FAQ
TL;DR: Tuya BK3432 BLE modules cache up to 32 records (32 bytes each). "0xE0 may mean it's a Report record-type data." Sniff the 0x55AA UART stream to extract blood pressure readings without replacing the module. For makers needing local BP data via BLE UART. [Elektroda, p.kaczmarek2, post #21285412]
Why it matters: You can capture systolic/diastolic/pulse locally, avoid cloud lock-in, and integrate with ESP32-based workflows.
Quick Facts
- UART link observed at 9600 bps between the main MCU and the BK3432 BLE module. [Elektroda, elektradi, post #21282374]
- Tuya MCU frames start with 0x55 0xAA; boot emits heartbeat frames like 55 AA 00 00 ... 01 01. [Elektroda, elektradi, post #21282438]
- Command 0xE0 is record-type reporting; BK3432 caches up to 32×32-byte records; time drift <1 minute/day. [Elektroda, p.kaczmarek2, post #21285412]
- Two UART directions: BT RX⇐MCU TX and BT TX⇒MCU RX; sniff both sides. [Elektroda, p.kaczmarek2, post #21282854]
- Power-off generates a single 0x00 byte on the line as an event marker. [Elektroda, elektradi, post #21282814]
Will removing the metal shield break my TUYA BLE module?
No, removing the RF can does not break the device if you do it carefully. If you already confirmed it's BK3432 by footprint or markings, you don't need to remove the shield to proceed. Work slowly, avoid lifting pads, and reflow evenly if you must open it. [Elektroda, p.kaczmarek2, post #21282367]
How can I confirm it’s a BK3432 without opening the shield?
Match the module’s footprint, pinout, and antenna layout against the Tuya YLB1/BK3432 reference. The thread author noted the pinouts and antenna design are the same, indicating BK3432. Visual confirmation often suffices for planning UART sniffing. [Elektroda, elektradi, post #21281091]
What UART settings should I use to capture data?
Use 9600 bps. The BP monitor’s main MCU talks to the BK3432 at 9600 bps over UART. Configure your sniffer to that rate and capture both directions to see heartbeats, records, and power events. [Elektroda, elektradi, post #21282374]
Which UART direction carries which data?
There are two lines: BT RX (module receives from MCU) and BT TX (module transmits to MCU). Tap both to observe reported data and acknowledgements. The choice determines whether you see measurements or module responses. [Elektroda, p.kaczmarek2, post #21282854]
What do the 0x55 0xAA frames mean at startup?
They are Tuya MCU protocol frames. On boot you will see heartbeats such as 55 AA 00 00 ... 01 01. These keep the link alive and confirm module presence before measurement data flows. [Elektroda, elektradi, post #21282438]
Does 0xE0 indicate record-type uploads?
Yes. 0xE0 is the record-type reporting command. BK3432 caches up to 32 records at 32 bytes each and later uploads them; if offline, it buffers. Limit reached? The newest overwrites the oldest. Time drift is under one minute per 24 hours. [Elektroda, p.kaczmarek2, post #21285412]
How do I decode the example 0xE0 payload with timestamp?
The payload includes ASCII-encoded digits for time, for example the sequence 31 37 33 ... decodes to a timestamp string. Map remaining bytes by Tuya DP format (DP ID, type, length, value) to extract systolic, diastolic, and pulse. [Elektroda, elektradi, post #21282438]
What traffic appears during a blood pressure measurement?
You will see repeated heartbeats and a single 0xE0 record sequence when a measurement completes. When powering off, the line emits a trailing 0x00 byte to mark the event. Capture both directions to correlate frames with cuff actions. [Elektroda, elektradi, post #21282814]
Is replacing the BK3432 with an ESP32 a good idea?
Sniffing is easier than replacement. “This will be easier than replacing BK,” because full replacement means re-implementing the entire UART protocol, while sniffing only needs parsing. Use an ESP32 as a passive interceptor. [Elektroda, p.kaczmarek2, post #21284994]
Can OBK firmware run on ESP32 for processing these frames?
Yes. “OBK can run on ESP32.” That lets you parse Tuya frames, forward readings to MQTT/Home Assistant, or log measurements without touching the BK3432 firmware. [Elektroda, p.kaczmarek2, post #21282854]
How do I set up an ESP32 to sniff the UART (3-step)?
- Flash an ESP32 with an Arduino OTA bootloader to allow easy updates.
- Wire ESP32 GND to device GND, and UART pins to the two lines through high-impedance buffering.
- Log both directions and parse 0x55AA frames to extract DPs.
“Flash it with Arduino OTA bootloader and write some simple code to intercept the communication.” [Elektroda, p.kaczmarek2, post #21284994]
Where’s the Tuya MCU UART protocol guide for decoding DPs?
See the Tuya “Guide to Interworking with the Tuya MCU” referenced in the thread. It explains the 0x55AA frame structure and DP fields, enabling you to map blood pressure, pulse, and timestamps from payloads. [Elektroda, elektradi, post #21282374]
Does powering off send a special marker?
Yes. A single 0x00 byte is seen on the line when the device powers off. Treat it as an event delimiter in your parser to close out partial frames or mark session boundaries. [Elektroda, elektradi, post #21282814]
Is there an SDK for BK3432 if I later want BLE control?
An open BK3432 BLE SDK demo is referenced for experimentation. While this project focused on UART sniffing, the SDK can help if you move toward custom BLE integrations or module-side logic. [Elektroda, p.kaczmarek2, post #21282367]
The ESP32 footprint doesn’t match BK3432—how should I wire it?
Don’t replace the module. Solder the ESP32 to VCC, GND, RX, and TX as a sniffer, and leave the BK3432 in place. This avoids re-implementing Tuya’s protocol and preserves device function. [Elektroda, elektradi, post #21282907]
