esp32-open-mac · redfast00 · Mar 7, 2025
diff --git a/components/80211_mac_rust/rust_crate/src/lib.rs b/components/80211_mac_rust/rust_crate/src/lib.rs
@@ -333,8 +333,8 @@ struct SequenceControlTracker {
 // holds all state for the case where we are a station
 // TODO find better name for this and for the StaMachineState
 struct GlobalState {
+    iface_0_mac: MACAddress,
     iface_1_mac: MACAddress,
-    iface_2_mac: MACAddress,
     // TODO separate this BSSID out and into the STA/AP states
     bssid: MACAddress,
     sta_state: StaMachineState,
@@ -352,7 +352,7 @@ fn transition_to_scanning(state: &mut GlobalState) {
         // TODO don't hardcode this to STA 1
         sys::rs_mark_iface_down(rs_mac_interface_type_t::STA_1_MAC_INTERFACE_TYPE)
     }
-    unsafe { sys::rs_filters_set_scanning(INTERFACE_STA, state.iface_1_mac.as_ptr()) }
+    unsafe { sys::rs_filters_set_scanning(INTERFACE_STA, state.iface_0_mac.as_ptr()) }
     state.sta_state = StaMachineState::Scanning(ScanningS {
         last_channel_change: None,
     });
@@ -361,7 +361,7 @@ fn transition_to_scanning(state: &mut GlobalState) {
 fn transition_to_authenticating(state: &mut GlobalState, bssid: MACAddress, _channel: u8) {
     println!("transitioning to authenticating");
     unsafe {
-        sys::rs_filters_set_client_with_bssid(INTERFACE_STA, state.iface_1_mac.as_ptr(), bssid.as_ptr());
+        sys::rs_filters_set_client_with_bssid(INTERFACE_STA, state.iface_0_mac.as_ptr(), bssid.as_ptr());
     }
     // TODO change to correct channel
     state.bssid = bssid;
@@ -421,8 +421,8 @@ fn handle_ap_auth(state: &mut GlobalState, auth_req: AuthenticationFrame) {
                 fcf_flags: FCFFlags::new(),
                 duration: 0, // TODO
                 receiver_address: auth_req.header.transmitter_address,
-                transmitter_address: state.iface_2_mac,
-                bssid: state.iface_2_mac,
+                transmitter_address: state.iface_1_mac,
+                bssid: state.iface_1_mac,
                 ..Default::default()
             },
             body: AuthenticationBody {
@@ -476,8 +476,8 @@ fn handle_ap_assoc_req(state: &mut GlobalState, assoc_req: AssociationRequestFra
             fcf_flags: FCFFlags::new(),
             duration: 0, // TODO
             receiver_address: assoc_req.header.transmitter_address,
-            transmitter_address: state.iface_2_mac,
-            bssid: state.iface_2_mac,
+            transmitter_address: state.iface_1_mac,
+            bssid: state.iface_1_mac,
             ..Default::default()
         },
         body: AssociationResponseBody  {
@@ -512,8 +512,8 @@ fn handle_ap_probe_req(state: &mut GlobalState, probe_req: ProbeRequestFrame) {
             fcf_flags: FCFFlags::new(),
             duration: 0, // TODO
             receiver_address: probe_req.header.transmitter_address,
-            transmitter_address: state.iface_2_mac,
-            bssid: state.iface_2_mac,
+            transmitter_address: state.iface_1_mac,
+            bssid: state.iface_1_mac,
             ..Default::default()
         },
         body: ProbeResponseBody {
@@ -676,7 +676,7 @@ fn send_authenticate(state: &mut GlobalState) {
             fcf_flags: FCFFlags::new(),
             duration: 0, // TODO
             receiver_address: state.bssid,
-            transmitter_address: state.iface_1_mac,
+            transmitter_address: state.iface_0_mac,
             bssid: state.bssid,
             ..Default::default()
         },
@@ -701,7 +701,7 @@ fn send_associate(state: &mut GlobalState) {
             fcf_flags: FCFFlags::new(),
             duration: 0, // TODO
             receiver_address: state.bssid,
-            transmitter_address: state.iface_1_mac,
+            transmitter_address: state.iface_0_mac,
             bssid: state.bssid,
             ..Default::default()
         },
@@ -727,7 +727,7 @@ fn send_sta_data_frame(state: &mut GlobalState, wrapper: &mut MacTxDataWrapper)
             fcf_flags: fcf,
             duration: 0,                          // TODO
             address_1: state.bssid,               // RA
-            address_2: state.iface_1_mac,         // TA
+            address_2: state.iface_0_mac,         // TA
             address_3: wrapper.destination_mac(), // DA
             sequence_control: SequenceControl::new()
                 .with_fragment_number(1)
@@ -755,7 +755,7 @@ fn send_ap_data_frame(state: &mut GlobalState, wrapper: &mut MacTxDataWrapper) {
             fcf_flags: fcf,
             duration: 0,                          // TODO
             address_1: wrapper.destination_mac(), // RA
-            address_2: state.iface_2_mac,         // TA = BSSID
+            address_2: state.iface_1_mac,         // TA = BSSID
             address_3: wrapper.source_mac(),      // SA
             sequence_control: SequenceControl::new()
                 .with_fragment_number(1)
@@ -847,8 +847,8 @@ fn handle_state_ap(state: &mut GlobalState) -> u32 {
                 fcf_flags: FCFFlags::new(),
                 duration: 0, // TODO
                 receiver_address: BROADCAST,
-                transmitter_address: state.iface_2_mac,
-                bssid: state.iface_2_mac,
+                transmitter_address: state.iface_1_mac,
+                bssid: state.iface_1_mac,
                 ..Default::default()
             },
             body: BeaconBody {
@@ -894,7 +894,7 @@ fn sequence_control_accept(
     receiver: MACAddress,
 ) -> bool {
 
-    if state.iface_1_mac != receiver && state.iface_2_mac != receiver {
+    if state.iface_0_mac != receiver && state.iface_1_mac != receiver {
         println!("accepting likely broadcast frame");
         return true;
     }
@@ -1026,6 +1026,7 @@ fn handle_ap_hardware_rx(state: &mut GlobalState, wrapper: &mut HardwareRxDataWr
 
 #[no_mangle]
 pub extern "C" fn rust_mac_task() -> *const c_void {
+    let bssid = MACAddress([0xf0, 0xae, 0xa5, 0xb8, 0xfc, 0xba]);
     let mut state: GlobalState = GlobalState {
         bssid: BROADCAST,
         sta_state: StaMachineState::Scanning(ScanningS {
@@ -1035,16 +1036,21 @@ pub extern "C" fn rust_mac_task() -> *const c_void {
             clients: Default::default(),
             last_beacon_timestamp: None
         },
-        iface_1_mac: MACAddress([0x00, 0x23, 0x45, 0x67, 0x89, 0xab]), // TODO don't hardcode this
-        iface_2_mac: MACAddress([0x00, 0x20, 0x91, 0x00, 0x00, 0x00]), // TODO don't hardcode this
+        iface_0_mac: MACAddress([0x00, 0x23, 0x45, 0x67, 0x89, 0xab]), // TODO don't hardcode this
+        iface_1_mac: MACAddress([0x00, 0x20, 0x91, 0x00, 0x00, 0x00]), // TODO don't hardcode this
         current_channel: 1,
         seq_control_trackers: [SequenceControlTracker::default()]
     };
 
+    // unsafe {
+    //     rs_filters_set_ap_mode(0, state.iface_0_mac.as_ptr());
+    // }
+    // transition_to_scanning(&mut state);
+
     unsafe {
-        rs_filters_set_ap_mode(1, state.iface_2_mac.as_ptr());
+        sys::rs_filters_set_client_with_bssid(INTERFACE_STA, state.iface_0_mac.as_ptr(), bssid.as_ptr());
     }
-    transition_to_scanning(&mut state);
+    unsafe { sys::rs_change_channel(state.current_channel) };
 
     let mut wait_for: u32 = 0;
     loop {
@@ -1054,6 +1060,7 @@ pub extern "C" fn rust_mac_task() -> *const c_void {
                 wait_for = 0;
                 match event {
                     MacEvent::HardwareRx(mut wrapper) => {
+                        println!("Hardware RX");
                         let payload = wrapper.payload();
                         let generic = GenericFrame::new(payload, false);
                         let Ok(generic) = generic else {
@@ -1073,6 +1080,7 @@ pub extern "C" fn rust_mac_task() -> *const c_void {
                             }
                         }
                         let matches = wrapper.interface();
+                        println!("matches {:?}", matches);
                         if matches.0 {
                             handle_sta_hardware_rx(&mut state, &mut wrapper);
                         }
@@ -1099,9 +1107,39 @@ pub extern "C" fn rust_mac_task() -> *const c_void {
                 }
             }
             None => {
-                let wait_for_sta = handle_state_sta(&mut state);
-                let wait_for_ap = handle_state_ap(&mut state);
-                wait_for = wait_for_ap.min(wait_for_sta);
+                // let wait_for_sta = handle_state_sta(&mut state);
+                // let wait_for_ap = handle_state_ap(&mut state);
+                // wait_for = wait_for_ap.min(wait_for_sta);
+                wait_for = 1000;
+                {
+                    let frame = [
+
+                        // 0x08, 0x48, 0xc3, 0x2c, 0x0f, 0xd2, 0xe1, 0x28, 0xa5, 0x7c, 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xab, 0xae, 0xa5, 0xb8, 0xfc, 0xba, 0x80, 0x33, 0x0c, 0xe7, 0x00, 0x20, 0x76, 0x97, 0x03, 0xb5, 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae, 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb, 0x7e, 0x78, 0xa0, 0x50,
+                        0x08, 0x4b, 0xc3, 0x2c, 0x0f, 0xd2, 0xe1, 0x28, 0xa5, 0x7c, 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xab, 0xae, 0xa5, 0xb8, 0xfc, 0xba, 0x80, 0x33, 0x00, 0x23, 0x45, 0x67, 0x89, 0xab, 0x0c, 0xe7, 0x00, 0x20, 0x76, 0x97, 0x03, 0xb5, 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae, 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb, 0x7e, 0x78, 0xa0, 0x50,
+                        0,0,0,0,0,0,0,0 // padding for CCMP MIC
+                    ];
+                    let _: u8 = frame[0];
+                    let length = frame.len();
+                    let smart_frame = unsafe { rs_get_smart_frame(length) };
+
+                    if smart_frame.is_null() {
+                        continue;
+                    }
+
+                    unsafe {
+                        (*smart_frame).payload_length = length;
+                        (*smart_frame).rate = 1;
+                    }
+                    let buf = unsafe {
+                        core::slice::from_raw_parts_mut(
+                            (*smart_frame).payload,
+                            (*smart_frame).payload_size as usize,
+                        )
+                    };
+                    buf.pwrite(frame, 0).unwrap();
+
+                    unsafe { rs_tx_smart_frame(smart_frame) };
+                }
             }
         }
     }

diff --git a/main/hardware.c b/main/hardware.c
@@ -196,13 +196,18 @@ bool transmit_80211_frame(rs_smart_frame_t* frame) {
 
 	WIFI_TX_CONFIG_BASE[WIFI_TX_CONFIG_OS*slot] = WIFI_TX_CONFIG_BASE[WIFI_TX_CONFIG_OS * slot] | 0xa;
 
-	MAC_TX_PLCP0_BASE[MAC_TX_PLCP0_OS*slot] = (((uint32_t)(tx_item)) & 0xfffff) | (0x00600000);
+	// We don't entirely know what these bits do yet, but it's related to RTS/CTS
+	uint32_t bool_request_to_send_before_packet = 0;
+	uint32_t bool_clear_to_send = 0;
+
+
+	MAC_TX_PLCP0_BASE[MAC_TX_PLCP0_OS*slot] = (((uint32_t)(tx_item)) & 0xfffff) | (0x00600000) | (bool_request_to_send_before_packet << 27) | (bool_clear_to_send << 28);
 	uint32_t rate = frame->rate;  // see wifi_phy_rate_t
 	uint32_t is_ht = (rate >= 0x10);
 	uint32_t is_short_gi = (rate >= 0x18);
-	uint32_t crypto_key_slot = 0;
+	uint32_t crypto_key_slot = 2;
 
-	MAC_TX_PLCP1_BASE[MAC_TX_PLCP1_OS*slot] = 0x10000000 | (frame->payload_length & 0xfff) | ((rate & 0x1f) << 12) | ((is_ht & 0b1) << 25) | ((crypto_key_slot & 0b11111) << 17);
+	MAC_TX_PLCP1_BASE[MAC_TX_PLCP1_OS*slot] = 0x10000000 | (frame->payload_length & 0xfff) | ((rate & 0x1f) << 12) | ((crypto_key_slot & 0b11111) << 17) | ((is_ht & 0b1) << 25);
 	MAC_TX_PLCP2_BASE[MAC_TX_PLCP2_OS*slot] = 0x00000020;
 	MAC_TX_DURATION_BASE[MAC_TX_DURATION_OS*slot] = 0;
 
@@ -406,6 +411,7 @@ void handle_rx_messages() {
 		// update rx chain
 		rx_chain_begin = next;
 		current->next = NULL;
+		ESP_LOG_BUFFER_HEXDUMP("received", current->packet, current->length, ESP_LOG_INFO);
 		c_hand_rx_to_mac_stack(current);
 
 		//TODO disable interrupt?

diff --git a/main/hwinit.c b/main/hwinit.c
@@ -113,8 +113,54 @@ void wifi_hw_start_openmac(uint8_t mode) {
     ic_enable_rx();
 }
 
+extern void __real_wDev_Insert_KeyEntry(uint8_t wpa_alg,uint8_t vif_sta0_ap1,uint8_t wpa_supplicant_key_idx,uint8_t* mac_addr,
+    uint8_t hardware_key_idx, uint8_t* key,size_t key_len, bool pmf,bool spp);
+
+void __wrap_wDev_Insert_KeyEntry(uint8_t wpa_alg,uint8_t vif_sta0_ap1,uint8_t wpa_supplicant_key_idx,uint8_t* mac_addr,
+    uint8_t hardware_key_idx, uint8_t* key,size_t key_len, bool pmf,bool spp) {
+    ESP_LOGI(TAG, "intercepted insert key entry");
+    __real_wDev_Insert_KeyEntry(wpa_alg, vif_sta0_ap1, wpa_supplicant_key_idx, mac_addr,
+     hardware_key_idx, key, key_len,  pmf, spp);
+}
+
+
+void wDev_Insert_KeyEntry(uint8_t wpa_alg,uint8_t vif_sta0_ap1,uint8_t wpa_supplicant_key_idx,uint8_t* mac_addr,
+    uint8_t hardware_key_idx, uint8_t* key,size_t key_len, bool pmf,bool spp);
+
+
+
+uint8_t crypto_bssid[6] = {0xab, 0xae, 0xa5, 0xb8, 0xfc, 0xba};
+
+uint8_t ccmp_key[16] = {0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85, 0x51, 0x4a, 0x8a, 0x19, 0xf2, 0xbd, 0xd5, 0x2f};
+
+enum wpa_alg {
+    WIFI_WPA_ALG_NONE   = 0,
+    WIFI_WPA_ALG_WEP40  = 1,
+    WIFI_WPA_ALG_TKIP   = 2,
+    WIFI_WPA_ALG_CCMP   = 3,
+    WIFI_WAPI_ALG_SMS4  = 4,
+    WIFI_WPA_ALG_WEP104 = 5,
+    WIFI_WPA_ALG_WEP    = 6,
+    WIFI_WPA_ALG_IGTK   = 7,
+    WIFI_WPA_ALG_PMK    = 8,
+    WIFI_WPA_ALG_GCMP   = 9,
+};
+
+
 void hwinit() {
 	ESP_ERROR_CHECK(adc2_wifi_acquire());
     wifi_hw_start_openmac(0);
     ESP_ERROR_CHECK(_do_wifi_start_openmac(0));
+
+    wDev_Insert_KeyEntry(
+        WIFI_WPA_ALG_CCMP, // CCMP
+        0, // VIF 0
+        0, // WPA key index
+        crypto_bssid, // TA address to decrypt packets for
+        0, // hw key idx: important: the wDev_Insert_KeyEntry function handles hw idx < 4 differently
+        ccmp_key,
+        16,
+        true, // disable PMF (protected management frames)
+        false // Signaling and Payload Protection 
+    );
 }