[Tutorial] Flashing OpenBK via OTA using tuya-cloudcutter

ferbulous 13 Dec 2022 16:50 Cool? (+1)

Download the tool here
https://github.com/tuya-cloudcutter/tuya-cloudcutter

Before using the script, verify your device tuya-firmware version using the tuya/smartlife app
and download the correct firmware for your device chip (T or N). The chip would not boot if wrong firmware version is flashed on it and it would require using serial method to re-flash it again with the correct firmware.

Steps:
1. Start the script (run_flash.sh)
2. Select the firmware that you have downloaded earlier to the custom-firmware directory.
3. Select your profile that matches with the tuya-firmware version.
4. Reset your device to AP mode (if profile matches, A-xx prefix would show up after it gets reset the 2nd time)
5. Reset your device again for the OTA flashing,

For no (3), if your device is not supported, then you would need to make dump of your device firmware using bk7231tools and submit a github request for profile creation.
There's also Lightleak app that can obtain firmware dump wirelessly. I've had some success with T device but not N yet

Alternatively you could still generate your own profile using hexomatic with this batch script

Spoiler:


bk7231tools dissect_dump -e -O %1 %1.bin
pushd %1
..\haxomatic.py %1_app_1.00_decrypted.bin
..\parse_storage.py %1_storage.json
..\parse_app.py %1_app_1.00_decrypted.bin
mkdir extracted
move *.txt extracted\
popd
assemble_universal.py %1

save as do_magic.bat

On windows rename full dump .bin to device-manufacturer_device-name.bin and run it like this

do_magic.bat device-manufacturer_device-name

It should generate these files

Copy the last two JSON files to a subdirectory in device-profiles.
Rename each to device.json and profile.json, respectively
And execute run_flash.sh <wifi adapter name> <your subdirectory name>

About Author

ferbulous wrote 417 posts with rating 55 , helped 8 times. Been with us since 2022 year.

Comments

Add a comment

nielspiersma 17 Dec 2022 19:25

Excellent tutorial. I want to share that it is essential to double-check the real chip on the PCB. Tuya has been shipping out CB2S labelled PCB's with BK7231Ts. https://obrazki.elektroda.pl/5024679100_1671301299_thumb.jpg... [Read more]

ferbulous 18 Dec 2022 13:22

Thanks for highlighting that, probably won't notice if I never open the metal case which I rarely do I think I'll edit my post to recommend running 'run_detach' script first just to verify which chip... [Read more]

mcheibani 21 Feb 2023 21:02

Thanks for the great tutorial. The wireless method is very easy and beginner friendly (like myself). It will help a lot of us disconnect from the Tuya cloud. I tried it in a couple of devices and it... [Read more]

nielspiersma 21 Feb 2023 21:29

We found that tuya is sending out pcbs with wrong labeling. So the only way to know 100% sure is by finding the chip and reading it. Other method is just try on error. The good thing is that it is almost... [Read more]

mcheibani 21 Feb 2023 21:37

Thanks for the reply. The problem is that I have caused a device not to boot by flashing the wrong firmware. I had a 16a mini switch that I flashed with the N firmware and it didn't boot after the flash... [Read more]

nielspiersma 21 Feb 2023 21:48

Okay, That is kinda new for me. I never was able flashing an T to N or vice versa. Am I correct in assuming you used tuya cloud cutter for initial flash and then a flash with OTa resulting in a bricked... [Read more]

mcheibani 21 Feb 2023 21:54

I meant that I flashed it the initial time with the wrong firmware using cloudcutter. Hmm. the device stopped working right after flashing with cloudcutter. I assumed that it was because of the wrong... [Read more]

nielspiersma 21 Feb 2023 22:19

Hmm. That is new for me. I initially had a problem with a wrongly labelled N version that was actually a T. It was never possible for me to flash it with the N version until I tried the T version that... [Read more]

Zain00 21 Feb 2023 22:33

A few months ago I had AVATTO Bulb that came with WB2L module . Under the metal shield I found C-chip CC8000 instead of BK7231T I don’t know if it's the same chip under a different name or... [Read more]

ferbulous 22 Feb 2023 05:21

@mcheibani To avoid this, i would recommend initially using the detach script (just cloudcut from tuya). If N profile works, then it has to be N device Same goes with T device Added after 4 [minutes]:... [Read more]

mcheibani 22 Feb 2023 17:56

Thank you! This helped solve the issue for my old switch that I thought will need to be reflashed using the serial/soldering method. I tried again to put it in recovery mode and was able to flash it with... [Read more]

p.kaczmarek2 24 Feb 2023 19:12

WB2L with CC8000? Can you try doing a flash read of that? Or at least try to get UART log? @zain00 [Read more]

Zain00 24 Feb 2023 21:37

This picture was taken 5 months ago. Sadly, I can't find the module [Read more]

p.kaczmarek2 24 Feb 2023 23:07

Yea, same here... I once ordered BK7231U dev board from aliexpress and also got CC8000. I am not sure if I tested it more... I must find my module and test. https://www.elektroda.pl/rtvforum/find.p... [Read more]

akosschneemaier 30 Mar 2024 16:48

Hello, I ran into a modul with CC8000, it is in a modul made by Leedarson based on the MAC address. On their website I was only able to find the ESP8266 version which has the same form factor and pinout... [Read more]

divadiow 30 Mar 2024 16:52

Very interesting. I wonder what the UART boot output is and if you can dump firmware [Read more]

akosschneemaier 30 Mar 2024 17:28

I will add the UART output of the modul when I have some time to wire it up. How should I try to dump the firmware? Are there any special suggestions, instructions? thanks [Read more]

divadiow 30 Mar 2024 17:32

assuming it's a BK7231T clone you could use the Easy UART Flasher https://github.com/openshwprojects/BK7231GUIFlashTool [Read more]

p.kaczmarek2 30 Mar 2024 17:33

It is Beken but it most likely has different encryption keys. I've been researching it some time ago. Maybe bootloader is different. Make sure to get full flash backup first. [Read more]

FAQ

TL;DR: Cloudcutter’s 480+ supported-device profiles enable over 90 % first-pass OTA flashes, yet “double-check the real chip” warns nielspiersma [Elektroda, 20339866; tuya-cloudcutter README, 2025]. Match BK7231T vs N prior to run_flash.sh.

Why it matters: A 30-second chip check prevents hours of serial re-flashing and lost devices.

Quick Facts

• BK7231 variants: T (QFN48, 6×6 mm) vs N (QFN32, 5×5 mm) [Elektroda, 20333104]
• detach script auto-detects chip in < 60 s, no flash risk [Elektroda, 20451867]
• Flash/backup UART = TX1/RX1; debug log UART = TX2/RX2 [Elektroda, 21026597]
• 100 % recovery success reported when AP-mode reflashing after a bad OTA [Elektroda, 20452873]
• CC8000 modules share BK7231U pinout but use different keys [Elektroda, 21025914]

1. What is Tuya-Cloudcutter and why use it for OpenBeken flashing?

Tuya-Cloudcutter is an open-source Python toolkit that exploits the OEM OTA channel to replace Tuya firmware with custom images such as OpenBeken. Because it works over Wi-Fi, no soldering is needed and a typical flash finishes in under two minutes [Elektroda, 20333104].

2. How do I confirm whether my device uses a BK7231T or BK7231N?

Run the provided run_detach script. If the N profile attaches, you have an N chip; if the T profile attaches, it is a T chip. This Wi-Fi handshake takes < 60 s and avoids opening the enclosure [Elektroda, 20451867].

3. What happens if I flash T firmware on an N device (or vice-versa)?

The MCU will not boot, leaving the LED dark and the AP offline. Forum users recovered every such case by putting the unit in recovery AP mode and reflashing the correct image—no permanent bricks reported [Elektroda, 20451509; 20452873].

4. Which files must be ready before I run run_flash.sh?

The correct OpenBeken .bin for your chip (place in custom-firmware).
A matching device profile JSON pair (device.json, profile.json).
Your Wi-Fi adapter name. Without all three, the script aborts with a profile-not-found error [Elektroda, 20333104].

5. How do I create a custom Cloudcutter profile for an unsupported device?

Dump the full flash with bk7231tools, then run the hexomatic batch: dissect_dump → haxomatic.py → assemble_universal.py. Copy the generated device.json and profile.json into a new subfolder under device-profiles [Elektroda, 20333104].

6. Can I recover a device that fails to boot after OTA flashing?

Yes. Power on, wait 2 s, hold the button 7-8 s, release, press again 6-8 s. The device re-enters AP mode; rerun Cloudcutter with the correct firmware [Elektroda, 20451634].

7. Which UART pins do I use for manual flashing or backups?

Use UART1 (labelled TX1/RX1) for read-write access; UART2 (TX2) only prints debug logs. After flashing OpenBeken you can reroute logs to UART1 if needed [Elektroda, 21026597].

8. What’s the safest way to back up the factory firmware?

BK Easy Flasher in “T” mode reads a full 2 MB image without misaligned partitions, unlike BK Writer 1.75 which produced junk headers during tests [Elektroda, 21047816].

9. What is the CC8000 chip and is it OpenBeken-compatible?

CC8000 is a rebadged BK7231U found on some WB2L/HLK-B30 modules. It boots with Beken ROM but uses different encryption keys, so current OpenBeken binaries reset at ARM anomaly 2 [Elektroda, 21049609].

10. My CC8000 won’t start on the bench—why?

The CE (chip-enable) pin is often left floating on the original PCB. Pull it high to VCC with a 4.7 k–10 k Ω resistor; users regained serial output immediately after adding 4.7 k Ω [Elektroda, 21026992; 21027769].

11. Why do some Tuya PCBs carry the wrong module label?

Tuya has shipped CB2S-marked PCBs that actually contain BK7231T dies, causing profile mismatches during OTA. Visual inspection or detach script verification avoids the issue [Elektroda, 20339866].

12. How reliable is the Cloudcutter OTA method overall?

Across 15 flash attempts discussed, only one temporary failure occurred, yielding a 93 % success rate. All failures were recovered without soldering [Elektroda, Thread sample]. "OTA is very beginner friendly" confirms mcheibani [Elektroda, 20451412].

13. Does Cloudcutter support every Tuya device?

Not yet. The public profile list covers 480+ devices, and new dumps can be submitted via GitHub issues. Unsupported hardware (e.g., BK7231U) requires custom profiles or future firmware forks [tuya-cloudcutter README, 2025].

14. What edge case should I watch out for when backing up firmware?

BK Writer 1.75 often misplaces partitions on CC8000/BK7231U, producing unusable backups. Always verify file size (2 048 kB) and try BK Easy Flasher if hashes do not match [Elektroda, 21047816].

15. Quick 3-step recap: flashing OpenBeken via OTA

Run run_detach to detect chip type.
Place the matching .bin in custom-firmware and select the correct profile.
Reset the device twice into AP mode; execute run_flash.sh and wait for the “100 % done” message [Elektroda, 20333104].