. Firmware disassembly and key extraction are ongoing, with partial success in identifying key material and decrypting some blocks. Additional tests confirm the ECR6600 supports WiFi 6 (2.4 GHz only) and HTTP GET/POST commands for local network control, including file downloads via HTTP client functionality. Integration efforts include porting missing HAL functions like hal_machw_time and lwip_close_force for timing and socket management. Various ECR6600-based devices, including plugs ordered from AliExpress (e.g., TNCE 16A power monitors and E103-W11 modules), are tested for firmware backup, flashing, and local control capabilities. The discussion also covers SDK build issues, firmware memory mapping, and the need for improved tooling and documentation to fully support ECR6600 development and integration with open-source platforms.
Generated by the language model.

FAQ

TL;DR: With 2 MB or 4 MB flash and a "very small" boot window, ECR6600 devices can be backed up over UART, flashed with OpenECR6600, and then paired locally with Home Assistant instead of Tuya cloud. This guide is for users converting Tuya plugs, dimmers, and switches to fully local control. [#21479963]

Why it matters: It gives ECR6600 owners a repeatable path from unknown Tuya hardware to local firmware, backup safety, and practical pin mapping.

| Option | Chip/module family | Flashing method in thread | Local firmware status | Notable limitation |
|---|---|---|---|---|
| ECR6600 / AXYU / AXY2S / WG236 | ESWIN ECR6600 | UART with RDTool or BK7231GUIFlashTool | OpenECR6600 works; Home Assistant local use confirmed | Reset timing is critical |
| BK7231-based modules | Beken CB2S/WB2S/CBU-like | Similar UART workflow | Used as reference platform | Tuya config extraction behavior differs |
| ESP8266-based TYWE2S | ESP8266 | Mentioned as module comparison | Familiar baseline for users | ECR6600 has no GPIO0-style flash pin |

Key insight: ECR6600 flashing is straightforward once wiring is correct: use TX0, RX0, 3.3 V, GND, and usually RST, then hit reset exactly when the tool starts. The harder part is often pin mapping or Tuya config extraction, not writing firmware.

Quick Facts

  • ECR6600 is a Wi‑Fi + BLE SoC with 2.4 GHz 802.11 b/g/n/ax, BLE 5.0, an Andes D10 at 160 MHz up to 240 MHz, 512 KB SRAM, and 2 MB or 4 MB flash variants. [#21479963]
  • The flashing UART uses IO6/TX0 and IO5/RX0; IO13/TX2 outputs boot logs at 115200 baud, which helps confirm whether firmware actually boots. [#21479963]
  • RDTool backup reads from address 0x0 with length 0x400000 for 4 MB parts or 0x200000 for 2 MB parts; if RDTool reports "FLASH is not enough!", switch to 0x200000. [#21479963]
  • AXY2S is an 11-pin Tuya-style ECR6600 module, while AXYU is a 21-pin CBU-shaped module exposing extra GPIOs such as P00, P01, P02, P03, P04, P21, P23, and dedicated L_RX/L_TX log pins. [#21479963]
  • In March 2025, a BL0937 plug issue was traced to a build error: the BL0937 driver was not included in the binary, and a rebuilt firmware fixed zero readings. [#21480949]

What is the Eswin ECR6600, and how does it compare to BK7231, ESP8266, and other Tuya Wi-Fi modules for local firmware use?

ECR6600 is a Wi‑Fi and Bluetooth SoC used in Tuya-style modules such as AXY2S and AXYU, and it can run local OpenECR6600 firmware. It offers 2.4 GHz 802.11 b/g/n/ax, BLE 5.0, 512 KB SRAM, and 2 MB or 4 MB flash. In the thread, it is compared to BK7231 modules like CB2S and WB2S and to the ESP8266-based TYWE2S because those are familiar Tuya module formats. For local use, the big practical difference is flashing: ECR6600 has no ESP-style GPIO0 boot strap and instead relies on reset timing during UART flashing. [#21479963]

How do I flash an ECR6600 device over UART with RDTool and OpenECR6600 for a fully local Home Assistant setup?

You flash it over UART, then join the new AP and finish setup like Tasmota.

1. Wire 3.3 V, GND, TX0 on GPIO6, RX0 on GPIO5, and preferably RST.
2. In RDTool, open the develop tool, use the download tab, choose the all-in-one OpenECR6600 UART binary, click Start, then reset or power-cycle the board immediately.
3. After flashing, power-cycle again, connect to the firmware access point, open the configuration page, and add it to Home Assistant locally.

The thread states this was already working in March 2025, though the release was still marked WIP testing. [#21479963]

What are the important ECR6600 flashing pins, and how are TX0, RX0, IO13, RST, 3.3V, and GND used during backup and programming?

The essential pins are TX0, RX0, 3.3 V, GND, and usually RST. TX0 is IO6 and RX0 is IO5; they form the user UART used for backup and flashing. IO13 is TX2 and outputs boot logs at 115200 baud, so it helps verify whether the firmware starts after programming. RST lets you hit the short boot window without repeatedly removing power. 3.3 V powers the module, and GND is the common reference. The thread’s tested wiring used an ESP adapter on a WG236 module, but the same signal roles apply across ECR6600 modules. [#21479963]

What's the difference between BK7231GUIFlashTool and the legacy ESWIN RDTool for reading and writing ECR6600 flash?

BK7231GUIFlashTool is the newer multi-platform flasher, while RDTool is the original ESWIN utility shown in the screenshots. The main post says ECR6600 read and write support was added to BK7231GUIFlashTool in 2026, with the same soldering and UART wiring as RDTool. RDTool remains the documented legacy workflow for backup, restore, and flashing OpenECR6600. Later thread feedback showed mixed real-world results: one user reported BK7231GUIFlashTool v.228 failed with wrong-header errors, while another flashed successfully at 921600 baud. If you want the most proven path from the thread, RDTool is still the safest first choice. [#21823087]

How do I back up the original ECR6600 firmware, and which read length should I use for 2 MB vs 4 MB flash chips?

Back up first with RDTool’s stub workflow, then read the whole flash from address 0x0. In RDTool, open develop tool, go to single file, load ECR6600F_stub_V1.3.1.bin, set startup address to 0x10000, and trigger reset exactly when you click Start. Then switch to the flash tab, enter start address 0 and read length 0x400000 for 4 MB or 0x200000 for 2 MB. If you do not know the size, try 0x400000 first. If RDTool says "FLASH is not enough!", retry with 0x200000 and save the dump under a descriptive filename. [#21479963]

Why does RDTool on ECR6600 require precise reset timing, and what is the easiest way to catch the boot window reliably?

RDTool needs precise timing because the bootloader accepts the UART session only in a very short window after reset or power-up. The thread explicitly says "the window of opportunity is very small," so clicking Start alone is not enough. The easiest reliable method is to wire the RST pin and ground it exactly when RDTool starts, instead of pulling power each time. If RST is unavailable, power-cycle 3.3 V at the same moment. Using IO13 boot logs at 115200 baud also helps confirm whether you missed the window or the firmware simply failed to boot. [#21479963]

What is AXYU or AXY2S in the context of ECR6600 devices, and how do their pinouts differ from WG236-style modules?

AXY2S and AXYU are Tuya-style ECR6600 modules, while WG236 is a non-Tuya module in an ESP-12 or CB3S-like format. "AXYU is a module board that exposes the ECR6600 SoC in a CBU-shaped 21-pin footprint, with UART, ADC, PWM-capable GPIOs, and dedicated log pins for integration into Tuya devices." AXY2S is smaller, with 11 pins including VBAT, GND, RX, TX, ADC, RST, and a few PWM GPIOs. AXYU exposes many more signals, including P00–P04, P21, P23, P24, P25, TXD, RXD, L_TX, and L_RX, so it is easier to probe and repurpose. [#21479963]

Why was the BL0937 energy meter showing all zero values on OpenECR6600, and how was that issue fixed in the thread?

It showed zero because the BL0937 driver was missing from the build, not because the reported plug pinout was wrong. The user first flashed an OpenECR build and saw the driver start but every reading stayed at 0.0 V, 0.000 A, and 0.00 W. After investigation, the maintainer said the cause was simple: "BL0937 driver was simply not included in the build." A new binary was generated and uploaded, and the tester later confirmed that BL0937 then worked correctly and could be calibrated. [#21480949]

How can I verify BL0937 CF, CF1, and SEL pin assignments on an ECR6600 smart plug when the driver starts but readings stay at zero?

Verify them by checking pulse activity, not only continuity. The thread suggests adding a Counter role as a simple HAL-backed change counter, then using GPIO Doctor to see which pin actually carries BL0937 pulse traffic. That helps distinguish CF from CF1 when the driver loads but readings remain zero. One tested plug used pin 14 for BL0937CF, 15 for BL0937SEL, and 20 for BL0937CF1, but the maintainers still wanted a counter-based method to confirm assignments on future boards. If the driver runs and values stay at zero, first suspect missing pulses or swapped CF and CF1. [#21480916]

Why does Tuya config extraction from ECR6600 backups fail after the first block, and what does the thread suggest about changed secondary keys or TuyaOS 3 storage?

It fails because the first block decrypts, but later blocks fail header and CRC checks, which points to a changed secondary key or a different storage scheme. The extractor found the Tuya config magic at offset 1921024, passed the first MAGIC and CRC checks, then produced repeated "strange nextblock header" and "bad nextblock CRC" warnings. The thread’s main hypothesis was that ECR6600 changed KEY_PART_1 used by makeSecondaryKey, while a related idea was that newer TuyaOS 3 firmware stores config differently from older BK-based devices. In short, the parser understands the opening block but not the follow-up encryption logic. [#21481206]

What is KV_KEY_SEED in Tuya firmware, and why does it matter when trying to decrypt or extract configuration from ECR6600 dumps?

KV_KEY_SEED is the short seed string used to derive part of Tuya’s secondary flash-encryption key for stored configuration. "KV_KEY_SEED is a Tuya firmware configuration value that feeds key derivation for encrypted key-value storage, and changing it breaks block decryption even when the first flash header still matches." In the thread, older non-ECR examples used CONFIG_KV_KEY_SEED="8710_2M", but ECR6600 binaries appeared to contain only some known key parts, not that seed. Because decryption failed right after makeSecondaryKey was applied, the maintainers suspected ECR6600 used a different KV seed or a modified derivation path. [#21481270]

How do I restore a full ECR6600 backup in RDTool after saving the original flash image?

Restore the full dump from RDTool’s single file tab using the same stub setup as backup.

1. Open develop tool, choose single file, select the same stub, set the port, and keep startup address at 0x10000.
2. In the main file path area, choose your saved backup file, set begin address to 0x0, and check is download.
3. Click Start next to startup address and immediately reset or power-cycle the device.

The thread notes that stub upload and full-flash restore then happen in one go, so you do not need a separate restore stage. [#21480971]

What is NDS32 in relation to the ECR6600 SDK, and how were people in the thread using Ghidra to analyze ECR6600 binaries?

NDS32 is the Andes CPU architecture used by ECR6600, and it is why stock reverse-engineering setups struggled with the binaries. The thread found the SDK used nds32le-elf-mculib-v3s, then built a custom Ghidra version with NDS32 processor support from an external branch. After that, users could at least open binaries and view disassembly. They searched for strings, constants like 0x13579753, and boot-log references such as the key print path to locate simple_flash and key-handling routines. The goal was to trace where ECR6600 derives or loads the Tuya secondary decryption key. [#21481465]
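
The string and constant search described above, as an added example (not code from the thread or from the OpenECR6600 project): it checks a dump's length against the two full-backup sizes, finds the 32-bit constant 0x13579753 in both byte orders, and lists printable strings near each hit. The function names, the sample image and its offsets are constructed for illustration.

```python
import re
import struct

# Full-flash read lengths the thread gives for RDTool backups.
FLASH_SIZES = {0x200000: "2 MB", 0x400000: "4 MB"}

def flash_size_label(dump: bytes) -> str:
    """Name the flash size if the dump length matches a full backup."""
    return FLASH_SIZES.get(len(dump), "partial or unexpected length")

def find_all(dump: bytes, needle: bytes) -> list[int]:
    """Return every offset of needle, overlapping hits included."""
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits

def find_constant(dump: bytes, value: int) -> dict[str, list[int]]:
    """Locate a 32-bit constant in both byte orders.

    The nds32le toolchain is little-endian, so "le" hits are the likely
    data words; "be" hits are reported only for completeness.
    """
    return {"le": find_all(dump, struct.pack("<I", value)),
            "be": find_all(dump, struct.pack(">I", value))}

def strings_near(dump: bytes, offset: int, radius: int = 64, min_len: int = 6) -> list[str]:
    """Printable ASCII runs around an offset, to give a hit some context."""
    window = dump[max(0, offset - radius): offset + radius]
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, window)]

def build_sample_dump() -> bytes:
    """Constructed 2 MB image (not a real device dump) with planted markers."""
    img = bytearray(b"\xff" * 0x200000)
    img[0x1000:0x1010] = b"qwertyuiopasdfgh"             # string searched in the thread
    img[0x1020:0x1024] = struct.pack("<I", 0x13579753)   # constant named in the thread
    img[0x150000:0x150004] = struct.pack("<I", 0x13579753)
    return bytes(img)

if __name__ == "__main__":
    dump = build_sample_dump()
    print("flash size:", flash_size_label(dump))
    for order, offsets in find_constant(dump, 0x13579753).items():
        for off in offsets:
            print(f"{order} hit at 0x{off:06x}, nearby strings: {strings_near(dump, off)}")
```

On a real backup, replace `build_sample_dump()` with the bytes of your own saved dump file; file offsets still need the image base address before they can be matched to addresses in Ghidra.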

How can I find relay, button, and LED pins on an unknown ECR6600 switch using GPIO Doctor and boot logs without a published template?

Use GPIO Doctor for live testing, then confirm with the original firmware boot log. One maintainer advised testing unconfigured pins as outputs while the device is on mains; when a relay clicks, you found the relay pin. For buttons, the user had already identified them, and for LEDs, the thread notes they are often tied to the same logic as relays on many switches. Boot logs from the factory dump can list initialized pins, which helps narrow candidates. This method produced a full 3-gang mapping, including buttons on 0, 2, 17 and relay-related pins on 14, 15, 22, 23, 24, and 25. [#21616102]

How do I build or configure OpenBK/OpenECR6600 so SendGet can use HTTPS instead of HTTP, especially for requests to services like Google Apps Script?

You need a build that enables HTTPS in the platform SDK, because the tested SendGet path only supports plain HTTP by default. The thread confirms this directly: a user tried sending a Google Apps Script request and was told SendGET could only do HTTP unless OpenBK was built with secure support. On ECR6600 specifically, one maintainer noted that mbedTLS is enabled by default in the SDK, so HTTPS may be possible there, but no finished OpenBK HTTPS procedure was provided. The practical limitation is clear: unmodified SendGet works for http://..., not for https://... targets like Google Apps Script. [#21640832]
Generated by the language model.