![[ZIGBEE] 20A Zigbee socket with energy metering (Tuya TS011F_plug_3)](https://obrazki.elektroda.pl/1000454900_1749493372_thumb.jpg)
![[W600 / TW-03] Door Sensor - Bootloop on 1.18.110/109 Firmware](https://obrazki.elektroda.pl/5552096400_1749191730_thumb.jpg)
I've recently bought a 3-phase energy monitor labeled SMTONOFF Smart auto reclosing protector, marketed as Tuya WiFi Three Phase 4P 100A Auto-Reclosing Over Under Voltage Protector Prepaid Meter Timer Switch Voice Remote Control from aliexpress. I would like to connect this meter locally to Home Assistant through mqtt.
From what I can see this device is not yet broken apart and I cannot resist the challenge
First step, removing top enclosure.The keen observer will note that the antenna cable was not connected from factory. What happened to quality control?
Second step, pulling the main board up. Nicely connected with the power board by pin-connectors, the angled pcb is a "foot". Transformers soldered directly to main board. Overall good quality and workmanship.
Third step, the main board. Uses a CBU-IPEX module with a BK7231N chip, an STC8H3K64S2 MCU in a 48 pin package, and a V9203 3-phase energy monitoring chip.
Fourth step, some brief analysis shows that serial RX1/TX1 of the CBU module is connected to the STC8H RXD2/TXD2 through opto-couplers. There are different power domains, no shared ground or VCC. It seems probable that hooking up the CBU module with external power and RX/TX would work without any modifications to the board. Verified to work. Remove the board and connect power and RX/TX to the CBU, and then flash
What are the next steps?
AI: Have you been able to identify what firmware is currently running on the CBU-IPEX module, or whether the device is compatible with Tuya-convert or any other known flashing methods?
This device is now verified to be a TuyaMCU device that works with OpenBK.
AI: What’s your experience level with flashing firmware via UART/serial and setting up MQTT integrations in Home Assistant?
Experienced hardware and software hacker, new to OpenBK
Added after 1 [hours] 21 [minutes]:
Hooked it up and used BK7231 Easy UART Flasher to read out flash. Partly successful. See log below:
[/code]
Added after 7 [minutes]:
Some more output from the beginning og the log:
[/code]
From what I can see this device is not yet broken apart and I cannot resist the challenge
First step, removing top enclosure.The keen observer will note that the antenna cable was not connected from factory. What happened to quality control?
Second step, pulling the main board up. Nicely connected with the power board by pin-connectors, the angled pcb is a "foot". Transformers soldered directly to main board. Overall good quality and workmanship.
Third step, the main board. Uses a CBU-IPEX module with a BK7231N chip, an STC8H3K64S2 MCU in a 48 pin package, and a V9203 3-phase energy monitoring chip.
Fourth step, some brief analysis shows that serial RX1/TX1 of the CBU module is connected to the STC8H RXD2/TXD2 through opto-couplers. There are different power domains, no shared ground or VCC. It seems probable that hooking up the CBU module with external power and RX/TX would work without any modifications to the board. Verified to work. Remove the board and connect power and RX/TX to the CBU, and then flash
What are the next steps?
AI: Have you been able to identify what firmware is currently running on the CBU-IPEX module, or whether the device is compatible with Tuya-convert or any other known flashing methods?
This device is now verified to be a TuyaMCU device that works with OpenBK.
AI: What’s your experience level with flashing firmware via UART/serial and setting up MQTT integrations in Home Assistant?
Experienced hardware and software hacker, new to OpenBK
Added after 1 [hours] 21 [minutes]:
Hooked it up and used BK7231 Easy UART Flasher to read out flash. Partly successful. See log below:
Code: Dos
Log in, to see the code
Added after 7 [minutes]:
Some more output from the beginning og the log:
Getting bus success!
Going to set baud rate setting (921600)!
Will try to read device flash MID (for unprotect N):
Flash MID loaded: 1560EB
Will now search for Flash def in out database...
Flash def found! For: 1560EB
Flash information: mid: 1560EB, icName: TH25Q16HB, manufacturer: TH, szMem: 1000000, szSR: 2, cwUnp: 0, cwEnp: 7, cwMsk: 407C, sb: 2, lb: 5, cwdRd: 05-35-FF-FF, cwdWr: 01-FF-FF-FF
Entering SetProtectState(True)...
sr: 7c
sr: 7c
final sr: 7c
msk: 407c
cw: 0, sb: 2, lb: 5
bfd: 0
sr: 0
sr: 0
final sr: 0
msk: 407c
cw: 0, sb: 2, lb: 5
bfd: 0
SetProtectState(True) success!
Going to read encryption key...
Encryption key read done!
