Is there any document describing BL702's ISP protocol? Just like this: https://github.com/bouffalolab/bl_docs/blob/main/BL602_ISP/en/BL602_ISP_protocol.pdf but for BL702?
BL702 is the same as BL602
I put my setup under a logic analyzer and there seem to be some undocumented commands (HEX):
Do you have information about some of these?
There is this list in the sources of the bl_mcu_sdk repo which lists the names of those commands, though you will have to do your own reverse engineering to figure out what they mean. https://github.com/bouffalolab/bl_mcu_sdk/blob/8742503a9e9aaa36462767b300f3c22b2935cc5e/examples/boot2_iap/bflb_eflash_loader_cmds.h#L42-L87
0x50 0x00 0x08 0x00 # BFLB_EFLASH_LOADER_CMD_MEM_WRITE
0x36 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_FLASH_READ_JEDECID
0x60 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_XIP_READ_START
0x3E 0xB8 0x08 0x00 # BFLB_EFLASH_LOADER_CMD_FLASH_XIP_READSHA
0x61 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_XIP_READ_FINISH
That's pretty helpful. Thanks!
They look like EFlash Loader Commands. I wrote about the EFlash Loader here, hope it helps...
BL602 EFlash Loader: Reverse Engineered with Ghidra
lupyuen Thanks! I already had some success with reverse engineering the flasher. It's not a fully standalone solution but it's working 🙂 https://github.com/Jatsekku/jq_flasher