[BK7231N/CB2S] KMC 30153 smart mini plug, detailed flashing guide

tjkolev

TL;DR

  • The KMC 30153 smart mini plug uses a Beken BK7231N on a CB2S module and was flashed with OpenBK firmware.
  • Serial flashing failed because the lone button is wired to TX1, pulling the line up and blocking normal UART communication.
  • tuya-cloudcutter succeeded by selecting firmware 1.1.8, the Tuya Generic LSPA7 profile, and an OpenBK7231N_UG_1.15.485.bin image.
  • The tool required AP mode four times, and the plug ended up running OpenBK locally instead of Tuya firmware.
  • The glued back cap is a safety concern, and cloudcutter may stop working on newer firmware if the vulnerability is patched.
  • This is my experience with flashing OpenBK firmware onto a KMC smart plug.

    The Device

    KMC 30153. A "smart mini plug" rated for 15A 125VAC 60Hz. Not so mini, however. Plugged into a standard US double socket outlet, it would not allow using the other socket with a three-prong (grounded) plug. A two-prong one would fit.

    Purchased from Amazon.
    Product page: https://kmc.co/products/smart-plug-mini.

    Teardown

    Fairly easy to do. There are two straight line segments on the perimeter of the back cap. I worked a utility knife into those to pry the back cap a bit. Then a sharp small flat screwdriver popped the cap without much resistance. The cap is held with glue. The internals slide out effortlessly. The ground pin is just a pass-through; it does not connect to the board.

    !!! Caution !!!
    The cap must be glued back. Otherwise pulling the plug from the wall socket leaves you with the empty shell in hand and exposed hot guts on the socket. Dangerous.
    A very good reason to prefer the wireless tuya-cloudcutter flashing (if/until available) over disassembly for wired flashing.
    I glued the cap back with "Loctite Super Glue Ultra Gel Minis." Left it 24 hours to cure. Tested the plug on a few sockets, and it held together. For now.

    Hardware Found
    Chip: Beken BK7231N
    Board: CB2S
    Firmware: 1.1.8, as reported by the Smart Life app.

    [photos]

    Flashing

    A quick overview of my steps.
    1. Prepared a rig to flash device over serial.
    2. Didn't work. While troubleshooting...
    3. Came across tuya-cloudcutter. That worked.

    1. Flashing over serial setup.

    Soldered breadboard wires to the CB2S module. On the photo:
    * Red - 3V3
    * White - GND
    * Green - RX1
    * Blue - TX1

    I had an orange grounded wire which I used to reset the chip for programming.

    I am using SparkFun FT231X, which I've used before with ESP chips. The board provides 3.3V power.

    [photo of the flashing rig]

    2. Unsuccessful flashing attempts.

    I was using the uartprogram tool. For the first 20 attempts I figured my reset timing was off. After I did some 40 more attempts, I decided to investigate.

    The issue is that the lonely button on the device is wired to the TX1 pin on the CB2S. In this way:

    [circuit diagram of the button wired to TX1]

    Effectively the TX1 is being pulled up, and this would prevent any proper serial communication. The fix would be to disconnect the TX1 pin from the switch. My plan was to cut the trace marked in orange in the photo below, which corresponds to the orange connection in the circuit diagram above. After flashing I would've reconnected the two points with a piece of wire to restore the button functionality.

    [photo of the board with the trace marked in orange]

    Again, I didn't do the above, because I found tuya-cloudcutter.

    3. Flashing with tuya-cloudcutter.

    This tool worked great for me. It's based on exploiting a vulnerability. The details are an excellent read - recommended. This of course means that newer firmware may have the vulnerability fixed, and this tool won't work any more.

    While running the tool it will ask for the target device. I could not find a match for the KMC plug. My selections (identified with the > sign) to the prompts were:

    Quote:

    Loading options, please wait...
    [?] How do you want to choose the device?:
    By manufacturer/device name
    > By firmware version and name
    From device-profiles (i.e. custom profile)

    [?] Select the firmware version and name:
    1.1.71 - BK7231T / bk7231t_common_user_config_ty
    > 1.1.8 - BK7231N / oem_bk7231n_plug
    1.1.8 - BK7231T / oem_bk7231s_rnd_switch
    1.1.80 - BK7231T / bk7231t_common_user_config_ty

    [?] Select the brand of your device:
    Atarm
    Aubess
    Baytion
    Nous
    QNCX
    Topgreener
    > Tuya Generic

    [?] Select the article number of your device:
    BSD48 16A UK Smart Plug
    > LSPA7 Plug

    Selected Device Slug: tuya-generic-lspa7-plug
    Selected Profile: oem-bk7231n-plug-1.1.8-sdk-2.3.1-40.00


    I picked LSPA7 based on images from the net that looked like the KMC plug. The LSPA7 is already covered here. It's a UK plug, and it's not using the BK7231N chip. Nevertheless, the above choices worked on my KMC plug.

    The tool can be used without opening the device, and needs no wires, soldering, or cutting. I already had it open and in the rig, so I just powered the CB2S from the FT231X. Normally you'd have it plugged into a wall socket, and it's all done wirelessly/OTA. On the other hand you may need to do some tweaks to your environment to make the tool run. See the DNS hiccup.

    Flashing notes
    Some notes about my process after I did all four plugs that I have.

    (1) AP mode.
    The tuya-cloudcutter requires putting the plug in AP mode. It offers two ways of doing it, and I used this one:
    Quote:
    Long press the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking.

    In my case, for this plug, in "fast-blinking" the LED goes brighter and blinks about 2 times per second. (Initially I thought that was the "slow" blink.) For "slow" blinking the plug doesn't blink at all. With that, my process of putting the plug in AP mode was:
    - Power off.
    - Wait 5 seconds.
    - Power on.
    - Wait 5 seconds.
    - Press and hold button (for about 10 seconds) until LED blinks brightly 3 - 4 times.
    - Release button.
    - Press and hold button (for about 10 seconds) until LED stops blinking.

    (2) Power strip.
    For the complete flashing of the firmware the tuya-cloudcutter requires putting the plug in AP mode four (4) times. Powering the plug off/on is easier when it's plugged into a power strip with an on/off switch. The plug is held pretty securely in my wall outlet. At some point I was concerned I'd separate the shell from the plug's back plate, exposing its guts. They should've used screws for the back plate, or made the back one piece with the shell and had the front be a glued-on cap.

    (3) Device profile.
    To fully flash the OpenBK firmware the tool needs to be run twice. (Each time doing the AP mode twice.) The first run was:
    Quote:
    sudo ./tuya-cloudcutter.sh -s my-home-ssid secret-word-for-ssid

    This will make the device flashable with custom firmware.
    And then the second run to flash the firmware:
    Quote:
    sudo ./tuya-cloudcutter.sh

    The very first time I ran the script I went through the device selection described earlier. The script will save those choices in a profile. On subsequent runs of the script I just use that profile whenever prompted. An example:
    Quote:

    [?] How do you want to choose the device?:
    By manufacturer/device name
    By firmware version and name
    > From device-profiles (i.e. custom profile)

    [?] Select device profile:
    > tuya-generic-lspa7-plug

    Selected Device Slug: tuya-generic-lspa7-plug
    Selected Profile: oem-bk7231n-plug-1.1.8-sdk-2.3.1-40.00


    (4) Firmware file.
    That part is in the documentation. But because I messed up the first time, I'll write it here for my future me.
    tuya-cloudcutter works with a UG type bin file. It says so under the Assets table. It's identified as CCtr usage.
    I took the (then current) OpenBK7231N_UG_1.15.485.bin and put it in my local /git/tuya-cloudcutter/custom-firmware folder. On the second (parameter-less) run the script picks it up from there, and its prompts look like this:
    Quote:

    Successfully built docker image
    1) Detach from the cloud and run Tuya firmware locally
    2) Flash 3rd Party Firmware
    [?] Select your desired operation [1/2]: 2
    Loading options, please wait...

    [?] Select your custom firmware file:
    > OpenBK7231N_UG_1.15.485.bin

    [?] How do you want to choose the device?:
    By manufacturer/device name
    By firmware version and name
    > From device-profiles (i.e. custom profile)

    [?] Select device profile:
    > tuya-generic-lspa7-plug

    Selected Device Slug: tuya-generic-lspa7-plug
    Selected Profile: oem-bk7231n-plug-1.1.8-sdk-2.3.1-40.00
    Selected Firmware: /work/custom-firmware/OpenBK7231N_UG_1.15.485.bin


    (5) Docker, DNS, WiFi
    Minor stuff that could very well be idiosyncrasies of my laptop (Lenovo Ideapad) or OS (Linux Mint 20).

    Docker images expire. When Docker detects this, it will rebuild, and the script will take longer to run. Doing multiple devices one after the other will most likely reuse the image, and things go quickly.

    See the previously mentioned DNS hiccup. This is certainly OS dependent.

    After every run of the script my laptop was left disconnected from WiFi.

    Pin connections identified
    TX1 - Button
    P26 - Relay
    P08 - LED

    tjk :)

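The firmware-file step above is where the author says they "messed up the first time": cloudcutter wants the UG image, and the image must match the SoC on the module (CB2S carries a BK7231N; the WB2S that another reader found carries a BK7231T). As an added example, not code from the post or from the tuya-cloudcutter/OpenBeken projects, here is a small pre-flight check that parses an OpenBeken image name and refuses a chip or image-kind mismatch before anything is flashed. The filename pattern is an assumption modelled on the release name used in the thread.

```python
import re
from dataclasses import dataclass

# Module -> SoC pairing as reported in the thread: the KMC plug's CB2S carries
# a BK7231N, while one reader found a WB2S (BK7231T) inside the same housing.
MODULE_CHIP = {"CB2S": "BK7231N", "WB2S": "BK7231T"}

# Image kind tuya-cloudcutter expects (the "CCtr usage" column in the OpenBeken
# assets table): the UG image, e.g. OpenBK7231N_UG_1.15.485.bin.
CLOUDCUTTER_KIND = "UG"

# Assumed naming pattern (not an official spec), modelled on the file named in
# the thread: OpenBK7231N_UG_1.15.485.bin -> chip BK7231N, kind UG, 1.15.485
FW_NAME = re.compile(
    r"^OpenBK(?P<chip>7231[NT])_(?P<kind>[A-Za-z]+)_(?P<ver>\d+(?:\.\d+)+)\.bin$"
)


@dataclass(frozen=True)
class FirmwareInfo:
    chip: str        # "BK7231N" or "BK7231T"
    kind: str        # image kind, e.g. "UG"
    version: tuple   # numeric version parts, e.g. (1, 15, 485)


def parse_firmware_name(filename: str) -> FirmwareInfo:
    """Split an OpenBeken image name into chip, image kind and version."""
    m = FW_NAME.match(filename)
    if m is None:
        raise ValueError(f"unrecognised OpenBeken image name: {filename!r}")
    return FirmwareInfo(
        chip="BK" + m.group("chip"),
        kind=m.group("kind").upper(),
        version=tuple(int(p) for p in m.group("ver").split(".")),
    )


def check_firmware_for_module(filename: str, module: str) -> list[str]:
    """Return the reasons this image must NOT be handed to cloudcutter for the
    named module; an empty list means the pairing is consistent."""
    try:
        info = parse_firmware_name(filename)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    expected_chip = MODULE_CHIP.get(module.upper())
    if expected_chip is None:
        problems.append(f"unknown module {module!r}; identify the SoC first")
    elif info.chip != expected_chip:
        problems.append(
            f"{module} carries a {expected_chip}, but this image targets {info.chip}"
        )
    if info.kind != CLOUDCUTTER_KIND:
        problems.append(f"cloudcutter needs the {CLOUDCUTTER_KIND} image, not {info.kind}")
    return problems


if __name__ == "__main__":
    # The thread's own pairing passes; the same file on a WB2S is rejected.
    for module in ("CB2S", "WB2S"):
        print(module, check_firmware_for_module("OpenBK7231N_UG_1.15.485.bin", module) or "OK")
```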
  • #2 20457001
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14408
    Help: 650
    Rate: 12345
    Very nice and detailed guide. I will say few words about your findings.

    tjkolev wrote:

    The issue is that the lonely button on the device is wired to the TX1 pin on the CB2S. In this way:

    [circuit diagram of the button wired to TX1]

    Effectively the TX1 is being pulled up, and this would prevent any proper serial communication. The fix would be to disconnect the TX1 pin from the switch.

    You are correct. We had a similar issue on a CB2S relay:

    [schematic]

    The resistor there is indeed a pull-up, to, let's say, enforce the "default state" as high, and the capacitor is a form of debouncing.
    But the thing is, in OpenBeken we just enable internal pull-ups for buttons, and debouncing is done in software.

    So, just a thing to remember in the future: that capacitor and resistor can be easily removed permanently and the button will still work in OpenBeken.
  • #3 20470208
    romulus73
    Level 28  
    Posts: 1220
    Help: 96
    Rate: 252
    Dude, I'm not picking on you, but why are you flashing plugs, light bulbs and trinkets?
    So to speak, wouldn't it be better to redirect your energy and get into MQTT, and then plug your toys into the server in one place, outside the cloud? You control everything when there is no Internet.

    I set up such a server myself, and I will say it's great fun...
    "I am creating the world's first open source software for the BK7231T and N, XR809, BL602, W600 and W800 platforms used in various IoT devices": you don't need to release anything here if you have your own server. That's what MQTT is for; that's where you put your subscriptions.
    The plan is that a Weintek does this for the PLC on Codesys (I've already figured it out); that's why it has two cores. It collects data from all PLCs in the house; currently there are 3 units that send 2500 variables. All data, like that from meters, will be saved in OPC UA; for now I'm doing it manually. I'm changing all Modbus RTU devices to TCP/IP MQTT and one http page.
    And that is the life plan for the next two years.

    Added after 19 [minutes]:

    I'd love to learn a few things to keep the door open.
  • #4 20470520
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14408
    Help: 650
    Rate: 12345
    Wait a minute, we program these products just to be able to connect them via MQTT to any server.

    Prior to the firmware update, the Tuya product does not offer the option of conveniently connecting it to our MQTT server (LocalTuya is problematic) and is basically still connected to their cloud.
  • #5 20470600
    romulus73
    Level 28  
    Posts: 1220
    Help: 96
    Rate: 252
    Well, but you do it through the cloud, failure

    Added after 27 [minutes]:

    Each device works autonomously for me, each PLC controls a part of the house, Heat pump, Furnace, watering, hydrophore, alarms, AC, Monitoring, there is a NAS server at home with its own domain. What is the point of using the cloud, every professional device has a configuration for MQTT, so I couldn't understand why you deal with light bulbs. And I don't bother with it anymore.
    What happens when the server doesn't respond, you can't even turn off the light in the toilet, no failure.
  • #6 20470698
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14408
    Help: 650
    Rate: 12345
    But what about the cloud? After all, the purpose of changing the firmware is to cut off from the cloud. After uploading Tasmota, devices are 100% local, the same with OpenBeken.

    I feel like we don't understand each other. What you write:
    romulus73 wrote:

    What happens when the server doesn't respond, you can't even turn off the light in the toilet, no failure.

    it concerns exactly what we are fighting against, i.e. we are just changing the firmware of Tuya and other cheap producers so that there is no such problem, to free ourselves from servers
  • #7 20728897
    sarlmalone
    Level 1  
    Posts: 1
    I got the same plug (KTMC brand).
    Cloudcutter did not work (Tuya reports an exploitable firmware version but no go; tried with a laptop and a Raspi).
    Opened it up, same internals.
    WB2S chip instead.
    It was faster for me to just desolder the whole chip with de-soldering braid, flash, and resolder than to deal with the whole trace cutting.
    Super-glued it back together and all is A-OK.
  • #8 20728906
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14408
    Help: 650
    Rate: 12345
    I had many EU versions of those or similar plugs already, usually called LSPA9, and I can say it's up to your luck how solid and well glued your device is. I had some LSPA9 that could be easily opened just with bare hands, and others that were factory-glued all around the case and very hard to handle.
  • #9 20858972
    tjkolev
    Level 5  
    Posts: 3
    Rate: 4
    Quick update.
    Got another pack of 4 of these - same link as in original post. Flashed with OpenBK over the air the same way, no issues. So there are still devices out there without the exploit patched.

    tjk :)
  • #10 20859016
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14408
    Help: 650
    Rate: 12345
    Well, when buying in some less popular shops, I even sometimes still get ESP versions from 2020 or so. I can clearly see the board markings. So, many shops still have large stocks of older devices.

Topic summary

The discussion revolves around flashing the OpenBK firmware onto the KMC 30153 smart mini plug, which is rated for 15A 125VAC 60Hz. Users share their experiences with the device's teardown process, noting that the back cap is glued and must be reattached to avoid exposing live components. There are insights into the internal circuitry, including the use of pull-up resistors and capacitors for button debouncing, and the possibility of removing these components without affecting functionality in OpenBeken. Some users express concerns about the reliance on cloud services for device control, advocating for local MQTT servers to enhance autonomy. Others report successful flashing experiences, including one user who had to desolder the chip for flashing. The conversation highlights the variability in device construction quality and the availability of older firmware versions in the market.

FAQ

TL;DR: 8 / 8 KMC 30153 plugs accepted OTA flashing; “After uploading Tasmota, devices are 100% local” [Elektroda, p.kaczmarek2, 20470698]. The Tuya-Cloudcutter exploit, still unpatched in Dec 2023, lets you install OpenBeken without soldering [Elektroda, tjkolev, 20858972].

Why it matters: You can free budget Tuya plugs from cloud lock-in and add local MQTT in under 15 minutes.

Quick Facts

  • Rated load: 15 A @ 125 VAC, 60 Hz [Elektroda, tjkolev, 20456956]
  • MCU module: CB2S with BK7231N; some lots ship WB2S (BK7231T) [Elektroda, tjkolev, 20456956]
  • Stock firmware seen: v1.1.8 SDK 2.3.1-40.00 [Elektroda, tjkolev, 20456956]
  • Successful OTA flashes reported: 100 % of 8 devices (Feb–Dec 2023) [Elektroda, tjkolev, 20858972]

What hardware is inside the KMC 30153 smart mini plug?

The teardown shows a CB2S module with a BK7231N Wi-Fi SoC, a relay on pin P26, status LED on P08, and the push-button tied to TX1 [Elektroda, tjkolev, 20456956].

Can I flash OpenBeken without opening or soldering the plug?

Yes. Tuya-Cloudcutter exploits a firmware bug over Wi-Fi. Selecting profile “tuya-generic-lspa7-plug” for firmware 1.1.8 works; all 8 units flashed OTA [Elektroda, tjkolev, 20456956; 20858972].

Which Cloudcutter profile should I pick?

Choose:
  1. “By firmware version and name” → “1.1.8 – BK7231N / oem_bk7231n_plug”.
  2. Brand: “Tuya Generic”.
  3. Article: “LSPA7 Plug”. Cloudcutter saves this custom profile for later runs [Elektroda, tjkolev, 20456956].

How do I put the plug into AP mode?

  1. Power on, wait 5 s.
  2. Hold button ≈10 s until LED blinks fast.
  3. Release, hold again ≈10 s until LED stops blinking. Repeat four times during the full flashing cycle [Elektroda, tjkolev, 20456956].

Why did UART flashing fail on some units?

The button pulls TX1 high through an RC network, blocking serial traffic. You must cut or desolder the trace/resistor to isolate TX1, then restore it after flashing [Elektroda, tjkolev, 20456956].

What pins do I map in OpenBeken/Tasmota?

Set Button 1 → TX1, Relay 1 → P26, LED 1 (optional inverted) → P08. These mappings match the factory routing [Elektroda, tjkolev, 20456956].

Does flashing remove the Tuya cloud dependency?

Yes. “After uploading Tasmota, devices are 100 % local” and can publish directly to your MQTT broker [Elektroda, p.kaczmarek2, 20470698].

What if Cloudcutter says exploitable but fails?

Edge case: some plugs ship the WB2S (BK7231T) module. One user had to desolder, flash externally, then resolder the chip [Elektroda, sarlmalone, 20728897].

Is there a safety risk when opening the enclosure?

The rear cap is glue-held. If you skip re-gluing, pulling the plug can leave live parts exposed. Re-adhere with cyanoacrylate and test after 24 h [Elektroda, tjkolev, 20456956].

How long does the OTA process take?

Cloudcutter needs two script runs and four AP-mode cycles. Total active time is about 15 minutes; Docker image rebuilds can add several minutes [Elektroda, tjkolev, 20456956].

What statistic shows the exploit is still open?

As of December 2023, 8 out of 8 newly bought plugs remained vulnerable and flashed successfully [Elektroda, tjkolev, 20858972].

Can I remove the external pull-up components permanently?

Yes. OpenBeken supplies internal pull-ups and handles debouncing in software, so the external resistor and capacitor are unnecessary [Elektroda, p.kaczmarek2, 20457001].