During the past year, quite a lot happened within the esp32-open-mac project (and within the broader ESP32 reverse engineering community in general), both code-wise and event-wise.
Events:
- We gave a talk at 38C3 (the largest hacker conference in Europe), see https://media.ccc.de/v/38c3-liberating-wi-fi-on-the-esp32.
- A paper was published, based in part on the reverse engineering work we did: ‘Reverse Engineering the ESP32-C3 Wi-Fi Drivers for Static Worst-Case Analysis of Intermittently-Powered Systems’, https://arxiv.org/pdf/2501.17684
- Simon got a grant accepted by NLNet to continue working on the open-source Wi-Fi stack
And some more code-related changes:
- We removed the FreeRTOS dependency by reverse engineering the internals of the blobs; this makes the blobs largely version-independent of our stack.
- We added AP mode support to the C stack; this means that you can now host a (very basic) access point using open-source code on the ESP32.
- Simon started writing a new 802.11 stack from the ground up, in Rust. After seeing that stack mature, we decided to stop splitting efforts between the open-source C stack (the esp32-open-mac repository in the esp32-open-mac organisation) and the Rust stack (the FoA repository in the esp32-open-mac organisation); all work now goes into the FoA repository. In addition to being a more secure language, Rust also has the advantage that it is easier to write parsers and generators for the (sometimes complex) Wi-Fi frames we have to send and receive. All features in the C stack have now been ported over, except for the AP mode support.
- We passed our first security review by an external organisation (paid for by NLNet); no security issues were found!
- After reverse engineering the hardware cryptography acceleration together, Simon added support for connecting to WPA2 protected networks. This means that our stack can now connect to most home- and small-office networks.
- Simon added support for Apple Wireless Direct Link (AWDL), which serves as the link layer for AirDrop and P2P-AirPlay. The implementation lives in foa-awdl in the FoA repo.
- mjwells2002 even used our frame sending/receiving primitives to write an image sender for the (somewhat ancient) Nintendo DSi Pictochat.
- We started work on implementing standards-compliant mesh networking (see also this blog post). This is the start of the first standards-compliant feature that our open-source stack has and the closed-source Wi-Fi stack by Espressif does not. Currently, we can already connect to open 802.11s networks, but cannot yet send/receive data packets.
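As an added example (not code from the FoA repository), this is the kind of bounds-checked 802.11 frame parsing the Rust stack mentioned above makes easier: the field layout follows IEEE 802.11, and the sample beacon header bytes are constructed for the example.

```rust
// Added example, not code from the FoA repository: a bounds-checked parser for
// the 24-byte three-address 802.11 MAC header (frame control is little-endian:
// type in bits 2-3, subtype in bits 4-7, flags in the high byte).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum FrameType { Management, Control, Data, Extension }

#[derive(Debug, PartialEq, Eq)]
pub struct MacHeader {
    pub frame_type: FrameType,
    pub subtype: u8,
    pub to_ds: bool,
    pub protected: bool, // Protected Frame bit: body is encrypted (e.g. WPA2 CCMP)
    pub addr1: [u8; 6],
    pub addr2: [u8; 6],
    pub addr3: [u8; 6],
    pub seq_num: u16,
}

/// Parse the fixed header. A truncated frame is a recoverable error here,
/// not an out-of-bounds read as an unchecked struct cast over a buffer would be.
pub fn parse_mac_header(frame: &[u8]) -> Result<MacHeader, &'static str> {
    if frame.len() < 24 {
        return Err("frame shorter than the 24-byte MAC header");
    }
    let fc = u16::from_le_bytes([frame[0], frame[1]]);
    let types = [FrameType::Management, FrameType::Control, FrameType::Data, FrameType::Extension];
    let flags = (fc >> 8) as u8;
    // Copy a 6-byte address out of the frame at the given offset (already length-checked).
    let addr = |off: usize| -> [u8; 6] {
        let mut a = [0u8; 6];
        a.copy_from_slice(&frame[off..off + 6]);
        a
    };
    let seq_ctrl = u16::from_le_bytes([frame[22], frame[23]]);
    Ok(MacHeader {
        frame_type: types[((fc >> 2) & 0b11) as usize],
        subtype: ((fc >> 4) & 0x0f) as u8,
        to_ds: flags & 0x01 != 0,
        protected: flags & 0x40 != 0,
        addr1: addr(4),
        addr2: addr(10),
        addr3: addr(16),
        seq_num: seq_ctrl >> 4, // low 4 bits are the fragment number
    })
}

/// Constructed sample input: a beacon header (type 0, subtype 8) sent from a
/// locally administered MAC to the broadcast address, sequence number 0x123.
pub fn sample_beacon_header() -> Vec<u8> {
    const SRC: [u8; 6] = [0x02, 0x00, 0x00, 0x00, 0x00, 0x01];
    [&[0x80u8, 0x00, 0x00, 0x00][..], &[0xff; 6][..], &SRC[..], &SRC[..], &[0x30, 0x12][..]].concat()
}
```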
We would like to thank all contributors, in particular Simon Neuenhausen, who was instrumental in writing the Rust stack and implementing WPA2 (among other things). In addition to that, we’d also like to thank NLNet for supporting this work through their grants, both the one we received in the past year and the one with which Simon will continue working on this. I’d also like to personally thank the single (anonymous) person who donated some money all the way back in 2023 when I published the first blog post explaining the RX and TX packet sending mechanism; it was nice to get a real-life confirmation that other people find the effort I put into this useful.
We feel that our stack is now ready for beta testing, and have therefore published a first 0.1.0 release and an example demo ESP32 firmware in Rust that connects to a Wi-Fi network and can be adapted to your needs (so you can start from a working project, instead of having to set everything up yourself).
Simon also wrote a small bit about the future of the project:
Since my grant was approved, I’ve been working on implementing an intermediary layer in the driver, which talks directly to the hardware and provides a fairly unopinionated API that can then be used by the user-facing API. This should make it significantly easier to maintain the driver and add new functionality, such as support for more chips, as well as make it possible to implement C bindings to the driver. The latter should also open our work to more people, as most people are still using C for their projects, which we fully acknowledge. The work on the intermediary layer is nearing completion, but I haven’t been able to work that much on it in recent weeks, as I started attending university, which has started filling up my schedule.
As already mentioned, more chips are going to be supported, which (if everything goes according to plan) will include the ESP32C6, from which we can then derive support for most other chips. There are, however, still a number of features of the original ESP32 Wi-Fi peripheral that we haven’t looked at yet (e.g. TSF, Block ACKs, Modem sleep), which we hope to investigate further.
Another important aspect is making the project more accessible to new developers, as so far the reverse engineering side of things has been a two-man show. The main way of achieving this is more documentation and a less convoluted code base (which is already being worked on).