beep... beep... blink... blink...
 
Convert Tuya Smart Plug for Privacy and Control – Walkthrough

Convert Tuya Smart Plug for Privacy and Control – Walkthrough

In your favorite online Chinese outlet the number of smart home gadgets/appliances seems to be growing on a daily basis. This is fantastic for home automation enthusiasts who want to automate their home or office. It is also beneficial for anyone with a very specific problem to solve. However, virtually 100% of these smart gadgets come with some major flaws, that I have already discussed in the past. Let’s recap:

  1. To control them you need to use proprietary software – to make things worse, you likely need a different app for each such device.
  2. You need to have an always on internet connection to operate them.
  3. You are locked into using the manufacturer’s servers which may or may not be there tomorrow. At this stage, there are several examples of businesses closing for one reason or another. As a result, thousands of customers are left unable to use their smart gadgets.

The solution for the above shortcomings is to use open source firmware in such devices. Of course, each model is different as such a different firmware is needed for each of them. Luckily, however, many smart devices are built around the same few microcontrollers. Over time, a few open source alternatives have emerged. Tasmota is one such firmware for ESPxxxx based devices. I have also created my own firmware for several ESPxxxx based devices, inlcuding my own creations. I have covered them in previous articles. This time I will cover another free and open source firmware called OpenBeken that is compatible with a variety of microcontrollers, such as the BK7231N, which I incidentally found in my latest purchase, a smart power socket:

Below I will show how I converted my smart plug with some basic tools and technique. It is now a privacy-friendly, user-friendly and automation-ready smart gadget.

The logical steps needed for the conversion are the same for each such device. However, all devices are different. Sometimes even when you buy two “identical” products, they turn out to be different on the inside. Thus, the actual steps may slightly be different.

Disassembly and finding the microcontroller

The first step is always to remove the device cover to get to the electronics. Here is a quick video showing how to open this particular socket:

After getting physical access to the electronics, I had to identify some of the components on it. In this case, finding the MCU, the current sensor, the LEDs, the button was very simple. In some models additional disassembly is needed.

Front of main PCB. Items of interest on this side include the MCU (top center), button (left middle), LEDs (above and under the button) and some test points that will come handy later.
On the back of the PCB we can spot the BL0937 current sensing chip. This chip is responsible for measuring power consumption.

To program the MCU with the new firmware I also needed to locate a few traces on the PCB. In the case of the BK7231N, it is only 4 lines: GND, 3.3V, Tx and Rx. GND is the easiest to find: with a continuity meter find the point that is common across most capacitors. It is also, usually, the thickest trace on the PCB.

The rest of the lines I identified based on the datasheet:

From the datasheet I learned that the MCU uses UART1 for programming, that is pins 26 (Rx) and 27 (Tx). The 3.3V power supply was a bit of a question mark for me at first as the chip has several power pins. Luckily, the datasheet clarifies that VBat is the chip’s main power line. I also found that VBat had a test point on the PCB – just like the 3 other lines:

These test points were prime suspects for interfacing the MCU

Once I knew which test points did what, it was just a matter of soldering on some wires to get UART access to the MCU:

The other end of these wires go straight to a USB-UART stick on my computer.

Here is the final layout:

  • Black: GND
  • Red: 3.3V
  • Blue: UART1 – Tx
  • Yellow: UART1 – Rx

A word of caution: the BK7231N has 2 UARTs: UART1 and UART2. In my experience, on some devices UART1 is used for programming the MCU and debugging messages are spat out on UART2, on some, like this one, UART1 is used for both.

Now I was ready to move onto the PC part of the game!

Backing up the original firmware

At this stage it is a good idea to verify that the UART connection between the PC and the MCU is working. For this I used a terminal emulator program – Putty. The communication settings were 115200 baud 8N1 – but this might be different for some other devices. Also, it speeds things up when I use the correct COM port….

Once everything is connected and configured, it was time to power up the device. If, instead of legible text you get random characters, you may need to set a different speed in Putty. If you don’t see anything, you may want to double check the connection and the COM port used.

The recommended tool for tinkering with the BK7231N (and several other similar MCUs) is an open source tool called BK7231 GUI Flash Tool. It has a lot of features of which we only need to use a few for this task.

First, I created a backup of the original firmware. In case something goes wrong, I should be able to go back to the factory firmware and start over.

It is a good idea to extract the settings (i.e. the hardware setup) from the original firmware. We can do this on this page:

Not everything goes smoothly. But I didn’t give it up!

This did not work for me, so I had to figure out the sockets configuration another way. If it works for you, then it’s great! If not, don’t despair, there are other ways to figure it out. More about this later.

Flashing new firmware

In the same tool, first I selected the COM port, the chip type, then downloaded the latest firmware:

It is worth mentioning, at least for people like me, who come from an ESP background, that the BK7231 family of chips don’t use a special pin to put the device in “download” mode. The BK7231 enters “download” mode on every re/start for a few milliseconds, so the flashing works like this: Click the Do firmware write button, then apply power to the MCU. It might take a few tries to get the timing right, but it is nothing to worry about it. Alternatively, you can ground the CEN pin of the MCU for a reset.

The flashing process takes about a minute – do not interrupt it. After a successful flashing, it was time for restarting the device with its fresh firmware.

Note, that this step and the previous one could have been done at the same time, but I like keeping things simple, one thing at a time.

Once the programming was done, I removed the small wires.

The test points are as good as new!

First time configuration

After flashing the new firmware, the device is in default state, and creates an open, unsecure access point with a name like OpenBK7231N_********, where the stars are placeholders for the device’s MAC address. I connected to it using my phone and browsed to the http://192.168.4.1 address where OpenBeken’s configuration page was waiting for me.

If you are used to Tasmota, this screen is very familiar to you. If not, the user interface is very clean and intuitive. The first (and only) thing I did here is to connect to my home’s WiFi network. After reboot, the device connected to my home WiFi network and the rest of the configuration followed.

Next, the firmware needed to be configured to the specific device, a smart plug with power metering. For this I used the built-in web app, which can be launched from device’s home page by clicking Launch Web Application. The GPIO Finder is a great aid in finding out what GPIO does what on the board. It is not suitable for everything, but it at least takes out the guesswork from finding the basic controls, i.e. buttons, LEDs, relays. So finding out the relay and LEDs was relatively easily using this built-in tool, but finding out the current sensor’s interface needed another approach: What I did was I had a closer look at the PCB and traced the 3 signals from the current sensor to the MCU.

According to the datasheet of the BL0937 current sensor, it uses three lines for communicating with the MCU: CF, CF1 and SEL.

BL0937 pinout and block diagram

Using a conductivity meter, I traced all 3 signals back to the MCU, to fill out the missing details in the config page of the WebApp. After saving the settings and restarting the unit, some of the features of the smart plug were working, but not the power metering. After some investigation, I kind of gave it up for the day, and asked for help on the OpenBeken community forum. Within minutes, I got help from someone more experienced with these modules. A big thank you to [diwadiow] for helping me!! I learned, that from the original bootlog (before the conversion) it is possible to figure out what GPIOs are used for what. Of the bootlog example (earlier) this is the relevant part that describes the GPIO configuration:

This results in a configuration like this for my device:

In the pins section, you can see the pin definitions. The command section is a startup command that is run every time the device powers up. In this case, it ensures the power meter and NTP modules start. This allows power metering and proper time keeping.
If you happen to have the same model, you can import these settings in your smart plug and it will work after a reboot.

At this the smart plug is configured correctly for basic operation. If you want to configure further options, like MQTT, Home Assistant integration, you can do that on the main configuration page:

You may ask, how come the configuration was different to what I found by tracing the signals on the PCB. Well, it turns out, that I didn’t identify pin #1 of the MCU correctly, so all my measurements were 8 pins offset… Once I deducted 8 of each value, my results were the same as the configuration [diwadiow] helped me with…

Conclusion

This was my first experience with the BK7231N MCU and also with OpenBeken. I found this conversion easy to make and totally worth it. There are so many cheap smart devices are available on the market, and you can convert most of them like this and make them privacy friendly. So what are you waiting for? Go get one yourself and start experimenting – I’ll be here if you need any help along the way!

One comment

  1. Pingback: Tuya WiFi-IR Remote Conversion to Open Source – Walkthrough – Viktor’s DIY Blog

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.