STM32F103C8T6 Blue Pill as CK-Link Debugger: C-SKY/T-Head/XuanTie CK804 Flash Backup Investigations

September 2025 Update:
see here for details about converting STM32 over UART instead of J-Link (ie, J-Link not required) https://www.elektroda.com/rtvforum/viewtopic.php?p=21695356#21695356 (thanks @max4elektroda!)
see here for higher version converted CK-Link Lite firmware for STM32 https://www.elektroda.com/rtvforum/topic4120455.html#21554694

---

Here I'll document my journey with a cheap STM32F103C8T6 "blue pill" dev/hobby board bought from Ali Express. Despite the IC labelled as "STM32F103C8T6" the internal flash appears to be 128k instead of 64k making it more like an STM32F103CBT6. It seems this is not unexpected with STM32 fakes/clones.

The purpose of this purchase is to make a cheap C-SKY CK-Link / T-Head CPU debugger in the hope that I can access and dump the flash of C-SKY based chips like the WinnerMicro W800/W801/W806 which are C-SKY CK804FGT.




I bought 3 from the YouKeyi Store https://www.aliexpress.com/item/1005006999051681.html



Using cjacker's developments at https://github.com/cjacker/cklink-lite-fw-convertor we can convert the 'cklink_lite.hex' file that ships with the T-Head debug server so it will run on the STM32 after flashing. cjacker also supplies a binary that's already been converted https://github.com/cjacker/cklink-lite-fw-con.../blob/main/cklink_lite-2.36_for-stm32f103.hex and version 2.37, along with a Windows-compatible Python conversion script can be found in this PR https://github.com/cjacker/cklink-lite-fw-convertor/pull/1/files. I'll attach all files here for safe-keeping.

But how do we program the STM32? SWD - Serial Wire Debug!

Using one of these cheap clone J-Link programmer/debuggers we can flash the STM32 using J-Flash.



J-Flash can be downloaded from https://www.segger.com/products/debug-probes/j-link/technology/flash-download/

Connect like so
J-Link GND -> STM32 GND
J-Link SWDIO -> STM32 SWIO
J-Link SWCLK -> STM32 SWCLK
J-Link 3V3/VCC - <disconnected>



run J-Flash, make a new project and select "STM32F103CB" (128kb) from the target device list



with both devices powered from their micro-USB ports 'Target' and 'Connect' in J-Flash menus should see the device connect successfully


Now you can erase/write or read entire chip from the Target-> Manual Programming menu. First I read the Keil USB memory stick emulator demo thing that shipped with the STM32.



To flash cklink_lite-2.37_for-stm32f103.hex just drag the file into J-Flash window -> Erase Chip -> Program & Verify



Power off the STM32 and re-plug it. If using Windows it should be detected as a C-Sky CKLink-Lite device



Now that this is done we need to engage with the T-Head debugging server so we can interface with C-SKY-based devices.

Register for and download the T-Head debug server from https://www.xrvm.cn/community/download?id=4380347564587814912 - I'll be demonstrating the Windows variant. I attach Windows and Linux downloads at the latest version at time of writing, as well as the debug user guide PDF.

The CPU I'll be connecting to is the CK804 in a Hi-Link HLK-W806-KIT dev board, the same as explained here https://github.com/cjacker/opensource-toolcha...your-own-ck-link-lite-debugger-with-stm32f103

STM32 is connected to the HLK like so




With power to STM32 and the W806, running the DebugServerConsole app should put the CPU into debug mode and show information about the CK-Link firmware version and the W806 CPU





Extract the attached w806.elf file and put it into the \bin folder alongside the debug console executable - C:\Users\xxxx\AppData\Roaming\T-Head\T-HeadDebugServer\bin if installed to default location



Information about the elf file can be obtained with command flash -al w806.elf from the debug console

DebuggerServer$ flash -al w806.elf


For reference the entire flash command list is as follows



so we should be able to dump the W806 flash content with a command like this



those arguments meaning:



The dump appears to work. 1mb took 56 seconds.



The dump lands in \bin folder


The resultant file appears to contain data and even some plain text from the W806 demo flashed using Upgrade Tools

Unfortunately flashing back as-is using command flash program -f blinkydump.bin -b -a 0x08000000 -al w806.elf does not appear to result in a bootable app, leaving the device waiting for an upload in the xmodem "CCCCCCCCCCC" mode



Also curious is that erasing flash even though 'successful', doesn't appear to actually zero the flash, a subsequent dump appears to be almost identical to one taken before the erase - this is also true if using wm_tool (wm_tool_1.0.4.exe -c com79 -eo all) to erase the W806 over UART - no empty flash, though it does appear to go into CCCCC mode after the erase, so maybe it's changing some byte to mark as empty?
debug console erase commands tried:

flash erase -a 0x08000000 -s 0x100000 -al w806.elf
flash erase -c -al w806.elf

Other observations:

COM port outputs this during read operations

and this with write


That's where I've got to right now. A working restore of the flash I think is the priority thing to work out. Unfortunately I do not have any C-Sky devices with their original firmware on to dump something new and interesting from a company like Tuya.

since posting, I've taken a different approach. I've opened up Upgrade_Tools_V1.5.9.exe with pyinstxtractor in search of the main flashing code. The most interesting stuff (I've seen so far) is in

SerialThread.pyc
icons_rc.pyc
ImageThread.pyc
MainWindow.pyc
ConfigHelper.pyc

after uncompyle6 on each we see commands like these that will be used to return information seen in the Upgrade Tools GUI when flashing







These commands, and others, can be seen in various WinnerMicro documentation eg https://arduino.winnermicro.com/w800/en/2.3-beta.1/component_guides/rom.html

We know the GUI doesn't offer a flash read option, but there might be something in the code to suggest this is possible.

In SerialThread.py:



but how and what is needed to be running on the chip before these commands can be received and actioned?



there is no sign of w800_fls_erase.img in any of the extractions so far. Fast-forward several hours of trying things, it turns out to be some virtual path in some Qt resource. It's pieced together from this Python byte code string in icons_rc.py



Confirming the extraction was sound took some working out.
As it happens, you can also see the same code in HxD live memory viewer. Here's the start of the same data as from byte code extraction





Using SerialThread as a reference point GPT and I made some script to mimic resetting the device via AT+Z command and RTS, waiting for Xmodem CCC, uploading flash stub and sending commands. This script gets wifi mac, ble mac, flash ID and gain info from the device, it also asks which com port you want to use first.



Flash ID 85, 15 = manufacturer and size, so, Puya and 2mb.

The official tool uses this to detect flash size



Script correctly detects 14 as the flash size on W806 - 1MB


(wifi and ble macs are FF even in GUI flasher tool, so not worried about that)

what about adapting the flash read so the whole 2mb can be captured?


in the dump we see data at 2400, the main image


and some other bits before that 0 and 2000






I've had quite a few variation of script and it seems timing and flushes are critical to a clean dump. Oftentimes without the right flush or pause the end or beginning of flash would contain Xmodem CCC.

I also played with set gain a little, but I think this is in ROM so cannot be changed. My 3 boards return this though for the gain read

HLK-W806


HLK-W801


HLK-W800


In ConfigHelper.py we see a gain value for W600 and W800. I'm not sure why this is set or its effect. It does not appear to be persistent.



I think that's as far as I've got for now. I'll attach the scripts used in the screenshots (and more - some may not work), the stub and the py files. If anyone wants more let me know.

TODO/questions:
Where does official flasher start writing from and how does it handle .fls and .img files differently?
Can a device backup be flashed back to make a working device?
What differences are there between a backup taken from CKLink method and UART?
Why does W806 not read flash when W800/W801 does?
Does this work on a real device? And does anyone have a real W800 with factory Tuya firmware intact?

I remembered I had a Hi-Link HLK-B36 - a W800 module - that I had not flashed OBK to. It still boots Hi-Link firmware





and broadcasts AP "HI-LINK-184C"


Dump using w800_flash_read_crc_flush_double.py shows no captured CCCC whereas w800_flash_read.py does



we clearly see data at the expected points in file



and signs of HLK


despite soldering and short cables, I have not been able to get the CK-Link method to connect to the CPU

and following the Bouffalo Lab part we can connect to BL602 MCU with the T-Head debug server too
https://github.com/cjacker/opensource-toolchain-bouffalo-lab





I am using BL602 Ai-Thinker NodeMCU Ai-WB2-32S-Kit


STM32F103 assignments for BL

STM32F103	Function	BL602/BL604	BL702/BL704/BL706	BL616/BL618	BL808
A5	TMS	GPIO12	GPIO0	GPIO0	GPIO6
A1	TCK	GPIO14	GPIO2	GPIO1	GPIO12
A4	TDO	GPIO11	GPIO9	GPIO2	GPIO7
B9	TDI	GPIO17	GPIO1	GPIO3	GPIO13

This is maybe how you could fix your BL602 @p.kaczmarek2 if UART is not successful

higher version ck-link lite files. converted and original - 2.38

Anybody having the TXW8301 FLASH ALGORITHM ELF file ? Getting the error "ERROR: Current CPU is not in debug-mode, can't do any flash operations" while trying to dump the flash when using other elf files.

P.S.

The flash is SPI 16Mbit W25Q16JVSSIG

The CPU inside TXW8301 is CK803SG:

im not seeing any additional flash algorithm files in the TXW8301 SDK.

Your error sounds more like a not connecting type of thing though rather than a flash read problem.

looks like we have read CK803SG variant successfully here https://www.elektroda.com/rtvforum/topic4129331.html

Maybe this is the kind of error you'd expect with wrong flash algo file?

https://www.elektroda.com/rtvforum/topic4134923.html#21640179

Have you tried lower ICE Clk speeds?

divadiow wrote:

I'm not seeing any additional flash algorithm files in the TXW8301 SDK.

The TXW8301 SDK never contained flash algorithm files. These files were supplied with programmer. I see the files:

Taixin_TXW80X_FLASH_ALGORITHM.elf
Taixin_TXW81X_FLASH_ALGORITHM.elf
WinnerMicro_W800_FLASH_ALGORITHM.elf
WinnerMicro_W806_FLASH_ALGORITHM.elf

But there are no TXW83X files present!

Quote:

Your error sounds more like a not connecting type of thing though rather than a flash read problem.

looks like we have read CK803SG variant successfully here https://www.elektroda.com/rtvforum/topic4129331.html

This link is about TXW816 for which algorithm file is definitely present.

Quote:

Maybe this is the kind of error you'd expect with wrong flash algo file?

Exactly as I have no TXW83X FLASH ALGORITHM file. This was the my question.

Quote:

https://www.elektroda.com/rtvforum/topic4134923.html#21640179

Have you tried lower ICE Clk speeds?

Will try, but seems like Linux Debug server app just ignores ICE speed command line option and I do not use Windows.

P.S. Tried with 12kHz



The same error

sure. The TXW80X and TX81X algorithm files were pulled from the SDKs for those platforms so I wondered if the TXW8301 SDK might also contain some specific to that platform

Quote:

Maybe this is the kind of error you'd expect with wrong flash algo file?

with reference to this error: https://obrazki.elektroda.pl/6958044300_1755725962_bigthumb.jpg

anyway, I'm not sure what to suggest next regarding the TXW8301 and flash dump/programming.

Okay, debug mode error gone just after connecting gdb to the debugserver. But new error appeared:

Quote:

DebuggerServer$ flash dump -o dump.bin -b -a 0x0 -s 0x1000000 -al Taixin_TXW81X_FLASH_ALGORITHM.elf
flash dump -o dump.bin -b -a 0x0 -s 0x1000000 -al Taixin_TXW81X_FLASH_ALGORITHM.elf
ERROR: Load Flash Algorithm File: Failed to load algorithm to target.
Can't run FlashAlgorithm to bkpt_label, restore destoryed registers and memory.
Dump failed.

Now is definitely clear that proper TXW83x elf file is needed.

beginning to think it may be a different beast and a different approach may be required. may I ask what device you have with TXW8301 in? I do not have any so may try to source something if it's cheap enough.

There are plenty of it. The famous is LilyGO T-Hallow, second is MaduinoZeroWiFiHalow and many others. I see that you are partially right - there is the flash template project in SDK. Usually they placed the compiled ELF file but not in TXW8301 case. Will try to compile and test it. The current main problem for me - is the buggy debug server. It is constantly failing to put CPU in debug mode. But the debug API example that is supplied with the debug server is constantly can do this:

divadiow wrote:

But how do we program the STM32? SWD - Serial Wire Debug!

Using one of these cheap clone J-Link programmer/debuggers we can flash the STM32 using J-Flash.

Maybe you allow for a short alternate approach (if it's there and I simply overlooked it, sorry).

I didn't have a J-Link programmer at hand, so I tried with a simple UART (as done here).

Connect
GND -> G
UARTs RX -> A9
UARTs TX -> A10

Download Flasher from ST site https://www.st.com/en/development-tools/flasher-stm32.html#get-software (you'll need to get an access code with a valid mail address, mailinator.com works )

The process is straight forward, but you need to set the "Boot0" jumper (the one opposite to the button):











Setting both "BOOT" jumpers to 0 again and re-connecting STM to USB:




Done!

oh wow. cool! that's a bit easier

Added after 36 [seconds]:

easier as in no J-Link requirement

Yes, easier for me, for I didn't find my J-Link clone
Thanks for your work, I just successfully dumped my X5 Cam and flashed OpenTXW81X with help of this and this post!

Maybe you want to mention or even better "integrate" this approach in your initial post?
Feel free to use all images or text

cheers. added update note header for now