BL602 EFlash Loader decompiled with Ghidra

Read the article...

• "BL602 EFlash Loader: Reverse Engineered with Ghidra"

BL602 EFlash Loader is the program that runs on BL602 to flash all firmware to its Embedded Flash. The ELF was uploaded recently (no source available, according to GitHub Code Search).

To understand what's inside BL602 EFlash Loader, we decompiled with Ghidra this official ELF from BL IoT SDK...

• bl_iot_sdk/flash_tool/chips/bl602/eflash_loader/eflash_loader.elf

  (Dated 17 Jan 2022)

Below is the decompiled C source file...

• eflash_loader.c

More about BL602 EFlash Loader...

• "Flashing Firmware to PineCone BL602"

More about Ghidra...

• "Ghidra: Software reverse engineering suite of tools"

Flashing Commands

Here are the 24 Flashing Commands supported by the BL602 EFlash Loader, as decoded by Ghidra from eflash_loader_cmds...

ID	ASCII	Flashing Command
10	LF	bflb_eflash_loader_cmd_get_bootinfo
21	!	bflb_eflash_loader_cmd_reset
30	0	bflb_eflash_loader_cmd_erase_flash
31	1	bflb_eflash_loader_cmd_write_flash
3F	?	bflb_eflash_loader_cmd_write_flash_with_decompress
32	2	bflb_eflash_loader_cmd_read_flash
34	4	bflb_eflash_loader_cmd_xip_read_flash
3A	:	bflb_eflash_loader_cmd_write_flash_check
3B	;	bflb_eflash_loader_cmd_set_flash_para
3C	<	bflb_eflash_loader_cmd_flash_chip_erase
3D	=	bflb_eflash_loader_cmd_readSha_flash
3E	>	bflb_eflash_loader_cmd_xip_readSha_flash
40	@	bflb_eflash_loader_cmd_write_efuse
41	A	bflb_eflash_loader_cmd_read_efuse
42	B	bflb_eflash_loader_cmd_read_mac_addr
50	P	bflb_eflash_loader_cmd_write_mem
51	Q	bflb_eflash_loader_cmd_read_mem
71	q	bflb_eflash_loader_cmd_read_log
60	`	bflb_eflash_loader_cmd_xip_read_flash_start
61	a	bflb_eflash_loader_cmd_xip_read_flash_finish
36	6	bflb_eflash_loader_cmd_read_jedec_id
37	7	bflb_eflash_loader_cmd_read_status_register
38	8	bflb_eflash_loader_cmd_write_status_register
33	3	bflb_eflash_loader_cmd_flash_boot

7 of the above Flashing Commands are documented in the BL602 ISP Protocol...

• 10 - Get Boot Info
• 3C - Chip Erase
• 30 - Flash Erase
• 31 - Flash Program
• 3A - Flash Program Check
• 32 - Flash Read
• 3D - SHA256 Read

The other 17 Flashing Commands are undocumented.

Flashing States

BL602 Firmware Flasher works like a State Machine. Each Flashing State triggers a Flashing Command. Here are the Flashing States and Flashing Command IDs derived from BLOpenFlasher/utils/util_program.go...

State	ID	On Success	On Error
ConfigReset		CmdReset	ErrorLoaderBin
CmdReset		CmdShakeHand	ErrorShakeHand
CmdShakeHand	55	CmdBootInfo	CmdReset
CmdBootInfo	10	CmdBootHeader	CmdReset
CmdBootHeader	11	CmdSegHeader	ConfigReset
CmdSegHeader	17	CmdSegData	ConfigReset
CmdSegData	18	CmdCheckImage	ConfigReset
CmdCheckImage	19	CmdRunImage	ConfigReset
CmdRunImage	1A	CmdReshake	ConfigReset
CmdReshake	55	CmdLoadFile	ConfigReset
CmdLoadFile		CmdEraseFlash^	ErrorOpenFile^
CmdEraseFlash	30	CmdProgramFlash	ErrorEraseFlash
CmdProgramFlash	31	CmdProgramOK^	ErrorProgramFLash
CmdProgramOK	3A	CmdSha256	ErrorProgramOK
CmdSha256	3D	CmdLoadFile	ErrorVerifySha256^
CmdProgramFinish	55	CmdProgramFinish	CmdProgramFinish

^ denotes multiple states

The Flashing Process is documented in the BL602 ISP Protocol.

Matching Flashing States and Commands

By matching the Flashing States and the Flashing Commands above, we identify 5 commands that we can probe further...

ID	ASCII	Flashing Command
10	LF	Get Boot Info bflb_eflash_loader_cmd_get_bootinfo
30	0	Flash Erase bflb_eflash_loader_cmd_erase_flash
31	1	Flash Program bflb_eflash_loader_cmd_write_flash
3A	:	Flash Program Check bflb_eflash_loader_cmd_write_flash_check
3D	=	SHA256 Read bflb_eflash_loader_cmd_readSha_flash

(3C Chip Erase and 32 Flash Read aren't used while flashing BL602, according to BLOpenFlasher)