Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

p.kaczmarek2 4209 131

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#121 21777354 10 Dec 2025 21:42

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #121
21777354 10 Dec 2025 21:42

Try to remove those binary arrays (make them empty), rebuild and recheck

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#122 21777398 10 Dec 2025 22:37

divadiow divadiow

Level 37

Helpful post? (0)

Post #122
21777398 10 Dec 2025 22:37

v166: https://www.virustotal.com/gui/file/5eedb0785...50b85f329038724a3b7064f5c0d25ee3453/detection
0 floader:
https://www.virustotal.com/gui/file/503e651aa...6f8801627007d99bfcd89ebc10a527c66a4?nocache=1

not much different
#123 21777450 11 Dec 2025 00:35

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #123
21777450 11 Dec 2025 00:35

We need to pinpoint each change that breaks.

Also, what about "encryption experiments" PR? Ready to merge?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#124 21777517 11 Dec 2025 07:47

divadiow divadiow

Level 37

Helpful post? (0)

Post #124
21777517 11 Dec 2025 07:47

p.kaczmarek2 wrote:
Also, what about "encryption experiments" PR? Ready to merge?

I used it a fair bit a few weeks ago and it was good. A couple of issues were ironed out and I would say yes

Added after 7 [minutes]:

p.kaczmarek2 wrote:
We need to pinpoint each change that breaks.

in the meantime though maybe a sticky topic in issues? I asked GPT to draft something after my conversation with it.

Spoiler:
Why Some Antivirus Products Flag BK7231GUIFlashTool (False Positives Explained)

Proposed Body Text

Several users have reported that recent builds of BK7231GUIFlashTool trigger warnings from certain antivirus engines. These detections often appear under generic names such as Trojan.MSILZilla.xxx, MSIL.Generic, or similar. This notice explains why this happens, what changed recently, and what you can safely expect from the tool’s behaviour.

1. The short answer

These antivirus alerts are false positives.
BK7231GUIFlashTool is an open-source, C#/.NET WinForms application whose only functions are:

Opening a serial port

Communicating with supported MCUs

Reading/writing flash memory

Loading firmware files (optionally downloading them from GitHub)

Displaying progress in a simple UI

Nothing in the source code installs persistence, modifies the registry, injects into processes, or communicates with anything other than GitHub (when the “download latest firmware” option is used) and the serial port.

2. Why AV engines sometimes flag the tool

Modern antivirus products rely heavily on heuristic and reputation-based detection. A small, unsigned, niche hardware-flashing utility looks very similar—structurally—to the tools used by malware operators, even though the behaviour is entirely legitimate.

The tool has several characteristics that mislead heuristic scanners:

a) It is a .NET (MSIL) executable

Many malware families are also written in .NET, so generic signatures tend to over-match.

b) It performs “downloader-like” behaviour

When you click “Download firmware from Web”, the application downloads a binary file from GitHub and saves it to disk.
Heuristic engines sometimes classify any application that downloads executable files as a “downloader”, regardless of purpose.

c) It interacts with hardware at a low level

The program reads and writes flash memory over UART, sends stubs/loaders to the device, and transfers raw binary blocks. Tools doing this kind of I/O get flagged routinely, even though this is exactly what a flashing utility is supposed to do.

d) It is not code-signed

Unsigned executables with a small user base are automatically given lower reputation scores. This can increase false positives, especially immediately after a new release.

e) Some recent releases introduced new stubs/loaders

Binary blobs included inside the release package (e.g., RTL loader files, temporary loaders) can resemble obfuscated or “packed” resources to AV engines, which further increases the likelihood of a generic detection.

3. What changed in v32 and earlier—did anything suspicious get added?

No. Recent versions (v27–v32 and surrounding builds) include:

RTL flashing improvements

Flash ID read support

Logging fixes

A progress bar calculation fix

CI packaging changes (adding the /loaders folder to the release ZIP)

No networking changes, no system-level changes, and no code capable of malicious behaviour were introduced. The tool’s functionality has remained the same: serial-port flashing and firmware utility tasks.

False positives became more common simply because the build output changed slightly, altering the internal structure enough for heuristic signatures to trigger.

4. What you can do as a user

If your antivirus flags the tool, you may safely trust / allow it provided you downloaded it from the official GitHub Releases page.

You can also build the tool yourself from source using Visual Studio, which eliminates any doubt about the executable’s origin.

Consider adding a local exclusion for the flashing tool if your security software interferes with its operation.

If comfortable, you can submit the file to your AV vendor as a false positive—they typically whitelist legitimate tools once reviewed.

5. What we (the maintainers) will continue to do

Keep the tool fully open-source and transparent.

Avoid unnecessary obfuscation or packing.

Work with contributors to minimise false-positive triggers where feasible.

Investigate code-signing options for future releases to reduce reputation-based alerts.

6. Bottom line

BK7231GUIFlashTool is safe, open, and does exactly what a flashing tool needs to do—and nothing more.
AV detections are a side effect of heuristic scanning on a low-reputation, unsigned, hardware-flashing application, not an indication of malicious behaviour.

If you have questions or encounter new detections, feel free to comment below.
ADVERTISEMENT
#125 21777565 11 Dec 2025 08:41

insmod insmod

Level 29

Helpful post? (0)

Post #125
21777565 11 Dec 2025 08:41

Packing is not a problem
https://www.virustotal.com/gui/file/023eaf0ec...0cbc5c30a6189ca06cb266e650378fed0e90a5c1bb691
#126 21777576 11 Dec 2025 08:53

DeDaMrAz DeDaMrAz

Level 21

Helpful post? (0)

Post #126
21777576 11 Dec 2025 08:53

This will trigger some of the heuristic analysis, where is this coming from?

If you like my work, support me at: https://paypal.me/openshwprojects
ADVERTISEMENT
#127 21778541 12 Dec 2025 08:39

divadiow divadiow

Level 37

Helpful post? (0)

Post #127
21778541 12 Dec 2025 08:39

I've been playing with BK7252 2/4mb wrap-around and generally with BK7252U BK7231T/U it seems to give up some as soon as there's a read error, no retries /per sector crc check? Is this correct? It seems other tools are more resilient/forgiving. hmm

also, any change in detection with the AV experiments? https://github.com/openshwprojects/BK7231GUIFlashTool/pull/88
#128 21778988 12 Dec 2025 17:02

insmod insmod

Level 29

Helpful post? (+1)

Post #128
21778988 12 Dec 2025 17:02

It started being detected as msilzilla in https://github.com/openshwprojects/BK7231GUIF...mmit/35bc1fcc7699fee47e1842c5aba5389e5380e486
But even if i remove both rtl and rtlz2 flashers, it still detects as such

It's still detects even if all but beken flasher are removed.
ADVERTISEMENT
#129 21779041 12 Dec 2025 17:56

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #129
21779041 12 Dec 2025 17:56

i was rather expecting network scan tool and Process.Start to cause some alarms, but I haven't found anything meaningful yet. Strange.

I wonder how would it behave if I were to rewrite, let's say, Beken flashing to C++?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#130 21779051 12 Dec 2025 18:09

insmod insmod

Level 29

Helpful post? (+1)

Post #130
21779051 12 Dec 2025 18:09

Here we go
https://github.com/openshwprojects/BK7231GUIFlashTool/pull/89
https://www.virustotal.com/gui/file/48a958e72...c83f9b2e440312722acef3ff913b15472dca2cf55b9ec

stupid antiviruses
#131 21779170 12 Dec 2025 20:15

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #131
21779170 12 Dec 2025 20:15

Haha, really? Nice! How did you come up with it? Even with bisecting approach, it would take me some time.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#132 21779175 12 Dec 2025 20:28

insmod insmod

Level 29

Helpful post? (0)

Post #132
21779175 12 Dec 2025 20:28

>>21779170
Well, it started detecting in that commit, and continued even after i removed both z and z2 flashers.
So, i took a guess and removed all combobox.add except for one. And it worked.
How/why would it trigger av, i don't know.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

BK7231GUIFlashTool version 98 and later introduces a new SPI flashing method for Beken BK7231/BK7252 devices using only a CH341 SPI programmer. This method enables recovery of bricked devices with overwritten bootloaders and functions as a general-purpose SPI flasher supporting various memory chips. The approach builds on previous SPI programming techniques using Python and Banana Pi, adapting them for CH341 hardware and C# implementation. Required hardware includes a CH341 programmer and soldering tools for wire attachment. Recent user feedback on version 98 highlights issues such as the tool requiring a COM port selection in SPI mode, lack of CH341A detection warnings, and missing ch341dll.dll errors. The developer has addressed the COM port requirement and plans to add the missing DLL, requesting further debugging via Visual Studio to handle CH341 initialization exceptions.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

FAQ

TL;DR: New BK7231GUIFlashTool v98+ adds SPI flashing for Beken chips; sample 4,096 KB flash detected. “Only a CH341 SPI programmer is required.” Use CH341A D2 to toggle CEN, send 0xD2, then read/write like generic SPI. [Elektroda, p.kaczmarek2, post #21711721]

Why it matters: It lets you recover bricked BK7231/BK7252 devices without a working bootloader, using low‑cost tools.

Who this is for: DIYers, repair techs, and firmware engineers asking how to unbrick or mass‑flash Beken SoCs via SPI with a CH341A and the latest tool.

Quick Facts

- Hardware: CH341A set to I2C position so Windows shows “USB‑EPP/I2C… CH341A”; wire D2→CEN, and P20–P23 for SCK/CSN/SI/SO. [Elektroda, p.kaczmarek2, post #21711721]
- Enter SPI mode: reset CEN via D2, stream 0xD2, then JEDEC 0x9F; sample ID FF‑EF‑40‑16 → 4,096 KB. [Elektroda, p.kaczmarek2, post #21711721]
- Common setup fix: in v99, COM is no longer mandatory in SPI mode; add CH341DLL if the GitHub build complains. [Elektroda, divadiow, post #21712310]
- Linux/mono: mono 6.12 works; max stable baud typically 921,600; LAN scanner and downloader tested. [Elektroda, insmod, post #21712663]
- Recovery scope: Works even when the BK bootloader is overwritten; can serve as a generic SPI flasher too. [Elektroda, p.kaczmarek2, post #21711721]

What exactly is the new Beken SPI flashing method and what do I need?

The tool drives CH341A as an SPI master, resets BK via CEN on D2, sends 0xD2 to enter BK’s SPI-memory mode, then treats the chip like a standard SPI flash. You need a CH341A (jumper at I2C), 3.3 V power, and wiring for P20–P23 (SCK/CSN/SI/SO) plus CEN. Select “Beken SPI” in BK7231GUIFlashTool v98+. “Only a CH341 SPI programmer is required.” [Elektroda, p.kaczmarek2, post #21711721]

How do I wire CH341A to BK7231/BK7252 for SPI mode?

Connect CH341A SCK→P20, CS0→P21, MOSI→P22 (SI), MISO→P23 (SO), and D2→CEN. Keep MOSI→SI and MISO→SO mapping. Provide GND and target power. Some boards have pads labeled CE/TCK/TMS/TDI/TDO that map to CEN/SCK/CSN/SI/SO respectively. [Elektroda, p.kaczmarek2, post #21711721]

How do I reliably enter BK SPI mode? (3‑step)

Use CH341 D2 to pull CEN low then high to reset the BK chip. 2. Stream 0xD2 bytes repeatedly over SPI. 3. Issue 0x9F and confirm a valid JEDEC response; then proceed to Read/Write/Erase. [Elektroda, p.kaczmarek2, post #21711721]

I get “Failed to open CH341 device” or “Failed to toggle CEN.” What should I check?

Confirm CH341A is jumpered to I2C, recognized by Windows, and the D2 wire is soldered to CEN. Re‑seat USB, power the target, and verify SPI lines. The tool logs these errors when CH341 isn’t detected or CEN can’t be driven; fix wiring or driver, then retry. [Elektroda, p.kaczmarek2, post #21711721]

The app says “missing ch341dll.dll” or quits in SPI mode—how do I fix that?

Place CH341DLL.DLL alongside the GitHub build, or build from source in Visual Studio. Earlier builds could exit if CH341A wasn’t present; recent fixes improved handling, but adding the DLL resolved missing‑library errors during testing. [Elektroda, divadiow, post #21712310]

Do I need to select a COM port for SPI flashing?

No. As of v99, SPI mode does not require a COM port. This was confirmed after fixes; previous v98 prompts were removed. Ensure CH341A is connected; SPI operations run without a serial port. [Elektroda, divadiow, post #21712310]

What does the Verify button do?

Verify compares flash contents against the firmware file currently selected in the tool. Use it after Write or Erase to confirm success. “Verify verifies against selected firmware.” [Elektroda, p.kaczmarek2, post #21712551]

Can this recover a bricked BK7252 camera?

Yes. After wiring CEN and SPI lines, use Beken SPI mode to read/erase/write. The author provides a BK7252 camera recovery example using this exact method with CH341A and the new flasher. [Elektroda, p.kaczmarek2, post #21711721]

Can I use CH341 Programmer or NeoProgrammer once SPI mode is active?

Yes. After the 0xD2 hand‑off, the BK behaves like a generic SPI flash. You can then operate with common SPI flash tools (CH341 Programmer or NeoProgrammer) if you prefer. [Elektroda, p.kaczmarek2, post #21711721]

Linux support: what baud rates are stable under mono?

Mono 6.12 worked for testers. They reported stable operation at 921,600 baud; 1,500,000 worked on Windows, but they lowered to 921,600 on Linux. LAN Scanner and release downloader also worked. [Elektroda, insmod, post #21712663]

The tool shows a 4,096 KB device. Is that normal for these chips?

Yes. A sample JEDEC ID FF‑EF‑40‑16 decoded to 4,096 KB and printed by the tool. That confirms JEDEC read and size decoding in SPI mode. Actual sizes vary by module; always check the tool’s detected flash size. [Elektroda, p.kaczmarek2, post #21711721]

How do I just switch a BK device into SPI mode without reading or writing?

Use the new “Detect” button. It performs a zero‑length custom operation to toggle CEN and send the 0xD2 sync, placing the chip in SPI mode for use with other SPI tools. [Elektroda, p.kaczmarek2, post #21731041]

I flashed many times and now erase fails. What should I try?

Expand Unprotect logic before erase, similar to AsProgrammer. A contributor noted needing stronger Unprotect after many BK7252 cycles. Add an Unprotect/Status-Register release step, then retry the erase/write. [Elektroda, p.kaczmarek2, post #21714737]

What is OpenBeken (OBK) in this context?

OpenBeken is an open‑source firmware used across supported Wi‑Fi MCUs in this ecosystem. The author uses OBK devices for testing and demos, including camera boards and remote flashing concepts. [Elektroda, p.kaczmarek2, post #21714427]

Can I flash a BK device over Wi‑Fi/TCP instead of USB?

Yes, a Wi‑Fi flasher demo proxies UART over TCP and controls CEN via an OBK device. It’s a separate utility that mirrors the BK UART routines, useful when PC‑to‑target wiring is hard. [Elektroda, p.kaczmarek2, post #21720013]

Any known edge cases or failure symptoms I should expect?

If CH341DLL is missing, some GitHub builds previously exited. On mono/Linux, 1,500,000 baud may fail while 921,600 works. Also, after heavy cycling, protection bits may block erase until Unprotect expands. Address each symptom as noted, then retry. [Elektroda, divadiow, post #21712310]