Jasper Devreker Sets His Sights on a Fully-Open Wi-Fi Stack for Espressif's ESP32 Microcontrollers
Aiming to banish the binary blobs required for Wi-Fi, this reverse engineering operation can already send and receive arbitrary packets.
Jasper Devreker, a member of Ghent University's student association for computer science, is aiming to make Espressif's popular ESP32 platform a little more open — with the development of an open source Medium Access Control (MAC) layer.
"The ESP32 is a popular microcontroller known in the maker community for its low price (~ €5) and useful features," Devreker explains. "It has a dual-core CPU, built-in Wi-Fi and Bluetooth connectivity and 520kB of RAM. Most of the software development kit that is used to program for the ESP32 is open source, except notably the wireless bits (Wi-Fi, Bluetooth, low-level RF functions): that functionality is distributed as pre-compiled libraries, that are then compiled into the firmware the developer writes."
Unhappy with this state of affairs, Devreker has set up a project to develop a "minimal replacement" for the binary blobs driving Espressif's ESP32 Wi-Fi radio. "We don’t intend to be API-compatible with existing code that uses the Espressif ESP-IDF API," Devreker notes, "rather, we'd like to have a fully working, open source networking stack."
It's a challenging prospect: Espressif's own code is proprietary and only provided as opaque binary blobs, and because the company doesn't expect developers to use anything else, the underlying hardware is not publicly documented. The solution: reverse engineering the hardware, building on work done by Uri Shaked back in 2021 and Martin Johnson in 2022.
Taking Espressif's fork of the QEMU emulator as a starting point, and using the open source Ghidra reverse engineering tool with a plugin for Tensilica Xtensa support, Devreker and colleagues began their work — including analyzing the firmware running on a genuine ESP32 board under the team's control. "In addition to the JTAG debugger, we also connected a USB Wi-Fi dongle directly to the ESP32," Devreker explains.
"We connect [the] antenna connector to a 60dB attenuator (this weakens the signal by 60dB)," Devreker continues, "then connect that to the antenna connector of the wireless dongle. That way we'll be able to only receive the packets coming from the ESP32, and the ESP32 will only receive packets sent by the wireless dongle."
Placing the resulting combination in a Faraday cage made from an empty tin can, the team was able to write a minimal firmware and uncover a high-level overview of the "hardware lifecycle" while sending a packet. With that in hand, they created a proof-of-concept firmware for transmitting and receiving arbitrary packets without using any of Espressif's software development kit functionality — except for the proprietary functions required to initialize the radio and disable power saving.
That's an impressive start, but the project still has a ways to go: Devreker's roadmap includes controlling the radio's tuner and power settings, replacing the proprietary radio initialization step, and adding code from an existing 802.11 MAC stack to allow the device to associate with Wireless Access Point (WAP) devices.
"This is a sizeable project that could definitely use multiple contributors; I’d really like to collaborate with other people to create a fully functional, open source Wi-Fi stack for the ESP32," Devreker adds. "If this sounds like something you’d like to work on, contact me via zeusblog@devreker.be, maybe we can have a weekly hacking session?"
The full project write-up is available on the Ghent University Zeus WPI website, with the packet-reception breakthrough in a second post. The source code thus far is up on GitHub under the permissive MIT license, with Espressif's blobs licensed under Apache 2.0.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.