Is there any document describing BL702's ISP protocol?
Just like this: https://github.com/bouffalolab/bl_docs/blob/main/BL602_ISP/en/BL602_ISP_protocol.pdf but for BL702?
BL702 is the same as BL602
I took my setup under a logic analyzer and there seem to be some undocumented commands (HEX):
Do you have information about some of these?
There is this list in the sources of the bl_mcu_sdk repo which lists the names of those commands, though you will have to do your own reverse engineering to figure out what they mean.
0x50 0x00 0x08 0x00 # BFLB_EFLASH_LOADER_CMD_MEM_WRITE
0x36 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_FLASH_READ_JEDECID
0x60 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_XIP_READ_START
0x3E 0xB8 0x08 0x00 # BFLB_EFLASH_LOADER_CMD_FLASH_XIP_READSHA
0x61 0x00 0x00 0x00 # BFLB_EFLASH_LOADER_CMD_XIP_READ_FINISH
That's pretty helpful. Thanks!
They look like EFlash Loader Commands. I wrote about the EFlash Loader here, hope it helps...
BL602 EFlash Loader: Reverse Engineered with Ghidra
lupyuen Thanks! I already had some success with reverse engineering the flasher. It's not a fully standalone solution but it's working 🙂 https://github.com/Jatsekku/jq_flasher