logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda
Build faster with M5Stack »
Build faster with M5Stack » Stick • Unit • Cardputer
ADVERTISEMENT
Dostępna jest polska wersja

Czy wolisz polską wersję strony elektroda?

Nie, dziękuję Przekieruj mnie tam

Flashing VeSync GreenSun WHOGPLUG Smart Plug to BK7231M Module

divadiow 1455 18
ADVERTISEMENT
Report a violation of the law
Reply | New topic
  • Helpful post
    #1 21450728
    divadiow
    Level 38  
    VeSync / GreenSun smart plug info.
    See https://github.com/openshwprojects/OpenBK7231T_App/issues/826 and flashing guide (though OTA ability might be a work-in-progress right now) https://www.elektroda.com/rtvforum/topic4058227.html

    Like the BSD33 here https://www.elektroda.com/rtvforum/topic4058227.html#21450591 I have flashed this user's (@thenitek) backup to a BK7231M module which has a key of 00000000 00000000 00000000 00000000 in efuse.

    fw ver 1.0.01 boot log from TX2
    Code: Text
    Log in, to see the code


    VeSync app pairing and update screesnhots:
    App interface for adding devices with a list of smart electrical outlets. App screen with an outlet icon and connection status to the router and VeSync Cloud. User interface for selecting a room for a smart device. Firmware update screen with device visualization and Update button. Device firmware update screen with VeSync app. Home device management application interface showing a device icon in the kitchen. App interface with power button and energy management options. Device settings interface on a dark background with configuration options. Screenshot of device information, including time zone, device time, firmware version, and MAC address. Home device management app interface.


    Firmware update screen.

    fw ver 1.0.02 boot log from TX2
    Code: Text
    Log in, to see the code


    Added after 10 [minutes]:

    both versions fw backups can be found here https://github.com/openshwprojects/FlashDumps/tree/main/IoT/BK7231M

    Added after 1 [hours] 33 [minutes]:

    OTA is at 0x125000 on these. Flash a BK7231N rbl to that address and it OTAs to OBK

    Code: Text
    Log in, to see the code

    Screenshot of OpenBK7231N user interface showing device information and configuration options.

    0x125000 start address and 0xB0000 length (737,280 bytes) - I think!
    Hexadecimal data snippet with text labels.

    I had to ask ChatGPT for help on the length
    Code: Text
    Log in, to see the code


    Added after 9 [minutes]:

    Regarding the mac. TLV starts at 0x1D9000 where the mac we'd like to see in OpenBeken after OTA from VeSync 1.0.02-> OBK is seen - FC 58 4A A1 D3 C2
    Screenshot showing hex data.
    which correlates with what's seen in the VeSync app
    Screenshot showing mobile device information.

    current:
    List of connected devices with name, IP address, and physical MAC address.
  • ADVERTISEMENT
  • #2 21452918
    divadiow
    Level 38  
    with custom build where OTA partition is changed to 0x125000 then OTA works as expected https://github.com/openshwprojects/OpenBK7231T_App/pull/1542

    Code: C / C++
    Log in, to see the code


    Code: C / C++
    Log in, to see the code


    Code: Text
    Log in, to see the code


    mac is still wrong though even with 0x1D9000 set for RF/Net
  • #3 21452972
    insmod
    Level 31  
    >>21452918 Are those partitions correct? They shouldn't intersect.

    Have you tried to replace bootloader with standard 1.0.1? That should fix OTA, but would still do nothing for MAC. Though you would have to edit build.sh
    Either uncomment (i don't know why it is commented out, not working perhaps?) https://github.com/openshwprojects/OpenBK7231...ter/platforms/bk7231n/bk7231n_os/build.sh#L72
    Or combine binary with unencrypted bootloader and then run encryption with these parameters: 0 0 0 0 0
    Not sure if it would work though, i did once encrypted a 1.0.13 bootloader for bk7231n and it worked.
  • ADVERTISEMENT
  • #4 21452984
    divadiow
    Level 38  
    insmod wrote:
    Are those partitions correct? They shouldn't intersect.

    ah probably not correct then. couldn't quite get head round the 01PE hex for this one for some reason.
    insmod wrote:
    Have you tried to replace bootloader with standard 1.0.1? That should fix OTA, but would still do nothing for MAC. Though you would have to edit build.sh


    this would be the ultimate, then no need for these odd M builds for each vendor's chosen partition layout. I have flashed a few BLs, but none so far have booted. I've also tried making my own using RT-Thread Partition Tool. I'll have another go, getting a good BL for 000000 key devices, which uses standard Tuya partition addresses, would be the way to go it seems

    Screenshot of RT-Thread Partition Tool showing a partition list with names, offsets, and lengths.
  • #5 21452990
    insmod
    Level 31  
    As i've written before, i don't remember what exactly i've done to encrypt bootloader.
    But, another possibility is to run encrypt with zero keys and zero address on unencrypted bootloader directly, and then combine it with uart firmware and run standard encrypt with zero keys and 10000 address.
  • #6 21453255
    divadiow
    Level 38  
    i see.

    so we could perhaps do that with something like

    Code: Text
    Log in, to see the code


    if using the newer version of encrypt.exe

    Screenshot showing the usage of the encrypt.exe tool in the command line.

    https://github.com/openshwprojects/OpenBK7231...k7231n_os/beken378/build/post-build-steps.bat

    Added after 3 [minutes]:

    hmm. bootloader_bk7231n_uart2_v1.0.8_enc.bin doesn't seem to boot. nor does a standard BK7231N_1.0.1 decrypted/re-encrypted from a device with bk7231tools

    Added after 25 [minutes]:

    oh. doesn't this suggest M QIO already has this https://www.elektroda.com/rtvforum/topic4056377.html#21106098
  • #7 21466587
    p.kaczmarek2
    Moderator Smart Home
    Probably related discussion:
    https://www.elektroda.com/rtvforum/topic4032988-30.html#21466523
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #9 21724001
    p.kaczmarek2
    Moderator Smart Home
    Nice, i think I have BK7231M hooked to WiFi flasher, so I can check, however, please first make sure that your changes do not affect other binaries going through that path, in this case, the classic BK7231N binary.
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #10 21724004
    divadiow
    Level 38  
    OK. I will double-check BK-N is OK.
  • #11 21725131
    divadiow
    Level 38  
    wait. BK7231M_ALT (OpenBK7231M_ALT_QIO_1.18.202.bin) does boot already. It's being built with bk7231n_bootloader.bin, assuming comparison script is working. bk7231n_bootloader_zero_keys.bin not being used at all?

    Screenshot of a table with QIO files and corresponding bootloader matches

    uncrc and comparison script

    Code: Powershell
    Log in, to see the code


    Added after 2 [hours] 9 [minutes]:

    oh https://github.com/openshwprojects/OpenBK7231...s/bk7231n/bk7231n_os/build.sh#L144C20-L144C30

    Added after 37 [minutes]:

    not sure I fully understand what's happening. If you delete bk7231n_bootloader_zero_keys.bin build does not fail. With these two changes BK7231M QIO boots and detection script says:

    Table of QIO file matches to bootloaders using Uncrc decoding and ExactRaw mode

    Screenshot of build.sh diff showing bootloader change from _enc.bin to standard .bin
  • #12 21725507
    p.kaczmarek2
    Moderator Smart Home
    It is possible that zeroKeys was not used in the end, but I am not sure.

    I've checked ALT now with WiFi Flasher. It boots:
    Code: text Expand Select all Copy to clipboard
    
wifiprogram bk7231n -d 192.168.0.139:8888 -w -s 0 -u OpenBK7231M_ALT_QIO_1.18.202.bin

    OpenBK7231N web UI with debug info and flash programming console log.
    Helpful post? Buy me a coffee.
  • #13 21725511
    divadiow
    Level 38  
    ALT boots yes, but the old SDK M QIO does not

    Added after 2 [minutes]:

    change bk7231n_bootloader_enc.bin to bk7231n_bootloader.bin in the M code block and then it'll boot
  • #14 21725674
    p.kaczmarek2
    Moderator Smart Home
    I am not sure what happened there, but you may have a correct solution. First I tried to manually insert a bootloader with 0 keys, but then I realized that we can just use the one without _enc
    Helpful post? Buy me a coffee.
  • #16 21743241
    p.kaczmarek2
    Moderator Smart Home
    merged, but now submodule of main app must be updated
    Helpful post? Buy me a coffee.
  • #18 21743301
    p.kaczmarek2
    Moderator Smart Home
    Great, thank you, merged.

    I still don't know why I incorrectly put enc bootloader there... thanks for fix
    Helpful post? Buy me a coffee.
  • #19 21743305
    divadiow
    Level 38  
    no worries, I didn't see anyone notice. Maybe 1 person on Github but the ALT M still worked for him.
Reply | New topic
Report a violation of the law

Topic summary

✨ The discussion revolves around flashing the VeSync GreenSun WHOGPLUG Smart Plug to a BK7231M module. Users share insights on modifying the OTA (Over-The-Air) partition to enable OTA functionality, referencing specific GitHub issues and guides. A custom build with the OTA partition set to 0x125000 is suggested for successful OTA operations. Participants discuss the importance of correct partition configurations and the potential need to replace the bootloader with a standard version to resolve OTA issues. Various methods for encrypting the bootloader and combining it with firmware are explored, with users sharing their experiences and challenges in achieving successful flashes. Related discussions and links to additional resources are also provided.
Today's popular

FAQ

TL;DR: This VeSync/GreenSun WHOGPLUG uses a 720 KB OTA slot at 0x125000; "OTA works as expected at 0x125000" once the build targets that start. [Elektroda, divadiow, post #21452918]

Why it matters: It lets you flash OpenBeken reliably, keep Wi‑Fi working, and avoid soft‑brick loops.

Who this is for: Tinkerers and integrators asking “how do I flash this VeSync plug to OpenBeken and fix OTA/MAC?”.

Quick Facts

What’s the fastest way to get OTA working on this VeSync WHOGPLUG?

Point the OTA start to 0x125000 and set length to 0xB0000 in your custom build. Recompile and flash. The author reports, “OTA works as expected at 0x125000.” This aligns logs showing OTA writes from 0x125000 upward and a successful reboot into OpenBeken. [Elektroda, divadiow, post #21452918]

How do I perform the actual OTA-to-OpenBeken update on this device?

  1. Build OpenBeken with START_ADR_OF_BK_PARTITION_OTA = 0x125000 and length 0xB0000.
  2. Flash an rbl to 0x125000; the vendor RT-Thread OTA will rewrite the app.
  3. Reboot; device starts OpenBeken AP (e.g., OpenBK7231N_8C000000). This flow is confirmed by boot and OTA logs and the AP name after flashing. [Elektroda, divadiow, post #21450728]

What addresses do I use for the OTA partition on BK7231M in this plug?

Use start address 0x125000 with length 0xB0000 (737,280 bytes). The code snippet and runtime logs show initialization and writes at the 0x125000 boundary. This partitioning enabled consistent OTA success in testing. [Elektroda, divadiow, post #21452918]

Where is the device MAC stored, and will OpenBeken read it?

Vendor firmware stores a TLV block at 0x1D9000 containing the MAC (example FC:58:4A:A1:D3:C2). After OTA, OpenBeken may still show a wrong MAC unless additional handling is added. This is a known caveat noted by the author. [Elektroda, divadiow, post #21452918]

Which bootloader works on BK7231M QIO for this case?

Use the non-encoded bk7231n bootloader. Maintainer feedback confirms switching from the _enc variant to the plain one allows BK7231M QIO builds to boot. “We can just use the one without _enc.” [Elektroda, p.kaczmarek2, post #21725674]

Does this change break BK7231N devices?

No. The contributor stated BK7231M QIO boots and can OTA, and BK7231N “appears to remain working.” The maintainer asked to double-check BK‑N, indicating compatibility attention in the workflow. [Elektroda, divadiow, post #21723871]

What firmware versions were captured from this plug?

Boot logs for vendor firmware 1.0.01 and 1.0.02 were captured over UART (TX2). They show SDK revisions, BLE stack, and Wi‑Fi scans. These dumps helped map partitions and verify OTA behavior. [Elektroda, divadiow, post #21450728]

How big is the OTA image, exactly?

Length is 0xB0000, which equals 737,280 bytes (720 KB). The calculation was validated from the 4-byte little-endian field and noted in-thread. This size matches the working OTA writes shown in logs. [Elektroda, divadiow, post #21450728]

What tools or scripts were used to troubleshoot encryption/bootloaders?

They referenced encrypt.exe with zero keys, build.sh/post-build scripts, and compared bootloader variants. A trial to encrypt uart bootloader with zero keys did not boot; this shaped the final non-_enc choice. [Elektroda, divadiow, post #21453255]

How can I flash over Wi‑Fi once I have a working QIO build?

Use WiFiProgram with the device IP and OpenBK7231M_ALT_QIO binary. Example: wifiprogram bk7231n -d :8888 -w -s 0 -u OpenBK7231M_ALT_QIO_1.18.202.bin. Maintainer confirmed it boots after this method. [Elektroda, p.kaczmarek2, post #21725507]

What is OpenBeken (OpenBK)?

OpenBeken is open firmware for BK72xx chips. After OTA, the device boots OpenBeken and exposes an AP like OpenBK7231N_8C000000 with DHCP 192.168.4.1. Logs confirm services start and the module runs. [Elektroda, divadiow, post #21450728]

My partitions show overlap—what should I check?

Partitions should not intersect. Review start addresses and lengths for OTA, RF firmware, and NET params. Correct any overlaps before flashing to prevent corruption or boot failure. This was called out explicitly in-thread. [Elektroda, insmod, post #21452972]

Can I fix OTA by swapping the bootloader to 1.0.1 or re‑encrypting with zero keys?

One suggestion was to replace bootloader with standard 1.0.1 or encrypt with zero keys. However, trials with zero-key encrypted UART bootloader did not boot. The stable fix was using non-_enc bootloader. [Elektroda, divadiow, post #21453255]

Any useful performance datapoints from logs?

Yes. Vendor Wi‑Fi scans completed in 1.324 seconds, reported multiple times. This helps verify radio health and timing during bring-up and after OTA changes. [Elektroda, divadiow, post #21450728]

What’s an edge case that can still bite me?

Even with RF/NET at 0x1D9000 configured, OpenBeken may report an incorrect MAC. Plan for a post-flash MAC fix if your network depends on stable ARP/DHCP leases. [Elektroda, divadiow, post #21452918]
ADVERTISEMENT