Decompiled the new #BL602 EFlash Loader with #Ghidra 🤔

https://github.com/bouffalolab/bl_iot_sdk/blob/master/flash_tool/chips/bl602/eflash_loader/eflash_loader.elf

EFlash Loader is the program that runs on #BL602 to flash all firmware ... The ELF was uploaded recently (no source available) ... Let's look inside with Ghidra

https://github.com/bouffalolab/bl_iot_sdk/tree/master/flash_tool/chips/bl602/eflash_loader

Here's how we decompile a #BL602 #RISCV ELF with #Ghidra

https://youtu.be/3Ikn8Y775Lk

Decompiled #BL602 EFlash Loader is here ... 10,000 lines of C to skim for goodies 👍

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c

More about #BL602 EFlash Loader

https://lupyuen.github.io/articles/flash#flash-the-firmware

#BL602 EFlash Loader's Main Function is surprisingly readable ... Decompiled from ELF by Ghidra

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L2803-L2863

Here's the #BL602 EFlash Loader's Main Loop that executes Flashing Commands

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L4031-L4108

What are the Flash Commands executed by the #BL602 EFlash Loader? 🤔

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L3814-L3844

Call Graph for #BL602 EFlash Loader ... Generated by #Ghidra

https://github.com/lupyuen/bl602-eflash-loader

#Ghidra says that #BL602 EFlash Loader supports 24 Flashing Commands ... Let's decipher them 🤔

https://github.com/lupyuen/bl602-eflash-loader

#Ghidra reveals the 24 Flashing Commands supported by #BL602 EFlash Loader ... Very nice! 👍

https://github.com/lupyuen/bl602-eflash-loader

Here are the 24 Flashing Commands supported by the #BL602 EFlash Loader ... Thanks to Ghidra 🎉

https://github.com/lupyuen/bl602-eflash-loader#flashing-commands

So cute that the #BL602 Flashing Commands are all ASCII ... Perfect for UART! 👍

https://github.com/lupyuen/bl602-eflash-loader#flashing-commands

You can't tell which way the train went by looking at the tracks ... So let's study the #BL602 Firmware Flasher ... And see what Flashing Commands it sends to the EFlash Loader

https://github.com/bouffalolab/BLOpenFlasher

#BL602 Firmware Flasher works like a State Machine ... Each Flashing State triggers a Flashing Command ... Let's trace the Flashing States

https://github.com/bouffalolab/BLOpenFlasher/blob/main/utils/util_program.go#L195-L245

Here are the #BL602 Flashing States and Flashing Command IDs derived from the BL602 Firmware Flasher (BLOpenFlasher)

https://github.com/lupyuen/bl602-eflash-loader#flashing-states

Now we can match the #BL602 Flashing States ... With the Flashing Commands reversed from the EFlash Loader

https://github.com/lupyuen/bl602-eflash-loader

Here are 5 #BL602 Flashing Commands from EFlash Loader that we can probe further ... Let's dive into "Flash Program"

https://github.com/lupyuen/bl602-eflash-loader#matching-flashing-states-and-commands

Here's the decompiled function in #BL602 EFlash Loader that writes the firmware to flash ... Let's probe deeper

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L3258-L3300

#BL602 EFlash Loader calls SFlash_Program to write to flash ... SFlash_Program is defined in the BL602 ROM ... Thanks to the decompiled code we now know how EFlash Loader works! 👍

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L4901-L4910

https://github.com/bouffalolab/bl_iot_sdk/blob/master/components/platform/soc/bl602/bl602_std/bl602_std/StdDriver/Src/bl602_romapi.c#L539-L542