FAQ
TL;DR: BK7231T’s 120 MHz ARM9E core drives this open-source BLE demo [Beken Datasheet]—“Comprehensive and well written” [Elektroda, p.kaczmarek2, post #20653668] The thread bundles a 50-page tutorial, ready-to-use JTAG config, and an updated BK7231N register map.
Why it matters: These resources let you flash, debug and reverse-engineer low-cost Wi-Fi/BLE modules without vendor SDKs.
Quick Facts
• 32-bit ARM9E @ 120 MHz, ~2 MB embedded flash [Beken Datasheet].
• WB2L footprint: 26 × 16 mm, on-board PCB antenna *“WB2L Data Sheet”*.
• SPI pads = pins 20-23 + RESET on module back [Elektroda, jitsirakowsk, post #20654654]
• OpenOCD TAPID 0x15968001; adapter speed 100 kHz [Elektroda, p.kaczmarek2, post #20654215]
• Archive contains 50-page guide with exercises [Elektroda, jitsirakowsk, post #20742145]
What does the WB2L BLE demo actually do?
It starts the BLE stack, advertises a custom service, and streams test bytes to any connected host. It shows register setup, GATT definitions, and log output, but performs no real sensor task [Elektroda, jitsirakowsk, post #20653571]
Where can I download the newest code and documentation?
Grab the attachment in post #20742145; it replaces the July archive and folds in extra reverse-engineering notes [Elektroda, jitsirakowsk, post #20742145]
Does the project depend on Tuya or other proprietary libraries?
No. The authors removed Tuya code and call the Beken SDK directly, then document every low-level register touched [Elektroda, jitsirakowsk, post #20653571]
Will BK7231N be supported?
Yes. The team has hardware in hand and already mapped the N-chip BLE registers. Code porting is on their agenda [Elektroda, jitsirakowsk, #20654018; #20742145].
How different is the BLE block on BK7231N?
Register addresses and prototypes change, yet the overall driver layout stays familiar. Expect to rewrite init calls but reuse GATT logic [Elektroda, jitsirakowsk, post #20742145]
Can I debug BK7231T with OpenOCD and a Raspberry Pi?
Yes. Use the bk7321t.cfg snippet from post #20654215, wire SPI pins to Pi GPIO 11/8/10/9 plus GPIO 22 for reset, then start OpenOCD [Elektroda, p.kaczmarek2, post #20654215]
Quick 3-step OpenOCD setup?
- Copy the cfg from post #20654215 into bk7321t.cfg.
- Connect pins: TCK-11, TMS-8, TDI-10, TDO-9, SRST-22.
- Run
openocd -f bk7321t.cfg, then connect GDB at :3333. Each step takes under one minute [Elektroda, p.kaczmarek2, post #20654215]
Are SPI pads exposed on WB2L for bootloader recovery?
Datasheet shows pads on module back; author confirmed pins 20-23 plus RESET are reachable as test pads [Elektroda, jitsirakowsk, post #20654654]
How do I restore a wiped bootloader?
Unsolder the module, clip to the SPI pads, and flash an intact image using the guide in topic 3931424 [Elektroda, p.kaczmarek2, post #20654334]
What happens if I overwrite the bootloader?
The MCU stays in reset and no UART appears—common soft-brick edge case. SPI flashing is the sole recovery path [Elektroda, p.kaczmarek2, post #20654334]
Can I build a transparent UART over BLE?
Yes. Beken’s BLE profile API exposes a UART service. The team plans to wrap it after finishing register research [Elektroda, jitsirakowsk, post #20654018] Peak BLE 4.2 payload is 1 Mbps [Bluetooth SIG].
Which tools help reverse-engineer the vendor library?
The authors use Ghidra for ARM9 disassembly, OpenOCD for live memory reads, and custom Python scripts for symbol hunting [Elektroda, jitsirakowsk, post #20742145] "Document details; it helps beginners ask the right questions" they note [Elektroda, jitsirakowsk, post #20654018]
Comments
Very impressive documentation. Comprehensive and well written. I will have to find some time to analyze it. Are you planning to support N platform as well (BK7231N)? [Read more]
We are. I think we have `N' powered devices lying around as well so as soon as we hook it up we should be able to get something similar. In the meanwhile we are planning to use Beken's BLE profile api... [Read more]
Hi Andy, That writeup looks very, very nice and thank you for sharing it with us! Disclaimer - haven't read the paper yet so ignore the question if irrelevant. Have you considered using OpenOCD... [Read more]
There was a JTAG config by @xabean somewhere. [Read more]
Hi! Thanks for the question and the info about JTAG. No, we have not done anything with it but OpenOCD with jtag would be fantastic. If I understand correctly this requires access to SPI pins and a few... [Read more]
Here is a guide for SPI flashing of BK7231. It can be used to reconstruct bootloader if it was overwritten: https://www.elektroda.com/rtvforum/topic3931424.html I will, however, note here that WB2L may... [Read more]
Yes, we have seen the guide (excellent work by the way) and judging by the datasheet for WB2L pins 20-23, as well as reset are exposed as test pins on the back of the pcb. The datasheet also explicitly... [Read more]
Hi everyone! Here is a new version of the tutorial and the project. Not much new code, although we have reverse engineered three somewhat large functions in the link layer driver. There is a detailed... [Read more]