
TUYA Blood Pressure Monitor BLE Readings - Smaller Chip Inquiry

elektradi 1833 13
  • #1 21281017
    elektradi
    Level 7  
    [Images: five photos of the TUYA blood pressure monitor circuit board, showing the electronic components, the BLE module with TUYA marking, the LED displays and the connectors.]

    This is a TUYA blood pressure monitor and I'm trying to get the readings via BLE. It is smaller than the usual ones found in the switches, anyone seen this before?
  • #2 21281085
    p.kaczmarek2
    Moderator Smart Home
    Can you remove the metal shield and tell which MCU is used by this wireless module? Is it Beken?
  • #4 21282367
    p.kaczmarek2
    Moderator Smart Home
    If you are sure that it's bk3432, there is no need to remove the metal shielding.
    By the way, removing metal shielding does NOT break the device, if done correctly.
    Still, we didn't do any work on BK3432 yet. We would need to first try available SDKs, like:
    https://github.com/Cdreamyao/tuya_ble_sdk_Demo_Project_bk3432
  • #5 21282374
    elektradi
    Level 7  
    The device transmits to the BK3432 using 9600bps UART

    Added after 5 [minutes]:

    Every time I power up, it sends this to the BK3432

    55 aa 00 00 00 01 00 00 55 aa 00 01 00 70 74 62
    76 6f 79 64 6a 31 2e 30 2e 30 6c 55 aa 00 02 00
    00 01

    Then if I quickly power it off, it sends 0x00

    Any idea what this protocol is?

    Added after 18 [minutes]:

    Found https://images.tuyacn.com/smart/aircondition/Guide-to-Interworking-with-the-Tuya-MCU.pdf
  • #6 21282427
    divadiow
    Level 38  
    Partially decodes as a heartbeat

    [Screenshot: the TuyaMCU Explorer/Analyzer program showing raw packet data in hex format, partially decoded as heartbeat.]
  • #7 21282438
    elektradi
    Level 7  
    Want to add to your collection?

    Sniffing on RX of BK3432

    sys: 115, dia: 77, pulse 79, this is definitely unix timestamp 31373330323830333633303030

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK

    Received by WiFi module:
    55 AA 00 E0 00 30 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 F6
    HEADER VER=00 Unk LEN 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 CHK

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK

    Received by WiFi module:
    55 AA 00 00 00 01 01 01
    HEADER VER=00 Heartbeat LEN 01 CHK
  • #8 21282642
    p.kaczmarek2
    Moderator Smart Home
    Maybe we could replace BK3432 with something more easily flashable?

    What is on the other side of the UART line?
  • #9 21282814
    elektradi
    Level 7  
    Sniffing on TX of BK3432

    1. I powered up and then powered off

    55 aa 00 00 00 00 ff
    55 aa 00 01 00 00 00
    55 aa 00 02 00 00 01
    55 aa 00 03 00 01 01 04
    00

    The last 00 is sent when I press power off

    2. I powered up and took a measurement, then powered off

    55 aa 00 00 00 00 ff
    55 aa 00 01 00 00 00
    55 aa 00 02 00 00 01
    55 aa 00 03 00 01 01 04
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff

    55 aa 00 e0 00 01 00 e0
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    55 aa 00 00 00 00 ff
    00

    Added after 32 [minutes]:

    >>21282642

    What would you suggest? ESP32?
  • #10 21282854
    p.kaczmarek2
    Moderator Smart Home
    There are two UART lines, which are you checking? BT RX to MCU TX or BT TX to MCU RX?

    OBK can run on ESP32.
  • #11 21282907
    elektradi
    Level 7  
    Please see updates to my earlier posts on where I was sniffing the traffic.

    The ESP32 and the BK3432 module footprints are very different; I need some way to secure it, or maybe just solder the ESP32 to VCC/GND/RX/TX as a sniffer chip and leave the BK3432 as-is.
  • #12 21284994
    p.kaczmarek2
    Moderator Smart Home
    I think you could easily use ESP module for that. Flash it with Arduino OTA bootloader and write some simple code to intercept the communication. We can help. Would you like to give it a go?

    This will be easier than replacing BK with ESP, because in the case of full replacement you need to implement the whole UART protocol, and in the case of sniffing you just need to parse what you want.
  • #13 21285040
    elektradi
    Level 7  
    >>21284994

    Do you know how to fully decode the payloads I sent earlier?
  • #14 21285412
    p.kaczmarek2
    Moderator Smart Home
    This may contain some data:

    Received by WiFi module:
    55 AA 00 E0 00 30 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 F6
    HEADER VER=00 Unk LEN 033137333032383033363330303001020004000000880202000400000055030200040000004A04010001000904000100 CHK

    0xE0 may mean it's a Report record-type data (0xE0) command.
    See: https://developer.tuya.com/en/docs/iot/ble-do...ock-mcu-development-overview?id=K95l67wf9xopf
    Quote:
    Report record-type data (0xE0)
    - If the module is offline when receiving reported data from the MCU, it will save the data to its flash memory and send the stranded data after going online. After the last piece of stranded data is sent to the cloud, the module will release the cache.
    - The module can cache up to N pieces of DP data. When the limit is reached, the newest record will overwrite the oldest one.
    -> The nRF52832 and BK3431Q based modules can store up to 80 pieces of data, with a maximum length of 200 bytes per piece.
    -> The BK3432 based modules can store up to 32 pieces of data, with a maximum length of 32 bytes per piece.
    - The time drift of the module’s internal clock is less than one minute in 24 hours. The module will sync its clock with the server time each time it is connected to the cloud. If you require highly accurate time, you can report data using the MCU’s timestamp.


    [Image: table of MCU-sent data with field descriptions.]
    [Screenshot: data format for report types 0x01 and 0x03 from Bluetooth and MCU modules.]

Topic summary

✨ The discussion revolves around a TUYA blood pressure monitor that utilizes BLE for readings. The user inquires about the possibility of identifying a smaller chip within the device, specifically the BK3432, and whether removing the metal shield would damage the device. Responses suggest that removing the shield is safe if done correctly, and that the BK3432 chip is compatible with existing SDKs. The communication protocol involves UART transmission at 9600bps, with various data packets being analyzed. Suggestions include using an ESP32 module for intercepting communications instead of replacing the BK3432, as it would simplify the process of decoding the data without needing to implement the entire UART protocol.
Generated by the language model.

FAQ

TL;DR: Tuya BK3432 BLE modules cache up to 32 records (32 bytes each). "0xE0 may mean it's a Report record-type data." Sniff the 0x55AA UART stream to extract blood pressure readings without replacing the module. For makers needing local BP data via BLE UART. [Elektroda, p.kaczmarek2, post #21285412]

Why it matters: You can capture systolic/diastolic/pulse locally, avoid cloud lock-in, and integrate with ESP32-based workflows.

Will removing the metal shield break my TUYA BLE module?

No, removing the RF can does not break the device if you do it carefully. If you already confirmed it's BK3432 by footprint or markings, you don't need to remove the shield to proceed. Work slowly, avoid lifting pads, and reflow evenly if you must open it. [Elektroda, p.kaczmarek2, post #21282367]

How can I confirm it’s a BK3432 without opening the shield?

Match the module’s footprint, pinout, and antenna layout against the Tuya YLB1/BK3432 reference. The thread author noted the pinouts and antenna design are the same, indicating BK3432. Visual confirmation often suffices for planning UART sniffing. [Elektroda, elektradi, post #21281091]

What UART settings should I use to capture data?

Use 9600 bps. The BP monitor’s main MCU talks to the BK3432 at 9600 bps over UART. Configure your sniffer to that rate and capture both directions to see heartbeats, records, and power events. [Elektroda, elektradi, post #21282374]

Which UART direction carries which data?

There are two lines: BT RX (module receives from MCU) and BT TX (module transmits to MCU). Tap both to observe reported data and acknowledgements. The choice determines whether you see measurements or module responses. [Elektroda, p.kaczmarek2, post #21282854]

What do the 0x55 0xAA frames mean at startup?

They are Tuya MCU protocol frames. On boot you will see heartbeats such as 55 AA 00 00 ... 01 01. These keep the link alive and confirm module presence before measurement data flows. [Elektroda, elektradi, post #21282438]

Does 0xE0 indicate record-type uploads?

Yes. 0xE0 is the record-type reporting command. BK3432 caches up to 32 records at 32 bytes each and later uploads them; if offline, it buffers. Limit reached? The newest overwrites the oldest. Time drift is under one minute per 24 hours. [Elektroda, p.kaczmarek2, post #21285412]

How do I decode the example 0xE0 payload with timestamp?

The payload includes ASCII-encoded digits for time, for example the sequence 31 37 33 ... decodes to a timestamp string. Map remaining bytes by Tuya DP format (DP ID, type, length, value) to extract systolic, diastolic, and pulse. [Elektroda, elektradi, post #21282438]
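
An added example (not code from the thread or from Tuya) that decodes the frames captured in post #7: it accepts a 55 AA frame only if its checksum matches, skips stray bytes such as the power-off 0x00, and splits the 0xE0 payload into DP ID, type, length and value. The payload layout (one leading byte, 13 ASCII timestamp digits, then DP records) is an assumption inferred from that one sample, and the thread does not establish which DP ID is systolic, diastolic or pulse, so the decoder reports IDs only.

```python
import struct

# Bytes as posted in #7 (BK3432 RX line), followed by the stray 0x00 seen at power-off.
CAPTURE = bytes.fromhex(
    "55AA000000010101"
    "55AA00E00030" "0331373330323830333633303030"
    "0102000400000088" "0202000400000055" "030200040000004A"
    "0401000100" "0904000100" "F6"
    "55AA000000010101" "00"
)

def parse_frames(buf):
    """Return (version, command, payload) for each checksum-valid 55 AA frame."""
    frames, i = [], 0
    while i + 7 <= len(buf):                      # 7 bytes = shortest possible frame
        if buf[i:i + 2] == b"\x55\xaa":
            ver, cmd, length = struct.unpack_from(">BBH", buf, i + 2)
            end = i + 6 + length                  # index of the checksum byte
            # Checksum = low byte of the sum of every preceding byte in the frame.
            if end < len(buf) and sum(buf[i:end]) & 0xFF == buf[end]:
                frames.append((ver, cmd, buf[i + 6:end]))
                i = end + 1
                continue
        i += 1                                    # noise or damaged frame: resync
    return frames

def decode_record(payload):
    """Split a 0xE0 payload into (leading byte, timestamp, {dp_id: (type, value)})."""
    # Assumed layout, inferred from the posted sample: 1 byte + 13 ASCII digits + DPs.
    marker, stamp = payload[0], int(payload[1:14].decode("ascii"))
    dps, i = {}, 14
    while i + 4 <= len(payload):
        dp_id, dp_type, dp_len = struct.unpack_from(">BBH", payload, i)
        raw = payload[i + 4:i + 4 + dp_len]
        if len(raw) != dp_len:
            raise ValueError(f"DP {dp_id} runs past the end of the payload")
        # Bool (1), value (2) and enum (4) DPs are big-endian integers; others stay raw.
        dps[dp_id] = (dp_type, int.from_bytes(raw, "big") if dp_type in (1, 2, 4) else raw)
        i += 4 + dp_len
    return marker, stamp, dps

if __name__ == "__main__":
    for ver, cmd, payload in parse_frames(CAPTURE):
        print(f"cmd=0x{cmd:02X} len={len(payload)}", end=" ")
        print(decode_record(payload) if cmd == 0xE0 else payload.hex())
```

Because a frame is only accepted when its length fits the buffer and its checksum matches, a capture with a dropped byte loses that one frame and the parser picks up again at the next valid header.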

What traffic appears during a blood pressure measurement?

You will see repeated heartbeats and a single 0xE0 record sequence when a measurement completes. When powering off, the line emits a trailing 0x00 byte to mark the event. Capture both directions to correlate frames with cuff actions. [Elektroda, elektradi, post #21282814]

Is replacing the BK3432 with an ESP32 a good idea?

Sniffing is easier than replacement. “This will be easier than replacing BK,” because full replacement means re-implementing the entire UART protocol, while sniffing only needs parsing. Use an ESP32 as a passive interceptor. [Elektroda, p.kaczmarek2, post #21284994]

Can OBK firmware run on ESP32 for processing these frames?

Yes. “OBK can run on ESP32.” That lets you parse Tuya frames, forward readings to MQTT/Home Assistant, or log measurements without touching the BK3432 firmware. [Elektroda, p.kaczmarek2, post #21282854]

How do I set up an ESP32 to sniff the UART (3-step)?

  1. Flash an ESP32 with an Arduino OTA bootloader to allow easy updates.
  2. Wire ESP32 GND to device GND, and UART pins to the two lines through high-impedance buffering.
  3. Log both directions and parse 0x55AA frames to extract DPs. “Flash it with Arduino OTA bootloader and write some simple code to intercept the communication.” [Elektroda, p.kaczmarek2, post #21284994]

Where’s the Tuya MCU UART protocol guide for decoding DPs?

See the Tuya “Guide to Interworking with the Tuya MCU” referenced in the thread. It explains the 0x55AA frame structure and DP fields, enabling you to map blood pressure, pulse, and timestamps from payloads. [Elektroda, elektradi, post #21282374]

Does powering off send a special marker?

Yes. A single 0x00 byte is seen on the line when the device powers off. Treat it as an event delimiter in your parser to close out partial frames or mark session boundaries. [Elektroda, elektradi, post #21282814]

Is there an SDK for BK3432 if I later want BLE control?

An open BK3432 BLE SDK demo is referenced for experimentation. While this project focused on UART sniffing, the SDK can help if you move toward custom BLE integrations or module-side logic. [Elektroda, p.kaczmarek2, post #21282367]

The ESP32 footprint doesn’t match BK3432—how should I wire it?

Don’t replace the module. Solder the ESP32 to VCC, GND, RX, and TX as a sniffer, and leave the BK3432 in place. This avoids re-implementing Tuya’s protocol and preserves device function. [Elektroda, elektradi, post #21282907]
Generated by the language model.