At the 38th Chaos Communication Congress, [Frostie314159] and [Jasper Devreker] gave us a nice update on their project to write an open-source WiFi stack for the ESP32. If you’re interested in the ESP32 or WiFi in general, they’ve also got a nice deep dive into how that all works.
On the ESP32, there’s a radio, demodulator, and a media access controller (MAC) that takes care of the lowest-level, timing-critical bits of the WiFi protocol. The firmware that drives the MAC hardware is a licensed blob, and while the API for this blob is well documented — that’s how we all write software that uses WiFi after all — it’s limited in what it lets us do. If the MAC driver firmware were more flexible, we could do a lot more with the WiFi, from AirDrop clones to custom mesh modes.
The talk starts with [Jasper] detailing how he reverse engineered a lot of Espressif’s MAC firmware. It involved Ghidra, a Faraday cage, and a lucky find of the function names in the blob. [Frostie] then got to work writing the MAC driver that he calls Ferris-on-Air. Right now, it’s limited to normal old station mode, but it’s definite proof that this line of work can bear fruit.
This is clearly a work in progress — they’ve only been at this for about a year now — but we’ll be keeping our eyes on it. The promise of the ESP32, and its related family of chips, being useful as a more general-purpose WiFi hacking tool is huge.
3 thoughts on “38C3: Towards An Open WiFi MAC Stack On ESP32”
Anyone see contact other than Matrix? I.e. a GitHub, IRC? I’d be interested in reaching out to these folks, but Matrix is such a pain. Well, mostly I’m interested in finding out what their code looks like.
There you go: https://github.com/esp32-open-mac/, done in Rust.
I was present at the presentation. Great work but a lot remains to be done.
https://github.com/esp32-open-mac/esp32-open-mac/commit/3405d26e4c64a3395ccfb91b8e9e3e65c4d299e0 is a link from a blog post of theirs. Probably close to where you need to be?
