
missjellyfish | 2 years ago

Author here - there are two main problems with directly constructing frames on an esp: first, espressif only very recently opened up the wifi stack to a point where raw frame construction is supported and even this has some limitations on which frame types are supported. There is an, erhm, liberated API on older SDKs that supports some more frametypes, but both cannot be used to construct encrypted frames (which is kind of reasonable, I assume that encryption is done purely in hardware).

Second, the more practical limitation comes from the fuzzing objective: esps are slowwwww, and the testcase throughput is abysmal; especially if you factor in that the firmware is essentially a black box and the usual coverage-guidance used in modern fuzzing simply does not work on a device that constrained.

So yeah - constructing frames on the esp would be the smart thing to do; figuring out how to do this efficiently (and fully automated) is however not trivial at all. FWIW, hooking the board up to a computer via serial is also not enough, the fuzzer needs some way to hard reset devices (that is, pull the reset pin to ground or powercycle or both). We use some extra microcontrollers we had lying around for that, however we needed to make some custom PCBs to make that work reliably.

Edit: also, to clarify, the esp8266 is even more limited than the esp32. There is no officially supported way to construct raw frames on the 8266, and in/out connections other than wifi are limited to fairly low speed UART (no JTAG, etc.).

tony-allan | 2 years ago

Thanks. That makes a lot of sense.