Beken Flash Dump Partition Info Extraction with RT-Threads Partition Tool - Development Thoughts?

divadiow 858 49

#31 21737582 31 Oct 2025 19:53

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #31
21737582 31 Oct 2025 19:53

Code: Text
Log in, to see the code
ADVERTISEMENT
#32 21737587 31 Oct 2025 19:57

insmod insmod

Level 29
Helpful post? (0)

Post #32
21737587 31 Oct 2025 19:57

Another

Attachments:

bk7231n_bootloader_enc_crc.bin Download (62.22 KB)
#33 21737592 31 Oct 2025 20:01

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #33
21737592 31 Oct 2025 20:01

wait. what. wtf. i've added rbl to 132000 to first booting BL and it's OTAd and OBK boots.

insmod wrote:
same binary crc'ed with old encrypt and 0 0 0 0 flags.

not uascent key?

Added after 2 [minutes]:

>>21737587

Code: Text
Log in, to see the code

M_ALT does not boot btw
ADVERTISEMENT
#34 21737596 31 Oct 2025 20:03

insmod insmod

Level 29

Helpful post? (0)

Post #34
21737596 31 Oct 2025 20:03

>>21737592
First with encrypt_n with uascent keys, then added partitions and then crc'ed it with zero keys.
OTA works because i've changed tuya keys to uascent at 0x3c, 16 bytes length in bk7231n_bootloader.bin (not encrypted one).
#35 21737601 31 Oct 2025 20:07

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #35
21737601 31 Oct 2025 20:07

ooh ok. ok.

ah, linking to ..?
insmod wrote:
Tuya keys are at 0x48-0x57

I didn't follow that up
#36 21737604 31 Oct 2025 20:10

insmod insmod

Level 29

Helpful post? (0)

Post #36
21737604 31 Oct 2025 20:10

>>21737601
Oops, i've changed it at wrong address, 0x48-0x57 is correct.
If OTA completes, does it boot?
ADVERTISEMENT
#37 21737608 31 Oct 2025 20:15

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #37
21737608 31 Oct 2025 20:15

insmod wrote:
If OTA completes, does it boot?

yes.

with the BL from here + rbl at 12A000 =

Code: Text
Log in, to see the code
ADVERTISEMENT
#38 21737609 31 Oct 2025 20:15

insmod insmod

Level 29
Helpful post? (0)

Post #38
21737609 31 Oct 2025 20:15

Here's a fixed one

Attachments:

bk7231n_bootloader_enc_crc.bin Download (62.22 KB)
#39 21737612 31 Oct 2025 20:17

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #39
21737612 31 Oct 2025 20:17

insmod wrote:
Here's a fixed one

same experience

Code: Text
Log in, to see the code
#40 21737614 31 Oct 2025 20:19

insmod insmod

Level 29
Helpful post? (0)

Post #40
21737614 31 Oct 2025 20:19

Does ota work on M/zero keys?
If not, then here's enc & crc bootloader for M

Attachments:

bk7231n_bootloader_enc_crc.bin Download (62.22 KB)
Helpful post

#41 21737626 31 Oct 2025 20:41

divadiow divadiow

Level 37

Topic author Helpful post? (+1)

Helpful post
Post #41
21737626 31 Oct 2025 20:41

M_ALT does boot on zero-keys BK7231N module. OTA does work

Code: Text
Log in, to see the code

OpenBK7231M_ALT_QIO_1.18.206.bin -> OpenBK7231N_1.18.204.rbl

old-SDK M QIO does not boot still because of this: https://www.elektroda.com/rtvforum/topic4107851.html#21725511

PR not submitted for change yet

These are test devices btw

Uascent key = blue CB3S from Matter mini switch
Zero key = white UAM026 from Uascent bulb (yes a Uascent with zero keys)

Added after 4 [minutes]:

>>21737614

this does not boot on M

Added after 2 [minutes]:

UAM026 = BL2028N https://www.elektroda.com/rtvforum/topic4111089.html#21477454
Helpful post

#42 21737638 31 Oct 2025 20:44

insmod insmod

Level 29
Helpful post? (+1)

Helpful post
Post #42
21737638 31 Oct 2025 20:44

>>21737626
Strange, but doesn't matter then.
Attached uascent-encrypted non-crc bootloader for beken_packager.

Attachments:

bk7231n_bootloader_uascent_enc.bin Download (58.55 KB)
#43 21737644 31 Oct 2025 22:38

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #43
21737644 31 Oct 2025 22:38

Ok cool. We'll feed that into the build for the uascent section and can finally, hopefully, release Uascent QIO in the BK7231N zip?

Added after 1 [hours] 51 [minutes]:

I'll give that a go. I should be almost there a with a branch only 10 days ago I think.

@p.kaczmarek2 partition detection is still a useful thing in itself though? This doesn't affect that adventure?

I can imagine using partition detection on backups mostly, but maybe it'd be useful for when a user reports OTA not working and they've flashed app, but not QIO, maybe to a BK7238 or a non-Tuya BK-T?
#44 21737851 01 Nov 2025 07:37

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #44
21737851 01 Nov 2025 07:37

I think I can add it to Easy Flasher as well. Still, first I want to verify the CRC - do you have a correct CRC16 implementation for that at hand?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#45 21737853 01 Nov 2025 07:42

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #45
21737853 01 Nov 2025 07:42

well, the uncrc.py I've been using to date appears to have worked without issues on the many dumps I've played with this past week. Does that provide enough info/confirmation of what you require?

Code: Python
Log in, to see the code
#46 21737854 01 Nov 2025 07:43

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #46
21737854 01 Nov 2025 07:43

nevermind, i got it

Added after 1 [minutes]:

Your uncrc does not actually check the CRC. So you can run it with any data and it will work blindly.

You should rather code:
Code: C / C++
Log in, to see the code

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#47 21737858 01 Nov 2025 07:45

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #47
21737858 01 Nov 2025 07:45

ah ok ok. cool. cheers.
#48 21737860 01 Nov 2025 07:47

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #48
21737860 01 Nov 2025 07:47

Also ,it seems that not all data is CRCed. For me this check begins to fail at 57528 offset.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#49 21738157 01 Nov 2025 14:19

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #49
21738157 01 Nov 2025 14:19

oh?

Also, TLV detection is useful, especially if using, for example, M QIO but then not knowing where the mac and RF is for restoration to the offset OBK expects it to be.
#50 21752598 15 Nov 2025 22:52

Apache02 Apache02

Level 6
Helpful post? (0)

Post #50
21752598 15 Nov 2025 22:52

https://github.com/Apache02/bk7252-cam/blob/main/tools/uncrc
https://github.com/Apache02/bk7252-cam/blob/main/tools/crc

Why do you talking about TLV, OTA and other staff when can simply flash app partition?

Structure of partitions table described in https://github.com/YangAlex66/bdk_rtt/blob/release/v3.0/packages/fal/inc/fal_def.h
Code: text Expand Select all Copy to clipboard
struct fal_partition { uint32_t magic_word; /* partition name */ char name[FAL_DEV_NAME_MAX]; /* flash device name for partition */ char flash_name[FAL_DEV_NAME_MAX]; /* partition offset address on flash device */ long offset; size_t len; uint32_t reserved; };

Quote:
starting "01PE"

is uint32_t magic_word which equals to FAL_PART_MAGIC_WROD which equals to 0x45503130

My example of fal partitions table detection:
https://github.com/Apache02/bk7252-cam/blob/m...c/shell/shell_commands_beken/commands/fal.cpp
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Topic summary

The discussion focuses on extracting Beken flash dump partition information using the RT-Threads Partition Tool to facilitate OpenBK* firmware conversions and enable OTA updates. The main challenge is identifying partition offsets and lengths, particularly the "01PE" partition table signature, which varies in location and requires handling little-endian reverse byte order and CRC16 checksums embedded every 34 bytes. A combined Python script (combined_uncrc_extract_run.py) was developed to remove CRC16 checksums and extract partition tables from firmware dumps, followed by using the RT-Thread partition tool CLI to parse and display partition layouts. The tool supports different partition table formats (fal64 and fal48) and outputs partition names, flash types, addresses, and sizes. Attempts to integrate partition detection directly into OpenBK firmware were discussed, including scanning flash memory for "01PE" signatures and skipping CRCs. The conversation also covers challenges with bootloader compatibility, encryption, and CRC validation, especially for Uascent and Tuya bootloaders on BK7231N and BK7231T chips. Testing showed that OTA functionality depends on correct partition offsets and bootloader keys, with some success in creating replacement bootloaders that support OTA on non-standard layouts. The importance of TLV detection for MAC and RF data restoration was noted. Suggestions include adding partition detection to flashing tools like Easy Flasher and improving CRC16 verification in scripts. Overall, the approach aids in troubleshooting OTA failures by accurately identifying partition layouts and offsets in Beken-based devices.
Summary generated by the language model.

FAQ

TL;DR: Beken dumps pack a CRC16 every 34 bytes; “Every 32 bytes of data is followed by 2 bytes of crc.” Extract the 01PE table (64‑byte entries) from the first 2 MiB, then parse it to get exact bootloader/app/OTA offsets for OpenBeken. [Elektroda, divadiow, post #21734412]

Why it matters: This lets you decide if you must flash a QIO bootloader or adjust OTA to avoid bricking.

Who this is for: OpenBeken/Tuya/Beken tinkerers who need reliable partition offsets from raw flash dumps so OTA and backups work consistently.

Quick Facts

- CRC pattern: firmware dumps interleave 32 bytes of data with a 2‑byte CRC16, repeating every 34 bytes. [Elektroda, divadiow, post #21734412]
- 01PE FAL entries are 64 bytes; scanning only the first 2 MiB and taking the last valid group lets the CLI decode partitions. [Elektroda, divadiow, post #21734412]
- Typical offsets seen: bootloader 0x00000000, app 0x00010000, download 0x0012A000–0x00132000; app sizes around 1,083,136 bytes. [Elektroda, p.kaczmarek2, post #21737515]
- Some Tuya BK7238/BK7252U dumps have no 01PE, so this method will not return partitions. [Elektroda, divadiow, post #21734412]
- OBK’s BKPartitions driver can detect and log partitions on‑device after CRC handling and sanity checks. [Elektroda, p.kaczmarek2, post #21737153]

How do I extract Beken partition info from a full flash dump?

Run a combined workflow: 1) strip the interleaved CRC (32+2 bytes), 2) scan the first 2 MiB for 01PE entries and extract the last valid group, 3) feed that file to rt_partition_tool_cli to print the table. The provided combined_uncrc_extract_run.py automates all three steps. [Elektroda, divadiow, post #21735502]

Why does the RT‑Thread GUI show nothing on a 2 MiB dump, but the CLI works?

The GUI expects a clean partition blob, while full dumps include CRC16 bytes every 34 bytes and other data. After removing CRCs and isolating the 01PE group, the CLI parses and prints partitions correctly. “It will work with the CLI.” [Elektroda, divadiow, post #21734412]

What is the “01PE” table and why are entries 64 bytes apart?

01PE is the FAL (Flash Abstraction Layer) magic used by Beken/RT‑Thread bootloaders to list partitions. Each entry is 64 bytes. Searching the first 2 MiB for contiguous 01PE entries (i, i+64, …) yields the active table that tools can decode. [Elektroda, divadiow, post #21734412]

Can OpenBeken detect partitions on the device without a PC?

Yes. The BKPartitions driver scans flash for 01PE, applies sanity checks, and logs partition name, flash type, offset, and size at boot or on command. Example logs show bootloader at 0x0, app at 0x10000, and download near 0x12A000–0x132000. [Elektroda, p.kaczmarek2, post #21737153]

Will this approach work on all Tuya/Beken variants?

No. Some Tuya BK7238 and 4 MB BK7252U dumps contain no 01PE; the scan returns nothing. In those cases, you need a different strategy (e.g., vendor bootloader knowledge or alternate tooling). That’s an expected edge case. [Elektroda, divadiow, post #21734412]

What offsets are typical on BK7231N/T devices?

Logs show common layouts: bootloader 0x00000000 (64K), app 0x00010000 (~1,083,136 bytes), and download around 0x0012A000 or 0x00132000 (≈664–680K). Values vary by build, so always read the actual table before OTA. [Elektroda, p.kaczmarek2, post #21737515]

How do I handle duplicate or multiple 01PE groups?

De‑duplicate entries and prefer the last valid group in the first 2 MiB window. 4 MB dumps can show repeated entries; sorting and deduping by address/name normalizes the output before use. [Elektroda, divadiow, post #21734412]

Could OTA fail even if I flashed the app?

Yes. OpenBeken writes OTA to a fixed offset; if the bootloader checks another offset, OTA will fail. Read the partition table first or flash a bootloader aligned with OBK’s OTA expectations (e.g., QIO release). [Elektroda, divadiow, post #21734412]

What CRC16 parameters are used when validating 34‑byte records?

Use CRC16 with polynomial 0x8005 and initial value 0xFFFF over each 32‑byte data block; the following 2 bytes store the CRC (little‑endian). Validating avoids blindly stripping bytes from unrelated data. [Elektroda, p.kaczmarek2, post #21737854]

Why does CRC checking stop working part‑way through my dump?

Not all regions use the 32+2 CRC scheme. During checks, validation can start failing (example: at offset 57,528), so switch to raw parsing or limit the CRC‑aware window to the confirmed region. [Elektroda, p.kaczmarek2, post #21737860]

Can OBK use partition scanning to pick a safe LFS/OTA offset automatically?

Yes, that’s the idea behind the BKPartitions work. OBK can scan 01PE, validate lengths, and pick offsets to reduce user error on non‑standard layouts. It’s already printing partitions from live devices. [Elektroda, p.kaczmarek2, post #21737153]

What’s special about the Uascent bootloader OTA address?

“If I remember it correctly, Uascent bootloader OTA address is 0x147000.” Using that address risks overwriting LFS and RF/config partitions unless the layout matches. Adjust tools or replace the bootloader. [Elektroda, insmod, post #21737549]

How do I quickly run the extraction on Windows? (3‑step How‑To)

Run combined_uncrc_extract_run.py to remove CRC and extract the last 01PE group. 2. The script emits _partitions.bin. 3. It launches rt_partition_tool_cli.exe to print partition name/offset/size. [Elektroda, divadiow, post #21735502]

Why search for 01PE instead of reading a constant offset?

Because the table’s location varies across devices and builds. Screenshots show different 01PE offsets even for similar chips, so fixed addresses are unreliable. Searching ensures you use the active table. [Elektroda, divadiow, post #21735714]

Where can I find sample dumps to test my parser?

A public repository of IoT flash dumps is linked from the thread. Use these to validate your extraction and dedup logic across chip variants and sizes. [Elektroda, divadiow, post #21734412]

Is TLV (MAC/RF) detection useful with partition scanning?

Yes. After parsing partitions, TLV detection helps locate MAC, RF, and calibration data so you can preserve and restore them where OpenBeken expects. This is valuable during cross‑SDK migrations. [Elektroda, divadiow, post #21738157]