logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda
3D printer for home or business?
3D printer for home or business? Here are the perfect 3D printers to start with »
ADVERTISEMENT
Dostępna jest polska wersja

Czy wolisz polską wersję strony elektroda?

Nie, dziękuję Przekieruj mnie tam

Winner Micro W803-E400 in RMW002 Smart Mini Switch: TW-803 Module, CozyLife Firmware & Boot Log

divadiow 870 1

TL;DR

  • A RMW002 Smart Mini Switch / 16A DIY mini breaker hides a Winner Micro W803-E400 on a TW-803 module instead of the usual MCU mix.
  • The module exposes TX0/RX0 for CozyLife boot logs, and a Python W80x flash-read stub captures the flash backup over USB-TTL.
  • The backup shows a 2mb flash and a factory Wi-Fi target named CozyLife_Upgrade using password 12345678.
  • With CozyLife_Upgrade broadcasting, the switch connects, but Wireshark and nmap reveal no obvious plain-text AT commands or active network behavior.
Generated by the language model.
ADVERTISEMENT
Report a violation of the law
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
  • Small white box with printed Wi-Fi smart switch, lying on a carpet
    This device is another one of those 16A "DIY" mini switch/breakers that has been seen with quite a few different MCUs, modules and PCB layouts. Without high expectations it was ordered in the off-chance something new and interesting was inside. This time there was!
    MINI Smart Switch 20A in open box on carpet Mini Wi-Fi switch with technical label and screw terminal ports on white casing White plastic device with ventilation holes and a black logo on top Disassembled electronic switch with black PCB board on carpet background SED-05DM relay module with capacitors and screw terminal block Close-up of PCB labeled BRK-CWNN1 with capacitors and screw terminal block

    TW-803 V2.0 module with W803-E400 chip mounted on a PCB board Relay module with capacitors and screw terminal on blue background Close-up of PCB with push button, transistors, and labeled SMD components Bottom part of black PCB with button, resistors, and connectors. Desoldered PCB with black solder mask, SMD components, and visible copper traces

    A Winner Micro W803-E400 chip on a TW-803 module. I've never received a production device with a W80x in. I have W800/W801 dev boards only - the Hi-Link HLK-W800-Kit, HLK-W801-Kit, HLK-W806-Kit and a HLK-B36 module.

    It's the same CSKY/XuanTie XT804/CK804 architecture as the others. This family of chips is sometimes seen referred to as W80X.

    At the moment we only have one W800 device in the device list (though it doesn't appear to have any pin assignments) - a WX300P RGB Strip Controller in the W800 flashing and development topic.

    The TW-* module naming is reminiscent of the TW-02/03 labelling of the ThingsTurn W600 modules, but I've yet to find any official documentation to confirm a relation - only the ThingsTurn logo on this Taobao listing https://world.taobao.com/item/688026122927.htm

    ThingsTurn TW-803 Wi-Fi module with embedded W800 chip and Chinese labeling

    And it seems there is a W803Pico board https://doc.winnermicro.net/w800/en/latest/get_started/w803_pico.html from which chip pins can be seen

    Pinout diagram for W803-Pico module showing microcontroller W803 wiring

    De-soldered module
    TW-803 V2.0 electronic module with WinnerMicro chip on blue mat TW-803 electronic module with labeled pins, placed on a blue anti-static surface

    and from TX0 (PB19) we get the CozyLife boot log at 115200 baud

    Code: Text
    Log in, to see the code


    Before I flash OpenW800, erasing the factory firmware, I'd like to give my Python/W80x stub flash reader a go to see if I can take a backup. I've had no success getting a working device flashing these images back, but the read at least looks (mostly) sound.

    The CK-Link method is an option too but only PA1 is routed out to a pad, PA4 would need to be a pogo pin or needle job.

    Using python w800_flash_read_crc_flush_double.py (attached) and with RX0 (PA20) and TX0 (PA19) soldered up and connected to USB-TTL adaptor, I can read flash. Quick RST to ground for the script to catch and upload stub

    Code: Text
    Log in, to see the code


    2mb flash.

    w800_flash_read.zip contains stub, script and my backup.

    My initial finding in the backup is that it appears a factory SSID "CozyLife_Upgrade" is searched for and connected to with password "12345678". Interesting, maybe it'll then be open to OTA exploitation.

    With that SSID available, it does indeed connect

    Wi-Fi settings screenshot for CozyLife_Upgrade showing password and MAC address details.

    on TX0 we see it listing SSIDs and stopping at CozyLife_Upgrade

    Code: Text
    Log in, to see the code


    Wireshark doesn't seem to suggest it tries to do anything on connection

    Wireshark capture showing DHCP sequence and ARP packet with MAC c8:58:6a:2e:cf:a0

    nmap

    Code: Text
    Log in, to see the code


    Similarly with "CozyLife_CC" broadcasting:

    Code: Text
    Log in, to see the code


    I do not see any AT commands in plain text in the fw backup.

    There's probably more to investigate before the one-way trip to OpenW800

    oh and Tuya still have these as downloads

    https://airtake-public-data-1254153901.cos.ap...qcloud.com/smart/embed/pruduct/w803_0.0.1.zip
    https://airtake-public-data-1254153901.cos.ap...qcloud.com/smart/embed/pruduct/w803_0.0.2.zip

    UPDATE. Device was from Ali Express 20A option https://www.aliexpress.com/item/1005009631991603.html

    AliExpress product page screenshot of Mini WiFi Smart Switch 20A
    Attachments:
    • w800_flash_read.zip (421.86 KB) You must be logged in to download this attachment.

    Cool? Ranking DIY
    About Author
    divadiow
    Level 38  
    Offline 
    divadiow wrote 4797 posts with rating 844, helped 416 times. Live in city Bristol. Been with us since 2023 year.
  • ADVERTISEMENT
  • #2 21640179
    divadiow
    Level 38  
    With an STM32 running CK-Link Lite firmware and cabled as:

    Table comparing the pinout of STM32F103 microcontroller with XT-E804 module.

    PA4 pin connected using sewing needle held in place.
    Module with PCB antenna wired to STM32 board, needle touching one pin

    TW-803 V2.0 module with W800 chip and partial pinout schematic visible

    We get this info from the XuanTie Debug Server

    Code: Text
    Log in, to see the code


    CSKY Flash Programmer read attempt is giving this at the moment with the W800 flash algorithm file. Maybe I need to find W803 one. Lower ICE Clk has not helped.

    Flash read error message – address 0, size 0, in programming tool window
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
Report a violation of the law
Today's popular

FAQ

TL;DR: RMW002 hides a Winner Micro W803‑E400 with 2 MB flash; "I can read flash" via UART and a Python stub. CozyLife firmware seeks "CozyLife_Upgrade" (12345678) but exposes little; flashing OpenW800 looks one‑way today. [Elektroda, divadiow, post #21639312]

Why it matters: This FAQ helps tinkerers safely back up, probe, and reflash W803‑based mini switches without losing recoverability.

Quick facts:

Quick Facts

What’s inside the RMW002 mini switch?

A TW‑803 module carrying a Winner Micro W803‑E400. The unit runs CozyLife firmware and reports both Wi‑Fi and BLE MACs. The board appears in a 16A “DIY” mini switch form factor. This mix makes it an attractive alternative to ESP or BK‑based devices for custom firmware work. Photos and serial logs confirm the module and firmware family. [Elektroda, divadiow, post #21639312]

How do I capture the CozyLife boot log?

Connect a USB‑TTL adapter to the module’s UART0 and set 115200 baud. Use the TX0 pad for output and ground the reset briefly to restart logging. You’ll see CozyLife versions, MACs, Wi‑Fi scans, and domain settings in clear text. Keep mains disconnected when probing UART on an in‑wall device. [Elektroda, divadiow, post #21639312]

How can I back up the factory firmware before flashing OpenW800?

Use the author’s Python stub method.
  1. Wire RX0, TX0, and GND to a USB‑TTL adapter; open the provided script.
  2. Reset the module; let the script trigger bootloader and upload the stub.
  3. Switch to 2,000,000 baud when prompted; save the 2 MB dump (ID EB,15). Expect a dump even if CRC verification mismatches. [Elektroda, divadiow, post #21639312]

What flash size and ID does the TW‑803 use?

The flash probe returned “FID:EB,15” and a detected size of 2,048 KB (2 MB). The script logs show a full read at high speed after the stub handshake. This capacity is typical for compact Wi‑Fi switch modules and is ample for alternative firmware images and backups. [Elektroda, divadiow, post #21639312]

How do I trigger the W803 bootloader over UART?

The provided script floods AT+Z with RTS and ESC to coax bootloader mode. Watch for “CCC” to confirm entry and proceed with the stub. “Stub confirmed ready after baud switch.” Once you see that, reads at 2,000,000 baud are reliable. Keep reset timing tight so the stub loads. [Elektroda, divadiow, post #21639312]

Does CK‑Link work on this board, and which pins are available?

Yes, CK‑Link is an option. However, only PA1 is routed to a convenient pad on this PCB. PA4 is not exposed, so you’ll need a pogo pin or needle to access it. That makes repeated CK‑Link sessions fiddly compared with UART, which is already proven for reading flash. [Elektroda, divadiow, post #21639312]

What Wi‑Fi behavior should I expect from the CozyLife firmware?

It passively scans, then connects to a factory SSID. With “CozyLife_Upgrade” and key 12345678 available, it associates and gets an IP. With “CozyLife_CC” present, logs show factory mode messages like “ZC FAC” and “found factory ssid.” The boot log also notes UDPlog disabled and a doiting.com API domain. [Elektroda, divadiow, post #21639312]

Are there open network ports after it joins CozyLife_Upgrade?

Yes. An nmap scan reported 5555/tcp open and 6095/udp open|filtered. Packet capture did not show immediate traffic on connect. That suggests the factory SSID path may be used as a quiet provisioning mode rather than an automatic OTA attempt. Treat any exposed services cautiously during further probing. [Elektroda, divadiow, post #21639312]

Can I revert to stock firmware after flashing OpenW800?

Treat flashing as a one‑way trip for now. The author can read flash, but restoring images has not worked. Even clean reads showed a CRC mismatch at the end. Keep a backup, but do not rely on it for recovery until a proven write‑back method exists. [Elektroda, divadiow, post #21639312]

Is TW‑803 related to ThingsTurn W600 modules (TW‑02/03)?

The TW‑* naming looks similar. The author only found a ThingsTurn logo on a Taobao listing and no official confirmation. Without vendor documentation linking the families, assume TW‑803 is independent. Avoid pin‑for‑pin assumptions from W600 modules when planning hardware mods. [Elektroda, divadiow, post #21639312]

Where can I find official pin references for W803?

See Winner Micro’s W803 Pico documentation. The page shows chip pin assignments you can use to infer UART and GPIO options during bring‑up. Cross‑check against your module since carrier boards route pins differently. Use this as a chip‑level, not module‑level, reference. “W803 Pico — Get Started”

What’s the CozyLife firmware version on this unit?

Boot logs show CozyLife SDK Version 0.6.0 and device firmware 2.1.5, both built on 2025‑03‑05. The product ID is kHFvFr, and the API domain resolves to api‑us.doiting.com. BLE and Wi‑Fi MACs are consecutive, indicating a shared OUI. These details help match firmware images or cloud endpoints. [Elektroda, divadiow, post #21639312]

Where can developers download W803 resources or SDKs mentioned?

The thread links Tuya’s public W803 zip packages (w803_0.0.1.zip and w803_0.0.2.zip). They remain downloadable at the time noted. Combine those with your dump for analysis, strings searches, and potential OTA vectors. Always verify hashes and provenance before flashing anything derived from third‑party archives. [Elektroda, divadiow, post #21639312]
Generated by the language model.
ADVERTISEMENT