
[Tutorial] Flashing OpenBK via OTA using tuya-cloudcutter

ferbulous
  • Download the tool here
    https://github.com/tuya-cloudcutter/tuya-cloudcutter

    Before using the script, verify your device's Tuya firmware version using the Tuya/Smart Life app and download the correct firmware for your device chip (T or N). The chip will not boot if the wrong firmware version is flashed to it, and it would then have to be re-flashed with the correct firmware using the serial method.

    Steps:
    1. Start the script (run_flash.sh)
    2. Select the firmware that you have downloaded earlier to the custom-firmware directory.
    3. Select your profile that matches with the tuya-firmware version.
    4. Reset your device to AP mode (if the profile matches, an A-xx prefix will show up after it gets reset the 2nd time).
    5. Reset your device again for the OTA flashing.





    For no. (3), if your device is not supported, you would need to make a dump of your device firmware using bk7231tools and submit a GitHub request for profile creation.
    There's also the Lightleak app, which can obtain a firmware dump wirelessly. I've had some success with a T device but not with N yet.


    Alternatively, you could still generate your own profile using haxomatic with this batch script:

    Spoiler:
    
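    REM Usage: do_magic.bat <dump name without the .bin extension>
    REM Dissect the full flash dump and extract its contents into a directory named %1
    bk7231tools dissect_dump -e -O %1 %1.bin
    pushd %1
    REM Run the profile-building scripts on the decrypted app image and the storage JSON
    ..\haxomatic.py %1_app_1.00_decrypted.bin
    ..\parse_storage.py %1_storage.json
    ..\parse_app.py %1_app_1.00_decrypted.bin
    REM Collect the generated .txt files in an "extracted" subdirectory
    mkdir extracted
    move *.txt extracted\
    popd
    REM Assemble the profile files from the collected data
    assemble_universal.py %1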

    Save as do_magic.bat

    On Windows, rename the full dump .bin to device-manufacturer_device-name.bin and run it like this:
    do_magic.bat device-manufacturer_device-name


    It should generate these files

    [image of the generated files]

    Copy the last two JSON files to a subdirectory in device-profiles.
    Rename them to device.json and profile.json, respectively,
    and execute run_flash.sh <wifi adapter name> <your subdirectory name>

  • #2
    nielspiersma
    Level 6  
    Excellent tutorial. I want to share that it is essential to double-check the real chip on the PCB. Tuya has been shipping out CB2S-labelled PCBs with BK7231Ts.
    So, removing the label and double-checking if you run into flashing issues is imperative.
  • #3
    ferbulous
    Level 16  
    nielspiersma wrote:
    Tuya has been shipping out CB2S-labelled PCBs with BK7231Ts

    Thanks for highlighting that, probably won't notice if I never open the metal case which I rarely do
    I think I'll edit my post to recommend running 'run_detach' script first just to verify which chip the device is running on.
  • #4
    mcheibani
    Level 3  
    Thanks for the great tutorial. The wireless method is very easy and beginner friendly (like myself). It will help a lot of us disconnect from the Tuya cloud.
    I tried it on a couple of devices and it worked with one, but the other one failed to boot after flashing, which is likely caused by flashing the wrong firmware. Is there a way to find out which chip I have (N or T)? I find it a bit confusing. I have for example a MOES dimmer module (105B). In the OpenBeken device list page, it shows that the device has the T version. But in cloudcutter device profiles, if I select manufacturer and profile, it suggests that it's N. I opened up the device and I see Model: CB2S. Is there a way to confirm which chip I have?
  • #5
    nielspiersma
    Level 6  
    We found that Tuya is sending out PCBs with wrong labeling. So the only way to know 100% sure is by finding the chip and reading it.

    The other method is just trial and error. The good thing is that it is almost impossible to flash T on N or vice versa.

    Niels
  • #6
    mcheibani
    Level 3  
    Thanks for the reply. The problem is that I have caused a device not to boot by flashing the wrong firmware. I had a 16A mini switch that I flashed with the N firmware and it didn't boot after the flash process completed. Afterwards I found out that it has a T chip. I now need to flash it with the serial method, for which I don't have the tools.
  • #7
    nielspiersma
    Level 6  
    Okay,

    That is kinda new for me. I was never able to flash a T to N or vice versa.

    Am I correct in assuming you used tuya cloud cutter for the initial flash and then a flash with OTA, resulting in a bricked device?

    AFAIK it is not possible to flash the wrong firmware during cloud cutter...

    Niels
  • #8
    mcheibani
    Level 3  
    nielspiersma wrote:
    Am I correct in assuming you used tuya cloud cutter for the initial flash and then a flash with OTA, resulting in a bricked device?


    I meant that I flashed it the initial time with the wrong firmware using cloudcutter.
    nielspiersma wrote:
    AFAIK it is not possible to flash the wrong firmware during cloud cutter...

    Hmm, the device stopped working right after flashing with cloudcutter. I assumed that it was because of the wrong firmware.
  • #9
    nielspiersma
    Level 6  
    Hmm. That is new for me.

    I initially had a problem with a wrongly labelled N version that was actually a T. It was never possible for me to flash it with the N version until I tried the T version that magically worked.

    So I would recommend trying to boot it again in recovery mode and try flashing it again.

    Getting the device into recovery mode differs from device to device. My best results are: Power on. Wait 2 seconds. Keep the button pressed for 7 to 8 seconds. Release and press again for 6 to 8 seconds. Usually it is then in open access point mode and you should be able to run cloudcutter again.


    Niels
  • #10
    Zain00
    Level 9  
    nielspiersma wrote:
    We found that Tuya is sending out PCBs with wrong labeling. So the only way to know 100% sure is by finding the chip and reading it.

    The other method is just trial and error. The good thing is that it is almost impossible to flash T on N or vice versa.

    Niels


    A few months ago I had an AVATTO bulb that came with a WB2L module.
    Under the metal shield I found a C-chip CC8000 instead of a BK7231T.
    I don't know if it's the same chip under a different name or if Tuya was trying chips other than Beken.

  • #11
    ferbulous
    Level 16  
    @mcheibani

    To avoid this, I would recommend initially using the detach script (just cloudcut from Tuya).
    If the N profile works, then it has to be an N device.
    Same goes for a T device.

    Added after 4 [minutes]:

    @Zain00
    Well, that's something new.
    That's not even a Beken chip. I've bought one before with the exact same chip (CC8000) and I ended up just selling that one.
    The pinout was odd so I wasn't sure if I could just swap it with an ESP.
  • #12
    mcheibani
    Level 3  
    nielspiersma wrote:
    So I would recommend trying to boot it again in recovery mode and try flashing it again.


    Thank you! This helped solve the issue for my old switch, which I thought would need to be reflashed using the serial/soldering method. I tried again to put it in recovery mode and was able to flash it with the correct firmware.

    Added after 1 [minutes]:

    ferbulous wrote:
    @mcheibani

    To avoid this, I would recommend initially using the detach script (just cloudcut from Tuya).
    If the N profile works, then it has to be an N device.
    Same goes for a T device.

    Thank you for the response. I will try that.
  • #14
    Zain00
    Level 9  
    This picture was taken 5 months ago.
    Sadly, I can't find the module
  • #15
    p.kaczmarek2
    Moderator Smart Home
    Yea, same here... I once ordered a BK7231U dev board from AliExpress and also got a CC8000. I am not sure if I tested it more... I must find my module and test.

    https://www.elektroda.pl/rtvforum/find.php?q=CC8000
    https://www.elektroda.com/rtvforum/find.php?q=CC8000