-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
1D TOF measurement with RTS-CTS-NULL-ACK ? #8
Comments
I don't currently have any interest to develop against this sort of thing. I think it is very cool, and very well may be used by the ESP with some more hacking, however, I am not that interested. For future notes of anyone who wants to attempt this, it makes me think of another feature. The ESP does seem to get interrupts called on send and send "success" so perhaps one could use the time delta between those. I intend to leave this ticket open but not work on it. Thank you for bringing it to my attention. |
Thank you for hosting my request :-) For the moment, my limited time is overbooked with more basic tasks, but when I see a viable chance for a solution, I'd like to pick up the TOF-Idea again. So maybe if somebody is stumbling across this post who had a deeper look into the wifi API of the espconn, may I ask him to leave a note whether and where we could look for hooks to the RTS-CTS / NULL_ACK mechanism. |
@wolfgangr |
I've put it on my large pile of nice-to-have projects. |
@wolfgangr Theoretically with the CPU at 240MHz one could achieve a 1.2 meter resolution (in a perfect world). It all depend on your knowledge level on C/assembler and the time you want to invest in it .. ? |
this sounds promising.
still not far beyond novice. I can write litte hello worlds, grasp a rough idea on complex projects and do some limited modifications there. Haven't ever a done a major project on my own.
far far ago. In the late 1970ies, I hexcoded the 6502.
hm... How much were required? |
At the moment, I am looking for a forth implementation for the ESP8266 Might that help? May I just quote you
To me, this sounds like 4 low level primitives ( send - listen - gettime - alltogether_in_tough_timing) to be implemented. Maybe some more to play interactively with the WiFi-setup. |
I have absolutely no idea. With luck and skills it can take few days, or it could also miserably fail after 3 years
I don't really know Forth, but if it is even slightly slower than well optimized C it might be too much to have TOF. |
Yes, of course, the time critical measurement istself has to be performed in Assembler. But I haven't any operating forth yet, so there's no reason to shy horses, so far... |
Hi @jonathanmuller , https://www.kickstarter.com/projects/214379695/micropython-on-the-esp8266-beautifully-easy-iot/posts/1501224
Does this hold for the WiFi peripheral registers as well? The die picture does not look like some dedicated processor hardware were present. So if there is a quirky hardware layer between processor and WiFi hardware, it will be very different to analyze the timing behaviour. If the I/O-access layer injects irreproducible delays in the order of many processor cycles, this would severely spoil TOF precision, of course. But I know, there are many eagerly motivated and trained people out there in reverse engineering ESP8266. And the datasheet mentions
So maybe Espressif has provided for precise TOF, but covered it with some obscurity layer still to be uncovered? Just like with early GPS signal distortion for civil use? My next question were if the PLD is of the field programmable FPGA type, or of some factory write-once-only kind. As far as I can remeber, FPGA with volatile ram-cell-like programming are much cheaper than persistently programmed ones. So the hope is, for a low budget chip like the ES8266, we have a RAM-programmed FPGA. If so, the setup procedure had to load the 'IP' (aka intellectual property kernel, which is the definition of the logical circuit) onto the chip first. So this were easier accessible for reverse engineering (albeit still verey difficult to understand, as I'm afraid). It could reside somewhere in the ROM or even in the espressif blobs to be flashed, or both, obviously. Looking at the die picture and missing any processor there, in case of FPGA, there were a boot stage needed were the processor itself is loaded to the chip first. Thinking in terms of booting up a SOC into an FPGA, ESP8266 weird memory scheme gains meaning.
Consequence: the processor itself were defined on the flash image and in principle accessible to reverse engineering. Of course, it may be protected, maybe just by bare encryption. Yes, I have FPGA (Altera) lingering beyond my desk. |
following this line of thought.... https://www.reddit.com/r/electronics/comments/2jq22l/esp8266_wifiserial_chip_decapped_its_actually/
....
....
https://hackaday.io/project/8678-rpi-wifi
....
see also So my Idea: I think a dissection of the ESP8089- linux-driver might be the next step |
I totally agree with you on the fact that flashing it with some custom firmware could probably allow TOF. If you are interested I have de-assembled some part of the code and found some interesting functions/properties. You seem to know more that I do on the hardware of the ESP, so I can't answer them, but hopefully someone can ! My hope is that some "high" level (in fact low level) function allow direct modifications of the WiFi function of the chip, which could allow for direct TOF without code included. For example "CSI" frames require a nanosecond precision, so I expect that the chip has something related in its guts |
what's required? This guy But shouldn't this SDIO flashing as well be possible over the serial port of any linux work station? And maybe this is not necessary at all?
not knowledge, just bold speculation, but getting confirmed when I was digging deeper, which made me somewhat more confident in my assumptions And I haven't much knowledge on WiFi, either. |
Just recall the finding in one of the above mentioned reverse engineering links that espressif was obviously heavily building upon open source projects. There are CPU-cores for FPGA in the public available as well. So may be they did the same thing with CPU code than they did with lwip etc? |
I think Espressif probbaly got inspiration from already existing open-source project but for sure they modified it a lot. |
Hi @jonathanmuller , I just rescanned my informations and found this elaborate:
translates to english: I think IEEE 802.11 is anything about wifi, Do you know this document? this one '========================
'======================== https://arxiv.org/pdf/1505.03446
looks quite comprehensive http://www.rfwireless-world.com/Terminology/WLAN-SIFS-vs-PIFS-vs-DIFS-vs-EIFS-vs-AIFS.html https://hackaday.io/project/4872-subpos-positioning-system Anything in there which is new for you? |
just starting to search.
more than 10.000 matches for RTS and CTS in the ESP sdk is still a haystack. Whats in the binary? One needle found, and one wooden toothpick?
well, not really. Just an error message - no call. |
Working down the rabbithole aka source tree.
a linkable object file with a dozen of hits - may that smell like a needle?
get some time .... btw: |
lets have some eye on it
...
focus on this stanza
The label
what's |
before you can RTFM, you have to find one - not that easy....
hm... no read from I/O -back to start. |
google "libpp rate_control" does not reveal any public documentation. So, if I had time, I knew where I'd continue my search.... |
Just FYI there are no "register reads" everything is done as memory-mapped IO. |
Ah, thanks, so there is no special machine instruction to do so, I assume. Just found
Size= 1000h, repeating every 100h, next documented area 10000h above ? So if we look for low level IO-access, we look for reads / writes to 3FF00?XXh ? |
looking in the disassemby from
It is at the end of previous routine, where I suspect data areas. asked google, recommended me to put these under my pillow for tonight: |
A common technique for determining TOF is to write code that ping-pongs packets in a very deterministic way. For example code that directly interfaces with the radio hardware and does not use interrupts. You then ping-pong say 1,000 round trips. Each CPU takes X milliseconds to do the ping-ping. So time for 1,000 round trips = 2000 X + 2000 TOF this is a big enough number that you can use the CPU hardware clock to measure it. Do some math and you can compute the TOF. The accuracy is a function of:
Data I have seen indicates that you can get centimeter accuracy or better. The problem - this technique is not real time and it ties up your radio. On the other hand it is quite useful for locating fixed objects such as IOT devices. If you have three devices that you accurately know the location of, you can map out the rest of the network in 3D using triangulation. Another techique is AOA/AOD as currently implement in Bluetooth. This could also be implement on the ESP but it requires an antenna array and an antenna switching chip. I've seen several PCB antenna arrays build for this purpose. It also requires low level access to the received radio signal. Once you have three angles you can again triangulate. Basic Idea is for one device to emit a carrier wave, and receiver then uses the switch to receive the CW from the different elements of the array. The radio receiver generate vector data that can be processed to figure out the AOA. Bluetooth does this very quickly and uses the packet preamble as the CW. |
The new esp32-s2 chip in beta is supposed to have time of flight measurements, this might help when the hardware and software ships. https://esp32.com/viewtopic.php?t=11265 says about the new hardware features supported by the esp-idf libraries: "Time-of-Flight (TOF) measurements with normal Wi-Fi packets is not supported", but work is being done to add the new hardware features to the library. |
That'll be cool when it goes in. |
Hello, cnlohr,
Great project!
For surveillance of crop irrigation systems,
I am looking for a 1D-distance in the range up to 350 m, with ~10m accuracy.
I think this is feasible with wlan directional antennae.
From an earlier google scan, I kept this link (in German only):
https://chemnitzer.linux-tage.de/2011/vortraege/folien/653_haustein.pdf
According to them, the RTS-CTS-NULL-ACK sequence is part of IEE 802.11 standard and travels 4 time the transmit line with little jitter.
They use a linux MAC80211 driver, which obviously allows the required manipulations.
They report 1 µs, but by repeating measurements (n >> 1000), they end up at ns resolution.
For my 10m accuracy target, we'd need ~ 100 ns for quadruple path.
Their setup is a master sender/receiver at a fixed location, a slave receiver close to it, and the target receiver at the moving distant target. I think a raspberry or so might be a good master, and esp8266 suitable slaves.
How does this approach fit into the work you have done till now?
Would you like to share efforts?
Wolfgang Rosner
The text was updated successfully, but these errors were encountered: