Hi all, got me a bunch of these $2.56 smartplugs from KMC.
Quality is quite good, must see how long they work before capacitors give way. BTW, I got me 22uF/25 ceramic capacitors and add them to the secondary stage of all these units, and switched power supplies in general. This reduces the stress on the existing electrolytic caps and enhances efficiency.
Opening was easy, just a glued back lid.
Schematic: I'm still in awe why they don't use 3.3V relays? This is the fourth unit where they scale down the AC to 5V (for the relays) and then with another DC/DC converter down to 3.3V (for the uController etc). In all these units the 5V is *ONLY* used for the relay! Why not scale down to 3.3V only and use a 3.3V relay???
and dump (bk7231flasher_1.1.6): (attached)
JSON: Device configuration, as extracted from Tuya: - Button (channel 1) on P11 - WiFi LED on P6 - Relay (channel 1) on P26 Device seems to be using WB2S module, which is using BK7231T. And the Tuya section starts, as usual, at 2023424
Thanks for sharing. I haven't indeed seen any Tuya devices using 3.3V relays, but on the other hand I don't remember seeing ANY 3.3V relays at all. It seems they are not that common. Futhermore, I think using separate LDO for WiFi module may reduce the potential interference from the relay.
Which tool do you use to draw schematics?
Yes, 3.3V relays don't exist much (yet), but there are 3V. Most 3V relays can be driven up to 4.5V, and many 5V relays can be driven by 3.3V.
There were Tasmota units with 3V (latched) relays, had to replace some caps after 5ish years, other than that still working strong.
This unit here would be a perfect example to use a latched relay. Controller has plenty of unused pins, it takes just a transistor and a resistor some software to use sooo much less energy over the life of the unit. I don't know how much power the output pins from these tuya chips can handle, but I'm driving 3V latched relays directly from ESP units by paralleling a few. I first activate the pins with pullups, and then go full force. Not only are latching relays (pulse) powered by less than half of the current relays (360mW vs 170mW), but they don't use power when on.
There is no interference from the relay itself, maybe by the load attached, but not the relay itself. The diode at the coil takes care of that. And powerswise those ~72mA inrush current are also not an issue.
I am ashamed to admit that I'm using Fritzing (the last really free version). My Orcad and other tools from 30 years ago don't run reliably on new systems. Fritzing is quick and dirty but bad.
I am not sure about using 3V relays because they would need to be powered from the same rail as WiFi module, but that certainly would be an interesting experiment. Are you planning to try?
The latching relays, on the other hand, are great and it's a shame that they are not used more. I have indeed seen some latching relays in the IoT products already but they were mostly used in the battery-powered light switches controlled via RF. I think using latching relays in IoT products could really have made a change but chinese manufacturers prefer to lower the cost of the product at the expense of the higher power consumption when relay is on...
Totally agree with what you said about latching relays. I did transform some of the Tasmota devices to latching, early on those features were added to Tasmota.
Don't know if there's an easy path to convert regular to latching with your nice tools.
I offer to try to make the physical changes needed if you provide the software for adding latching. Have to dig out the specs, but I think I used Siemens 3V DPDT latching relays (has two coils). Most of the times I just needed to add a diode (across the relay) and a wire to some ESP pins, they could drive that coil without a transistor. Latching relays don't have to fight big spring-loaded forces.
Yes, I did also change some of the Tasmota devices from 5V to regular 3V relays. It depended on the AC/DC converter, I changed only those where that change was easy. Making those changes to tuya devices should be same easy, that section is the same vs Tasmota. This not only saves energy but is also easier on the capacitors etc. extending the life of these units.
I hoped for this to get to the tuya-cloudcutter section since I wanted to OTA my other 30154s. Managed to issue an issue there and uploaded the whole dump to them. https://github.com/tuya-cloudcutter/tuya-cloudcutter/issues/643 What a waste of resources. Bummer that this goes to two different places, couldn't these json profiles be in one place??
Added after 13 [minutes]:
After finally managing OTA-ing one unit I noticed that the LED if set to WiFi only blinks when no connection. When set to "LED_n" it turns on/off with the relay The original would however use the LED for both functions. Is it possible to set that here, too?
Wanted to OTA the other 7 of these units, but got stuck right with the first of them. Some cloudcutter back and forth and now the newest firmware is flashed, relay + LED respond to button, but the MAC is all zeros!
WebAppConfig shows 00:00:00:00:xy:za MAC, the xy:za change after each refresh.
After saving the RF tried the Flash/Restore-Recreate RF to get some MAC back, didn't work, MACs stay at 00:00:00:00:xy:za
The unit goes into AP mode (with LED fast blinking) after powerup, maybe related to the zero-MAC, could be that the router won't issue an IP lease if MAC is all zeros. Re-added SSID and pw manually, same.
Current Device: UpTime: 244s Build: Build on Apr 21 2024 08:20:43 version 1.17.553 IP Address: 192.168.4.1 MAC Address: 00:00:00:00:35:ee <--- these last 4 change all the time MQTT Server: :1883 MQTT Topic: obkD830B6DB Device Short Name: obkD830B6DB WEBAPP Url root: https://openbekeniot.github.io/webapp/ Chipset: BK7231T Flags: 1024 Version: 1.17.553
Reflashed, same.
So right now I only have access to the unit via it's AP mode, which is on all the time.
Any help on what I need to do? Is there a manual way to put in the original (saved) MAC? Thanks!
No problem, I can help you with MAC address change, but first, can you specify whether you have a backup of original flash? Futhermore, how was the MAC address deleted? It doesn't delete itself unless something goes very wrong.
This part is strange:
Quote:
After saving the RF tried the Flash/Restore-Recreate RF to get some MAC back, didn't work, MACs stay at 00:00:00:00:xy:za
Did you try that tool from the Web App and still had no change in MAC?
thank you for your help (yet again, sorry). The original flash is in my first post. Not from this unit but they are really exactly the same. I have no idea how MACs get deleted. I used CloudCutter and it had hiccups but it finally worked. Yes, I used the web app with the Flash->Restore-Recreate RF tool. It didn't change anything.
But on the web app-> Config-> Current Device: it shows MAC Address: 00:00:00:00:35:ee <--- these last 4 change after reboot/refresh. The pattern of these four bytes is repeating and doesn't look random. 00:00:00:00:25:ee, 00:00:00:0035:something etc It seems to go right to the AP mode. I can control the unit fully via 192.168.4.1 I stopped converting the other units.
Hey, I wanted to create an account here to respond to your post.
I got 2 packs of 4 of these on that same Amazon deal a couple weeks ago with the intent to try to flash them. I used cloudcutter and i think the profile that is in there for this 30154 device is from your submissions. I saw some recent github activity and such.
Well, 3 out of the 8 I have flashed fine. Without issues. I'm using a raspberry pi 3. The other 5 result in the following error:
[!] The profile you selected did not result in a successful exploit.
I've been playing around with this off and on for 3 days. I finally thought, well why don't I attach one of these plugs to the Tuya App to see what version of the firmware is on it? Well, one that doesn't flash via cloudcutter is 1.0.7. It works properly in the Tuya app too. Unfortunately I did not check any of the 3 that did flash properly to see if they might be on 1.0.6. I didn't' want to use the Tuya app at all.
Then I wondered, does the profile name reflect the firmware version that's on the device that was dumped to create that profile?
Selected Profile: oem-bk7231s-rnd-switch-1.0.6-sdk-2.0.0-30.05
Is there a way for you to check and see if any of your devices that didn't work for you are actually on 1.0.7 and dump that one to get a profile in there for 1.0.7 as well so people can flash both 1.0.6 and 1.0.7 firmware plugs?
So that's my theory. Some that did flash are on the 1.0.6 firmware. But the profile doesn't work for 1.0.7. I'm not sure if this is true or not. And it's just a guess.
Added after 26 [minutes]:
Ok. I shouldn't have posted my last post, but I had a lightbulb moment. I went into the cloudcutter repo that has the profiles and I saw one that said 1.0.7 and it looked identical to the 1.0.6 one except the firmware number. So I thought "what are those other options in the menu and how can I find this profile?"
Here it is:
Quote:
Successfully built docker image
1) Detach from the cloud and run Tuya firmware locally
2) Flash 3rd Party Firmware
[?] Select your desired operation [1/2]: 2
Loading options, please wait...
[?] How do you want to choose the device?: By firmware version and name
By manufacturer/device name
► By firmware version and name
From device-profiles (i.e. custom profile)
Performing safety checks to make sure all required ports are available
Checking UDP port 53... Available.
Checking UDP port 67... Available.
Checking TCP port 80... Available.
Checking TCP port 443... Available.
Checking TCP port 1883... Available.
Checking TCP port 8886... Available.
Safety checks complete.
[?] Select your custom firmware file for BK7231T chip:
ESPHome-Kickstart-v23.08.29_bk7231t_app.ota.ug.bin
OpenBeken-v1.17.262_bk7231t.ug.bin
This worked for me. I guess it might be nice to see if we can make available the 1.0.7 profile to the menu option where you choose your model "KMC" such that it shows up as a usable one for the 30154 device. Might help others.
Glad to have this device in home assistant. Thank you for your effort!
The discussion revolves around the teardown and modification of the KMC 30154 smart plug, which was purchased for $2.56. The user notes the quality of the device and shares their experience of adding 22uF/25V ceramic capacitors to enhance efficiency and reduce stress on electrolytic capacitors. The conversation highlights the absence of 3.3V relays in the device, with participants discussing the potential benefits of using latching relays to decrease power consumption. Several users share their experiences with flashing the device using CloudCutter, detailing issues with MAC address retrieval and firmware versions. The KMC 30154 is identified as a 120V 15A low-profile smart plug utilizing the BK7231T chip and WB2S board. Summary generated by the language model.
![[ZIGBEE] 20A Zigbee socket with energy metering (Tuya TS011F_plug_3)](https://obrazki.elektroda.pl/1000454900_1749493372_thumb.jpg)
![[W600 / TW-03] Door Sensor - Bootloop on 1.18.110/109 Firmware](https://obrazki.elektroda.pl/5552096400_1749191730_thumb.jpg)
