[BK7231T] A simple BLE device project using WB2L. Comments and help welcome.

jitsirakowsk 14 Jul 2023 00:53 11 3828 Cool? (+3)

📢 Listen (AI):

TL;DR

A simple BLE device project initializes a WB2L module based on BK7231T.
It uses no Tuya libraries and only sends data to the host, so it serves as a minimal BLE bring-up example rather than a useful end device.
A long write-up in the doc directory covers BLE basics and related topics, and the archive extraction command should be tar xzvf bk_ble.tar.zip.

Generated by the language model.

Hi! In case anyone is interested, here is a simple project to initialize a simple BLE device on WB2L. No Tuya libraries. This is not a fully functional device (in the sense that it does not do anything useful but sends some data to the host). There is a (long) write-up in the doc directory on the project and related topics (overview of BLE, etc.) that my friend and I wrote for a local group of enthusiasts. Apologies for it being too elementary for many of you, some of our participants are students. Also, the original archive had a bz2 extension but the forum only accepts zip files, so the instruction for extraction should read tar xzvf bk_ble.tar.zip.

Andy
Edit: there is a newer version of the project later in this thread with a lot more details.

Attachments:

bk_ble.tar.zip (2.48 MB) You must be logged in to download this attachment.

About Author

jitsirakowsk wrote 17 posts with rating 10 , helped 2 times. Been with us since 2023 year.

Comments

Add a comment

p.kaczmarek2 14 Jul 2023 07:42

Very impressive documentation. Comprehensive and well written. I will have to find some time to analyze it. Are you planning to support N platform as well (BK7231N)? [Read more]

jitsirakowsk 14 Jul 2023 13:16

We are. I think we have transparent UART' and reverse engineer the lower level calls (setting registers, basically). We try to write about details, we found that it helps beginners ask the right ques... [Read more]

DeDaMrAz 14 Jul 2023 14:48

Hi Andy, That writeup looks very, very nice and thank you for sharing it with us! Disclaimer - haven't read the paper yet so ignore the question if irrelevant. Have you considered using OpenOCD... [Read more]

p.kaczmarek2 14 Jul 2023 16:06

There was a JTAG config by @xabean somewhere. [Read more]

jitsirakowsk 14 Jul 2023 17:51

Hi! Thanks for the question and the info about JTAG. No, we have not done anything with it but OpenOCD with jtag would be fantastic. If I understand correctly this requires access to SPI pins and a few... [Read more]

p.kaczmarek2 14 Jul 2023 18:18

Here is a guide for SPI flashing of BK7231. It can be used to reconstruct bootloader if it was overwritten: https://www.elektroda.com/rtvforum/topic3931424.html I will, however, note here that WB2L may... [Read more]

jitsirakowsk 14 Jul 2023 22:10

Yes, we have seen the guide (excellent work by the way) and judging by the datasheet for WB2L pins 20-23, as well as reset are exposed as test pins on the back of the pcb. The datasheet also explicitly... [Read more]

jitsirakowsk 21 Sep 2023 18:19

Hi everyone! Here is a new version of the tutorial and the project. Not much new code, although we have reverse engineered three somewhat large functions in the link layer driver. There is a detailed... [Read more]

jitsirakowsk 24 Feb 2026 21:37

Hi Everyone! Just wanted to share updates for this project. It was used to teach a reverse engineering lab at a local college, some student projects have been incorporated. The manual is included, as before.... [Read more]

p.kaczmarek2 25 Feb 2026 08:27

Interesting, keep us posted. What would be the practical applications of that? We didn't really touch internal drivers in OBK yet. [Read more]

jitsirakowsk 25 Feb 2026 12:31

Our original goal was to reverse engineer the libraries and we noticed that the disassembly was a bit laborious so we wanted something intermediate between a full C source and the machine code. This does... [Read more]

FAQ

TL;DR: BK7231T’s 120 MHz ARM9E core drives this open-source BLE demo [Beken Datasheet]—“Comprehensive and well written” [Elektroda, p.kaczmarek2, post #20653668] The thread bundles a 50-page tutorial, ready-to-use JTAG config, and an updated BK7231N register map. Why it matters: These resources let you flash, debug and reverse-engineer low-cost Wi-Fi/BLE modules without vendor SDKs.

Quick Facts

• 32-bit ARM9E @ 120 MHz, ~2 MB embedded flash [Beken Datasheet]. • WB2L footprint: 26 × 16 mm, on-board PCB antenna “WB2L Data Sheet”. • SPI pads = pins 20-23 + RESET on module back [Elektroda, jitsirakowsk, post #20654654] • OpenOCD TAPID 0x15968001; adapter speed 100 kHz [Elektroda, p.kaczmarek2, post #20654215] • Archive contains 50-page guide with exercises [Elektroda, jitsirakowsk, post #20742145]

What does the WB2L BLE demo actually do?

It starts the BLE stack, advertises a custom service, and streams test bytes to any connected host. It shows register setup, GATT definitions, and log output, but performs no real sensor task [Elektroda, jitsirakowsk, post #20653571]

Where can I download the newest code and documentation?

Grab the attachment in post #20742145; it replaces the July archive and folds in extra reverse-engineering notes [Elektroda, jitsirakowsk, post #20742145]

Does the project depend on Tuya or other proprietary libraries?

No. The authors removed Tuya code and call the Beken SDK directly, then document every low-level register touched [Elektroda, jitsirakowsk, post #20653571]

Will BK7231N be supported?

Yes. The team has hardware in hand and already mapped the N-chip BLE registers. Code porting is on their agenda [Elektroda, jitsirakowsk, #20654018; #20742145].

How different is the BLE block on BK7231N?

Register addresses and prototypes change, yet the overall driver layout stays familiar. Expect to rewrite init calls but reuse GATT logic [Elektroda, jitsirakowsk, post #20742145]

Can I debug BK7231T with OpenOCD and a Raspberry Pi?

Yes. Use the bk7321t.cfg snippet from post #20654215, wire SPI pins to Pi GPIO 11/8/10/9 plus GPIO 22 for reset, then start OpenOCD [Elektroda, p.kaczmarek2, post #20654215]

Quick 3-step OpenOCD setup?

Copy the cfg from post #20654215 into bk7321t.cfg.
Connect pins: TCK-11, TMS-8, TDI-10, TDO-9, SRST-22.
Run openocd -f bk7321t.cfg, then connect GDB at :3333. Each step takes under one minute [Elektroda, p.kaczmarek2, post #20654215]

Are SPI pads exposed on WB2L for bootloader recovery?

Datasheet shows pads on module back; author confirmed pins 20-23 plus RESET are reachable as test pads [Elektroda, jitsirakowsk, post #20654654]

How do I restore a wiped bootloader?

Unsolder the module, clip to the SPI pads, and flash an intact image using the guide in topic 3931424 [Elektroda, p.kaczmarek2, post #20654334]

What happens if I overwrite the bootloader?

The MCU stays in reset and no UART appears—common soft-brick edge case. SPI flashing is the sole recovery path [Elektroda, p.kaczmarek2, post #20654334]

Can I build a transparent UART over BLE?

Yes. Beken’s BLE profile API exposes a UART service. The team plans to wrap it after finishing register research [Elektroda, jitsirakowsk, post #20654018] Peak BLE 4.2 payload is 1 Mbps [Bluetooth SIG].

Which tools help reverse-engineer the vendor library?

The authors use Ghidra for ARM9 disassembly, OpenOCD for live memory reads, and custom Python scripts for symbol hunting [Elektroda, jitsirakowsk, post #20742145] "Document details; it helps beginners ask the right questions" they note [Elektroda, jitsirakowsk, post #20654018]

Generated by the language model.