Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

p.kaczmarek2 6075 205

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#181 21805374 11 Jan 2026 11:51

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #181
21805374 11 Jan 2026 11:51

Oh, so you have LN8825B? How much is LN8825B different from LN882H? Same SDK? Same binary? How are the protocols similar?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#182 21805393 11 Jan 2026 12:24

insmod insmod

Level 30

Helpful post? (0)

Post #182
21805393 11 Jan 2026 12:24

Completely different. Except for bootrom protocol. And it's baud rate is 117000 (or close enough), not 115200.
Ramcode was ported from LN882H, but there is a major bug with write.
It writes ok, but hangs right before it receives EOT.

ROM version is Jun 19 2019/21:01:04
#183 21805827 11 Jan 2026 19:24

divadiow divadiow

Level 37

Helpful post? (0)

Post #183
21805827 11 Jan 2026 19:24

insmod wrote:
ROM version is Jun 19 2019/21:01:04

found inside FactoryDownloadTools.exe? or using that boot_rom_6.19-(Commit e6f20df7).bin in the ART2000 7z?
#184 21805832 11 Jan 2026 19:27

insmod insmod

Level 30

Helpful post? (0)

Post #184
21805832 11 Jan 2026 19:27

>>21805827
What is that last one?
And no, i just put it into bootrom mode and entered version command via terminal.
ADVERTISEMENT
Helpful post

#185 21805842 11 Jan 2026 19:34

divadiow divadiow

Level 37
Helpful post? (+1)

Helpful post
Post #185
21805842 11 Jan 2026 19:34

ah I see.

There used to be 2 Lightning Semi FTP sites but they stopped working a while ago. I ripped everything off it a couple of years ago.

also, source for boot rom?

I can stick the lot somewhere if you want it all.

Attachments:

ART2000-SRC-LN8826-2020.03.02.7z Download (21.54 MB)

ART2000-SRC-LN8825_26-2020.04.29.7z Download (13.17 MB)

ART2000-SRC_LN8825_26-2020.06.19.7z Download (31.05 MB)

ART2000-SRC-TencentCloud-08-07-m(0910).7z Download (42.39 MB)

ART2000-SRC-LN8829-2020.04.14.7z Download (21.61 MB)

ART2000-SRC-LN8829-2020.03.11.7z Download (40.47 MB)

ART2000-SRC_LN8825_26-2020.06.11.7z Download (30.99 MB)

boot_rom_6.19-(Commit e6f20df7).bin Download (13.11 KB)
#186 21805853 11 Jan 2026 19:40

divadiow divadiow

Level 37

Helpful post? (0)

Post #186
21805853 11 Jan 2026 19:40

https://www.elektroda.com/rtvforum/topic4008545-60.html#20902158
#187 21805858 11 Jan 2026 19:47

insmod insmod

Level 30

Helpful post? (0)

Post #187
21805858 11 Jan 2026 19:47

There is actually a ramcode source code in one of those archives, good
I probably won't use it...
#188 21805863 11 Jan 2026 19:53

divadiow divadiow

Level 37

Helpful post? (0)

Post #188
21805863 11 Jan 2026 19:53

other sightings of that date/time
#189 21806130 12 Jan 2026 01:10

insmod insmod

Level 30

Helpful post? (+1)

Post #189
21806130 12 Jan 2026 01:10

Pushed to bl_refac https://github.com/openshwprojects/BK7231GUIFlashTool/pull/96
Changed default LN baudrate to 117000 (for rom, not ramcode).
This works with CH340 on both LN882H and LN8825. But would it work on a different USB-UART adapter?
Helpful post

#190 21806165 12 Jan 2026 18:55

divadiow divadiow

Level 37

Helpful post? (+1)

Helpful post
Post #190
21806165 12 Jan 2026 18:55

LN882H - onboard WCH CH9102 no problems 5x write 5x read 921600.

Added after 4 [minutes]:

also fine with my CH340C

Added after 25 [minutes]:

'FTDI' FT232RL works too 5x.

A small thing. CRC matching message shows completion in log but GUI status doesn't go beyond "Doing CRC verification..." after writing

Added after 11 [hours] 30 [minutes]:

LN8825B success

Added after 3 [minutes]:

just a few bytes difference to your dump
#191 21807201 13 Jan 2026 07:30

divadiow divadiow

Level 37
Helpful post? (0)

Post #191
21807201 13 Jan 2026 07:30

2 Tuya LN8825B device dumps https://github.com/openshwprojects/FlashDumps/tree/main/IoT/LN8825B

LED controller is this https://www.elektroda.com/rtvforum/topic4023264.html

RGBW lamp is taken with Easy Flasher PR from user Cossid on Discord
- https://www.amazon.com/gp/product/B09D76M8MC
- https://fccid.io/2A2HS-M4/Internal-Photos/Internal-Photos-5787172

~~neither boot if flashed back to OBD so unsure if some W600/W800 secboot thing is going on, or some Tuya check is happening~~

Attachments:

ln8825b_lamp_bootlog.txt Download (4.3 KB)

ln8825b_lamp_easyflasherlog.txt Download (8.51 KB)
#192 21808161 14 Jan 2026 00:32

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #192
21808161 14 Jan 2026 00:32

Guys, what's the PRs state? I see @insmod one has last "revert" commit and I'm not sure if it's experimental or working..

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#193 21808426 14 Jan 2026 11:34

divadiow divadiow

Level 37

Helpful post? (0)

Post #193
21808426 14 Jan 2026 11:34

well, I kinda thought the BL stuff was seen to be OK. I have dumped and flashed LN8825B but not many times, so dunno.

The micro-PR for seed key text tweaking is ready 🤣 (if an agreeable change)
#194 21809218 15 Jan 2026 08:25

divadiow divadiow

Level 37

Helpful post? (0)

Post #194
21809218 15 Jan 2026 08:25

I've written LN8825B OBK and the 2 Tuya flash backups a few times now and it's been OK. Also, the two Tuya backups boot and can be paired with app.

Added after 5 [minutes]:

>>21808161

@insmod should it be merged?
#195 21809229 15 Jan 2026 08:32

insmod insmod

Level 30

Helpful post? (+1)

Post #195
21809229 15 Jan 2026 08:32

>>21809218
Yes, and if i fix something then i'll just open a new pr.
ADVERTISEMENT
#196 21809246 15 Jan 2026 09:00

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #196
21809246 15 Jan 2026 09:00

Or maybe let's go through each PR one by one - which are tested and ready for merge?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#197 21809257 15 Jan 2026 09:08

insmod insmod

Level 30

Helpful post? (0)

Post #197
21809257 15 Jan 2026 09:08

Ready:
https://github.com/openshwprojects/BK7231GUIFlashTool/pull/96
https://github.com/openshwprojects/OpenBK7231T_App/pull/1940 (i can disable extra build variants if needed. Contains 7238 internal temperature fix)
https://github.com/openshwprojects/OpenBK7231T_App/pull/1943 (requires W800 and W600 sdk pr merge. Stability can be checked in prod, since this defaults to off)

For 8825, need to check if i didn't break anything in 882h.

Added IR to 8825 btw, but i can't check it.

Regarding previously non-working scripts on 8825
malloc returns null in https://github.com/openshwprojects/OpenBK7231...7f85dca9e89fdeb33/src/cmnds/cmd_script.c#L248
_malloc_r returns OS_Malloc.
I tried wrapping malloc to OS_Malloc, but it doesn't work.
But defining malloc to os_malloc, which does the same thing works fine.
Why??
#198 21809426 15 Jan 2026 11:34

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #198
21809426 15 Jan 2026 11:34

Merged, thanks.

Maybe some sneaky #define ?

I think I need to add more NULL protections so it doesn't at least crash.

Added after 18 [seconds]:

We need docs for variants, like for platforms.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#199 21810151 15 Jan 2026 23:45

insmod insmod

Level 30

Helpful post? (+1)

Post #199
21810151 15 Jan 2026 23:45

I rebuilt ramcode using my SDK, instead of ln882x-mcu, and suddenly ymodem started working fine.

I'll also rebuild bootloader, so that LN882H OTA images would not be processed and vice versa.
Currently you can flash H image to 5, which will require UART reflash. Didn't test H, but it should be the same.
#200 21811166 17 Jan 2026 09:01

divadiow divadiow

Level 37

Helpful post? (0)

Post #200
21811166 17 Jan 2026 09:01

there's a bit of a gap between what Easy Flasher can interpret into plain-text in the left pane and what templateparser.js can do in import tab in web app.

eg
Templateparser.js only handles one bridge pair, hard-coded to rl_on1_pin and rl_off1_pin, and always forces channel = 1, mapping to BridgeFWD and BridgeREV whereas Easy Flasher matches any rl_on\d+_pin and rl_off\d+_pin and extracts the channel number from the key name. It also maps them to Rel / Rel_n (not BridgeFWD/BridgeREV).

There are others
-EF matches on more netled, pir, i2c, one_wire, backlit, button variants
-web app also matches mic pin to ADC whereas EF is TODO.

TLDR some jsons imported into web app will be a little wrong or incomplete vs what's seen in EF

my question was going to be is EF the source of latest truth on how these should all map, but it seems pretty obvious it is.
ADVERTISEMENT
#201 21811298 17 Jan 2026 11:41

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #201
21811298 17 Jan 2026 11:41

Fair point, that's something that should be fixed. Maintaining it by hand may be hard.

Maybe we could make some kind of C# array of these pins, and then use it to regenerate javascript snippet? @max4elektroda likes that kind of changes

Or for now, just add missing info...

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#202 21811444 17 Jan 2026 14:37

divadiow divadiow

Level 37

Helpful post? (0)

Post #202
21811444 17 Jan 2026 14:37

a starting point?

https://github.com/divadiow/BK7231GUIFlashTool/blob/platforms.md/platforms.md

Lots need confirming if true. Needs tidying. Notes are probably too much info?

dunno
#203 21811515 17 Jan 2026 16:09

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #203
21811515 17 Jan 2026 16:09

Notes are good, as long as they represent the current state and are at least verified by hand (be careful of LLMs halucinating false information), we can keep them.

Would it bring any benefits to add some kind of self test mechanism to the GPIO extractor? Something like a list of dumps (maybe fetched from flash dumps repository) and expected outputs, so it runs everytime after we change something, and it checks if all information is still decoded as it should?

This would notify us as soon as we break some existing feature....

Easy flasher binary could also have a simple command line mode, i.e. if a command is set, like "extract_gpio" it does what's asked without showing gui. Probably we would need to still have gui but as a hidden dummy, because some of the extraction code depends on it? Or maybe it's OOP enough so we can make a clean cut...

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#204 21811565 17 Jan 2026 16:59

divadiow divadiow

Level 37

Helpful post? (0)

Post #204
21811565 17 Jan 2026 16:59

p.kaczmarek2 wrote:
Notes are good, as long as they represent the current state and are at least verified by hand (be careful of LLMs halucinating false information), we can keep them.

ah sure. even if only the skeleton (columns headers) were the only agreeable thing, I thought maybe it was a start. It definitely needs checking more. Or starting from scratch :D

Added after 2 [minutes]:

I expect @insmod can immediately identify stuff that's wrong or has ideas on what columns should be, what's missing etc
#205 21811574 17 Jan 2026 17:02

max4elektroda max4elektroda

Level 22

Helpful post? (0)

Post #205
21811574 17 Jan 2026 17:02

p.kaczmarek2 wrote:
Maybe we could make some kind of C# array of these pins, and then use it to regenerate javascript snippet? @max4elektroda likes that kind of changes

Indeed, I like them. Didn't follow this thread the last time, to be honest, so I'll need to read about the actual "problem"...
#206 21811583 17 Jan 2026 17:13

divadiow divadiow

Level 37

Helpful post? (0)

Post #206
21811583 17 Jan 2026 17:13

max4elektroda wrote:
so I'll need to read about the actual "problem"

with hindsight, this post could have been its own thread - https://www.elektroda.com/rtvforum/viewtopic.php?p=21811166#21811166

this is the issue to which @p.kaczmarek2 tagged your good self.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

BK7231GUIFlashTool version 98 and later introduces a new SPI flashing method for Beken BK7231/BK7252 devices using only a CH341 SPI programmer. This method enables recovery of bricked devices with overwritten bootloaders and functions as a general-purpose SPI flasher supporting various memory chips. The approach builds on previous SPI programming techniques using Python and Banana Pi, adapting them for CH341 hardware and C# implementation. Required hardware includes a CH341 programmer and soldering tools for wire attachment. Recent user feedback on version 98 highlights issues such as the tool requiring a COM port selection in SPI mode, lack of CH341A detection warnings, and missing ch341dll.dll errors. The developer has addressed the COM port requirement and plans to add the missing DLL, requesting further debugging via Visual Studio to handle CH341 initialization exceptions.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

FAQ

TL;DR: New BK7231GUIFlashTool v98+ adds SPI flashing for Beken chips; sample 4,096 KB flash detected. “Only a CH341 SPI programmer is required.” Use CH341A D2 to toggle CEN, send 0xD2, then read/write like generic SPI. [Elektroda, p.kaczmarek2, post #21711721]

Why it matters: It lets you recover bricked BK7231/BK7252 devices without a working bootloader, using low‑cost tools.

Who this is for: DIYers, repair techs, and firmware engineers asking how to unbrick or mass‑flash Beken SoCs via SPI with a CH341A and the latest tool.

Quick Facts

- Hardware: CH341A set to I2C position so Windows shows “USB‑EPP/I2C… CH341A”; wire D2→CEN, and P20–P23 for SCK/CSN/SI/SO. [Elektroda, p.kaczmarek2, post #21711721]
- Enter SPI mode: reset CEN via D2, stream 0xD2, then JEDEC 0x9F; sample ID FF‑EF‑40‑16 → 4,096 KB. [Elektroda, p.kaczmarek2, post #21711721]
- Common setup fix: in v99, COM is no longer mandatory in SPI mode; add CH341DLL if the GitHub build complains. [Elektroda, divadiow, post #21712310]
- Linux/mono: mono 6.12 works; max stable baud typically 921,600; LAN scanner and downloader tested. [Elektroda, insmod, post #21712663]
- Recovery scope: Works even when the BK bootloader is overwritten; can serve as a generic SPI flasher too. [Elektroda, p.kaczmarek2, post #21711721]

What exactly is the new Beken SPI flashing method and what do I need?

The tool drives CH341A as an SPI master, resets BK via CEN on D2, sends 0xD2 to enter BK’s SPI-memory mode, then treats the chip like a standard SPI flash. You need a CH341A (jumper at I2C), 3.3 V power, and wiring for P20–P23 (SCK/CSN/SI/SO) plus CEN. Select “Beken SPI” in BK7231GUIFlashTool v98+. “Only a CH341 SPI programmer is required.” [Elektroda, p.kaczmarek2, post #21711721]

How do I wire CH341A to BK7231/BK7252 for SPI mode?

Connect CH341A SCK→P20, CS0→P21, MOSI→P22 (SI), MISO→P23 (SO), and D2→CEN. Keep MOSI→SI and MISO→SO mapping. Provide GND and target power. Some boards have pads labeled CE/TCK/TMS/TDI/TDO that map to CEN/SCK/CSN/SI/SO respectively. [Elektroda, p.kaczmarek2, post #21711721]

How do I reliably enter BK SPI mode? (3‑step)

Use CH341 D2 to pull CEN low then high to reset the BK chip. 2. Stream 0xD2 bytes repeatedly over SPI. 3. Issue 0x9F and confirm a valid JEDEC response; then proceed to Read/Write/Erase. [Elektroda, p.kaczmarek2, post #21711721]

I get “Failed to open CH341 device” or “Failed to toggle CEN.” What should I check?

Confirm CH341A is jumpered to I2C, recognized by Windows, and the D2 wire is soldered to CEN. Re‑seat USB, power the target, and verify SPI lines. The tool logs these errors when CH341 isn’t detected or CEN can’t be driven; fix wiring or driver, then retry. [Elektroda, p.kaczmarek2, post #21711721]

The app says “missing ch341dll.dll” or quits in SPI mode—how do I fix that?

Place CH341DLL.DLL alongside the GitHub build, or build from source in Visual Studio. Earlier builds could exit if CH341A wasn’t present; recent fixes improved handling, but adding the DLL resolved missing‑library errors during testing. [Elektroda, divadiow, post #21712310]

Do I need to select a COM port for SPI flashing?

No. As of v99, SPI mode does not require a COM port. This was confirmed after fixes; previous v98 prompts were removed. Ensure CH341A is connected; SPI operations run without a serial port. [Elektroda, divadiow, post #21712310]

What does the Verify button do?

Verify compares flash contents against the firmware file currently selected in the tool. Use it after Write or Erase to confirm success. “Verify verifies against selected firmware.” [Elektroda, p.kaczmarek2, post #21712551]

Can this recover a bricked BK7252 camera?

Yes. After wiring CEN and SPI lines, use Beken SPI mode to read/erase/write. The author provides a BK7252 camera recovery example using this exact method with CH341A and the new flasher. [Elektroda, p.kaczmarek2, post #21711721]

Can I use CH341 Programmer or NeoProgrammer once SPI mode is active?

Yes. After the 0xD2 hand‑off, the BK behaves like a generic SPI flash. You can then operate with common SPI flash tools (CH341 Programmer or NeoProgrammer) if you prefer. [Elektroda, p.kaczmarek2, post #21711721]

Linux support: what baud rates are stable under mono?

Mono 6.12 worked for testers. They reported stable operation at 921,600 baud; 1,500,000 worked on Windows, but they lowered to 921,600 on Linux. LAN Scanner and release downloader also worked. [Elektroda, insmod, post #21712663]

The tool shows a 4,096 KB device. Is that normal for these chips?

Yes. A sample JEDEC ID FF‑EF‑40‑16 decoded to 4,096 KB and printed by the tool. That confirms JEDEC read and size decoding in SPI mode. Actual sizes vary by module; always check the tool’s detected flash size. [Elektroda, p.kaczmarek2, post #21711721]

How do I just switch a BK device into SPI mode without reading or writing?

Use the new “Detect” button. It performs a zero‑length custom operation to toggle CEN and send the 0xD2 sync, placing the chip in SPI mode for use with other SPI tools. [Elektroda, p.kaczmarek2, post #21731041]

I flashed many times and now erase fails. What should I try?

Expand Unprotect logic before erase, similar to AsProgrammer. A contributor noted needing stronger Unprotect after many BK7252 cycles. Add an Unprotect/Status-Register release step, then retry the erase/write. [Elektroda, p.kaczmarek2, post #21714737]

What is OpenBeken (OBK) in this context?

OpenBeken is an open‑source firmware used across supported Wi‑Fi MCUs in this ecosystem. The author uses OBK devices for testing and demos, including camera boards and remote flashing concepts. [Elektroda, p.kaczmarek2, post #21714427]

Can I flash a BK device over Wi‑Fi/TCP instead of USB?

Yes, a Wi‑Fi flasher demo proxies UART over TCP and controls CEN via an OBK device. It’s a separate utility that mirrors the BK UART routines, useful when PC‑to‑target wiring is hard. [Elektroda, p.kaczmarek2, post #21720013]

Any known edge cases or failure symptoms I should expect?

If CH341DLL is missing, some GitHub builds previously exited. On mono/Linux, 1,500,000 baud may fail while 921,600 works. Also, after heavy cycling, protection bits may block erase until Unprotect expands. Address each symptom as noted, then retry. [Elektroda, divadiow, post #21712310]