ESP32’s Freedom Output Lets You Do Anything

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

38 thoughts on “ESP32’s Freedom Output Lets You Do Anything

  1. How this may fit into class licensing, FCC Part 15, and the like, is an interesting question.

    If you make the RF hardware very flexible and agile to suit many different applications, under software-defined control, then you make a specific software stack a part of the FCC-certified system which is licensed for use, and you can’t change that stack without potentially breaking the certification.

    1. They are only FCC certified as they are from the factory (firmware et al.). Once you incorporate this into another product, you need a new FCC certification. It’s still easier to use the module, because you can sort of “skip” the design and testing for the module if you use it the way it’s intended. However once integrated into the end product you need to redo the cert. Even if you resell the module with a modified firmware, you need to go through re-cert.

      Hobbyists can get around this as they are allowed to use up to 5 uncertified devices in America, so the FCC certification isn’t really applicable for this use case.

        1. I believe that the project mentioned in that article did not used the ESP8266’s wifi transmitter at all. Instead it used the I2S bus, heavily overclocked to 80 mhz, as a one bit DAC to output square waves.

    2. I certainly wouldn’t be surprised if you can do things via the ‘raw’ mode that exceed FCC Part 15 allowable behavior; but my understanding is that FCC Part 15 certification isn’t contingent on things like “if a wifi device; actually behave according to 802.11A/B/G/N/AC standards”. Specific misbehavior, like deauth attacks, runs into the “This device must not cause any harmful interference”; but something that just spews(suitably low power) 2.4GHz noise is no less legal than something that spews 802.11 frames; so, as long as things like frequency range and power level are hardware constrained, the fact that you can use the raw mode to implement all kinds of freaky custom protocols or just make noise isn’t necessarily the FCC’s concern.

      It’s quite possible that the hardware is capable of doing more than the FCC would permit, in which case having full software control can make a difference; but on the ISM band regulatory standards don’t include adherence to specific protocols or standards(are there any bands where regulation [i]is[/i] based on standards compliance?)

  2. It’s worth mentioning that the packet transmissions were restricted to data-only added after the ‘WiFi Jammer’ projects and similar came out. Nice to see that someone restored the functionality though :)

    1. Or you could just make an open AP (the DS does not support WPA) then connect to it and use a custom app for communication. I use mine as a TCP (telnet) terminal and connect it to an ESP8266 running Espruino to get a Javascript console, though it would be interesting to remove the open/hidden AP and configuration entirely.

  3. So tempted to get some stock….. They’ll be handy, just not urgently. Although deauthentication at work to kick off those P2P involved IP addresses hogging the bandwidth (There are 4 companies in the one warehouse I work at these days, LOL).

  4. Somehow I think it might backfire in an awful manner. Of course, skillful use could enable some amazing applications (FPV video streaming?), but what’s to stop a script kiddie from just blocking all WiFi traffic by cloning someone elses GitHub project and loading it on an inexpensive ESP32 module? I bet Espressif will get in a little bit in trouble.. Shame, cause they always seem to be as hacker friendly as they safely can. I’d doubt they would quietly let it slip on purpose.

      1. Jammers are easy to find but only after you get some direction finding equipment out there … An app won’t cut it
        And getting them out takes time, hours best case, and when someone can put up loads for very little money it can be a real pain in the ass
        its up the community to not be dumb and start publishing easy to follow jamming instructions and code for any pissed off skid can replicate for the good of the creators of this wonderful chip and the future of full foss and osh

        1. I use my “WiFi Analyzer” (Android) app quite frequently. If you circle around a building you can easily find where a router is hidden. Don’t forget that a microwave oven can be made into a jammer, and the company who designed the microwave oven isn’t liable for such misuse of its product.

          I do agree with the second sentiment. I don’t want to find this used for spamming and spoofing, I want to see mesh networks and solar bridges!

    1. I don’t think that Espressif did anything to aid this hack. [Jeija] reversed the binaries. The same could be done with virtually any router, etc.

      The capabilities aren’t ESP32-specific either. I have (how many?) different WiFi adapters that allow packet injection and monitoring. The ESP8266/32 _is_ a very convenient form factor, but you’re not worried about people doing this with other devices?

      WiFi vandalism is soooo 2008. The apocalypse never came. Well, it did force wider adoption of WPA, so that’s good. Your concern is misplaced, IMO.

    2. What’s to stop someone getting a load of these, dissolving or mechanically removing the encapsulation off the chip, crushing up the dies into sharp little silicon fragments, opening the airbox of your car and putting a load in the intake behind your aircleaner, and dropping some under the 710 cap for good measure, NOTHING!!!1111 #OMGbansilicon

      1. Minor adjustment to your comment:
        What’s to stop someone getting a load of these, a transistor, a lithium battery, an electric rocket lighter, hooking it up to some AMFO and sticking some in a train for good measure #OMGbanEverything

    3. Damn, I’ve been obliterated by “knives are dangerous, so let’s ban them too” argument. OK, I get it :). All I wanted to say was – we now have a very convenient, inexpensive, stand-alone device capable to render WiFi useless in its perimeter. Will anyone bother to exploit this – let us see, after all my F-91W watch has not been banned despite heavy usage amongst Al-Qaeda members as bomb triggers.

    4. There are already about 50 instructables on how to do mass death with a esp8266 so this really changes nothing from that perspective. Plus you can use any number of adapters to do the same thing.

  5. They kind of had to blob this code up to prevent any liability for when someone inevitably makes a jammer … But clearly they did not go all out with crazy obfuscation so the programmers clearly did the bear minimum legal would let them so hats off

  6. ESP32’s Freedom Output Lets You Do Anything

    You ‘bit’, and read the ‘article’, right? Who says that exaggeration is not a useful technique in the ‘reporting’ business…? (I need someone to use the ’32 to cure pattern baldness…)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s