logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

TUYA Blood Pressure Monitor BLE Readings - Smaller Chip Inquiry

elektradi 843 13
ADVERTISEMENT
Reply | New topic
  • #1 21281017
    elektradi
    Level 6  
    Circuit board with electronic components of a TUYA blood pressure monitor. Circuit board with electronic components, including a BLE module and LED display. TUYA blood pressure monitor circuit board with electronic components and LED display. Close-up of a pressure monitor circuit board with a BLE module and LED displays. Electronic module with TUYA marking on a circuit board, visible components and connectors.

    This is a TUYA blood pressure monitor and I'm trying to get the readings via BLE. It is smaller than the usual ones found in the switches, anyone seen this before?
  • ADVERTISEMENT
  • #2 21281085
    p.kaczmarek2
    Moderator Smart Home
    Can you remove the metal shield and tell which MCU is used by this wireless module? Is it Beken?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #4 21282367
    p.kaczmarek2
    Moderator Smart Home
    If you are sure that it's bk3432, there is no need to remove the metal shielding.
    By the way, removing metal shielding does NOT Break the device, if done correctly.
    Still, we didn't do any work on BK3432 yet. We would need to first try available SDKs, like:
    https://github.com/Cdreamyao/tuya_ble_sdk_Demo_Project_bk3432
    Helpful post? Buy me a coffee.
  • #5 21282374
    elektradi
    Level 6  
    The device transmits to the BK3432 using 9600bps UART

    Added after 5 [minutes]:

    Every time I power up, it sends this to the BK3432

    55 aa 00 00 00 01 00 00 55 aa 00 01 00 70 74 62
    76 6f 79 64 6a 31 2e 30 2e 30 6c 55 aa 00 02 00
    00 01

    Then if I quickly power it off, it sends 0x00

    Any idea what this protocol is?

    Added after 18 [minutes]:

    Found https://images.tuyacn.com/smart/aircondition/Guide-to-Interworking-with-the-Tuya-MCU.pdf
  • #6 21282427
    divadiow
    Level 34  
    partially decodes as a heartbeat

    Screenshot of the TuyaMCU Explorer/Analyzer program showing raw packet data in hex format, partially decoded as heartbeat.
  • ADVERTISEMENT
  • #7 21282438
    elektradi
    Level 6  
    want to add to your collection?

    Sniffing on RX of BK3432

    sys: 115, dia: 77, pulse 79, this is definitely unix timestamp 31373330323830333633303030

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK

    Received by WiFi module:
    55 AA 00 E0 00 30 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 F6
    HEADER VER=00 Unk LEN 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 CHK

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK
  • #8 21282642
    p.kaczmarek2
    Moderator Smart Home
    Maybe we could replace BK3432 with something more easily flashable?

    What is on the other side of the UART line?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #9 21282814
    elektradi
    Level 6  
    Sniffing on TX of BK3432

    1. I powered up and then powered off

    55 aa 00 00 00 00 ff
    55 aa 00 01 00 00 00
    55 aa 00 02 00 00 01
    55 aa 00 03 00 01 01 04
    00

    The last 00 is sent when I press power off

    2. I powered up and took a measurement, then power off

    55 aa 00 00 00 00 ff
    55 aa 00 01 00 00 00
    55 aa 00 02 00 00 01
    55 aa 00 03 00 01 01 04
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff

    55 aa 00 e0 00 01 00 e0
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    00

    Added after 32 [minutes]:

    >>21282642

    What would you suggest? ESP32?
  • #10 21282854
    p.kaczmarek2
    Moderator Smart Home
    There are two UART lines, which are you checking? BT RX to MCU TX or BT TX to MCU RX?

    OBK can run on ESP32.
    Helpful post? Buy me a coffee.
  • #11 21282907
    elektradi
    Level 6  
    Please see updates to my earlier posts on where I was sniffing the traffic.

    The ESP32 and the BK3432 module foot print is very different, need some way to secure it or maybe, just solder ESP32 to VCC/GND/RX/TX as a sniffer chip and leave the BK3432 as-is
  • #12 21284994
    p.kaczmarek2
    Moderator Smart Home
    I think you could easily use ESP module for that. Flash it with Arduino OTA bootloader and write some simple code to intercept the communication. We can help. Would you like to give it a go?

    This will be easier than replacing BK with ESP because in case of full replacement you need to implement whole UART protocol, and in case of sniffing you need to just parse what you want.
    Helpful post? Buy me a coffee.
  • #13 21285040
    elektradi
    Level 6  
    >>21284994

    do you know how to fully decode the payloads I sent earlier?
  • #14 21285412
    p.kaczmarek2
    Moderator Smart Home
    This may contain some data:

    Received by WiFi module:
    55 AA 00 E0 00 30 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 F6
    HEADER VER=00 Unk LEN 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 CHK

    0xE0 may mean it's a Report record-type data (0xE0) command.
    See: https://developer.tuya.com/en/docs/iot/ble-do...ock-mcu-development-overview?id=K95l67wf9xopf
    Quote:
    Report record-type data (0xE0)
    - If the module is offline when receiving reported data from the MCU, it will save the data to its flash memory and send the stranded data after going online. After the last piece of stranded data is sent to the cloud, the module will release the cache.
    - The module can cache up to N pieces of DP data. When the limit is reached, the newest record will overwrite the oldest one.
    -> The nRF52832 and BK3431Q based modules can store up to 80 pieces of data, with a maximum length of 200 bytes per piece.
    -> The BK3432 based modules can store up to 32 pieces of data, with a maximum length of 32 bytes per piece.
    - The time drift of the module’s internal clock is less than one minute in 24 hours. The module will sync its clock with the server time each time it is connected to the cloud. If you require highly accurate time, you can report data using the MCU’s timestamp.


    Table of MCU-sent data with field descriptions.
    Screenshot showing data format for report types 0x01 and 0x03 from Bluetooth and MCU modules.
    Helpful post? Buy me a coffee.
Reply | New topic
Report a violation of the law

Topic summary

The discussion revolves around a TUYA blood pressure monitor that utilizes BLE for readings. The user inquires about the possibility of identifying a smaller chip within the device, specifically the BK3432, and whether removing the metal shield would damage the device. Responses suggest that removing the shield is safe if done correctly, and that the BK3432 chip is compatible with existing SDKs. The communication protocol involves UART transmission at 9600bps, with various data packets being analyzed. Suggestions include using an ESP32 module for intercepting communications instead of replacing the BK3432, as it would simplify the process of decoding the data without needing to implement the entire UART protocol.
Summary generated by the language model.
Popular Topics
ADVERTISEMENT