
Unusual firmware change for the non-detachable Blow 72-070 socket for PLN 30

p.kaczmarek2
Two disassembled BLOW smart sockets with exposed electronics.
I will show you a small curiosity: a quite invasive but effective way to change the firmware of the cheapest WiFi-controlled socket. This socket is characterized by a low price (PLN 30) and a construction that makes it impossible to remove the board with the WiFi module from inside, which makes changing the firmware very difficult. This is not a product like the Blitzwolf sockets, where there is either a hidden screw or retractable pins; here everything is held together and there is really no way to get to the programming pads. Normally I wouldn't touch it, but I received a request from a reader to change the firmware of such a socket at all costs...

You can buy this socket really cheaply, which is no surprise, as it's the cheapest option possible:
Blow Smart Home WiFi socket with packaging and Tuya mobile app.
The socket offers energy measurement:
Smart Wi-Fi socket timer Blow with Tuya app.
This is a variation of the LSPA9 socket, described here:
Electrical socket with LSPA9 energy measurement - we program our own firmware
but this version has a grounding plate whose rivet makes it impossible to remove the PCB.
We'll get to that in a moment, but first, photos of the packaging:
Packaging of a Blow brand WiFi smart socket. Blow WiFi Smart Socket box on a wooden table. Back of the Blow smart WiFi socket packaging showing specifications and markings. Blow socket packaging with QR code
Set:
Blow smart socket with instruction manual in the background.
Polish-language instructions:
User manual for Blow WiFi smart socket. User manual for a smart Wi-Fi socket in Polish. Instruction manual for a WiFi smart socket with the Smart Life app. Polish-English user manual for using Amazon Echo to control smart devices. User manual for Blow smart socket with WiFi Declaration of conformity for the BLOW WiFi smart socket.
Socket itself:
Front view of a WiFi smart socket with visible prongs and technical markings.

Interior and flashing the Blow
At first, it disassembles like the LSPA9, but after a while there is a surprise: the ground plate holds the rest of the assembly in place:
Open plastic electrical socket with visible interior components.
I don't know how to make sense of this:
Interior of a cheap WiFi socket showing the PCB and electrical components.
After consulting the reader, the decision was made - we cut:
WiFi socket with open casing revealing the interior.
Already at this point I tried to connect the programmer:
View of a damaged electrical socket with exposed wires and exposed PCB. Modified electrical socket with exposed interior.
There is of course a BK7231 inside; BK7231Flasher should be able to handle it:
https://github.com/openshwprojects/BK7231GUIFlashTool
but here is the problem, because the energy measurement system is probably on RX/TX... so you need to desolder the module:
Damaged Blow socket with exposed circuit board. Image of a damaged electrical socket with visible electronic components inside.
Out of circuit, the firmware can be changed normally:
Image of a WB2S module with a BK7231T chip placed on a wooden surface. Printed circuit board with markings on a wooden surface.
View of a disassembled Blow electric socket with wiring and a breadboard on a wooden table.
This is what the socket looks like from above:
Close-up of the inside of an electrical socket showing a circuit board.
The module returns to its place:
Damaged electrical socket with an exposed PCB.
Flasher obviously detected the configuration:
Screenshot of BK7231 Easy UART Flasher software with device configuration.
Verbal description:

Device configuration, as extracted from Tuya: 
- BL0937 SEL on P24
- Button (channel 1) on P11
- LED (channel 1) on P10
- BL0937 VI on P8
- WiFi LED on P6
- BL0937 ELE on P7
- Relay (channel 1) on P26
Device seems to be using WB2S module, which is using BK7231T.
And the Tuya section starts, as usual, at 2023424


After changing the firmware, you still need to perform calibration, similarly to Tasmota - CurrentSet, VoltageSet, PowerSet commands.

Finally, we protected the socket, first with a solder mask, and then (on the reader's side) with epoxy or some form of filler, at our discretion:
Two damaged electrical sockets with exposed PCBs. Two electrical sockets with visible damage and glowing blue light.

Summary
Nothing to be proud of here; this is a terrible device to change the firmware on. It is very problematic, especially since the products are now no longer susceptible to the exploit allowing the first OTA via WiFi. I have very fond memories of the original LSPA9, where it was possible to remove the entire PCB from the housing. In the case of the Blow, this is not possible due to the previously mentioned riveted plate.
It's possible that something better could be invented, but I only programmed two pieces, so the method from the topic worked anyway.
What one won't do to have automation operating fully locally, without the Chinese cloud...


Comments

Nargo 14 Mar 2024 20:22

Wouldn't it be easier to drill out the rivet?

p.kaczmarek2 14 Mar 2024 23:47

Well, I don ll try.

acctr 15 Mar 2024 00:03

If there was determination, it had to succeed. Alternatively, after drilling out the rivet, you can rivet it again or tighten it with an M3 screw.

neo_84 15 Mar 2024 05:36

I would do that too. By the way, why change the load to something other than the factory one? I t work with a given smartphone application, as we would like.

p.kaczmarek2 15 Mar 2024 08:08

I wrote about why people want to change the load in the topic The electrode list of interior IoT devices has reached 500 entries

K 15 Mar 2024 10:07

Why bottle it at all, what does it give? I've always wondered about this, and finally today I decided to ask.

jajacek44 15 Mar 2024 10:21

Dissociating yourself from observation by Rice Brother, e.g. .

p.kaczmarek2 15 Mar 2024 11:20

@K, there was an answer posted above. I will add that I also change the batch because I like to have the device available in the local network through a browser, normally by IP address, and Tuya etc....

omaxp 15 Mar 2024 14:51

but then you don't have access to the device outside your home??

acctr 15 Mar 2024 14:52

The point is that if the user is sitting on the sofa and wants to close the blinds from the smartphone, the request should not go through the server room in Shenzhen but only through the home router. ...

p.kaczmarek2 15 Mar 2024 15:00

Access to the device is whatever you organize, i.e. after flashing the IoT device with an alternative firmware that works without the cloud, such as Tasmota and connecting the device to your WiFi,...

William Bonawentura 16 Mar 2024 09:35

Isn't it enough to, for example, redirect the DNS router to your own service?

acctr 16 Mar 2024 10:20

It may be possible, but you still need to support the original software protocol. I have never played with it, I prefer to move four letters, go to the switch and manually turn on the light. I only use...

tomaszlonski 16 Mar 2024 11:15

Just invest in a router with VPN or simply run a VPN server on your router if it has one. With public IP, access to your home network around the world.

acctr 16 Mar 2024 11:33

Or set up your own server with a public IP. Or subscribe to AWS or Azure and write your own applications with all the benefits of possibilities. There are many possibilities - it's just a matter of ...

tomaszlonski 16 Mar 2024 15:50

But why, since VPN is the simplest and relatively safe way to access your home network. Most new routers are supported, configuration and launch on any device takes 5 minutes without any additional costs. ...

Oddawajsanki 17 Mar 2024 00:27

You could have reached the arrangement in a simpler way

Jurek_I 19 Mar 2024 08:12

@tomaszlonski How did you achieve this?

tomaszlonski 19 Mar 2024 19:15

I described only have a router with a VPN server (not with the client because that's different). And at home I have two Vu+ Uno 4kSE tuners, one with satellite and the other with terrestrial.

FAQ

TL;DR: For a PLN 30 Blow 72-070 smart plug, “we cut” was the working method when the grounded riveted plate blocked PCB removal. This FAQ helps DIY IoT users reflash a WB2S/BK7231T socket, recover energy metering, and choose between invasive hardware work, older OTA options, and local-only remote access. [#21004173]

Why it matters: This thread shows that the cheapest Tuya-based sockets can be converted to local control, but mechanical design can turn a routine flash into board cutting, desoldering, and post-repair insulation work.

| Method | Opening effort | Main obstacle | Reassembly need | Best use case |
| Cut metal part | High | Riveted ground plate | High | When PCB cannot be removed at all |
| Drill out rivet | Medium | Re-fastening the ground part | Medium | If you can restore strength with rivet or M3 screw |
| Tuya CloudCutter | Low | Works only on older batches | None | Older Tuya firmware still vulnerable |

Key insight: The real blocker is not the BK7231T chip. The blocker is the grounded riveted plate and shared serial lines, which force invasive access before safe flashing.

Quick Facts

  • The socket discussed costs about PLN 30 and includes energy measurement, making it cheap but still useful for local automation after reflashing. [#21004173]
  • The extracted Tuya config identifies a WB2S module with BK7231T and a BL0937 metering chip, with relay on P26 and button on P11. [#21004173]
  • Tuya settings in the dump include approximate protection thresholds of 90 V low voltage and 260 V overvoltage. [#21004173]
  • One suggested mechanical fix after drilling is to reattach the structure with an M3 screw, instead of leaving the ground section loose. [#21004597]
  • A home VPN was described as taking about 5 minutes to configure on supported routers, while one tuner setup streamed up to 8 SAT programs and terrestrial TV from 2 muxes. [#21011703]

1. How can I flash alternative firmware on the Blow 72-070 WiFi socket when the PCB cannot be removed because of the grounded riveted plate?

You can flash it only by using an invasive hardware method. 1. Open the socket until the grounded riveted plate stops PCB removal. 2. Cut the blocking metal part, then desolder the WB2S module so the programmer can access it cleanly. 3. Flash the module outside the socket, solder it back, then protect the area with solder mask and filler. The working example was done on a Blow 72-070 sold for about PLN 30. [#21004173]

2. Why is the Blow 72-070 harder to reflash than the original LSPA9 socket with energy measurement?

The Blow 72-070 is harder because its grounded riveted plate prevents normal PCB extraction. The original LSPA9 let the whole PCB come out of the housing, which made pad access much easier. Here, the author says the Blow design leaves “really no way” to reach the programming pads without destructive work. That makes reflashing slower, riskier, and more mechanical than the earlier LSPA9 approach. [#21004173]

3. What role does the riveted ground plate play in the Blow 72-070, and why does it block access to the programming pads?

The riveted ground plate mechanically holds the rest of the socket together. Because it is fixed through a rivet, it traps the internal PCB and prevents the board from sliding out like it does in easier designs. That blocks direct access to the programming pads, even after partial disassembly. In practice, the plate turns a standard serial flash job into cutting, drilling, or other invasive rework. [#21004173]

4. Which pins and functions should I configure in OpenBeken for the Blow 72-070 with a WB2S BK7231T module and BL0937 power monitor?

Use the extracted mapping: P26 relay, P11 button, P10 LED, P6 WiFi LED, P24 BL0937 SEL, P8 BL0937 VI, and P7 BL0937 ELE/CF. The dump also identifies a 1-channel device on a WB2S board with a BK7231T chip. In the posted OBK template, those pins are assigned as Rel, Btn, LED, WifiLED_n, BL0937SEL, BL0937CF1, and BL0937CF. That mapping is the starting point before calibration. [#21004173]
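
The mapping in this answer, built from the flasher's text description and checked against the programming UART. This is an added example, not code from the thread or from OpenBeken; the `Role;channel` string form of the `pins` object and the UART1 pin numbers (RX1 = P10, TX1 = P11, per the WB2S datasheet) are assumptions that do not appear on the page.

```python
import json
import re

# Constructed sample: the flasher's text description as quoted in the article.
FLASHER_TEXT = """\
- BL0937 SEL on P24
- Button (channel 1) on P11
- LED (channel 1) on P10
- BL0937 VI on P8
- WiFi LED on P6
- BL0937 ELE on P7
- Relay (channel 1) on P26
"""
# Tuya function name -> OpenBeken pin role, as listed in the answer above.
ROLE_MAP = {
    "Relay": "Rel", "Button": "Btn", "LED": "LED", "WiFi LED": "WifiLED_n",
    "BL0937 SEL": "BL0937SEL", "BL0937 VI": "BL0937CF1", "BL0937 ELE": "BL0937CF",
}
# Assumption (WB2S datasheet, not the thread): UART1, the port used for
# flashing, is RX1 = P10 and TX1 = P11.
UART1_PINS = {10: "RX1", 11: "TX1"}
LINE_RE = re.compile(
    r"^-\s*(?P<func>.+?)(?:\s*\(channel (?P<ch>\d+)\))?\s+on P(?P<pin>\d+)$"
)

def parse_flasher_text(text):
    """Return {pin: (role, channel)}; reject unknown functions and pin reuse."""
    pins = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None or m["func"] not in ROLE_MAP:
            raise ValueError(f"cannot map line: {line!r}")
        pin = int(m["pin"])
        if pin in pins:
            raise ValueError(f"P{pin} assigned twice")
        # Functions without a channel (metering, WiFi LED) get channel 0.
        pins[pin] = (ROLE_MAP[m["func"]], int(m["ch"] or 0))
    return pins

def build_template(pins):
    """Template fragment: chip and board from the page, pins as 'Role;channel'."""
    return {"chip": "BK7231T", "board": "WB2S",
            "pins": {str(p): f"{r};{c}" for p, (r, c) in sorted(pins.items())}}

def uart_conflicts(pins):
    """Roles wired to the UART1 programming lines, keyed by UART signal."""
    return {UART1_PINS[p]: pins[p][0] for p in sorted(pins) if p in UART1_PINS}

if __name__ == "__main__":
    parsed = parse_flasher_text(FLASHER_TEXT)
    print(json.dumps(build_template(parsed), indent=2))
    print("on programming UART:", uart_conflicts(parsed))
```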

5. What is BK7231GUIFlashTool, and how is it used to read Tuya configuration from a BK7231T-based socket?

BK7231GUIFlashTool is the flasher used here to detect the device and extract its Tuya configuration. "BK7231GUIFlashTool is a flashing utility that reads and writes BK7231-based modules, exposing Tuya pin mappings and board details from device memory." In this case, it detected a WB2S/BK7231T socket and produced a readable configuration that listed pins such as P24, P11, P10, and P26, plus the Tuya section start address 2023424. [#21004173]

6. Why do I need to desolder the WB2S module in this socket before flashing, and how do the RX/TX lines used by the energy metering circuit affect programming?

You need to desolder the WB2S because the socket’s metering hardware occupies the serial lines needed for programming. The author states the energy measurement system is on RX/TX, so in-circuit flashing is blocked or unreliable. Removing the module isolates it from the BL0937-related circuitry and lets the programmer talk directly to the BK7231T. Without that step, the flasher may not get a clean serial connection. [#21004173]

7. How do I calibrate voltage, current, and power readings after flashing OpenBeken or Tasmota on a BL0937-based smart plug?

Calibrate it manually after flashing by setting current, voltage, and power factors. The thread names the needed commands directly: CurrentSet, VoltageSet, and PowerSet. That means reflashing restores control first, then measurement accuracy later. On this BL0937-based socket, pin mapping alone is not enough if you want correct energy readings in daily use. [#21004173]

8. What is Tuya CloudCutter, and why does it work only on some older Tuya device batches?

Tuya CloudCutter is an OTA method that can reflash some Tuya devices without opening them, but only older batches remain vulnerable. "Tuya CloudCutter is an over-the-air flashing method that replaces firmware through Wi‑Fi, without opening the device, but only when the installed Tuya software still contains the older exploit path." A later reply states newer Tuya software removed that vulnerability, so identical hardware can differ by production batch. [#21013100]

9. Drilling out the rivet vs cutting the metal part in the Blow 72-070 — which approach is safer and easier when modifying the socket?

Drilling out the rivet sounds cleaner, but cutting the metal part was the proven method in this case. The author had already completed two units by cutting and was unsure whether reattaching a drilled-out structure could be soldered solidly without melting the socket center. Other users suggested drilling, then re-riveting or using an M3 screw. So the easier method is the one you can also reassemble safely afterward. [#21004588]

10. How can I restore the mechanical strength and insulation of a smart socket after invasive reflashing, for example with solder mask, epoxy, or an M3 screw?

Restore both strength and insulation before reuse. 1. Cover exposed modified areas with solder mask. 2. Fill or reinforce the opened section with epoxy or another filler. 3. If you drilled the rivet, reattach the structure with a new rivet or an M3 screw. The thread shows solder mask first, then optional epoxy on the reader’s side, and another post suggests the M3 fastener route. [#21004597]

11. Why do people replace Tuya firmware with OpenBeken or Tasmota if the factory app already controls the socket?

They replace it to keep control local, avoid vendor cloud dependence, and integrate devices into one system. The thread lists several motives: privacy, survival after vendor shutdown, Home Assistant or ioBroker integration, browser access by local IP, and feature expansion. One related post says the device list had already reached 500 entries, showing this is a broad ecosystem goal, not a one-off hack. [#21004737]

12. What are the best ways to access a locally controlled smart plug from outside home without using the Tuya cloud, such as Home Assistant remote access or VPN?

Use your own secured remote path, not the vendor cloud. The thread gives two concrete options: expose a properly secured Home Assistant instance through public IP or dynamic DNS, or connect back to the home network through a VPN on the router. The key tradeoff is convenience versus self-management. If you want instant worldwide access with no setup, the author says you should not change the firmware. [#21005209]

13. How does VPN-based access to a home network compare with vendor cloud access for controlling IoT devices remotely?

VPN keeps traffic inside your own network path, while vendor cloud sends control through the manufacturer’s servers. One poster summarized it bluntly: commands should go through the home router, not a remote server room. Another said a supported VPN router can be configured in about 5 minutes and then exposes cameras, alarms, temperature sensors, music, movies, and TV as if you were home. Cloud is simpler; VPN gives you direct control. [#21006493]

14. What causes antivirus software to flag BK7231GUIFlashTool as a trojan, and how can I verify whether it is a false positive from GitHub Actions builds?

The flag is presented here as a false positive, not proof of malware. The recommended check is to verify that the binary is built directly from source through GitHub Actions, using the published workflow run. That matters because a transparent CI build path reduces the chance of a repackaged executable. The thread’s reply points specifically to a GitHub Actions run as the verification method. [#21448674]

15. How was remote streaming of terrestrial and satellite TV achieved through a home VPN and Vu+ Uno 4K SE tuners?

It was done by connecting into the home network through a VPN server on the router and then using two Vu+ Uno 4K SE tuners at home. The user reports full tuner access via web, FTP, or SSH, plus app control on phone or tablet. Streaming worked like IPTV playlists: up to 8 satellite programs from the SAT tuner, while terrestrial TV was limited to channels from 2 muxes because that tuner was twin only. [#21011703]
Generated by the language model.