Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

p.kaczmarek2 6768 213

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#211 21821133 27 Jan 2026 11:30

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #211
21821133 27 Jan 2026 11:30

Why not move flash vars elsewhere on BK7238 and update offset in obk?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#212 21821138 27 Jan 2026 12:11

divadiow divadiow

Level 37

Helpful post? (0)

Post #212
21821138 27 Jan 2026 12:11

DeDaMrAz wrote:
why not make this automatically in the flash write process

well indeed.

Added after 37 [seconds]:

p.kaczmarek2 wrote:
Why not move flash vars elsewhere on BK7238 and update offset in obk?

will that kill anyone already on OpenBK7238?

Added after 38 [minutes]:

xref https://www.elektroda.com/rtvforum/topic4159859.html#21802365
ADVERTISEMENT

#213 21821592 27 Jan 2026 20:54

max4elektroda max4elektroda

Level 22

Post #213

21821592 27 Jan 2026 20:54

max4elektroda wrote:
But at least a first try to fix the things you mentioned (rl_on\d+_pin and rl_off\d+_pin)

Added some code to use regex finding these keys instead of looping through the numbers.

For now, mainly coded, not tested thoroughly, not sure if it's even ready for a PR......

https://github.com/MaxineMuster/OBK_webapp/tree/templateparser

Made some more changes and (hopefully) improvements to "templateParser.js".
Now all cases from "TuyaConfig.cs" should be here, too + added code for (seldom) "sel_pin_lv: 0" needing BL0937SEL_n.

Also tried to fix import.vue "ignoring" WebApp source, but always loading "https://openbekeniot.github.io/webapp/templateParser.js" and "https://openbekeniot.github.io/webapp/tuyaExporter.js".
Since I wanted this to work even in strange configs, I had to find the location, from which script was loaded.
For me it now worked with both on a single machine, e.g. simulators web interface running on default port 80 and WebApp served locally e.g. on port 8080.
Just had to make sure, httpd will send "Access-Control-Allow-Origin: *"...

But let's get sure about some questions:

rl_on1_pin / rl_off1_pin: What is the correct role? BridgeFWD/BridgeREV or Rel/Rel_n ??
r_pin/g_pin/b_pin/c_pin/w_pin: What's the correct channel to use? templateParser.js assigns 1 to 5, C# code in TuyaConfig.cs assigns 0 to 4 (though in description it's 1 - 5):

                   case "r_pin":
                        desc += "- LED Red (Channel 1) on P" + value + Environment.NewLine;
                        tg?.setPinRole(value, PinRole.PWM);
                        tg?.setPinChannel(value, 0);
                        break;
                    case "g_pin":
                        desc += "- LED Green (Channel 2) on P" + value + Environment.NewLine;
                        tg?.setPinRole(value, PinRole.PWM);
                        tg?.setPinChannel(value, 1);
                        break;
                    case "b_pin":
                        desc += "- LED Blue (Channel 3) on P" + value + Environment.NewLine;
                        tg?.setPinRole(value, PinRole.PWM);
                        tg?.setPinChannel(value, 2);
                        break;
                    case "c_pin":
                        desc += "- LED Cool (Channel 4) on P" + value + Environment.NewLine;
                        tg?.setPinRole(value, PinRole.PWM);
                        tg?.setPinChannel(value, 3);
                        break;
                    case "w_pin":
                        desc += "- LED Warm (Channel 5) on P" + value + Environment.NewLine;
                        tg?.setPinRole(value, PinRole.PWM);
                        tg?.setPinChannel(value, 4);
                        break;

#214 21823610 29 Jan 2026 20:29

divadiow divadiow

Level 37

Helpful post? (0)

Post #214
21823610 29 Jan 2026 20:29

max4elektroda wrote:
rl_on1_pin / rl_off1_pin: What is the correct role? BridgeFWD/BridgeREV or Rel/Rel_n ??

there's this maybe pivotal moment here https://www.elektroda.com/rtvforum/topic4000770.html#20869388

I can't find an obvious change to templateParser.js to coincide.

My feeling is that this detection should be BridgeFWD/BridgeREV and not Rel/Rel_n

lt detects it as bistable / H-Bridge if there is no normal relay pin and both ON and OFF drive pins exist

Added after 40 [minutes]:

hmm, there must be quite a few more out there to be added too. eg:

https://www.elektroda.com/rtvforum/topic4093780.html#21790729

in the json we see

Code: Text
Log in, to see the code

chip_type:2 = HLW8032
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

BK7231GUIFlashTool version 98 and later introduces a new SPI flashing method for Beken BK7231/BK7252 devices using only a CH341 SPI programmer. This method enables recovery of bricked devices with overwritten bootloaders and functions as a general-purpose SPI flasher supporting various memory chips. The approach builds on previous SPI programming techniques using Python and Banana Pi, adapting them for CH341 hardware and C# implementation. Required hardware includes a CH341 programmer and soldering tools for wire attachment. Recent user feedback on version 98 highlights issues such as the tool requiring a COM port selection in SPI mode, lack of CH341A detection warnings, and missing ch341dll.dll errors. The developer has addressed the COM port requirement and plans to add the missing DLL, requesting further debugging via Visual Studio to handle CH341 initialization exceptions.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

FAQ

TL;DR: New BK7231GUIFlashTool v98+ adds SPI flashing for Beken chips; sample 4,096 KB flash detected. “Only a CH341 SPI programmer is required.” Use CH341A D2 to toggle CEN, send 0xD2, then read/write like generic SPI. [Elektroda, p.kaczmarek2, post #21711721]

Why it matters: It lets you recover bricked BK7231/BK7252 devices without a working bootloader, using low‑cost tools.

Who this is for: DIYers, repair techs, and firmware engineers asking how to unbrick or mass‑flash Beken SoCs via SPI with a CH341A and the latest tool.

Quick Facts

- Hardware: CH341A set to I2C position so Windows shows “USB‑EPP/I2C… CH341A”; wire D2→CEN, and P20–P23 for SCK/CSN/SI/SO. [Elektroda, p.kaczmarek2, post #21711721]
- Enter SPI mode: reset CEN via D2, stream 0xD2, then JEDEC 0x9F; sample ID FF‑EF‑40‑16 → 4,096 KB. [Elektroda, p.kaczmarek2, post #21711721]
- Common setup fix: in v99, COM is no longer mandatory in SPI mode; add CH341DLL if the GitHub build complains. [Elektroda, divadiow, post #21712310]
- Linux/mono: mono 6.12 works; max stable baud typically 921,600; LAN scanner and downloader tested. [Elektroda, insmod, post #21712663]
- Recovery scope: Works even when the BK bootloader is overwritten; can serve as a generic SPI flasher too. [Elektroda, p.kaczmarek2, post #21711721]

What exactly is the new Beken SPI flashing method and what do I need?

The tool drives CH341A as an SPI master, resets BK via CEN on D2, sends 0xD2 to enter BK’s SPI-memory mode, then treats the chip like a standard SPI flash. You need a CH341A (jumper at I2C), 3.3 V power, and wiring for P20–P23 (SCK/CSN/SI/SO) plus CEN. Select “Beken SPI” in BK7231GUIFlashTool v98+. “Only a CH341 SPI programmer is required.” [Elektroda, p.kaczmarek2, post #21711721]

How do I wire CH341A to BK7231/BK7252 for SPI mode?

Connect CH341A SCK→P20, CS0→P21, MOSI→P22 (SI), MISO→P23 (SO), and D2→CEN. Keep MOSI→SI and MISO→SO mapping. Provide GND and target power. Some boards have pads labeled CE/TCK/TMS/TDI/TDO that map to CEN/SCK/CSN/SI/SO respectively. [Elektroda, p.kaczmarek2, post #21711721]

How do I reliably enter BK SPI mode? (3‑step)

Use CH341 D2 to pull CEN low then high to reset the BK chip. 2. Stream 0xD2 bytes repeatedly over SPI. 3. Issue 0x9F and confirm a valid JEDEC response; then proceed to Read/Write/Erase. [Elektroda, p.kaczmarek2, post #21711721]

I get “Failed to open CH341 device” or “Failed to toggle CEN.” What should I check?

Confirm CH341A is jumpered to I2C, recognized by Windows, and the D2 wire is soldered to CEN. Re‑seat USB, power the target, and verify SPI lines. The tool logs these errors when CH341 isn’t detected or CEN can’t be driven; fix wiring or driver, then retry. [Elektroda, p.kaczmarek2, post #21711721]

The app says “missing ch341dll.dll” or quits in SPI mode—how do I fix that?

Place CH341DLL.DLL alongside the GitHub build, or build from source in Visual Studio. Earlier builds could exit if CH341A wasn’t present; recent fixes improved handling, but adding the DLL resolved missing‑library errors during testing. [Elektroda, divadiow, post #21712310]

Do I need to select a COM port for SPI flashing?

No. As of v99, SPI mode does not require a COM port. This was confirmed after fixes; previous v98 prompts were removed. Ensure CH341A is connected; SPI operations run without a serial port. [Elektroda, divadiow, post #21712310]

What does the Verify button do?

Verify compares flash contents against the firmware file currently selected in the tool. Use it after Write or Erase to confirm success. “Verify verifies against selected firmware.” [Elektroda, p.kaczmarek2, post #21712551]

Can this recover a bricked BK7252 camera?

Yes. After wiring CEN and SPI lines, use Beken SPI mode to read/erase/write. The author provides a BK7252 camera recovery example using this exact method with CH341A and the new flasher. [Elektroda, p.kaczmarek2, post #21711721]

Can I use CH341 Programmer or NeoProgrammer once SPI mode is active?

Yes. After the 0xD2 hand‑off, the BK behaves like a generic SPI flash. You can then operate with common SPI flash tools (CH341 Programmer or NeoProgrammer) if you prefer. [Elektroda, p.kaczmarek2, post #21711721]

Linux support: what baud rates are stable under mono?

Mono 6.12 worked for testers. They reported stable operation at 921,600 baud; 1,500,000 worked on Windows, but they lowered to 921,600 on Linux. LAN Scanner and release downloader also worked. [Elektroda, insmod, post #21712663]

The tool shows a 4,096 KB device. Is that normal for these chips?

Yes. A sample JEDEC ID FF‑EF‑40‑16 decoded to 4,096 KB and printed by the tool. That confirms JEDEC read and size decoding in SPI mode. Actual sizes vary by module; always check the tool’s detected flash size. [Elektroda, p.kaczmarek2, post #21711721]

How do I just switch a BK device into SPI mode without reading or writing?

Use the new “Detect” button. It performs a zero‑length custom operation to toggle CEN and send the 0xD2 sync, placing the chip in SPI mode for use with other SPI tools. [Elektroda, p.kaczmarek2, post #21731041]

I flashed many times and now erase fails. What should I try?

Expand Unprotect logic before erase, similar to AsProgrammer. A contributor noted needing stronger Unprotect after many BK7252 cycles. Add an Unprotect/Status-Register release step, then retry the erase/write. [Elektroda, p.kaczmarek2, post #21714737]

What is OpenBeken (OBK) in this context?

OpenBeken is an open‑source firmware used across supported Wi‑Fi MCUs in this ecosystem. The author uses OBK devices for testing and demos, including camera boards and remote flashing concepts. [Elektroda, p.kaczmarek2, post #21714427]

Can I flash a BK device over Wi‑Fi/TCP instead of USB?

Yes, a Wi‑Fi flasher demo proxies UART over TCP and controls CEN via an OBK device. It’s a separate utility that mirrors the BK UART routines, useful when PC‑to‑target wiring is hard. [Elektroda, p.kaczmarek2, post #21720013]

Any known edge cases or failure symptoms I should expect?

If CH341DLL is missing, some GitHub builds previously exited. On mono/Linux, 1,500,000 baud may fail while 921,600 works. Also, after heavy cycling, protection bits may block erase until Unprotect expands. Address each symptom as noted, then retry. [Elektroda, divadiow, post #21712310]