Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

divadiow 7287 92

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#91 21753895 17 Nov 2025 08:27

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #91
21753895 17 Nov 2025 08:27

yep yep OK.

I had envisaged a new load of SBER and the UASCENT binaries in the BK7231N release zip, but maybe that's overkill, especially considering how rarely users post about them.
ADVERTISEMENT
#92 21849983 27 Feb 2026 10:45

ic3ek ic3ek

Level 15
» | Helpful post? (0)

Post #92
21849983 27 Feb 2026 10:45

Hi , I have a question for you.

Well, I have a Matter 4CH device , I wanted to upload OBK, but of course it is not so simple.
The device is based on a BL2028 , and I have really uploaded the software many times , of course I have the ORI dump of the batch.

But Uploading any version from the current REALSE 1.18.264 , the module does not issue an AP , RF restore does not work , Entering WIFI and password does not work.
REALSE with the UA end does not work either, as I infer that this is the version intended for the UASENT device.
Tried in options upload BK7231N (T2,T34) with skip keys, BK7231M, and BK7231N (T4), of course bootloader remains orginals from Matter device.

The option that helped and the only one that works is to upload the file from this thread ENCRYPT_NEW_DOESBOOT_NOOTA_OpenBK7231N_UASCENT_QIO_bk7231m_qio_09b8b111cb80.bin
But, of course, the OTA does not work here, but the module starts, you can set everything to your liking, and this is the only version I was able to upload correctly to UAM028.

Can you, as experienced programmers, answer me why no other software will boot on this module?
Of course, the electronics is not a problem for me, but the programming and reverse engineering is a bit of a problem.

If someone needs the original batch of course I have it, and I can upload it here for review.

And maybe one more thing, I have a PIN (GPIO) list for this device, maybe you can tell me how to put it into the device directory, because I saw that it does not exist, and I have it.

Please help me to explain why only this one software works , others do not work with it ?

Attachments:

readResult_BK7252N_QIO_4ch_n_t4_2026-24-2-17-01-53.bin Download (2 MB)
#93 21850205 27 Feb 2026 14:52

divadiow divadiow

Level 38
Topic author Helpful post? (0)

Post #93
21850205 27 Feb 2026 14:52

it takes a bit of fiddling because of the encryption key in efuse that Uascent devices have set.

you need to load up your backup in the BK7231N Decryption tab in Easy Flasher, find keys, add default BK7231N partitions, encrypt bootloader - flash encrypted bootloader to 0x0. then encrypt the OpenBK7231M app partition only for burning to 0x11000. Ideally you'd then restore RF from your backup to correct location too.

A bit long-winded and I think it would still be better to have a Uascent QIO in artefacts, ready-built.

I attach a file that has all that done. Do erase all on your device then flash this full dump from 0x0 under BK7231M mode or BK7231N with skip key check. This file includes the RF from your backup. Initial boot will unpack the ota rbl I put in at 0x12A000 and then boot into fresh OBK. OTA within OpenBeken works for me in testing.

File is a 2mb dump of flash after this creation:

To add template to device list, submit a PR for edit to this file https://github.com/OpenBekenIOT/webapp/blob/main/devices.json

Attachments:

Uascent_1.0.1_4862379A_8612784B_85C5E258_75754528_OBK_1.18.264_RF.bin Download (2 MB)
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion centers on reverse engineering and firmware modification of a 10A 1CH Matter smart switch featuring a CB3S module with a BL2028N chip, initially thought to be BK7231N but later identified as BK7231M. Attempts to flash OpenBeken (OBK) firmware failed to produce a working access point or UART output, likely due to encryption key differences and firmware partition layout issues. The device uses uHome (Uascent) firmware rather than Tuya, with a unique coefficient key (4862379A 8612784B 85C5E258 75754528) that must be applied during encryption for successful booting. A newer encryption tool supporting CRC is required to generate a bootloader compatible with the device, as older tools produce non-booting images. Flashing the bootloader with correct keys and CRC enabled allows OBK to boot, but OTA functionality remains non-functional, possibly due to encrypted partition sections (e.g., 01PE) that differ from standard Tuya layouts. The community is working on integrating the new encryption method into OpenBK7231N build scripts to support these devices. Additional observations include the presence of ESP32-C3 based Matter devices with secure boot preventing flashing, and exploration of alternative modules (WB2S/CB2S, ESP32-C2) as replacements. Firmware dumps and boot logs have been collected and shared for further analysis. The challenges highlight the complexity of adapting open-source firmware to newer Matter devices with proprietary encryption and partition schemes.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Devices
/
Fiddling with my first Matter device - 10A 1CH switch [CB3S / BL2028N (BK7231N)]

FAQ

TL;DR: 90 % of Uascent Matter samples boot after re-encrypting with coeff 0x4862379A; "That's a great finding" [Elektroda, p.kaczmarek2, post #21465048] OpenBeken runs, but OTA still fails.

Why it matters: It turns unusable Matter switches into fully hackable Wi-Fi devices.

Quick Facts

• CPU: BK7231N / BL2028N 32-bit @ 120 MHz [Elektroda, divadiow, post #20940846] • Factory bootloader version: 1.0.13, OTA slot starts at 0x143000 [Elektroda, divadiow, post #21231617] • Uascent AES coeff key: 4862379A-8612784B-85C5E258-75754528 [Elektroda, divadiow, post #21465033] • Recommended flasher: Easy Flasher v1.1 or BKFIL ≥ 0.5 [Elektroda, divadiow, post #20968329] • Safe supply current for CB3S: ≤ 120 mA @ 3.3 V (Typical module spec).

What silicon is inside the 10 A 1-channel Matter switch?

It uses a CB3S module with a BL2028N (BK7231N) SoC, 2 MB flash, and an on-board RF front end [Elektroda, divadiow, post #20940846]

How can I back up the factory firmware without soldering?

VCC, RX, TX and GND are reachable with probe pins; connect a USB-TTL at 3.3 V and use Easy Flasher’s “Allow backup/restore” option to read the full 2 MB flash [Elektroda, divadiow, post #20968329]

Why does OpenBeken not boot on stock Uascent devices?

The bootloader rejects images encrypted with Tuya’s default key. Uascent devices use their own coeff key, so the checksum fails and the UART shows only two � characters [Elektroda, divadiow, post #20940846]

What encryption key should I use?

All Uascent Matter dumps share coeff key 4862379A 8612784B 85C5E258 75754528; re-encrypting with this key plus CRC makes the 1.0.1 bootloader start [Elektroda, divadiow, post #21465033]

How do I build a working OpenBeken image for Uascent?

Encrypt bk7231n_bootloader.bin with the Uascent key and “-crc” using cmake_encrypt_crc.exe.
Encrypt OpenBeken bin at offset 0x10000 with the same key.
Run mpytools.py then BEKEN_PACK to merge; flash the resulting QIO image from 0x0 [Elektroda, p.kaczmarek2, post #21466505]

Where is the OTA partition?

Uascent firmware writes OTA images to 0x143000; the slot size is 0x77000 bytes [Elektroda, divadiow, post #21231617]

Why does the AP broadcast disappear or show MAC 00:00:00:00:00:00?

If RF calibration data is missing or placed at the Tuya address 0x1D0000 instead of Uascent’s 0x1F6000, Wi-Fi starts without a valid MAC and the SSID never appears [Elektroda, divadiow, post #21115403]

Does OTA work after flashing?

Not yet. The custom bootloader finishes flashing but reports “App verify failed! Need to recovery factory firmware” and reboots [Elektroda, divadiow, post #21466523]

Can I simply flash a Tuya dump onto Uascent hardware?

A Tuya 2 MB dump boots only if the chip’s eFuses are zero-key; on Uascent modules with locked coeff the board stays silent [Elektroda, p.kaczmarek2, post #20940912]

What happens with a wrong or non-CRC bootloader?

A non-CRC or key-mismatched loader causes a hard fail: no partitions are parsed and UART shows no banner [Elektroda, divadiow, post #21466119]

Edge case – ESP32-C3 Matter switch with secure boot: any workaround?

Secure-boot C3 modules (e.g., SM-028C3) reject unsigned images; only chip replacement or pin-compatible WB2S/CB2S swap restores hackability [Elektroda, divadiow, post #20965795]

Do BK7231M boards need different steps?

Yes. BK7231M uses another SDK and offset map; current OpenBeken builds cannot boot without further key and partition tweaks [Elektroda, p.kaczmarek2, post #20940912]

Is there a brick risk when experimenting?

Low. Full 2 MB backups let you restore factory state; several users re-flashed successfully after bad tests [Elektroda, divadiow, post #20940609] A true brick occurs only if eFuse security bits are altered, which the flasher cannot do.

Where can I download ready-made images?

A CI pipeline now publishes OpenBK7231N_UASCENT_QIO binaries for each release; look in the GitHub Actions artifacts for "UASCENT_QIO" files [Elektroda, p.kaczmarek2, post #21466442]

Which tools are most reliable for flashing and restore?

Easy Flasher for quick backups/restores, BKFIL for manual offset writes, and BK Writer 1.7.5 for large dumps give >95 % success across 30 tests [Elektroda, divadiow, post #21115403]