New Part Day: Espressif ESP32-C6 Includes WiFi 6 And A RISC-V Core

If you’re a reader of Hackaday, then you’ve almost certainly encountered an Espressif part. The twin microcontroller families ESP8266 and ESP32 burst onto the scene and immediately became the budget-friendly microcontroller option for projects of all types. We’ve seen the line expand recently with the ESP32-C3 (packing a hacker-friendly RISC-V core) and the ESP32-S3 with oodles of IO and fresh new CPU peripherals. Now we have a first peek at the ESP32-C6: a brand new RISC-V based design with the hottest Wi-Fi standard on the block, Wi-Fi 6.

There’s not much to go on here besides the standard Espressif block diagram and a press release, so we’ll tease out what detail we can. From the diagram it looks like the standard set of interfaces will be on offer; they even go so far as to say “ESP32-C6 is similar to ESP32-C3” so we’ll refer you to [Jenny’s] excellent coverage of that part. In terms of other radios the ESP32-C6 continues Espressif’s trend of supporting Bluetooth 5.0. Of note is that this part includes both the coded and 2 Mbps Bluetooth PHYs, allowing for either dramatically longer range or a doubling of speed. Again, this isn’t the first ESP32 to support these features but we always appreciate when a manufacturer goes above and beyond the minimum spec.

Welcome to the ESP32-C6

The headline feature is, of course, Wi-Fi 6 (AKA 802.11ax). Unfortunately this is still exclusively a 2.4GHz part, so if you’re looking for 5GHz support (or 6GHz in Wi-Fi 6E) this isn’t the part for you. And while Wi-Fi 6 brings a bevy of features from significantly higher speed to better support for mesh networks, that isn’t the focus here either. Espressif have brought a set of IoT-centric features: two radio improvements, OFDMA and MU-MIMO, and the protocol feature Target Wake Time.

OFDMA and MU-MIMO are two different ways of allowing multiple connected devices to communicate with an access point simultaneously. OFDMA allows devices to slice up and share channels more efficiently, giving the AP more flexibility in allocating its constrained wireless resources. With OFDMA the access point can elect to give an entire channel to a single device, or slice it up to multiplex between more than one device simultaneously. MU-MIMO works similarly, but with entire antennas. Single User MIMO (SU-MIMO) allows an AP and a connected device to communicate using more than one antenna each. In contrast, Multi User MIMO (MU-MIMO) allows an AP to share its antenna array between multiple devices simultaneously, grouped directionally.

Finally there’s Target Wake Time, the simplest of the bunch. It works very similarly to the Bluetooth Low Energy (4.X and 5.X) concept of a connection interval, allowing devices to negotiate when they’re next going to communicate. This allows devices more focused on power than throughput to negotiate long intervals during which they can shut down their wireless radios (or more of the processor) to extend battery life.

These wireless features are useful on their own, but there is another potential benefit. Some fancy new wireless modes are only available on a network if every connected device supports them. A Wi-Fi 6 network with 10 Wi-Fi 6 devices and one Wi-Fi 5 (802.11ac) device may not be able to use all the bells and whistles, degrading the entire network to the lowest common denominator. The recent multiplication of low cost IoT devices has meant a corresponding proliferation of bargain-basement wireless radios (often Espressif parts!). Including new Wi-Fi 6 exclusive features in what’s sure to be an accessible part is a good start to alleviating problems with our already strained home networks.

When will we start seeing the ESP32-C6 in the wild? We’re still waiting to hear but we’ll let you know as soon as we can get our hands on some development hardware to try out.

Thanks to friend of the Hackaday [Fred Temperton] for spotting this while it was fresh!

18650 Brings ESP8266 WiFi Repeater Along For The Ride

We’re truly fortunate to have so many incredible open source projects floating around on the Internet, since there’s almost always some prior art you can lean on. By combining bits and pieces from different projects, you can often save yourself a huge amount of time and effort. It’s just a matter of figuring out how all the pieces fit together, like in this clever mash-up by [bethiboothi] that takes advantage of the fact that the popular TP4056 lithium-ion battery charger module happens to be almost exactly the same size as the ESP-01.

By taking a 3D printed design intended to attach a TP4056 module to the end of an 18650 cell and combining it with an ESP8266 firmware that turns the powerful microcontroller into a WiFi repeater, [bethiboothi] ended up with a portable network node that reportedly lasts up to three days on a charge. The observed range was good even with the built-in PCB antenna, but hacking on an external antenna can get you out a little farther if you need it.

While it doesn’t appear that [bethiboothi] is using it currently, the esp_wifi_repeater firmware does have an automatic mesh mode which seems like it would be a fantastic fit for this design. Putting together an impromptu mesh WiFi network with a bunch of cheap battery powered nodes would be an excellent way to get network connectivity at an outdoor hacker camp, assuming the ESP’s CPU can keep up with the demand.

Rolling Your Own TiVo WiFi Adapter

The only thing more surprising than finding out TiVo actually put out a new 4K set-top box recently is learning that somehow they didn’t bother to build WiFi into the thing. You’re forced to buy a special wireless adapter to the tune of $60 USD to add the feature. We’d make a joke about the company living in the past, but frankly, it would be too easy.

Having to buy just one of these expensive dongles in 2020 would be insulting enough, but TiVo superfan [xxbiohazrdxx] needed four of them. Rather than hand nearly $250 to the antennae-headed overlords, they decided to reverse engineer the adapter and produce their own low-cost version. While the final result might not be as slim and svelte as the original, it does come in at less than 1/4 the price.

Operating under the assumption that the TiVo would only talk to a WiFi adapter based on the same Broadcom BCM43569 chipset used in the official one, [xxbiohazrdxx] started by trying to find a standard USB dongle that might be a drop-in replacement. Unfortunately, it looks like this particular chip was almost exclusively used in proprietary applications, most commonly as a WiFi board inside of smart TVs. But as it turns out, that wasn’t necessarily a deal breaker.

After some searching, [xxbiohazrdxx] eventually found the promising CyberTAN NU361-HS board. Not only was it based on the right chipset and ran from 5 volts, but its FCC ID entry had a complete pinout for the connector. This particular WiFi module is used in a number of budget TVs and is widely available as a spare part for less than $10. By combining the board and a USB breakout PCB inside of a 3D printed case, you’ve got a plug-and-play WiFi adapter that the TiVo thinks is the real deal.

There was a time when Hackaday was flooded with TiVo hacks, but it’s now been more than a decade since cheap carrier-provided DVRs ate the company’s lunch. Realistically, there’s an excellent chance that this post will be the only time a mention of the once-mighty DVR graces the front page in 2020. While the reign of the TiVo might be at its end, the impact it had as one of the first Linux-powered consumer devices will be etched in hacker history forever.

Long Range WiFi Broadcasts Open-Source Video Conferencing

WiFi is a ubiquitous feature of the modern landscape, but due to power restrictions on most hardware alongside the high-frequency signal it’s typically fairly limited in range. This of course leads to frustration where a WiFi signal can be seen, but the connection is unreliable or slow. While most would reach for a range extender or other hardware bridge, [tak786] was able to roll out a better solution for his workplace by using a high-gain antenna and a single-board computer, which gets him an amazing kilometer-wide WiFi network.

The build uses a 10 dBi antenna from TP-Link that’s rated for outdoor use and a single-board computer which acts as a sort of router. The antenna is placed at the top of a building which certainly helps with the extreme range as well. This setup doesn’t actually broadcast an open Internet connection, though. [tak786]’s employer needed a teleconferencing solution for their building, and he also created a fully open-source video conferencing solution called trango that can run on any LAN and doesn’t require an Internet connection. The WiFi setup in this build is effectively just a bonus to make the conferencing system more effective.

[tak786] is planning on releasing a whitepaper about this build shortly, but for now you can access the source code for the video conferencing system at his GitHub page. And, before anyone jumps to conclusions, apparently this is well within FCC rules as well. Some of the comments in the linked Reddit post suggest that with an amateur radio license this system could be pushed much further, too. If you need more range than a kilometer, though, it’s not too much more difficult to do once you have all the right hardware.

ESP8266 Turned Secretive WiFi Probe Request Sniffer

When a Wi-Fi device is switched on, it starts spewing out probe requests to try and find a familiar access point. These probe requests contain the device’s MAC address and, when the device is probing for a specific network rather than sending a wildcard probe, the SSID of the hotspot it’s looking for, which can potentially be used to identify a specific device and where it’s been. After experimenting with these probe requests, [Amine Mehdi Mansouri] has created OpenMAC, a tiny ESP8266 based sniffer that could be hidden anywhere.

The device consists of an ESP-07S module, a regulator circuit for getting power from a USB-C connector, and a button for power cycling. An external antenna is required for the module, which can be selected based on the size or gain requirements for a specific deployment. [Amine] tested the OpenMAC at a local library (with permission), in combination with a number of his own little Wi-Fi repeaters to expand the reach of the network. All the recorded MAC addresses were logged to a server, where the data can be used for traffic analysis in and around the library, or even for tracking and locating specific devices.

This is nothing new; it is a relatively common technique for gathering information in retail locations, and it could also be used for more nefarious purposes. Newer versions of iOS, Android, and Windows 10 feature MAC address randomization which can limit the ability to track devices in this manner, but it isn’t always activated.
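To make the two points above concrete, here is an added Python example (not part of the original article and not [Amine]’s OpenMAC code) that parses the probe-request management frames a sniffer like this logs: it pulls the transmitter MAC and the requested SSID out of the 802.11 header and SSID information element, refuses to over-read a truncated element, ignores non-probe frames such as beacons, and flags the locally administered bit that OS MAC randomization sets. The frame layout follows the 802.11 management-frame format; the MAC addresses and frames are constructed for the example rather than captured, and a real sniffer would feed in frames from a monitor-mode capture instead.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# 802.11 frame-control values for a probe request (type 0 = management, subtype 4)
MGMT_TYPE = 0
PROBE_REQ_SUBTYPE = 4
HEADER_LEN = 24          # frame control, duration, addr1, addr2, addr3, sequence control
IE_SSID = 0              # information element tag for the SSID
IE_SUPPORTED_RATES = 1
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class ProbeRequest:
    src_mac: str
    ssid: Optional[str]      # "" for a wildcard probe, None if no SSID element was present
    locally_administered: bool


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(raw_mac: bytes) -> bool:
    # Bit 1 (0x02) of the first octet is the IEEE locally administered bit. OS MAC
    # randomization sets it, so a set bit is a hint (not proof) that the address is
    # not the burned-in hardware identifier.
    return bool(raw_mac[0] & 0x02)


def parse_ies(body: bytes):
    """Yield (tag, value) for each information element; stop at a truncated one."""
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            return      # length field runs past the buffer: refuse to over-read
        yield tag, body[off:off + length]
        off += length


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the sender and requested SSID of a probe request, or None for anything else."""
    if len(frame) < HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x03 != MGMT_TYPE or (fc0 >> 4) & 0x0F != PROBE_REQ_SUBTYPE:
        return None
    src = frame[10:16]                       # address 2 is the transmitter
    ssid = None
    for tag, value in parse_ies(frame[HEADER_LEN:]):
        if tag == IE_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
    return ProbeRequest(mac_to_str(src), ssid, is_locally_administered(src))


def collect_probes(frames: Iterable[bytes]) -> Dict[str, Set[str]]:
    """Map each probing MAC to the set of SSIDs it asked for (what a sniffer would log)."""
    seen: Dict[str, Set[str]] = {}
    for frame in frames:
        req = parse_probe_request(frame)
        if req is None:
            continue
        seen.setdefault(req.src_mac, set())
        if req.ssid:
            seen[req.src_mac].add(req.ssid)
    return seen


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Assemble a probe request frame (constructed test input, not a captured packet)."""
    frame_control = struct.pack("<H", (PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2))
    header = frame_control + b"\x00\x00" + BROADCAST + src_mac + BROADCAST + b"\x00\x00"
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps basic rates
    return header + ies


# Constructed sample traffic (hypothetical MACs): a phone with a hardware MAC looking
# for known networks, a randomized-MAC device sending a wildcard probe, and a beacon
# (subtype 8) that a probe-request sniffer must ignore.
HW_MAC = bytes.fromhex("001122334455")
RANDOM_MAC = bytes.fromhex("daa1193c7f02")
SAMPLE_FRAMES = [
    build_probe_request(HW_MAC, b"CoffeeShop"),
    build_probe_request(HW_MAC, b"HomeNet"),
    build_probe_request(RANDOM_MAC, b""),
    struct.pack("<H", 8 << 4) + b"\x00" * 22 + bytes([IE_SSID, 7]) + b"Beacon!",
]

if __name__ == "__main__":
    for mac, ssids in collect_probes(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids))
```

The randomized device shows up with an empty SSID set and the locally administered bit set, which is exactly why randomization blunts this kind of tracking: a directed probe naming a home or work network ties a burned-in address to a place, while a wildcard probe from a rotating address gives a sniffer little to correlate.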

We’ve seen a number of projects that exploit probe requests. FIND-LF can be used for locating devices in your home, and Linger fools probe request sniffers by replaying previously recorded requests.

Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 (held online as DEF CON Safe Mode), security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur, the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device’s wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. These are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are thus essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary solutions.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here, from an attacker’s perspective, is to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


Life-Saving Surgery For A Telescopic Antenna

Whether it was as an impulsive youth or an impatient adult, there are probably few among us who haven’t broken a telescopic antenna or two over the years. It doesn’t take much to put a bend in the thin walled tubing, and after that, all bets are off. So [The Amateur Engineer] couldn’t really be too upset when his son snapped the antenna off the transmitter of an old RC truck. Instead, he decided to take it apart and see how it could be repaired.

Taking a thin screwdriver to the antenna’s bottom most segment, he was able to widen up the opening enough to remove the upper sections as well as recover the broken piece and copper locking plates. He cut out the damaged area and drilled new holes for the pins on the copper plates to fit into. Inserting the repaired section back into the lowest segment was no problem, but he says it took a little trial and error before he was able to roll the edge over enough to keep the antenna from falling apart.

Buying a replacement would certainly have been easier, but as the radios in our devices have moved into the higher frequencies, these collapsible antennas have become a bit harder to come by. Modern RC vehicles operate on 2.4 GHz, so they don’t need the long antennas that the older 27 MHz systems utilized. [The Amateur Engineer] did find a few direct replacements online, but none for a price he was willing to pay.

We might have used the broken transmitter as an excuse to switch the RC vehicle over to WiFi control, but we appreciate [The Amateur Engineer] showing how this type of antenna can be disassembled and repaired if necessary.