
New DeviceKey-Based Tuya Encrypted KV Decryption Method (BK7252U/TR6260/W800/LN8825B/RTL8720CM)

divadiow

TL;DR

  • A new Tuya encrypted KV decryption method targets vault-style flash backups on BK7252U, TR6260, W800, LN8825B, and RTL8720CM.
  • It decrypts a wrapped key-record page first, extracts a 16-byte DeviceKey, then derives the vault key by bytewise addition with a BaseKey.
  • The vault data lives in fixed 4KB encrypted pages, and decrypted pages must match the 0x98761234 header and checksum or CRC.
  • When p_key is NULL, Tuya builds the BaseKey from two embedded 16-byte constants containing "HHRRQbyemofrtytf", yielding 9090a4a4a2c4f2cadadecce4e8f2e8cc.
  • The method successfully decoded vault KV on W800, TR6260, BK7252U, LN8825B, and RTL8720CM, but the recovered JSON does not include the pin assignments seen in BK7231N/T dumps.
Generated by the language model.

Topic summary

✨ The discussion addresses the challenge of decrypting the key vault (KV) in Tuya flash backups for certain older platforms such as BK7252U, TR6260, and W800. Unlike the known decryption method for BK7231N/T and some RTL chipsets, which relies on a platform-specific seed key (KEY_PART_1), these older platforms do not use the same seed-driven approach for vault KV decryption. Extensive analysis involving SDK examination, brute-force attempts with millions of key combinations, and reverse engineering of libraries using csky tools revealed that the vault KV path on these devices is independent of the BK7231N/T-style seed key. This indicates a fundamentally different encryption scheme for these platforms, necessitating alternative decryption strategies beyond the known BK7231N/T and RTL8720CM methods.
Generated by the language model.

FAQ

TL;DR: New method decrypts Tuya vault KV across 5 chip families and 11 sample dumps; "device-key centred and two-stage." [Elektroda, divadiow, post #21808089]

Why it matters: It finally explains why older Tuya platforms wouldn’t decrypt and gives a reproducible path to recover JSON from encrypted KV.

Who this is for: firmware hackers, repairers, and tool authors wondering how to decrypt Tuya KV on BK7252U/TR6260/W800/LN8825B/RTL8720CM without the old seed trick.

Quick Facts

What changed versus the older BK7231N/T seed-based method?

Older BK7231N/T extractions used a platform seed (e.g., 8720) to decrypt specific blobs. The new finding shows some platforms use a device-key-centered, two-stage vault: first decrypt a wrapped key-record page to reveal a 16‑byte DeviceKey, then derive the vault key and decrypt 4KB pages. [Elektroda, divadiow, post #21808089]

Which chips and example dumps are confirmed to decrypt with this method?

Confirmed families include BK7252U, TR6260, W800, LN8825B, and RTL8720CM. The author lists 11 specific FlashDumps paths that successfully decode, covering doorbells, LED controllers, hubs, and downlights. Tooling validated page headers and checksums, yielding plaintext JSON. [Elektroda, divadiow, post #21808089]

How is the DerivedKey computed for vault pages?

Combine a 16‑byte BaseKey with the 16‑byte DeviceKey using bytewise addition modulo 256. In code terms: DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i=0..15. This key decrypts fixed-size vault pages. [Elektroda, divadiow, post #21808089]

Where does the default BaseKey come from when p_key is NULL?

Tuya’s DB init logic constructs a 16‑byte BaseKey by adding two embedded 16‑byte constants. Both constants equal the ASCII seed “HHRRQbyemofrtytf”, so each byte is doubled, yielding hex 9090a4a4…e8cc. The “NULL-key branch” lives in libtuya_iot.a. [Elektroda, divadiow, post #21808089]
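As an added example (not code from the thread, from divadiow's tool, or from Tuya's SDK), the Python below puts the two previous answers together: it builds the NULL-branch BaseKey by bytewise-adding the seed to itself, derives a vault key with DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF, and checks the 0x98761234 magic on fixed 4KB pages of a region. The DeviceKey and the page data are constructed sample values, and little-endian storage of the magic is an assumption. The page does not name the block cipher the derived key feeds, nor which checksum or CRC follows the magic, so the decryption step and the integrity check are left to the tool.

```python
"""Tuya vault-KV key arithmetic as summarised in the FAQ above.

Added example, not code from the elektroda thread or from Tuya's SDK.
Assumptions not stated on the page: the page magic is stored little-endian,
and the DeviceKey used in the demo is a constructed sample value.
"""
import struct

# Seed string embedded twice in libtuya_iot.a (quoted on the page).
NULL_KEY_SEED = b"HHRRQbyemofrtytf"
PAGE_MAGIC = 0x98761234  # header magic of a correctly decrypted vault page
PAGE_SIZE = 4096         # vault data lives in fixed 4KB pages


def build_base_key(part_a: bytes = NULL_KEY_SEED, part_b: bytes = NULL_KEY_SEED) -> bytes:
    """BaseKey for the p_key == NULL branch: bytewise sum of two 16-byte constants mod 256."""
    if len(part_a) != 16 or len(part_b) != 16:
        raise ValueError("both key parts must be exactly 16 bytes")
    return bytes((a + b) & 0xFF for a, b in zip(part_a, part_b))


def derive_vault_key(base_key: bytes, device_key: bytes) -> bytes:
    """DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i = 0..15."""
    if len(base_key) != 16 or len(device_key) != 16:
        raise ValueError("BaseKey and DeviceKey must be exactly 16 bytes")
    return bytes((b + d) & 0xFF for b, d in zip(base_key, device_key))


def page_has_magic(page: bytes) -> bool:
    """First sanity check on a decrypted 4KB page: the header magic must match.
    Little-endian layout is an assumption. The checksum/CRC that a real page
    must also pass is not specified on the page and is not implemented here."""
    if len(page) != PAGE_SIZE:
        return False
    return struct.unpack_from("<I", page, 0)[0] == PAGE_MAGIC


def split_pages(blob: bytes):
    """Yield (offset, page) for each whole 4KB page of a vault region."""
    for off in range(0, len(blob) - PAGE_SIZE + 1, PAGE_SIZE):
        yield off, blob[off:off + PAGE_SIZE]


if __name__ == "__main__":
    base = build_base_key()
    print("BaseKey :", base.hex())  # 9090a4a4a2c4f2cadadecce4e8f2e8cc
    device_key = bytes(range(0x10, 0x20))  # constructed sample, not from any real device
    print("Derived :", derive_vault_key(base, device_key).hex())

    # Constructed "decrypted" region: one page with a good header, one of garbage.
    good = struct.pack("<I", PAGE_MAGIC) + b"\x00" * (PAGE_SIZE - 4)
    bad = b"\xff" * PAGE_SIZE
    for off, pg in split_pages(good + bad):
        print(f"page @0x{off:05x}: magic {'ok' if page_has_magic(pg) else 'MISMATCH'}")
```

A magic mismatch on every page after decryption usually means the wrong BaseKey branch (NULL versus caller-supplied) or a misaligned page start rather than a corrupt dump, so that check is worth running before any JSON carving.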

How do I verify that page decryption worked?

Each decrypted vault page should show a known header magic (example 0x98761234) and pass an integrity check (checksum or CRC). If either fails, your BaseKey/DeviceKey or page boundary is wrong. “Magic + CRC proves correctness.” [Elektroda, divadiow, post #21808089]

What JSON data can I actually recover?

You can carve plaintext JSON after decryption. Examples include uuid, psk_key, auth_key, SmartLife AP SSID, version fields, region, and tokens. The sample BK7252U JSON shows multiple objects and redundant blocks. Dedupe identical objects during export. [Elektroda, divadiow, post #21808089]

Does this method reveal GPIO pin assignments like BK7231N dumps did?

No. The decoded vaults lack the pin assignment info seen on BK7231N extractions. Practical value is JSON recovery, not pin mapping. Plan alternative pin discovery if needed. [Elektroda, divadiow, post #21808089]

How do I use the Python/tkinter tool to decrypt a dump? (3 steps)

  1. Load the flash dump and select the key-record region to unwrap the DeviceKey.
  2. Choose BaseKey (NULL default or custom) and decrypt vault pages.
  3. Export plaintext JSON and optionally dedupe or save decrypted blobs. “Swap” handles a secondary region in LN8825B. [Elektroda, divadiow, post #21808089]

What is the “key record” and how do I decrypt it?

It’s a dedicated flash page (often 4KB) wrapping per-device key material, including the 16‑byte DeviceKey. Decrypt it first using the fixed wrapper mechanism. After unwrapping, read DeviceKey to derive the vault key. [Elektroda, divadiow, post #21808089]

What is Tuya in this FAQ’s context?

Here, “Tuya” refers to the vendor ecosystem whose firmware stores an encrypted key-value vault and initializes DB keys as described. We focus on how its prebuilt library derives and applies BaseKey and DeviceKey during KV decryption. [Elektroda, divadiow, post #21808089]

Should this land in Easy Flasher?

Yes, a maintainer encouraged adding it. One open issue remains: the separate “missing key” puzzle investigated in Ghidra is still unsolved. Integrate the vault workflow, but track that gap. [Elektroda, p.kaczmarek2, post #21808335]

What are common failure modes or edge cases to watch for?

Edge cases include wrong page alignment, incorrect BaseKey in NULL vs caller-supplied paths, and non-matching magic or CRC. Also, expect no GPIO pin maps in recovered JSON. Some platforms outside the listed set may use different layouts. [Elektroda, divadiow, post #21808089]
Generated by the language model.