FAQ
TL;DR: New method decrypts Tuya vault KV across 5 chip families and 11 sample dumps; "device-key centred and two-stage." [Elektroda, divadiow, post #21808089]
Why it matters: It finally explains why older Tuya platforms wouldn’t decrypt and gives a reproducible path to recover JSON from encrypted KV.
Who this is for: firmware hackers, repairers, and tool authors wondering how to decrypt Tuya KV on BK7252U/TR6260/W800/LN8825B/RTL8720CM without the old seed trick.
Quick facts:
- Works on BK7252U, TR6260, W800, LN8825B, RTL8720CM; 11 example dumps decoded. [Elektroda, divadiow, post #21808089]
- Two-stage design: decrypt key-record page, then decrypt 4KB vault pages with a derived key. [Elektroda, divadiow, post #21808089]
- Keys are 16 bytes; DerivedKey uses bytewise addition mod 256. [Elektroda, divadiow, post #21808089]
- Default BaseKey (NULL p_key) doubles bytes of "HHRRQbyemofrtytf" → 0x9090…e8cc. [Elektroda, divadiow, post #21808089]
- Decrypted JSON includes UUID, auth_key, Wi‑Fi config, but not pin maps. [Elektroda, divadiow, post #21808089]
What changed versus the older BK7231N/T seed-based method?
Older BK7231N/T extractions used a platform seed (e.g., 8720) to decrypt specific blobs. The new finding shows some platforms use a device-key-centered, two-stage vault: first decrypt a wrapped key-record page to reveal a 16‑byte DeviceKey, then derive the vault key and decrypt 4KB pages. [Elektroda, divadiow, post #21808089]
Which chips and example dumps are confirmed to decrypt with this method?
Confirmed families include BK7252U, TR6260, W800, LN8825B, and RTL8720CM. The author lists 11 specific FlashDumps paths that successfully decode, covering doorbells, LED controllers, hubs, and downlights. Tooling validated page headers and checksums, yielding plaintext JSON. [Elektroda, divadiow, post #21808089]
How is the DerivedKey computed for vault pages?
Combine a 16‑byte BaseKey with the 16‑byte DeviceKey using bytewise addition modulo 256. In code terms: DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i=0..15. This key decrypts fixed-size vault pages. [Elektroda, divadiow, post #21808089]
Where does the default BaseKey come from when p_key is NULL?
Tuya’s DB init logic constructs a 16‑byte BaseKey by adding two embedded 16‑byte constants bytewise. Both constants equal the ASCII seed “HHRRQbyemofrtytf,” so each byte is doubled, yielding hex 9090a4a4…e8cc. This “NULL-key branch” lives in libtuya_iot.a. [Elektroda, divadiow, post #21808089]
How do I verify that page decryption worked?
Each decrypted vault page should show a known header magic (example 0x98761234) and pass an integrity check (checksum or CRC). If either fails, your BaseKey/DeviceKey or page boundary is wrong. “Magic + CRC proves correctness.” [Elektroda, divadiow, post #21808089]
What JSON data can I actually recover?
You can carve plaintext JSON after decryption. Examples include uuid, psk_key, auth_key, SmartLife AP SSID, version fields, region, and tokens. The sample BK7252U JSON shows multiple objects and redundant blocks. Dedupe identical objects during export. [Elektroda, divadiow, post #21808089]
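The derivation, page check and JSON carving described in the four answers above, written out as an added Python example (it is not the thread’s tool, nor code from the forum post). It assumes the byte order of the 32-bit header magic is unknown and accepts either; the CRC step is left out because the thread does not name the algorithm; the DeviceKey and the page contents below are constructed placeholders, not values from any dump.

```python
import json
import struct

# Values quoted in the thread
SEED = b"HHRRQbyemofrtytf"      # ASCII seed embedded twice in libtuya_iot.a
VAULT_MAGIC = 0x98761234        # example page header magic
KEY_LEN = 16
PAGE_SIZE = 4096


def add_bytes_mod256(a: bytes, b: bytes) -> bytes:
    """Bytewise addition modulo 256 of two 16-byte strings."""
    if len(a) != KEY_LEN or len(b) != KEY_LEN:
        raise ValueError("keys must be exactly 16 bytes")
    return bytes((x + y) & 0xFF for x, y in zip(a, b))


def default_base_key() -> bytes:
    """NULL p_key branch: both embedded constants equal SEED, so the sum doubles each byte."""
    return add_bytes_mod256(SEED, SEED)


def derive_vault_key(base_key: bytes, device_key: bytes) -> bytes:
    """DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i in 0..15."""
    return add_bytes_mod256(base_key, device_key)


def split_pages(region: bytes) -> list:
    """Cut a vault region into 4KB pages; a partial trailing page means the
    region offset or length is wrong (one of the edge cases in the thread)."""
    if not region or len(region) % PAGE_SIZE:
        raise ValueError("region is not a whole number of 4KB pages; check page boundary")
    return [region[i:i + PAGE_SIZE] for i in range(0, len(region), PAGE_SIZE)]


def page_magic_ok(page: bytes, magic: int = VAULT_MAGIC) -> bool:
    """True if a decrypted page opens with the expected header magic.
    Assumption: the thread does not state the byte order of the magic,
    so both little- and big-endian encodings are accepted."""
    encodings = (struct.pack("<I", magic), struct.pack(">I", magic))
    return len(page) == PAGE_SIZE and page[:4] in encodings


def carve_json_objects(plaintext: bytes) -> list:
    """Carve every well-formed top-level JSON object out of decrypted bytes and
    drop exact duplicates (the dumps contain redundant copies of the same object)."""
    text = plaintext.decode("utf-8", errors="replace")
    decoder = json.JSONDecoder()
    found, seen, pos = [], set(), 0
    while True:
        start = text.find("{", pos)
        if start < 0:
            break
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1          # not an object here; keep scanning
            continue
        canonical = json.dumps(obj, sort_keys=True)
        if canonical not in seen:
            seen.add(canonical)
            found.append(obj)
        pos = end                    # skip past the object we just parsed
    return found


if __name__ == "__main__":
    # Constructed DeviceKey and page: illustrative values, not from a real dump.
    device_key = bytes(range(16))
    print("BaseKey   :", default_base_key().hex())
    print("DerivedKey:", derive_vault_key(default_base_key(), device_key).hex())
    body = b'{"uuid":"uuid-PLACEHOLDER","auth_key":"AUTHKEY-PLACEHOLDER"}' * 2
    page = struct.pack("<I", VAULT_MAGIC) + body
    page += b"\xff" * (PAGE_SIZE - len(page))
    print("magic ok  :", page_magic_ok(page))
    print("objects   :", carve_json_objects(page))
```

Run it as a script to see the doubled-seed BaseKey (9090a4a4…e8cc), the DerivedKey for the placeholder DeviceKey, and one deduplicated object carved from the constructed page. If `page_magic_ok` fails on a real decrypted page, the thread’s advice applies: re-check the BaseKey path (NULL versus caller-supplied), the DeviceKey, or the page boundary before blaming the data.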
Does this method reveal GPIO pin assignments like BK7231N dumps did?
No. The decoded vaults lack the pin assignment info seen on BK7231N extractions. Practical value is JSON recovery, not pin mapping. Plan alternative pin discovery if needed. [Elektroda, divadiow, post #21808089]
How do I use the Python/tkinter tool to decrypt a dump? (3 steps)
- Load the flash dump and select the key-record region to unwrap the DeviceKey.
- Choose BaseKey (NULL default or custom) and decrypt vault pages.
- Export plaintext JSON and optionally dedupe or save decrypted blobs.
The tool’s “Swap” option handles a secondary region in LN8825B. [Elektroda, divadiow, post #21808089]
What is the “key record” and how do I decrypt it?
It’s a dedicated flash page (often 4KB) wrapping per-device key material, including the 16‑byte DeviceKey. Decrypt it first using the fixed wrapper mechanism. After unwrapping, read DeviceKey to derive the vault key. [Elektroda, divadiow, post #21808089]
What is Tuya in this FAQ’s context?
Here, “Tuya” refers to the vendor ecosystem whose firmware stores an encrypted key-value vault and initializes DB keys as described. We focus on how its prebuilt library derives and applies BaseKey and DeviceKey during KV decryption. [Elektroda, divadiow, post #21808089]
Should this land in Easy Flasher?
Yes, a maintainer encouraged adding it. One open issue remains: the separate “missing key” puzzle investigated in Ghidra is still unsolved. Integrate the vault workflow, but track that gap. [Elektroda, p.kaczmarek2, post #21808335]
What are common failure modes or edge cases to watch for?
Edge cases include wrong page alignment, incorrect BaseKey in NULL vs caller-supplied paths, and non-matching magic or CRC. Also, expect no GPIO pin maps in recovered JSON. Some platforms outside the listed set may use different layouts. [Elektroda, divadiow, post #21808089]