Power Meter KWS-302WF: Switching from Shunt to Transformer with HT7017 Chip sometime in the futur ..

Lusant 4743 30

#31 21617102 25 Jul 2025 22:10

DGAlexandru DGAlexandru

Level 7

Helpful post? (0)

Post #31
21617102 25 Jul 2025 22:10

Hi Lusant,

thanks for the file... it makes some more light into those "unknown" dpIDs:
"switch_schedule" for "dp_id": 122 - now it makes sense. In the Smart Life App you can define schedules to control the relay. I think they used a different dpID for this than the 0x10 / 16 one just to have a trace of the owner of the command

I confirm that pressing + and - buttons on the device, for 5s, resets all the values in the device, including this dpID 0x7b / 123. The screen puts underscores "___" at all the values for about 1 second then it switches the Relay to Off and changes the screen to "Relay Off" mode and stays like that.
It also resets the configured values for UnderVoltage, OverVoltage and so on to their default values.
Great find!

Now if I could make Ghidra help me in decompiling the MCU firmware to something I can work with so I can modify it to have at least a "recovery time" option

Added after 25 [minutes]:

Revised autoexec.bat version based on the new findings now draws the GUI like this:

(I edited my previous message with the autoexec.bat code and updated it there)
ADVERTISEMENT
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Topic summary

The discussion centers on modifying the Power Meter KWS-302WF to switch its current measurement method from a shunt resistor to a transformer. The device uses an HT7017 measurement chip from HitrendTech, controlled by a PY32F002A MCU, which interfaces with a TM1622 display driver and a WiFi module identified as CBU (likely BK7231N). Communication between HT7017 and PY32F occurs at 4800 bps, while between CBU and PY32F it is at 115200 bps. Efforts include intercepting UART communications and backing up firmware to enable custom firmware flashing, particularly on the CBU WiFi module, using OpenBeken firmware and TuyaMCU protocols. Challenges include potential MCU protection and limited documentation on HT7017. The community provides resources such as firmware backups, dpID mappings, and autoexec.bat configuration examples for TuyaMCU integration, enabling relay control, voltage display, and parameter settings like overvoltage and overcurrent protection. Additional observations highlight incomplete frequency parsing in OpenBK firmware and the absence of recovery time settings after protection trips. A hardware fault involving the U3211 power supply chip is also discussed, with datasheets and sourcing advice provided.
Summary generated by the language model.

FAQ

TL;DR: 115 200-baud UART lets the BK7231N Wi-Fi module talk to the PY32F002A MCU, and “Once you flash OpenBeken, Tuya has no access at all” [Elektroda, #21226741 #21226744]. Why it matters: correct speed and open firmware decide whether your KWS-302WF becomes cloud-free or a brick.

Quick Facts

• UART speeds: 4800 bps (HT7017↔MCU) and 115 200 bps (MCU↔BK7231N) [Elektroda, 21226741]
• Metrology IC: HT7017, ±0.1 % typical accuracy *HT7017 datasheet*
• Wi-Fi SoC: BK7231N with 2 MB flash [Elektroda, 21226735]
• Factory firmware seen: v2.1.6 and v2.1.17 [Elektroda, 21340504]
• PSU controller that often fails: UNI U3211, 85-265 VAC input *U3211 datasheet*

What main chips are inside the KWS-302WF power meter?

The meter uses an HT7017 metrology IC, a PY32F002A 32-bit MCU to handle the display and protection logic, a BK7231N (labelled CBU) for Wi-Fi, and a TM1622 LCD driver under MCU control [Elektroda, #21226708 #21226735].

Which UART speed must I set in OpenBeken’s autoexec.bat?

Set tuyaMcu_setBaudRate 115200 because the BK7231N <-> PY32F002A link runs at 115 200 bps [Elektroda, 21226741] The HT7017 link stays at 4 800 bps but OpenBeken does not touch it.

Can I replace the shunt with a current transformer?

Hardware swap is possible, but calibration lives inside the protected PY32F002A. Without rewriting that firmware the reading will be wrong, so most users keep the original shunt and just log data via Wi-Fi [Elektroda, #21226735 #21226741].

How do I flash OpenBeken safely?

Desolder or isolate the BK7231N UART pins because the same port is used for Tuya MCU traffic [Elektroda, 21226735]
Make a complete 2 MB flash backup with BK7231GUIFlashTool [Elektroda, 21226735]
Flash OpenBeken, then re-enable the UART lines. This restores original firmware if something fails.

Where can I get the dpID list for this meter?

A cleaned JSON list mapping dpIDs 16-123 to functions such as Voltage, Current and Over-Power was posted by divadiow [Elektroda, 21338483] Both firmware versions share this map [Elektroda, 21365919]

How do I map dpIDs to channels in OpenBeken?

Three steps:

For each measurement run linkTuyaMCUOutputToChannel val .
Assign a type with setChannelType (e.g., voltage_div10).
Optionally add setChannelLabel for clarity. Hypnotics’ working script shows Voltage (dp 101) on channel 2, Current (102) on channel 3, etc. [Elektroda, 21348761]

How can I clear the accumulated kWh counter?

Toggle dpID 118 (Electricity Clear). Hypnotics mapped it to channel 9 and verified that the relay and readings stay intact [Elektroda, 21349683]

Is there a setting for relay recovery delay after over-voltage trips?

No dpID in the published list controls a recovery timer. Both community firmware dumps lack such a parameter [Elektroda, #21365793 #21365871].

What hardware failure is most common?

Blown UNI U3211 power-supply IC stops Wi-Fi and blanks the LCD. One user reported total blackout until the chip was replaced [Elektroda, 21428074] The part costs about US $0.30 in bulk U3211 datasheet.

Where can I buy a replacement U3211?

Search for “UNI U3211 SOP-8” on Aliexpress, LCSC or local parts brokers. Lusant confirmed availability after his own repair [Elektroda, 21527175]

What is the rated current and power of the meter?

Product labels show 0–20 A and up to 4.4 kW at 220 V Typical KWS-302WF listing. Exceeding 20 A risks shunt overheating.

Can I downgrade from v2.1.17 to v2.1.6?

Yes, as long as you have a full 2 MB backup. Flashing older firmware restores original Tuya keys, because they are stored in the same image [Elektroda, #21340103 #21340504].

How accurate are the measurements after flashing OpenBeken?

Accuracy remains within ±0.1 % of reading because OpenBeken only replaces the Wi-Fi stack; HT7017 and PY32F002A continue to handle calibration [Elektroda, 21226735] HT7017 datasheet.

Does flashing OpenBeken block Tuya’s cloud?

Yes. As p.kaczmarek2 states, “Once you flash OpenBeken, Tuya has no access at all” [Elektroda, 21226744]