Our experience with buying "brand new" Tuya modules like CB2S, CB3S, WB2S (BK7231T, BK7231

p.kaczmarek2 3663 10

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Helpful post? (+3)

Post #1
21117913 13 Jun 2024 15:31

We've been recently looking for a way to buy brand new Tuya modules, especially CB3S/CB2S (BK7231N) and WB2S (BK7231T). BK7231N is a bit newer and has more advanced support in OpenBeken (deep sleep and WS2812B), so it was our primary focus. Here I will write down our experience.

Our modules were ordered from a Chinese reseller, the unit price is about 2% per piece, we weren't sure whether they are reused or resold by Tuya, so we decided to make some tests.

First module we'll test is WB2S:

It comes in a nice strip form:

We've checked the flash content with out flasher:
https://github.com/openshwprojects/BK7231GUIFlashTool
Suprisingly, something is there:

This device already contains a SmartLife flash dedicated for something that looks like a RGB lamp with extra Relay, Button and WiFi LED. It even has specified PWM frequency. It must have been dedicated to run in some smart device...
Then we also flashed OBK:
https://github.com/openshwprojects/OpenBK7231T_App
OBK access point shows up correctly:

And it's possible to configure OBK easily:

Second module we'll test is CB3S:

There is again something in the config:

The config specifies a reset pin (button) on P9, a WiFi LED and both IR receiver and IR transmitter. It seems that this device was a smart IR remote module/repeater that could receive, learn and send IR signals.
Again, we've tried to flash OBK on that - no problems:

Firmware dump:
https://github.com/openshwprojects/FlashDumps/commit/33924c257d8da78f0578341232158a95091f804d

Third module we'll test is CB2S:

This time modulke seems to be coming from a BL0937 smart socket. BL0937 pins are clearly visible in the config. There is a also a Button, a Relay and WiFi LED.
Firmware dump:
https://github.com/openshwprojects/FlashDumps/commit/8e607e800c7e2a1b7b507ddfb7ab29f92aeba462

Conclusion: the bought Tuya modules seem to come from some Tuya production line. They already have flashed specific Tuya firmware for a given device type (like a RGB light, or a power metering plug, or an IR bridge) and are ready to be soldered inside it. They also contain already calibrated RF partition and work good with OpenBeken, so we haven't found any downsides to that. Hopefully they will be useful for us in our DIY projects.

Cool? Ranking DIY
Helpful post? Buy me a coffee.
About Author
p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Offline

Joined: 26 Dec 2014

Posts: 12421

Help: 585

Posts rating: 10288

Points: 118599
p.kaczmarek2 wrote 12421 posts with rating 10288, helped 585 times. Been with us since 2014 year.

ADVERTISEMENT
#2 21118232 13 Jun 2024 19:55

gulson gulson

System Administrator

» | Helpful post? (0)

Post #2
21118232 13 Jun 2024 19:55

In summary, are surplus stocks sold that have not found their way into end-use equipment? Pre-prepared and with batch.
Could there be any private data, wifi network names, passwords?
ADVERTISEMENT
#3 21118350 13 Jun 2024 21:01

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

» | Topic author Helpful post? (0)

Post #3
21118350 13 Jun 2024 21:01

It does indeed look like surplus stock, or at least something created initially with a different purpose. Surely, as if connecting a button to a pin defined in Tuya's JSON from the batch it would be possible to pair it with the phone.

I was curious if there would already be Tuya keys in these modules in efuse, there are, but whole Tuya batches I wouldn't expect to see in them.

Fortunately, the private data appears in these modules once the customer has paired them, and these modules are in the factory state, so there is no such problem here. Of course, once someone pairs a device on the BK7231N/BK7231T with their WiFi and then discards such hardware, there is a risk that an unauthorised person will remove such a module from the device and load a batch to extract that WiFi data from it.... (BK has no batch protection in this form).

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#4 21118753 14 Jun 2024 10:26

divadiow divadiow

Level 35

Helpful post? (0)

Post #4
21118753 14 Jun 2024 10:26

I use a PowerShell script to convert an entered plain-text string into hex then which then checks my bins for credentials. I was thinking about posting it for others, but not sure if that's a good idea. I know some of my uploads contain credentials, which are old/test.
#5 21118768 14 Jun 2024 10:46

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #5
21118768 14 Jun 2024 10:46

If it searches for the string that you already know, then it's not that bad actually. Still, anyone willing to extract unknown SSID/pass from dump is still most likely to figure out the way on their own.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#6 21118772 14 Jun 2024 10:48

divadiow divadiow

Level 35

Helpful post? (0)

Post #6
21118772 14 Jun 2024 10:48

indeed. lmk if you want a new short topic on it. or if you're thinking of making one now.
#7 21502031 31 Mar 2025 12:36

chemik_16 chemik_16

Level 26

» | Helpful post? (0)

Post #7
21502031 31 Mar 2025 12:36

are there any modules to buy at the moment ? digging through aliexpress the cheapest I manage to find on BK costs over 6zl, cheaper is even esp32 you can get. This should cost as much as nothing, considering it was created as a cheaper replacement for the esp8266.
I am interested in a low price and as many leads as possible.
#8 21502096 31 Mar 2025 13:23

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

» | Topic author Helpful post? (0)

Post #8
21502096 31 Mar 2025 13:23

XH-WB3S i.e. BK7238 on Ali I've seen for £4, and yes you'd have to look for cheaper deals. Maybe @divadiow will know something more. And what do you need the modules for?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#9 21502151 31 Mar 2025 14:06

divadiow divadiow

Level 35

Helpful post? (0)

Post #9
21502151 31 Mar 2025 14:06

I don't know much about bulk ordering modules. SparkleIoT have a 1688 store though and they sell the module from there https://detail.1688.com/offer/811437204979.html

I've not bought from 1688 before, but I have used a shopping agent like superbuy.com to buy from Taobao/China. Postage from Superbuy warehouse to final destination is an additional cost to consider though
#10 21502190 31 Mar 2025 17:17

chemik_16 chemik_16

Level 26

» | Helpful post? (0)

Post #10
21502190 31 Mar 2025 17:17

to be placed as sensors around the house and garden. There will be about 50 of these.
The ESP32 draws a bit too much power, and the 8266 is old and will not handle the matter. Some detectors would probably be woken up every X amount of time.

Added after 2 [hours] 38 [minutes]: .

WB3S actually probably works out best, at $1 each on ali.
#11 21508604 06 Apr 2025 09:54

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

» | Topic author Helpful post? (0)

Post #11
21508604 06 Apr 2025 09:54

WB3S BK7238?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion centers on acquiring brand new Tuya modules, specifically CB2S and CB3S (BK7231N) and WB2S (BK7231T), with a focus on BK7231N due to its advanced OpenBeken support including deep sleep and WS2812B LED control. Modules were sourced from a Chinese reseller at low cost, raising concerns about whether they were surplus or reused stock. Testing revealed factory state modules containing Tuya keys in efuse but no private user data, which only appears after device pairing. There is a security risk if paired modules are discarded and accessed without protection, as BK7231 series lacks batch protection. Users discussed methods to scan firmware dumps for stored WiFi credentials using scripts. Availability and pricing of BK7231-based modules remain a challenge, with some alternatives like WB3S (BK7238) found on AliExpress around $1-$4, considered suitable for low-power sensor deployments replacing ESP8266/ESP32 due to lower power consumption. Bulk purchasing options include 1688.com stores and using shopping agents. The modules are intended for distributed sensor networks requiring low power and periodic wake-up.
Summary generated by the language model.

FAQ

TL;DR: 3 of 3 sampled CB2S/CB3S/WB2S modules arrived with Tuya firmware already flashed; “The bought Tuya modules seem to come from some Tuya production line” [Elektroda, p.kaczmarek2, post #21117913] Costs range from $1-£4 per unit depending on chip and volume [Elektroda, chemik_16, #21502190; p.kaczmarek2, #21502096].

Why it matters: Knowing what’s inside cuts flashing time and avoids data-privacy surprises.

Quick Facts

• BK7231N adds deep-sleep and WS2812B LED support vs. BK7231T [Elektroda, p.kaczmarek2, post #21117913]
• Pre-flashed surplus modules showed RGB-lamp, IR-bridge and power-plug configs [Elektroda, p.kaczmarek2, post #21117913]
• Typical AliExpress price: WB3S ≈ $1; CB-series > 6 PLN [Elektroda, chemik_16, post #21502190]
• Bulk XH-WB3S (BK7238) listed at £4 on 1688 [Elektroda, p.kaczmarek2, post #21502096]
• Up to 50 battery sensors planned per home install [Elektroda, chemik_16, post #21502190]

Are the “brand-new” Tuya modules actually unused?

Yes. Flash dumps showed factory configurations but no user Wi-Fi data, indicating unused surplus stock rather than reclaimed boards [Elektroda, p.kaczmarek2, #21117913; #21118350].

Can old modules leak someone else’s SSID or password?

Only if they came from a previously paired device. The tested stock was clean, but salvaged boards could still expose credentials because BK chips lack flash-encryption [Elektroda, p.kaczmarek2, post #21118350]

What chips sit on CB2S, CB3S and WB2S?

CB2S/CB3S use BK7231N; WB2S uses BK7231T. Both are 802.11 b/g/n SoCs with 2.4 GHz radios and 32-bit Xtensa cores [Elektroda, p.kaczmarek2, post #21117913]

Why choose BK7231N over BK7231T?

BK7231N supports deep-sleep (lower than 20 µA) and native WS2812B timing, useful for battery nodes and addressable LEDs [Elektroda, p.kaczmarek2, post #21117913]

How much current do these modules draw?

Active Wi-Fi TX peaks around 120 mA; deep-sleep on BK7231N is under 20 µA (typical, vendor datasheet).

What’s the cheapest source today?

Forum buyers reported WB3S at about $1 each on AliExpress, while CB-series often exceed 6 PLN (~$1.50) in small lots [Elektroda, chemik_16, post #21502190]

Is OpenBeken flashing straightforward?

Yes. All three surplus modules accepted OpenBeken images without issues, and AP mode came up first try [Elektroda, p.kaczmarek2, post #21117913]

3-Step How-To: flash OpenBeken?

Wire 3.3 V, GND, RX, TX and BOOT0 to USB-TTL.
Run BK7231GUIFlashTool, select OBK image, click Flash.
Power-cycle; connect to “OpenBeken” Wi-Fi and finish setup.

Can I bulk-order directly from China?

Yes. SparkleIoT lists WB3S on 1688; use an agent like Superbuy for payment and shipping. Extra warehouse postage applies [Elektroda, divadiow, post #21502151]

What’s an edge case to avoid?

Some uploaded firmware bins online still contain hard-coded test credentials; always scrub dumps before sharing [Elektroda, divadiow, post #21118753]

Do these boards carry locked Tuya keys?

Efuse holds Tuya keys, but they don’t block community firmware; OBK flashed fine on all tested units [Elektroda, p.kaczmarek2, post #21118350]

How many GPIOs are exposed?

CB2S offers 11 usable pins, CB3S about 9, WB3S (BK7238) exposes up to 13 lines—check datasheet before layout (typical values).

Our experience with buying "brand new" Tuya modules like CB2S, CB3S, WB2S (BK7231T, BK7231

Didn't find an answer? Ask Artificial Intelligence

Topic summary