EFlash Loader is the program that runs on #BL602 to flash all firmware ... The ELF was uploaded recently (no source available) ... Let's look inside with Ghidra
https://github.com/bouffalolab/bl_iot_sdk/tree/master/flash_tool/chips/bl602/eflash_loader
Decompiled #BL602 EFlash Loader is here ... 10,000 lines of C to skim for goodies 👍
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c
#BL602 EFlash Loader's Main Function is surprisingly readable ... Decompiled from ELF by Ghidra
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L2803-L2863
Here's the #BL602 EFlash Loader's Main Loop that executes Flashing Commands
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L4031-L4108
What are the Flashing Commands executed by the #BL602 EFlash Loader? 🤔
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L3814-L3844
Here are the 24 Flashing Commands supported by the #BL602 EFlash Loader ... Thanks to Ghidra 🎉
https://github.com/lupyuen/bl602-eflash-loader#flashing-commands
So cute that the #BL602 Flashing Commands are all ASCII ... Perfect for UART! 👍
https://github.com/lupyuen/bl602-eflash-loader#flashing-commands
You can't tell which way the train went by looking at the tracks ... So let's study the #BL602 Firmware Flasher ... And see what Flashing Commands it sends to the EFlash Loader
#BL602 Firmware Flasher works like a State Machine ... Each Flashing State triggers a Flashing Command ... Let's trace the Flashing States
https://github.com/bouffalolab/BLOpenFlasher/blob/main/utils/util_program.go#L195-L245
Here are the #BL602 Flashing States and Flashing Command IDs derived from the BL602 Firmware Flasher (BLOpenFlasher)
https://github.com/lupyuen/bl602-eflash-loader#flashing-states
Now we can match the #BL602 Flashing States ... With the Flashing Commands reversed from the EFlash Loader
Here are 5 #BL602 Flashing Commands from EFlash Loader that we can probe further ... Let's dive into "Flash Program"
https://github.com/lupyuen/bl602-eflash-loader#matching-flashing-states-and-commands
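To make the flow described in the thread concrete (a host-side State Machine where each Flashing State sends one ASCII Flashing Command over UART, and a loader-side Main Loop that looks each command up in its table and executes it), here is a small Python model. This is an added example, not code from the EFlash Loader, BLOpenFlasher or the BL602 SDK: the command names (ERASE, PROGRAM, READ), state names, flash size and firmware image are all constructed placeholders, and the real loader's 24 command IDs are deliberately not reproduced. The loader side keeps an audit log of every line it receives and refuses anything outside its table, which is the check a defender wants when a loader ships with more commands than the flasher ever uses.

```python
"""Toy model of the BL602 flashing flow: host state machine <-> loader main loop.
All command names, addresses and the image below are constructed for this example."""


class Loader:
    """Loader side: a simulated flash plus a table of ASCII commands."""

    def __init__(self, flash_size: int = 4096) -> None:
        self.flash = bytearray(b"\xff" * flash_size)   # erased flash reads 0xFF
        self.log: list[str] = []                        # audit trail of every command seen
        # Constructed command table; names are placeholders, not the real loader's IDs.
        self.commands = {
            "ERASE": self._cmd_erase,
            "PROGRAM": self._cmd_program,
            "READ": self._cmd_read,
        }

    def _check_range(self, addr: int, length: int) -> None:
        # Reject any window that does not lie entirely inside the flash.
        if addr < 0 or length < 0 or addr + length > len(self.flash):
            raise ValueError("address range outside flash")

    def _cmd_erase(self, args: list[str]) -> str:
        addr, length = int(args[0], 0), int(args[1], 0)
        self._check_range(addr, length)
        self.flash[addr:addr + length] = b"\xff" * length
        return "OK"

    def _cmd_program(self, args: list[str]) -> str:
        # Stands in for the ROM write routine: write one chunk at an address.
        addr, data = int(args[0], 0), bytes.fromhex(args[1])
        self._check_range(addr, len(data))
        self.flash[addr:addr + len(data)] = data
        return "OK"

    def _cmd_read(self, args: list[str]) -> str:
        addr, length = int(args[0], 0), int(args[1], 0)
        self._check_range(addr, length)
        return "OK " + self.flash[addr:addr + length].hex()

    def execute(self, line: str) -> str:
        """One iteration of the main loop: parse an ASCII line and dispatch it."""
        self.log.append(line)
        parts = line.strip().split()
        if not parts:
            return "ERR empty"
        handler = self.commands.get(parts[0])
        if handler is None:
            return "ERR unknown command"     # anything outside the table is refused
        try:
            return handler(parts[1:])
        except (ValueError, IndexError) as exc:
            return f"ERR {exc}"


class Flasher:
    """Host side: a state machine where each state sends one kind of command."""

    def __init__(self, loader: Loader, image: bytes, base: int = 0, chunk: int = 16) -> None:
        self.loader, self.image, self.base, self.chunk = loader, image, base, chunk
        self.trace: list[tuple[str, str]] = []   # (state, loader reply) for each command

    def _send(self, state: str, line: str) -> str:
        reply = self.loader.execute(line)
        self.trace.append((state, reply))
        return reply

    def run(self) -> str:
        """Walk ERASE -> PROGRAM -> VERIFY -> DONE; return the final state."""
        state = "ERASE"
        while state not in ("DONE", "FAILED"):
            if state == "ERASE":
                reply = self._send(state, f"ERASE {self.base:#x} {len(self.image):#x}")
                state = "PROGRAM" if reply == "OK" else "FAILED"
            elif state == "PROGRAM":
                ok = True
                for off in range(0, len(self.image), self.chunk):
                    piece = self.image[off:off + self.chunk]
                    reply = self._send(state, f"PROGRAM {self.base + off:#x} {piece.hex()}")
                    if reply != "OK":
                        ok = False
                        break
                state = "VERIFY" if ok else "FAILED"
            elif state == "VERIFY":
                reply = self._send(state, f"READ {self.base:#x} {len(self.image):#x}")
                state = "DONE" if reply == "OK " + self.image.hex() else "FAILED"
        return state


if __name__ == "__main__":
    # Constructed 40-byte "firmware" flashed at a constructed base address.
    loader = Loader(flash_size=256)
    flasher = Flasher(loader, bytes(range(40)), base=0x20, chunk=16)
    print("final state:", flasher.run())
    for sent, (state, reply) in zip(loader.log, flasher.trace):
        print(f"{state:8} {sent!r:40} -> {reply[:24]}")
```

Each entry in `flasher.trace` pairs a Flashing State with the loader's reply, which is the same state-to-command mapping the thread derives by reading BLOpenFlasher and the decompiled loader side by side; `loader.log` is what a serial capture of the UART would show.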
Here's the decompiled function in #BL602 EFlash Loader that writes the firmware to flash ... Let's probe deeper
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L3258-L3300
#BL602 EFlash Loader calls SFlash_Program to write to flash ... SFlash_Program is defined in the BL602 ROM ... Thanks to the decompiled code we now know how EFlash Loader works! 👍
https://github.com/lupyuen/bl602-eflash-loader/blob/main/eflash_loader.c#L4901-L4910
How #BL602 EFlash Loader flashes firmware to BL602 ... All shall be explained in this article
https://lupyuen.github.io/articles/loader?2#about-eflash-loader
Flashing firmware to #BL602 ... Here's how it works
https://lupyuen.github.io/articles/loader?3#about-eflash-loader
Reverse Engineering of #BL602 EFlash Loader gets easier ... Thanks to the ELF!
Here's how we decompile an ELF File with #Ghidra
https://lupyuen.github.io/articles/loader?5#decompile-with-ghidra
#Ghidra has helpfully decompiled our ELF File to C ... Here's how we export the C code
#Ghidra guesses that our #BL602 code is RV32GC ... Close enough! 👍
https://lupyuen.github.io/articles/loader?7#rv32gc-vs-rv32imacf
Locating the Main Function in our Decompiled #BL602 EFlash Loader
https://lupyuen.github.io/articles/loader?8#decompiled-main-function
Here's how we render the Call Graph in #Ghidra
#BL602 EFlash Loader receives Flashing Commands over UART and executes them
https://lupyuen.github.io/articles/loader?10#decompiled-main-loop
#BL602 EFlash Loader defines a list of Flashing Commands ... Let's uncover the secret commands with #Ghidra
https://lupyuen.github.io/articles/loader?11#execute-flashing-command
Here are all 24 Flashing Commands supported by #BL602 EFlash Loader ... 17 of them are undocumented 🤔
https://lupyuen.github.io/articles/loader?15#list-of-flashing-commands
Out of 24 Flashing Commands supported by #BL602 EFlash Loader ... Only 5 are used when flashing firmware
https://lupyuen.github.io/articles/loader?17#match-flashing-states-and-commands
Here's how #BL602 EFlash Loader writes to Embedded Flash
Now we know everything about #BL602 EFlash Loader ... Thanks to #Ghidra!
https://lupyuen.github.io/articles/loader?19#how-the-train-goes
#BL602 Firmware Flasher runs a State Machine that talks to EFlash Loader
https://lupyuen.github.io/articles/loader?16#flashing-states