When comparing two flash dumps from DS-101JL light switches (Tuya WL2H-U-2 module, LN882H chip),
I found the following:
Firmware is 100% identical between units
Both devices came from the factory with exactly the same firmware. The app partition
(0x007000–0x132FFF, 1.2 MB) is bit-for-bit identical.
Flash partition layout (2 MB total)
Partition Offset Size D1 vs D2
--------- ------ ---- --------
boot 0x000000 24 KB IDENTICAL
part_table 0x006000 4 KB IDENTICAL
app 0x007000 1.2 MB IDENTICAL ← same firmware on all units
ota 0x133000 680 KB different (6306 bytes — MAC provisioning)
nvds 0x1DD000 12 KB different (1146 bytes — runtime state)
kv 0x1E0000 16 KB different (3069 bytes)
kvs 0x1E4000 32 KB different (4095 bytes)
user 0x1EC000 80 KB different (77813 bytes)
All differences are in the data area above 0x133000 — device-specific info only.
MAC address location
Both WiFi and BLE MACs are stored in the OTA partition region at offset
0x1C543C.
The KV key names are readable in plaintext:
Key name Offset D1 D2
-------- ------ -- --
6_sta_mac 0x1C543C 00:33:7A:2B:86:95 BC:35:1E:BE:41:EB
24_ble_mac 0x1C5464* 00:33:7A:2B:86:96 BC:35:1E:BE:41:EC
* stored in reversed byte order
BLE MAC is always WiFi MAC 1. The OUI 00:33:7A belongs to Lightning Semiconductor,
BC:35:1E belongs to Tuya.
KV key names visible in plaintext around the MAC area
it_magic — KV entry separator/magic marker
6_sta_mac — WiFi (station) MAC address
24_ble_mac — BLE MAC address
ty_ada_psk — WiFi credentials (SSID password, plaintext!)
