Jasper Devreker, a member of Ghent College’s scholar affiliation for laptop science, is aiming to make Espressif’s common ESP32 platform slightly extra open — with the event of an open supply Medium Entry Management (MAC) layer.

“The ESP32 is a well-liked microcontroller identified within the maker group for its low worth (~ €5) and helpful options,” Devreker explains. “It has a dual-core CPU, built-in Wi-Fi and Bluetooth connectivity and 520kB of RAM. A lot of the software program improvement package that’s used to program for the ESP32 is open supply, besides notably the wi-fi bits (Wi-Fi, Bluetooth, low-level RF capabilities): that performance is distributed as pre-compiled libraries, which can be then compiled into the firmware the developer writes.”

Sad with this state of affairs, Devreker has arrange a mission to develop a “minimal alternative” for the binary blobs driving Espressif’s ESP32 Wi-Fi radio. “We don’t intend to be API-compatible with present code that makes use of the Espressif ESP-IDF API,” Devreker notes, “moderately, we would prefer to have a completely working, open supply networking stack.”

It is a difficult prospect: Espressif’s personal code is proprietary and solely offered as opaque binary blobs, and since the corporate does not anticipate builders to be utilizing anything the underlying {hardware} is just not publicly documented. The answer: reverse engineering the {hardware}, constructing on work achieved by Uri Shaked again in 2021 and Martin Johnson in 2022.

Taking Espressif’s fork of the QEMU emulator as a place to begin, and utilizing the open supply Ghidra reverse engineering device with a plugin for Tensilica Xtensa assist, Devreker and colleagues started their work — together with analyzing the firmware operating on a real ESP32 board below the staff’s management. “Along with the JTAG debugger, we additionally linked a USB Wi-Fi dongle on to the ESP32,” Devreker explains.

“We join [the] antenna connector to a 60dB attenuator (this weakens the sign by 60dB),” Devreker continues, “then join that to the antenna connector of the wi-fi dongle. That method we’ll have the ability to solely obtain the packets coming from the ESP32, and the ESP32 will solely obtain packets despatched by the wi-fi dongle.”

Putting the ensuing mixture in a Faraday cage made out of an empty tin can, the staff was in a position to write a minimal firmware and uncover a high-level overview of the “{hardware} lifecycle” whereas sending a packet. With that in hand, they created a proof-of-concept firmware for transmitting and receiving arbitrary packets with out utilizing any of Espressif’s software program improvement package performance — aside from the proprietary capabilities required to initialize the radio and disable energy saving.

That is a formidable begin, however the mission nonetheless has a methods to go: Devreker’s roadmap contains controlling the radio’s tuner and energy settings, changing the proprietary radio initialization step, and including code from an present 802.11 MAC inventory to permit the machine to affiliate with Wi-fi Entry Level (WAP) gadgets.

“This can be a sizeable mission that might undoubtedly use a number of contributors; I’d actually prefer to collaborate with different individuals to create a completely practical, open supply Wi-Fi stack for the ESP32,” Devreker provides. “If this appears like one thing you’d prefer to work on, contact me through [email protected], perhaps we are able to have a weekly hacking session?”

The complete mission write-up is out there on the Ghent College Zeus WPI web site — with the packet-reception breakthrough in a second put up. the supply code up to now is up on GitHub below the permissive MIT license with Espressif’s blobs licensed below Apache 2.0.