How bout sniffin’ those 802.11 packets?

As the title suggests, I needed to sniff some 802.11 packets, but this time using an ESP8266 (actually, a Wemos D1 mini Lite, which features ESP8285, but any ESP-based device should work).


I started by grabbing esp8266_pcap_serial from ArduinoPcap, only to find out that it lacks the structs needed to properly stream the buffer to Wireshark. I quickly fixed that (uploaded here) and then ran into a second problem which was not as easy to fix: the SDK imposes a 128-byte limit on packet size. Oh dear, I guess some firmware hacking is heading my way. But hey, if we’re going to hack the firmware, we’d better code a new sniffer, right? Here goes.
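The pcap framing the ArduinoPcap sniffer turned out to be missing, shown here as an added example that is not the author’s or the project’s code: the libpcap global and record headers in plain C, a bounded write sink standing in for the UART, and a record writer that keeps orig_len honest when the SDK hands over fewer bytes than were on the air. The 128-byte SDK_PKT_LIMIT, the sink type, the function names and the sample beacon frame are all assumptions made for this illustration, not anything from the page or the SDK.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* libpcap savefile constants (pcap-savefile(5)). */
#define PCAP_MAGIC_USEC     0xa1b2c3d4u /* native byte order, microsecond timestamps */
#define LINKTYPE_IEEE802_11 105u        /* raw 802.11 frames, no radiotap header */
#define SDK_PKT_LIMIT       128u        /* assumed per-frame limit the stock SDK imposes */

/* 24-byte global header, sent once before the first record. */
typedef struct __attribute__((packed)) {
    uint32_t magic_number;
    uint16_t version_major, version_minor;
    int32_t  thiszone;   /* GMT offset, 0 in practice */
    uint32_t sigfigs;    /* timestamp accuracy, 0 in practice */
    uint32_t snaplen;    /* max bytes stored per packet */
    uint32_t network;    /* link-layer type */
} pcap_file_header_t;

/* 16-byte per-packet header, followed by incl_len bytes of frame. */
typedef struct __attribute__((packed)) {
    uint32_t ts_sec, ts_usec;
    uint32_t incl_len;   /* bytes actually present in the stream */
    uint32_t orig_len;   /* bytes the frame had on the air */
} pcap_record_header_t;

/* Output sink: on the ESP8266 this would wrap the UART write; here a bounded buffer. */
typedef struct { uint8_t *buf; size_t cap, len; } pcap_sink_t;

static int sink_write(pcap_sink_t *s, const void *data, size_t n)
{
    if (s->len + n > s->cap) return -1;      /* never overrun the caller's buffer */
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 0;
}

/* Global header. Must be the very first bytes Wireshark sees on the pipe, which is
   why every log line sharing the UART has to be silenced. */
int pcap_write_global_header(pcap_sink_t *s, uint32_t snaplen)
{
    pcap_file_header_t h = { .magic_number = PCAP_MAGIC_USEC, .version_major = 2,
                             .version_minor = 4, .snaplen = snaplen,
                             .network = LINKTYPE_IEEE802_11 };
    return sink_write(s, &h, sizeof h);
}

/* One captured frame. 'avail' is how many bytes we hold, 'on_air_len' the real
   length. Recording orig_len separately makes Wireshark flag SDK-truncated frames
   as "[truncated]" instead of misparsing a short frame as a complete one. */
int pcap_write_record(pcap_sink_t *s, uint32_t ts_sec, uint32_t ts_usec,
                      const uint8_t *frame, uint32_t avail, uint32_t on_air_len)
{
    uint32_t incl = avail < on_air_len ? avail : on_air_len;
    pcap_record_header_t rh = { ts_sec, ts_usec, incl, on_air_len };
    if (sink_write(s, &rh, sizeof rh) != 0) return -1;
    return sink_write(s, frame, incl);
}

/* Reads the record header at 'off'; what a host-side reader does per record. */
int pcap_read_record_header(const uint8_t *buf, size_t len, size_t off,
                            pcap_record_header_t *out)
{
    if (off + sizeof *out > len) return -1;
    memcpy(out, buf + off, sizeof *out);
    return 0;
}

/* Constructed sample: a minimal 36-byte beacon (MAC header + fixed fields, no IEs). */
static const uint8_t sample_beacon[36] = {
    0x80, 0x00, 0x00, 0x00,                   /* frame control (beacon), duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,       /* DA: broadcast */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,       /* SA: made-up locally administered MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,       /* BSSID */
    0x00, 0x00,                               /* sequence control */
    0, 0, 0, 0, 0, 0, 0, 0,                   /* TSF timestamp */
    0x64, 0x00, 0x01, 0x00                    /* interval 100 TU, capability ESS */
};

/* Streams the global header, the full beacon, then a 300-byte data frame of which
   only SDK_PKT_LIMIT bytes were delivered. Returns stream length, 0 on overflow. */
size_t demo_capture(uint8_t *out, size_t cap)
{
    pcap_sink_t s = { out, cap, 0 };
    uint8_t big[300] = { 0x08, 0x00 };  /* constructed data frame, body left zero */
    if (pcap_write_global_header(&s, 2304) != 0) return 0;
    if (pcap_write_record(&s, 1, 0, sample_beacon, sizeof sample_beacon,
                          sizeof sample_beacon) != 0) return 0;
    if (pcap_write_record(&s, 1, 500, big, SDK_PKT_LIMIT, sizeof big) != 0) return 0;
    return s.len;
}

int main(void)
{
    uint8_t stream[512];
    size_t n = demo_capture(stream, sizeof stream);
    fwrite(stream, 1, n, stdout);   /* e.g. ./pcapdemo | wireshark -k -i - */
    return n == 220 ? 0 : 1;
}
```

Built with gcc and piped into `wireshark -k -i -`, the stand-alone binary shows one complete beacon and one frame marked as truncated (128 of 300 bytes). That second record is the practical face of the 128-byte SDK limit: any real beacon carrying information elements is longer than that, so without the firmware changes described below every frame of interest would arrive cut short.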

We have two official firmwares to choose from: Non-OS SDK or RTOS SDK. The main differences are (taken from here):

Non-OS SDK

  • The Non-OS SDK uses timers and callbacks as the main way to perform the various functions – nested events, functions triggered by certain conditions. The Non-OS SDK uses the espconn network interface; the user needs to develop their software according to the usage rules of the espconn interface.

RTOS SDK

  • The RTOS SDK uses FreeRTOS, a multi-tasking OS. You can use the standard FreeRTOS interfaces for resource management, recycling operations, execution delays, inter-task messaging and synchronization, and task-oriented process design. For the specifics of the interface methods, refer to the FreeRTOS official website or the introduction in USING THE FREERTOS REAL TIME KERNEL – A Practical Guide.
  • The RTOS SDK’s network interface is the standard lwIP API, plus a wrapper that provides a BSD socket API. Users can develop applications directly against the socket API, and such code can also be compiled to run on other platforms with a standard socket API, effectively reducing the cost of switching platforms. (possibly flawed translation)
  • The RTOS SDK introduces the cJSON library; use its functions to parse JSON packets more easily.
  • The RTOS SDK is compatible with the Non-OS SDK in the Wi-Fi, smart config, sniffer, system, timer, FOTA and peripheral driver interfaces, but does not support the AT implementation.

For my purposes I naturally went with the RTOS SDK. Follow the instructions on the README and install the proper toolchain (mine is Linux64) before proceeding with the firmware itself.

WARNING: Do not try `apt install gcc-xtensa-lx106` or any other version, since the firmware will fail to compile. Here, I just saved you a few hours of errors.

wget https://dl.espressif.com/dl/xtensa-lx106-elf-linux64-1.22.0-92-g8facf4c-5.2.0.tar.gz
tar zxvf xtensa-lx106-elf-linux64-1.22.0-92-g8facf4c-5.2.0.tar.gz
export PATH=$PATH:`pwd`/xtensa-lx106-elf/bin

Now I was ready to clone and compile the firmware. The first thing to do is configure the firmware options via make menuconfig. A few important notes:

    • Make sure you select correct memory size for your board on 'Serial flasher config -> Flash size'.
    • Do not change 'Compiler Options' from 'Debug' to 'Release', otherwise your program will fail to load properly.
    • For 'Wemos D1 mini Lite' I had to change the default 'Serial flasher config' -> 'Flash SPI mode' to 'DOUT', otherwise it won’t flash properly. Other boards such as 'Wemos D1 mini Pro' worked just fine with the default 'QIO'.

git clone https://github.com/espressif/ESP8266_RTOS_SDK.git
cd ESP8266_RTOS_SDK
export IDF_PATH=`pwd`
cd examples/system/console
make menuconfig
make -j8 flash monitor

Press RESET on the ESP8266 board and watch the terminal log for some geeks’ entertainment (to exit Miniterm, press CTRL-]). If you want more logging fun, select ‘Verbose’ as the log level, recompile and flash again.

Now for the sniffer part: I patched together some ESP8266 pcap sniffer firmware. To try it yourself, make sure you disable all log output (in make menuconfig), since the log output goes over the same UART and will corrupt the pcap stream the sniffer sends to Wireshark. Use make menuconfig to change the sniffer settings.

cd $IDF_PATH/examples/wifi
git clone https://github.com/z4ziggy/esp8266_pcap_uart.git
cd esp8266_pcap_uart
make menuconfig
make -j8 flash
./SerialShark.py


This is what it should look like:

[screenshot: esp8266-sniffer]
