New DeviceKey-Based Tuya Encrypted KV Decryption Method (BK7252U/TR6260/W800/LN8825B/RTL8720CM)

divadiow 201 2

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Topic author Helpful post? (+2)

Helpful post
Post #1
21808089 13 Jan 2026 22:35

I've been trying to figure out why we cannot decrypt the key vault on some Tuya flash backups and why this seems to be the case for certain, typically older, platforms. BK7252U, TR6260, W800 to name a few.

The decryption method for BK7231N/T (and some RTLs) is known, though the Tuya 'seed' KEY_PART_1 has been known to deviate away from 8720_2M (effectively '8720') depending on the platform.

eg

In an effort to find the assumed unknown, but present, seed key I spent quite a bit of time in LLM discussions, poring over various SDKs, programmatically trying different plain-text strings from dumps, PowerShell-generated key combinations numbering into the millions, breaking down libs with various csky tools (W800 dump).

What turned out to be different is that this “vault KV” path is not KEY_PART_1-seed driven at all.

Instead of the BK7231N/T-style config extractor model (where a platform “seed” influences the key used to decrypt a specific config blob), this vault mechanism is device-key centred and two-stage:

1) Key-record stage (per-device key material)
A dedicated “key record” region in flash contains the per-device keying material (including a 16-byte DeviceKey). That key record itself is wrapped/encrypted as a unit (sector/page sized, typically 4KB) and must be decrypted first before the DeviceKey can be read. This key-record page is wrapped using a fixed mechanism (typically a constant wrapper key), and decrypting it is what reveals the DeviceKey used for the vault pages.

2) Vault stage (derived vault key + page encryption)
The effective vault key is derived by combining a 16-byte BaseKey with that per-device 16-byte DeviceKey using bytewise addition mod 256. BaseKey is either caller-supplied (p_key) or constructed by the SDK when p_key is NULL (see below).

Code: Text
Log in, to see the code

The vault payload is then stored as fixed-size encrypted pages (typically 4KB each). Each decrypted page is expected to match a known page structure: a magic value in the header (e.g. 0x98761234) plus an integrity field (checksum or CRC) used to confirm the page decryption is correct.

Where the “default BaseKey” comes from (when not explicitly supplied)
The “default BaseKey” is not a flash-layout assumption; it comes from the NULL-key branch in Tuya’s DB init logic inside the prebuilt library.

Concretely, in libtuya_iot.a (object tuya_ws_db.c.o), ws_db_init checks whether p_key is NULL:

ADVERTISEMENT

If p_key != NULL: it copies 16 bytes from the caller-provided buffer → BaseKey = p_key

If p_key == NULL: it constructs a 16-byte BaseKey in a 16-iteration loop by adding bytes from two embedded 16-byte constants.

Those two constants both contain the same ASCII seed:
Code: text Expand Select all Copy to clipboard
HHRRQbyemofrtytf
(16 bytes)

So the NULL-key case is effectively:
Code: text Expand Select all Copy to clipboard
BaseKey(byte_index) = (seed(byte_index) + seed(byte_index)) & 0xFF

Doubling the bytes of "HHRRQbyemofrtytf" yields:
Code: text Expand Select all Copy to clipboard
9090a4a4a2c4f2cadadecce4e8f2e8cc

(which is the “Tuya default (NULL p_key)” BaseKey value).

How the JSON is recovered
Once the vault pages are decrypted correctly (i.e. page header/magic + checksum or CRC validates), the JSON is not separately encrypted again; it exists as plaintext within the reconstructed decrypted vault region. Extraction is therefore a straightforward carve/parse step over the decrypted bytes: locate candidate JSON starts ({ or [), bracket/quote-balance to a candidate end, then validate by parsing as JSON before emitting the object (with optional dedupe of identical objects/blocks when redundancy is present).

With that knowledge this tkinter/Python program was then developed with (a lot) of help from an LLM:

This uses the above mechanism to decrypt vault-style KV on dumps that are structured this way. I've added options to dedupe/collapse duplicate decoded objects (the vaults appear to contain duplicates / redundancy), export decoded JSON, export decrypted blobs (“swap” relates to a secondary region present in LN8825B dumps).

In summary, it turns out this method can successfully decrypt the KV on Tuya W800, TR6260, BK7252U, LN8825B and RTL8720CM. However, the key vaults don't appear to contain the same pin assignment information seen in successful extractions from BK7231N etc dumps.

Of all the dumps in Flashdumps, these can be decoded with this method:

Code: Text
Log in, to see the code

example JSON from a BK7252U:
Code: JSON
Log in, to see the code

This method may only apply to a minority of (mostly older) platforms, and the decoded JSON doesn’t appear to include pin assignments, so the immediate practical value is limited. That said, I still think it’s been a worthwhile adventure. Next step: should this be integrated into Easy Flasher?

Attachments:

TY_KV_Decrypt.zip Download (9.7 KB)

Cool? Ranking DIY
From Display to Complete System: How the Solution Team Creates Value at Unisystem [ad]
About Author
divadiow divadiow

Level 37
Offline

Joined: 20 Nov 2023

Posts: 4280

Help: 370

Posts rating: 754

Points: 21358
divadiow wrote 4280 posts with rating 754, helped 370 times. Live in city Bristol. Been with us since 2023 year.
ADVERTISEMENT
#2 21808335 14 Jan 2026 09:57

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #2
21808335 14 Jan 2026 09:57

Very interesting finding, how did you find that out? I think it's worth to add this to the flasher.

However... that missing key issue we was searching for in Ghidra is still not yet solved?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#3 21808412 14 Jan 2026 11:24

divadiow divadiow

Level 37

Topic author Helpful post? (0)

Post #3
21808412 14 Jan 2026 11:24

p.kaczmarek2 wrote:
Very interesting finding, how did you find that out?

basically hours of trying stuff with LLM. So many angles explored, but ultimately feeding it the Tuya LN882X SDKs from the Lightning Semi FTP seemed to contain the answer. Expert handling of the LLM also played a huge part of course

p.kaczmarek2 wrote:
However... that missing key issue we was searching for in Ghidra is still not yet solved?

I do recall, I think you're referring to the ECR6600 investigations in this thread: https://www.elektroda.com/rtvforum/topic4111822.html

I would like to focus on ECR6600 next, it is still unknown.

Added after 8 [minutes]:

oh yeh. there was even some T-Head/CSKY debug server stuff with the W800 at one point to see if there was any sign of some ephemeral key in RAM at the app's boot/decryption stage. The STM32 CK-Link Lite without NRST limited my options/success somewhat.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

FAQ

TL;DR: New method decrypts Tuya vault KV across 5 chip families and 11 sample dumps; "device-key centred and two-stage." [Elektroda, divadiow, post #21808089]

Why it matters: It finally explains why older Tuya platforms wouldn’t decrypt and gives a reproducible path to recover JSON from encrypted KV.

Who this is for: firmware hackers, repairers, and tool authors wondering how to decrypt Tuya KV on BK7252U/TR6260/W800/LN8825B/RTL8720CM without the old seed trick.

Quick facts:

Works on BK7252U, TR6260, W800, LN8825B, RTL8720CM; 11 example dumps decoded. [Elektroda, divadiow, post #21808089]
Two-stage design: decrypt key-record page, then decrypt 4KB vault pages with a derived key. [Elektroda, divadiow, post #21808089]
Keys are 16 bytes; DerivedKey uses bytewise addition mod 256. [Elektroda, divadiow, post #21808089]
Default BaseKey (NULL p_key) doubles bytes of "HHRRQbyemofrtytf" → 0x9090…e8cc. [Elektroda, divadiow, post #21808089]
Decrypted JSON includes UUID, auth_key, Wi‑Fi config, but not pin maps. [Elektroda, divadiow, post #21808089]

Quick Facts

- Works on BK7252U, TR6260, W800, LN8825B, RTL8720CM; 11 example dumps decoded. [Elektroda, divadiow, post #21808089]
- Two-stage design: decrypt key-record page, then decrypt 4KB vault pages with a derived key. [Elektroda, divadiow, post #21808089]
- Keys are 16 bytes; DerivedKey uses bytewise addition mod 256. [Elektroda, divadiow, post #21808089]
- Default BaseKey (NULL p_key) doubles bytes of "HHRRQbyemofrtytf" → 0x9090…e8cc. [Elektroda, divadiow, post #21808089]
- Decrypted JSON includes UUID, auth_key, Wi‑Fi config, but not pin maps. [Elektroda, divadiow, post #21808089]

What changed versus the older BK7231N/T seed-based method?

Older BK7231N/T extractions used a platform seed (e.g., 8720) to decrypt specific blobs. The new finding shows some platforms use a device-key-centered, two-stage vault: first decrypt a wrapped key-record page to reveal a 16‑byte DeviceKey, then derive the vault key and decrypt 4KB pages. [Elektroda, divadiow, post #21808089]

Which chips and example dumps are confirmed to decrypt with this method?

Confirmed families include BK7252U, TR6260, W800, LN8825B, and RTL8720CM. The author lists 11 specific FlashDumps paths that successfully decode, covering doorbells, LED controllers, hubs, and downlights. Tooling validated page headers and checksums, yielding plaintext JSON. [Elektroda, divadiow, post #21808089]

How is the DerivedKey computed for vault pages?

Combine a 16‑byte BaseKey with the 16‑byte DeviceKey using bytewise addition modulo 256. In code terms: DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i=0..15. This key decrypts fixed-size vault pages. [Elektroda, divadiow, post #21808089]

Where does the default BaseKey come from when p_key is NULL?

Tuya’s DB init logic constructs a 16‑byte BaseKey by adding two embedded 16‑byte constants. Both constants equal the ASCII seed “HHRRQbyemofrtytf,” so the bytes are doubled, yielding hex 9090a4a4…e8cc. “NULL-key branch” lives in libtuya_iot.a. [Elektroda, divadiow, post #21808089]

How do I verify that page decryption worked?

Each decrypted vault page should show a known header magic (example 0x98761234) and pass an integrity check (checksum or CRC). If either fails, your BaseKey/DeviceKey or page boundary is wrong. “Magic + CRC proves correctness.” [Elektroda, divadiow, post #21808089]

What JSON data can I actually recover?

You can carve plaintext JSON after decryption. Examples include uuid, psk_key, auth_key, SmartLife AP SSID, version fields, region, and tokens. The sample BK7252U JSON shows multiple objects and redundant blocks. Dedupe identical objects during export. [Elektroda, divadiow, post #21808089]

Does this method reveal GPIO pin assignments like BK7231N dumps did?

No. The decoded vaults lack the pin assignment info seen on BK7231N extractions. Practical value is JSON recovery, not pin mapping. Plan alternative pin discovery if needed. [Elektroda, divadiow, post #21808089]

How do I use the Python/tkinter tool to decrypt a dump? (3 steps)

Load the flash dump and select the key-record region to unwrap the DeviceKey.
Choose BaseKey (NULL default or custom) and decrypt vault pages.
Export plaintext JSON and optionally dedupe or save decrypted blobs. “Swap” handles a secondary region in LN8825B. [Elektroda, divadiow, post #21808089]

What is the “key record” and how do I decrypt it?

It’s a dedicated flash page (often 4KB) wrapping per-device key material, including the 16‑byte DeviceKey. Decrypt it first using the fixed wrapper mechanism. After unwrapping, read DeviceKey to derive the vault key. [Elektroda, divadiow, post #21808089]

What is Tuya in this FAQ’s context?

Here, “Tuya” refers to the vendor ecosystem whose firmware stores an encrypted key-value vault and initializes DB keys as described. We focus on how its prebuilt library derives and applies BaseKey and DeviceKey during KV decryption. [Elektroda, divadiow, post #21808089]

Should this land in Easy Flasher?

Yes, a maintainer encouraged adding it. One open issue remains: the separate “missing key” puzzle investigated in Ghidra is still unsolved. Integrate the vault workflow, but track that gap. [Elektroda, p.kaczmarek2, post #21808335]

What are common failure modes or edge cases to watch for?

Edge cases include wrong page alignment, incorrect BaseKey in NULL vs caller-supplied paths, and non-matching magic or CRC. Also, expect no GPIO pin maps in recovered JSON. Some platforms outside the listed set may use different layouts. [Elektroda, divadiow, post #21808089]

New DeviceKey-Based Tuya Encrypted KV Decryption Method (BK7252U/TR6260/W800/LN8825B/RTL8720CM)

Didn't find an answer? Ask Artificial Intelligence