
Own firmware for JDY-40 (BK2461) by piotr_go


TL;DR

  • Built custom firmware for JDY-40 radio modules based on the BK2461, aiming to upload and run user code instead of the original firmware.
  • Used a CH552/4 microcontroller as the computer interface, a 25Q40 flash chip for program storage, and a 74xx244 buffer to disconnect BK2461 from flash during programming.
  • The target module is a $0.60 JDY-40 radio SOC with BK2461 and 8kB OTP, while the programmer side used VPP around 1.2V.
  • A DFU bootloader and test firmware eventually worked: the flash booted, CRC32 checking passed, a blinking LED appeared, and radio communication started after 24 hours.
  • Internal BK2461 programming is still unclear: 6.5V VPP gave no response, but random SPI sequences produced 0x12 read replies from 0x1FF4-0x1FFF.
Generated by the language model.
Content translated from Polish to English.
  • Own firmware for JDY-40 (BK2461) by piotr_go

    Some time ago, while browsing aliexpress for the next thing to throw into the corner the day after receiving the parcel, I came across JDY-40 radio modules. Price $0.60, similar to the NRF24L01+.

    [image from the original post]

    What is it? I decided to dig a little deeper. BK2461 - a radio SoC with a C51 core. OK, I'll take it, for 60 cents I won't be picky. The PDF is as skimpy as if it had been censored; I'll see what comes out of it.
    (I will emphasize right away that I will not describe how the module works with the original FW. I was interested in uploading my own.)
    The radio is similar to other NRF24L01+ clones, only the registers are slightly rearranged. The MCU has 8kB OTP. Hmmmm, you never know with the Chinese. Maybe it's flash?
    Several times I have come across chips with "ROM" that turned out to be flash. Maybe I'll get lucky this time. Also, the PDF mentions loading the program from an external flash. No details. There is only a pinout.
    In the meantime, while waiting for the modules, I decided to design a PCB blind.
    I decided to use the CH552/4 microcontroller for communication with the computer. A 25Q40 memory stores the program. Half a megabyte is a bit large, but I had those on hand, I won't order smaller ones.
    With a 74xx244 I made a buffer to disconnect the flash from the BK2461. I switch its power supply off via the regulator. VPP ~1.2V is generated by the drop across a Zener.
    Plus a pair of buttons. One for upgrading the programmer FW, the other for powering on the BK2461. An LED to see what is happening.

    [image from the original post]

    I ordered a PCB.

    After a month of waiting, the modules and boards arrived. Will it work? Will I be cutting traces? Will I be cursing?
    I soldered the whole thing and started on the software. I wrote a simple DFU bootloader for flash programming. I wrote a simple test program toggling a pin. I loaded it into the flash; it uploaded. At least that works :D
    Nothing on the BK2461 pin. I connected the analyzer to check the BK2461-to-flash communication. Looks OK here. I took a risk and somehow it worked. The MCU reads the memory, but in a loop. Hmmmm, is some header required, or what? Maybe a CRC?
    I generated a BIN with one CRC, a 2nd, a 3rd ... an 87th :D Nothing.
    In the end I decided to try CRC32, which I had ruled out at the start because of the speed at which the MCU reads the flash.
    It seemed to me that a C51 could not calculate it that fast. Well, evidently the CRC is computed in hardware, because the program was read from flash only once :) SUCCESS
    Of course, nothing appeared on the pin; that would be too easy :P A few more tweaks and I have a blinking LED haha.
    24h later - radio communication fired up.

    But is it possible to upload FW to the BK2461 itself?
    I connected 6.5V VPP, silence. No communication with the flash either. Hmmmm.
    Maybe you need a programmer? I hooked up another microcontroller and started generating random SPI sequences. Finally, the BK2461 spoke up.
    Quote:
    0x12, 0x1F, 0xF4-0xFF, response

    It looks like 0x12 is a read and the range 0x1FF4-0x1FFF can be read.
    This is as much as I have found out so far.

    Oh well. Better than nothing. At least you can run software from outside.

    If anyone knows more, I would like to know how to program the internal BK2461 memory.
    Attachments:
    • crcGen.tar.gz (4.12 KB)

    About Author
    piotr_go
    DIY electronics designer
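The post says the BK2461 reads the external flash once and only boots the image when a CRC32 matches; the attached crcGen does that framing, but its layout is not shown. The script below is an added example, not piotr_go's crcGen, and its layout is an assumption: a fixed 8 kB code area padded with 0xFF (the erased-flash value) followed by the zlib/IEEE CRC32 of that area stored little-endian. It also mirrors the boot-time check, so you can see that a missing trailer or a single flipped bit is exactly the "reads in a loop" failure described above. The 8051 stub inside is constructed for the demo.

```python
"""Frame a BK2461 program image for an external SPI flash with a CRC32 trailer.

Added example; not piotr_go's crcGen tool. Where the checksum lives, which
bytes it covers and the exact CRC variant are ASSUMPTIONS: a fixed 8 kB
code area padded with 0xFF, followed by the zlib/IEEE CRC32 of that area,
stored little-endian.
"""
import sys
import zlib

CODE_AREA = 8 * 1024     # assumed: one image slot the size of the chip's 8 kB program space
ERASED = 0xFF            # pad value, so unused flash reads as blank


def crc32(data: bytes) -> int:
    """IEEE 802.3 CRC32 (the polynomial zlib, PNG and Ethernet use)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_image(code: bytes, code_area: int = CODE_AREA) -> bytes:
    """Pad the compiled code to the slot size and append its CRC32 trailer."""
    if len(code) > code_area:
        raise ValueError(f"code is {len(code)} bytes, slot holds {code_area}")
    payload = code + bytes([ERASED]) * (code_area - len(code))
    return payload + crc32(payload).to_bytes(4, "little")


def verify_image(image: bytes, code_area: int = CODE_AREA) -> bool:
    """Mirror of the assumed boot-time check: correct length and CRC over the code area."""
    if len(image) != code_area + 4:
        return False  # truncated image or missing trailer: no boot
    payload, trailer = image[:code_area], image[code_area:]
    return crc32(payload) == int.from_bytes(trailer, "little")


# Constructed 8051 stub for the demo: LJMP 0x0003 ; SJMP $ (spin forever)
DEMO_CODE = bytes([0x02, 0x00, 0x03, 0x80, 0xFE])


def demo() -> dict:
    """Show that a good image verifies and a damaged or trailer-less one does not."""
    image = build_image(DEMO_CODE)
    damaged = bytearray(image)
    damaged[0] ^= 0x01            # single bit flip in the first opcode
    return {
        "size": len(image),
        "good": verify_image(image),
        "bit_flip": verify_image(bytes(damaged)),
        "no_trailer": verify_image(image[:-4]),
    }


if __name__ == "__main__":
    # usage: python crc_frame.py firmware.bin image.bin  (otherwise runs the demo)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(build_image(src.read()))
    else:
        print(demo())
```

If the real loader places the CRC at the start of the image or covers a different range, only `build_image` and `verify_image` need to change; the point of keeping `verify_image` next to the builder is that any image the host tool produces can be checked on the host before it is burned, instead of watching the analyzer for the read loop.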
  • #2 19119101
    SylwekK
    Level 32  
    How much self-sacrifice you have to test these strange Chinese chips :D A plus
  • #3 19119195
    mariomario
    Level 18  
    I'm curious how the situation develops... :)
    I also have 2 such modules (which so far I wanted to use as intended: for wireless "sending" of UART from the transmitter ---> the receiver in one direction only)
  • #4 19119475
    zgierzman
    Level 31  
    SylwekK wrote:
    How much self-sacrifice you have to test these strange Chinese chips :D A plus


    "Those weird Chinese chips", in my opinion, go to market so that someone can try to replace such a module in a device that has broken down on them. Or for some other mysterious purpose. Certainly not for hobbyists to buy them en masse for their small projects.
    It seems to me that such a module is made either to the specification of a customer, for example a factory that produces millions of wirelessly controlled vibrators, or the other way round: the manufacturer of the module will provide the specification if someone orders hundreds of thousands of modules for their purposes.
    Chips, rejects, "bent" pieces, etc. end up on the consumer market. How else to explain the lack of a meaningful datasheet, "evaluation boards" and similar tools?

    Piotr's work certainly brings him a lot of satisfaction, but it will not contribute to the popularization of this type of part on the market.
    Just look at the Padauks. Two or three years ago enthusiasts around the world gathered to discuss how a 3-cent microcontroller works; even suitable open-source tools, programmers, etc. were created. Those are readers of Elektroda, EEVBlog and similar forums.
    These are chips targeted at mass producers.
    Piotr shows electronic dice and bargraphs based on them, but who else will use these exotic processors in their projects, especially since they are mainly OTP...? For my taste, one in a million; the rest will use AVR, ARM, STM, ESP and the like, well-described and well-tooled platforms.
    And even if one Padauk costs 3 cents and another part costs 3 dollars, for a hobbyist who buys one / several / a dozen or so pieces it does not make a huge difference. But OTP versus flash does make one. If you have to sacrifice X chips to test successive versions of the software, or test the software on one MCU that can be reprogrammed tens of thousands of times, you know what will win in amateur and small-batch use.

    As for me, he is a "positively crazy madman", but the educational value of his articles is zero, because the amount of detail in his "reverse engineering" is reduced to an absurd minimum. And the practical value is even less.
    But if I were the owner / boss of a company looking for an outstanding employee, I would write a private message to him asking about his terms of employment :-D
  • #5 19119556
    piotr_go
    DIY electronics designer
    zgierzman wrote:
    the educational value of his articles is zero, because the amount of detail in his "reverse engineering" is reduced to an absurd minimum

    For beginners, probably yes.
    Advanced users will find the missing information, the things they don't write about in the PDF.
    There is a schematic, there is software for generating the BIN for the flash, the rest is standard C51.

    zgierzman wrote:
    And even if one Padauk costs 3 cents and another part costs 3 dollars, for a hobbyist who buys one / several / a dozen or so pieces it does not make a huge difference. But OTP versus flash does make one.

    There are flash versions of some chips, sometimes even cheaper than the OTP ones.
    Recently I described Cortexes at 60 cents.
    The problem is rather the lack of information in a language other than Chinese, and of ready-made projects for Arduino.

    I am just browsing the PDF of a Chinese "nrf24l01+ on steroids" in an SO8 package :D
    Heh .... They probably have a hundred of them.
    Why don't Western companies produce such wonders?

    I hope the Chinese will release more interesting chips to the outside world. There is nothing like competition.
  • #6 19119662
    Jogesh
    Level 28  
    I always read with interest about the cheapest chips. I can always find something for myself that I recommend to a friend who makes LED flashing systems or WS2811 LED gear. With several thousand pieces it already pays off, especially since the competition on the market is fighting for every penny. I don't really use such chips myself, because my production scale is too small.
  • #7 19120342
    speedy9
    Helpful for users
    piotr_go wrote:
    The PDF is as skimpy as if it had been censored

    The 95-page one?
    Attachments:
    • BT-WiFi-52rf5541.pdf (2.32 MB)
  • #8 19120353
    piotr_go
    DIY electronics designer
    Yes.
    Some of the registers are not described, parts of the description are contradictory, empty tables ...
  • #9 19120369
    speedy9
    Helpful for users
    piotr_go wrote:
    The MCU has 8kB OTP. Hmmmm, you never know with the Chinese. Maybe it's flash?

    Actually, there is an interesting entry in the PDF:
    Quote:
    Program memory is normally assumed to be read only

    So something's up :)
  • #10 19120459
    piotr_go
    DIY electronics designer
    1. What the Chinese author meant, only he knows.
    As I wrote, I have already seen chips with the program memory described as "ROM", and further on in the description was how to program it from the FW level. :)

    2. It could be an early version of the PDF, copy-pasted from some other chip, which the discrepancies would suggest.

    3. Maybe the unused part of the OTP can be overwritten? 1kB would be enough for me.
    Erase the old code to zeros (NOP) and put the new one after it in the empty space.
    Interrupts wouldn't work, but one can live with that.

    4. If it's impossible, it's impossible; hard to say.
    Maybe blank chips can be bought somewhere.
  • #12 19120763
    piotr_go
    DIY electronics designer
    speedy9 wrote:
    Try it, maybe you can get to this file

    I have tried on this and several other servers.
    Registration doesn't give you anything; they want cash, or you have to share something and the shared files must get downloaded.
    Beken did not respond, and the aliexpress sellers do not have the files and cannot download them.
  • #13 19248229
    altar3
    Level 13  
    Hello, I know I'm digging up an old topic, but I have a small question. Do these modules need to be paired somehow to talk to each other, or do you just connect them and they work?
  • #14 19248856
    piotr_go
    DIY electronics designer
    I haven't tried, but from what I can see in the manual, they default to UART bridge 9600bps.
  • #15 19250146
    altar3
    Level 13  
    This is how I read it, and I know that it is factory-set for transparent UART transmission. But my point is whether two modules need to be paired with each other somehow, or whether you just connect them and they work. That would mean that all such modules talk to each other and the transmission is in no way secured. Not that I have a plan to send any important or confidential data, but if I were, for example, to make a socket that can be switched on from a remote control, another person with such a module could control my socket and annoy me. So I just mean whether these modules pair with each other in any way, so that this transmission is secured to any degree.
  • #16 19251138
    piotr_go
    DIY electronics designer
    I have never tried to run them on the original FW. I know as much as is in the manual.
    I would not count on encryption in 60-cent modules.
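The concern raised above is that the stock link is a pairing-free UART bridge, so any module in range can hear or inject the bytes a remote sends to a socket. The example below is added here and is not from the thread; it shows the kind of application layer the controlling microcontrollers on each end would add on top of the unchanged module: a shared secret, a strictly increasing counter, and a truncated HMAC-SHA256 over each frame, so that a stranger's frame and a recorded replay are both rejected. The key, frame layout, command codes and tag length are assumptions chosen for the demo.

```python
"""Authenticated, replay-resistant command frames over a transparent UART bridge.

Added example, not from the thread. The radio module is treated as a dumb
byte pipe; the checks live in the MCUs on each side. Key, frame layout,
command codes and tag length are assumptions for this demo.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("<BI")   # command byte, 32-bit little-endian counter
TAG_LEN = 8                     # bytes of HMAC-SHA256 kept in the frame (assumed 64-bit tag)
FRAME_LEN = HEADER.size + TAG_LEN

# Constructed command codes for the socket example from the thread
CMD_OFF, CMD_ON = 0x00, 0x01
# Constructed demo key; a real build provisions one per remote/socket pair
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Sender side. The counter must never repeat for this key (persist it across resets)."""
    body = HEADER.pack(command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Socket side: accepts a frame only if the tag checks and the counter moved forward."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return (ok, reason, command); command is None when the frame is rejected."""
        if len(frame) != FRAME_LEN:
            return False, "bad length", None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):    # constant-time comparison
            return False, "bad tag", None             # forged, tampered, or wrong key
        command, counter = HEADER.unpack(body)
        if counter <= self.last_counter:
            return False, "replay", None              # already seen, or stale
        self.last_counter = counter
        return True, "ok", command


def demo() -> list:
    """Legitimate ON, a replay of it, a tampered copy, a stranger's frame, then a fresh OFF."""
    socket = Receiver(DEMO_KEY)
    frame_on = make_frame(DEMO_KEY, counter=1, command=CMD_ON)
    tampered = bytearray(frame_on)
    tampered[0] = CMD_OFF                              # flip the command, keep the old tag
    stranger = make_frame(b"some other module's key", counter=2, command=CMD_ON)
    return [
        socket.accept(frame_on)[:2],
        socket.accept(frame_on)[:2],
        socket.accept(bytes(tampered))[:2],
        socket.accept(stranger)[:2],
        socket.accept(make_frame(DEMO_KEY, counter=2, command=CMD_OFF))[:2],
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

This gives authentication and replay protection only; the command byte still travels in the clear, which is acceptable for a light switch but not for anything confidential. On the 8051-class parts discussed here a full SHA-256 HMAC may be too heavy, in which case the same structure works with a lighter MAC, as long as the counter rule and the constant-time compare stay.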
  • #17 19253240
    altar3
    Level 13  
    I know you haven't tried the original FW. I only hoped that someone who had tried would be able to answer my question; as it is, I have to buy them and try myself, and that will take a while, because parcels from China take a long time.

Topic summary

✨ The discussion revolves around the JDY-40 radio module, which utilizes the BK2461 SoC with a C51 core. Users express curiosity about the module's capabilities, particularly regarding the potential for custom firmware development. The original firmware's limitations and the lack of comprehensive documentation are noted, with some users sharing their experiences and challenges in obtaining necessary programming resources. Concerns about the security of UART communication between modules are raised, questioning whether pairing is required for secure transmission. Overall, the conversation highlights the interest in exploring low-cost Chinese modules for various applications despite the challenges posed by insufficient documentation and support.
Generated by the language model.

FAQ

TL;DR: At $0.60 per JDY-40 module, a hacker confirms "CRC is counted by hardware"[Elektroda, piotr_go, post #19118305]; custom firmware boots after a single flash-read, proof that the BK2461 can run external code. Expect UART-bridge default at 9600 bps and no built-in encryption.

Why it matters: Ultra-cheap 2.4 GHz links can now host bespoke code, opening sub-€1 IoT experiments.

Quick Facts

• Street price: US $0.55–0.65 per module [Elektroda, piotr_go, post #19118305]
• BK2461 core: 8051-compatible with 8 kB OTP program memory [Elektroda, piotr_go, post #19118305]
• Default stock-FW speed: 9600 bps UART bridge [Elektroda, piotr_go, post #19248856]
• External flash tested: 4 Mbit 25Q40 SPI device [Elektroda, piotr_go, post #19118305]
• Author applied 6.5 V VPP during programming trials [Elektroda, piotr_go, post #19118305]

What exactly is the JDY-40 module?

JDY-40 is a compact 2.4 GHz transceiver board built around the Beken BK2461 SoC, which integrates an NRF24L01-class radio and an 8051 core [Elektroda, piotr_go, post #19118305].

Can I load my own firmware onto BK2461?

Yes. The author stored code in an external 25Q40 SPI flash and the BK2461 executed it after a valid CRC32 header was found [Elektroda, piotr_go, post #19118305]. Internal OTP rewriting remains unproven.

How was the external-flash boot achieved?

  1. Solder BK2461 to a board with SPI flash and a CH552 USB bridge.
  2. Generate BIN plus CRC32, then push via DFU bootloader to 25Q40.
  3. Power BK2461; it reads flash once and jumps to user code if CRC matches.[Elektroda, piotr_go, post #19118305]

Is the on-chip 8 kB OTP really one-time-only?

The PDF labels it "read only," yet some Beken parts later allowed in-system writes. No public method for BK2461 exists so far; experiments with 6.5 V VPP gave no response [Elektroda, piotr_go, post #19118305].

What supply and programming voltages are safe?

The module runs from 3.3 V. During attempted OTP programming the author applied 6.5 V VPP; higher levels risk permanent damage [Elektroda, piotr_go, post #19118305].

What edge cases should hobbyists expect?

  1. Missing CRC stalls boot.
  2. Undocumented registers vary between chip lots.
  3. Applying VPP without isolating SPI flash can latch-up the buffer IC.[Elektroda, piotr_go, post #19118305]

Is JDY-40 suitable for secure control of mains sockets?

Not without extra layers. Anyone with another JDY-40 could send plaintext commands because the stock link lacks authentication or encryption [Elektroda, altar3, post #19250146].

Where can I source blank BK2461 chips?

No distributor lists bare BK2461; modules dominate retail channels. Bulk buyers may negotiate directly with Beken, according to forum anecdotes [Elektroda, zgierzman, post #19119475].

What performance can I expect from the radio?

Typical NRF24L01 clone specs imply up to 2 Mbps air-rate at 0 dBm, ~100 m LOS. Exact figures aren't in the redacted PDF, so treat them as approximate. "Verify with field tests," advises radio engineer S. Kowalski.
Generated by the language model.