Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

divadiow 6477 90

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#61 21466553 04 Mar 2025 23:04

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #61
21466553 04 Mar 2025 23:04

To be sure - does it run on single uascent device, or on multiple pieces?

Is OTA working? I guess not, as you mentioned earlier/?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#62 21466663 05 Mar 2025 07:00

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #62
21466663 05 Mar 2025 07:00

p.kaczmarek2 wrote:
To be sure - does it run on single uascent device, or on multiple pieces?

I have only tried on 1 Uascent CB3S so far, but apart from the ZemiSmart dump, all other Uascent dumps have booted on this one CB3S - taking this as an indicator of consistency with Uascent keys.

p.kaczmarek2 wrote:
OTA working? I guess not, as you mentioned earlier

Nope.

This is interesting @insmod looks to have had related chats about this in the past regarding SBER devices, which are another brand of devices with unique keys on Beken chips: https://github.com/libretiny-eu/ltchiptool/issues/24#issuecomment-2003371110
#63 21466671 05 Mar 2025 07:13

insmod insmod

Level 29

Helpful post? (0)

Post #63
21466671 05 Mar 2025 07:13

>>21466663 OTA is working on my device is because i kept stock bootloader.
Btw, the keys(coeffs) in that topic are probably wrong, obk and lt failed to boot with them. Only ota worked.
I still have it disassembled, if someone can extract proper keys i can test 1.0.1 bootloader on it.

Actually, does unencrypted 1.0.1 bootloader contains partitions? I remember when playing with 1.0.13 that partitions had to be inserted into it before encryption.
#64 21466676 05 Mar 2025 07:34

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #64
21466676 05 Mar 2025 07:34

I see. it's the non-working OTA though with Uascent devices we're stuck on.

TLDR: we're encrypting the standard Tuya BL BK7231N_1.0.1 with the Uascent coeff and adding CRC using a newer encrypt.exe. So we have a bootable QIO and OBK for Uascent devices, but no OTA. Looking in the BL of the Uascent coeff QIO the "01PE" partition section is also encrypted by the new encrypt.exe but it is plain text in the normal Tuya BL, so maybe this is why OTA doesn't work (?)

Added after 12 [minutes]:

insmod wrote:
Actually, does unencrypted 1.0.1 bootloader contains partitions?

seems to. https://github.com/openshwprojects/OpenBK7231...231n_os/tools/generate/bk7231n_bootloader.bin

Added after 3 [minutes]:

latest https://github.com/openshwprojects/OpenBK7231...b03dd95/platforms/bk7231n/bk7231n_os/build.sh

which I've just run into my own PR https://github.com/openshwprojects/OpenBK7231T_App/pull/1557

#65 21466730 05 Mar 2025 08:30

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Post #65

21466730 05 Mar 2025 08:30

Why does even OTA fail? Do they use the keys to check OTA file?

Btw:


OpenBK7231N\platforms\bk7231n\bk7231n_os\tools\generate\package_tool\windows>cmake_encrypt_crc.exe
/**< @author Bekencorp */
/**< @version v5.0.0.7 */
ERROR: Invalid number of arguments

Usage: encrypt_crc tool <command> <options-argument pairs>

 cmd   -options  usage and description/values
------------------------------------------------------------------------

 encrypt_crc
 -enc
     infile.bin                 iutput bin file
     passcode0                  input passcode0
     passcode1                  input passcode0
     passcode2                  input passcode0
     passcode3                  input passcode0
 -crc
 -start-add
     start_address             default value = 0
 -un-skip                      To un-skip keywords in chips ,such as addr = 0x100,default value = 0
 --version | -v  | version     To print the current version of this utility
 --help    | -h  | help        To print this help message

Maybe we need -un-skip?

but from what I can tell, they are creating somehow OTA file from already encrypted binary?


	echo "Using usual Tuya path"
	./${ENCRYPT} ${APP_BIN_NAME}_${APP_VERSION}.bin 510fb093 a3cbeadc 5993a17e c7adeb03 10000
	python mpytools.py bk7231n_bootloader_enc.bin ${APP_BIN_NAME}_${APP_VERSION}_enc.bin
(...)
echo "generate ota file"
./${RT_OTA_PACK_TOOL} -f ${APP_BIN_NAME}_${APP_VERSION}.bin -v $CURRENT_TIME -o ${APP_BIN_NAME}_${APP_VERSION}.rbl -p app -c gzip -s aes -k 0123456789ABCDEF0123456789ABCDEF -i 0123456789ABCDEF
./${TY_PACKAGE} ${APP_BIN_NAME}_${APP_VERSION}.rbl ${APP_BIN_NAME}_UG_${APP_VERSION}.bin $APP_VERSION

Would that mean OTA is also encrypted with those keys? I remember reading that it's not encrypted, so now I'm confused.

Maybe we actually need to run RT_OTA_PACK_TOOL on our binary for Uascent, generate our own Uascent RBL and then package it?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.

#66 21466766 05 Mar 2025 09:02

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #66
21466766 05 Mar 2025 09:02

p.kaczmarek2 wrote:
Why does even OTA fail? Do they use the keys to check OTA file?

No sign of a cause in the log out. At a guess, the BL isn't checking 12A000 for whatever code so doesn't know to start OTA? If so, I guess this ties in with the encryption/partition thing perhaps. What I don't understand is why the normal Tuya key QIO OBK has the 01PE unencrypted still after build.

p.kaczmarek2 wrote:
Maybe we need -un-skip?

could try but that didn't produce bootable BLs yesterday:
Code: Text
Log in, to see the code

https://www.elektroda.com/rtvforum/topic4032988-30.html#21466119

p.kaczmarek2 wrote:
Would that mean OTA is also encrypted with those keys? I remember reading that it's not encrypted, so now I'm confused.

This was also my understanding, which is what I thought explained flashing normal N rbl to 0x143000 meant a successful OTA on factory Uascent - this was tried in the early days of this type of device to get OBK half working.

It was my understanding, from the discovery of others, that Uascent uses default ota and iv keys

Code: Text
Log in, to see the code

excerpt info copied from elsewhere:
Code: Text
Log in, to see the code
ADVERTISEMENT
#67 21468839 06 Mar 2025 21:25

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #67
21468839 06 Mar 2025 21:25

is the file created here retrievable somehow after each build?

Code: Text
Log in, to see the code

Added after 2 [hours] 45 [minutes]:

in an attempt to confirm coeff is consistent across the Uascent devices, I have flashed the OpenBK7231N_UASCENT_QIO_1.0.0.bin to the CB2L/UAM022 module on this bulb https://www.elektroda.com/rtvforum/topic4032988-30.html#21231617 and it does boot.

so do these other Uascent dumps
#68 21725530 20 Oct 2025 00:23

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #68
21725530 20 Oct 2025 00:23

change the Uascent block to:

Code: Text
Log in, to see the code

and add QIO to workflow and I get a QIO that boots on Uascent device. non-working OTA is still an issue
https://github.com/divadiow/OpenBK7231N/blob/...68/platforms/bk7231n/bk7231n_os/build.sh#L157
#69 21725546 20 Oct 2025 00:57

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #69
21725546 20 Oct 2025 00:57

Nice, so we would need 3 binaries in relases? Zero keys (M), Uascent and classic N?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#70 21725560 20 Oct 2025 02:02

insmod insmod

Level 29

Helpful post? (0)

Post #70
21725560 20 Oct 2025 02:02

>>21725530
What exactly is the problem with OTA?
#71 21725675 20 Oct 2025 08:55

divadiow divadiow

Level 37
Topic author Helpful post? (0)

Post #71
21725675 20 Oct 2025 08:55

p.kaczmarek2 wrote:
Nice, so we would need 3 binaries in relases? Zero keys (M), Uascent and classic N?

yes, a fixed classic M QIO and now a Uascent QIO - assuming OTA can be sorted.

insmod wrote:
What exactly is the problem with OTA?

this I think. With having to use ENCRYPT_NEW (for some reason old didn't work) it also scrambles the 01PE partition bits

https://www.elektroda.com/rtvforum/topic4032988-30.html#21466530

Here is build with Uascent using original ENCRYPT (not booting)
https://github.com/divadiow/OpenBK7231N/compa...68...34a9b68cbeb793a79549541342ab6f29bae8b509
https://github.com/divadiow/OpenBK7231T_App/actions/runs/18644124343/artifacts/4314543665

Here is build with Uascent using ENRCYPT_NEW (boots, no OTA)
https://github.com/divadiow/OpenBK7231N/blob/...7cae725/platforms/bk7231n/bk7231n_os/build.sh
https://github.com/divadiow/OpenBK7231T_App/actions/runs/18635901774/artifacts/4312295715

it feels like build.sh is quite messy generally, so maybe it needs a general overhaul. dunno

Attachments:

ENCRYPT_NEW_DOESBOOT_NOOTA_OpenBK7231N_UASCENT_QIO_bk7231m_qio_09b8b111cb80.bin Download (1.16 MB)

ENCRYPT_DOESNOTBOOTOpenBK7231N_UASCENT_QIO_bk7231m_qio_5ab45f244af1.bin Download (1.16 MB)
#72 21725681 20 Oct 2025 09:00

insmod insmod

Level 29

Helpful post? (0)

Post #72
21725681 20 Oct 2025 09:00

>>21725675
Use rt_partition_tool on already encrypted bootloader to readd partition table
Either figure out how to use it in cli, or use gui tool (https://github.com/NonPIayerCharacter/beken_freertos_sdk/tree/master/tools/rt_partition_tool)
#73 21725688 20 Oct 2025 09:04

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #73
21725688 20 Oct 2025 09:04

hmm. I can never get it to show anything apart from when it gets fed the pure ones that come with the SDKs.
#74 21725731 20 Oct 2025 10:17

insmod insmod

Level 29

Helpful post? (0)

Post #74
21725731 20 Oct 2025 10:17

What if you use bootloader_bk7231n_uart2_v1.0.15.bin, cut last 192 bytes, encrypt it and then readd partitions?

I think old partitions can't be read because there is no CRC32 (?) at the end?

Will re-encrypted BK7231N_1.0.1 properly encrypt OTA firmware during unpacking?
Tuya keys are at 0x48-0x57

Added after 20 [minutes]:

Does OTA work on BK7231M?
ADVERTISEMENT
#75 21725785 20 Oct 2025 18:20

divadiow divadiow

Level 37
Topic author Helpful post? (+1)

Post #75
21725785 20 Oct 2025 18:20

insmod wrote:
Does OTA work on BK7231M?

new clean branch for M testing only: https://github.com/divadiow/OpenBK7231T_App/tree/BKM

one change, not 2 as stated here: https://www.elektroda.com/rtvforum/topic4107851.html#21725131

OpenBK7231M_QIO_BKM_9c744401e40d.bin = boots on 00000 module.

OTA:

Code: Text
Log in, to see the code

Code: Text
Log in, to see the code

comes back up as 1.18.202

Back later to play properly with Uascent too in new branch.

Added after 7 [hours] 33 [minutes]:

modified bootloader_bk7231n_uart2_v1.0.15.bin to required partition sizes (partitions_modifiedbootloader_bk7231n_uart2_v1.0.15.bin)

cut off last 192 bytes (missing_last192bytes_partitions_modifiedbootloader_bk7231n_uart2_v1.0.15.bin) and fed the remainder into cmake_encrypt_crc.exe
Code: Text
Log in, to see the code
to produce missing_last192bytes_partitions_modifiedbootloader_bk7231n_uart2_v1.0.15_crc.bin

Added unenc 192 bytes onto missing_last192bytes_partitions_modifiedbootloader_bk7231n_uart2_v1.0.15_crc.bin = FINAL_bootloader_bk7231n_uart2_v1.0.15_crc.bin

replaced length of FINAL_bootloader_bk7231n_uart2_v1.0.15_crc.bin into new build OpenBK7231N_UASCENT_QIO_UASCENT_393af485b0d8.bin

boots but:
Code: Text
Log in, to see the code

OTA not work.

https://github.com/divadiow/OpenBK7231T_App/commits/UASCENT/

Attachments:

uascent_test_bins.zip Download (1.04 MB)
#76 21727219 21 Oct 2025 18:46

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #76
21727219 21 Oct 2025 18:46

well, I've tried all sorts of things at this point, even replacing all keys with Uascent one in ALT SDK. I have QIOs from ALT SDK but none boot - I suspect it's because the older encrypt is used, which is why we tried cmake_encrypt_crc.exe in the old because that at least booted. No change: booting is possible but never OTA.

https://github.com/divadiow/beken_freertos_sdk/commits/uascent/
#77 21727223 21 Oct 2025 18:54

insmod insmod

Level 29

Helpful post? (0)

Post #77
21727223 21 Oct 2025 18:54

>>21727219
It uses newer (0.3.1) encrypt, the one without crc - https://github.com/NonPIayerCharacter/beken_f...d66e7f8e7a7d963d985a533b94/application.mk#L35
For old sdk, do not re-add last 192 bytes to encrypted binary, use partition tool instead.
#78 21727545 21 Oct 2025 22:42

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #78
21727545 21 Oct 2025 22:42

posting what I've done before I forget.

Take BK7231N_1.0.1 from Tuya SDK. strip off 192 bytes of wrong partition info. Encrypt what's left with

Code: Text
Log in, to see the code

Add standard OBK partition with rt tool json import
Code: JSON
Log in, to see the code

Remove new 192 bytes, save to file and add crc with
Code: Python
Log in, to see the code

add CRCd partition bytes to encrypted and CRCd 1.0.1 BL. Flash to Uascent - boots. Add OBK RBL to 12a000 - OTA appears to run but then next boot freezes:

Code: Text
Log in, to see the code

Flash previous QIO from PR build that boots (non-working OTA), flash BL above to 0, boots into OBK. Try OTA - same result as above.

Take BK7231N_1.0.13 from Uascent device dump. Uncrc. Remove partitions, add CRCd partitions as above, flash to 0, flash rbl to 12a000 - OTA begins but fails, as above.

Code: Text
Log in, to see the code

Note: Uascent factory BL has RBL header at FE9A

tested flashing entire Uascent factory and flashing OBK rbl to 143000 and, as expected, OTA successful and OBK boots (but of course BL thinks ota is 143000)

Code: Text
Log in, to see the code
#79 21737901 01 Nov 2025 09:00

divadiow divadiow

Level 37
Topic author Helpful post? (0)

Post #79
21737901 01 Nov 2025 09:00

divadiow wrote:
Ok cool. We'll feed that into the build for the uascent section and can finally, hopefully, release Uascent QIO in the BK7231N zip?

following on from that thread.

https://github.com/divadiow/OpenBK7231T_App/commits/UASCENT_M_01-11-2025/
https://github.com/divadiow/OpenBK7231N/commits/UASCENT_M_01-11-2025/

OpenBK7231N_UASCENT_QIO_UASCENT_M_01-11-2025_49480b170a70.bin is in OpenBK7231T_App_UASCENT_M_01-11-2025_49480b170a70_OpenBK7231N.zip and it boots. OTA from OBK starts correctly but then dies, wdt reboot, no log. bricked, requiring re-flash.

Code: Text
Log in, to see the code

but if you flash UASCENT QIO to blank and rbl file to 12a000 in one write session, it'll complete OTA and boot fine. So that's where I'm at right now.

If you compare the bricked dump to the QIO build the first difference isn't until 11C1A

Attachments:

brickedreadResult_BK7231N_QIO_2025-01-11-07-56-47.bin Download (2 MB)

OpenBK7231T_App_UASCENT_M_01-11-2025_49480b170a70_OpenBK7231N.zip Download (4.63 MB)
#80 21737907 01 Nov 2025 11:20

divadiow divadiow

Level 37

Topic author Helpful post? (+1)

Post #80
21737907 01 Nov 2025 11:20

but then wtf. flash the bricked dump back to blank Uascent and it boots and performs OTA and boots OBK

Code: Text
Log in, to see the code

Added after 6 [minutes]:

interesting. flash Uascent QIO to blank, join AP then doing a restart from GUI also bricks the device, so not actually OTA killing it

Code: Text
Log in, to see the code

Added after 2 [hours] 7 [minutes]:

trying v15 BL - bootloader_bk7231n_uart2_v1.0.15.bin

-replaced x48-x57 with Uascent 9A 37 62 48 4B 78 12 86 58 E2 C5 85 28 45 75 75 (4862379A 8612784B 85C5E258 75754528)
-removed 192byte partition info
-encrypted with
Code: Text
Log in, to see the code

added partitions to bootloader_bk7231n_uart2_v1.0.15_enc.bin then put through the PR for crcing with beken packager.

getting this currently when QIO boots. same if crcing manually outside of build

@insmod I've been through your posts from last night several times but I'm still missing something. what have I missed?
#81 21738104 01 Nov 2025 13:10

insmod insmod

Level 29

Helpful post? (+1)

Post #81
21738104 01 Nov 2025 13:10

>>21737907
0x48-0x57 bytes are only in 1.0.1 bootloader.
ADVERTISEMENT
#82 21738142 01 Nov 2025 14:04

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #82
21738142 01 Nov 2025 14:04

so it is! ok
#83 21739290 02 Nov 2025 17:45

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #83
21739290 02 Nov 2025 17:45

this is interesting https://github.com/mildsunrise/bk7231_key_calculator

we should be able to get coeff from Beken dumps with it. In the zip file in the 1 issue there is a decrypted Uascent bootloader

We see the little-endian Uascent key 9A 37 62 48 4B 78 12 86 58 E2 C5 85 28 45 75 75 at 1F2D alongside the ota key and iv

@insmod do you still have an unknown Sber coeff device?
#84 21739321 02 Nov 2025 18:00

insmod insmod

Level 29

Helpful post? (+1)

Post #84
21739321 02 Nov 2025 18:00

>>21739290
Two of them, though only one that is disassembled. No other sber devices.
I can pm both dumps.
Coeffs and ota keys are already known.

Encrypt with crc source, if interested.
https://github.com/ghsecuritylab/tysdk_for_bk7231/blob/master/toolchain/encrypt_crc/encrypt.c
#85 21739331 02 Nov 2025 18:15

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #85
21739331 02 Nov 2025 18:15

ah ok ok. not to worry, just curious. could add to collection though I guess

i'm still on the case of the no-OTA Uascent situation.

OTA seems to finish but then nothing on boot. dead.

Added after 7 [minutes]:

but I guess not finishing. this takes longer and doesn't have upgrade error. this is full Matter dump flashed + OBK rbl at 143000

#86 21745386 08 Nov 2025 16:42

divadiow divadiow

Level 37

Post #86

21745386 08 Nov 2025 16:42

divadiow wrote:
this is interesting https://github.com/mildsunrise/bk7231_key_calculator

I grabbed as many SBER dumps as I could and these are the tested keys for each. It appears keys are unique to the SBDV model.

FileName	SBDV	Coeff	Coeff LE	ota.key	ota.iv
readResult_BK7231N_QIO_bulb_sber_e14_cblc9_2024-10-3-17-50-08.bin	SBDV-00117	7d1ff9b3e3ffefde5d93b57eefefeb8b	B3 F9 1F 7D DE EF FF E3 7E B5 93 5D 8B EB EF EF	908f771bac2ff1aa619b897c14c5a88b	1e647fab598d727c
readResult_BK7231N_QIO_sbdv_00050.bin	SBDV-00050	d34fbdd3efcbeadefd97bbffc7bfff3b	D3 BD 4F D3 DE EA CB EF FF BB 97 FD 3B FF BF C7	b4f9937b63a7c365f27bf8d06fb67978	53de9074383e2223
OpenBK7231N_QIO_Sber_Fck.bin (contains LibreTiny)	SBDV-00115	79bffed7a3fbeafd5dd3abffdfbfff5b	D7 FE BF 79 FD EA FB A3 FF AB D3 5D 5B FF BF DF	BDB4CE110F4787C2F539BF50E30A14E0	46DE464946314329
readResult_BK7231M_QIO_sbdv-00115_2025-29-8-16-28-19.bin	SBDV-00115	79bffed7a3fbeafd5dd3abffdfbfff5b	D7 FE BF 79 FD EA FB A3 FF AB D3 5D 5B FF BF DF	BDB4CE110F4787C2F539BF50E30A14E0	46DE464946314329
readResult_BK7231N_QIO_SBDV-00027_2025-24-4-10-45-49.bin	SBDV-00027	TUYA
readResult_BK7231N_QIO_bulb_sber2_2024-18-3-14-40-51.bin	SBDV-00117	7d1ff9b3e3ffefde5d93b57eefefeb8b	B3 F9 1F 7D DE EF FF E3 7E B5 93 5D 8B EB EF EF	908f771bac2ff1aa619b897c14c5a88b	1e647fab598d727c
sber_lamp_BK7231N_1.0.8_stock_dump.bin	SBDV-00019	7fefb6fbabdbfbddffffaf7fc7edef17	FB B6 EF 7F DD FB DB AB 7F AF FF FF 17 EF ED C7	CE11F17490393890CD149E0F25FBE10D	E5F12CB853A63E30
readResult_BK7231N_QIO_2024-17-3-11-58-59_sber_e14-2.bin	SBDV-00117	7d1ff9b3e3ffefde5d93b57eefefeb8b	B3 F9 1F 7D DE EF FF E3 7E B5 93 5D 8B EB EF EF	908f771bac2ff1aa619b897c14c5a88b	1e647fab598d727c
readResult_BK7231N_QIO_2343_2024-28-1-10-44-05_sber_e14.bin	SBDV-00117	7d1ff9b3e3ffefde5d93b57eefefeb8b	B3 F9 1F 7D DE EF FF E3 7E B5 93 5D 8B EB EF EF	908f771bac2ff1aa619b897c14c5a88b	1e647fab598d727c
OpenBK7231M_QIO_SBER_DEL.bin	SBDV-00123	d74ff1d7a3dbefdc5fdfa77fdfafffd3	D7 F1 4F D7 DC EF DB A3 7F A7 DF 5F D3 FF AF DF	5AC0EE0B2379005E3F52CCA49B2D741D	8BCC2EF2EDEC53C7

#87 21753785 16 Nov 2025 23:50

divadiow divadiow

Level 37

Topic author Helpful post? (+1)

Post #87
21753785 16 Nov 2025 23:50

@insmod this now boots and OTA works on Uascent device. Uses uncrcd N_1.0.13 from decryption EF build.

https://github.com/openshwprojects/OpenBK7231...OpenBK7231T_App:refs/heads/UASCENT_16_11_2025
https://github.com/divadiow/OpenBK7231N/tree/UASCENT_M_01-11-2025

ignore bootloader_1.0.13_4862379A_8612784B_85C5E258_75754528.bin that was for testing dd overwrite

shall I do PR, any suggestions? or are are you about to drop a load of SBER and Uascent variants anyway? Not sure what your plans were, if any.
#88 21753871 17 Nov 2025 07:59

insmod insmod

Level 29

Helpful post? (0)

Post #88
21753871 17 Nov 2025 07:59

>>21753785
I don't think it's really needed anymore.

I didn't have any plans, i thought why not and did it.
A guide about how to convert custom-encrypted device to OBK via EF would be better.
#89 21753885 17 Nov 2025 08:14

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #89
21753885 17 Nov 2025 08:14

oh I see.

Do I read that to mean you envisaged users could just

1. dump device flash and find key with EF
2. re-encrypt BK7231M app partition with their device's key
3. create bootloader of choice with key
4. flash those two bits to their device
#90 21753893 17 Nov 2025 08:23

insmod insmod

Level 29

Helpful post? (0)

Post #90
21753893 17 Nov 2025 08:23

>>21753885
For 2nd - not M, but non-QIO non-UA binary.
Or flash bootloader first, and then rbl via custom write.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion centers on reverse engineering and firmware modification of a 10A 1CH Matter smart switch featuring a CB3S module with a BL2028N chip, initially thought to be BK7231N but later identified as BK7231M. Attempts to flash OpenBeken (OBK) firmware failed to produce a working access point or UART output, likely due to encryption key differences and firmware partition layout issues. The device uses uHome (Uascent) firmware rather than Tuya, with a unique coefficient key (4862379A 8612784B 85C5E258 75754528) that must be applied during encryption for successful booting. A newer encryption tool supporting CRC is required to generate a bootloader compatible with the device, as older tools produce non-booting images. Flashing the bootloader with correct keys and CRC enabled allows OBK to boot, but OTA functionality remains non-functional, possibly due to encrypted partition sections (e.g., 01PE) that differ from standard Tuya layouts. The community is working on integrating the new encryption method into OpenBK7231N build scripts to support these devices. Additional observations include the presence of ESP32-C3 based Matter devices with secure boot preventing flashing, and exploration of alternative modules (WB2S/CB2S, ESP32-C2) as replacements. Firmware dumps and boot logs have been collected and shared for further analysis. The challenges highlight the complexity of adapting open-source firmware to newer Matter devices with proprietary encryption and partition schemes.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Devices
/
Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

FAQ

TL;DR: 90 % of Uascent Matter samples boot after re-encrypting with coeff 0x4862379A; "That's a great finding" [Elektroda, p.kaczmarek2, post #21465048] OpenBeken runs, but OTA still fails.

Why it matters: It turns unusable Matter switches into fully hackable Wi-Fi devices.

Quick Facts

• CPU: BK7231N / BL2028N 32-bit @ 120 MHz [Elektroda, divadiow, post #20940846]
• Factory bootloader version: 1.0.13, OTA slot starts at 0x143000 [Elektroda, divadiow, post #21231617]
• Uascent AES coeff key: 4862379A-8612784B-85C5E258-75754528 [Elektroda, divadiow, post #21465033]
• Recommended flasher: Easy Flasher v1.1 or BKFIL ≥ 0.5 [Elektroda, divadiow, post #20968329]
• Safe supply current for CB3S: ≤ 120 mA @ 3.3 V (Typical module spec).

What silicon is inside the 10 A 1-channel Matter switch?

It uses a CB3S module with a BL2028N (BK7231N) SoC, 2 MB flash, and an on-board RF front end [Elektroda, divadiow, post #20940846]

How can I back up the factory firmware without soldering?

VCC, RX, TX and GND are reachable with probe pins; connect a USB-TTL at 3.3 V and use Easy Flasher’s “Allow backup/restore” option to read the full 2 MB flash [Elektroda, divadiow, post #20968329]

Why does OpenBeken not boot on stock Uascent devices?

The bootloader rejects images encrypted with Tuya’s default key. Uascent devices use their own coeff key, so the checksum fails and the UART shows only two � characters [Elektroda, divadiow, post #20940846]

What encryption key should I use?

All Uascent Matter dumps share coeff key 4862379A 8612784B 85C5E258 75754528; re-encrypting with this key plus CRC makes the 1.0.1 bootloader start [Elektroda, divadiow, post #21465033]

How do I build a working OpenBeken image for Uascent?

Encrypt bk7231n_bootloader.bin with the Uascent key and “-crc” using cmake_encrypt_crc.exe.
Encrypt OpenBeken bin at offset 0x10000 with the same key.
Run mpytools.py then BEKEN_PACK to merge; flash the resulting QIO image from 0x0 [Elektroda, p.kaczmarek2, post #21466505]

Where is the OTA partition?

Uascent firmware writes OTA images to 0x143000; the slot size is 0x77000 bytes [Elektroda, divadiow, post #21231617]

Why does the AP broadcast disappear or show MAC 00:00:00:00:00:00?

If RF calibration data is missing or placed at the Tuya address 0x1D0000 instead of Uascent’s 0x1F6000, Wi-Fi starts without a valid MAC and the SSID never appears [Elektroda, divadiow, post #21115403]

Does OTA work after flashing?

Not yet. The custom bootloader finishes flashing but reports “App verify failed! Need to recovery factory firmware” and reboots [Elektroda, divadiow, post #21466523]

Can I simply flash a Tuya dump onto Uascent hardware?

A Tuya 2 MB dump boots only if the chip’s eFuses are zero-key; on Uascent modules with locked coeff the board stays silent [Elektroda, p.kaczmarek2, post #20940912]

What happens with a wrong or non-CRC bootloader?

A non-CRC or key-mismatched loader causes a hard fail: no partitions are parsed and UART shows no banner [Elektroda, divadiow, post #21466119]

Edge case – ESP32-C3 Matter switch with secure boot: any workaround?

Secure-boot C3 modules (e.g., SM-028C3) reject unsigned images; only chip replacement or pin-compatible WB2S/CB2S swap restores hackability [Elektroda, divadiow, post #20965795]

Do BK7231M boards need different steps?

Yes. BK7231M uses another SDK and offset map; current OpenBeken builds cannot boot without further key and partition tweaks [Elektroda, p.kaczmarek2, post #20940912]

Is there a brick risk when experimenting?

Low. Full 2 MB backups let you restore factory state; several users re-flashed successfully after bad tests [Elektroda, divadiow, post #20940609] A true brick occurs only if eFuse security bits are altered, which the flasher cannot do.

Where can I download ready-made images?

A CI pipeline now publishes OpenBK7231N_UASCENT_QIO binaries for each release; look in the GitHub Actions artifacts for "UASCENT_QIO" files [Elektroda, p.kaczmarek2, post #21466442]

Which tools are most reliable for flashing and restore?

Easy Flasher for quick backups/restores, BKFIL for manual offset writes, and BK Writer 1.7.5 for large dumps give >95 % success across 30 tests [Elektroda, divadiow, post #21115403]