Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant

p.kaczmarek2 4299 72

Post #1

21479963 14 Mar 2025 21:03

This topic covers detailed information about ECR6600 WiFi modules, datasheets, pinout, and firmware backup via UART and write procedure required to run ESWIN chips locally. Thanks to this, it's possible to pair ECR6600 devices with Home Assistant and use them free from the cloud. We'll use our Tasmota/esphome-like firmware port, as seen here.

What is ECR6600?
ECR6600 is an SoC WiFi+BT combo chip found in some IoT, featuring:
- WiFi connectivity, 2.4G, 802.11b/g/n/ax, 1T1R, DCM, HE20, MCS7, TX=+17dBm, Soft AP/Station/Direct mode
- Bluetooth connectivity, BLE 5.0, AFH, TX=+10dBm
- RF, Built-in PA, LNA, Switch, and Balun
- processor, Andes D10 @160MHz (up to 240MHz), FPU
- memory, 512KB SRAM, 48KB ROM, 32KB Cache, 2MB/4MB Flash, XIP
- peripherals, GPIOs, HS-UART, QSPI, PWM, I2C, I2S, SDIO, ADC(1MSPS), IR
- security, TRNG, Secure Boot, AES256, HASH, WPA/WPA2/WPA3, WPS, WEP
- operating temperature, -40~+105℃
ECR6600 can be found in two surface-mount packages, ECR6600-40D (5x5 QFN40), and ECR6600-TSxD/L (4x4 QFN32):

Diagrams of two ECR6600 integrated circuits in QFN40 and QFN32 packages.

See the table for the full list of variants:

Variant	Packaging
ECR6600-40D	QFN40 5x5
ECR6600-TS2D	QFN32 4x4
ECR6600-TS2L	QFN32 4x4
ECR6600-TS4D	QFN32 4x4
ECR6600-TS4L	QFN32 4x4

ECR6600 modules
ECR6600 can be found in a form of some Tuya modules, for example, AXY2S, which is similar to Beken-based CB2S, WB2S or ESP8266-based TYWE2S.

Top view schematic of an electronic module.

Pinout:

Pin number	Symbol	Type	Function
1	VBAT	P	Power supply pin (3.3V)
2	P25	I/O	GPIO_25, hardware PWM, correspond to Pin 7 of the IC
3	GND	P	Power supply reference ground
4	P24	I/O	GPIO_24, hardware PWM, correspond to Pin 8 of the IC
5	RX	I/O	GPIO_5, UART0_RXD (user serial interface)
6	P22	I/O	GPIO_22, hardware PWM, Pin 4 of the IC
7	TX	I/O	GPIO_6, UART0_TXD (user serial interface)
8	ADC	AI	GPIO_20, common GPIO, which can be used as ADC. The range of input voltage is 0 to 3.3V. Correspond to Pin 27 of the IC.
9	P15	I/O	GPIO_15, hardware PWM, Pin 28 of the IC
10	RST	I/O	Reset pin, reset at a low level. The module has been pulled to a high level and the user can control the pin externally.
11	P14	I/O	GPIO_14, hardware PWM, correspond to Pin 29 of the IC

Another similar module is AXYU, which is in form of a well-known CBU.

Technical drawing of an electronic module with top and bottom views.

Pinout:

Pin number	Symbol	Type	Function
1	P00	I/O	GPIO_00, common GPIO, which can be reused as SPI_SCK and corresponds to Pin 25 of the IC
2	P02	I/O	GPIO_02, common GPIO, which can be reused as SPI_MOSI and corresponds to Pin 23 of the IC
3	P21	I/O	GPIO_21, common GPIO, correspond to Pin 6 of the IC
4	P16	I/O	GPIO_16, common GPIO, correspond to Pin 10 of the IC
5	ADC	I/O	GPIO_20, common GPIO, which can be used as ADC. The range of input voltage is 0 to 3.3V. Correspond to Pin 27 of the IC.
6	L_RX	I/O	GPIO_17, UART_Log_RXD (used to receive information about the external logs of the module), which can be configured as a common GPIO
7	L_TX	I/O	GPIO_13, UART_Log_TXD (used to send information about the internal logs of the module), which can be configured as a common GPIO
8	P24	I/O	GPIO_24, hardware PWM, correspond to Pin 8 of the IC
9	P25	I/O	GPIO_25, hardware PWM, correspond to Pin 7 of the IC
10	P22	I/O	GPIO_22, hardware PWM, correspond to Pin 4 of the IC
11	P23	I/O	GPIO_23, hardware PWM, correspond to Pin 3 of the IC
12	P04	I/O	GPIO_04, hardware PWM, correspond to Pin 21 of the IC
13	GND	P	Power supply reference ground
14	VCC	P	Power supply pin (3.3V)
15	TXD	I/O	GPIO_6, UART0_TXD (user serial interface)
16	RXD	I/O	GPIO_5, UART0_RXD (user serial interface)
17	P15	I/O	GPIO_15, common GPIO, correspond to Pin 28 of the IC
18	RST	I/O	Reset pin, reset at low level. The module has been pulled to a high level and the user can control the pin externally.
19	P14	I/O	GPIO_14, common GPIO, correspond to Pin 29 of the IC
20	P03	I/O	GPIO_03, common GPIO, which can be reused as SPI_MISO and corresponds to Pin 22 of the IC
21	P01	I/O	GPIO_01, common GPIO, which can be reused as SPI_CS and corresponds to Pin 24 of the IC

Of course, there are also non-Tuya ECR6600 modules, for example, WG236, which is in form similar to ESP12 or CB3S/WB3S/TYWE3S:

Electronic modules with SKYLAB labels and designations.

Electronic module with connectors and labeled pins.

ECR6600 devices
ECR6600 has been observed in few devices so far:
- [ECR6600][BL0937] Tuya Wifi Smart Plug With Energy Measurement
- [AXY2S] [ECR6600] Teardown LSC Connect Smart Wall Dimmer (3207304)
Please let us know if you've managed to get IoT device with ECR6600!

Important pins
For the flashing, there are just few important pins:
- IO6/TX0 - programming port
- IO5/RX0 - programming port
- IO13/TX2 - boot log output - 115200 baud - use it to check if firmware boots correctly
You may also need RST and obviously power pins (GND and 3.3V).

Connection requirements
ECR6600 connection for flashing is very similar to Beken - there is no GPIO0 like on ESP, you just need to reset when prompted.
This procedure was tested with a WG236 module using an ESP adapter, but it should work with any ECR chip.

Electronic module with pin labels and connectors.

So, solder to GND, VCC and TX0 (GPIO6) and RX0 (GPIO5) according to however real device allows this if possible. Also preferably RST pin, so you can do reboot.

Backup old firmware
Firmware backup is always recommended; furthermore, you can always submit a flash dump to our repository to help us:
https://github.com/openshwprojects/FlashDumps
So, to backup the firmware - start by running the ESWIN RDTool.exe program after downloading and unzipping ESWIN_ECR6600_RDTool_v1.0.21.zip from https://github.com/openshwprojects/FlashTools/tree/main/TransaSemi-ESWIN

Screenshot showing the contents of a folder with files and subfolders in a file manager.

When loaded double-click the develop tool plugin.

Select the single file tab and choose the file ECR6600F_stub_V1.3.1.bin from the unzipped files in the open dialog box after clicking select stub.
Ensure the startup address is 0x10000 and select the correct COM port

Screenshot of a firmware upgrade tool program with a list of settings and files.

At the moment you hit start, reset (ground CEN/RST) or power-on 3.3V to the device. The window of opportunity is very small so timing is crucial.

Screenshot of a firmware upgrade tool with various configuration options.

Switch to the flash tab, choose port again and enter start address of 0 and read length of 0x400000 or 0x200000, depending on your chip flash size (4MB or 2MB). If not sure, first try 0x400000, then, in case of "FLASH is not enough!" error, fall back to 0x200000. Select save path and give your backup an informative name eg; Tuya_LSPA9_Backup_ECR6600.bin. Click start next to save path to begin device flash backup to file.

Screenshot of firmware upgrade software with progress logs.

Once backup is done, please consider sharing it with us, but be aware - it will contain your SSID and other data after pairing, so better backup firmware before connecting device to the cloud.

Flashing new firmware - OpenECR6600
Run RDTool as above, go to the develop tool plugin but navigate to all-in-one on the download tab. Download the latest OpenECR600 UART flash binary from the release page https://github.com/openshwprojects/OpenBK7231T_App/releases/
Choose the downloaded file after selecting all-in-one file path. Click start and perform CEN/RST or power-on quickly, just like with the backup.
Flashing OBK does not require the same stub step that backup requires.

Animation showing a firmware update tool interface.

Reboot by doing power off and power on cycle. The device WiFi access point should appear, just like with Tasmota, connect to it and visit configuration page to proceed. Everything as usual.

Wi-Fi network name OpenECR6600_19B16353 with signal icon.

Screenshot of the OpenECR6600 device management interface.

At the time of writing (March 2025), our firmware release for this platform is a WIP testing version, so there still may be imperfections, but we'll try to increase the stability soon...

Attachments
ECR6600 datasheet:
ECR6600 Da...t_V1.6.pdf Download (1.74 MB)

ECR6600 pins functions (pinmux) table:
ECR6600 Pi...Rev4.0.pdf Download (1.29 MB)

RDToolV1.0.19.rar for flashing:
RDToolV1...19.rar Download (57.97 MB)

RD Tool User Guide_v2.0 guide pdf:
RD Tool Us...e_v2.0.pdf Download (2.18 MB)

Hardware Reference Design User guide:
Hardware R...Rev5.0.pdf Download (1.96 MB)

CDI-WX56600A-00 module documentation:
cdtech_CDI...00A-00.pdf Download (399.78 kB)

ECR6600 product brief:
ECR6600-A..2D.pdf Download (234.32 kB)

ECR6600_T_EVK_V2 development board schematic:
ECR6600_T_.._V2.pdf Download (460.83 kB)

SkyLab WG236 V1.04 datasheet_SL-22020220 (chinese):
SkyLab_WG2...0 - 副本.pdf Download (493.9 kB)

SDK OTA doc (chinese):
ECR6600 SD...指南V1.0.pdf Download (508.25 kB)

Summary
This is how you can backup and flash ESR6600, this way you can also run it free from the cloud. That's how much we've found out so far, special thanks for @insmod for porting and @divadiow for research and testing. If you're reading it, and have device with ECR chip or similar, let us know! We can help you with flashing and getting your device to run 100% local.
PS: Don't forget related links:
- YT guides: https://www.youtube.com/@elektrodacom
- devices list: https://openbekeniot.github.io/webapp/devicesList.html
- project repository: https://github.com/openshwprojects/OpenBK7231T_App

Cool? Ranking DIY

Helpful post? Buy me a coffee.

About Author

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Offline

p.kaczmarek2 wrote 11955 posts with rating 9993, helped 572 times. Been with us since 2014 year.

#2 21480857 15 Mar 2025 15:33

spectrality spectrality

Level 7

Post #2

21480857 15 Mar 2025 15:33

Hi,

I have Plug with ECR6600 and BL0937, same as here: https://www.elektroda.com/rtvforum/topic4106357.html
Flashed lasted OpenECR, but looks like BL0937 driver is not working. Is I missing something ?

My config is:


{
  "vendor": "Tuya",
  "bDetailed": "0",
  "name": "Full Device Name Here",
  "model": "enter short model name here",
  "chip": "ECR6600",
  "board": "TODO",
  "flags": "1024",
  "keywords": [
    "TODO",
    "TODO",
    "TODO"
  ],
  "pins": {
    "14": "BL0937CF;0",
    "15": "BL0937SEL;0",
    "20": "BL0937CF1;0",
    "22": "WifiLED;0",
    "24": "Btn;1",
    "25": "Rel;1"
  },
  "command": "",
  "image": "https://obrazki.elektroda.pl/YOUR_IMAGE.jpg",
  "wiki": "https://www.elektroda.com/rtvforum/topic_YOUR_TOPIC.html"
}

Helpful post

#3 21480871 15 Mar 2025 15:45

insmod insmod

Level 24
Helpful post? (+1)

Helpful post
Post #3
21480871 15 Mar 2025 15:45

>>21480857 First, have you configured pins correctly?
Also attached a possible bl0937 fix, check and reply if it works for you.

Attachments:

OpenBK7231T_App_1569_merge_22330ce7c7f3_OpenECR6600.zip Download (843.1 KB)
#4 21480916 15 Mar 2025 16:10

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #4
21480916 15 Mar 2025 16:10

I think it would be helpful to introduce this already-mentioned "Counter" role that is basically just a HAL for change counter used by BL0937. We could then just add it to GPIODoctor and use it to investigate whether given pin is actually CF or CF1 of BL0937.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#5 21480938 15 Mar 2025 16:26

spectrality spectrality

Level 7
Helpful post? (+1)

Post #5
21480938 15 Mar 2025 16:26

>>21480871

Tried with your attached FW version. BL0937 still not working.
Pins should be assigned correctly, tested connectivity with multimeter.

Attaching original plug FW

Attachments:

Tuya_Plug1_Backup_ECR6600.bin Download (2 MB)
ADVERTISEMENT
#6 21480949 15 Mar 2025 16:41

insmod insmod

Level 24
Helpful post? (0)

Post #6
21480949 15 Mar 2025 16:41

>>21480938 You didn't specify what was wrong with BL0937 originally.
Well, i decided to try to check what was wrong myself.
It was very simple - BL0937 driver was simply not included in the build.
Wait until a binary is generated on github, i will upload it as soon as i can.

Added after 7 [minutes]:

Try that

Attachments:

OpenBK7231T_App_1569_merge_dabd8f3f2626_OpenECR6600.zip Download (845.84 KB)
#7 21480971 15 Mar 2025 18:19

divadiow divadiow

Level 34

Helpful post? (0)

Post #7
21480971 15 Mar 2025 18:19

>>21480938

yep. same fw version as other posted
Code: Text
Log in, to see the code

Added after 1 [hours] 33 [minutes]:

>>21479963

to add that FlashDumps has version 1.0.19 of RDTool, attached to the main post, but also v1.0.21 which was used in the screenshots. v1.0.19 has a different second plugin, but still has the main develop tool one. The RF tester plugin content is the reason for the file size difference in zipped files

Additionally, to restore a full device backup file:
-Navigate to the single file tab
-Set port, stub and startup address as with backup procedure
-Select your backup file from select in main file path area
-Set begin address to 0x0
-Check is download on same line
-Click start next to startup address and RST/power-on quickly, as before

Stub and backup will be done in one go.

#8 21481109 15 Mar 2025 18:26

spectrality spectrality

Level 7

Post #8

21481109 15 Mar 2025 18:26

>>21480949

Now BL0937 driver is starting, but I'm receiving zero values.
I still believe, that I have pins configured correctly. As I understood, it is not possible to extract Tuya configuration from original firmware, as with BK chips?


Voltage   0.0   V
Current   0.000   A
Power   0.00   W
Apparent Power   0.00   VA
Reactive Power   0.00   var
Power Factor   1.00   
Energy Total   0.000   kWh
(changes sent 0, skipped 2068, saved 5) - BL0937
Energy Clear Date: 2025-03-15 17:07:52
NTP driver is not started, daily energy stats disabled.
Periodic Statistics disabled. Use startup command SetupEnergyStats to enable function.
1 drivers active (BL0937), total 16
Channel 0 = 0.00, Channel 1 = 1.00
Cfg size: 3584, change counter: 49, ota counter: 0, incomplete boots: 1 (might change to 0 if you wait to 30 sec)!
Chip temperature: 43.0°C
Wifi RSSI: Good (-50dBm)
MQTT State: not configured


Info:MAIN:Main_Init_Before_Delay
Warn:CFG:CFG_InitAndLoad: Correct config has been loaded with 49 changes count.
Error:CMD:no file early.bat err -2
Info:EnergyMeter:Read ENERGYMETER status values. sizeof(ENERGY_METERING_DATA)=32
Info:MAIN:Started BL0937.
Info:GEN:PIN_SetupPins pins have been set up.
Info:MAIN:Main_Init_Before_Delay done
Info:MAIN:Main_Init_Delay
Info:MAIN:Main_Init_Delay done
Info:MAIN:Main_Init_After_Delay
Info:MAIN:Using SSID [HUAWEI-0G1OM8]
Info:MAIN:Using Pass [Chinese6+]
Info:HTTP:TCP server listening
Info:MQTT:MQTT_RegisterCallback called for bT ecr66005320D204/ subT ecr66005320D204/+/set
Info:MQTT:MQTT_RegisterCallback called for bT obks/ subT obks/+/set
Info:MQTT:MQTT_RegisterCallback called for bT cmnd/ecr66005320D204/ subT cmnd/ecr66005320D204/+
Info:MQTT:MQTT_RegisterCallback called for bT cmnd/obks/ subT cmnd/obks/+
Info:MQTT:MQTT_RegisterCallback called for bT ecr66005320D204/ subT ecr66005320D204/+/get
Info:CMD:CMD_StartScript: started @startup at the beginning
Info:CMD:CMD_StartScript: started autoexec.bat at the beginning
Info:MAIN:Main_Init_After_Delay done
Info:MAIN:Time 1, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
Info:MAIN:Time 2, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
Info:MAIN:Time 3, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
Info:MAIN:Time 4, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
Info:MAIN:Time 5, idle 0/s, free 197728, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/20 
Info:MAIN:Registered for wifi changes


{
  "vendor": "Tuya",
  "bDetailed": "0",
  "name": "Full Device Name Here",
  "model": "enter short model name here",
  "chip": "ECR6600",
  "board": "TODO",
  "flags": "1024",
  "keywords": [
    "TODO",
    "TODO",
    "TODO"
  ],
  "pins": {
    "14": "BL0937CF;0",
    "15": "BL0937SEL;0",
    "20": "BL0937CF1;0",
    "22": "WifiLED;0",
    "24": "Btn;1",
    "25": "Rel;1"
  },
  "command": "",
  "image": "https://obrazki.elektroda.pl/YOUR_IMAGE.jpg",
  "wiki": "https://www.elektroda.com/rtvforum/topic_YOUR_TOPIC.html"
}

#9 21481206 15 Mar 2025 19:49

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Post #9

21481206 15 Mar 2025 19:49

spectrality wrote:
As I understood, it is not possible to extract Tuya configuration from original firmware, as with BK chips?

I've checked with our flash tool and got this:


Tuya config extractor - magic is at 1921024 
WARNING - strange nextblock header C21C5F37
WARNING - bad nextblock CRC
WARNING - strange nextblock header E84BA5F8
WARNING - bad nextblock CRC
WARNING - strange nextblock header 8D1CB576
WARNING - bad nextblock CRC
WARNING - strange nextblock header EA527B9C
WARNING - bad nextblock CRC
WARNING - strange nextblock header 4E327288
WARNING - bad nextblock CRC
WARNING - strange nextblock header BDC7C597
WARNING - bad nextblock CRC
WARNING - strange nextblock header A0ADE9EC
WARNING - bad nextblock CRC
WARNING - strange nextblock header B0A01E70
WARNING - bad nextblock CRC
WARNING - strange nextblock header 679EA04
WARNING - bad nextblock CRC
WARNING - strange nextblock header 46003914
WARNING - bad nextblock CRC
WARNING - strange nextblock header 190E6AFB
WARNING - bad nextblock CRC
WARNING - strange nextblock header 622E483D
WARNING - bad nextblock CRC
WARNING - strange nextblock header 5B781A14
WARNING - bad nextblock CRC
WARNING - strange nextblock header 190E6AFB
WARNING - bad nextblock CRC
WARNING - strange nextblock header 190E6AFB
WARNING - bad nextblock CRC
WARNING - strange nextblock header 190E6AFB
WARNING - bad nextblock CRC
WARNING - strange nextblock header 44ACB83E
WARNING - bad nextblock CRC
WARNING - strange nextblock header 190E6AFB
WARNING - bad nextblock CRC
WARNING - strange nextblock header 424FACBE
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header BB52ED27
WARNING - bad nextblock CRC
WARNING - strange nextblock header 5471CD9A
WARNING - bad nextblock CRC
WARNING - strange nextblock header A9EB8793
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
WARNING - strange nextblock header A9EB8793
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
WARNING - strange nextblock header A9EB8793
WARNING - bad nextblock CRC
WARNING - strange nextblock header 41E1A305
WARNING - bad nextblock CRC
Saving debug Tuya decryption data to lastRawDecryptedStrings.bin
Failed to extract Tuya keys - no json start found

This seems to indicate that config header is found in the binary, but encryption is different.
Config header is defined as:

Interestingly enough, we get only errors on futher blocks, and not on first - "Failed to extract Tuya keys - bad firstblock crc".

I've double-checked, and it indeed passes first MAGIC and CRC check:

Screenshot of Visual Studio displaying a code editor with an open programming project.

First problem happens here:

This is after the call of myDecrypt... but first call of myDecrypt (firstblock) seems to be okay, interestingly enough.
So what could be going wrong? Maybe makeSecondaryKey?

Related code:
https://github.com/openshwprojects/BK7231GUIFlashTool/blob/main/BK7231Flasher/TuyaConfig.cs

Added after 2 [minutes]:

Do we know KV KEY SEED of ECR6600?

A section of the build.conf configuration file related to OpenBK7231T software.

Added after 11 [minutes]:

Same?>

Screenshot showing a hex editor and a fragment of code in the background.

Added after 4 [minutes]:

I can also find this key in the binary: qwertyuiopasdfgh

Only one missing is 8710_2M

Added after 7 [minutes]:

I'm trying to find this key in ASCII strings in the file...
There are some interesting things like: keyge8wsy99n5pr7 ? DIFF2YA0 ? but that's not it

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.

Helpful post

#10 21481243 15 Mar 2025 19:57

divadiow divadiow

Level 34

Helpful post? (+1)

Helpful post
Post #10
21481243 15 Mar 2025 19:57

p.kaczmarek2 wrote:
keyge8wsy99n5pr7

these are in all Tuya devices, often seen in boot log. It's used with product key and sometimes fac_pin when pairing with Tuya.

There's this in the boot log for this device

Code: Text
Log in, to see the code
#11 21481247 15 Mar 2025 20:00

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #11
21481247 15 Mar 2025 20:00

@divadiow , in our flasher, there are 3 keys:
Code: C#
Log in, to see the code

but in the ECR binary, only 2 of them are seen. Does it mean that they changed 8710_2M?
Futhermore, decrypt fails at second block, only after KEY_PART_1 is used.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#12 21481255 15 Mar 2025 20:04

divadiow divadiow

Level 34

Helpful post? (0)

Post #12
21481255 15 Mar 2025 20:04

>>21481247

oh I see. hmm. im seeing what I can find. nothing guessable like 6600_2M?
#13 21481270 15 Mar 2025 20:18

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #13
21481270 15 Mar 2025 20:18

It would help a lot to have Tuya SDK of ECR6600, I mean, complete, with KV_KEY_SEED define

Added after 3 [minutes]:

Remember how I said that first block is correctly read?

These things match:
divadiow wrote:

Code: Text
Log in, to see the code

Everything breaks with makeSecondaryKey call I guess...
Code: C#
Log in, to see the code

And I can see "HHRRQbyemofrtytf" string in flash, so I still suspect that 8710_2M was changed.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#14 21481313 15 Mar 2025 20:44

insmod insmod

Level 24
Helpful post? (0)

Post #14
21481313 15 Mar 2025 20:44

@spectrality this version should work, i even tried to simulate bl0937 myself - and i got some values.

Attachments:

OpenBK7231T_App_1569_merge_aaa8455fc6f8_OpenECR6600.zip Download (845.82 KB)
#15 21481360 15 Mar 2025 21:26

insmod insmod

Level 24
Helpful post? (0)

Post #15
21481360 15 Mar 2025 21:26

>>21481270
I managed to get this from WBRG1 backup:
Code: text Expand Select all Copy to clipboard
{ "dp3":"10", "dp5":"2", "dp30":"1", "dp39":"1", "dp40":"1", "dp44":"100", "dp41":"50", "dp46":"0" }

With KEY_PART_1 8721D
But trying it on WBR1D backup failed.
ADVERTISEMENT
#16 21481367 15 Mar 2025 21:34

divadiow divadiow

Level 34

Helpful post? (0)

Post #16
21481367 15 Mar 2025 21:34

just looking through tuyaos-iot_3.8.3_eswin_ecr6600_wifi-ble-tuyastack

does it have to have that part specified?

I did build it without any value but..
#17 21481371 15 Mar 2025 21:36

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Topic author Helpful post? (0)

Post #17
21481371 15 Mar 2025 21:36

nice finding @insmod , but now look, if I search for this string in the dump of WBRG1 gateway, I can find it:

The same goes for HHRRQbyemofrtytf:

Both tested on Tuya-Gateway-20250219-(8721csm_bt_zg_gw)_keym557nqw3p8p7m_WBRG1_1.7.2_p.kaczmarek2.

So, it should be fair to assume, that the key for ECR6600 can be also found in the dump?

Well, I've tried to dump all strings and use them as keys in a brute-force method, but it still failed. Maybe i am missing something obvious, but at least you confirmed that my initial idea is correct.

Attachments:

extracted_strings.txt Download (114.77 KB)

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#18 21481374 15 Mar 2025 21:38

insmod insmod

Level 24

Helpful post? (0)

Post #18
21481374 15 Mar 2025 21:38

>>21481371 WBR1D backup contains 8721D too, but it fails to extract anything still.
That was just luck on my part
#19 21481382 15 Mar 2025 21:49

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Topic author Helpful post? (0)

Post #19
21481382 15 Mar 2025 21:49

divadiow wrote:

does it have to have that part specified?

I did build it without any value but..

The array is used by makeSecondaryKey function. I can remove it from calculation:

But it still fails for futher sectors.

But maybe Tuya does something else then.

Added after 7 [minutes]:

From non-ECR SDK:
Code: text Expand Select all Copy to clipboard
CONFIG_ENABLE_KV_KEY_SEED=y CONFIG_KV_KEY_SEED="8710_2M"

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#20 21481398 15 Mar 2025 21:54

divadiow divadiow

Level 34

Helpful post? (0)

Post #20
21481398 15 Mar 2025 21:54

p.kaczmarek2 wrote:
HHRRQbyemofrtytf

only 2 mentions of that in plain-text in TuyaOS SDK

Added after 3 [minutes]:

divadiow wrote:
tuyaos-iot_3.8.3_eswin_ecr6600_wifi-ble-tuyastack

FYI
https://airtake-public-data-1254153901.cos.ap.../smart/embed/pruduct/eswin_ecr6600_1.0.22.zip
ADVERTISEMENT
#21 21481402 15 Mar 2025 21:54

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #21
21481402 15 Mar 2025 21:54

I also can't fail to notice that we don't even have source code that uses CONFIG_KV_KEY_SEED and such defines, neither in OpenBK7231T, not in OpenBK7231N, so it looks like it's distributed by Tuya only in the binary blob?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Helpful post

#22 21481407 15 Mar 2025 21:56

spectrality spectrality

Level 7

Helpful post? (+1)

Helpful post
Post #22
21481407 15 Mar 2025 21:56

>>21481313

Now BL0937 works, and my pin configuration was correct for this plug.

Calibrated and everything seems working correctly.

Thank you very much
#23 21481410 15 Mar 2025 21:58

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #23
21481410 15 Mar 2025 21:58

@spectrality Thank you for testing!

Btw, where did you order that plug? Was it from Alie?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#24 21481420 15 Mar 2025 22:02

spectrality spectrality

Level 7

Helpful post? (0)

Post #24
21481420 15 Mar 2025 22:02

>>21481410
Yes, it was from Ali
Ordered two(16A Power Monitor) from here:
https://www.aliexpress.com/item/1005006777059....order_list.order_list_main.17.43a81802FJCTkH
and one(16A Power Monitor) from here:
https://www.aliexpress.com/item/1005007055724....order_list.order_list_main.41.43a81802FJCTkH
And all of then came with ECR6600
#25 21481424 15 Mar 2025 22:04

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #25
21481424 15 Mar 2025 22:04

@divadiow is this libtuyaos.a from your screenshot available in the SDK you linked to?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#26 21481432 15 Mar 2025 22:07

divadiow divadiow

Level 34
Helpful post? (0)

Post #26
21481432 15 Mar 2025 22:07

>>21481424

Attachments:

libtuyaos.zip Download (9.46 MB)
#27 21481441 15 Mar 2025 22:11

divadiow divadiow

Level 34
Helpful post? (0)

Post #27
21481441 15 Mar 2025 22:11

hmm

Attachments:

DebugAES.zip Download (1.75 KB)
#28 21481445 15 Mar 2025 22:13

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #28
21481445 15 Mar 2025 22:13

We could try to open it in Ghidra but I don't know which RISC is it:

Ideas? Or are you interested in getting Ghidra and trying

Added after 1 [minutes]:

Function names are here but they can't be disassembled, probably I've chosen wrong RISC type.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#29 21481452 15 Mar 2025 22:25

insmod insmod

Level 24

Helpful post? (0)

Post #29
21481452 15 Mar 2025 22:25

>>21481445 It's a little different one, RISC + extra
Check https://github.com/NationalSecurityAgency/ghidra/pull/1778

Added after 8 [minutes]:

>>21481398 I just changed 1.0.22 to 1.0.23 and it started to download another archive
Inside it is folder named eswin_ecr6600_1.0.23_temp
#30 21481465 15 Mar 2025 22:32

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #30
21481465 15 Mar 2025 22:32

I see, used SDK is nds32le-elf-mculib-v3s.tar.gz, but now it seems that we would need to compile Ghidra from source...

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Reply Cool? Ranking DIY | New topic

Notify about new articles

Report a violation of the law

Topic summary

The discussion revolves around the Eswin ECR6600 WiFi module, focusing on flashing procedures, firmware issues, and integration with Home Assistant. Users share experiences with the BL0937 driver, troubleshooting pin configurations, and extracting Tuya configurations from the original firmware. Several users report issues with the BL0937 driver not functioning correctly, despite correct pin assignments and firmware updates. Solutions include checking pin configurations, using specific firmware versions, and discussing the extraction of keys from the firmware. The conversation also touches on the need for a complete Tuya SDK for the ECR6600 and the challenges faced in disassembling the firmware for further analysis. Successful calibration and operation of the BL0937 driver are eventually reported, along with the sharing of links to purchase ECR6600 modules.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant