Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

August 7, 2022 by 3 Comments

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could  try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

Remoticon 2021: Uri Shaked Reverses The ESP32 WiFi

December 30, 2021 by 9 Comments

You know how when you’re working on a project, other side quests pop up left and right? You can choose to handle them briefly and summarily, or you can dive into them as projects in their own right. Well, Uri Shaked is the author of Wokwi, an online Arduino simulator that allows you to test our your code on emulated hardware. (It’s very, very cool.) Back in the day, Arduino meant AVR, and he put in some awesome effort on reverse engineering that chip in order to emulate it successfully. But then “Arduino” means so much more than just AVR these days, so Uri had to tackle the STM32 ARM chips and even the recent RP2040.

Arduino runs on the ESP32, too, so Uri put on his reverse engineering hat (literally) and took aim at that chip as well. But the ESP32 is a ton more complicated than any of these other microcontrollers, being based not only on the slightly niche Xtensa chip, but also having onboard WiFi and its associated binary firmware. Reverse engineering the ESP32’s WiFi is the side-quest that Uri embarks on, totally crushes, and documents for us in this standout Remoticon 2021 talk. Continue reading “Remoticon 2021: Uri Shaked Reverses The ESP32 WiFi”

Announcing The Next Round Of Remoticon Talks

October 21, 2021 by 2 Comments

It’s coming up fast — Hackaday Remoticon 2021 is just a few weeks away, and we’re working around the clock to load up the weekend with awesome and inspiring talks that are bound to get the creative juices racing through your crazy straw brain.

Come and practice your neuroplasticity with us on November 19th and 20th. Remoticon is free-as-in-beer this year, unless you want a t-shirt. Even then, $25 is peanuts, because we’re sure that you’ll find a few talks that are priceless, and you’ll have a cool shirt to remember them by. Grab your ticket right now! We’ll wait.

A few days ago we announced mechanical engineering marvel Jeremy Fielding as our second keynote speaker. Passion is paramount to all projects, and Jeremy’s passion is making things move. He’s a renaissance man with a quiver full of self-taught skills, and is sure to bring enthusiasm to his keynote talk, which focuses on building hardware that moves, and how to handle the mechatronic mysteries that arise when trying to scale things up.

For now, let us indulge you with a preview of the second round of talks and speakers that we’ll be showcasing on November 19th and 20th. There’s plenty more where these came from, and we’ll be serving up fresh samples all the way until Remoticon weekend.

Continue reading “Announcing The Next Round Of Remoticon Talks”

It’s Linux – But On An ESP32

July 21, 2021 by 44 Comments

GNU/Linux is an open-source marvel that has over the past three decades given us an almost infinitely versatile and powerful UNIX-like operating system. But even it has its limitations, particularly at the lower end of the hardware scale where less fully-featured processors often lack the prerequisites such as a memory management unit. Thus [JuiceRV]’s feat of booting a Linux kernel on an ESP32 microcontroller seems impossible, what’s happening?

The ESP’s dual 32-bit Xtensa cores are no slouch in the processing power department, but without that MMU it’s not an obvious Linux candidate platform. The solution to this problem comes in the form of an emulated RISC-V virtual machine which provides just enough grunt for a Linux 5.0.0 kernel to boot.

By any measure this represents an impressive piece of work, but will this new-found ability to run Linux on a microcontroller take the world by storm? Of course not, unless your tastes run to the very slowest of computing experiences. It is however the essence of the hack, and for that we salute it.

It’s not the first time Linux has run on a microcontroller, in the past someone hooked up a 30 pin SIMM and an SD card to an 8-bit Atmel chip and did it in a similar way with an ARM emulator.

Via CNX Software.

Header image: Ubahnverleih, CC0.

New Part Day: Espressif ESP32-S3

January 9, 2021 by 53 Comments

Since Espressif Systems arrived in our collective consciousness they have expanded their range from the ESP8266 to the ESP32, and going beyond the original WROOM and WROVER modules to a range of further ESP32 products. There’s a single-core variant and one that packs a RISC-V core in place of the Tensilica one, and now they’ve revealed their latest product. The ESP32-S3 takes the ESP to a new level, packing as it does more I/O, onboard USB, and an updated version of the two Tensilica cores alongside Bluetooth version 5. It’s still an ESP32, but one that’s more useful, and it’s worth a closer look because we expect it to figure in quite a few projects.

Espressif's block diagram for the chip.
Espressif’s block diagram for the chip.

Sadly the data sheet does not seem to have been released, but we do have some tidbits to consider. Espressif are anxious to tell us about its “AIOT” capabilities thanks to the vector instructions in the EXTensa LX7 cores (PDF) that were not present in the previous model’s LX6. They claim that this will speed up software neural networks; this does have an air of marketing about it but we’ll withhold judgement until we see it in use. The new core certainly will offer a performance improvement across the board though, which should be of interest to all ESP32 developers. Meanwhile the ultra-low-power core that existing ESP32 developers will be familiar with remains.

Then there is that USB support, which appears in the feature block diagram but has little information elsewhere. It’s listed as USB OTG which raises the possibility of the ESP32 being the host, but what it should also bring is the ability to emulate other USB devices. We’ve seen badges mount as WebUSB devices using STM32 clones as peripherals for an ESP32, but in future these tricks should be possible on the Espressif chip itself.

Probably the most anticipated piece of the new device’s specification comes in the addition of 10 new I/O lines. This has historically been a weakness of the ESP line, that it’s an easy chip with which to run out of available pins. These extra lines will make it more competitive with for example the STM32 series of microcontrollers that have larger package options, and will also mean that designs can have more in the way of peripherals without the use of port expanders.

In summary then, the latest member of the ESP32 family delivers a significant and useful update, and brings some of the features first seen in the single core version to the more powerful line of chips. Sadly it doesn’t have the hoped-for on-chip RAM boost, but it brings enough in the way of new capabilities to be of interest. At the moment it doesn’t look like the ESP32-S3 is available to order, but we hope to have engineering samples soon and should be bringing you a hands-on report in due course.

New Part Day: Espressif Announces ESP32-S2 With USB

May 21, 2019 by 60 Comments

Espressif, the company behind the extremely popular ESP8266 and ESP32 microcontrollers has just announced their latest chip. It’s the ESP32-S2. It’s a powerful WiFi-enabled microcontroller, and this one has support for USB OTG.

Compared to the ESP32 we know and love, there are a few differences. The ESP32-S2 uses a single core Xtensa LX7 core running at up to 240 MHz, where the current ESP32 uses either a single or dual core LX6. The differences between these cores is hidden away in marketing speak and press releases, but it appears the LX7 core is capable of many more floating point operations per cycle: apparently 2 FLOPS / cycle for the LX6, but 64 FLOPS / cycle for the LX7. This is fantastic for DSP and other computationally heavy applications. Other features on the chip include 320 kB SRAM, 128 kB ROM, and 16 kB of RTC memory.

Connectivity for the ESP32-S2 is plain WiFi; Bluetooth is not supported. I/O includes 42 GPIOs, 14 capacitive touch sensing IOs, the regular SPI, I2C, I2S, UART, and PWM compliment, support for parallel LCDs, a camera interface, and interestingly full-speed USB OTG support. Yes, the ESP32-S2 is getting USB, let us all rejoice.

Other features include an automatic power-down of the RF circuitry when it isn’t needed, support for RSA and AES256, and plenty of support for additional Flash and SRAMs should you need more memory. The packaging is a 7 mm x 7 mm QFN, so get out the microscope, enhance your calm, and bust out the flux for this one. Engineering samples will be available in June, and if Espressif’s past performance in supplying chips to the community holds true, we should see some projects using this chip by September or thereabouts.

(Banner image is of a plain-old ESP32, because we don’t have any of the new ones yet, naturally.)

Rust Running On The Realtek RTL8710: ESP8266 Alternative?

January 4, 2017 by 26 Comments

For simply getting your project connected to WiFi, a least among hacker circles, nothing beats the ESP8266. But it’s not the only player out there, and we love to see diversity in the parts and languages that we use. One of the big shortcomings of the ESP8266 is the slightly-oddball Xtensa CPU. It’s just not as widely supported by various toolchains as its ARM-based brethren.

And so, when [Zach] wanted to do some embedded work in Rust, the ESP8266 was out of the picture. He turned to the RTL8710, a very similar WiFi module made by Realtek. Documentation for the RTL8710 is, at the moment, crappy, much as the ESP8266 documentation was before the hacker community had at it. But in trade for this shortcoming, [Zach] got to use the LLVM compiler, which supports the ARM architecture, and that means he can code in Rust.

In the end, the setup that [Zach] describes is a mix of FreeRTOS and some of the mbed libraries, which should be more than enough to get you up and running fairly painlessly on the chip. We’ve actually ordered a couple of these modules ourselves, and were looking to get started in straight C, but having Rust examples working doesn’t hurt, and doesn’t look all that different.

Is anyone else using the RTL8710? An ARM-based, cheap WiFi chip should be interesting.