[BK7231N/CB2S] Comparison of multiple smart switch modules, differences on PCB, patched firmware

I don't even know which one is from which seller. They all look identical on the outside...



4 variants in total:


First one:
Patched firmware 1.3.10 (Tuya-Cloudcutter won't work)

Device configuration, as extracted from Tuya:
- Pair/Toggle All Pin on P8
- WiFi LED on P6
- TglChannelToggle (channel 1) on P14
- Relay (channel 1) on P15
Device seems to be using CBU module, which is using BK7231N.


Second one:
Also patched firmware


Device configuration, as extracted from Tuya:
- Pair/Toggle All Pin on P23
- WiFi LED on P26
- TglChannelToggle (channel 1) on P6
- Relay (channel 1) on P7
Device seems to be using CB2S module, which is using BK7231N.


Third one:
Also patched firmware

Device configuration, as extracted from Tuya:
- Pair/Toggle All Pin on P8
- WiFi LED on P7
- TglChannelToggle (channel 1) on P26
- Relay (channel 1) on P24
Device seems to be using CB2S module, which is using BK7231N.


Forth one:
BL2028N chip. (BK7231 variant)
Firmware 1.2.1 Tuya-cloudcutter worked yay

UPDATE:
I later received another one and it was patched. Be aware that RX is shorted to ground so the connection between the module and the main pcb needs to be removed. No need to desolder the entire module, just wick away the solder connection.


Device configuration, as extracted from Tuya:
- Pair/Toggle All Pin on P10
- WiFi LED on P7
- TglChannelToggle (channel 1) on P26
- Relay (channel 1) on P8
Device seems to be using CB2S module, which is using BK7231N.


5th one:
This one should support power monitoring.
Also patched firmware.
Be aware that RX is shorted to ground so the connection between the module and the main pcb needs to be removed. No need to desolder the entire module, just wick away the solder connection.



Unhackable variant:
This one cannot be hacked.



My setup:


I used an ESP8266 Nodemcu because I'm too cheap to buy a dedicated serial to usb. I disabled the ESP12F chip by connecting the ENABLED pin to GND

I'm using a breadboard so I can disconnect VCC easily.

To flash the Openbeken firmware I used BK7231GUIFlashTool. Only downside of this tool is that it doesn't work on MacOS with Mono.

NOTES:

Every switch I flashed with BK7231GUIFlashTool had firmware 1.3.10 and for some reason I couldn't read any firmware. Flashing worked fine tho.

AFTER SOLDERING THE WIRES ALWAYS CHECK WITH A MULTIMETER THAT THEY ARE NOT BRIDGED OR MAGIC SMOKE MAY COME OUT.

Don't worry about cloudcutter not working. Newest BK7231GUIFlashTool will be able to automatically configure GPIO of your device.
https://github.com/openshwprojects/BK7231GUIFlashTool

I don't know why BK7231 GUI Flasher has troubles on Mono, I will try to investigate that.

Please remember to use PowerSave 1 in short startup command on those devices! They are very cheap, and have low quality power supplies, I already had to fix one some time ago.

So you had CB2S with BL2028N? Tuya doesn't seem to respect their own marking standards.

Are the GPIO configs the same?

BK7231 GUI Flasher has troubles on Mono on Mac OS
The tool uses Windows.Forms that are 32 bit only. Mac OS doesn't support 32 bit apps so Mono fails to launch the tool.
The only solution I think is to change che GUI to some other library like QT.

I've yet have to configure them. I will update the post once I figure out all pinouts.

Well, maybe then just post here 2MB flash dumps and I will extract GPIO for you?

It wasn't a big issue, I have a Windows desktop so I used that to run the tool.
The software couldn't read any firmware from the switches. I don't know if the new firmware 1.3.10 have some protection or what but it would always error out. Had to use the third button to only flash.

This is most likely because you need to try out the new version:
bk7231flas...230513.zip Download (431.64 kB)
Please try it.

If it's not working, please submit your binary files so I can update my tool.

Oh I didn't know that the one on Github wasn't the latest... Unfortunately I currently already flashed every smart switch I own. But I will receive another 4 by the next week. I will post an update when I receive them.

Hmmm it's worth to make 2MB backup anyway. Keep it and also submit it here for analysis, if you can.

But..... You don't have to test, but I think that this tool is able to extract Tuya config even after flashing OBK, because we currently don't overwrite it.

Anyway, we will be releasing it on Github tomorrow or something, so don't worry if you don't have devices waiting to be flashed at the moment.

Ohhh I though it erased everything because the first step was a loading bar saying "Erasing...". So I can still retrieve the original firmware/config? Because that would help figuring out the pinout.

No, wait, let me clarify.

The BK7231 flashing process first erases the blocks that it's going to overwrite. So it erases old firmware section and writes new firmware. But new firmware is not taking whole 2MB space of flash, only the part of it.

The remaining parts of flash, the RF section (calibration, MAC) is not erased. it is also not overwritten. It would be very bad to erase that. The partitions of Tuya, that are outside of the Tuya firmware, are also not erased.

This is why flashing OpenBK will overwrite Tuya firmware, but it will not overwrite Tuya config, which is at the very end of flash memory,

Wait a minute... But if the original Tuya config containing all the pinout is not erased and still present on the flash, Openbeken should be able to access it and automatically import the configuration theoretically right? Or am I missing something?

Bingo! It could do that, but there is one problem - the Tuya config is using AES encryption:

So, as a developer, I have basically two (maybe three?) options here:
a) include AES library in OpenBeken and make config import fully within firmware. It is being considered but it would take more Flash size
b) just let Flasher tool decode that, Flasher will soon also be able to connect to already flashed OBK device and extract config from there
c) just let Web App decode that (but I must check if there is AES for Javascript)

I will think about it, but option a) is also possible, just like you say, it would only take some more of the flash memory.

Cool. for option c) webassembly could also be used.

Later in the day I will solder the wires again and make a backup of the firmware.

There is no need to solder the wires. If you have latest OBK, you can get 2MB from Web App, but due to some small flash problems it will restart device few times and take some time:

You can try it, or wait for a better Web App update soon.

Added after 55 [minutes]:

Disregard what I said above. We're having so fast progress that my information gets obsolete as I speak.
Use this button:

It will generate file like:

and later you can drag and drop it on flasher:

I received another package containing 6 switches. 2 ESP and 4 likely BK. I'm not at home currently but tonight I will crack them open and dump the original firmware before flashing OBK.

With current version, you can even extract Tuya Config from device that was already flashed in OBK. Just go to Web App, open Flash Tab, and press:

Then you can drag and drop it on the flasher.

The backup still fails using the BKGUI app.


I cannot manage to backup nor an original firmware nor OBK firmware


"Read only OBK config" makes the program launch an exception and it crashes


Also I tested the function to dump the Tuya GPIO config and looks like it's working fine. Tomorrow I will dump the rest and update the post with the pinout

I have seen this error reported two or three times already. It seems that with certain USB to UART dongle or on a certain system, there is some kind of instability. I am unable to reproduce it.

I will ask @DeDaMrAz if he is also getting that problem.

One of the switches I got is a black sheep... with TR6260S1 that to my knowledge is not supported by Openbeken and with 1M of flash. (Should I make a separate post for this? I don't have much to say other than that I lost the chip lottery on this)

If there is no clear marking on the switch package, then you don't really have to make a separate post... but if you have this device, can you try to capture the log from UART? If it has UART... how the back of that module looks like? Does it have TX2? Maybe it would tell us something about the SDK they used.

I updated the post with all pinout. I'll analyze the weird one later. Tears of the Kingdom came out so smart home stuff will be on pause for a while.

I have also the V1.3.10 / V102 with Energy Monitoring, which is not working via cloudcutter.
I ordered 15 devices. All of them having this new firmware.

Did anyone flash this device without wiring?

In my case these are Aubess Mini Wifi Switches

Hello @ttp1106 . I would suggest you to take one apart and take 2MB flash dump - BK7231 gui flasher can now extract GPIO! Then we can also check if it is possible to create a new profile for those devices. If not, you will have to flash all of them by wires... some newer BK7231N have sadly patched firmware, which is not working with cloudcutter.
Here's our flasher:
https://github.com/openshwprojects/BK7231GUIFlashTool
Here's our Youtube playlist of flashing by wires guides (soldering guides, step by step, it's very easy!)
https://www.youtube.com/playlist?list=PLzbXEc2ebpH0CZDbczAXT94BuSGrd_GoM
After flashing, don't forget to enable PowerSave feature of OBK.

>>20588900

Yours looks like this?



I received my last package and I found one of these. They claim power monitoring and based on the presence of the big 1 ohm resistor it should be true. Petty good deal for 1.79$...

It's not hard to solder the wires to it but be aware I think they shorted rx to ground so you will have to remove the connection between the module and the main PCB or flashing will fail.

Added after 18 [minutes]:

Anyway.

I received all the packages.



To sum it up:
x20 16A smart switch
x7 variant 2
x6 variant 1
x3 variant 3
x2 variant 4
x1 variant 5 (power monitoring)
x1 Trash (Non hackable)

Considering one is unusable I spent on average 1,88$ for each. Not bad.


x16 Smart relay 10A

x2 Trash (Non hackable)
x1 I broke (I think) because I connected GND and VCC in reverse....
x13 ESP8265 chip. Flashed with Tasmota.

So averaged out I spent 2,2$ for each. Still not too bad of a deal.

I'm not sure what I'm going to do with this many smart switches... I only needed a few but after all the research it took, it only made sense if I bough a large batch of it.

The first switch took me hours to flash. After a few I could flash one every 3 minute or less.

When flashing by wires, try to do flash 2MB dumps, they may be some of use for us.

those "2x thrash/non-hackable" are using TRS? Or did you get another chip?

Yes that chip


After flashing 10+ of them where they all had ESP8265 I went in autopilot and tried flashing them as usual. It took me way too long to figure out what the f was happening.


Also the GUI tool always failed to read the firmware at least for me. So I always had to click "flash only". Unfortunately I don't have any other usb-serial adapter.

Try doing reading with bkWriter 1.60. only read. bkWriter 1.60 is buggy. Make sure to enter 2MB number to read length, so it reads whole flash. Check is result binary is 2MB.
Here is bkWriter 1.60:
https://github.com/openshwprojects/OpenBK7231T/blob/master/bk_writer1.60.zip

Do you need the 2MB flash from the Beken chip? I don't think I will wire read any Beken chip anytime soon because I flashed them all. If it's needed I will simply download it from the OpenBeken web UI.

The TRS chip on the other hand I think it may be useful to you but from my research it's 1MB and I don't know what tool to use to dump the firmware.

Also I tried editing my post to add the 5th variant images and it doesn't seem to be updating.

erlipan2001 wrote:

Do you need the 2MB flash from the Beken chip?

Yes, but there is no hurry.

erlipan2001 wrote:

If it's needed I will simply download it from the OpenBeken web UI.

No, this is only good to get GPIO template, not for full analysis. I meant original 2MB Tuya firmware.

erlipan2001 wrote:

The TRS chip on the other hand I think it may be useful to you but from my research it's 1MB and I don't know what tool to use to dump the firmware.

I don't know how to flash TRS as well

erlipan2001 wrote:

Also I tried editing my post to add the 5th variant images and it doesn't seem to be updating.

I have accepted your changes, now they are live. We have extra security check for editing old posts.

Unfortunately I don't have nor I will receive any new switches so I guess I won't be able to provide the original firmware.