[BK7231N / CB3S] HiDANCE AT2P - "HD Color Screen" DIN-rail relay/energy meter

Teardown of this energy meter from AliExpress.



This looks like a very nice and full featured circuit breaker/energy meter called "HiDANCE".
The build quality is excellent, and the screen looks very nice, and it has a complete set of features.




Opening the device is simple, just 2 screws, except these are torx T10 screws... just for something different!
I also had to cut the sticker on the side with a blade.



Construction is very nice. The daughter board is conveniently connected with some pins, power electronics are arranged nicely, and this device even has a little beeper speaker thing to make audible alert noises!




The logic board is interesting. It seems to be using TuyaMCU, except it's using an extremely small SMD chip in a square package, connecting to the CB3S by UART as usual.
There appears to be some unpopulated components; a rather large 8-pin chip is missing, and very strangely, there is a second wifi antenna printed on the daughter board beside the main antenna for the wifi module.



I couldn't see the LCD driver chip, I think it's stuck under the display, but that's kinda glued down with some adhesive foam, and I didn't want to destroy it.

Now the bad news...

Trying to flash this device looks very challenging... the TX/RX tracks disappear under the wifi module, and lead directly to the tiny microcontroller. In order to flash this, the TX/RX lines will need to be cut somewhere... but where?
The microcontroller is MUCH too small to attack with a soldering iron, and removing the wifi module completely is very difficult with a soldering iron; much easier with a hot air station!

Sadly, it gets worse.

I turned it on to try and capture the MCU comms. As with other power metering devices, they always seem to detect that the mains power is disconnected, and the software just says "OFF" or something to that effect and there is no interesting comms.
I figured I'd have to capture the comms while on mains power.
To do this, I broke out TX/RX and connected the RX pin on the wifi module to the RX pin on my USB UART module to snoop comms from the Tuya->wifi... the instant I connected the wire, *POP*, the wifi module is very dead, there is now a short circuit from 3.3V to GND across the wifi module.
It also destroyed my USB TTL device, and the USB bus in my monitor! >_<
Thankfully it didn't destroy the USB bus in my PC which the monitor was connected to.

So, that sucks! I guess there was a huge voltage difference between the UART pins of the 2 devices. I've sniffed several devices this way before, normally works. I'm not sure how the voltages could be so hugely different between the 2 devices?

It raises an important question... what is the proper way to do this? I've never really liked snooping comms from devices while connected to mains, but I couldn't think of another way. How can I connect a device to mains and snoop the UART bus safely without blowing anything else up?

I'm tempted to buy another one of these and try again because I really like the device... but it seems like a particularly tricky device to modify, and probably not one to recommend to people who are not experts.

Since many TuyaMCU devices make it particularly difficult to flash, I'd suggest that maybe it should be considered a recommended approach to flash these devices using SPI instead of RS232? I successfully flashed another device using SPI, although it was difficult because the process is not clearly documented. It works, so maybe it should be promoted and the process improved? It feels bad to recommend people cut traces, or remove small SMD components when most people have very little soldering experience. It's not a good look for the ecosystem.
Breaking out the SPI pins is much simpler and less error-prone, it should be recommended in these cases so users are less likely to destroy their equipment.

TurkeyMan wrote:

Teardown of this energy meter from AliExpress.

Since many TuyaMCU devices make it particularly difficult to flash, I'd suggest that maybe it should be considered a recommended approach to flash these devices using SPI instead of RS232? I successfully flashed another device using SPI, although it was difficult because the process is not clearly documented. It works, so maybe it should be promoted and the process improved? It feels bad to recommend people cut traces, or remove small SMD components when most people have very little soldering experience. It's not a good look for the ecosystem.
Breaking out the SPI pins is much simpler and less error-prone, it should be recommended in these cases so users are less likely to destroy their equipment.

This looks very similar to the ATORCH at4p series I documented here https://www.elektroda.com/rtvforum/topic3941692.html
In order to capture tx/rx on any main connected device I always use an opto isolator as it's more about the voltage potential between devices.
More often though I just power the device from my programming rig as mains scares me even though I have it isolated via an isolation transformer.

With mine I had to remove the wifi board in order to program the first 3 devices I got, with the next batch of 3 I just received I want to see if I can program it while holding the ch573 in reset (on mine there are 3 headers, 1 to the tuyamcu, 1 to the unpopulated 8 pin btle chip, 1 goes to lower 4 pins of wifi but are not programming pins)
on the tuyamcu header there is spio/spiclk/reset/gnd/3.3v/5v for the ch573 chip with tuyamcu code
the 8 pin unpopulated ic is for BPOX226 http://zh-jieli.com which is a ble uart/spi chip.

what's also to note is the ch573 has btle as well as the c3bs module and you find a lot of units without bt support, lol
I am hoping to add cloudcutter support for the devices I have.

darkspr1te

Yeah, looks like a little brother to that one you have. So it's BLE that's not populated... but I thought bluetooth could share an antenna with 2.4g wifi?

Yeah, I have been thinking I should get an opto isolator... can you recommend one I should use?
I guess I need a device with approximately 6 pins: VCC-A, GND-A, SIGNAL-A (IN), VCC-B, GND-B, SIGNAL-B (OUT)... for 3.3V. Is that a thing?

Does cloudcutter work with these chips? I have this other device which is riveted shut, you basically have to destroy it to flash it... so it really needs a soft-mod strategy to make it a viable device.

TurkeyMan wrote:

Yeah, looks like a little brother to that one you have. So it's BLE that's not populated... but I thought bluetooth could share an antenna with 2.4g wifi?

Yeah, I have been thinking I should get an opto isolator... can you recommend one I should use?
I guess I need a device with approximately 6 pins: VCC-A, GND-A, SIGNAL-A (IN), VCC-B, GND-B, SIGNAL-B (OUT)... for 3.3V. Is that a thing?

Does cloudcutter work with these chips? I have this other device which is riveted shut, you basically have to destroy it to flash it... so it really needs a soft-mod strategy to make it a viable device.

waveshare sells a galvanic isolated unit
https://www.waveshare.com/product/iot-communication/wired-comm-converter/usb-to-rs232-uart-fifo/usb-to-rs232-485-ttl-kl.htm

don't confuse this one with the non-isolated model which looks identical but does not have isolation.
another trick is to get one of those wall shaver outlets that you fit in bathrooms, they can't supply a lot of current but they can isolate from mains avoiding power loops.
also you should check with a multimeter the voltages between devices to be sure (eg gnd to gnd with dmm)

I have not yet got cloudcutter to work on any device I have, could be many reasons so am still working on that.


darkspr1te

Oh yeah... I guess it could be handy to have a device like that. Maybe I could invest in one.
Honestly, I was thinking of something that looks a little more like this:



I did put my meter on gnd to gnd on another device I'm working on now. It measured -0.07V, which seems reasonable. I can't imagine why the device in this thread had such a huge ground imbalance that it blew up my devices and my monitor's USB bus... :/

Added after 31 [minutes]:

I can't find that exact device online. It seems the ad you showed me is confused...
I can see 2 versions, one with "original CH343G Converter", and one with "FT232RL".
The difference I can see between the 2 devices is that the CH343G version has VCC and GND terminals on the TTL, but the FT232RL version only has GND on the TTL terminal, it doesn't receive VCC (so, how does it actually work?).
Now the confusing part is, the link you just showed me claims "Adopt original FT232RL inside", saying "original" and "FT232RL" together, which I didn't see anywhere else. And then it shows a picture of a device with the VCC terminal, and everywhere else I look that is the CH343G version. So... I'm confused. And I have no idea if this matters? Are they both equivalent? Why does one have a VCC port and the other not?

Cloudcut needs a flash dump first (full 2MB) that's why it's useful to do a backup.

The new GUI flash BK7231 T and N tool does backup automatically.
Please bookmark this tab, bkWriter 1.60 is no longer recommended!:
https://github.com/openshwprojects/BK7231GUIFlashTool

Another way to safety capture data would be to just connect another BK7231 module with UART and power that BK7231 from the same power supply that your IoT device has - so there is no external connection anywhere. Then, I think, OBK should be able to print received packets, but I might need to first add a better flag for that, something like a generic UART driver, etc.... or even support doing UART capture to LittleFS?

Just tell me if it's needed, I can prepare it for you per request. You are doing great input for our community @TurkeyMan , keep it on, let's support all those devices!

For those wondering how to flash this device to OpenBeken, I figured out a way to disable the main MCU, and after that can flash CB3S without a problem.
I've shorted two pads near crystal with a blob of solder, and this prevents CH573F from booting, and it no longer interferes with CB3S.


Config similar to AT4P device, but it reports Power as div100, unfortunately, OpenBK doesn't have this option.

I can add it, you mean Power_div100?

Yep, it would be very useful.

I have added Power_div100 but I am unable to test it. Can you update, test and let me know if it works?

I'll check it soon.
But maybe worth mentioning, that I implemented a dirty hack and just changed div10 for my purpose, and for the correct working in home assistant it needs to adjust here too https://github.com/openshwprojects/OpenBK7231...c/src/httpserver/http_fns.c#L1950C15-L1950C15

Ah, you are correct, I pushed the missing file now.

p.kaczmarek2 wrote:

I pushed the missing file now

Seems something went wrong, can't see new builds with

Sorry, I forget to push the changes. They should be up soon.

Tested it, works fine, thank you!

>>20365528
After going over the board on another AT2PW, I found the incoming AC line connected to the "ground plane" on the board, giving the MAINS voltage on ground.
Definitely could see it frying anything that is actually grounded properly.

Hello experts,

I have this AT2PW that refuses to connect to Wifi (the Wifi light is totally off). I suspect that the Tuya module is dead. Can I buy a new CB3S module and just replace it? If that is possible, will it appear as a new device in the Tuya app or as an old device?

(Sorry to be off-topic. I don't know where else to ask.)

Thank you.

Why do you think that WiFi module is dead? Maybe it's a software issue. I'd suggest trying to flash it with OpenBeken and seeing if the Access Point appears.

Added after 32 [seconds]:

Soldering new WiFi module will only work if you flash it with proper 2MB dump first.

>>21335479 Thank you very much for the info. I was right to ask real people, cause ChatGPT told me to just replace the module

(I think the Wifi module is dead because it just suddenly won't connect to Wifi, and the Wifi status LED stopped lighting up. I tried resetting the unit to factory default and the app cannot find it.)

ChatGPT is not a reliable source of information, it just predicts text, the prediction is only relatively good for common cases, and most of the time is more or less wrong.

Is 3.3V reaching the WiFi module?

If anyone has a Tuya factory firmware dump from this device please post it for analysis. Or if there's potential for cached WiFi credentials PM me the file and I'll reset. Cheers

I had the same issue. Wifi not responding. I removed the chip and when reading the Flash Rom an error pop up. I flashed the Rom with new firmware and when reading it, the same error pop up. Also no AP is seen. Now I have ordered a new module.

Can you provide more information? Are you saying that Tuya firmware failed? What do you mean by "new firmware"? Do you know that flashing OBK is not enough, you also need to add the configuration? The screen will not communicate with the WiFi module if you don't start TuyaMCU driver in OBK. You also may need to set the baud rate, wifistate, etc...

The error while reading the Flash:
W: Unknown bootloader
CRC - 0xEDA73627 - please report this on GitHub issues!
E: An error has occurred
E: ValueError: Chip CRC value 6255236F does not match calculated CRC value 52EFAA54 (at 0x0)
E: |-- File "ltchiptoolguiworkbase.py", line 24, in run
E: |-- File "ltchiptoolguiworkflash.py", line 75, in run_impl
E: |-- File "ltchiptoolguiworkflash.py", line 189, in _do_read
E: |-- File "ltchiptoolsocbk72xxflash.py", line 261, in flash_read_raw

Reading with Ltchiptool 4.11.6, give this error.

Tuya was not connecting with the other chip (red light for the WiFi was not ON), it was not detected... I don't know. I reset all that is possible from the menu on the device.

Regarding the new firmware. I have created with ESP Home firmware but no AP is created, no connection to ESP Home, nothing. This is not the first device I am flashing but it is the first CB3S.

EDIT: Severla days after this post.
I have recived a new CB3S modul, I programed it without problem this time with the same setup as before. I have replaced the CB3S mobul on the main board. The Atorch device started but on the bood the display have started flickering and turned off. I first desoldered the CB3S and tested it was working fine, and after that I found out that the other chip HDM CH573F is shorted. The power consumption is going up to 150mA (the power limit I have set). So making it work has failed.