Reverse engineering the SDK for BL602 RISC-V WiFi & BLE microcontroller

Bouffalo Lab BL602, and its big brother BL604 with extra GPIOs, are RISC-V microcontrollers with WiFi and Bluetooth LE that offer an alternative to Espressif Systems ESP32 Xtensa based WiSoC, although Espressif has also designed its own RISC-V solution: ESP32-C3.

Soon after the “announcement” in October 2020, we found out the SDK and a relatively cheap BL602 board, but the SDK has many closed-source binaries. Soon after Sipeed and Pine64 expressed their interest in developing an open-source toolchain and even an open-source WiFi (and BLE) stack. Time has passed and even got a Pinecone board in January, but did not do anything with it, especially seeing the status of the software.

The same cannot be said for Lup Yuen Lee (aka MrTechBlog) who spent a lot of time doing interesting with Pine64 BL602 module and board including playing and thoroughly documenting his work with Tensorflow Lite, connecting the board to a LoRa module, and more (scroll down that link to the Publications section for more posts).

BL602 SDK reverse engineer code
BL602 “non-WiFi ” modules functions and lines of code

More recently he decided to work on the Nutcracker challenge to create an open-source WiFi and Bluetooth stack, and wrote a long post going through the reverse engineering process for the WiFI code in BL602 SDK.

This includes going through all functions of the code to understand basics like connecting to a WiFi router and sending some HTTP packets using the demo firmware, Since some of the code is binary only it was decompiled into C language for further analysis. That part is not quite easy since variable and function names are not exactly meaningful, but he went through it to check out which part may be leveraged for reverse engineering as illustrated below.

BL602 decompiled C code

Then the whole process is a dance between the SDK source code and the decompiled C source to try to understand what’s going on… and eventually, it appears the WiFi code comes from CEVA RivieraWaves firmware/software used in many WiFi solutions. Lup Yuen Lee even noticed the code for BL602 looks very similar to the one for the RK3399 WiFi supplicant code.

Most of the non-WiFi functions are open-sourced and the analysis also found out the SDK uses source code from various projects including AliOS embedded framework for multitasking and device drivers, AWS Cloud for IoT and MQTT (Message Queue) services, EasyFlash embedded database, FreeRTOS running underneath AliOS, Lightweight IP (LWIP), and Mbed TLS.

But all this work is just a starting point for further work. You may learn a lot about reverse engineering a WiFi stack by reading the full post.

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard

2 Replies to “Reverse engineering the SDK for BL602 RISC-V WiFi & BLE microcontroller”

  1. Lup Yuen Lee publishes a ton of educational content. I suggest anyone interested in IoT/embedded SW to follow him on Twitter (@MisterTechBlog).

  2. Thank you so much for exposure! Best of luck!
    But missing registers and 10 000 lines of source code …

Leave a Reply

Your email address will not be published. Required fields are marked *

Khadas VIM4 SBC
Khadas VIM4 SBC