ESP32’s Freedom Output Lets You Do Anything

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

Simple Scanner Finds the Best WiFi Signal

Want to know which way to point your WiFi antenna to get the best signal? It’s a guessing game for most of us, but a quick build of a scanning WiFi antenna using mostly off-the-shelf components could point you in the right direction.

With saturation WiFi coverage in most places these days, optimizing your signal might seem like a pointless exercise. And indeed it seems [shawnhymel] built this more for fun than for practical reasons. Still, we can see applications where a scanning Yagi-Uda antenna would come in handy. The build started with a “WiFi divining rod” [shawnhymel] created from a simple homebrew Yagi-Uda and an ESP8266 to display the received signal strength indication (RSSI) from a specific access point. Tired of manually moving the popsicle stick and paperclip antenna, he built a two-axis scanner to swing the antenna through a complete hemisphere.

The RSSI for each point is recorded, and when the scan is complete, the antenna swings back to the strongest point. Given the antenna’s less-than-perfect directionality — [shawnhymel] traded narrow beam width for gain — we imagine the “strongest point” is somewhat subjective, but with a better antenna this could be a handy tool for site surveys, automated radio direction finding, or just mapping the RF environment of your neighborhood.

Yagi-Uda antennas and WiFi are no strangers to each other, whether it be a WiFi sniper rifle or another recycling bin Yagi.  Of course this scanner isn’t limited to WiFi. Maybe scanning a lightweight Yagi for the 2-meter band would be a great way to lock onto the local Ham repeater.

Continue reading “Simple Scanner Finds the Best WiFi Signal”

DIY DynDNS with ESP8266 and Dweets

You’re on a home router, and your IP address keeps changing. Instead of paying a little bit extra for a static IP address (and becoming a grownup member of the Internet) there are many services that let you push your current IP out to the rest of the world dynamically. But most of them involve paying money or spending time reading advertisements. Who has either money or time?!

[Alberto Ricci Bitti] cobbled together a few free services and an ESP8266 module to make a device that occasionally pushes its external IP address out to a web-based “dweet” service. The skinny: an ESP8266 gets its external IP address from ipify.org and pushes it by “dweet” to a web-based data store. Freeboard reads the “dweet” and posts the resulting link in a nice format.

Every part of this short chain of software services could be replaced easily enough with anything else. We cobbled together our own similar solution, literally in the previous century, back when we were on dialup. But [Alberto R B]’s solution is quick and easy, and uses no fewer than three (3!) cloud services ending in .io. Add an ESP8266 to the WiFi network that you’d like to expose, and you’re done.

ESP32 WiFi Hits 10km with a Little Help

[Jeija] was playing with some ESP32s and in true hacker fashion, he wondered how far he could pull them apart and still get data flowing. His video answer to that question covers the Friis equation and has a lot of good examples of using the equation, decibels, and even a practical example that covers about 10km. You can see the video below.

Of course, to get that kind of range you need a directional antenna. To avoid violating regulations that control transmit power, he’s using the antenna on the receiving end. That also means he had to hack the ESP32 WiFi stack to make the device listen only on one side. The hack involves putting the device in promiscuous mode and only monitoring the signals being sent. You can find the code involved on GitHub (complete with a rickrolling application).

Continue reading “ESP32 WiFi Hits 10km with a Little Help”

Generator Monitor Gives the Phone Company the Boot

Part of the problem with having an alarm system is its reliance on land line telephone service. Some of them are getting away from this practice, but there are still many legacy systems out there that require a check to be sent in to Ma Bell every month in addition to the alarm system fees. Like these antiquated systems, [jgyates] was having a similar problem with the generator at his home which could only be monitored with a link to a cell network. Now that there’s a Raspberry Pi in every house, however, [jgyates] has a generator monitor that isn’t beholden to the phone company.

The hardware setup is little more than connecting the communications lines from the generator’s controller (in this case, a Generac Evolution controller) to the serial communications pins on a Raspberry Pi 3. [jgyates] did most of the work in Python, and his code is able to monitor almost every aspect of this generator and report it over WiFi or Ethernet, as well as control the generator settings from anywhere that has an Internet connection.

Even if you don’t have a generator with this particular controller, it will be a good guide for converting a monitor of any type into one that doesn’t require a land line or cell network connection. To that end, there have been lots of projects that convert even simple, old, analog household devices to report data over the LAN.

Sir, It Appears We’ve Been Jammed!

In a move that would induce ire in Lord Helmet, [Kedar Nimbalkar] has recreated Instructables user spacehun’s version of WiFi jammer that comes with a handful of features certain to frustrate whomever has provoked its wrath.

The jammer is an ESP8266 development board — running some additional custom code — accessed and controlled by a cell phone. From the interface, [Nimbalkar] is able to target a WiFi network and boot all the devices off the network by de-authenticating them. Another method is to flood the airspace with bogus SSIDs to make connecting to a valid network a drawn-out affair.

This kind of signal interruption is almost certainly illegal where you live. It does no permanent damage, but once again raises the existing deauth exploit and SSID loophole. [Nimbalkar]’s purpose in recreating this was for educational purposes and to highlight weaknesses in 802.11 WiFi protocols. The 802.11w standard should alleviate some of our fake deauth woes by using protected frames. Once the device authenticates on a network it will be able to detect fake deauth packets.

We featured a more targeted version of this hack that can be done using a PC — even targeting itself! And more recently there was a version that can target specific devices by jumping on the ACK.

Continue reading “Sir, It Appears We’ve Been Jammed!”

3G to WiFi Bridge Brings the Internet

[Afonso]’s 77-year-old grandmother lives in a pretty remote location, with only AM/FM radio reception and an occasionally failing landline connecting her to the rest of the world. The nearest 3G cell tower is seven kilometers away and unreachable with a cell phone. But [Afonso] was determined to get her up and running with video chats to distant relatives. The solution to hook granny into the global hive mind? Build a custom antenna to reach the tower and bridge it over to local WiFi using a Raspberry Pi.

The first step in the plan was to make sure that the 3G long-shot worked, so [Afonso] prototyped a fancy antenna, linked above, and hacked on a connector to fit it to a Huawei CRC-9 radio modem. This got him a working data connection, and it sends a decent 4-6 Mbps, enough to warrant investing in some better gear later. Proof of concept, right?

On the bridging front, he literally burned through a WR703N router before slapping a Raspberry Pi into a waterproof box with all of the various radios. The rest was a matter of configuration files, getting iptables to forward the 3G radio’s PPP payloads over to the WiFi, and so on. Of course, he wants to remotely administer the box for her, so he left a permanent SSH backdoor open for administration. Others of you running remote Raspberry Pis should check this out.

We think it’s awesome when hackers take connectivity into their own hands. We’ve seen many similar feats with WiFi, and indeed [Afonso] had previously gone down that route with a phased array of 24 dBi dishes. In the end, the relatively simple 3G Pi-and-Yagi combo won out.

Part two of the project, teaching his grandmother to use an Android phone, is already underway. [Afonso] reports that after running for two weeks, she already has an Instagram account. We call that a success!