Reverse engineering ESP32 Wi-Fi driver: the road ahead (opens in new tab)

(esp32-open-mac.be)

192 pointsredfast001y ago63 comments

63 comments

Very cool project. I think efforts like these are among the most promising to get a FOSS WiFi cards. Because these WiFi-capable MCUs are: designed to be generally programmable, have quite a lot of open documentation, are available for purchase in both small and large quantities, have s availability over long time-frames (10 years), can tap into the larger community knowledge-base. This is in contrast to the more specialized chips that dedicated WiFi cards use.

robert_foss1y ago

The ESP32 is 802.11n over 2.4ghz with no MIMO, so the bandwidth will always be bad.

janice19991y ago

They're popular in battery powered IOT type devices where BW is not a huge concern.

anakaine1y ago

If you want bandwidth on an ESP32z you've chosen the wrong hardware in all senses.

If you were referring to the intricacies of the driver and how it might apply elsewhere, that's fair.

echoangle1y ago

What would the performance be like though? Would you want to use a ESP32 for watching Videos? Would that be doable?

jononor1y ago

Not great by modern standards... The standard ESP32 supports 802.11n, but only 2.4 GHz (not 5). So theoretical rates maybe up to 40-50 Mbps. In tests that I have seen people do on ESP32 they have reported practical speeds of 5-10 Mbps. Which is basically just in the typical range for Full HD video.

The ESP32-C6 has WiFi 6 support and 5 GHz, so theoretically that can be order of magnitude faster. But it might have completely different hardware and require separate reverse engineering. And practical speeds will still be limited compared to dedicated WiFi hardware.

3 more replies

makapuf1y ago

I know its not exactly what you mean but here is video download, decoding, and video signal generation on a bare esp32 (no Graphical chip) : https://github.com/rossumur/espflix

perbu1y ago

You can do that today with the closed source wifi driver. This is not something limited by the wifi performance.

Note that neither the framerate not resolution would be something to write home about. We're talking abot an aging MCU here.

1 more reply

DeathArrow1y ago

What do you mean by FOSS Wi-Fi cards? Aren't there lots of open source drivers for Wi-Fi cards?

MadnessASAP1y ago

While many wifi cards have open driver interfaces they still have closed basebands (the software that actually drives the RF hardware) this is usually done for a combination of intellectual property and regulatory reasons. That is, they get to keep their secrets and the user can't make the radio do something it's not licensed to do.

These devs are aiming to open up the baseband of the ESP32 which allow for all kinds of interesting hacks, and probably all kinds of opportunities to run afoul of your countries laws regard spectrum use.

I do foresee some cases not entirely unlike the Flipper Zero arising from this but still wholeheartedly support it.

1 more reply

pantalaimon1y ago

This is about ESP32, it does not run Linux. And doesn’t have a WiFi card, the WiFi hardware is part of the MCU. It’s single processor is tasked with running both the user application as well as the 'baseband' or MAC layer

1 more reply

MaximilianEmel1y ago

They're talking about open-source firmware, I would guess.

1 more reply

LukeShu1y ago

There are no newer-than-803.11n cards that are usable with a Linux-libre kernel (which doesn't load binary blobs).

1 more reply

fjfaase1y ago

I wonder if they use any of the decompiler tools that are available. There is decompiler support for the Xtensa esp32 instruction in ghidra version 11.0. I also guess that rev.ng, which uses QEMU as its disassembler, could be used for decompiling as QEMU has support for the Xtensa esp32 instructions as well.

My experience with decompilers is that are not 100% perfect and that the output often still needs a lot of clean-up. I tried rev.ng on a binary written in assembler that used a register based calling convention (not stack based) and rev.ng produced a huge file many times the size you would expect from the assembler input. It seems that decompiler can only do the most trivial step of the reverse engineering process.

linuxlizard1y ago

Decompiling the microcode blob might run afoul of intellectual property laws. A clean room implementation needs to be done without reading any of the product's actual code.

fjfaase1y ago

Clean room design [1] comes down to one team reverse engineering the code and translate that to some high-level specification and let another team write the code based on that high-level specification. This still allows the use of a decompiler by the first team.

[1] https://en.wikipedia.org/wiki/Clean_room_design

AshamedCaptain1y ago

Even printing the call stack as they are doing is already very risky; some judges may argue that this is not strictly necessary.

pabs31y ago

One of the posts mentioned they use Ghidra and Qemu forks for their work.

pantalaimon1y ago

All the newer ESP32 MCUs are RISC-V based if that may help

ajb1y ago

Interesting. 53286 accesses is a lot, I wonder if some of this is writing firmware to another processor, or writing a table. Some may also be busy waiting on status bits.

It would be interesting to see what the minimal subset of the 53286 is, which can be automated using the Delta Debugging algorithm, but it would first be necessary to figure out if there were any necessary waits during the writing process. Also blindly deleting stuff may produce a system that, even if it works, isn't a good citizen of the RF spectrum.

K0balt1y ago

It baffles me that a company like espressif wouldn’t publish complete API specs of their radio hardware . I could see why they may not want their proprietary source out there, as it might make it easier for competitors to make similar chips, but what is the downside to enabling someone to write software particular to your hardware?

It seems like they would have everything to gain and nothing to lose from this?

Anyone shed any light on the motivations here?

ta9881y ago

Really often that's because they license it from a third party and they are not allowed to.

lostemptations51y ago

Bingo :)

jesprenj1y ago

Does a FOSS wifi driver for esp8266 already exist or is it in the making?

pabs31y ago

They are working on it, the post is about what they still have to do.

jesprenj1y ago

The post is about esp32.

SillyUsername1y ago

I need _Bluetooth_ OBEX support on ESP32 and Espressif's standard lib doesn't provide it. Is this project going to look at issues like these too?

051y ago

The BT stack is based on Bluedroid, so that’s open source (up to the driver I’d guess); see here https://github.com/espressif/esp-idf/tree/master/components/...

pabs31y ago

Some other examples of open WiFi firmware here:

https://wiki.debian.org/Firmware/Open

opengears1y ago

Does this mean we could get open source (hardware) WiFi cards for our Linux Notebooks based on ESP32 in the future?

utensil47781y ago

No, and you don't want that in the first place. With an ESP32 you'd be pretty lucky to get more than 10 or 20mbps in ideal conditions. It's also 2.4GHz only.

yjftsjthsd-h1y ago

Depends on what you mean? The ESP32 isn't open hardware, so on that front, no. But could this potentially let you make an open source card that used the ESP32, absolutely. In fact, you can do that already, it'll just be using some closed source firmware. And replacing that firmware with FOSS is what this is about.

pelorat1y ago

So this appears to be a clean reversing effort, for what - legal reasons?

Espressif Systems is a Chinese company and probably stole half the code in the firmware anyways. No one will blame you if you stick the stick the firmware in Ghidra.

tecleandor1y ago

First paragraph:

"This will enable features that the current, closed source ESP32 Wi-Fi implementation does not have, for example 802.11s mesh networking. It will also improve the auditability of the code."

3abiton1y ago

Mesh is such a cool technology that seems to be reserved to high end HW, and bringing it to ESP32 would be amazing!

DeathArrow1y ago

>Espressif Systems is a Chinese company and probably stole half the code in the firmware anyways.

So if an entity is Chinese we are sure they are thiefs.

mschuster911y ago

The thing is, China as a culture does have a completely different attitude towards intellectual property. For them, copying is not theft, it's acknowledge of something's quality. Andrew "bunnie" Huang has written (at least) two articles with more details [1][2].

[1] https://www.bunniestudios.com/blog/2014/from-gongkai-to-open...

[2] https://www.bunniestudios.com/blog/2013/the-12-gongkai-phone...

2 more replies

ZiiS1y ago

The people they copied it from would.

mschuster911y ago

If you got enough (wo)manpower you can also do a cleanroom RE using a decompiler - one team decompiles and writes documentation about how the chip works, the second team writes a driver based on that doc.

hildenae1y ago

Does this way to write an implementation have a name?

1 more reply

margorczynski1y ago

Have you tried utilizing a strong LLM like ChatGPT or Claude to help you out? I've seen some really interesting examples of using it to decompile code to a very readable format.

hildenae1y ago

As other comments have mentioned - they do not want to decompile the source, they want a clean-room-implementation.

j / k navigate · click thread line to collapse

63 comments

jononor1y ago

robert_foss1y ago

The ESP32 is 802.11n over 2.4ghz with no MIMO, so the bandwidth will always be bad.

janice19991y ago

They're popular in battery powered IOT type devices where BW is not a huge concern.

anakaine1y ago

If you want bandwidth on an ESP32z you've chosen the wrong hardware in all senses.

If you were referring to the intricacies of the driver and how it might apply elsewhere, that's fair.

echoangle1y ago

What would the performance be like though? Would you want to use a ESP32 for watching Videos? Would that be doable?

jononor1y ago

3 more replies

makapuf1y ago

I know its not exactly what you mean but here is video download, decoding, and video signal generation on a bare esp32 (no Graphical chip) : https://github.com/rossumur/espflix

perbu1y ago

You can do that today with the closed source wifi driver. This is not something limited by the wifi performance.

Note that neither the framerate not resolution would be something to write home about. We're talking abot an aging MCU here.

1 more reply

DeathArrow1y ago

What do you mean by FOSS Wi-Fi cards? Aren't there lots of open source drivers for Wi-Fi cards?

MadnessASAP1y ago

I do foresee some cases not entirely unlike the Flipper Zero arising from this but still wholeheartedly support it.

1 more reply

pantalaimon1y ago

1 more reply

MaximilianEmel1y ago

They're talking about open-source firmware, I would guess.

1 more reply

LukeShu1y ago

There are no newer-than-803.11n cards that are usable with a Linux-libre kernel (which doesn't load binary blobs).

1 more reply

fjfaase1y ago

linuxlizard1y ago

Decompiling the microcode blob might run afoul of intellectual property laws. A clean room implementation needs to be done without reading any of the product's actual code.

fjfaase1y ago

[1] https://en.wikipedia.org/wiki/Clean_room_design

AshamedCaptain1y ago

Even printing the call stack as they are doing is already very risky; some judges may argue that this is not strictly necessary.

pabs31y ago

One of the posts mentioned they use Ghidra and Qemu forks for their work.

pantalaimon1y ago

All the newer ESP32 MCUs are RISC-V based if that may help

ajb1y ago

Interesting. 53286 accesses is a lot, I wonder if some of this is writing firmware to another processor, or writing a table. Some may also be busy waiting on status bits.

K0balt1y ago

It seems like they would have everything to gain and nothing to lose from this?

Anyone shed any light on the motivations here?

ta9881y ago

Really often that's because they license it from a third party and they are not allowed to.

lostemptations51y ago

Bingo :)

jesprenj1y ago

Does a FOSS wifi driver for esp8266 already exist or is it in the making?

pabs31y ago

They are working on it, the post is about what they still have to do.

jesprenj1y ago

The post is about esp32.

SillyUsername1y ago

I need _Bluetooth_ OBEX support on ESP32 and Espressif's standard lib doesn't provide it. Is this project going to look at issues like these too?

051y ago

The BT stack is based on Bluedroid, so that’s open source (up to the driver I’d guess); see here https://github.com/espressif/esp-idf/tree/master/components/...

pabs31y ago

Some other examples of open WiFi firmware here:

https://wiki.debian.org/Firmware/Open

opengears1y ago

Does this mean we could get open source (hardware) WiFi cards for our Linux Notebooks based on ESP32 in the future?

utensil47781y ago

No, and you don't want that in the first place. With an ESP32 you'd be pretty lucky to get more than 10 or 20mbps in ideal conditions. It's also 2.4GHz only.

yjftsjthsd-h1y ago

pelorat1y ago

So this appears to be a clean reversing effort, for what - legal reasons?

Espressif Systems is a Chinese company and probably stole half the code in the firmware anyways. No one will blame you if you stick the stick the firmware in Ghidra.

tecleandor1y ago

First paragraph:

"This will enable features that the current, closed source ESP32 Wi-Fi implementation does not have, for example 802.11s mesh networking. It will also improve the auditability of the code."

3abiton1y ago

Mesh is such a cool technology that seems to be reserved to high end HW, and bringing it to ESP32 would be amazing!

DeathArrow1y ago

>Espressif Systems is a Chinese company and probably stole half the code in the firmware anyways.

So if an entity is Chinese we are sure they are thiefs.

mschuster911y ago

[1] https://www.bunniestudios.com/blog/2014/from-gongkai-to-open...

[2] https://www.bunniestudios.com/blog/2013/the-12-gongkai-phone...

2 more replies

ZiiS1y ago

The people they copied it from would.

mschuster911y ago

hildenae1y ago

Does this way to write an implementation have a name?

1 more reply

margorczynski1y ago

Have you tried utilizing a strong LLM like ChatGPT or Claude to help you out? I've seen some really interesting examples of using it to decompile code to a very readable format.

hildenae1y ago

As other comments have mentioned - they do not want to decompile the source, they want a clean-room-implementation.

j / k navigate · click thread line to collapse