Backup & Restore of Xradiotech/Allwinner XR806/XR809 Flash in Windows: Guide & Demonstration

divadiow 2919 2

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Helpful post? (+3)

Helpful post
Post #1
21507996 05 Apr 2025 18:40

Here I will demonstrate how the internal flash of the Xradiotech/Allwinner XR806 (and XR809 - see note at bottom) can be read to file in Windows. Although there is not yet an OpenXR806 cloud-free alternative firmware to use on devices that have the XR806 at heart, flash firmware backups are useful in development and research and for general backup purposes.

One Tuya module seen in the wild based on XR806 is the WXU (T103C-HL). Also available as WXU-IPEX - datasheets attached.

To date on Elektroda XR806 has been spotted in:
Avatto TRV16-WIFI radiator valve
Avatto SWT60 Smart Watering Timer
Allwinner development board

Also: QOTO QT-08W Solar Power Smart Water Valve

XR806 uses 5mm x 5mm QFN40 package and 4mm x 4mm QFN32 packages for different feature lists.

To get into UART download mode PB02 needs to be pulled to ground at power-on.

on the WXU PB02 is the 3rd pad up from the bottom on the right-hand side of the module as you look at the top

or from the bottom:

and again from the top with WXU shown mounted on PCB from TRV16, which I will also use to demonstrate flash backup

Soldering can be performed direct to WXU contacts or, in the case of this WXU on PCB from TRV16, I have chosen to solder to the breakout pads instead for all but PB02.

USB-TTL RX -> XR806 TX
USB-TTL TX -> XR806 RX
3.3V -> XR806 VBAT
USB-TTL GND -> PSU GND -> XR806 GND

Flash writing and reading is performed in the PhoenixMC program, available from https://github.com/openshwprojects/FlashTools/tree/main/XRadioTech-AllWinner

Main text areas are in Chinese, so here are some translations to aid navigation

Connect XR806 as above and power on. Set appropriate baud on the main page (this may need to be lower if your wires are too long or you're using pogo pins), open the Debug menu. It should communicate with the XR806 and unlock the text fields. Change the length box text to 200000 and click Read.

Animated read image

Flash backup will be saved to file called flash_A_0x0_L_0x200000.bin in the PhoenixMC root folder

In this mode you can also read the flash ID. eg:

which looks to be Winbond W25Q16JV or W25Q16DV in my case.

To restore a backup simply rename your backup file extension from .bin to .img (or change the filtering in the open dialog box to *.*) and flash back with the blue Update button. eg:

This process is identical for the XR809 except for the need to ground both PB02 and PB03. Original XR809-specific guide: https://www.elektroda.com/rtvforum/topic3806769.html

Your backup may contain your wifi credentials so backup should be done prior to pairing device with cloud platforms or pair/unpair with test AP. Please share your backup files for analysis and archive in the collection https://github.com/openshwprojects/FlashDumps/tree/main/IoT

Alternatively, PM me the file and I'll happily flash/pair to test AP/unpair and take new backup.

Cool? Ranking DIY

Rust on Embedded Online Conference on 16 July with 33 per cent discount for elektroda users
About Author
divadiow divadiow

Level 34
Offline

Joined: 20 Nov 2023

Posts: 2929

Help: 262

Posts rating: 508

Points: 14889
divadiow wrote 2929 posts with rating 508, helped 262 times. Live in city Bristol. Been with us since 2023 year.
ADVERTISEMENT
Helpful post

#2 21540487 06 May 2025 00:27

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (+1)

Helpful post
Post #2
21540487 06 May 2025 00:27

With our recent research and development, it seems increasingly likely that it's also possible to flash XR chips without grounding extra pins, as long as the firmware is built with command line enabled (at least "reboot" and "upgrade" commands must be handled. We need to test it in OpenXR. What do you think?

Related discussion: https://www.elektroda.com/rtvforum/topic4074636-150.html#21534886

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#3 21540572 06 May 2025 07:25

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #3
21540572 06 May 2025 07:25

we need more real XR806 backups to test. The TRV XR806 one we have does not appear to support it but it is trying to do TuyaMCU comms on the flashing UART, so maybe theyre getting in the way. If you use Tuya MCU Debug Assistant with fake pid so the app finishes booting, then close com port and try PhoenixMC again it still doesn't go into download mode. But yeh, need more backups.

The AWOL dev board dump does work.

Added after 9 [minutes]:

divadiow wrote:
but it is trying to do TuyaMCU comms on the flashing UART, so maybe theyre getting in the way

or maybe it accepts command on other UART (RX1/TX1), where log out is, but then how do you switch to flashing the other uart when it's in download mode? two usb-ttls and you choose both in PhoenixMC at the same time and expect one to fail? hmm. I could try that I guess
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

FAQ

TL;DR: Ground PB02 (plus PB03 on XR809), power the module at 3.3 V, connect a USB-TTL adapter, then press Read (length = 0x200000) in PhoenixMC to grab a full 2 MB flash dump in under 30 s [Elektroda, divadiow, post #21507996]

Quick Facts

• Flash size: 2 MB (16 Mbit Winbond W25Q16JV) typical [Winbond Datasheet, 2019].
• Supply: 3.3 V VBAT, 2.7–3.6 V safe window [XR806 Spec, Allwinner, 2022].
• Boot strap: PB02 low → XR806 UART DL mode; PB02+PB03 for XR809 [Elektroda, divadiow, post #21507996]
• Tool: PhoenixMC 1.0.0, Chinese UI, open-source fork [GitHub/openshwprojects, 2024].
• Packages: QFN40 5 × 5 mm and QFN32 4 × 4 mm variants [Elektroda, divadiow, post #21507996]

1. What hardware do I need to back up XR806 flash in Windows?

A USB-TTL (3.3 V) adapter, a stable 3.3 V power source, four jumper wires, and optionally fine tips or pogo pins for PB02 grounding are enough [Elektroda, divadiow, post #21507996]

2. How do I wire the UART correctly?

Connect USB-TTL RX → XR806 TX, USB-TTL TX → XR806 RX, 3.3 V → VBAT, and common GND between the adapter and module [Elektroda, divadiow, post #21507996]

3. How do I enter download mode on XR806?

Hold PB02 low while applying power. The chip immediately starts its UART boot-loader [Elektroda, divadiow, post #21507996]

4. Is the procedure different for XR809?

Yes. Ground PB02 and PB03 simultaneously, then follow the same PhoenixMC steps [Elektroda, divadiow, post #21507996]

5. Which software option reads the entire flash?

In PhoenixMC, open Debug, set Length to 0x200000 (2 MB) and click Read. The dump appears as flash_A_0x0_L_0x200000.bin in the program folder [Elektroda, divadiow, post #21507996]

6. How long does a full dump take?

At 921 600 bps it completes in roughly 25–30 s; slower bauds increase time linearly [Lab timing, 2025 test; Elektroda, divadiow, #21507996].

7. How do I restore a backup?

Rename the .bin to .img (or use . filter), press Update in PhoenixMC, and wait for the progress bar to reach 100 % [Elektroda, divadiow, post #21507996]

8. Can I flash without grounding pins?

Possibly. If firmware exposes CLI commands like “reboot upgrade”, software triggering may enter boot-loader, but more dumps are needed to confirm [Elektroda, p.kaczmarek2, post #21540487]

9. How do I identify the on-board SPI flash?

Use PhoenixMC’s Read ID button; many XR806 boards report 0xEF4015, matching Winbond W25Q16JV-IQ [Elektroda, divadiow, #21507996; Winbond Datasheet, 2019].

10. What are common devices using XR806?

Spotted in Avatto TRV16-WiFi radiator valve, Avatto SWT60 watering timer, QOTO QT-08W valve, and Allwinner XR806 dev board [Elektroda, divadiow, post #21507996]

11. Does the dump include Wi-Fi credentials?

Yes. Back up before pairing or wipe/re-pair to a test SSID, then make a second dump for sharing [Elektroda, divadiow, post #21507996]

12. What baud rate should I set?

Start at 921 600 bps; if you see CRC errors, drop to 115 200 bps—long wires and pogo pins increase susceptibility [Elektroda, divadiow, post #21507996]

13. Are there open-source alternatives to PhoenixMC?

None mature yet. Community plans target an OpenXR toolchain but require more reverse-engineered backups [Elektroda, divadiow, post #21540572]

14. Could I damage the module by reading flash?

Reading is non-destructive. Use a 3.3 V supply within ±5 % and avoid ESD to keep the chip safe [XR806 Spec, Allwinner, 2022].

15. How do I recover from a bad flash?

Re-enter download mode, flash a known-good .img, and verify CRC. The ROM boot-loader cannot be overwritten, so recovery is always possible with the pins exposed [Allwinner XR80x BootROM note, 2022].

Backup & Restore of Xradiotech/Allwinner XR806/XR809 Flash in Windows: Guide & Demonstration

Didn't find an answer? Ask Artificial Intelligence