Inside a Tuya Doorbell: BK7252 Exploration and SPI Programming with Python/NeoProgrammer

divadiow 6618 36

#31 21717022 11 Oct 2025 16:52

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #31
21717022 11 Oct 2025 16:52

yes. more GPIOs could be done probably but it's OK for now. it looks a bit messy inside. Hoping the enamel holds on these wires. there are no shorts (at the moment)
ADVERTISEMENT
#32 21738029 01 Nov 2025 11:51

akeilox akeilox

Level 2

Helpful post? (0)

Post #32
21738029 01 Nov 2025 11:51

Stumbled on this thread during search, and delighted with the amount of tinkering.
These doorbells are sold in two types: Kement or Tuya app compatible. Kement one being widely available and cheaper.
My question is: can I change firmware from Kement to Tuya by OTA update?
ADVERTISEMENT
#33 21738166 01 Nov 2025 14:30

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #33
21738166 01 Nov 2025 14:30

The Kements that have been seen are both XR872 chip, not BK7252U. What is your Kement inside?

here's one: https://www.elektroda.com/rtvforum/topic4150435.html
#34 21738175 01 Nov 2025 14:50

akeilox akeilox

Level 2

Helpful post? (0)

Post #34
21738175 01 Nov 2025 14:50

>>21738166

Thanks for the link! I did not expect they'd gone with different chip and board for the same product.
I did not yet order it; I came across a listing of Kement type which was dramatically cheaper than Tuya version and thought firmware might be the only difference.
It's also interesting how much detail can be found inside the APK file, like the JSON object used.
I have a bunch of Tuya sensors, recently added Cat Feeder and plan to eventually go with ESPHome/HomeKit automation and thought this doorbell was cheap and hackable. It seems in very early stages now, as chips/board differ and extracting firmware has nuances between XR872 and BK725U.
ADVERTISEMENT
#35 21753146 16 Nov 2025 15:03

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #35
21753146 16 Nov 2025 15:03

divadiow wrote:
14: CMP/TB seems to be the one

This may relate to OpenBeken booting. I've been flashing BK7252U with bootloader only quite a few times this weekend, power cycles in between and SREG2:14 isn't becoming ticked, so no need to clear it. Only when OpenBeken boots did it become enabled for the next SPI flash
ADVERTISEMENT
#36 21759739 23 Nov 2025 12:56

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #36
21759739 23 Nov 2025 12:56

Hello @insmod. Before I forget why/what, should I try to fix the Tuya BK7252U BL for working OTA (as worked on in DMs) or were you going to?

There's also the fact that the Tuya variant is missing in release asset list at the moment...
Helpful post

#37 21760281 23 Nov 2025 20:41

insmod insmod

Level 29

Helpful post? (+1)

Helpful post
Post #37
21760281 23 Nov 2025 20:41

>>21759739
Sure, but it needs to be decrc'ed and with normal, non-N partitions.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Topic summary

The discussion centers on reverse engineering a low-cost Tuya doorbell featuring the BK7252 SoC. The device was physically inspected, revealing a QFN68 BK7252 chip and multiple test pads including UART interfaces for logging and firmware flashing. UART boot logs were captured, showing RT-Thread OS messages and missing partition tables on flash. SPI flash access was achieved using an LC Technology CH341A programmer in I2C mode, with test pads mapped to CH341A pins, and a Python script was used to enter SPI mode before employing NeoProgrammer for flash operations. The Tuya bootloader uses a dual partition (ping-pong) OTA scheme with a 4MB flash size and a 0x11000 offset for the bootloader. OpenBK7252 firmware support is partial, with some success reported using BK7231GUIFlashTool adapted for BK7252, though full cloud-free firmware replacements are not yet available. Firmware backups are recommended before experimentation. Additional resources include BK7252 SDKs, community projects, and detailed partition and bootloader information. Challenges remain in UART flashing reliability on this device, and efuse reading was queried but not resolved. The discussion includes links to firmware, SDKs, and flashing tools, as well as references to similar devices and ongoing development efforts.
Summary generated by the language model.

FAQ

TL;DR: For Tuya BK7252 doorbells, reliable backups/flashing work over CH341A SPI; one unit needed 398 attempts — “Today this look 398 attempts.” Run the Python helper, then read/write with NeoProgrammer. [Elektroda, divadiow, post #21512355]

Why it matters: This FAQ helps hardware tinkerers back up, unbrick, or experiment with BK7252-based Tuya doorbells without losing factory firmware.

Quick Facts

- Core silicon: Beken BK7252 (QFN68); on-board flash XTX XT25F32B 4 MiB, JEDEC 0B 40 16. [Elektroda, divadiow, post #21213265]
- Exposed pins: UART2_TX for logs; P10 UART1_RX and P11 UART1_TX for flashing. [Elektroda, divadiow, post #21213265]
- SPI wiring used here: CE→CH341 D2, TCK→SCK, TMS→CS0, TDI→MOSI, TDO→MISO; set CH341 jumper to I2C. [Elektroda, divadiow, post #21512355]
- Tuya OTA scheme: ping‑pang dual partitions, app1 at 0x11000 and app2 at 0x1BA000; bootloader skips RBL. [Elektroda, insmod, post #21513232]
- No full drop-in replacement firmware for BK7252U doorbells yet; keep a full backup. [Elektroda, divadiow, post #21578866]

What chipset and flash are inside this Tuya doorbell?

It uses a Beken BK7252 (QFN68). The SPI flash is XTX XT25F32B, 4 MiB capacity, with JEDEC ID 0B 40 16. The PCB exposes well-labeled test pads for UART and JTAG/SPI access. Photos and a full boot log confirm the platform and memory. This baseline helps you choose the right flasher, offsets, and OTA expectations. [Elektroda, divadiow, post #21213265]

Which UART pins should I use for logs and flashing?

Use UART2_TX for boot logs. Use P10 (UART1_RX) and P11 (UART1_TX) for flashing and backups. The thread identifies both UART sets on the test pads. Keep wires short and solidly soldered or use quality pogo pins to reduce noise during high-baud transfers. [Elektroda, divadiow, post #21213265]

How do I enter BK7252 SPI mode and dump flash with a CH341A?

Three steps:

Put CH341A in I2C mode; wire pads: CE→D2, TCK→SCK, TMS→CS0, TDI→MOSI, TDO→MISO.
Run the provided Python wrapper to toggle CEN and enter SPI; wait for the 0x9F ID pattern.
Once in SPI mode, use NeoProgrammer to detect and read/erase/program the flash. [Elektroda, divadiow, post #21512355]

How long can entering SPI mode take on BK7252?

It can be slow. One capture needed 398 attempts before the expected SPI response appeared. As the author noted, “Today this look 398 attempts.” If retries take long, adjust timing and ensure stable CE control from CH341A GPIO2. [Elektroda, divadiow, post #21512355]

Which tools should I use once the chip is in SPI mode?

Use NeoProgrammer to auto-detect the flash and perform read/erase/program. The helper Python executable only handles the SPI-mode entry and basic JEDEC read; NeoProgrammer handles the actual dump and writes after that. Keep the wiring from the CH341A short and shielded. [Elektroda, divadiow, post #21512355]

Does BK7231GUIFlashTool support BK7252 over UART?

Yes. BK7252 support was added in the tool. Quoting the maintainer: “BK7252 is like BK7231T but without ‘wrap around 2MB’ hack … read/write just skips bootloader (0x11000 offset).” Use the new BK7252 mode and follow the tutorial notes. [Elektroda, p.kaczmarek2, post #21525243]

Why does Easy UART Flasher sometimes fail on this doorbell?

Some boards block or disturb T/N mode. The author could not back up this unit with Easy UART Flasher in T or N mode, and BKFIL did not recognize BK7252. When that happens, switch to the SPI method described above. [Elektroda, divadiow, post #21213265]

Is there an alternate UART method I can try if the normal one fails?

Yes. Use the hid_download_py method from the linked tutorial. It can succeed where standard UART bootstrap fails. Follow the steps carefully and confirm your USB‑UART (e.g., FT232R) and wiring quality before retries. [Elektroda, p.kaczmarek2, post #21526049]

What does a successful BK7252 UART dump look like?

One successful session started at 0x11000, read 495 sectors, verified CRC 0x64E354DE, and produced 2,027,520 bytes. Using an FT232R improved reliability in that case. Save the output and verify CRC before proceeding with any erase or write. [Elektroda, divadiow, post #21526057]

How does Tuya OTA work on BK7252?

It uses a ping‑pang (dual app) layout. Bootloader partitions are app1 at 0x11000 and app2 at 0x1BA000. The standard Tuya bootloader doesn’t use RBL; it toggles between these partitions. Package metadata matches that dual scheme. [Elektroda, insmod, post #21513232]

Why didn’t an OpenBK OTA persist after reboot?

Logs showed the OTA copy then a reboot, but the bootloader reported FAL partition table not found and jumped to 0x10000. This aligns with Tuya’s dual-partition scheme rather than OpenBK’s RBL approach. [Elektroda, divadiow, post #21514822]

Can I flash OpenBK7252 on this doorbell today?

You can experiment, but there is no fully-functioning, cloud‑free replacement yet for BK7252U doorbells. As the author cautioned, “there is no fully-functioning replacement firmware for BK7252U.” Always keep a verified full backup first. [Elektroda, divadiow, post #21578866]

Why won’t OpenBK7252_Tuya_QIO at 0x0 boot on this unit?

On this doorbell, the Tuya QIO image at 0x0 did not boot until a compatible bootloader was spliced in. Tuya’s BL and partitioning expectations differ, so include the matching BL if you test. [Elektroda, divadiow, post #21617297]

Should I back up the full 4 MB including the bootloader?

Yes. Keep a complete 4 MB dump that includes the bootloader, so you can restore factory behavior if needed. This is especially important while experimenting with OpenBK or custom builds. [Elektroda, divadiow, post #21578866]

Where can I get BK7252 Tuya SDKs for reference?

Multiple Tuya BK7252 SDK zip releases were shared (1.1.10 through 1.1.23). Use them to study partitioning, OTA handling, and drivers before attempting custom builds. [Elektroda, divadiow, post #21499790]

My logs show SD timeouts and "no sdcard"—is something broken?

No, that’s expected without a card. The boot log repeats CMD8 timeouts and reports “no sdcard,” then continues. Insert a supported microSD if you need on-device recording. The device boots and operates without it. [Elektroda, divadiow, post #21213265]