Protecting Your Privacy: Scan IoT Firmware Backups for Sensitive Information

#1 21144635
divadiow

TL;DR

  • Protecting IoT firmware backups from leaking Wi‑Fi credentials in BL602, LN882H, BK7231N, BK7231T, and similar factory dumps.
  • A PowerShell script converts a typed SSID or password into hex, then recursively scans every .bin backup for matching byte patterns.
  • LN882H and BL602/LF686 backups commonly produce 2048KB / 2MB / 2,097,152-byte .bin files.
  • The script flags any backup containing the searched string, helping batch-check collections of dumps for credentials or other repeated firmware strings.
  • Factory resets do not always clear identifiable data, and the search is case-sensitive, so the exact text must be entered.
Generated by the language model.
  • I'm hoping this post, and the script herein, will be useful to anyone unsure about posting BL602, LN882H, BK7231N, BK7231T etc factory firmware backup/dump binary files anywhere public, eg these forums on Elektroda.

    Factory firmware backups can be used to restore devices to their original state. This can be useful when, for example:

    - troubleshooting RF issues
    - to check if an expected or seemingly erroneous behaviour exhibits with factory firmware
    - to confirm normal operational behaviour as intended by manufacturer
    - to prepare device for resale
    - to capture more bi-directional communication data with a TuyaMCU device

    The backup procedure varies depending on the platform, but the easiest and most common (regarding OpenBeken) is with openshwprojects' Easy UART Flasher for Beken BK7231N/BK7231M/BK7231T/T34/BL2028N IoT ICs.

    Both highlighted buttons in Easy Flasher will create a backup file in the \backups subdirectory of the Easy Flasher root folder.

    LN882H and BL602/LF686 backup procedures will, in the vast majority of cases, result in the same 2048KB / 2MB / 2,097,152 bytes sized .bin file.

    If the device has already connected to your wifi with an official app, Magic Home, Cozylife, Tuya, Blitzwolf, eWelink etc, then it'll have saved your SSID and wireless password in its memory in order to achieve this. Potentially this data can be read by others if they have access to your firmware backup file.

    It is sometimes the case that even after factory resetting the device using the Remove Device -> Remove and Clear Data options in the app and/or resetting using the push button reset procedure, a subsequent firmware backup will still contain some identifiable information. I have seen this on a number of occasions. eg https://www.elektroda.com/rtvforum/topic4063490.html

    And so, here is how you can check your firmware backups for plain-text credentials in hex. The attached zip file contains a PowerShell script - findstringinbinfiles.ps1 - that can be run to check backups for signs of your wifi SSID or password.

    Unzip the PowerShell script to a preferred location, eg c:\scripts. Elevate PowerShell (run as administrator)

    Navigate to where you saved your script

    Run the script with command .\findstringinbinfiles.ps1 (or whatever you renamed script to)

    Enter part or whole of SSID or your wifi password used to pair device originally and enter the root folder of your backups when prompted. My test backups are in C:\smartdevices. The search is case-sensitive so enter the exact partial or whole match.

    The script will recursively look for all files with extension .bin and return any that contain a match to the keyword entered. My examples:

    and now the same with a part-password search

    These devices were joined to this test Windows hotspot with the Tuya/MagicHome app before I took a backup

    And for a breakdown of how the script works:

    #### 1. Function to Convert a Keyword to a Hexadecimal String

    - Purpose: This function converts a string (keyword) into its hexadecimal representation.
    - Steps:
    - Takes an input string.
    - Converts the string into an array of bytes using UTF-8 encoding.
    - Iterates through each byte, converts it to a two-digit hexadecimal string, and concatenates these hex strings into one final string.
    - Returns the complete hexadecimal string.

    #### 2. Prompt User for a Keyword

    - Purpose: Prompts the user to enter a keyword which will be searched for in the binary files.

    #### 3. Convert the Keyword to a Hexadecimal String Pattern

    - Purpose: Converts the user-entered keyword into a hexadecimal string pattern.
    - Steps:
    - Calls the `Convert-StringToHex` function to convert the keyword into a hex string.
    - Converts the hex string into a byte array by splitting the string into pairs of hex digits prefixed with `0x`.

    #### 4. Prompt User for a Location to Search

    - Purpose: Prompts the user to enter the directory location where the search should be conducted. The search will be recursive, meaning it will include all subdirectories.

    #### 5. Function to Search for a Byte Pattern Within a File's Byte Array

    - Purpose: Checks if a specified byte pattern exists within a file's byte content.
    - Steps:
    - Takes the file content (as a byte array) and the pattern to search for (also as a byte array).
    - Iterates through the file content to find a match for the pattern.
    - If the pattern is found, returns `true`; otherwise, returns `false`.

    #### 6. Search All .bin Files for the Pattern in the Specified Location

    - Purpose: Searches all `.bin` files in the specified directory (and subdirectories) for the byte pattern corresponding to the keyword.
    - Steps:
    - Retrieves all `.bin` files in the specified location recursively.
    - Reads the content of each file into a byte array.
    - Uses the `Find-PatternInFile` function to check if the byte pattern is present in the file.
    - If the pattern is found, outputs the file path where the pattern was found.

    #### 7. Indicate Search Completion

    - Purpose: Prints a message indicating that the search process has completed.

    ### Summary
    This script allows the user to search for a specific keyword within `.bin` files in a specified directory. It converts the keyword into a hexadecimal byte pattern and checks each `.bin` file in the directory (and subdirectories) for this pattern. If the pattern is found in a file, it outputs the file's path.




    In conclusion, I hope this doesn't stop anyone posting backup files but just raises awareness of what they might contain. I hope this demonstrates it's easy to check for personal information in these backups. It may mean a little more work to re-flash/re-pair to a test network, one where you don't care if the credentials are retrievable by others. Yes, it's also easy to load the bin file into HxD and do a manual search, but if you're like me and have a collection of backups, the script is useful for searching them all at once. It's also good to see which firmwares might contain similar AT commands or other strings when researching capabilities and exploits.

    I guess it's all about risk management, maybe no one would care to take the effort to find where your network is broadcasting and travel to the vicinity. But then maybe your wifi password is also a password you use elsewhere...
    Attachments:
    • findstringinbinfiles.zip (897 Bytes)

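The post above walks through the attached script in seven steps (keyword to UTF-8 hex, prompt for keyword and folder, byte-pattern search, recursive .bin scan, completion message), and the FAQ further down summarises the same logic. The following scanner is an added example written for this page; it is not the attached findstringinbinfiles.ps1 and not OpenBeken project code. It follows the same seven steps but takes its inputs as parameters instead of prompts, reports the offset and surrounding bytes of every hit (so you can see what else is stored next to a match), and adds an opt-in case-insensitive mode. The script name Find-BinString.ps1, the parameter names and the sample path are assumptions.

```powershell
# Find-BinString.ps1 (hypothetical name): scan every *.bin under a folder for the
# UTF-8 bytes of a keyword and print the offset and surrounding bytes of each hit.
# Example code added for this page; it is not the attached findstringinbinfiles.ps1.
param(
    [Parameter(Mandatory)][string]$Keyword,   # SSID / password fragment, exact case by default
    [Parameter(Mandatory)][string]$Root,      # folder holding the backups, searched recursively
    [switch]$IgnoreCase,                      # ASCII-only case folding (see note in function)
    [int]$Context = 24                        # bytes shown on each side of a hit
)

# Step 1 of the post: keyword -> UTF-8 -> hex string, so you can see the pattern
# you would otherwise type into HxD.
function Convert-StringToHex {
    param([string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Step 5 of the post, done with String.IndexOf instead of a byte-by-byte loop.
# Latin-1 (code page 28591) maps every byte to exactly one char, so searching the
# decoded string is the same as searching the raw bytes, and it is far faster
# than a PowerShell loop over a 2 MB dump. Returns every match offset.
function Find-PatternOffsets {
    param([byte[]]$Content, [string]$Keyword, [switch]$IgnoreCase)
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $hay    = $latin1.GetString($Content)
    # Encode the keyword as UTF-8 first so a non-ASCII SSID matches its on-flash bytes.
    $needle = $latin1.GetString([System.Text.Encoding]::UTF8.GetBytes($Keyword))
    # OrdinalIgnoreCase is only meaningful for ASCII keywords: for non-ASCII ones it
    # would also case-fold UTF-8 lead bytes (0xC0-0xFF) and produce false positives.
    $cmp = if ($IgnoreCase) { [StringComparison]::OrdinalIgnoreCase } else { [StringComparison]::Ordinal }
    $offsets = @()
    $i = $hay.IndexOf($needle, 0, $cmp)
    while ($i -ge 0) {
        $offsets += $i
        $i = $hay.IndexOf($needle, $i + 1, $cmp)
    }
    return ,$offsets
}

# Render the bytes around a hit like a hex editor's ASCII column: printable ASCII
# as-is, everything else as '.', prefixed with the offset of the first byte shown.
function Format-Context {
    param([byte[]]$Content, [int]$Offset, [int]$Length, [int]$Context)
    $start = [Math]::Max(0, $Offset - $Context)
    $end   = [Math]::Min($Content.Length - 1, $Offset + $Length + $Context - 1)
    $chars = for ($k = $start; $k -le $end; $k++) {
        $b = $Content[$k]
        if ($b -ge 0x20 -and $b -le 0x7E) { [char]$b } else { '.' }
    }
    return ('0x{0:X8}  {1}' -f $start, (-join $chars))
}

# Steps 2-4 and 6-7: walk the tree, test each .bin, report, then say we are done.
$needleLen = [System.Text.Encoding]::UTF8.GetByteCount($Keyword)
Write-Host ("Searching for '{0}' (hex {1}) under {2}" -f $Keyword, (Convert-StringToHex $Keyword), $Root)
$hits = 0
# Filter on .Extension rather than -Filter *.bin: the latter can also match longer
# extensions such as .binary through their 8.3 short names on Windows.
foreach ($file in (Get-ChildItem -Path $Root -Recurse -File | Where-Object { $_.Extension -eq '.bin' })) {
    $bytes   = [System.IO.File]::ReadAllBytes($file.FullName)
    $offsets = Find-PatternOffsets -Content $bytes -Keyword $Keyword -IgnoreCase:$IgnoreCase
    if ($offsets.Count -gt 0) {
        $hits++
        Write-Host ("MATCH {0} ({1} occurrence(s))" -f $file.FullName, $offsets.Count)
        foreach ($o in $offsets) {
            Write-Host ('  ' + (Format-Context $bytes $o $needleLen $Context))
        }
    }
}
Write-Host ("Search complete: {0} file(s) contain '{1}'." -f $hits, $Keyword)
```

Run it as `powershell -ExecutionPolicy Bypass -File .\Find-BinString.ps1 -Keyword 'MyTestSSID' -Root C:\smartdevices` (path assumed). Reading the backups needs no elevation, only read access to the folder; `-ExecutionPolicy Bypass` only matters if your machine blocks unsigned scripts. Two caveats a practitioner should keep in mind: the search, like the original script, finds only credentials stored as plain UTF-8 text, so "no match" does not prove a dump is clean if the vendor firmware stores them encoded or encrypted; and a partial search (the SSID alone, or `-IgnoreCase` as a fallback) plus the context dump is the quickest way to see what else sits in the same configuration area before you upload the file.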
    #2 21144946
    p.kaczmarek2 (Moderator Smart Home)
    A 2MB backup can be very crucial for the reverse-engineering process if your device is not already supported by OpenBeken. This allows you to freely share the firmware with us, so we can do more testing on our side. This was for example used at the first stage of SM15155 research, described here:
    https://www.elektroda.com/rtvforum/topic4060227.html
    That being said, we still in the end got the physical device for testing, but having 2MB flash dump (that we can flash on our CB3S and capture waveforms with the scope) was still helpful nonetheless.

FAQ

TL;DR: A 2MB IoT firmware backup can expose Wi‑Fi credentials, and the post says "it's easy to check" before sharing. This FAQ helps anyone posting BK7231N, BK7231T, BL602, or LN882H .bin dumps scan for exact SSID or password strings with a recursive PowerShell script and reduce privacy risk by using a disposable test network first. [#21144635]

Why it matters: Factory resets do not always remove identifiable network data from smart-device flash dumps, so a public upload can leak credentials you still use.

| Method | Files checked | Search scope | Best use |
| --- | --- | --- | --- |
| PowerShell script | All .bin files recursively | Exact case-sensitive text converted to bytes | Large backup collections |
| HxD manual search | One file at a time | Manual text or hex inspection | Spot-checking a single dump |
| Easy UART Flasher backup | Creates backup file in \backups | Acquisition, not inspection | Reading firmware before analysis |

Key insight: Treat every raw IoT backup as potentially sensitive. Scan it before upload, and pair test devices to a throwaway network if you plan to share the dump later.

Quick Facts

  • Easy UART Flasher creates backup files with both highlighted read options and stores them in the \backups subdirectory of the flasher folder. [#21144635]
  • LN882H and BL602 backup procedures commonly produce a 2048KB binary, equal to 2MB or 2,097,152 bytes. [#21144635]
  • The PowerShell script searches *.bin files recursively, so one run can inspect an entire backup tree instead of one image at a time. [#21144635]
  • The keyword search is case-sensitive, so you must enter the exact SSID fragment or password fragment used during pairing. [#21144635]
  • A 2MB flash dump can help reverse engineering unsupported devices because researchers can reflash it onto a CB3S and capture waveforms with a scope. [#21144946]

How do I scan BK7231N, BK7231T, BL602, or LN882H firmware backup .bin files for plain-text Wi-Fi SSID and password data before sharing them publicly?

Use the included PowerShell script to search your backup folder for exact SSID or password text stored inside .bin files. 1. Unzip findstringinbinfiles.ps1 and run PowerShell as administrator. 2. Run the script, enter the exact SSID or password fragment, then enter the root backup folder. 3. Review any returned file paths, because those .bin files contain the matching byte sequence and should not be shared unchanged. The script searches recursively, so one run can cover many BK7231N, BK7231T, BL602, or LN882H backups at once. [#21144635]

Why do factory firmware backups from Tuya, Magic Home, Cozylife, Blitzwolf, or eWeLink devices sometimes still contain identifiable network information after a factory reset?

They sometimes still contain identifiable data because a reset does not always clear all stored Wi‑Fi information in flash. The thread reports repeated cases where a new backup still held recoverable identifiers even after using app options like "Remove Device -> Remove and Clear Data" and button-based reset procedures. That means SSIDs, password fragments, or related strings can survive long enough to appear in a later firmware dump. [#21144635]

What is a factory firmware backup or flash dump in the context of IoT devices, and why is it useful for troubleshooting and restoring devices?

A factory firmware backup is a saved binary image of the device's original flash contents that preserves the vendor firmware, configuration area, and behavior baseline for later restore and analysis. It is useful because you can restore a device to its original state, troubleshoot RF issues, confirm whether behavior is normal for the manufacturer firmware, prepare a unit for resale, or capture more TuyaMCU communication data. [#21144635]

What is OpenBeken, and how does it use 2MB flash dumps during reverse engineering of unsupported devices?

OpenBeken is a firmware project that supports certain IoT devices, aids reverse engineering, and uses original flash dumps as reference data for unsupported hardware. When a device is not yet supported, a 2MB dump lets researchers inspect the vendor image, reflash it onto compatible hardware such as a CB3S, and capture waveforms with a scope during early analysis. [#21144946]

Which Easy UART Flasher backup option should I use for Beken chips, and where are the backup files stored after reading the firmware?

Either highlighted backup button in Easy UART Flasher will create a firmware backup for supported Beken targets. The post states that both highlighted buttons generate a backup file, and the file is written into the \backups subdirectory under the Easy Flasher root folder. That makes the tool the easiest common backup path mentioned for OpenBeken-related work on BK7231-family devices. [#21144635]

How does the PowerShell script findstringinbinfiles.ps1 work when searching recursively through .bin backups for SSIDs, passwords, or other text strings?

It converts your text keyword into UTF-8 bytes, then scans each .bin file byte-by-byte for the same sequence. The script reads all .bin files under the chosen folder with Get-ChildItem -Recurse, uses ReadAllBytes to load each file, and returns the full path when the byte pattern matches. It finishes by printing "Search complete." after checking the recursive file set. [#21144635]

What file size should I expect from LN882H and BL602 firmware backups, and why do they commonly produce a 2048KB binary file?

You should usually expect a 2048KB backup, which is 2MB or 2,097,152 bytes. The thread states that LN882H and BL602/LF686 backup procedures, in the vast majority of cases, produce that same full-size .bin image. In practice, that means you often receive one standard-sized dump that is large enough to include both firmware and any leftover plain-text strings. [#21144635]

When searching firmware backups for credentials, what exact keyword format should I enter in PowerShell, and why does case sensitivity matter?

Enter the whole SSID, whole password, or an exact partial fragment exactly as the device originally stored it. The script is case-sensitive, so MyWiFi and mywifi are different searches and can produce different results. If you mistype the capitalization, the scan can miss a valid match even when the credential exists in the .bin file. [#21144635]

How does searching a firmware dump with HxD compare with using a PowerShell script for checking many IoT backup files at once?

HxD works for manual inspection, but the PowerShell script scales better for many backups. The thread says loading a .bin into HxD and searching manually is easy, yet the script becomes more useful when you have a collection of dumps because it checks all .bin files recursively in one run. Use HxD for one image and the script for a whole backup archive. [#21144635]

What steps should I follow to safely prepare an IoT device for resale without exposing old Wi-Fi credentials in the backup image?

Use a reset-and-verify workflow, because reset alone may leave old network data behind. 1. Remove the device in the app with "Remove Device -> Remove and Clear Data" and perform the push-button reset. 2. Re-pair the device to a test network whose credentials you do not reuse elsewhere. 3. Take a fresh backup and scan the .bin for the old SSID or password before sharing or archiving it. This reduces the chance that a resale backup exposes your real home network. [#21144635]

Why is a 2MB backup especially valuable when reverse engineering a device that is not yet supported by OpenBeken?

A 2MB backup gives researchers enough original flash data to start testing before they even have the exact device in hand. The thread explains that such a dump can be reflashed onto a CB3S and used for waveform capture with a scope, which helps early reverse-engineering work on unsupported targets. It was valuable in the first stage of SM15155 research, even though physical hardware was later obtained. [#21144946]

What are the risks of uploading a raw firmware backup from a previously paired smart device to a public forum like Elektroda?

The main risk is exposing plain-text identifiers or credentials that other people can extract from the raw .bin file. The post shows that devices previously paired with apps such as Tuya or Magic Home may store SSID and Wi‑Fi password data in flash, and that data may remain visible even after reset. If you reused that password elsewhere, the privacy and security impact becomes much larger than a single IoT device. [#21144635]

How should I set up a test hotspot or disposable network before pairing Tuya or Magic Home devices so later firmware dumps do not expose my real home credentials?

Pair the device to a separate test hotspot whose SSID and password you can safely disclose. The thread demonstrates this with a test Windows hotspot used before taking backups, so any recovered strings belonged to that disposable environment instead of a real home network. That approach limits harm if you later upload a 2MB dump for troubleshooting or reverse engineering. [#21144635]

What other sensitive plain-text strings besides SSID and Wi-Fi password might appear inside IoT firmware backups, such as AT commands or device configuration data?

Other searchable plain-text strings can include AT commands and similar configuration or capability markers. The post explicitly notes that the same script is useful for finding not only SSIDs and passwords, but also similar AT commands or other strings when researching capabilities and exploits. That means a dump can reveal more than credentials, even if the network fields are absent. [#21144635]

If I already shared a firmware dump online, what cleanup and mitigation steps should I take to reduce privacy and security risks afterward?

Assume the shared dump is recoverable and rotate exposed credentials first. 1. Change the Wi‑Fi password if the uploaded .bin may contain it. 2. Remove or replace the public file with a cleaned dump made after pairing to a disposable network. 3. Reflash or re-pair the device, then rescan the new backup for exact old credentials before sharing again. The thread frames this as risk management, especially if the same password is reused elsewhere. [#21144635]
Generated by the language model.