[CBU/BK7231N and SH4/CMTOV30] Wi-Fi IR+RF Remote Control (S11)

Question

Pictures: Purchased on Amazon [line:49192ac37d] Pinout: CBU Pin BK7231N Function Board TP 1 P14 (SPI_SCK) SH4 CLK SCK 2 P16 (SPI_MOSI) SH4 SDIO via R9 3 P20 SH4 GPIO1 INT1 4 P22 SH4 GPIO2 INT2 5 ADC Button via RC network ADC 6 RX2 7 TX2 8 P8 IR receiver 9 P7 IR tx 10 P6 11 P26 12 P24 13 GND GND...

romsenin · Accepted Answer

Hi, i have the same board but my device is not square.

I confirm that it use CBU/BK7231N and SH4/CMTOV30
I have draw a mini diagram


  ┌─────────────────────────────────────────────────────────────────────┐
  │                                                                     │
  │                      CBU                                            │                  SH4
  │         ┌──────────────────────────┐                                │           ┌──────────────┐
  │         │                          │                                │           │              │
  └───────► │ P14                 P15  │                                │           │ NC       ANT │
            │                          │                                │           │              │
  ┌───────► │ P16                 P17  │                                │           │ GPIO3     NC │
  │         │                          │                                │           │              │
  │ ┌─────► │ P20                  P9  │ LED                            │           │ GND      GND │
  │ │       │                          │                                │           │              │
  │ │   ┌─► │ P22                 CEN  │                                └────────── │ SCLK      NC │
  │ │   │   │                          │                                            │              │
  │ │   │   │ ADC                 P28  │                                      ┌──── │ SDIO      NC │
  │ │   │   │                          │                                      │     │              │
  │ │   │   │ RX2                 RX1  │                                  ┌───┼──── │ CSB    GPIO1 │ ────────────────┐
  │ │   │   │            P P G 3       │                                  │   │     │              │                 │
  │ │   │   │ TX2  P P P 2 2 N V  TX1  │                              ┌───┼───┼──── │ FCSB   GPIO2 │ ─────────────┐  │
  │ │   │   │      8 7 6 6 4 D 3       │                              │   │   │     │              │              │  │
  │ │   │   │                          │                              │   │   │     │ VCC      GND │              │  │
  │ │   │   └──────────────────────────┘                              │   │   │     │              │              │  │
  │ │   │          I I ▲ ▲                                            │   │   │     └──────────────┘              │  │
  │ │   │          R R │ └────────────────────────────────────────────┘   │   │                                   │  │
  │ │   │              │                                                  │   │                                   │  │
  │ │   │          R T └──────────────────────────────────────────────────┘   │                                   │  │
  │ │   │          X X                                                        │                                   │  │
  └─┼───┼─────────────────────────────────────────────────────────────────────┘                                   │  │
    │   │                                                                                                         │  │
    │   │                                                                                                         │  │
    │   │                                                                                                         │  │
    │   └─────────────────────────────────────────────────────────────────────────────────────────────────────────┘  │
    │                                                                                                                │
    └────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Also the CBU use the 3 wires SPI (SDIO) protocol to communicate with SH4.
And in the log when we use the RF is mention "CMT2300A_IsExist" so it seems that we can use the CMT2300A as reference.

On the product page of CMT2300A, there is two demo with some source code (where there is a function "CMT2300A_IsExist"):
* CMT2300A_DemoEasy_v1.2
* CMT2300A_Demo(STM32)V1.0.1

I don't know if this can help you and if we can use it in OpenSource project, let me know.

DeDaMrAz · Accepted Answer

Just so we have some idea of what we are dealing with, attached here is a schematic of a version of this device that I have.

We were planning on working on this device for the longest time but there is always something more important :)

I think we will begin soon though.

p.kaczmarek2 · Answer

Very interesting, so they are using a SPI protocol to communicate with RF module? Do you have any idea what kind of protocol are they using, is it documented somewhere, or do we have to capture all their data and reverse engineer the protocol ourselves?

JustAnotherUser · Answer

It's SPI, but it uses a bi-directional data line so the master needs to write the register address out on it and then change it to an input to read the response. It's described in the CMT2300A datasheet page 27, and the register table is on page 40. Basically the CSB line goes low, the master writes 7 address bits plus the read/!write bit, and then either reads or writes 8 bits of data before setting CSB high again.

codyroseman · Answer

Does anyone have a dump of the original firmware? I've flashed OpenBeken and since the rf module isn't supported I'd like to return it to stock. Thanks

JustAnotherUser · Answer

Unfortunately unless you have a backup of that specific module you're not going to be able to completely get it back to stock as each module has a serial number and key burned in. The best you'll get is local-only control with TinyTuya or HA. There's a stock firmware image posted lower down in the discussion over at

codyroseman · Answer

No it's literally the same board Added after 7 [minutes]: Added after 2 [minutes]:more importantly I have the partial binary dump containing the boards keys

JustAnotherUser · Answer

Yes, it was the keys I was referring to. If you have those then great, the firmware posted in that thread should work fine once they're spliced in.

p.kaczmarek2 · Answer

@codyroseman if you flashed with BK7231tool easy gui flash tool: you should have a backup, the default option is Create backup and read

codyroseman · Answer

Nah I flashed it with I could only dump the first 1.2mb before the device became unresponsive. Unfortunately I think I deleted the partial dump off my pc, ahh well I think this one is destined for the bin Added after 3 [minutes]:Unless either of you would like this unit

p.kaczmarek2 · Answer

Very nice find! It indeed seems like CMT2300A-EN-Rev0.7.pdf document contains all the information we need. I need to find time to check this out.

thementor · Answer

I wonder if this source code can be of any use for us

merni99 · Answer

I just bought the S11. Any progress on supporting/implementing S11 with SH4 RF module?

olivluca · Answer

I just got a moes UFO-R2-RF and it uses the same CBU/SH4 combo. I didn't check (yet) if the connections are the same. (edit: I checked now and they seem to match). Any progress on this module?

p.kaczmarek2 · Answer

We've started working on new IR library that can more or less capture data and send Flipper Zero IR format:

olivluca · Answer

And what about the RF part?Added after 5 [minutes]:That link doesn't work, but there is this one this one (I searched github for the RF_StartRx function) Added after 11 [hours] 17 [minutes]:Seaching cmt2300a on github gives some interesting results, e.g.: (which is part of an esphome component) the parameters files are for a different frequency (860 or 900 MHz) but using the one from the tuya driver should use the correct frequency.

olivluca · Answer

I'm trying to get the RF part working using libretiny
https://github.com/olivluca/TestTuya
So far no success.
The spi part seems to be working (I tried with a bogus pin for data and it couldn't initialize the radio, with the correct definition it initializes, I can put it in RX mode and see the state transitions), but I see no data (the fifo is always filled with 0).

olivluca · Answer

I fixed the gpio assignment in the code and I'm using the RF parameters (registers from 0x00 to 0x5f) in the csv of the first post.
With that I had some limited success: I can see some data but it's not correct (i.e. I see the same bytes for more than one button of my remote) besides I see some stray codes (maybe there's another transmitter nearby).
It turns out you can generate the parameters using the RFPK tool, available here https://www.hoperf.cn/ic/rf_receiver/CMT2219A.html, the register values can be exported to a text file then a simple python script will convert it to the cmt2300a_params.h
The problem is I cannot find a way to do the reverse (i.e. from the registers derive the parameters) so I can tweak it to see if I can decode my remote. The datasheet doesn't document most of them, it just says to use the RFPK tool.
@JustAnotherUser did you per chance capture the spi conversation while trying to learn some buttons?
Maybe it uses different sets of parameters doing several attempts.

Ç

olivluca · Answer

I bit the bullet, soldered some more cables and captured the spi communication of the original firmware.
Now sending mostly works (sometimes I have to repeat the same button more than once before it is received), receiving is still not working.
Oh, and the trick is to use direct mode, avoiding the decoding/encoding on the cmt2300a and its fifo.

Edit: I labeled the test points, P6 (CSB) and P16 (FCSB) are not available on this side of the pcb, you have to get them from the cpu on the other side.

olivluca · Answer

Sorry folks, I couldn't wrap my head around the openbeken firmware, so I tentatively wrote an esphome component. Sending works, receiving doesn't right now.

divadiow · Answer

@DeDaMrAz @p.kaczmarek2 I'm going to pickup one of these IR devices with SH4 if that's any help with testing in the future...

divadiow · Answer

Circular type. Interesting flexible aerial pad stuck to the back Code: TextLog in, to see the code

alaei · Answer

@olivluca Thanks for the work. works like a charm.It would be wonderful if we could extract formula RFPK tool is using and add support for other frequencies. One simple idea is to get multiple const configuration for example 315/433 and switch between those.

olivluca · Answer

@alaei as I said, I couldn't succeed in generating a working configuration using RFPK. You could try generating a random configuration for 433MHz, another for 315 and see what are the differences, then plug those differences in cmt2300a_params_captured.h.

[CBU/BK7231N and SH4/CMTOV30] Wi-Fi IR+RF Remote Control (S11)

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Post #8

Post #9

Post #10

Post #11

Post #12

Post #13

Post #14

Post #15

Post #16

Post #17

Post #18

Post #19

Post #20

Post #21

Post #22

Post #23

Post #24

Post #25

Topic summary

CBU Pin	BK7231N	Function	Board TP
1	P14 (SPI_SCK)	SH4 CLK	SCK
2	P16 (SPI_MOSI)	SH4 SDIO via R9
3	P20	SH4 GPIO1	INT1
4	P22	SH4 GPIO2	INT2
5	ADC	Button via RC network	ADC
6	RX2
7	TX2
8	P8	IR receiver
9	P7	IR tx
10	P6
11	P26
12	P24
13	GND	GND	GND
14	3V3	3V3	3V3
15	TX1		TXD
16	RX1		RXD
17	P28
18	CEN	CEN
19	P9	Status LED
20	P17 (SPI_MISO)	~~SH4 SDIO via (not populated) R18~~
21	P15 (SPI_CS)		CSN