Lup Yuen Lee 李立源 @lupyuen@qoto.org

Here are all 24 Flashing Commands supported by #BL602 EFlash Loader ... 17 of them are undocumented 🤔

https://lupyuen.github.io/articles/loader?15#list-of-flashing-commands

#Ghidra reveals every Flashing Command supported by #BL602 EFlash Loader ... Very nice! 👍

https://lupyuen.github.io/articles/loader?12#decipher-flashing-commands

#BL602 EFlash Loader defines a list of Flashing Commands ... Let's uncover the secret commands with #Ghidra

https://lupyuen.github.io/articles/loader?11#execute-flashing-command

#BL602 EFlash Loader receives Flashing Commands over UART and executes them

https://lupyuen.github.io/articles/loader?10#decompiled-main-loop

Here's how we render the Call Graph in #Ghidra

https://lupyuen.github.io/articles/loader?9#call-graph

Locating the Main Function in our Decompiled #BL602 EFlash Loader

https://lupyuen.github.io/articles/loader?8#decompiled-main-function

#Ghidra guesses that our #BL602 code is RV32GC ... Close enough! 👍

https://lupyuen.github.io/articles/loader?7#rv32gc-vs-rv32imacf

#Ghidra has helpfully decompiled our ELF File to C ... Here's how we export the C code

https://lupyuen.github.io/articles/loader?6#export-to-c

Here's how we decompile an ELF File with #Ghidra

https://lupyuen.github.io/articles/loader?5#decompile-with-ghidra

Reverse Engineering of #BL602 EFlash Loader gets easier ... Thanks to the ELF!

https://lupyuen.github.io/articles/loader?4#thank-you-elf

Flashing firmware to #BL602 ... Here's how it works

https://lupyuen.github.io/articles/loader?3#about-eflash-loader

All Clear for Reunion Dinner 👍

How #BL602 EFlash Loader flashes firmware to BL602 ... All shall be explained in this article

https://lupyuen.github.io/articles/loader?2#about-eflash-loader

What's inside the EFlash Loader that flashes all firmware to #BL602 ... All secrets shall be revealed in this article ... Thanks to #Ghidra!

https://lupyuen.github.io/articles/loader?1

Improvised Reset "Button" for #PineDio Stack BL604 @PINE64 ... Just briefly connect Pins 5 and 6 of the JTAG Port

https://lupyuen.github.io/articles/pinedio#appendix-improvised-reset-button-for-pinedio-stack

#BL602 EFlash Loader calls SFlash_Program to write to flash ... SFlash_Program is defined in the BL602 ROM ... Thanks to the decompiled code we now know how EFlash Loader works! 👍

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L4901-L4910

https://github.com/bouffalolab/bl_iot_sdk/blob/master/components/platform/soc/bl602/bl602_std/bl602_std/StdDriver/Src/bl602_romapi.c#L539-L542

Here's the decompiled function in #BL602 EFlash Loader that writes the firmware to flash ... Let's probe deeper

https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L3258-L3300

Here are 5 #BL602 Flashing Commands from EFlash Loader that we can probe further ... Let's dive into "Flash Program"

https://github.com/lupyuen/bl602-eflash-loader#matching-flashing-states-and-commands

Now we can match the #BL602 Flashing States ... With the Flashing Commands reversed from the EFlash Loader

https://github.com/lupyuen/bl602-eflash-loader

Here are the #BL602 Flashing States and Flashing Command IDs derived from the BL602 Firmware Flasher (BLOpenFlasher)

https://github.com/lupyuen/bl602-eflash-loader#flashing-states