Unveiling secrets of the ESP32: creating an open-source MAC layer

293 points by redfast00, over 1 year ago

18 comments

finnjohnsen2, over 1 year ago
I wasn't aware of this wifi blob. This feeds a tiny paranoia I have at the back of my head when dealing with esp32/espressif. I have dozens of esp32s around and I love them, but Espressif is 100% Chinese.

I'm uncomfortable with what I read that every company of significant size in China automatically requires CCP party members to be involved in the company at a high level.

So I'm very happy to hear people such as these guys are looking deep at this.

Of course, since Espressif controls the hardware, they can do anything eventually. My itch will always be there and I'm going to switch once I find something made in preferably the EU when I find something comparable to esp32. Maybe Nordic Semiconductors will make some nice RISC-V chips and dev-boards soon.
Max-q, over 1 year ago
The article claims that the ESP32 costs $5. The reality is around half of that for the MCU, and around $3 for pre-certified modules including crystal, PCB antenna or UF-L connector. So it's really affordable.

Espressif has also launched a new ESP32C3 based on RISC-V, with modules priced at around $2.
WatchDog, over 1 year ago
The section on trying to attenuate outside wifi signals interested me.

There is a bunch of hand-wavy information on building faraday cages online, some people suggesting to utilize a microwave oven, since they operate at the same frequency.

There are even wifi faraday cages for sale on Amazon.

However I can't really find much actual benchmark data online about how well these various approaches actually attenuate signals.
raajg, over 1 year ago
For someone inexperienced with ESP32 but wanting to dip your toes, I'd highly recommend M5Stack - https://m5stack.com/ . No affiliation whatsoever, but I started playing with some basic boards last year for the first time and the tiny devices they build have so many different sensors, transmitters, etc. that you can start with a lot of early experiments just using a single device and a USB-C cable.
icpmacdo, over 1 year ago
I can attest to the challenges of the section on Dynamic analysis on real hardware and the struggles of attenuating signal interference on the ESP.

Anyone have a recommendation on conducting fabric for RF isolation as briefly mentioned in the article or resources on the subject of RF isolation/Faraday cages for microcontrollers?
jjtech, over 1 year ago
…I wonder if this could be used to implement AWDL (Apple Wireless Direct Link) for use with AirDrop… if I recall correctly, the blocker on normal WiFi chipsets is being unable to send the ACK frames, which this should enable?
vbezhenar, over 1 year ago
What kind of programmer does one need to work with ESP32? I bought jlink for stm32 thinking that's the ultimate programmer for all my needs, however it does not claim compatibility with esp32.
127361, over 1 year ago
I think Espressif have or at least used to have their own in-house developed MAC and PHY, which is not publicly documented.

For the Bouffalo Lab and Beken WiFi SoCs we already have SVD files[1] for the WiFi MAC (and likely the PHY too). Thus we have nearly complete documentation for all chip registers and their bitfields. Both SoCs are based on CEVA RivieraWaves WiFi IP.

Also you might be able to use it as an SDR for the 2.4GHz band, there appear to be registers to send ADC data to on-chip SRAM. And USB 2.0 High Speed device functionality on some of the Bouffalo chips.

I was thinking of hacking it to use as a cheap uplink to the QO-100 amateur radio satellite, which uplinks in the 2.4GHz band. I think 100mW of power might be just enough for CW or some very narrowband PSK mode.

By the way, on the Bouffalo devices, watch out for the eFuse registers, they're not fully lockable and write protectable, one wrong register write and the *whole chip itself* can be bricked and stuck permanently in secure boot mode. It happened to me, and I'm going to try and work around it by glitching the clock input on boot, just at the right time, to disrupt the eFuse reading, just for the fun of it.

1. https://github.com/bouffalolab/bl_iot_sdk/blob/master/components/platform/soc/bl602/bl602_std/bl602_std/Device/Bouffalo/BL602/Peripherals/soc602_reg.svd
londons_explore, over 1 year ago
> 50000 peripheral memory accesses are needed [to initialize the hardware]

Wow, that's a lot. If OP could upload somewhere the list of accesses together with a stack trace for each, I think we could crowdsource a rewrite of each function - I'd be willing to bet the vast majority of those are repetitive patterns - i.e. 'run this transmission test 1000 times while increasing the power levels each time until the received power = some set value'.
dgreensp, over 1 year ago
Headline should read "MAC" layer like it does in the article, not "Mac" layer. Two very different things :)
droptablemain, over 1 year ago
I picked up an ESP32 devboard recently. I've always been intrigued by embedded but don't have a background in it at all.

I have no idea what my first project should be. Any ideas?
londons_explore, over 1 year ago
> 50000 peripheral memory accesses are needed

Have you tried just replaying those 50,000 accesses and seeing if things work? Obviously some things might not be correctly calibrated, but merely knowing that a simple replay works tells you that there are no complex hardware/software handshakes (i.e. take random token from here and write it to there). It also tells you that the process is probably fairly timing independent.
calamari4065, over 1 year ago
Wouldn't this invalidate the FCC certification on the prebuilt modules? You'd have to get certified with this firmware to ensure you aren't violating transmission power requirements.

Admittedly, this is a non-issue for hobby scale projects, but is potentially a blocker for commercial applications.

I wouldn't say it's necessarily a bad thing, but worth discussion.
rurban, over 1 year ago
He should just go with stm and its open source LwMesh library instead.

But the closed radio parts are indeed horrible. Qualcomm (US Intelligence) and Broadcom (Chinese intelligence) controlling the physical layer underneath is as disturbing as the various Intel, AMD, ARM backdoors in their pre-OS layers.
madushan1000, over 1 year ago
I think bl602 shares the wifi rf/mac layer with esp32. There is a monitor mode implementation here: https://github.com/stschake/bl60x-wifimon/
seba_dos1, over 1 year ago
Just a few months ago I was thinking "surely someone must have tried to RE the ESP32 Wi-Fi stack" and tried to find some research on it, but couldn't find anything. Great work!
no_time, over 1 year ago
The ESP32 also has a mask ROM (which includes BASIC for some weird reason). Hence fully deblobbing it is a hopeless battle.

https://docs.espressif.com/projects/esp-idf/en/v4.3/esp32/api-guides/romconsole.html
rkfjrjrkfnrkd, over 1 year ago
This is very interesting. I'm keen to get involved but, while I'm very experienced with ESP32, I don't have experience with this type of reverse engineering.

How long did it take you to get the environment and tools set up, so you could start digging in?

Is time or money a more valuable investment at this stage? If it's not too forward, how much would be useful to your organisation? (I can email if preferred.)