Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

p.kaczmarek2 9228 281

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#91 21718693 13 Oct 2025 08:30

divadiow divadiow

Level 38
Helpful post? (0)

Post #91
21718693 13 Oct 2025 08:30

insmod wrote:
And on W600 flash id command outputs either 1 or 2 bytes, i'm not sure which, because i get 1C

ah yes. remember now. weird.

Added after 2 [minutes]:

what I have played with

Attachments:

W600_TESTING_SCRIPTS.zip Download (3.4 KB)
ADVERTISEMENT
#92 21718744 13 Oct 2025 09:23

divadiow divadiow

Level 38

Helpful post? (0)

Post #92
21718744 13 Oct 2025 09:23

source for the W600 FLM used to read flash in J-Flash
https://github.com/cjacker/wm-sdk-w60x/tree/m...Doc.CN/W60X_QFLASH_Driver_for_SWD/W60X_QFlash
ADVERTISEMENT
#93 21719187 13 Oct 2025 23:45

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (+1)

Post #93
21719187 13 Oct 2025 23:45

Nice, W800 read seem to work.

@insmod by msvc didn't see System.Text.Json and I had to install it via NuGet , is it intended, or is my MSVC old?

Added after 6 [hours] 34 [minutes]:

PS: I tried to add retry for BK7231T on UART in EF:

It fails to retry everytime.
On the other hand... on N:

I cause interference by shorting RX and TX together.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#94 21719650 14 Oct 2025 00:54

insmod insmod

Level 31

Helpful post? (+1)

Post #94
21719650 14 Oct 2025 00:54

>>21718744
Nothing interesting here

>>21719187
Intended.

Maybe move all the other chips bar bk spi into another topic? But what to call it...
#95 21720013 14 Oct 2025 14:20

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #95
21720013 14 Oct 2025 14:20

Well, considering the discussion is more or less about new features of the flasher, I can say it's marginally acceptable to at least let it stay here.

I am posting a WiFi flasher demo. Currently, it's a dirty copy of BK7123 flashing routines to C# with serial port changed to TCP socket.
It is available here: https://www.elektroda.com/rtvforum/topic4148743.html

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#96 21720700 15 Oct 2025 02:57

insmod insmod

Level 31

Helpful post? (+1)

Post #96
21720700 15 Oct 2025 02:57

W600 and W800 update: https://github.com/openshwprojects/BK7231GUIFlashTool/pull/75
W600 backups can now be restored. I tried HC-25 backup on Air602, there was no log on any UART, but AP showed up.
W800 config can now be written.
W600 config can only be written if "Automatically configure OBK on flash write" is enabled.
#97 21720718 15 Oct 2025 07:40

divadiow divadiow

Level 38

Helpful post? (0)

Post #97
21720718 15 Oct 2025 07:40

>>21720700

amazing! in that case I might have to have another stab at backing up the ELM327 W600 I still have on stock fw, though the pins are quite small and IC placement particularly awkward. PB6 is right next to VDD33 too. xtal could be removed I guess

Added after 40 [minutes]:

very good. does EF acknowledge flash completion for you?

boots, AP, HC-25 web

Added after 13 [minutes]:

divadiow wrote:
does EF acknowledge flash completion for you?

if writing custom bin*

OpenW600 written OK and boots. Air602

Added after 1 [minutes]:

insmod wrote:
there was no log on any UART

same.
#98 21721526 15 Oct 2025 21:59

divadiow divadiow

Level 38
Helpful post? (0)

Post #98
21721526 15 Oct 2025 21:59

hello.

I'm curious about the current state of BK7252U backup in EF. I've got a new 2MB BK7252UQN48 and I took an SPI backup with Neo and Beken SPI. Easy Flasher BK7231T and BK7231U uart mode takes identical backup to both SPI - so 4 identical backups. But if you take a BK7252U backup it will get it wrong, creating a different backup to the rest.

EF says it is starting at 0x11000:

Code: Text
Log in, to see the code

and at the end:

Code: Text
Log in, to see the code

but then makes a 2,097,152 bytes file with UA in the name.

If you do a custom read from 0x0 for 0x200000 length you get this, which has been seen in posts before:

Code: Text
Log in, to see the code

I gather there's an ongoing issue with 4mb BK7252U and wrap-around but a 2mb backup should just be the same as T/U but with different names?

I attach all backups for reference.

Attachments:

167. Pocket WiFi Cam INO-A15-V1.1 AK23 BK7252UQN48.zip Download (5.57 MB)
#99 21722488 16 Oct 2025 22:10

divadiow divadiow

Level 38

Helpful post? (0)

Post #99
21722488 16 Oct 2025 22:10

insmod wrote:
Since it's a 24pin camera, would it work in ESP32-CAM?

GPT sketch. it got OmniVision OV3660 right

Code: Text
Log in, to see the code

Detects some stuff if 24-pin doorbell GC0328C inserted

Code: Text
Log in, to see the code
#100 21730989 25 Oct 2025 09:39

divadiow divadiow

Level 38

Helpful post? (0)

Post #100
21730989 25 Oct 2025 09:39

ah yes, this old chestnut.

fiddling with https://www.elektroda.com/rtvforum/topic4150112.html

it's weird because unchecking SREG2:14 then allows erase/write but subsequent reads of values in AS shows it checked still BUT you can continue to erase/write. hmm

Also, could we have an SPI-entry/D2 mode only for Beken SPI? At the moment you have to do an operation (erase/write/read) to get into SPI mode, but sometimes you my just want to get into SPI mode to then use other apps.
#101 21731041 25 Oct 2025 10:52

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #101
21731041 25 Oct 2025 10:52

Good idea, I added "Detect" button, it currently works by doing custom operation with 0 read and 0 write size. Can you check if it works?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#102 21731062 25 Oct 2025 11:08

divadiow divadiow

Level 38

Helpful post? (0)

Post #102
21731062 25 Oct 2025 11:08

excellent. seems OK. thanks
ADVERTISEMENT
#103 21734531 28 Oct 2025 22:16

divadiow divadiow

Level 38

Helpful post? (0)

Post #103
21734531 28 Oct 2025 22:16

forgot I'd tried W806 too. pretty sure this is the same as when tried with Python thing. detect flash size but nothing more

Write works OK though. Or says it does. Doesn't boot.

Added after 2 [hours] 17 [minutes]:

here's what seems to be a working full erase inspired by Upgrade Tool's serialthread.py
Code: Python
Log in, to see the code

Erase success for 1mb W806 too but I can't confirm it.

on 2mb W800 read-backs appear blank apart from the first few bytes. Read-back content is the same after stopping Upgrade Tool's own erase function just before it starts to write new image (erase selection requires flash image selection too to start).
#104 21747802 11 Nov 2025 10:06

divadiow divadiow

Level 38

Helpful post? (0)

Post #104
21747802 11 Nov 2025 10:06

there was a suggestion somewhere that BK7238 in EF might default to QIO I think. Or maybe the option, and why, should be made clearer when the user hits the flash button without "overwrite bootloader" selected. It just feels like with BK7238's increasing popularity, there will potentially be a number of people that don't flash QIO then later realise OTA doesn't work and be annoyed.

Added after 1 [minutes]:

or the need will arise to add a variant that caters for OTA at other popular offsets
#105 21747805 11 Nov 2025 10:12

insmod insmod

Level 31

Helpful post? (+1)

Post #105
21747805 11 Nov 2025 10:12

>>21747802
If i remember correctly, bootloader is always overwritten on 7238 and 7252N.
ADVERTISEMENT
#106 21747811 11 Nov 2025 10:20

divadiow divadiow

Level 38

Helpful post? (0)

Post #106
21747811 11 Nov 2025 10:20

so it is! ok good.
Helpful post

#107 21748843 12 Nov 2025 08:12

divadiow divadiow

Level 38

Helpful post? (+1)

Helpful post
Post #107
21748843 12 Nov 2025 08:12

does ECR6600 stub pr read OK for you @insmod ?

I get this

but v148 reads ok
Helpful post

#108 21748861 12 Nov 2025 08:32

insmod insmod

Level 31

Helpful post? (+1)

Helpful post
Post #108
21748861 12 Nov 2025 08:32

>>21748843
Fixed
#109 21748866 12 Nov 2025 08:39

divadiow divadiow

Level 38

Helpful post? (0)

Post #109
21748866 12 Nov 2025 08:39

cool. initial read fails but then click read again and it will start

same pattern with a few tries. device resets in between
#110 21748878 12 Nov 2025 08:52

insmod insmod

Level 31

Helpful post? (0)

Post #110
21748878 12 Nov 2025 08:52

Fixed too
Helpful post

#111 21748882 12 Nov 2025 20:15

divadiow divadiow

Level 38

Helpful post? (+1)

Helpful post
Post #111
21748882 12 Nov 2025 20:15

Ta. Now afk until this evening

Added after 8 [hours] 50 [minutes]:

✅

Added after 21 [minutes]:

bit more.

every baud in EF read first time apart from 460800 which errors with

Code: Text
Log in, to see the code

Added after 2 [hours] 7 [minutes]:

writing worked first time for all but 460800. I never flash at 460800 to be honest.
#112 21773678 07 Dec 2025 12:18

divadiow divadiow

Level 38

Helpful post? (0)

Post #112
21773678 07 Dec 2025 12:18

copy to clipboard buttons in Tuya config extraction tab when they're empty results in a little crash. I made this to fix. Hope code is OK

https://github.com/openshwprojects/BK7231GUIFlashTool/pull/82
#113 21773694 07 Dec 2025 12:36

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (+1)

Post #113
21773694 07 Dec 2025 12:36

Seems acceptable, nice, thank you. Let me know if you are able to find more such issues in the flasher.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#114 21773698 07 Dec 2025 23:34

divadiow divadiow

Level 38

Helpful post? (0)

Post #114
21773698 07 Dec 2025 23:34

great. thanks for merge.

Added after 10 [hours] 54 [minutes]:

couple of spelling tweaks and the "open backups dir" button on the LAN Scanner only opens Explorer, not backups dir like on Flasher tab https://github.com/openshwprojects/BK7231GUIFlashTool/pull/83
#115 21776068 09 Dec 2025 18:26

divadiow divadiow

Level 38

Helpful post? (0)

Post #115
21776068 09 Dec 2025 18:26

I think this text needs tweaking

https://github.com/openshwprojects/BK7231GUIF...90910c1ab7918/BK7231Flasher/FormMain.cs#L1315

Code: Text
Log in, to see the code

0x11000 is only true for BK-N/T? and then erase all doesn't work for some platforms but then erase all is from 0x0 for those that do work?

My preferences would be: greyed out for any platform that doesn't support erase, then erase from 0 if the platform has a rom and flasher code supports it. Only for BK7252U (which has the other problem still) and BK7231T is erase from 0x11000 performed. Text updated to reflect this situation.

thoughts?
#116 21777249 10 Dec 2025 20:28

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #116
21777249 10 Dec 2025 20:28

Tool is now for many platforms so UI could be improved...

@insmod https://github.com/openshwprojects/BK7231GUIFlashTool/pull/86 nice , how did you figure out chip ID?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#117 21777260 10 Dec 2025 20:34

divadiow divadiow

Level 38

Helpful post? (0)

Post #117
21777260 10 Dec 2025 20:34

0x7252a = BK7252N
#118 21777264 10 Dec 2025 20:37

insmod insmod

Level 31

Helpful post? (0)

Post #118
21777264 10 Dec 2025 20:37

>>21777249
BKFIL with bk_loader 3.0.1.2 + debug mode
#119 21777290 10 Dec 2025 20:50

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Topic author Helpful post? (0)

Post #119
21777290 10 Dec 2025 20:50

We also probably need to narrow down what causes false alarms and scares out users:
https://github.com/openshwprojects/BK7231GUIFlashTool/issues/84

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Helpful post

#120 21777296 10 Dec 2025 21:40

divadiow divadiow

Level 38

Helpful post? (+1)

Helpful post
Post #120
21777296 10 Dec 2025 21:40

p.kaczmarek2 wrote:
https://github.com/openshwprojects/BK7231GUIFlashTool/pull/86

erase all of N just now showed empty flash from 11000 on read-back. it's very quick.

success when erase is part of firmware write too

Added after 47 [minutes]:

p.kaczmarek2 wrote:
We also probably need to narrow down what causes false alarms and scares out users:
https://github.com/openshwprojects/BK7231GUIFlashTool/issues/84

I don't really know but I've been chatting to GPT about it and had it go back through all the changes and take into account the issues posts and the detection type.

Code: Text
Log in, to see the code

Code: Text
Log in, to see the code

ltchiptool has the same issue for the packed single-file Java exe version.

I seem to remember seeing more dll files in the zip alongside the exe at one point, I guess @insmod packed them in or something. Maybe that was when it became more suspicious?
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

BK7231GUIFlashTool version 98 and later introduces a new SPI flashing method for Beken BK7231/BK7252 devices using only a CH341 SPI programmer. This method enables recovery of bricked devices with overwritten bootloaders and functions as a general-purpose SPI flasher supporting various memory chips. The approach builds on previous SPI programming techniques using Python and Banana Pi, adapting them for CH341 hardware and C# implementation. Required hardware includes a CH341 programmer and soldering tools for wire attachment. Recent user feedback on version 98 highlights issues such as the tool requiring a COM port selection in SPI mode, lack of CH341A detection warnings, and missing ch341dll.dll errors. The developer has addressed the COM port requirement and plans to add the missing DLL, requesting further debugging via Visual Studio to handle CH341 initialization exceptions.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Guides
/
Beken BK7231/BK7252 SPI flashing and recovery - new flasher tool and protocol specs

FAQ

TL;DR: New BK7231GUIFlashTool v98+ adds SPI flashing for Beken chips; sample 4,096 KB flash detected. “Only a CH341 SPI programmer is required.” Use CH341A D2 to toggle CEN, send 0xD2, then read/write like generic SPI. [Elektroda, p.kaczmarek2, post #21711721]

Why it matters: It lets you recover bricked BK7231/BK7252 devices without a working bootloader, using low‑cost tools.

Who this is for: DIYers, repair techs, and firmware engineers asking how to unbrick or mass‑flash Beken SoCs via SPI with a CH341A and the latest tool.

Quick Facts

Hardware: CH341A set to I2C position so Windows shows “USB‑EPP/I2C… CH341A”; wire D2→CEN, and P20–P23 for SCK/CSN/SI/SO. [Elektroda, p.kaczmarek2, post #21711721]
Enter SPI mode: reset CEN via D2, stream 0xD2, then JEDEC 0x9F; sample ID FF‑EF‑40‑16 → 4,096 KB. [Elektroda, p.kaczmarek2, post #21711721]
Common setup fix: in v99, COM is no longer mandatory in SPI mode; add CH341DLL if the GitHub build complains. [Elektroda, divadiow, post #21712310]
Linux/mono: mono 6.12 works; max stable baud typically 921,600; LAN scanner and downloader tested. [Elektroda, insmod, post #21712663]
Recovery scope: Works even when the BK bootloader is overwritten; can serve as a generic SPI flasher too. [Elektroda, p.kaczmarek2, post #21711721]

What exactly is the new Beken SPI flashing method and what do I need?

The tool drives CH341A as an SPI master, resets BK via CEN on D2, sends 0xD2 to enter BK’s SPI-memory mode, then treats the chip like a standard SPI flash. You need a CH341A (jumper at I2C), 3.3 V power, and wiring for P20–P23 (SCK/CSN/SI/SO) plus CEN. Select “Beken SPI” in BK7231GUIFlashTool v98+. “Only a CH341 SPI programmer is required.” [Elektroda, p.kaczmarek2, post #21711721]

How do I wire CH341A to BK7231/BK7252 for SPI mode?

Connect CH341A SCK→P20, CS0→P21, MOSI→P22 (SI), MISO→P23 (SO), and D2→CEN. Keep MOSI→SI and MISO→SO mapping. Provide GND and target power. Some boards have pads labeled CE/TCK/TMS/TDI/TDO that map to CEN/SCK/CSN/SI/SO respectively. [Elektroda, p.kaczmarek2, post #21711721]

How do I reliably enter BK SPI mode? (3‑step)

Use CH341 D2 to pull CEN low then high to reset the BK chip. 2. Stream 0xD2 bytes repeatedly over SPI. 3. Issue 0x9F and confirm a valid JEDEC response; then proceed to Read/Write/Erase. [Elektroda, p.kaczmarek2, post #21711721]

I get “Failed to open CH341 device” or “Failed to toggle CEN.” What should I check?

Confirm CH341A is jumpered to I2C, recognized by Windows, and the D2 wire is soldered to CEN. Re‑seat USB, power the target, and verify SPI lines. The tool logs these errors when CH341 isn’t detected or CEN can’t be driven; fix wiring or driver, then retry. [Elektroda, p.kaczmarek2, post #21711721]

The app says “missing ch341dll.dll” or quits in SPI mode—how do I fix that?

Place CH341DLL.DLL alongside the GitHub build, or build from source in Visual Studio. Earlier builds could exit if CH341A wasn’t present; recent fixes improved handling, but adding the DLL resolved missing‑library errors during testing. [Elektroda, divadiow, post #21712310]

Do I need to select a COM port for SPI flashing?

No. As of v99, SPI mode does not require a COM port. This was confirmed after fixes; previous v98 prompts were removed. Ensure CH341A is connected; SPI operations run without a serial port. [Elektroda, divadiow, post #21712310]

What does the Verify button do?

Verify compares flash contents against the firmware file currently selected in the tool. Use it after Write or Erase to confirm success. “Verify verifies against selected firmware.” [Elektroda, p.kaczmarek2, post #21712551]

Can this recover a bricked BK7252 camera?

Yes. After wiring CEN and SPI lines, use Beken SPI mode to read/erase/write. The author provides a BK7252 camera recovery example using this exact method with CH341A and the new flasher. [Elektroda, p.kaczmarek2, post #21711721]

Can I use CH341 Programmer or NeoProgrammer once SPI mode is active?

Yes. After the 0xD2 hand‑off, the BK behaves like a generic SPI flash. You can then operate with common SPI flash tools (CH341 Programmer or NeoProgrammer) if you prefer. [Elektroda, p.kaczmarek2, post #21711721]

Linux support: what baud rates are stable under mono?

Mono 6.12 worked for testers. They reported stable operation at 921,600 baud; 1,500,000 worked on Windows, but they lowered to 921,600 on Linux. LAN Scanner and release downloader also worked. [Elektroda, insmod, post #21712663]

The tool shows a 4,096 KB device. Is that normal for these chips?

Yes. A sample JEDEC ID FF‑EF‑40‑16 decoded to 4,096 KB and printed by the tool. That confirms JEDEC read and size decoding in SPI mode. Actual sizes vary by module; always check the tool’s detected flash size. [Elektroda, p.kaczmarek2, post #21711721]

How do I just switch a BK device into SPI mode without reading or writing?

Use the new “Detect” button. It performs a zero‑length custom operation to toggle CEN and send the 0xD2 sync, placing the chip in SPI mode for use with other SPI tools. [Elektroda, p.kaczmarek2, post #21731041]

I flashed many times and now erase fails. What should I try?

Expand Unprotect logic before erase, similar to AsProgrammer. A contributor noted needing stronger Unprotect after many BK7252 cycles. Add an Unprotect/Status-Register release step, then retry the erase/write. [Elektroda, p.kaczmarek2, post #21714737]

What is OpenBeken (OBK) in this context?

OpenBeken is an open‑source firmware used across supported Wi‑Fi MCUs in this ecosystem. The author uses OBK devices for testing and demos, including camera boards and remote flashing concepts. [Elektroda, p.kaczmarek2, post #21714427]

Can I flash a BK device over Wi‑Fi/TCP instead of USB?

Yes, a Wi‑Fi flasher demo proxies UART over TCP and controls CEN via an OBK device. It’s a separate utility that mirrors the BK UART routines, useful when PC‑to‑target wiring is hard. [Elektroda, p.kaczmarek2, post #21720013]

Any known edge cases or failure symptoms I should expect?

If CH341DLL is missing, some GitHub builds previously exited. On mono/Linux, 1,500,000 baud may fail while 921,600 works. Also, after heavy cycling, protection bits may block erase until Unprotect expands. Address each symptom as noted, then retry. [Elektroda, divadiow, post #21712310]