logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

OpenBeken HTTP WiFi Setup: Connect to Router & Disable AP Mode via REST Commands

Ask a question on the Forum

User question

How to use HTTP to configure OpenBK to connect to a WiFi network AND shut down AP mode

Artificial Intelligence Response

Direct answer to the question

• Send one Backlog HTTP request to the device’s configuration endpoint containing these commands, URL-encoded and separated with semicolons:
Wifi_SSID <SSID>; Wifi_Pass <PASSWORD>; Wifi_EnableSta 1; Wifi_EnableAp 0; Save; Restart
• Point your browser or automation tool (e.g. cURL) to
http://192.168.4.1/cm?cmnd=<URL-ENCODED_BACKLOG> ‑– or, for legacy builds, /cfg?cmd=.
• After the reboot the OpenBK device joins the specified Wi-Fi network (STA mode) and the built-in Access-Point is turned off.

Key points
– Use the /cm?cmnd= (Tasmota-style) endpoint on current firmware, /cfg?cmd= on size-optimised/old builds.
– URL-encode every non-alphanumeric character (space → %20, “;” → %3B, “@” → %40, etc.).
– A single Backlog line guarantees atomic execution and prevents a half-configured, unreachable device.

Detailed problem analysis

  1. Device start-up behaviour
    • First boot / after reset: OpenBK exposes an AP (SSID like OpenBK7231T_F4C8B6) on 192.168.4.1/24.
    • Goal: Move from AP (Soft-AP) to STA (client) mode, then disable Soft-AP to avoid unneeded RF traffic and security exposure.

  2. OpenBK HTTP control interface
    a) Endpoints
    – New builds (2022 – now): /cm?cmnd= (mirrors Tasmota syntax).
    – “CFG” builds (<2022 or size-optimised): /cfg?cmd=.
    b) Command grammar (subset)
    Wifi_SSID  – store SSID
    Wifi_Pass  – store PSK / password
    Wifi_EnableSta 1|0 – enable/disable station mode
    Wifi_EnableAp 1|0 – enable/disable Soft-AP
    Save       – commit to flash
    Restart     – warm-reboot MCU
    Backlog c1; c2; … – queue commands in one transaction

  3. Constructing the request

    Example with SSID = My Net and Password = P@ssw0rd!
    Raw backlog: 

    Backlog Wifi_SSID My Net; Wifi_Pass P@ssw0rd!; Wifi_EnableSta 1; Wifi_EnableAp 0; Save; Restart

    URL-encoded backlog (spaces → %20, “;” → %3B, “@” → %40, “!” → %21): 

    Backlog%20Wifi_SSID%20My%20Net%3B%20Wifi_Pass%20P%40ssw0rd%21%3B%20Wifi_EnableSta%201%3B%20Wifi_EnableAp%200%3B%20Save%3B%20Restart

    Final URL (current firmware): 

    http://192.168.4.1/cm?cmnd=Backlog%20Wifi_SSID%20My%20Net%3B%20Wifi_Pass%20P%40ssw0rd%21%3B%20Wifi_EnableSta%201%3B%20Wifi_EnableAp%200%3B%20Save%3B%20Restart

    After pressing Enter the browser shows a JSON reply, then the socket drops because the ESP/Beken reboots.

  4. Timing & fallback
    • Boot-up sequence:
    – STA connects to router (typically <4 s).
    – If connection succeeds, AP stops immediately (or after WiFiAPStaTimeout seconds – default ≈ 60).
    – If connection fails, AP re-enables so you are not locked out.
    • You can shorten the fallback with WiFiAPStaTimeout 5 in the same backlog if desired.

  5. Automation with cURL 

    DEVICE_IP=192.168.4.1
curl -G --data-urlencode \
"cmnd=Backlog Wifi_SSID My_Net; Wifi_Pass P@ssw0rd!; Wifi_EnableSta 1; Wifi_EnableAp 0; Save; Restart" \
"http://${DEVICE_IP}/cm"

    --data-urlencode handles special characters for you.

Current information and trends

• Since mid-2023 OpenBK adds mDNS (openbk.local) making discovery easier after STA join.
• New commits (Q2-2024) introduce Wifi_EnableAp 2 (AP only for N seconds) – may supersede manual timeout tweaks.
• OTA SSL endpoint under test; HTTPS control may soon be available (currently HTTP only).

Supporting explanations and details

• Why Backlog? Minimises race conditions: Wi-Fi credentials are saved before AP is disabled, then a controlled reboot starts STA quickly.
• Security: Turning off AP removes an open or weakly-secured SSID, shrinking attack surface.

Ethical and legal aspects

• Ensure you have permission to join the target Wi-Fi (corporate or neighbour networks may forbid unregistered IoT nodes).
• Open APs may leak personal data; disabling them is good cybersecurity hygiene.
• Comply with local RF regulations; some regions restrict channel/power – OpenBK honours country code only when compiled with such support.

Practical guidelines

• Always test credentials on another device first to avoid typos.
• Keep the device powered on near the router for strong RSSI during first connection.
• After reboot, look up the MAC (printed on JSON boot log or label) in your router’s DHCP list.
• For fleets, script discovery with arp-scan or use mDNS (.local) names.

Potential challenges & remedies
– Wrong country settings ⇒ set WiFi_TxPower or channel to match router.
– Hidden SSID ⇒ OpenBK 1.18+ supports them but needs Wifi_ScanHidden 1.
– WPA3-only router ⇒ force WPA2 mixed mode; Beken SoC does not speak WPA3 yet.

Possible disclaimers or additional notes

• A firmware crash during Save could brick the configuration (rare). Keep GPIO0 broken-out for serial recovery.
• Legacy /cfg?cmd= builds lack some commands (e.g., Wifi_EnableAp). Upgrade when possible.

Suggestions for further research

• Explore MQTT / HTTP REST integration after the device is on your LAN.
• Evaluate mTLS patches for encrypted command channel.
• Monitor GitHub repo openshwprojects/OpenBK7231T_App for new Wi-Fi stack (BK7236 port).

Brief summary

Send a single URL-encoded Backlog request – via /cm?cmnd= or /cfg?cmd= – that: sets SSID and password, enables STA, disables AP, saves, and restarts. After reboot the device associates with your router, the temporary Access-Point vanishes, and you can reach the web UI on the new DHCP address. This one-shot method is safe, script-friendly, and aligns with current OpenBK firmware capabilities.

User question

Does openBeken support WPA3?

Artificial Intelligence Response

Direct answer to the question

  • Short answer: No—on the hardware and builds OpenBeken is commonly used with (BK7231T/N/S/U and BK7238), WPA3 is not supported; these devices connect only to WPA/WPA2‑PSK networks. (bekencorp.com)
  • Key points:
    • Beken BK7231 family’s own datasheet lists WPA/WPA2 (plus WAPI), not WPA3. (bekencorp.com)
    • OpenBeken maintainers and troubleshooting guides advise using WPA2‑PSK (AES) and note that WPA3 (or 802.1X) will fail. (elektroda.com)
    • Newer Beken Wi‑Fi 6 chips (BK7235/BK7236) advertise WPA3‑Personal at the silicon/SDK level, but OpenBeken’s public releases and docs do not (as of Dec 21, 2025) indicate working WPA3 support in OpenBeken builds. Expect WPA2 unless explicitly stated otherwise in a specific experimental port. (bekencorp.com)

Detailed problem analysis

  • What actually limits WPA3 today
    • BK7231(T/N/S/U) SoCs that dominate Tuya‑class IoT devices implement WPA/WPA2; vendor product pages make no claim of WPA3. Therefore client‑side WPA3‑SAE association is unavailable to OpenBeken on these parts. (bekencorp.com)
    • Community guidance from OpenBeken forums repeatedly instructs users to configure APs for WPA2‑PSK (AES) and warns that WPA3 and enterprise (802.1X) won’t work on BK7231—connections either fail or “fail silently.” (elektroda.com)
  • New silicon vs current firmware reality
    • Beken BK7235 and BK7236 (Wi‑Fi 6, 2.4 GHz) list WPA3‑Personal in their feature sets, showing the hardware/SDK can do WPA3. However, OpenBeken’s release notes and README focus on BK7231 variants and several other platforms; there is no release note announcing WPA3 client support. In engineering terms, that means even if the radio can do WPA3, the firmware that OpenBeken ships and the SDK integration path for WPA3 are not publicly delivered today. (bekencorp.com)
  • Why some posts claim “OpenBeken supports WPA3”
    • A few third‑party forum comments assert WPA3 works on “Beken with OpenBeken,” but they don’t reference upstream docs or releases. Given Beken’s own BK7231 spec (WPA/WPA2 only) and the OpenBeken troubleshooting guidance, those claims are not reliable for BK7231‑based devices. Treat them as anecdotal and likely referring to other platforms (e.g., ESP32 firmware lines) or future hardware. (bekencorp.com)
  • Practical implication
    • If your AP is set to WPA3‑only, OpenBeken on BK7231 will not associate. In WPA2/WPA3 “transition” (mixed) mode, association will still fail if the AP requires WPA3 or PMF=Required; you must allow WPA2‑PSK. (elektroda.com)

Current information and trends

  • Silicon trend: Newer low‑power 2.4‑GHz Wi‑Fi 6 IoT SoCs (e.g., BK7235/BK7236) advertise WPA3‑Personal, so hardware capability is arriving on next‑gen parts. (bekencorp.com)
  • Firmware status: OpenBeken public releases up to 1.18.224 do not announce WPA3 client support; released targets remain BK7231 variants (and others) where WPA2 is the expectation. Track releases for change. (github.com)
  • Market experience: Many IoT clients struggle with WPA3‑only or WPA2/WPA3 mixed networks; fallbacks and PMF settings matter, especially for 2.4‑GHz IoT. This is broadly reported across vendor ecosystems. (reddit.com)

Supporting explanations and details

  • WPA3‑Personal uses SAE (Simultaneous Authentication of Equals), which is different from WPA2‑PSK. If the client stack (radio firmware + supplicant) lacks SAE, association fails early—typically with no helpful error on the IoT device UI. That’s the observed “silent fail” on BK7231 when the AP requires WPA3. (elektroda.com)
  • Protected Management Frames (PMF): WPA3 requires PMF=Required. Many legacy IoT stacks only interoperate when PMF=Optional or Disabled. If your controller forces PMF=Required in mixed mode, BK7231 clients will not connect. (elektroda.com)

Ethical and legal aspects

  • Don’t weaken security across your whole WLAN for legacy IoT. Prefer a segmented 2.4‑GHz SSID/VLAN with WPA2‑PSK for constrained devices, keeping your primary SSID on WPA3 if your client base allows it. This balances security and operability while respecting regulatory limits and good practice. (elektroda.com)

Practical guidelines

  • If you must support OpenBeken devices today:
    • Set the IoT SSID to WPA2‑PSK (AES/CCMP). Avoid WPA3‑only and avoid mixed mode if your controller enforces PMF=Required. Set PMF to Optional if available. (elektroda.com)
    • Keep 2.4‑GHz channel width at 20 MHz; disable band‑steering to 5/6 GHz; avoid mesh “optimization” features during troubleshooting. (elektroda.com)
    • If you want WPA3 on other clients, create two SSIDs: WPA3 (or mixed) on 5 GHz/6 GHz for modern devices and a separate 2.4‑GHz WPA2‑PSK SSID for IoT.
  • If WPA3 is mandatory in your environment:
    • Use hardware known to implement WPA3 in both silicon and firmware (for example, ESP32 family under ESP‑IDF), or deploy devices based on Beken’s Wi‑Fi 6 parts when and if OpenBeken announces WPA3 support for them. Until such a release exists, plan for WPA2 with segmentation. (docs.espressif.com)

Possible disclaimers or additional notes

  • Absence‑of‑evidence note: As of December 21, 2025, OpenBeken’s public README/releases do not claim WPA3 support; if you see anecdotal reports, verify the exact chip and firmware branch. Future commits could change this. (github.com)
  • Hardware variance: Some Tuya modules label variants similarly while using different chipsets; always identify the actual SoC (e.g., BK7231 vs BK7235/BK7236).

Suggestions for further research

  • Monitor OpenBeken releases and issues for explicit “WPA3/SAE” notes, and watch Beken SDK updates for BK7235/7236. (github.com)
  • Check the Beken product pages (BK7235/BK7236) to determine when WPA3‑capable modules become common in your supply chain. (bekencorp.com)

Brief summary

  • Today, OpenBeken on the widely used BK7231 family does not support WPA3; configure your AP for WPA2‑PSK (AES) or provide an IoT‑only WPA2 SSID. Although Beken’s newer Wi‑Fi 6 chips list WPA3‑Personal, OpenBeken has not announced WPA3 client support in its public releases; track future releases if you need WPA3 in OpenBeken. (bekencorp.com)

Ask additional question

Wait...(2min)
Disclaimer: The responses provided by artificial intelligence (language model) may be inaccurate and misleading. Elektroda is not responsible for the accuracy, reliability, or completeness of the presented information. All responses should be verified by the user.
Report illegal content (Article 16 DSA)