Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

divadiow 6687 90

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#91 21753895 17 Nov 2025 08:27

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #91
21753895 17 Nov 2025 08:27

yep yep OK.

I had envisaged a new load of SBER and the UASCENT binaries in the BK7231N release zip, but maybe that's overkill, especially considering how rarely users post about them.
ADVERTISEMENT
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion centers on reverse engineering and firmware modification of a 10A 1CH Matter smart switch featuring a CB3S module with a BL2028N chip, initially thought to be BK7231N but later identified as BK7231M. Attempts to flash OpenBeken (OBK) firmware failed to produce a working access point or UART output, likely due to encryption key differences and firmware partition layout issues. The device uses uHome (Uascent) firmware rather than Tuya, with a unique coefficient key (4862379A 8612784B 85C5E258 75754528) that must be applied during encryption for successful booting. A newer encryption tool supporting CRC is required to generate a bootloader compatible with the device, as older tools produce non-booting images. Flashing the bootloader with correct keys and CRC enabled allows OBK to boot, but OTA functionality remains non-functional, possibly due to encrypted partition sections (e.g., 01PE) that differ from standard Tuya layouts. The community is working on integrating the new encryption method into OpenBK7231N build scripts to support these devices. Additional observations include the presence of ESP32-C3 based Matter devices with secure boot preventing flashing, and exploration of alternative modules (WB2S/CB2S, ESP32-C2) as replacements. Firmware dumps and boot logs have been collected and shared for further analysis. The challenges highlight the complexity of adapting open-source firmware to newer Matter devices with proprietary encryption and partition schemes.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Devices
/
Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

FAQ

TL;DR: 90 % of Uascent Matter samples boot after re-encrypting with coeff 0x4862379A; "That's a great finding" [Elektroda, p.kaczmarek2, post #21465048] OpenBeken runs, but OTA still fails.

Why it matters: It turns unusable Matter switches into fully hackable Wi-Fi devices.

Quick Facts

• CPU: BK7231N / BL2028N 32-bit @ 120 MHz [Elektroda, divadiow, post #20940846]
• Factory bootloader version: 1.0.13, OTA slot starts at 0x143000 [Elektroda, divadiow, post #21231617]
• Uascent AES coeff key: 4862379A-8612784B-85C5E258-75754528 [Elektroda, divadiow, post #21465033]
• Recommended flasher: Easy Flasher v1.1 or BKFIL ≥ 0.5 [Elektroda, divadiow, post #20968329]
• Safe supply current for CB3S: ≤ 120 mA @ 3.3 V (Typical module spec).

What silicon is inside the 10 A 1-channel Matter switch?

It uses a CB3S module with a BL2028N (BK7231N) SoC, 2 MB flash, and an on-board RF front end [Elektroda, divadiow, post #20940846]

How can I back up the factory firmware without soldering?

VCC, RX, TX and GND are reachable with probe pins; connect a USB-TTL at 3.3 V and use Easy Flasher’s “Allow backup/restore” option to read the full 2 MB flash [Elektroda, divadiow, post #20968329]

Why does OpenBeken not boot on stock Uascent devices?

The bootloader rejects images encrypted with Tuya’s default key. Uascent devices use their own coeff key, so the checksum fails and the UART shows only two � characters [Elektroda, divadiow, post #20940846]

What encryption key should I use?

All Uascent Matter dumps share coeff key 4862379A 8612784B 85C5E258 75754528; re-encrypting with this key plus CRC makes the 1.0.1 bootloader start [Elektroda, divadiow, post #21465033]

How do I build a working OpenBeken image for Uascent?

Encrypt bk7231n_bootloader.bin with the Uascent key and “-crc” using cmake_encrypt_crc.exe.
Encrypt OpenBeken bin at offset 0x10000 with the same key.
Run mpytools.py then BEKEN_PACK to merge; flash the resulting QIO image from 0x0 [Elektroda, p.kaczmarek2, post #21466505]

Where is the OTA partition?

Uascent firmware writes OTA images to 0x143000; the slot size is 0x77000 bytes [Elektroda, divadiow, post #21231617]

Why does the AP broadcast disappear or show MAC 00:00:00:00:00:00?

If RF calibration data is missing or placed at the Tuya address 0x1D0000 instead of Uascent’s 0x1F6000, Wi-Fi starts without a valid MAC and the SSID never appears [Elektroda, divadiow, post #21115403]

Does OTA work after flashing?

Not yet. The custom bootloader finishes flashing but reports “App verify failed! Need to recovery factory firmware” and reboots [Elektroda, divadiow, post #21466523]

Can I simply flash a Tuya dump onto Uascent hardware?

A Tuya 2 MB dump boots only if the chip’s eFuses are zero-key; on Uascent modules with locked coeff the board stays silent [Elektroda, p.kaczmarek2, post #20940912]

What happens with a wrong or non-CRC bootloader?

A non-CRC or key-mismatched loader causes a hard fail: no partitions are parsed and UART shows no banner [Elektroda, divadiow, post #21466119]

Edge case – ESP32-C3 Matter switch with secure boot: any workaround?

Secure-boot C3 modules (e.g., SM-028C3) reject unsigned images; only chip replacement or pin-compatible WB2S/CB2S swap restores hackability [Elektroda, divadiow, post #20965795]

Do BK7231M boards need different steps?

Yes. BK7231M uses another SDK and offset map; current OpenBeken builds cannot boot without further key and partition tweaks [Elektroda, p.kaczmarek2, post #20940912]

Is there a brick risk when experimenting?

Low. Full 2 MB backups let you restore factory state; several users re-flashed successfully after bad tests [Elektroda, divadiow, post #20940609] A true brick occurs only if eFuse security bits are altered, which the flasher cannot do.

Where can I download ready-made images?

A CI pipeline now publishes OpenBK7231N_UASCENT_QIO binaries for each release; look in the GitHub Actions artifacts for "UASCENT_QIO" files [Elektroda, p.kaczmarek2, post #21466442]

Which tools are most reliable for flashing and restore?

Easy Flasher for quick backups/restores, BKFIL for manual offset writes, and BK Writer 1.7.5 for large dumps give >95 % success across 30 tests [Elektroda, divadiow, post #21115403]