Underclocking The ESP8266 Leads To WiFi Weirdness

Sometimes the best hacks come from the most basic of questions. In this case, [CNLohr] was wondering what would happen if he started to reduce the clock speed of the ESP8266’s Baseband PLL (BBPLL) while still trying to communicate with it. You know, as one does. The results ended up being fairly surprising, and while it’s not immediately clear if there’s a practical application for this particular trick, it’s certainly worth some additional research.

Code for stepping through clock speeds

The idea here is that the BBPLL is the reference clock for the entire system, including all of the peripherals. So underclocking it doesn’t just slow down code execution as you might expect, but it also slows down the chip’s interactions with the outside world. [CNLohr] demonstrates this concept in the video below, showing how the baud rate used to view the serial output from the ESP8266 needs to be adjusted to match the chip’s frequency or else you’ll only get garbage on the line.

But what happens to the WiFi? As [CNLohr] discovered, while the center frequency itself doesn’t change, the channel width gets narrower as the clock rate is lowered. When viewed on the waterfall display of a software defined radio (SDR), the transmission can be seen “compressing” in a step pattern as the clock rate is reduced. As one might expect, the 802.11 packets become indecipherable to a normal WiFi device running in monitor mode. The signal is still at the correct frequency, but the devices can no longer understand each other.

Now it was time for another of those basic questions. What would happen if you did the same thing to a second ESP8266? Much to his surprise, [CNLohr] discovered that the two devices could still communicate successfully as long as their BBPLL clock speed was the same. From an outsider’s perspective it looked like gibberish, but to the two ESPs which had been slowed by the same amount, everything worked as expected even though the 802.11 standards say it shouldn’t.

So what can you do with this? The most obvious application is a “stealth” WiFi connection between ESP8266s which wouldn’t show up to normal devices, a communications channel invisible to all but the most astute eavesdropper. [CNLohr] has made all the source code to pull this trick off public on GitHub, and it should be interesting to see what kind of applications (if any) hackers find for this standards-breaking behavior.

If your thing is devices being forced into operations they were never intended to by particularly twisted hackers, check out our recent coverage of the USB serial adapter turned SDR by [Ted Yapo].

[Thanks to BaldPower for the tip.]

39 thoughts on “Underclocking The ESP8266 Leads To WiFi Weirdness

  1. Oooooh that’s fascinating. Use all the work that has gone into wifi development to make your own independent-ish stealth wireless network the easy way. I guess you could even have both of them vary their clock speed according to a pre-shared key or whatnot so they continuously vary their bandwidth and aren’t connectable to somebody who is trying to match their clock speed by trial and error. Or would that cause other issues with connectivity?

      1. Aren’t wireless (and serial) protocols usually designed with some form of clock recovery in mind? In that case you wouldn’t need to match them perfectly, just close enough for the clock recovery to pick up the slack.

  2. Will anyone care about this „misuse“ of the WiFi spectrum? From what I understand, the only thing required for the 2.4GHz band is staying below 20dBm ERP, right? And of course staying in the band itself, which the ESPs should do, since the channel got smaller and not larger?
    Has anyone messed with the PLLs on the ESP32 yet?

    1. Yeah, I feel like you might have a hard time prosecuting this even if it was found out. It’s consumer hardware, only the software modified, it stays in its allotted frequency band and under its power limit. Would it even interfere with other wifi? Other modems would just reject those malformed packets, right?

      Sounds like it might be an easy way to get around the no encrypted radio rules. I’m still skeptical but such a thing would be really interesting.

      1. 2.4 Ghz is unregulated. You can cause interference with wifi all you want if it’s not intentional. Simply using a baby monitor that’s 2.4 GHz or a microwave is enough to cause it. This reclocking is 100% legal as it’s not intentional jamming, if it causes interference at all.

      2. Your only risk is violating the Wi-Fi protocol standards, which breaks your compatibility and interoperability with other devices… which is intentional in this case. :) You’re not violating the actual RF spectrum use rules in any way.

      1. That’s of little use on the ESP8266. Only if: the PLL’s on the ESP8266 are the same as on the ESP32 and then: someone will need to reverse engineer the code from this binary blob to see what it actually does.

    1. Due to how bandwidth works I’d assume the bitrate ceiling would have to be slower, but I’d love to know specifically how much and if that bottleneck really comes into play at all or if it’s already running below the physical maximum for that bandwidth for other unrelated reasons.

      1. Obviously the bitrate directly depends on the PLL frequency. So if you lower the frequency by 10% the bitrate also decreases by 10%. If the range increases depends on how the hardware handles the narrower band. When the power in dBm/MHz stays constant I would expect the range to be the same because the total output power is reduced. If on the other hand the total output stays constant ( dBm/MHz increases) an increased range may be possible.

      2. The symbol separation gets less because the channel gets narrower while the ability for the receiver to separate frequencies doesn’t get any better, so the SNR gets worse, so both speed and range suffer.

        1. That’s about what I figured. But is an average wifi connection constantly and efficiently butting up against its limit, or does it usually have unused bandwidth to spare? I can’t claim expertise in that area myself, only curious.

          I wonder what the minimum reduction of bandwidth is to make the packets become unrecognizable to all other wifi modems and thereby drop into stealth mode. I’m going to rewatch the video, maybe he mentions this.

    2. Obviously the bitrate is lower, as the signal occupies less bandwidth. The bandwidth reduction is the direct result of slower signaling speed. Also, you won’t see any range increase as you don’t change the filters in the signal path. I’d expect a lower SNR due to less bandwidth occupied by the signal (less power in the channel) but the noise being still the same. At the same time, the transmission is more robust because lower signaling speed has lower SNR requirements, therefore I’d expect that the range you achieve is still the same.

  3. You can do this with many WiFi cards in a very similar way. There are actually standardized 5 and 10MHz wide WiFi systems, although they are not commonly used for consumer things. This hack will likely be physical layer compatible with them (some application layer fields will likely be wrong, but you should be able to send and receive packets).

    Be careful not to exceed the power spectral density limit if there is one in your country, as you are spreading the power over a narrower band.

    1. the 5, 10, 20 and 40 mhz wide systems likely all use the same symbol spacing you are just reducing or increasing the number of symbols that can be transmitted for each tick of the radio clock.

      This technique is compressing the radio bandwidth while still keeping the same number of symbols, making it incompatible with wifi looking for the symbols at the prescribed spacing. Neat hack to make a “stealth wifi” but probably increases error rate with the symbol spacing being shrunk.

      Seen another hack of the ESPs where they were coded to run in a transmit only mode for testing range. apparently using a modified wifi stack. basically it would only transmit using proper wifi frames and a receiver on the other end with a highly direction antenna could pick up an otherwise unmodified esp from about 10km away. The ESP was transmitting a video stream that was capable of working in this transmit only mode, the video codec itself would just deal with any lost data as dropped frames or macroblocking.

      https://www.youtube.com/watch?v=yCLb2eItDyE

      1. The 5 and 10MHz modes actually reduce the PHY clock. There are still 64 carriers, but with a smaller spacing. The 40MHz mode does use more tones. This allows a receiver to cover 20/40MHz simultaneously, while the oddball 5 and 10 require exclusive configuration.

        You can try it with an SDR, take the gnuradio 802.11 code and halve the sample rate. An ath9k card in half rate mode will receive the packet.

        Probably the ESP8266 does not have a matching pll setting for 5 and 10MHz as it was not designed for it, so you will have some oddball bandwidths…

  4. Narrower band things *might* have more range, but only if the receiver also has a narrower bandwidth. Shannon gets into more detail, but conversationally, there’s x noise power “out there” in the band and in the RF amp per root hz bandwidth. If you can make the receiver narrower, it’ll see less noise power. If the transmitter also crams all its power into this narrower band, then the SNR at the receiver *in that band* is higher than it would be if both used more spectrum.

    In other words, just reducing the transmit bandwidth usually won’t produce any range gain, or stated another way, bigger link budget. That’s happening at the other end of the link.

    Since most wifi implementations have a receiver bandwidth of the entire band – more than even one whole channel (yes,, I know it’s actually more complex than that depending on the abcgnwxyz version) – unless you can change that, there’s no benefit to be had, really.

    Until you get to coherent spread-spectrum stuff like LoRa or other older schemes that basically fold in the noise randomly, but add the signal linearly – so noise only goes up as the square root N while signal goes up as N…

    Information theory is fun and can be profitable.

  5. This isn’t really that unexpected. If you reduce the sample rate of the ADC and DAC in the WiFi you’re basically just changing the symbol rate and hence the subcarrier spacing in the OFDM scheme. It’s all the same frames, just played back slower. Same thing as playing music at half speed. You effectively halve the bandwidth.

  6. “even though the 802.11 standards say it shouldn’t”
    Except neither of the pair are complying to the standard… It’s pretty obvious that they’ll work together if symmetrically broken.

    One of the perennial problems with developing to any sort of encode/decode standard.. btdt.

  7. Can’t this be used to make the ESP8266 faster? I know someone did, but there is very little information about how. I do know WiFi won’t work (similar issue as described here), but how about setting it to “turbo boost” for short bursts when doing cpu intensive tasks and then reverting it to regain WiFi connectivity?

  8. A practical application for this would be using to esp8266’s for a point to point connection which is immune for so called wifi jammers, a (esp8266 based) device which will disconnect all clients from an AP by continuously sending deauth packets. Normally there’s nothing you can do to prevent yourself from an attack like this, but in this case it wouldn’t work any more :)

  9. I wanted to do ofdm for a hd video signal, but it turns out we need to used an FPGA , ASIC or other DSP boards..
    Since nodemcu performs ofdm , is it possible to get the OFDM modulated signal of the nodemcu module (which is wireless) before its transmission via the antenna ? Like through any of the pins or someway?

Leave a Reply to TGTCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.