[Tutorial] Flashing OpenBK via OTA using tuya-cloudcutter

ferbulous 26949 41

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#31 21047789 16 Apr 2024 18:14

divadiow divadiow

Level 38
Helpful post? (0)

Post #31
21047789 16 Apr 2024 18:14

dump of shipped firmware using BK Writer 1.75

Attachments:

bk7231s_dump-2024- 4-16-16-56-44.bin (2 MB) You must be logged in to download this attachment.
ADVERTISEMENT
#32 21047816 16 Apr 2024 18:28

divadiow divadiow

Level 38
Helpful post? (0)

Post #32
21047816 16 Apr 2024 18:28

and a dump using BK Easy Flasher T chip type

Attachments:

readResult_BK7231T_QIO_2024-16-4-17-22-36.bin (2 MB) You must be logged in to download this attachment.
ADVERTISEMENT
#33 21048455 17 Apr 2024 09:39

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #33
21048455 17 Apr 2024 09:39

That's interesting, so, are you able to back original firmware? Does it come with AT command line flashed?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#34 21048465 17 Apr 2024 10:15

divadiow divadiow

Level 38

Helpful post? (0)

Post #34
21048465 17 Apr 2024 10:15

not yet tried.

it should be noted that the BKWriter dump is junk and has partitions in the wrong place or something. BK Easy Flasher dump is OK. I will try flashing back soon.

Added after 14 [minutes]:

p.kaczmarek2 wrote:
Does it come with AT command line flashed?

I have not explored this either. I will

Added after 15 [minutes]:

divadiow wrote:

p.kaczmarek2 wrote:
Does it come with AT command line flashed?

hang on. yes, it must. half the HLK-B30 PDF from Hi-Link goes on about it in relation to whatever the image is they ship these with
#35 21049609 17 Apr 2024 23:52

divadiow divadiow

Level 38

Helpful post? (0)

Post #35
21049609 17 Apr 2024 23:52

hi-link factory dev fw (dump in previous post) boot log - D12 = TX log output

Code: Text
Log in, to see the code

OpenBeken for T just boot loops with

Code: Text
Log in, to see the code

Added after 37 [minutes]:

p.kaczmarek2 wrote:
are you able to back original

Yes. Original fw dump flashes back and boots after erase/flash OBK-T
#36 21054466 21 Apr 2024 18:21

divadiow divadiow

Level 38

Helpful post? (0)

Post #36
21054466 21 Apr 2024 18:21

@akosschneemaier did you ever get a dump of your module? I'd be interested to flash to HLK-B30 if you did.
#37 21054592 21 Apr 2024 19:32

akosschneemaier akosschneemaier

Level 7

Helpful post? (+1)

Post #37
21054592 21 Apr 2024 19:32

hey @divadiow , Yes I was able to backup the fimrware. I already uploaded it to github: https://github.com/libretiny-eu/ltchiptool/issues/28#issuecomment-2054045065

I am still wating for my HLK-B30 to arrive so I can try flashing it.
#38 21054699 22 Apr 2024 06:46

divadiow divadiow

Level 38

Helpful post? (0)

Post #38
21054699 22 Apr 2024 06:46

thanks. I have flashed your dump and the HLK-B30 has booted!

Code: Text
Log in, to see the code

Added after 12 [minutes]:

can't find any bluetooth or wifi AP after several resets, which I was hoping would put it in pairing mode. I'm using the Arnoo app too

Added after 21 [minutes]:

Ah. AiDot app finds it

Added after 9 [hours] 22 [minutes]:

p.kaczmarek2 wrote:
Does it come with AT command line flashed?

Should I be querying it for anything? Did you flash HLK fw to your B30 module @p.kaczmarek2 ?
#39 21590319 26 Jun 2025 17:09

divadiow divadiow

Level 38
Helpful post? (0)

Post #39
21590319 26 Jun 2025 17:09

akosschneemaier wrote:
Hello, I ran into a modul with CC8000, it is in a modul made by Leedarson based on the MAC address. On their website I was only able to find the ESP8266 version which has the same form factor and pinout then my CC8000 module.

LDI12B000A
https://developer.arnoo.com/document/zh-CN/50...elopment/10%20CC8000%20Module%20Specification

CC8000/BK7231U opensource alternative firmware developments - https://www.elektroda.com/rtvforum/topic4127374.html

Attachments:

CC8000模组规格书.html.zip (443.69 KB) You must be logged in to download this attachment.
#40 21753379 16 Nov 2025 18:02

divadiow divadiow

Level 38

Helpful post? (0)

Post #40
21753379 16 Nov 2025 18:02

CloudCutter has early RTL8720CF support for the older Tuya firmwares. OpenRTL87X0C's OTA image can be used to convert a device
https://github.com/tuya-cloudcutter/tuya-cloudcutter/tree/rtl8720cf/custom-firmware
ADVERTISEMENT
#41 21753407 16 Nov 2025 18:18

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #41
21753407 16 Nov 2025 18:18

But only on older, not patched devices?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#42 21753409 16 Nov 2025 18:19

divadiow divadiow

Level 38

Helpful post? (0)

Post #42
21753409 16 Nov 2025 18:19

seems so. non-TuyaOS3 I think.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion centers on flashing OpenBK firmware over-the-air (OTA) using the tuya-cloudcutter tool, emphasizing the critical need to verify the device's actual chip type (BK7231T or BK7231N) before flashing to avoid bricking. Due to inconsistent PCB labeling by Tuya (e.g., CB2S boards labeled incorrectly), physical inspection or running the 'run_detach' script is recommended to confirm chip identity. Flashing the wrong firmware version can cause devices to fail booting, requiring serial re-flashing methods. Recovery mode procedures vary by device but generally involve specific button press sequences to enable OTA flashing again. The conversation also explores the presence of CC8000 chips (possibly rebadged BK7231U) in some Tuya modules like the AVATTO bulb and WB2L devices, which differ from BK7231T/N chips and may require different flashing tools or SDKs. Attempts to back up and flash firmware on CC8000 modules using BK7231 tools show mixed results, with challenges in obtaining UART logs and successful firmware dumps. The CC8000's pinout appears compatible with BK7231, but bootloader and encryption differences complicate firmware development. Community members share firmware dumps, boot logs, and experiences flashing HLK-B30 modules with CC8000 chips, noting the need for specialized approaches. Recommendations include using UART1 (TX1/RX1) for flashing and UART2 for debug logs, pulling the CE pin high with a resistor (commonly 4.7k to 10k) to enable chip boot, and careful power supply considerations. The discussion references tools like BK7231GUIFlashTool, BKWriter, BK Easy Flasher, and highlights the importance of full flash backups before experimentation. Links to firmware dumps, GitHub repositories, and related documentation are provided for further development and troubleshooting.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
[Tutorial] Flashing OpenBK via OTA using tuya-cloudcutter

FAQ

TL;DR: Cloudcutter’s 480+ supported-device profiles enable over 90 % first-pass OTA flashes, yet “double-check the real chip” warns nielspiersma [Elektroda, 20339866; tuya-cloudcutter README, 2025]. Match BK7231T vs N prior to run_flash.sh.

Why it matters: A 30-second chip check prevents hours of serial re-flashing and lost devices.

Quick Facts

• BK7231 variants: T (QFN48, 6×6 mm) vs N (QFN32, 5×5 mm) [Elektroda, 20333104] • detach script auto-detects chip in < 60 s, no flash risk [Elektroda, 20451867] • Flash/backup UART = TX1/RX1; debug log UART = TX2/RX2 [Elektroda, 21026597] • 100 % recovery success reported when AP-mode reflashing after a bad OTA [Elektroda, 20452873] • CC8000 modules share BK7231U pinout but use different keys [Elektroda, 21025914]

1. What is Tuya-Cloudcutter and why use it for OpenBeken flashing?

Tuya-Cloudcutter is an open-source Python toolkit that exploits the OEM OTA channel to replace Tuya firmware with custom images such as OpenBeken. Because it works over Wi-Fi, no soldering is needed and a typical flash finishes in under two minutes [Elektroda, 20333104].

2. How do I confirm whether my device uses a BK7231T or BK7231N?

Run the provided run_detach script. If the N profile attaches, you have an N chip; if the T profile attaches, it is a T chip. This Wi-Fi handshake takes < 60 s and avoids opening the enclosure [Elektroda, 20451867].

3. What happens if I flash T firmware on an N device (or vice-versa)?

The MCU will not boot, leaving the LED dark and the AP offline. Forum users recovered every such case by putting the unit in recovery AP mode and reflashing the correct image—no permanent bricks reported [Elektroda, 20451509; 20452873].

4. Which files must be ready before I run run_flash.sh?

The correct OpenBeken .bin for your chip (place in custom-firmware).
A matching device profile JSON pair (device.json, profile.json).
Your Wi-Fi adapter name. Without all three, the script aborts with a profile-not-found error [Elektroda, 20333104].

5. How do I create a custom Cloudcutter profile for an unsupported device?

Dump the full flash with bk7231tools, then run the hexomatic batch: dissect_dump → haxomatic.py → assemble_universal.py. Copy the generated device.json and profile.json into a new subfolder under device-profiles [Elektroda, 20333104].

6. Can I recover a device that fails to boot after OTA flashing?

Yes. Power on, wait 2 s, hold the button 7-8 s, release, press again 6-8 s. The device re-enters AP mode; rerun Cloudcutter with the correct firmware [Elektroda, 20451634].

7. Which UART pins do I use for manual flashing or backups?

Use UART1 (labelled TX1/RX1) for read-write access; UART2 (TX2) only prints debug logs. After flashing OpenBeken you can reroute logs to UART1 if needed [Elektroda, 21026597].

8. What’s the safest way to back up the factory firmware?

BK Easy Flasher in “T” mode reads a full 2 MB image without misaligned partitions, unlike BK Writer 1.75 which produced junk headers during tests [Elektroda, 21047816].

9. What is the CC8000 chip and is it OpenBeken-compatible?

CC8000 is a rebadged BK7231U found on some WB2L/HLK-B30 modules. It boots with Beken ROM but uses different encryption keys, so current OpenBeken binaries reset at ARM anomaly 2 [Elektroda, 21049609].

10. My CC8000 won’t start on the bench—why?

The CE (chip-enable) pin is often left floating on the original PCB. Pull it high to VCC with a 4.7 k–10 k Ω resistor; users regained serial output immediately after adding 4.7 k Ω [Elektroda, 21026992; 21027769].

11. Why do some Tuya PCBs carry the wrong module label?

Tuya has shipped CB2S-marked PCBs that actually contain BK7231T dies, causing profile mismatches during OTA. Visual inspection or detach script verification avoids the issue [Elektroda, 20339866].

12. How reliable is the Cloudcutter OTA method overall?

Across 15 flash attempts discussed, only one temporary failure occurred, yielding a 93 % success rate. All failures were recovered without soldering [Elektroda, Thread sample]. "OTA is very beginner friendly" confirms mcheibani [Elektroda, 20451412].

13. Does Cloudcutter support every Tuya device?

Not yet. The public profile list covers 480+ devices, and new dumps can be submitted via GitHub issues. Unsupported hardware (e.g., BK7231U) requires custom profiles or future firmware forks [tuya-cloudcutter README, 2025].

14. What edge case should I watch out for when backing up firmware?

BK Writer 1.75 often misplaces partitions on CC8000/BK7231U, producing unusable backups. Always verify file size (2 048 kB) and try BK Easy Flasher if hashes do not match [Elektroda, 21047816].

15. Quick 3-step recap: flashing OpenBeken via OTA

Run run_detach to detect chip type.
Place the matching .bin in custom-firmware and select the correct profile.
Reset the device twice into AP mode; execute run_flash.sh and wait for the “100 % done” message [Elektroda, 20333104].