logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Tuya TYBL1 Bluetooth Gateway: CR3L/RTL8720CM [W701M-VT2-CG] Flash Backup, Boot Log - Info Dump

divadiow 1770 22
ADVERTISEMENT
Reply | New topic
  • Helpful post
    #1 21413940
    divadiow
    Level 35  
    Tuya TYBL1 Bluetooth Gateway bits:

    White Tuya TYBL1 Bluetooth module in a rectangular shape with two small holes on the front.White Tuya Smart Gateway hub with a promotion on the AliExpress page.

    https://www.aliexpress.us/item/1005005986939367.html

    Smart Gateway packaging with technical information. Box of Tuya Smart Gateway Hub Bluetooth ZigBee product. Label on a box with information about eVAtmasterConsulting GmbH, CE and recycling symbols. Tuya TYBL1 packaging with connection options and power outlets. White square router in an open cardboard box on a wooden table. Tuya BLE Gateway user manual with USB cable on a wooden surface. BLE Gateway user manual with Smart Life app instructions on wooden background. BLE Smart Gateway instruction and FAQ with cable. Opened case of Tuya TYBL1 Smart Gateway showing internal components and screws. Back of a blue circuit board with visible traces and mounting holes. Circuit board with CR3L module on a wooden background

    App interface showing no added devices. Screen showing instructions for pairing child devices, with icons for sensors, sockets, and light sources, and a confirmation button. Device update screen showing no updates available, version V1.17.5.

    https://developer.tuya.com/en/docs/iot/cr3l-module-datasheet?id=Ka3gl6ria8f1t

    Block diagram of Tuya CR3L module with pins and connections Bottom view pin layout of CR3L module

    A_13/RX and A_0 pull high to get into uart DL mode. Within ESP adaptor only A_0 needs pulling high it seems.

    de-soldered CR3L module mapping for my flavour of ESP adaptor

    Tuya TYBL1 adapter with CR3L module and visible pins.

    A_16_UART_TXLOG Tuya boot log:

    Code: Text
    Log in, to see the code


    NeoProgrammer detection and dump log
    Code: Text
    Log in, to see the code


    CR3L electronic module with components clamped in a vise on a blue background.
    Close-up of a chip on a circuit board with visible markings W701M, 06GR2G4, G028T2. Close-up of a BoyaMicro 25Q32BSTIG chip on a circuit board. Close-up of a circuit board with BoyaMicro and Winbond chips.

    Tuya_TYBL1_key7mn9kc48xep73_xxx.bin dumps at https://github.com/openshwprojects/FlashDumps/tree/main/IoT/RTL8720CM

    All 3 dumps boot and pair when flashed back using AmebaZ2 PG Tool

    Added after 9 [hours] 53 [minutes]:


    User interface displaying information about the OpenRTL87X0C device.Screenshot of the AmebaZ2 PG Tool 1.2.47 with flashing settings.
  • ADVERTISEMENT
  • #2 21418020
    p.kaczmarek2
    Moderator Smart Home
    Interesting device, so it basically allows you to connect Tuya Bluetooth devices to the cloud via the WiFi?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #3 21418031
    divadiow
    Level 35  
    actually not tried using its official function, but yes, it would seem to be for that.
  • #4 21418038
    p.kaczmarek2
    Moderator Smart Home
    Are there also Beken-based BT gateways? BK7231-based, for example?
    Helpful post? Buy me a coffee.
  • #5 21418043
    divadiow
    Level 35  
    I don't believe I've seen any variation, or even seen many internal pics of this device or others like it. I have 2 more coming and @max4elektroda has one too, so maybe we'll find out. There must be some type BK7231 bluetooth gateway somewhere.

    Added after 1 [minutes]:

    any plans to do anything with BT in OBK?

    But then maybe enabling BLE would take up too much space?

    Added after 36 [seconds]:

    1 user would like BLE :D https://community.home-assistant.io/t/tuya-bl...ay-cr3l-any-open-firmware/830195/2?u=divadiow
  • ADVERTISEMENT
  • #6 21423978
    divadiow
    Level 35  
    >>21413940

    Code: Text
    Log in, to see the code
  • #9 21439605
    p.kaczmarek2
    Moderator Smart Home
    I have recently received Tuya Bluetooth-only bulb:
    https://www.elektroda.pl/rtvforum/topic4105891.html
    I have only so far paired such Bluetooth bulb only directly with my mobile phone... maybe I should order a BT gateway to check if it's supported there?

    I wonder how much work would it take to run OBK on Bluetooth gateway so it can support such bulbs as I linked.
    Helpful post? Buy me a coffee.
  • #10 21439617
    divadiow
    Level 35  
    definitely get one or more. If only so you have a CR3L
  • #11 21439662
    insmod
    Level 26  
    >>21439281 Curious, a zigbee only gateway with bluetooth-capable module, and the same one as from bluetooth-only gateways at that.
    I too received a CR3L bt gateway today. Board is a little different, but overall they are like copy+paste with a little editing.
    Board is W-BG-CR3L V1.02
    I will later try to convert it to zigbee coordinator with TB-03F module.

    Added after 1 [hours] 11 [minutes]:

    Backup, made with modified ltchiptool.
    A LOT of free heap available with OBK. I thought at least some code modification would be needed to map sram, but it seems to work oob.
    Code: text Expand Select all Copy to clipboard
    Info:MAIN:Time 1, idle 0/s, free 4297224, MQTT 0(0), bWifi 0, secondsWithNoPing -1, socks 2/21 
    Attachments:
  • Helpful post
    #12 21440797
    max4elektroda
    Level 20  
    Here is my device, layout is quite different, board is labelled "NH-BLE-WIFI-GW" "V1.0.8"

    Back of a white Moes Wireless Smart Gateway device with an informational label. Printed circuit board labeled NH-BLE-WIFI-GW V1.0.8 with various components and a USB connector on a blue background. Bottom of a printed circuit board marked NH-BLE-WIFI-GW with visible traces and mounting holes.

    Ali-Link: https://www.aliexpress.com/item/1005005637088709.html

    It took me (too) much time to dump the firmware with ltchiptool - only got I/O errors.
    Finally I switched from one CH340 to another CH340 adapter, and it worked. Very strange.

    OBK installed via
    "ltchiptool flash write -f realtek-ambz2 ~/Downloads/OpenRTL87X0C_1.18.41.bin"

    Web interface of OpenRTL87X0C software on a computer screen.
    Attachments:
  • #13 21440852
    max4elektroda
    Level 20  
    Should pin cfg work? only getting "error" for all pins:
    Configuration page of OpenRTL87X0C interface with errors at pins.

    ... "error" should only be returned, if index is out of range.

    In "src/hal/realtek/hal_pins_realtek.c":
    Code: text Expand Select all Copy to clipboard
    
const char* HAL_PIN_GetPinNameAlias(int index)
{
   if(index >= g_numPins)
      return "error";
   return g_pins[index].name;
}


    How can this happen here with "src/hal/realtek/rtl87x0c/hal_pins_rtl87x0c.c"

    Code: text Expand Select all Copy to clipboard
    rtlPinMapping_t g_pins[] = {
   { "PA0 (RX1)",   PA_0,   NULL, NULL },
   { "PA1 (TX1)",   PA_1,   NULL, NULL },
   { "PA2 (RX1)",   PA_2,   NULL, NULL },
   { "PA3 (TX1)",   PA_3,   NULL, NULL },
   { "PA4",      PA_4,   NULL, NULL },
   { "PA5",      PA_5,   NULL, NULL },
   { "PA6",      PA_6,   NULL, NULL },
   { "PA7",      PA_7,   NULL, NULL },
   { "PA8",      PA_8,   NULL, NULL },
   { "PA9",      PA_9,   NULL, NULL },
   { "PA10",      PA_10,   NULL, NULL },
   { "PA11",      PA_11,   NULL, NULL },
   { "PA12",      PA_12,   NULL, NULL },
   { "PA13 (RX0)",   PA_13,   NULL, NULL },
   { "PA14 (TX0)",   PA_14,   NULL, NULL },
   { "PA15 (RX2)",   PA_15,   NULL, NULL },
   { "PA16 (TX2)",   PA_16,   NULL, NULL },
   { "PA17",      PA_17,   NULL, NULL },
   { "PA18",      PA_18,   NULL, NULL },
   { "PA19",      PA_19,   NULL, NULL },
   { "PA20",      PA_20,   NULL, NULL },
   { "PA21",      PA_21,   NULL, NULL },
   { "PA22",      PA_22,   NULL, NULL },
   { "PA23",      PA_23,   NULL, NULL },
};

int g_numPins = sizeof(g_pins) / sizeof(g_pins[0]);


    Added after 1 [hours] 38 [minutes]:

    Must be some recent change - after looking at your screenshot I tried 1.18.31 and it works. Will try to find the version breaking it.

    Added after 14 [minutes]:

    It's broken from .32 to .33 will check further
  • #15 21441050
    max4elektroda
    Level 20  
    Thanks, great!
    I wasn't that fast, but at least I was near ;-)

    Pins can be configured (to be exact, configuring a role worked before even with the missing description) and work again:


    Screenshot of the OpenRTL87XOC interface showing DS18B20 sensor information and configuration options.

    Thanks for your all your work!
  • #16 21441103
    p.kaczmarek2
    Moderator Smart Home
    Hey is multi-DS18B20 available in the main tree, or is it something that I forgot to merge? Sorry, I'm just a one person, I've barely managed to do BK7238 testing today
    Helpful post? Buy me a coffee.
  • #17 21441163
    max4elektroda
    Level 20  
    Thats my private branch I'm currently working on. Atm it's possible to have multiple sensors and even multiple GPIOs and adding a name and channel per sensor with a command, but I'm not yet satisfied with it and will do some more testing and coding. If you're interested, you might take a look here:
    https://github.com/MaxineMuster/OpenBK7231T_App/tree/1820full_3
    (Since I enabled local workflows, too, you can also download the latest firmwares from the actions here: https://github.com/MaxineMuster/OpenBK7231T_App/actions/runs/13347992548)
  • #18 21441231
    p.kaczmarek2
    Moderator Smart Home
    I would really love to have your changes merged, they look interesting
    https://github.com/MaxineMuster/OpenBK7231T_A...mmit/301b625620a9b7a61b3d92bea71bd4092581a998
    let me know if there is something specific that I can check out, I don't have time for a generic testing unless you'll request checking of given feature specifically.

    Will this also have a sensor scan?
    Helpful post? Buy me a coffee.
  • #19 21441320
    divadiow
    Level 35  
    post edited. previous message was meant to be a pvt message

    I can help with small specific targeted testing :)
  • ADVERTISEMENT
  • #20 21441375
    max4elektroda
    Level 20  
    No complaints @p.kaczmarek2 , I know about the limited time and capabilities of one person only too well. So you can be sure I'll give a hint if I ever feel you didn't see something I would expect you should be aware of ;-).
    Maybe we can/should split this DS1820 related stuff to a different thread? There are some things about what and how to implement details I would love to discuss with others users.
    This driver is the extended version of the DS18B20 driver you, @divadiow (and others?) added to the repository just before I came with the "simple" driver. So the code e.g for scanning the bus for sensors and so on was there, I only moved some stuff to a separate file for code shared between the two drivers and added code to use the functions present in an OBK driver.
  • #23 21471484
    setum
    Level 5  
    Looks like an ESP32-C3 can be used as a Bluetooth Proxy with ESPHome, which is much cheaper. Check here: https://digiblur.com/wiki/ha/esphome-bluetooth-proxy-esp32c3/

    I have a few ESP32-C3 SuperMini lying around, I'll try this out there (in a few days) and report.

    Added later: It works, as a dumb bluetooth passthrough. ESP32-C3 SuperMini accepts the bluetooth signal (also 2.4GHz) and passes it on to Home Assistant which handles interfacing with device (add, remove, control etc...).
Reply | New topic
Report a violation of the law

Topic summary

The discussion centers on the Tuya TYBL1 Bluetooth Gateway and related devices based on the Realtek CR3L/RTL8720CM chipset, including variants like GW003-BLE / RSH-GW001-V1.1 and NH-BLE-WIFI-GW V1.0.8. Users explore hardware differences, firmware dumping challenges, and attempts to run OpenBeken (OBK) firmware on these gateways. Partition tables, boot logs, and firmware backup details are shared, highlighting the use of default encryption and hash keys. Issues with pin configuration in OBK due to missing source file inclusion were identified and resolved by updating the build system. The conversation also touches on the presence of multiple Bluetooth gateway types, including Zigbee hubs with Bluetooth modules, and the potential for BK7231-based gateways. Development efforts include extended DS18B20 sensor support with multi-sensor and multi-GPIO capabilities, with ongoing testing and pull requests to improve timing and sensor scanning. Alternative solutions such as using ESP32-C3 as a Bluetooth proxy with ESPHome are mentioned as cost-effective options for Bluetooth device integration with Home Assistant. Overall, the thread provides detailed technical insights into hardware variants, firmware manipulation, open-source firmware adaptation, and sensor integration for Tuya Bluetooth gateways and similar devices.
Summary generated by the language model.
Popular Topics
ADVERTISEMENT