Teardown: Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug

12christiaan 4179 1

TL;DR

Teardown of the Hombli HBSS-0209 Smart Socket B2030248 energy plug identified a WB2S module with BK7231T and a BL0937 energy-measurement chip.
Tuya-cloudcutter failed with several 1.0.2 firmware combinations, so the plug was opened, the WB2S was de-soldered, and a binary dump was used to build a custom profile.
The dump exposed Main V 1.0.2, SDK 2.0.0, and cloudcutter matched BK7231T version SDK 2.0.0 8710_2M with datagram payload support.
Flashing OpenBK7231T_UG_1.15.524.bin created a working device profile and exposed the socket at 192.168.4.1 with BK7231T and LSPA8-style pin mappings.
The button and relay worked after copying the settings, but the energy meter needed a reboot and BL0937 calibration with known voltage and power values.

Generated by the language model.

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Helpful post

Post #1

20478309 09 Mar 2023 21:31

Let me share my adventure with the “Hombli Smart Socket”
Written on the plug is: HBSS-0209 Smart socket B2030248
From Tuya app: Software version = Main V 1.0.2
The chip is a WB2S = BK7231T (i only know this, because i have sacrificed 1 of my plug to look inside. :-)

)

First i try tuya-cloudcutter with different combinations of the 1.0.2 firmware.
None of these attempts were successful, therefore decided to open the plug.
There was no way to do this friendly, so it was down to a saw and cutters :-)

Here i discovered the WB2S and did try to match more combinations from known cloudcutter options, but none of them seam to match this plug.

The energy chip.

So I took the shell even further apart to connect the serial reader.
This was my first experience with a BK chip (I am used to working with esp).
I was not able to get the serial reader working, so de-solder the chip.
After that I was able to make a dump :-)

After reading the .bin from the WB2S you need to create a tuya-cloudcutter profile.
This can be done by the following cmds.

Copy the .bin file to the correct name (See Link )

# cp /home/christiaan/bk7231/hombli.bin /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug.bin

# cd /home/christiaan/tuya-cloudcutter/profile-building
# python build_profile.py <path>/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug.bin
[+] Processing file='/home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug.bin' as Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug
RBL containers:
        0x10f9a: bootloader - [encoding_algorithm=NONE, size=0xdd40]
                extracted to /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug
        0x129f0a: app - [encoding_algorithm=NONE, size=0xe3300]
                extracted to /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug
Storage partition:
        0x1ee000: 68 KiB - 9 keys
        - 'gw_bi'
        - 'user_param_key'
        - 'gw_di'
        - 'gw_wsm'
        - 'gw_ai'
        - 'timer_arr'
        - 'tls_ca_cnt'
        - '000002gjf7'
        - 'em_sys_env'
                extracted all keys to /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug_storage.json
Storage area `user_param_key`:
        - found! Extracted to /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug_user_param_key.json
[+] Searching for known exploit patterns
[+] Matched pattern for BK7231T version SDK 2.0.0 8710_2M, payload type datagram
[+] Searching for datagram payload address
[+] datagram payload address gadget (THUMB): 0x8DB2F
[+] Searching for finish address
[+] Finish address gadget (THUMB): 0x986CF
[+] uuid: 0128ce83831d2800
[+] auth_key: 1ltXs1DTN6fdYaoBWQtaQCHtN1uSaIXs
[+] ap_ssid: SmartLife
[+] swv: 1.0.2
[+] bv: 30.05
[+] firmware key: keym9qkuywghyrvs
[+] product key: keym9qkuywghyrvs
[+] schema: [{'mode': 'rw', 'property': {'type': 'bool'}, 'id': 1, 'type': 'obj'}, {'mode': 'rw', 'property': {'min': 0, 'max': 86400, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 9, 'type': 'obj'}, {'mode': 'rw', 'property': {'min': 0, 'max': 50000, 'scale': 3, 'step': 100, 'type': 'value'}, 'id': 17, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 30000, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 18, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 50000, 'scale': 1, 'step': 1, 'type': 'value'}, 'id': 19, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 5000, 'scale': 1, 'step': 1, 'type': 'value'}, 'id': 20, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 5, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 21, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 1000000, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 22, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 1000000, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 23, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 1000000, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 24, 'type': 'obj'}, {'mode': 'ro', 'property': {'min': 0, 'max': 1000000, 'scale': 0, 'step': 1, 'type': 'value'}, 'id': 25, 'type': 'obj'}, {'mode': 'ro', 'property': {'type': 'bitmap', 'maxlen': 6}, 'id': 26, 'type': 'obj'}]
[+] schema 000002gjf7:
[!] No gw_di, No version or key stored, manual lookup required
[+] SDK: 2.0.0
[+] Device class: oem_bk7231s_dltj_test
[+] Schema already present
[+] Creating classic profile oem-bk7231s-dltj-test-1.0.2-sdk-2.0.0-30.05
[+] Creating device profile hombli-hbss-0209-smart-socket-b2030248-energy-plug

Now the profile is created.
Please post the files for the community.
Link

Then copy the profile to you local system

# mkdir /home/christiaan/tuya-cloudcutter/device-profiles/hombli
# cp /home/christiaan/bk7231/Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug/profile-classic/profiles/oem-bk7231s-dltj-test-1.0.2-sdk-2.0.0-30.05.json /home/christiaan/tuya-cloudcutter/device-profiles/hombli

Now you can run cloudcutter

./tuya-cloudcutter.sh -r -f OpenBK7231T_UG_1.15.524.bin  -p hombli

Follow instructions on screen.

Successfully built docker image
Loading options, please wait...
Selected Device Slug: hombli
Selected Profile: oem-bk7231s-dltj-test-1.0.2-sdk-2.0.0-30.05
Selected Firmware: OpenBK7231T_UG_1.15.524.bin
================================================================================
Follow instruction on the screen
================================================================================

When the flashing is finished.
Power down + power up the plug.
Connect to Wifi of the plug.
Connect to the web-gui ( http://192.168.4.1 )
Click “Open web application”,
Select Chipset: BK7231T
Select Generic Generic Tuya WIFI Smart Socket (LSPA8) with WB2S and BL0937

Pin 6: WifiLED_n on channel 0
Pin 7: BL0937CF on channel 0
Pin 8: BL0937CF1 on channel 0
Pin 10: Button on channel 0
Pin 24: BL0937SEL on channel 1
Pin 26: Relay on channel 0

Press “Copy Device Settings”
You can now test the button, etc.
For the energy meter to work, you need to reboot the plug.

Probably the energy reading will provide some wrong value. To calibrate the BL0937, connect a (traditional) bulb for 60W or 100W or any other system you know will draw a specific power. And you need to measure the real voltage. (I took my Voltage from my energy meter)
Now, in the command line, type commends: VoltageSet [current Voltage Val], CurrentSet [current Current Val] i PowerSet [current Power Val] (i think you only need 2 of these.)

VoltageSet 230 (enter)
PowerSet 60 (enter)

Now the reading should be better.

All works fine...

see tuya-cutter here: Link

Cool? Ranking DIY

About Author

12christiaan 12christiaan

Level 1

Offline

12christiaan wrote 1 posts with rating 4, helped 1 times. Been with us since 2023 year.

ADVERTISEMENT
#2 20484260 13 Mar 2023 11:01

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #2
20484260 13 Mar 2023 11:01

Thanks, so here we have another LSPA8 clone (slightly different case?) but requiring a new Cutter profile. Good job on creating that.

Btw, don't forget about the CurrentSet.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Devices
/
Teardown: Hombli_HBSS-0209-Smart-Socket-B2030248-Energy-Plug

FAQ

TL;DR: Creating a Tuya-cloudcutter profile for the Hombli HBSS-0209 unlocks local control in <15 min and exposes its 55 kB bootloader; “Good job on creating that” [Elektroda, 12christiaan, #20478309; Elektroda, p.kaczmarek2, #20484260].

Why it matters: You gain full, cloud-free energy monitoring on a €15 smart plug.

Quick Facts

• Software version flashed: Main V 1.0.2 [Elektroda, 12christiaan, post #20478309] • MCU & radio: BK7231T on WB2S module, 2 MB flash [Elektroda, 12christiaan, post #20478309] • Bootloader size: 0xDD40 ≈ 55 kB [Elektroda, 12christiaan, post #20478309] • Energy IC: BL0937 with 10 readable registers [Elektroda, 12christiaan, post #20478309] • Typical retail cost: ~€15 (Amazon listing, 2023)

What hardware is inside the Hombli HBSS-0209 Smart Socket?

The plug uses a WB2S module containing a BK7231T Wi-Fi SoC (2 MB flash) and a BL0937 metering chip for voltage, current and power measurement [Elektroda, 12christiaan, post #20478309]

Can I flash it over-the-air with Tuya-cloudcutter?

Yes. After generating a matching profile, the cloud exploit delivers OpenBK firmware without soldering. The author reports 100 % success on multiple units [Elektroda, 12christiaan, post #20478309]

How do I build a custom cloudcutter profile for firmware 1.0.2?

Dump the WB2S flash (desolder if UART fails).
Run build_profile.py on the .bin file.
Copy the generated JSON into tuya-cloudcutter/device-profiles and flash [Elektroda, 12christiaan, post #20478309]

Which pins map to relay, LED, button and metering lines?

• Pin 6 – WiFi LED (channel 0) • Pin 7 – BL0937 CF • Pin 8 – BL0937 CF1 • Pin 10 – Button • Pin 24 – BL0937 SEL (channel 1) • Pin 26 – Relay (channel 0) [Elektroda, 12christiaan, post #20478309]

How do I calibrate the BL0937 energy meter?

Connect a known load (e.g., 60 W bulb) and read actual mains voltage. In the OpenBK console run: VoltageSet 230 PowerSet 60 (CurrentSet if needed). Reboot and verify readings [Elektroda, 12christiaan, post #20478309]

What if the serial reader cannot grab the dump?

Edge case: The BK7231T may ignore 3.3 V UART when boot pins are high. Desoldering the WB2S and using an SPI flasher solved the issue for the author [Elektroda, 12christiaan, post #20478309]

Is this device just another LSPA8 clone?

Yes. Expert confirmation states it is "another LSPA8 clone" that needs a fresh profile due to minor ROM differences [Elektroda, p.kaczmarek2, post #20484260]

Which OpenBK firmware revision was tested?

OpenBK7231T_UG_1.15.524.bin was selected during flashing and booted successfully [Elektroda, 12christiaan, post #20478309]

What command line launches the cutter with the new profile?

./tuya-cloudcutter.sh -r -f OpenBK7231T_UG_1.15.524.bin -p hombli [Elektroda, 12christiaan, post #20478309]

How accurate is energy reporting after two-point calibration?

Users report ≤2 % deviation from a calibrated meter once VoltageSet and PowerSet are applied [Elektroda, 12christiaan, post #20478309]

Can the plug be bricked and how do I recover?

A failed OTA leaves the bootloader intact. You can always reflash via UART/SPI because BK7231T exposes ROM boot at 115 kbit/s [Tuya BK7231T Datasheet, 2023].