New DeviceKey-Based Tuya Encrypted KV Decryption Method (BK7252U/TR6260/W800/LN8825B/RTL8720CM)

divadiow 1572 41

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Topic author Helpful post? (+3)

Helpful post
Post #1
21808089 13 Jan 2026 22:35

I've been trying to figure out why we cannot decrypt the key vault on some Tuya flash backups and why this seems to be the case for certain, typically older, platforms. BK7252U, TR6260, W800 to name a few.

The decryption method for BK7231N/T (and some RTLs) is known, though the Tuya 'seed' KEY_PART_1 has been known to deviate away from 8720_2M (effectively '8720') depending on the platform.

eg

In an effort to find the assumed unknown, but present, seed key I spent quite a bit of time in LLM discussions, poring over various SDKs, programmatically trying different plain-text strings from dumps, PowerShell-generated key combinations numbering into the millions, breaking down libs with various csky tools (W800 dump).

What turned out to be different is that this “vault KV” path is not KEY_PART_1-seed driven at all.

Instead of the BK7231N/T-style config extractor model (where a platform “seed” influences the key used to decrypt a specific config blob), this vault mechanism is device-key centred and two-stage:

1) Key-record stage (per-device key material)
A dedicated “key record” region in flash contains the per-device keying material (including a 16-byte DeviceKey). That key record itself is wrapped/encrypted as a unit (sector/page sized, typically 4KB) and must be decrypted first before the DeviceKey can be read. This key-record page is wrapped using a fixed mechanism (typically a constant wrapper key), and decrypting it is what reveals the DeviceKey used for the vault pages.

2) Vault stage (derived vault key + page encryption)
The effective vault key is derived by combining a 16-byte BaseKey with that per-device 16-byte DeviceKey using bytewise addition mod 256. BaseKey is either caller-supplied (p_key) or constructed by the SDK when p_key is NULL (see below).

Code: Text
Log in, to see the code

The vault payload is then stored as fixed-size encrypted pages (typically 4KB each). Each decrypted page is expected to match a known page structure: a magic value in the header (e.g. 0x98761234) plus an integrity field (checksum or CRC) used to confirm the page decryption is correct.

Where the “default BaseKey” comes from (when not explicitly supplied)
The “default BaseKey” is not a flash-layout assumption; it comes from the NULL-key branch in Tuya’s DB init logic inside the prebuilt library.

Concretely, in libtuya_iot.a (object tuya_ws_db.c.o), ws_db_init checks whether p_key is NULL:

ADVERTISEMENT

If p_key != NULL: it copies 16 bytes from the caller-provided buffer → BaseKey = p_key

If p_key == NULL: it constructs a 16-byte BaseKey in a 16-iteration loop by adding bytes from two embedded 16-byte constants.

Those two constants both contain the same ASCII seed:
Code: text Expand Select all Copy to clipboard
HHRRQbyemofrtytf
(16 bytes)

So the NULL-key case is effectively:
Code: text Expand Select all Copy to clipboard
BaseKey(byte_index) = (seed(byte_index) + seed(byte_index)) & 0xFF

Doubling the bytes of "HHRRQbyemofrtytf" yields:
Code: text Expand Select all Copy to clipboard
9090a4a4a2c4f2cadadecce4e8f2e8cc

(which is the “Tuya default (NULL p_key)” BaseKey value).

How the JSON is recovered
Once the vault pages are decrypted correctly (i.e. page header/magic + checksum or CRC validates), the JSON is not separately encrypted again; it exists as plaintext within the reconstructed decrypted vault region. Extraction is therefore a straightforward carve/parse step over the decrypted bytes: locate candidate JSON starts ({ or [), bracket/quote-balance to a candidate end, then validate by parsing as JSON before emitting the object (with optional dedupe of identical objects/blocks when redundancy is present).

With that knowledge this tkinter/Python program was then developed with (a lot) of help from an LLM:

This uses the above mechanism to decrypt vault-style KV on dumps that are structured this way. I've added options to dedupe/collapse duplicate decoded objects (the vaults appear to contain duplicates / redundancy), export decoded JSON, export decrypted blobs (“swap” relates to a secondary region present in LN8825B dumps).

In summary, it turns out this method can successfully decrypt the KV on Tuya W800, TR6260, BK7252U, LN8825B and RTL8720CM. However, the key vaults don't appear to contain the same pin assignment information seen in successful extractions from BK7231N etc dumps.

Of all the dumps in Flashdumps, these can be decoded with this method:

Code: Text
Log in, to see the code

example JSON from a BK7252U:
Code: JSON
Log in, to see the code

This method may only apply to a minority of (mostly older) platforms, and the decoded JSON doesn’t appear to include pin assignments, so the immediate practical value is limited. That said, I still think it’s been a worthwhile adventure. Next step: should this be integrated into Easy Flasher?

Attachments:

TY_KV_Decrypt.zip Download (9.7 KB)

Cool? Ranking DIY
From Display to Complete System: How the Solution Team Creates Value at Unisystem [ad]
About Author
divadiow divadiow

Level 38
Offline

Joined: 20 Nov 2023

Posts: 4570

Help: 400

Posts rating: 810

Points: 22798
divadiow wrote 4570 posts with rating 810, helped 400 times. Live in city Bristol. Been with us since 2023 year.
ADVERTISEMENT
#2 21808335 14 Jan 2026 09:57

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #2
21808335 14 Jan 2026 09:57

Very interesting finding, how did you find that out? I think it's worth to add this to the flasher.

However... that missing key issue we was searching for in Ghidra is still not yet solved?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#3 21808412 14 Jan 2026 20:38

divadiow divadiow

Level 38
Topic author Helpful post? (0)

Post #3
21808412 14 Jan 2026 20:38

p.kaczmarek2 wrote:
Very interesting finding, how did you find that out?

basically hours of trying stuff with LLM. So many angles explored, but ultimately feeding it the Tuya LN882X SDKs from the Lightning Semi FTP seemed to contain the answer. Expert handling of the LLM also played a huge part of course

p.kaczmarek2 wrote:
However... that missing key issue we was searching for in Ghidra is still not yet solved?

I do recall, I think you're referring to the ECR6600 investigations in this thread: https://www.elektroda.com/rtvforum/topic4111822.html

I would like to focus on ECR6600 next, it is still unknown.

Added after 8 [minutes]:

oh yeh. there was even some T-Head/CSKY debug server stuff with the W800 at one point to see if there was any sign of some ephemeral key in RAM at the app's boot/decryption stage. The STM32 CK-Link Lite without NRST limited my options/success somewhat.

Added after 9 [hours] 14 [minutes]:

that didn't take long

deduped json from Tuya_EU_Plug_keyge8wsy99n5pr7_ECR6600_0.1.0.bin

Code: JSON
Log in, to see the code

still no pins though

ECR6600 uses the same two-layer scheme as those mentioned in the first post.

ECR6600 differences for the DeviceKey + BaseKey Tuya vault method

BaseKey used on ECR6600
ECR6600 uses the Tuya default BaseKey that is applied when the DB layer is initialised with a null key.
Default BaseKey hex, 16 bytes
Code: Text
Log in, to see the code

Derived vault key formula is unchanged
The per-device vault key is still derived by bytewise addition modulo 256.
DeviceKey is the 16-byte value stored in the key-record sector.

Wrapper layer is unchanged
The key-record sector remains AES-128 ECB wrapped with the fixed ASCII key.
Wrapper key ASCII, 16 bytes
Code: Text
Log in, to see the code

Key-record magic
Code: Text
Log in, to see the code

Vault page header magic differs on ECR6600 and TuyaOS3 style dumps
Tools already available to us already check for the common vault page magic.
Common vault page magic
Code: Text
Log in, to see the code

On ECR6600 style dumps the decrypted vault pages start with a different magic.
ECR6600 and TuyaOS3 vault page magic
Code: Text
Log in, to see the code

Same value as decimal
Code: Text
Log in, to see the code

There is an explicit comment in TuyaConfig.cs noting the alternate TuyaOS3 magic value 324478635, which equals 0x135726AB in hex.
https://github.com/openshwprojects/BK7231GUIF...19f940/BK7231Flasher/Utils/TuyaConfig.cs#L284

Attachments:

TY_KV_Decrypt_ecr6600.zip Download (9.8 KB)

Helpful post

#4 21808986 14 Jan 2026 20:53

insmod insmod

Level 31

Helpful post

Post #4

21808986 14 Jan 2026 20:53

While this can't extract pins from a backup, it's good for those with TuyaMCU devices.
From https://www.elektroda.com/rtvforum/topic4097544.html

{
    "tokenResponse": {
        "expire_time": 300,
        "region": "EU",
        "secret": "4Flr",
        "token": "cL7GO4Qn"
    },
    "deviceApi": "http://a.tuyaeu.com/d.json",
    "activeRequest": {
        "token": "cL7GO4Qn",
        "productKey": "sz9fil14ndvneelz",
        "softVer": "1.0.0",
        "protocolVer": "2.2",
        "baselineVer": "40.00",
        "cadVer": "1.0.3",
        "cdVer": "1.0.0",
        "options": "{\"isFK\":false}",
        "t": 1768419946
    },
    "activeResponse": {
        "capability": 1025,
        "devId": "bfc2f77834489ef844c6bj",
        "dstIntervals": [
            [
                1774746000,
                1792890000
            ],
            [
                1806195600,
                1824944400
            ],
            [
                1837645200,
                1856394000
            ],
            [
                1869094800,
                1887843600
            ],
            [
                1901149200,
                1919293200
            ]
        ],
        "localKey": "a}V@oAD(~?arXI9b",
        "resetFactory": false,
        "schema": [
            {
                "mode": "rw",
                "property": {
                    "type": "bool"
                },
                "id": 1,
                "type": "obj"
            },
            {
                "mode": "rw",
                "property": {
                    "min": 10,
                    "max": 1000,
                    "scale": 0,
                    "step": 1,
                    "type": "value"
                },
                "id": 2,
                "type": "obj"
            },
            {
                "mode": "rw",
                "property": {
                    "min": 10,
                    "max": 1000,
                    "scale": 0,
                    "step": 1,
                    "type": "value"
                },
                "id": 3,
                "type": "obj"
            },
            {
                "mode": "rw",
                "property": {
                    "min": 0,
                    "max": 86400,
                    "scale": 0,
                    "step": 1,
                    "type": "value"
                },
                "id": 6,
                "type": "obj"
            }
        ],
        "schemaId": "ecx4sg",
        "secKey": "RNtps4{zF6M@y{xm",
        "stdTimeZone": "+00:00",
        "timeZone": "UTC"
    },
    "checkResponse": {
        "error_devices": [],
        "success_devices": [
            {
                "id": "bfc2f77834489ef844c6bj",
                "ip": "2a06:98c0:3600::103",
                "lat": "",
                "lon": "",
                "name": "Wall Dimmer",
                "online": false,
                "product_id": "sz9fil14ndvneelz",
                "uuid": "1155ee8bc34b55a0"
            }
        ]
    },
    "modelResponse": {
        "model": {
            "modelId": "ecx4sg",
            "services": [
                {
                    "actions": [],
                    "code": "",
                    "description": "",
                    "events": [],
                    "name": "\u9ed8\u8ba4\u670d\u52a1",
                    "properties": [
                        {
                            "abilityId": 1,
                            "accessMode": "rw",
                            "code": "switch_led_1",
                            "description": "",
                            "extensions": {
                                "attribute": "515"
                            },
                            "name": "\u5f00\u51731",
                            "typeSpec": {
                                "type": "bool"
                            }
                        },
                        {
                            "abilityId": 2,
                            "accessMode": "rw",
                            "code": "bright_value_1",
                            "description": "",
                            "extensions": {
                                "iconName": "icon-dp_half",
                                "attribute": "1154"
                            },
                            "name": "\u4eae\u5ea6\u503c1",
                            "typeSpec": {
                                "type": "value",
                                "max": 1000,
                                "min": 10,
                                "scale": 0,
                                "step": 1
                            }
                        },
                        {
                            "abilityId": 3,
                            "accessMode": "rw",
                            "code": "brightness_min_1",
                            "description": "",
                            "extensions": {
                                "iconName": "icon-liangdu1",
                                "attribute": "1152"
                            },
                            "name": "\u6700\u5c0f\u4eae\u5ea61",
                            "typeSpec": {
                                "type": "value",
                                "max": 1000,
                                "min": 10,
                                "scale": 0,
                                "step": 1
                            }
                        },
                        {
                            "abilityId": 6,
                            "accessMode": "rw",
                            "code": "countdown_1",
                            "description": "",
                            "extensions": {
                                "iconName": "icon-dp_time2",
                                "attribute": "1155"
                            },
                            "name": "\u5f00\u51731\u5012\u8ba1\u65f6",
                            "typeSpec": {
                                "type": "value",
                                "max": 86400,
                                "min": 0,
                                "scale": 0,
                                "step": 1,
                                "unit": "s"
                            }
                        }
                    ]
                }
            ]
        }
    },
    "errors": [],
    "detailsResponse": {
        "active_time": 1768419946,
        "asset_id": "269111819",
        "category": "tgkg",
        "category_name": "Dimmer Switch",
        "gateway_id": "",
        "icon": "smart/icon/ay1541056239985fDGjj/6fe41f0dda204d30fb997c336b8b2bd5.png",
        "id": "bfc2f77834489ef844c6bj",
        "ip": "2a06:98c0:3600::103",
        "lat": "",
        "local_key": "a}V@oAD(~?arXI9b",
        "lon": "",
        "model": "5226000300",
        "name": "Wall Dimmer",
        "online": false,
        "product_id": "sz9fil14ndvneelz",
        "product_name": "Wall Dimmer",
        "sub": false,
        "time_zone": "UTC",
        "uuid": "1155ee8bc34b55a0"
    },
    "updateResponse": [
        {
            "channel": 0,
            "control_type": 0,
            "current_version": "1.0.0",
            "dev_type": 0,
            "last_upgrade_time": 0,
            "timeout": 0,
            "type": 0,
            "type_desc": "Main Module",
            "upgrade_status": 0
        }
    ],
    "deleteResponse": true,
    "cachedAt": 1768419950802,
    "cacheKey": "sz9fil14ndvneelz"
}

ADVERTISEMENT
#5 21809017 14 Jan 2026 21:19

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #5
21809017 14 Jan 2026 21:19

insmod wrote:
While this can't extract pins from a backup, it's good for those with TuyaMCU devices.

true. I quite like seeing all the decoded json has to offer because it at the very least helps to label each dump file.

ultimately, it'd be nice to see Easy Flasher support all methods and output full pretty json to window pane/offer export option, even if no pins are matched. We've already seen users getting no extraction because EF doesn't show/match enough.
#6 21809045 14 Jan 2026 21:44

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #6
21809045 14 Jan 2026 21:44

That's because there is some kind of secondary data structure, each fragment of ASCII text is prefixed with some kind of block header, and we don't parse it, we just naively skip non-printable characters.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#7 21810323 16 Jan 2026 09:48

divadiow divadiow

Level 38
Topic author Helpful post? (+1)

Post #7
21810323 16 Jan 2026 09:48

Good news. The pin data *is* present in at least ECR6600 KV, it's just the extractor was looking for real JSON. The extra info is stored as a brace-delimited key:value block with unquoted keys (not valid JSON).

Here's a rough, mostly untested one-shot LLM rejig of the Py prog that should accept all the platform dumps that is seen in this thread, but now includes a 'loose KV' extraction too.

eg
Tuya_EU_Plug_keyge8wsy99n5pr7_ECR6600_0.1.0.bin

Code: JSON
Log in, to see the code

there's also the baud+more now in the LSC TuyaMCU ECR6600
Code: JSON
Log in, to see the code

maybe LN is the same, but back to the other extraction method with the KEY_PART1.

note that the json output includes PY-added description bits for the blocks in this version

Attachments:

TY_KV_Decrypt_Universal.zip Download (12.67 KB)
#8 21810334 16 Jan 2026 10:01

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #8
21810334 16 Jan 2026 10:01

RTL8720CM\Tuya_Master_Recessed_Downlight_(schemaID-000003wp7g)_key73ve9nrcgkhck_fy9psuhjzjga4tyg_CR3L_1.2.17.bin

Code: JSON
Log in, to see the code
#9 21810339 16 Jan 2026 10:07

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #9
21810339 16 Jan 2026 10:07

Great finding, but I think that numerical values don't have to have quotes in JSON. Quotes are only required for keys (key names) and strings.

I guess we need it in EasyFlasher

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#10 21810343 16 Jan 2026 12:26

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #10
21810343 16 Jan 2026 12:26

ah OK.

yes, a couple of new decoding and extraction methods now required in EF. + nice complete JSON output options

Added after 2 [hours] 16 [minutes]:

LN plain text
Helpful post

#11 21811115 17 Jan 2026 05:29

insmod insmod

Level 31

Helpful post? (+1)

Helpful post
Post #11
21811115 17 Jan 2026 05:29

https://github.com/openshwprojects/BK7231GUIFlashTool/pull/100
Based on TY_KV_Decrypt_Universal.py
#12 21811124 17 Jan 2026 06:49

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #12
21811124 17 Jan 2026 06:49

awesome! thank you

ECR6600 Tuya_MCL-Y10-L-03W_keysceeymg7xqvk7_AXYU_1.0.15.bin

Added after 2 [minutes]:

RTL8720CM Tuya_Master_Recessed_Downlight_(schemaID-000003wp7g)_key73ve9nrcgkhck_fy9psuhjzjga4tyg_CR3L_1.2.17.bin
#13 21811308 17 Jan 2026 11:54

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #13
21811308 17 Jan 2026 11:54

Great! Ready to merge?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#14 21811352 17 Jan 2026 12:56

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #14
21811352 17 Jan 2026 12:56

p.kaczmarek2 wrote:
Great! Ready to merge?

so far so good for me in use and testing, but I've not been surgical re all changes in PR.
Helpful post

#15 21812029 18 Jan 2026 06:43

insmod insmod

Level 31

Helpful post? (+2)

Helpful post
Post #15
21812029 18 Jan 2026 06:43

>>21811308
Debugging features in myDecrypt are gone (as is the function itself), because they're too slow.
New algo scans everything in the dump, versus just after magic found.
This solves the issue when MAGIC_FIRST_BLOCK is after the data.

I merged both algorithms together, thus making it possible to decrypt RTLA, RTLD, BK7252 and T5 without extra steps.

Also added passing LED_Map and currents or pwm frequency to startup command (with careful value handling, see led remap in https://www.elektroda.com/rtvforum/topic4103341.html#21419280)
#16 21812367 18 Jan 2026 15:08

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #16
21812367 18 Jan 2026 15:08

p.kaczmarek2 wrote:
Great! Ready to merge?

all good still?
#17 21812884 18 Jan 2026 23:25

insmod insmod

Level 31

Helpful post? (0)

Post #17
21812884 18 Jan 2026 23:25

It is, i've yet to encounter any error.
It even successfully decrypts duplicate tuya configs in ~1gb file in about 15 seconds.

I removed ILRepack from workflow, because antiviruses started going wild again. And different detection in each build.
That means there would be 10 dlls included in an archive.
#18 21812893 18 Jan 2026 23:48

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #18
21812893 18 Jan 2026 23:48

insmod wrote:
It even successfully decrypts duplicate tuya configs in ~1gb file in about 15 seconds.

excellent work
Helpful post

#19 21813082 19 Jan 2026 10:26

insmod insmod

Level 31

Helpful post? (+1)

Helpful post
Post #19
21813082 19 Jan 2026 10:26

Added minimal KV parsing. (I don't know enough about the structure, but it often works. Is source available?)
If user_param_key/baud_cfg checksum passes, then only that data is used. Otherwise it's using old method.
Plus added support for parsing platform name, if it's stored in kv (em_sys_env).
#20 21813129 19 Jan 2026 11:17

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #20
21813129 19 Jan 2026 11:17

insmod wrote:
Plus added support for parsing platform name, if it's stored in kv (em_sys_env).

nice

Added after 5 [minutes]:

with the XR806 offset info, shoud it read "And the Tuya section starts at 2052096 (0x1F5000), which is a default T1/BK7238, XR806 and some T34 offset."

instead of:

(XR806 dump)

to match this on T3:
"And the Tuya section starts at 3997696 (0x3D0000), which is a default T3/BK7236 offset."

and this on T5:
"And the Tuya section starts at 8245248 (0x7DD000), which is a default T5/BK7258 offset."

BK7238 dump:
#21 21813141 19 Jan 2026 11:31

insmod insmod

Level 31

Helpful post? (0)

Post #21
21813141 19 Jan 2026 11:31

Don't think it's necessary here
#22 21813484 19 Jan 2026 17:47

divadiow divadiow

Level 38
Topic author Helpful post? (0)

Post #22
21813484 19 Jan 2026 17:47

insmod wrote:
Is source available

not finding simple*.c but there are some kv header files in the things im searching.

these attached zips seem to be the most interesting I think

one of the folders in one:

for those that don't use kvs for pin info?

$Search results for hw_table.* files in folder G:\tuyadownloadsgite\$

Attachments:

super_knob_tuya_esp8266-master.zip Download (63.35 MB)

fr-pkgs-tuya-master.zip Download (14.34 MB)

bl602_tuya-master.zip Download (164.38 MB)
Helpful post

#23 21813500 19 Jan 2026 18:17

divadiow divadiow

Level 38

Topic author Helpful post? (+1)

Helpful post
Post #23
21813500 19 Jan 2026 18:17

lots of unstripped libs

Added after 11 [minutes]:

BL602 built files

QIO
Code: Text
Log in, to see the code

Added after 2 [minutes]:

Code: Text
Log in, to see the code

first BL602 Tuya fw I think I've ever seen
ADVERTISEMENT
#24 21813781 19 Jan 2026 23:16

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #24
21813781 19 Jan 2026 23:16

So there is Tuya for BL602? I was not aware about that. Have we ever seen any BL602 Tuya device?

By the way, i think there are compiled files (but with debug symbols) for KV.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#25 21813788 19 Jan 2026 23:34

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #25
21813788 19 Jan 2026 23:34

p.kaczmarek2 wrote:
So there is Tuya for BL602?

yes. https://github.com/divadiow/Misc/blob/main/Tuya/bl602.txt

Added after 1 [minutes]:

p.kaczmarek2 wrote:
Have we ever seen any BL602 Tuya device?

I've never spotted any
#26 21824985 31 Jan 2026 11:08

divadiow divadiow

Level 38
Topic author Helpful post? (0)

Post #26
21824985 31 Jan 2026 11:08

hey here's something else but for Tuya ESP8266

The AES key is derived as a fixed 16-byte AES-128 key, built from mostly constant ASCII plus one byte taken from the device’s Wi-Fi MAC.

The key derivation is:
-Take the 6-byte MAC address as raw bytes (e.g. e0:98:06:e1:28:cf)
-Grab the 5th byte (0-based index mac[4] - in the example above that’s 0x28)
-Build the 16-byte key as: key = b"Qby6" + bytes([mac[4]]) + b"TH9bj8GiexU"

So it’s:
4 bytes: "Qby6" and:
1 byte: mac[4] and:
11 bytes: "TH9bj8GiexU"

If it can’t obtain a full MAC (or a direct key), the script will brute-force the single unknown byte mac[4] (0x00..0xFF). For each candidate value it derives the AES key and scans the dump for a PSM page where the first 16 decrypted bytes start with PSM1 or PSM2, and the nearby decrypted payload contains common Tuya/PSM strings (e.g. ty_ws_, ssid, passwd, local_key).

So when run against an ESP8266 dump in FlashDumps, like ESP8285_TDQ-101-U1-V1.7-20251216.bin we get:
Code: Text
Log in, to see the code

BW-SHP8.bin
Code: Text
Log in, to see the code

good for confirming keys, schemas, firmware versions, if not for pin extraction.

Longer/better script description in the header of the py alongside argument use and examples

Attachments:

TY_ESP8266_PSM_Decode_AutoPSMSize.zip Download (6.92 KB)
#27 21825343 31 Jan 2026 17:52

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #27
21825343 31 Jan 2026 17:52

Hey, I remember that BW-SHP8 dump! That's one of my first IoT devices!
https://www.elektroda.com/rtvforum/topic3687040.html
Can you add it to Easy Flasher?

Added after 28 [seconds]:

How did you figure out the key derivation?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#28 21825392 31 Jan 2026 19:00

insmod insmod

Level 31

Helpful post? (0)

Post #28
21825392 31 Jan 2026 19:00

https://github.com/openshwprojects/BK7231GUIFlashTool/pull/103 (minimal ai made)
But i'm against it, since there are no pins.
#29 21825393 31 Jan 2026 19:13

divadiow divadiow

Level 38
Topic author Helpful post? (0)

Post #29
21825393 31 Jan 2026 19:13

p.kaczmarek2 wrote:
Hey, I remember that BW-SHP8 dump! That's one of my first IoT devices!

indeed. I saw your post and assumed it was the very same one. I then used your Tasmota screenshots to validate another script that seems to be OKish at extracting the GPIO from the hardcoded assignments. Not sure how good/flexible what I have is though.

p.kaczmarek2 wrote:
How did you figure out the key derivation?

as before, scouring for suitable SDKs that contain enough info in for LLM to work it out. libs with enough still in them. Jumped through quite a few hoops to make sure we were confident with the mac[4] line of thinking. Checked reasoning with 10+ dumps.

Added after 1 [minutes]:

insmod wrote:
But i'm against it, since there are no pins.

ah hello.

yeh, I know what you mean. Personally I'd want full complete plain-text/json for it to be of real value

Added after 10 [minutes]:

divadiow wrote:
another script

Code: Text
Log in, to see the code

https://templates.blakadder.com/blitzwolf_SHP8.html

could be a junk method, dead-end, dunno. the heuristic sweep anyway

Code: Text
Log in, to see the code

Attachments:

tuya_esp8266_gpio_extract.zip Download (7.61 KB)
#30 21825407 31 Jan 2026 19:18

divadiow divadiow

Level 38

Topic author Helpful post? (0)

Post #30
21825407 31 Jan 2026 19:18

divadiow wrote:
yeh, I know what you mean. Personally I'd want full complete plain-text/json for it to be of real value

still, thank you!! I do appreciate even what is shown
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion addresses the challenge of decrypting the key vault (KV) in Tuya flash backups for certain older platforms such as BK7252U, TR6260, and W800. Unlike the known decryption method for BK7231N/T and some RTL chipsets, which relies on a platform-specific seed key (KEY_PART_1), these older platforms do not use the same seed-driven approach for vault KV decryption. Extensive analysis involving SDK examination, brute-force attempts with millions of key combinations, and reverse engineering of libraries using csky tools revealed that the vault KV path on these devices is independent of the BK7231N/T-style seed key. This indicates a fundamentally different encryption scheme for these platforms, necessitating alternative decryption strategies beyond the known BK7231N/T and RTL8720CM methods.
Summary generated by the language model.

FAQ

TL;DR: New method decrypts Tuya vault KV across 5 chip families and 11 sample dumps; "device-key centred and two-stage." [Elektroda, divadiow, post #21808089]

Why it matters: It finally explains why older Tuya platforms wouldn’t decrypt and gives a reproducible path to recover JSON from encrypted KV.

Who this is for: firmware hackers, repairers, and tool authors wondering how to decrypt Tuya KV on BK7252U/TR6260/W800/LN8825B/RTL8720CM without the old seed trick.

Quick facts:

Works on BK7252U, TR6260, W800, LN8825B, RTL8720CM; 11 example dumps decoded. [Elektroda, divadiow, post #21808089]
Two-stage design: decrypt key-record page, then decrypt 4KB vault pages with a derived key. [Elektroda, divadiow, post #21808089]
Keys are 16 bytes; DerivedKey uses bytewise addition mod 256. [Elektroda, divadiow, post #21808089]
Default BaseKey (NULL p_key) doubles bytes of "HHRRQbyemofrtytf" → 0x9090…e8cc. [Elektroda, divadiow, post #21808089]
Decrypted JSON includes UUID, auth_key, Wi‑Fi config, but not pin maps. [Elektroda, divadiow, post #21808089]

Quick Facts

Works on BK7252U, TR6260, W800, LN8825B, RTL8720CM; 11 example dumps decoded. [Elektroda, divadiow, post #21808089]
Two-stage design: decrypt key-record page, then decrypt 4KB vault pages with a derived key. [Elektroda, divadiow, post #21808089]
Keys are 16 bytes; DerivedKey uses bytewise addition mod 256. [Elektroda, divadiow, post #21808089]
Default BaseKey (NULL p_key) doubles bytes of "HHRRQbyemofrtytf" → 0x9090…e8cc. [Elektroda, divadiow, post #21808089]
Decrypted JSON includes UUID, auth_key, Wi‑Fi config, but not pin maps. [Elektroda, divadiow, post #21808089]

What changed versus the older BK7231N/T seed-based method?

Older BK7231N/T extractions used a platform seed (e.g., 8720) to decrypt specific blobs. The new finding shows some platforms use a device-key-centered, two-stage vault: first decrypt a wrapped key-record page to reveal a 16‑byte DeviceKey, then derive the vault key and decrypt 4KB pages. [Elektroda, divadiow, post #21808089]

Which chips and example dumps are confirmed to decrypt with this method?

Confirmed families include BK7252U, TR6260, W800, LN8825B, and RTL8720CM. The author lists 11 specific FlashDumps paths that successfully decode, covering doorbells, LED controllers, hubs, and downlights. Tooling validated page headers and checksums, yielding plaintext JSON. [Elektroda, divadiow, post #21808089]

How is the DerivedKey computed for vault pages?

Combine a 16‑byte BaseKey with the 16‑byte DeviceKey using bytewise addition modulo 256. In code terms: DerivedKey[i] = (BaseKey[i] + DeviceKey[i]) & 0xFF for i=0..15. This key decrypts fixed-size vault pages. [Elektroda, divadiow, post #21808089]

Where does the default BaseKey come from when p_key is NULL?

Tuya’s DB init logic constructs a 16‑byte BaseKey by adding two embedded 16‑byte constants. Both constants equal the ASCII seed “HHRRQbyemofrtytf,” so the bytes are doubled, yielding hex 9090a4a4…e8cc. “NULL-key branch” lives in libtuya_iot.a. [Elektroda, divadiow, post #21808089]

How do I verify that page decryption worked?

Each decrypted vault page should show a known header magic (example 0x98761234) and pass an integrity check (checksum or CRC). If either fails, your BaseKey/DeviceKey or page boundary is wrong. “Magic + CRC proves correctness.” [Elektroda, divadiow, post #21808089]

What JSON data can I actually recover?

You can carve plaintext JSON after decryption. Examples include uuid, psk_key, auth_key, SmartLife AP SSID, version fields, region, and tokens. The sample BK7252U JSON shows multiple objects and redundant blocks. Dedupe identical objects during export. [Elektroda, divadiow, post #21808089]

Does this method reveal GPIO pin assignments like BK7231N dumps did?

No. The decoded vaults lack the pin assignment info seen on BK7231N extractions. Practical value is JSON recovery, not pin mapping. Plan alternative pin discovery if needed. [Elektroda, divadiow, post #21808089]

How do I use the Python/tkinter tool to decrypt a dump? (3 steps)

Load the flash dump and select the key-record region to unwrap the DeviceKey.
Choose BaseKey (NULL default or custom) and decrypt vault pages.
Export plaintext JSON and optionally dedupe or save decrypted blobs. “Swap” handles a secondary region in LN8825B. [Elektroda, divadiow, post #21808089]

What is the “key record” and how do I decrypt it?

It’s a dedicated flash page (often 4KB) wrapping per-device key material, including the 16‑byte DeviceKey. Decrypt it first using the fixed wrapper mechanism. After unwrapping, read DeviceKey to derive the vault key. [Elektroda, divadiow, post #21808089]

What is Tuya in this FAQ’s context?

Here, “Tuya” refers to the vendor ecosystem whose firmware stores an encrypted key-value vault and initializes DB keys as described. We focus on how its prebuilt library derives and applies BaseKey and DeviceKey during KV decryption. [Elektroda, divadiow, post #21808089]

Should this land in Easy Flasher?

Yes, a maintainer encouraged adding it. One open issue remains: the separate “missing key” puzzle investigated in Ghidra is still unsolved. Integrate the vault workflow, but track that gap. [Elektroda, p.kaczmarek2, post #21808335]

What are common failure modes or edge cases to watch for?

Edge cases include wrong page alignment, incorrect BaseKey in NULL vs caller-supplied paths, and non-matching magic or CRC. Also, expect no GPIO pin maps in recovered JSON. Some platforms outside the listed set may use different layouts. [Elektroda, divadiow, post #21808089]