[BK7231T] A simple BLE device project using WB2L. Comments and help welcome.

jitsirakowsk 3156 8

Reply Cool? Ranking DIY | New topic

Notify about new articles

Helpful post? (+3)

Helpful post
Post #1
20653571 14 Jul 2023 00:53

Hi! In case anyone is interested, here is a simple project to initialize a simple BLE device on WB2L. No Tuya libraries. This is not a fully functional device (in the sense that it does not do anything useful but sends some data to the host). There is a (long) write-up in the doc directory on the project and related topics (overview of BLE, etc.) that my friend and I wrote for a local group of enthusiasts. Apologies for it being too elementary for many of you, some of our participants are students. Also, the original archive had a bz2 extension but the forum only accepts zip files, so the instruction for extraction should read tar xzvf bk_ble.tar.zip.

Andy
Edit: there is a newer version of the project later in this thread with a lot more details.

Attachments:

bk_ble.tar.zip Download (2.48 MB)

Cool? Ranking DIY
About Author
jitsirakowsk jitsirakowsk

Level 6
Offline

Joined: 20 May 2023

Posts: 8

Help: 2

Posts rating: 7

Points: 164
jitsirakowsk wrote 8 posts with rating 7, helped 2 times. Been with us since 2023 year.

ADVERTISEMENT
#2 20653668 14 Jul 2023 07:42

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #2
20653668 14 Jul 2023 07:42

Very impressive documentation. Comprehensive and well written. I will have to find some time to analyze it.

Are you planning to support N platform as well (BK7231N)?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#3 20654018 14 Jul 2023 13:16

jitsirakowsk jitsirakowsk

Level 6

Topic author Helpful post? (0)

Post #3
20654018 14 Jul 2023 13:16

We are. I think we have `N' powered devices lying around as well so as soon as we hook it up we should be able to get something similar. In the meanwhile we are planning to use Beken's BLE profile api to get a full `transparent UART' and reverse engineer the lower level calls (setting registers, basically). We try to write about details, we found that it helps beginners ask the right questions.

Andy
#4 20654137 14 Jul 2023 14:48

DeDaMrAz DeDaMrAz

Level 20

Helpful post? (0)

Post #4
20654137 14 Jul 2023 14:48

jitsirakowsk wrote:
We are. I think we have `N' powered devices lying around as well so as soon as we hook it up we should be able to get something similar. In the meanwhile we are planning to use Beken's BLE profile api to get a full `transparent UART' and reverse engineer the lower level calls (setting registers, basically). We try to write about details, we found that it helps beginners ask the right questions.

Andy

Hi Andy,

That writeup looks very, very nice and thank you for sharing it with us!

Disclaimer - haven't read the paper yet so ignore the question if irrelevant.
Have you considered using OpenOCD to confirm the possible register changes??

If you like my work, support me at: https://paypal.me/openshwprojects
ADVERTISEMENT

Helpful post

#5 20654215 14 Jul 2023 16:06

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post

Post #5

20654215 14 Jul 2023 16:06

There was a JTAG config by @xabean somewhere.

xabean wrote:

I got JTAG working, it's the same pins used for SPI programming, so I didn't need to rewire anything. Drop the below config into bk7321t.cfg, and run openocd -f bk7321t.cfg to start it up.


source [find interface/raspberrypi2-native.cfg]

## https://docs.microsoft.com/en-us/windows/iot-core/learn-about-hardware/pinmappings/pinmappingsrpi
##
## CEN  -> (bcm)GPIO 22 / RPI3b pin 15
## SCLK -> (bcm)GPIO 11 / RPI3b pin 23
## CSN  -> (bcm)GPIO 08 / RPI3b pin 24
## SI   -> (bcm)GPIO 10 / RPI3b pin 19
## SO   -> (bcm)GPIO 9 / RPI3b pin 21


# Each of the JTAG lines need a (bcm) gpio number set:
#                     tck tms tdi tdo
bcm2835gpio_jtag_nums 11  8   10  9

#                     srst
bcm2835gpio_srst_num  22

# we only have CEN (aka chip enable, system reset)
reset_config srst_only

# CEN is normally pulled high, but sometimes it can help to force it high, not just low.
reset_config srst_push_pull

# on connect, deassert (reset to HIGH) the SRST pin
reset_config connect_deassert_srst

# we have no TRST pin, tell OpenOCD to imagine it's tied to SRST.
reset_config srst_pulls_trst

# use JTAG.
transport select jtag

# go slow.
adapter speed 100

# wait 200ms after releasing srst before we send JTAG commands over TMS,
# we will never reset into halt because we have no tRST pin :(
adapter srst delay 200

if { [info exists CHIPNAME] } {
   set _CHIPNAME $CHIPNAME
} else {
   set _CHIPNAME bk7321t
}

if { [info exists ENDIAN] } {
   set _ENDIAN $ENDIAN
} else {
  # this defaults to a little endian
   set _ENDIAN little
}

if { [info exists CPUTAPID] } {
   set _CPUTAPID $CPUTAPID
} else {
   set _CPUTAPID 0x15968001
}

jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME arm966e -endian $_ENDIAN -chain-position $_TARGETNAME

Then you can read the flash chip ID over the OpenOCD telnet interface on port 4444,


xabean@raspberrypi:~ $ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> mww 0x00803000 74
> mdw 0x00803010 1
0x00803010: 001c7015

> bk7321t.cpu arm reg                
System and User mode registers
      r0: 00000001       r1: 00000069       r2: 00090080       r3: 00100000 
      r4: 00408b5e       r5: 00000001       r6: 00405d80       r7: 00000010 
      r8: 08080808       r9: 09090909      r10: 10101010      r11: 11111111 
     r12: 0000000a   sp_usr: 00420870   lr_usr: 00016dfd       pc: 00016dc2 
    cpsr: 6000003f 

FIQ mode shadow registers
  r8_fiq: 00000000   r9_fiq: 00000000  r10_fiq: 00000000  r11_fiq: 00000000 
 r12_fiq: 00000000   sp_fiq: 00400fe0   lr_fiq: b51edf9b spsr_fiq: 00000010 

Supervisor mode shadow registers
  sp_svc: 004027a0   lr_svc: 00016dc6 spsr_svc: 6000003f 

Abort mode shadow registers
  sp_abt: 004007e0   lr_abt: df9ff7e5 spsr_abt: 00000010 

IRQ mode shadow registers
  sp_irq: 00401fd0   lr_irq: 00059ae8 spsr_irq: 6000001f 

Undefined instruction mode shadow registers
  sp_und: 004007e0   lr_und: bb0de3bc spsr_und: 00000010

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.

ADVERTISEMENT
#6 20654311 14 Jul 2023 17:51

jitsirakowsk jitsirakowsk

Level 6

Topic author Helpful post? (0)

Post #6
20654311 14 Jul 2023 17:51

>>20654137
Hi! Thanks for the question and the info about JTAG. No, we have not done anything with it but OpenOCD with jtag would be fantastic. If I understand correctly this requires access to SPI pins and a few others. Not a major problem in itself, of course. I noticed in the original Makefile by Tuya that they have a setup using OpenOCD (and jlink) with the serial bootloader on the chip. This would speed things up tremendously as one would be able to use gdb and there would be no need for the second serial port to print to. By the way, has there been any effort to replace the bootloader with something better known?

Andy
#7 20654334 14 Jul 2023 18:18

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #7
20654334 14 Jul 2023 18:18

Here is a guide for SPI flashing of BK7231. It can be used to reconstruct bootloader if it was overwritten:
https://www.elektroda.com/rtvforum/topic3931424.html
I will, however, note here that WB2L may not have easily accessible SPI pins. I remember there was a problem with that. I used SPI method succesfully for WB3S. You need to consult the module datasheet to be sure.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#8 20654654 14 Jul 2023 22:10

jitsirakowsk jitsirakowsk

Level 6

Topic author Helpful post? (+1)

Post #8
20654654 14 Jul 2023 22:10

Yes, we have seen the guide (excellent work by the way) and judging by the datasheet for WB2L pins 20-23, as well as reset are exposed as test pins on the back of the pcb. The datasheet also explicitly says that these pins can be used to read and write flash, so it should be doable. In our case, there is a complication of having to desolder the module itself which is also glued to the mother-pcb it seems. It should be possible but naturally we are putting it off until we are done experimenting with the code (or have to rebuild the bootloader). It is getting more and more tempting though.
Helpful post

#9 20742145 21 Sep 2023 18:19

jitsirakowsk jitsirakowsk

Level 6
Topic author Helpful post? (+3)

Helpful post
Post #9
20742145 21 Sep 2023 18:19

Hi everyone!

Here is a new version of the tutorial and the project. Not much new code, although we have reverse engineered three somewhat large functions in the link layer driver. There is a detailed guide on how it was done in case anyone wants to continue the work (we are planning to continue, as well, probably concentrating more on reverse engineering itself, and less on the description of the process). There are guides (albeit of varying quality) on several topics, from assembly to computer arithmetic (whatever the members of our little group asked about), a small glossary, a literature guide. There are even exercises, in case someone wants to practice!

We have also looked at the BLE subsystem on the `N' chip. It turned out that the register map is different and the registers themselves are also not the same (although similar; it seems the `N' chips use a newer BLE cell). The functions have different prototypes, as well, although the overall organization of the code is not that different. We have not started reverse engineering the corresponding BLE library yet but it is `on the agenda'. As always, comments, requests, and questions are welcome.

Andy

Attachments:

bk_ble.tar.zip Download (3.59 MB)
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

Report a violation of the law

Topic summary

A project was introduced to initialize a simple BLE device using the WB2L module, without relying on Tuya libraries. The documentation provided is comprehensive, aimed at beginners, and includes an overview of BLE. The author plans to extend support to the BK7231N platform and is exploring the use of Beken's BLE profile API for a transparent UART. Discussions included the potential use of OpenOCD for confirming register changes and the challenges of accessing SPI pins for flashing the BK7231. A new version of the project was later shared, detailing reverse engineering efforts on the link layer driver and differences in the BLE subsystem of the BK7231N chip.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
[BK7231T] A simple BLE device project using WB2L. Comments and help welcome.

FAQ

TL;DR: BK7231T’s 120 MHz ARM9E core drives this open-source BLE demo [Beken Datasheet]—“Comprehensive and well written” [Elektroda, p.kaczmarek2, post #20653668] The thread bundles a 50-page tutorial, ready-to-use JTAG config, and an updated BK7231N register map. Why it matters: These resources let you flash, debug and reverse-engineer low-cost Wi-Fi/BLE modules without vendor SDKs.

Quick Facts

• 32-bit ARM9E @ 120 MHz, ~2 MB embedded flash [Beken Datasheet].
• WB2L footprint: 26 × 16 mm, on-board PCB antenna *“WB2L Data Sheet”*.
• SPI pads = pins 20-23 + RESET on module back [Elektroda, jitsirakowsk, post #20654654]
• OpenOCD TAPID 0x15968001; adapter speed 100 kHz [Elektroda, p.kaczmarek2, post #20654215]
• Archive contains 50-page guide with exercises [Elektroda, jitsirakowsk, post #20742145]

What does the WB2L BLE demo actually do?

It starts the BLE stack, advertises a custom service, and streams test bytes to any connected host. It shows register setup, GATT definitions, and log output, but performs no real sensor task [Elektroda, jitsirakowsk, post #20653571]

Where can I download the newest code and documentation?

Grab the attachment in post #20742145; it replaces the July archive and folds in extra reverse-engineering notes [Elektroda, jitsirakowsk, post #20742145]

Does the project depend on Tuya or other proprietary libraries?

No. The authors removed Tuya code and call the Beken SDK directly, then document every low-level register touched [Elektroda, jitsirakowsk, post #20653571]

Will BK7231N be supported?

Yes. The team has hardware in hand and already mapped the N-chip BLE registers. Code porting is on their agenda [Elektroda, jitsirakowsk, #20654018; #20742145].

How different is the BLE block on BK7231N?

Register addresses and prototypes change, yet the overall driver layout stays familiar. Expect to rewrite init calls but reuse GATT logic [Elektroda, jitsirakowsk, post #20742145]

Can I debug BK7231T with OpenOCD and a Raspberry Pi?

Yes. Use the bk7321t.cfg snippet from post #20654215, wire SPI pins to Pi GPIO 11/8/10/9 plus GPIO 22 for reset, then start OpenOCD [Elektroda, p.kaczmarek2, post #20654215]

Quick 3-step OpenOCD setup?

Copy the cfg from post #20654215 into bk7321t.cfg.
Connect pins: TCK-11, TMS-8, TDI-10, TDO-9, SRST-22.
Run openocd -f bk7321t.cfg, then connect GDB at :3333. Each step takes under one minute [Elektroda, p.kaczmarek2, post #20654215]

Are SPI pads exposed on WB2L for bootloader recovery?

Datasheet shows pads on module back; author confirmed pins 20-23 plus RESET are reachable as test pads [Elektroda, jitsirakowsk, post #20654654]

How do I restore a wiped bootloader?

Unsolder the module, clip to the SPI pads, and flash an intact image using the guide in topic 3931424 [Elektroda, p.kaczmarek2, post #20654334]

What happens if I overwrite the bootloader?

The MCU stays in reset and no UART appears—common soft-brick edge case. SPI flashing is the sole recovery path [Elektroda, p.kaczmarek2, post #20654334]

Can I build a transparent UART over BLE?

Yes. Beken’s BLE profile API exposes a UART service. The team plans to wrap it after finishing register research [Elektroda, jitsirakowsk, post #20654018] Peak BLE 4.2 payload is 1 Mbps [Bluetooth SIG].

Which tools help reverse-engineer the vendor library?

The authors use Ghidra for ARM9 disassembly, OpenOCD for live memory reads, and custom Python scripts for symbol hunting [Elektroda, jitsirakowsk, post #20742145] "Document details; it helps beginners ask the right questions" they note [Elektroda, jitsirakowsk, post #20654018]

[BK7231T] A simple BLE device project using WB2L. Comments and help welcome.

Didn't find an answer? Ask Artificial Intelligence

Topic summary