logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Reverse engineering of the unusual protocol of the Tuya FS-05R dimmer based on UART

p.kaczmarek2 7011 36
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
Report a violation of the law
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
  • Light bulb in a socket on a wooden table
    Today it`s fun again reverse engineering . The Tuya FS-05R dimmer was sent to me by a reader asking me to decipher the UART protocol of communication between the WiFi module and the microcontroller responsible for dimming. Contrary to appearances, this is not a typical dimmer based on TuyaMCU , just like EDM-01AA-EU , the protocol in this product is non-standard. Here I will describe how I intercepted and decrypted this communication. The topic will also include a presentation of subsequent scripting of the operation of this dimmer OBK so that it can work with Home Assistant.


    FS-05R dimmer
    This dimmer first appeared in the topic on our English-language website . He managed to read the dunk with our flasher , which allowed us to preview Tuya`s JSON:
    Code: JSON
    Log in, to see the code

    This JSON usually contains either the baud setting for TuyaMCU or the GPIO roles. Here it is unusual, because we have this and that here. We have baud rate:
    Code: JSON
    Log in, to see the code

    and we also have GPIO roles:
    Code: JSON
    Log in, to see the code

    This is unusual, because in the case of TuyaMCU the MCU itself controls everything, the buttons and LEDs too, so usually the WiFi module does not use the GPIO at all.
    Short tests on that topic showed that this is not a TuyaMCU product and the baud rate refers to something else.
    The work got stuck, so the reader sent me the equipment so I could examine it myself:
    Side of the Tuya FS-05R dimmer packaging with feature markings. MiNi Smart Switch box on a wooden table
    Mini dimmer module FS-05R with packaging and instructions on a wooden table.
    Instruction:
    MNINI FS-05R dimming switch module manual Instruction manual for the Tuya FS-05R dimmer Tuya app operation instructions shown on an unfolded leaflet, depicting various device control screens. User manual for smart modules with Bluetooth and Zigbee functions.
    Thank you for sending me the equipment! Time for analysis.

    Interior of the FS-05R
    The first thing that catches your eye after looking inside is: invalid CB2S description layer : :
    Close-up of a blue PCB with a green screw terminal block and visible silkscreen showing pins.
    Location of 3.3V (VDD) and GND is incorrect .
    I`ve checked it many times, and it`s not the first time I`ve come across a poorly described CB2S, and I know that the correct schedule is available on the Tuya website:
    Pin layout diagram with dimensions for an electronic module.
    Plus - here`s the interior:
    Interior of the Tuya FS-05R dimmer showing electronic components on the PCB.
    Here we have a non-isolated step down converter which, interestingly, directly powers the microcontroller itself. There is no additional LDO AMS1117-3.3V here, as is usually the case.
    Additionally, you can see that the CB2S WiFi module is connected to the element in the SOIC8 housing via RX and TX lines.
    Now the view from above:
    Close-up of Slkor BTA16-800B triac and green terminal block PCB with electronic components including capacitors and a green screw terminal block. Close-up of a circuit with a BTA16-800B triac and capacitors on a PCB
    Dimming is performed on the BTA16-800B triac, which is controlled by 3022 F462H.


    Interception of FS-05R communication
    I decided on a method based on the Sigrok analyzer, similarly to the one above this topic .
    Normally there would be a problem here, because you cannot connect the analyzer to a system powered from the mains, you would have to use special opto-isolation systems/modules, but I powered the whole thing from 3.3V and the arrangement started anyway:
    Interior of an electronic circuit with voltage labels
    Here is the traffic on TX/RX:
    UART signal measurements in PulseView
    While the MCU is idle, it sends something to us...
    Screenshot of protocol analyzer with UART signals
    View of captured UART protocol on a logic analyzer
    Screenshot of UART signal analysis using Saleae Logic.
    It sends three bytes with the AA header, which I associate with the BL0942 protocol. This is not TuyaMCU.
    But what happens when we press the button?
    Screenshot from PulseView showing UART data.
    When you press the button, the WiFi module sends something to the MCU:
    Screenshot of UART signal analysis in a logic analyzer.
    Wait, heading 55 AA? This looks like TuyaMCU though! This protocol must be some simplified version of it.
    Screenshot from a logic analyzer showing UART data.
    Let`s see what mine says TuyaMCU analyzer
    TuyaMCU Explorer application interface displaying raw packet data in hex format.
    This is a TuyaMCU compatible package , even the checksum is calculated correctly.
    I collected some of these packages and noticed that second and third bytes payload changes when I press the button - maybe the brightness levels?


    Changing the FS-05R load
    CB2S communicates with the MCU via the UART port used for programming, so you need to desolder CB2S. You need flux and braid.
    FS-05R dimmer circuit board next to solder wick
    I program with my flasher:
    https://github.com/openshwprojects/BK7231GUIFlashTool
    Desoldered, cables need to be connected ignoring the descriptive layer, looking at the catalog note : :
    Electronic module with connected wires on a wooden surface.
    Whole system:
    Breadboard with connected electronic equipment on a desk
    After uploading, we solder the module into place.


    Configuration for OBK FS-05R
    My first experiment was to create a script that sends hard-captured UART packets:
    Code: text Expand Select all Copy to clipboard
    
startDriver TuyaMCU
tuyaMcu_setBaudRate 115200

[inContentAd]

again:
delay_s 1
uartSendHex 55AA0030000300000638
delay_s 1
uartSendHex 55AA0030000300000032
goto again

    Everything works, the dimmer responds:




    Then I added a wrapper for sending TuyaMCU commands so as not to have to provide the checksum and header in the script, now the last byte is counted automatically:
    Code: text Expand Select all Copy to clipboard
    
startDriver TuyaMCU
tuyaMcu_setBaudRate 115200

again:
delay_s 1
tuyaMcu_sendCmd 0x30 000000
delay_s 1
tuyaMcu_sendCmd 0x30 0001FF
goto again

    The syntax of tuyaMcu_sendCmd is very simple. The first argument is the TuyaMCU command number and the second is its payload. The checksum is calculated automatically.
    Effect:



    Here you can also see that the smooth transition effect is handled by the MCU itself, not the WiFi module.
    Now it`s time to turn this proof of concept demo into something functional .
    OBK allows you to define channel types and create simple scripts, you can read about it in the documentation:
    https://github.com/openshwprojects/OpenBK7231T_App/tree/main/docs
    Based on this, I prepared the following script:
    Code: text Expand Select all Copy to clipboard
    
// this is not really tuyaMCU but we will treat it as such
startDriver TuyaMCU
// set baud rate
tuyaMcu_setBaudRate 115200

// create a toggle and a dimmer
setChannelType 1 toggle
setChannelType 2 dimmer256


// invoke refresh on change
addEventHandler OnChannelChange 1 startScript autoexec.bat refresh
addEventHandler OnChannelChange 2 startScript autoexec.bat refresh


refresh:
// channel 5 is temporary variable, from 0 to 255*3, multiplied also by toggle value
setChannel 5 $CH2*3*$CH1
// split into two bytes
setChannel 3 $CH5/256
setChannel 4 $CH5%256
// send the two bytes
tuyaMcu_sendCmd 0x30 00$CH3$$CH4$

    This script creates a dimmer controller on foot that supports both turning it on and off, as well as changing the brightness level. The brightness level is remembered after turning it off and on. It`s all about the scripts. The brightness level is manually split into two bytes and sent in the packet already discussed.
    This is what it looks like in LittleFS:
    Screenshot of OBK script editor with autoexec.bat
    And on the panel:
    OpenBK7231N dimmer control panel.
    Thanks to the new Home Assistant Discovery system, a dimmer scripted in this way will be seen automatically by HA, without writing Yaml!


    We are adding the missing FS-05R buttons
    I almost forgot about the buttons that are worth adding here too. I mean a separate GPIO responsible for turning on and increasing and decreasing the brightness:
    Code: JSON
    Log in, to see the code

    Just set their roles Btn_ScriptOnly . Then we add button events to autoexec.bat, according to the pattern:
    Code: text Expand Select all Copy to clipboard
    
addEventHandler [Event] [PinIndex] [Command]

    More examples: https://github.com/openshwprojects/OpenBK7231T_App/blob/main/docs/autoexecExamples.md
    According to my script, the channel responsible for the on-off state is 1.
    So, for the on-off button, P7, I propose:
    Code: text Expand Select all Copy to clipboard
    
addEventHandler OnClick 7 toggleChannel 1

    Alternatively, you can set P7 to the Btn role and give it channel 1, and you can also set the flags to respond immediately to button presses.
    For the + and - buttons, I suggest:
    Code: text Expand Select all Copy to clipboard
    
addEventHandler OnHold 26 addChannel 2 10 0 255

    Of course, we change the added value for this second button from 10 to -10, so that it subtracts instead of adding.
    Let me remind you of the addChannel syntax:
    Code: text Expand Select all Copy to clipboard
    
addChannel [Channel] [ValueToAd] [MinClamp] [MaxClamp]

    Although in fact it could be combined into one button and set its events separately:
    - OnClick toggles OnOff
    - OnHold e.g. increases the brightness level
    - and e.g. OnDblClick can set full brightness automatically

    Summary
    Typically, Tuya dimmers are based on the TuyaMCU protocol. In this case it was a bit different, the protocol here is simplified. The WiFi module sends a single packet, somewhat compatible with TuyaMCU, and the MCU responds with something, but I have not analyzed the format of the response data (or maybe prompt?). There is certainly no exchange here heartbeats be dpID as in normal TuyaMCU, there is only this one packet with checksum.
    Operating this dimmer in OpenBeken turned out to be quite simple, because the existing OBK scripting language fully coped with the new task. Scriptable channel types (here on/off state and dimmer) allow you to easily handle the logic of such a dimmer in the script itself, even with button operation.
    PS: it is also worth reading a related topic where the dimmer protocol was also based on UART, but was not based on TuyaMCU: WXDM2 dual dimmer - reverse engineering - weird UART protocol

    Cool? Ranking DIY
    Helpful post? Buy me a coffee.
    About Author
    p.kaczmarek2
    Moderator Smart Home
    Offline 
    p.kaczmarek2 wrote 14612 posts with rating 12629, helped 655 times. Been with us since 2014 year.
  • ADVERTISEMENT
  • #2 21006612
    tretyakalex
    Level 3  
    Posts: 5
    Hello.
    Thank you for your job.
    I have the same dimmer. I use your script in autoexec.bat.
    But i haven't dimmer effect. When i move slider up the bulb only light up with full brightness. Toogle works correctly.
    With Tuya smart soft the same bulb change brightness smoothly.
    What can be problem?
  • ADVERTISEMENT
  • #3 21006617
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Please try updating OBK to latest version. You may have an older one, depending on the way you've flashed your dimmer.
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #4 21006623
    tretyakalex
    Level 3  
    Posts: 5
    I've updated to 1.17.507 ver. by OTA
  • ADVERTISEMENT
  • #5 21006659
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    If it's still not working, then try executing the test autoexec.bat:
    Code: text Expand Select all Copy to clipboard
    

startDriver TuyaMCU
tuyaMcu_setBaudRate 115200

again:
delay_s 1
tuyaMcu_sendCmd 0x30 000000
delay_s 1
tuyaMcu_sendCmd 0x30 0001FF
goto again
    Helpful post? Buy me a coffee.
  • #6 21006729
    tretyakalex
    Level 3  
    Posts: 5
    Just switch on and switch off.
    May be try dimmer1000?
  • #7 21006779
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    What if you change the hex bytes here:
    Code: text Expand Select all Copy to clipboard
    

startDriver TuyaMCU
tuyaMcu_setBaudRate 115200

again:
delay_s 1
tuyaMcu_sendCmd 0x30 000000
delay_s 1
tuyaMcu_sendCmd 0x30 0001FF
goto again

    For example, change 1FF to other bytes? Are other dimmer levels working?
    Helpful post? Buy me a coffee.
  • #8 21006928
    tretyakalex
    Level 3  
    Posts: 5
    Tomorrow I'll try other type of bulb.
    This bulb has small interval of dimming.
  • #9 21006944
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Sure, please try, but still, didn't you say that the same bulb worked with Tuya?
    Helpful post? Buy me a coffee.
  • #10 21008260
    tretyakalex
    Level 3  
    Posts: 5
    Yes. It works with Tuya, but in very small range.
    Today i've changed the bulb and... it works perfectly with your script. It is very strange, but it is. Thank your for reverse engeneering!!!
    I think not all dimming bulbs suit this dimmer (and OBK and Tuya).
  • #11 21014440
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Of course not all of the bulbs are dimmable nowadays. I would even say that it's safe to assume that bulb is not dimmable unless otherwise specified.

    @ElektrodaBot which bulbs are dimmable? How to know if a bulb is dimmable or not?
    Helpful post? Buy me a coffee.
  • #12 21014444
    ElektrodaBot
    AI OpenAI ChatGPT4
    Posts: 8812
    Help: 357
    Rate: 937
    p.kaczmarek2 wrote:
    which bulbs are dimmable? How to know if a bulb is dimmable or not?
    Hello there! It's great that you're asking about dimmable bulbs. The ability to dim lights can really change the ambiance of a space, not to mention it can be energy-saving too. Let's delve into how you can identify dimmable bulbs and understand the types available.

    First off, not all bulbs are dimmable. The dimmability of a bulb depends on its technology and design. Here are some common types of bulbs and their general compatibility with dimmers:

    1. Incandescent and Halogen Bulbs: These are generally dimmable. They've been around for a long time, and dimming technology was initially designed with these bulbs in mind.

    2. LED Bulbs: This is where it gets a bit tricky. Many LED bulbs are made to be dimmable, but not all of them are. It's essential to check the packaging or the bulb itself for marks that indicate dimmability. Look for labels or symbols that explicitly state "dimmable".

    3. CFL (Compact Fluorescent Lamps): Like LEDs, some CFL bulbs can be dimmed, but the majority are not designed for it. Again, checking the packaging or the bulb for a "dimmable" label is key.

    4. Fluorescent Tubes: Traditional fluorescent tubes generally are not designed to be dimmable with standard dimmers. Special dimmable versions and compatible dimming systems are required for dimming fluorescent tube lighting.

    How to Know if a Bulb is Dimmable:

    1. Check the Packaging or the Bulb: Manufacturers typically indicate whether a bulb is dimmable on the packaging or the bulb itself. Look for terms like "dimmable".

    2. Manufacturer's Website or Technical Specifications: If you can't find the information on the packaging or the bulb, the manufacturer's website or the technical specifications sheet for the bulb should provide this information.

    3. Symbols: Besides text, there may be symbols indicating dimmability. Common symbols include a light bulb icon with a variable line across it or simply the text "dimmable".

    4. Ask the Retailer: If you're purchasing in-store and unsure, asking a staff member can be a quick way to find out. For online purchases, product descriptions often mention dimmability.

    One key point to remember is that having a dimmable bulb is just part of the equation. The dimmer switch itself needs to be compatible with the bulb type. For instance, LEDs often require specific types of dimmers to function correctly without flickering or reduced lifespan.

    Is there a specific type of bulb or application you're considering for dimming? That might help narrow down some recommendations or things to watch out for.
    You can call me in any topic by writing @ElektrodaBot. Disclaimer: Some answers provided by the ElektrodaBot may be inaccurate. Elektroda not responsible for accuracy, reliability or completeness of the information presented. All ElektrodaBot responses should be verified by the user. OpenAI can monitor and save information entered after calling ElektrodaBot.
  • #13 21015451
    Nanganator
    Level 6  
    Posts: 14
    Rate: 6
    Great work on this reverse engineering! I was able to flash 2X FS-05R today and, with your script, added to home assistant.

    I am using these dimmers to control some long 24V LED strips driven by KGP CC15W500-700CG LED drivers. With this setup, dimming below 40 starves the driver of enough current and the LED strip starts behaving strangely. Is there a way to limit the dimming range between 45 and 256 but still use the 0-100 slider? I tried simply adding 45 to the calculation in the script (setChannel 5 $CH2+45*3*$CH1). This works with the controls directly on OBK on the device, however Home Assistant seems to simply set the dimming to 0 when turning “off”. So with the calculation (0+45), the strip doesn’t turn off but just goes very dim.

    Also is there any way to set the dimming transition speed? It is mentioned in post that the smooth transition is handled by the MCU, but I’m looking for an even slower transition for my use case and prefer to do this on device as it is generally more seamless than doing with Home Assistant.

    Thanks in advance and thanks again for everything OBK!
  • #14 21015455
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    I don't know any way to slow down the transition speed. Well, unless you can write a little C code snippet to run on OBK, but that may look jerky, because you will get two levels of smoothing that way.

    As for the mapping, I think we have a command for that. It may require some script trickery but here it is:
    https://github.com/openshwprojects/OpenBK7231T_App/blob/main/docs/commands.md
    Table showing the syntax for Map and MapRanges commands from documentation.
    I guess you will need to introduce a third channel a temporary variable for that to work.
    Helpful post? Buy me a coffee.
  • #15 21180600
    gunthervc
    Level 1  
    Posts: 1
    Thanks, works perfectly. i Got 5 of these.
    Can this also work with ESPhome?
  • #17 21402422
    cbcelek
    Level 1  
    Posts: 1
    Hi, I also got FS-05R dimmer module, except it had a Zigbee module. I figured I wanted WiFi so I replaced the module with and ESP equivalent of CB2S.
    This is exactly the same 'motherboard'. However I figured the MCU protocol is "more" custom. In my case it is using 9600baud, and the frames are 5 bytes as follow:
    0xFF 00 V1 V2 CK where:
    V1, V2 are 2 bytes coding the dimming value
    CK is a checksum computed as (V1+V2-1) & 0xFF
    Has anyone seen this protocol before?

    I am a bit devices as the MCU applies some transition/effect delay when setting a new value, this is annoying because it takes ~ 1s to turn on and off the bulb (indeed in a smooth way), but was looking for a simple on/off in case of non dimmable bulb...

    Anyway is there a way to change the MCU firmware? (there is no marking on the MCU chip). Or another idea to make the mcu not applying transition effect between set values?

    Cheers!
  • #18 21482144
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    Hello,
    I am currently playing with this dimmer and have a problem.
    It is also the FS-05R version, although there is no model designation on the housing and there are minimal differences in the position of the components on the PCB. For that, the markings on the CB2S are also reversed.

    To the point, I've uploaded OpenBK there and created an Autoexec.bat file with that ready-made script given in the first message. It seemingly works, i.e. I have a brightness slider and a button, but it doesn't respond every time. For a few clicks on the button it turns the connected bulb on/off, then for a few clicks it doesn't respond. It's the same with the brightness slider, a few slides work, then a few don't. I haven't noticed any rule so far.
    Any ideas what could be the cause?

    Added after 6 [hours] 28 [minutes]: .

    Here's some more pictures of this dimmer of mine.

    View of the lighting dimmer circuit board. .
    Dimmer circuit board with electronic components .
    Photo of an electronic dimmer circuit board with various components. .
    Close-up of a dimmer circuit board with visible markings on components. .
    White plastic mini dimmable switch with technical specifications. .

    And a video of how he behaves:




    I have the flags enabled 2,7,10,37. With MQTT not connected for now.
    Pins configured as follows:
    "pins: {
    "7": "Btn;1",
    "8": "LED_n;1",
    "24": "Btn_ScriptOnly;0",
    "26": "Btn_ScriptOnly;0"

    And autoexec.bat with this entry:
    Code: text Expand Select all Copy to clipboard
    // this is not really tuyaMCU but we will treat it as such
startDriver TuyaMCU
// set baud rate
tuyaMcu_setBaudRate 115200


// create a toggle and a dimmer
setChannelType 1 toggle
setChannelType 2 dimmer256


// invoke refresh on change
addEventHandler OnChannelChange 1 startScript autoexec.bat refresh
addEventHandler OnChannelChange 2 startScript autoexec.bat refresh


refresh:
// channel 5 is temporary variable, from 0 to 255*3, multiplied also by toggle value
setChannel 5 $CH2*3*$CH1
// split into two bytes
setChannel 3 $CH5/256
setChannel 4 $CH5%256
// send the two bytes
tuyaMcu_sendCmd 0x30 00$CH3$$CH4$
    .

    And also the ripped original batch with the location where the wifi password was stored reset to zero:
    readResult...ezwifi.bin (2 MB)You must be logged in to download this attachment. .
    Code: text Expand Select all Copy to clipboard
    {
	"display_led1_pin":"8",
	"lightminus_sw_lv":"0",
	"is_rlen":"0",
	"brightindi":"1",
	"rsthold":"5",
	"net_trig":"0",
	"ctrl_type":"1",
	"jv":"130",
	"bt_lv":"0",
	"standtime":"3000",
	"is_swled_en":"0",
	"is_netled_en":"0",
	"ffc_select":"0",
	"btkm":"0",
	"total_stat":"0",
	"mcu_type":"0",
	"brightstep":"20",
	"bt_pin":"7",
	"baud_rate":"115200",
	"module":"CBU",
	"display_led1_lv":"0",
	"lightminus_sw_pin":"24",
	"init_conf":"100",
	"onoffmode":"0",
	"lightplus_sw_pin":"26",
	"periodtime":"5",
	"lightplus_sw_lv":"0",
	"crc":"126"
}


Device configuration, as extracted from Tuya: 
- Button (channel 0) on P7
Device seems to be using CBU module, which is using BK7231N.
And the Tuya section starts, as usual, at 2023424
    .
  • #19 21482806
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    And when you send in an "artificial" command to change the brightness it always arrives?
    Helpful post? Buy me a coffee.
  • #20 21482824
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    I understand that I have to go into "Execute Custom Command" and send, for example, something like "tuyaMcu_sendCmd 0x30 0001FF" ?
    It doesn't, it also only responds after the first time.
  • #21 21482835
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    You send the same command several times and it only responds the first time?
    Helpful post? Buy me a coffee.
  • #22 21482838
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    Exactly right.
  • #23 21482859
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Try it with an empty autoexec.bat and without PowerSave, after rebooting the device.

    Try it on the firmware version what I have in the topic.
    Helpful post? Buy me a coffee.
  • #24 21482884
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    It goes like this:
    - I uploaded version 1.17.507
    - restored factory settings, nothing was set except for wifi
    - unplugged for a while
    - I sent the following commands in sequence:
    startDriver TuyaMCU
    tuyaMcu_setBaudRate 115200
    - then for example:
    tuyaMcu_sendCmd 0x30 0001FF or tuyaMcu_sendCmd 0x30 000050 and it still only responds after the first time the command is sent. Sometimes it is after the first, sometimes after the 3rd or 4th.
  • #25 21483241
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Do you only have one copy of this device?

    Are the capacitors OK?
    Helpful post? Buy me a coffee.
  • #26 21484199
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    On WiFi I only have one piece bought about 1.5 months ago. The capacitors are ok, this is a new unused one, but just to be sure I measured and they are ok.

    What came to mind I tested:
    - I have the same dimmer but on Zigbee, the board looks the same but I think there is a different batch in TuyaMCU because after soldering CB2S it didn't work at all - I suspect what someone described above
    - instead of Beken I soldered T102_V1.1 - RTL8710B board with fw 1.18.35 uploaded and it behaved in the same way i.e. it responded after some time
    - I have uploaded the original batch to the CB2S and it works ok, via the Smart Life app it reacts to any change in brightness or switching off

    So it comes out that they changed something in the communication with TuyaMCU.
  • #27 21484690
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    And would you be able to power it with 5V from USB, unplug it from the mains and capture with the UART what it sends?
    Helpful post? Buy me a coffee.
  • #28 21485568
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    Rather 3.3V instead of 5V was it supposed to be? From what I can see from the BP2525 catalogue note it is in 3.3V mode there.

    I managed to capture something via Realterm. I am uploading in the attachment.
    sciemniac..ump.7z (1.47 kB)You must be logged in to download this attachment. .
  • #29 21486931
    @GUTEK@
    Level 31  
    Posts: 1561
    Help: 163
    Rate: 367
    While I still have it connected to the terminal, I have loaded OpenBK and I see that every few seconds it sends 55 AA 00 00 00 00 FF, all the time as it is running. Is this by any chance somehow "clogging up" this TuyaMCU chip?

    Added after 1 [hour] 14 [minutes]: .

    Okay, that will be 99% the heartbeat sent.
    I did a test like this:
    I initialised only the uart, instead of the tuyamcu driver:
    uartInit 115200
    then I alternated sending commands:
    uartSendHex 55AA0030000300000032
    uartSendHex 55AA003000030003E81D
    and each time it responded.

    Is there any way to disable the heartbeat, as I have not found anything in the documentation so far?
  • #30 21487134
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14612
    Help: 655
    Rate: 12629
    Well done on diagnosing the problem and suggesting a fix. I'll try to add a flag or switch for this. Maybe it's also possible to "cheat the system" and type startDriver tmSensor into the autoexec bat too, but I haven't tried that.
    Helpful post? Buy me a coffee.
Reply Cool? Ranking DIY | New topic
Notify about new articles
📢 Listen (AI):
Report a violation of the law

Topic summary

✨ The discussion focuses on reverse engineering the UART communication protocol of the Tuya FS-05R dimmer, which differs from typical TuyaMCU-based dimmers like the EDM-01AA-EU. The FS-05R uses a non-standard protocol between its WiFi module and the microcontroller responsible for dimming. Users successfully flashed the dimmer with OpenBK firmware and scripted it to work with Home Assistant, though some encountered issues with dimming smoothness and responsiveness. Problems included limited dimming range depending on the bulb type, delayed or inconsistent command responses, and the presence of a heartbeat signal (55 AA 00 00 00 00 FF) potentially interfering with communication. Solutions involved updating to the latest OpenBK firmware, adjusting baud rates, sending repeated commands to ensure reception, and disabling or working around the heartbeat. Some users replaced the original WiFi module with ESP-based boards and noted differences in baud rates and frame formats. The dimmer’s smooth transition effect is handled by the MCU, but slowing it further requires custom scripting. Compatibility varies with bulb types; not all bulbs are dimmable or suitable for this dimmer. The discussion also covers scripting techniques to map dimming ranges and attempts to integrate the device with ESPhome. Hardware variations and firmware batches affect behavior, and UART captures helped analyze the protocol. Overall, the thread provides detailed insights into the FS-05R’s unique UART protocol, firmware customization, and practical integration challenges and solutions for smart home automation.
Generated by the language model.
Today's popular

FAQ

TL;DR: At 115200 baud, “This is a TuyaMCU compatible package” became the key clue: the Tuya FS-05R uses a simplified UART dimmer protocol, not full TuyaMCU. This FAQ helps OpenBeken, ESPHome, and Tasmota users capture packets, flash the CB2S safely, script dimming, and fix variants that ignore single commands. [#20986793]

Why it matters: The FS-05R looks like a normal Tuya dimmer, but its non-standard UART behavior changes how you flash, script, troubleshoot, and integrate it.

Approach What the thread shows Best use case
OpenBeken Native scripting, HA discovery, proven working on multiple units Best documented path for Wi-Fi retrofits
ESPHome Reported working through a Home Assistant forum configuration Good if you already standardize on ESPHome
Tasmota Basic serial control works, but no tuyaMcu_sendCmd equivalent; Berry needed for production Useful for experiments, weaker fit for this dimmer

[#21283485]

Key insight: The hardest part is not brightness math. It is that some FS-05R variants accept the same dimming packet only when it is sent two or three times, especially when heartbeat traffic interferes.

Quick Facts

  • The original reverse-engineered FS-05R used 115200 baud, and the dimmer MCU reacted to command 0x30 with a 2-byte brightness value packed after the 55 AA header. [#20986793]
  • The board could be analyzed safely off-mains by powering it from 3.3 V, which let the UART RX/TX traffic be captured with a Sigrok analyzer. [#20986793]
  • The Wi-Fi module JSON exposed four GPIO roles: bt_pin=7, display_led1_pin=8, lightminus_sw_pin=24, and lightplus_sw_pin=26, showing the module handles local inputs too. [#20986793]
  • A later hardware variant used 9600 baud and 5-byte frames: FF 00 V1 V2 CK, with checksum (V1 + V2 - 1) & 0xFF, so not every FS-05R speaks the same protocol. [#21402422]
  • Real-world load limits matter: one user saw unstable strip behavior below dimmer value 40, another needed a minimum usable value of 65, and a different user found the issue was the bulb, not the script. [#21703784]

How was the UART protocol of the Tuya FS-05R dimmer reverse engineered, and what tools were used to capture the RX/TX traffic?

It was reverse engineered by intercepting the serial link between the CB2S Wi-Fi module and the dimmer MCU. The setup used a Sigrok analyzer on the RX/TX lines, and the board was powered from 3.3 V instead of mains so the capture could be done safely. The captured traffic showed the MCU sending short idle packets and the Wi-Fi module sending control frames when buttons were pressed. [#20986793]

What is TuyaMCU, and how is the FS-05R's simplified UART protocol different from a standard TuyaMCU implementation?

“TuyaMCU” is a UART control protocol that links a Tuya Wi-Fi module to a separate microcontroller, using framed commands, checksums, heartbeats, and datapoint-style exchanges. The FS-05R only reuses part of that model. It sends a checksum-valid 55 AA control packet, but it does not show normal TuyaMCU heartbeats or dpID exchanges. In this dimmer, one simplified brightness packet drives the MCU directly. [#20986793]

Why does the Tuya FS-05R JSON dump show both a 115200 baud rate and GPIO roles like bt_pin, display_led1_pin, and lightplus_sw_pin?

Because this dimmer is not a normal full-TuyaMCU design. The JSON shows baud_rate=115200 for UART communication, but it also lists local GPIO roles such as P7, P8, P24, and P26. That matters because the Wi-Fi module still handles buttons and LED functions, which is unusual for classic TuyaMCU devices where the external MCU usually owns those signals. [#20986793]

How do you flash OpenBeken onto a Tuya FS-05R with a CB2S module when the PCB pin labels for 3.3V and GND are wrong?

You must ignore the PCB silkscreen and follow the CB2S catalog pinout. 1. Desolder the CB2S, because the UART lines are shared with the dimmer MCU. 2. Connect programming wires by the datasheet pinout, not the reversed board labels for 3.3 V and GND. 3. Flash with BK7231GUIFlashTool, then solder the module back. The thread explicitly warns that the board’s CB2S marking is incorrect. [#20986793]

What does the 55 AA header mean in the FS-05R UART packets, and how was the checksum verified as TuyaMCU-compatible?

The 55 AA header marks a frame that looks like a TuyaMCU command. The captured button-triggered packet was checked with a TuyaMCU analyzer, and the author confirmed that the checksum matched the TuyaMCU calculation correctly. That proved the FS-05R packet format is TuyaMCU-compatible at the frame level, even though the overall protocol is simplified. [#20986793]

How can I write an autoexec.bat script in OpenBK to control the FS-05R as a dimmer with on/off and brightness channels?

Use one toggle channel and one dimmer256 channel, then convert brightness into two bytes for command 0x30. The published script sets channel 1 as on/off, channel 2 as brightness, multiplies the dimmer value by 3, splits it into high and low bytes, and sends tuyaMcu_sendCmd 0x30 00$CH3$$CH4$. That gives on/off memory plus slider control in OpenBK and Home Assistant. [#20986793]

Which OBK pin roles and event handlers should be used to make the FS-05R's P7, P24, and P26 buttons work for toggle and dimming?

Set P24 and P26 to Btn_ScriptOnly if you want the script to own dimming behavior. For the main button on P7, use either Btn_ScriptOnly with addEventHandler OnClick 7 toggleChannel 1 or assign the standard Btn role to channel 1. For brightness, the thread suggests addEventHandler OnHold 26 addChannel 2 10 0 255 on one button and the same command with -10 on the other. [#20986793]

Why does an FS-05R bulb jump to full brightness in OpenBeken instead of dimming smoothly, even though it works in the Tuya app?

The usual cause is the load, not the UART math. One user reported that the bulb only switched full on in OpenBeken, but after changing to a different bulb the same script worked “perfectly.” The follow-up conclusion was clear: not every lamp behaves well with this dimmer, and some bulbs have only a very small dimming range even under Tuya firmware. [#21008260]

What kinds of bulbs are actually dimmable, and how can I tell whether an LED bulb will work properly with the Tuya FS-05R dimmer?

Only bulbs explicitly designed for dimming should be assumed compatible. The thread states the safe rule bluntly: assume a bulb is not dimmable unless the packaging says so. In practice, users in this thread saw three outcomes: some bulbs worked smoothly, some dimmed only across a small range, and some loads behaved oddly below certain brightness values. That makes label verification essential before blaming OBK or the dimmer. [#21014440]

How can I remap the FS-05R dimming range in OpenBK so Home Assistant still uses a 0-100 slider while the real output stays between a higher minimum and maximum value?

Map the slider into a higher internal minimum, then send zero only when the slider is zero. A working example used minimum value 65 and this logic: if the slider equals 0, send 0; otherwise scale 1..255 into 65..255 before multiplying for the packet. That preserves normal Home Assistant off behavior while avoiding the unusable lower dimming range. [#21703784]

What controls the fade speed in the FS-05R dimmer, and what options exist if I want a slower or instant transition on the device itself?

The dimmer MCU controls the fade speed, not the Wi-Fi module. The thread states that the smooth transition is handled inside the MCU, and no built-in OpenBK command was given to slow it further or make it instant. A custom C snippet on OBK was mentioned as a possible workaround, but it could look jerky because MCU smoothing would still remain underneath. [#21015455]

ESPHome vs OpenBeken vs Tasmota for the Tuya FS-05R dimmer: which approach works best when the device uses custom UART commands?

OpenBeken is the best-documented fit in this thread. It already has working scripts, Home Assistant discovery, and direct tuyaMcu_sendCmd support. ESPHome was later reported working through a Home Assistant forum example, so it is viable. Tasmota can send raw serial frames like SerialSend5 55AA0030000300009DCF, but one user noted it lacks a direct tuyaMcu_sendCmd equivalent and would need Berry for a polished setup. [#21703814]

What is the CB2S module in Tuya devices, and why does its incorrect silkscreen labeling matter when powering or programming the FS-05R?

“CB2S” is a Tuya Wi‑Fi radio module that hosts the BK7231-family firmware, exposes UART and GPIO pins, and serves as the network side of many Tuya devices. The bad silkscreen matters because the FS-05R board reversed the labels for 3.3 V and GND. If you trust the board print instead of the official CB2S pinout, you can mis-power or mis-wire the module during flashing. [#20986793]

Why do some FS-05R hardware variants ignore every few TuyaMCU commands unless the same brightness packet is sent two or three times?

Because some variants appear to reject or miss single packets when the TuyaMCU driver keeps sending heartbeat traffic. One user captured repeated 55 AA 00 00 00 00 FF frames, identified them as heartbeat-like traffic, then showed that raw uartSendHex commands worked every time while tuyaMcu_sendCmd did not. A practical fix was to send the same brightness packet two or three times, sometimes with a 3 ms delay. [#21488398]

How can the MCU firmware or behavior be changed on an FS-05R variant that uses a different 9600-baud 0xFF 00 V1 V2 CK protocol and adds an unwanted 1-second smooth transition?

The thread does not provide a working way to reflash that MCU or disable its transition effect. That variant used 9600 baud and 5-byte frames FF 00 V1 V2 CK, with checksum (V1+V2-1) & 0xFF, and the user reported about a 1 s smooth on/off delay. The only concrete takeaway is that this is a different FS-05R-family protocol, so the original 115200-baud OpenBK script will not directly solve it. [#21402422]
Generated by the language model.
ADVERTISEMENT