docs: Reorganize roadmap and TODO for passive sensing & multi-sensor phases

- Mark completed items in TODO - Add v1.1 Passive Sensing & Multi-Sensor phase (probe capture, deauth detection, sensor ID, multi-sensor BLE correlation, alerting) - Add v1.2 Profiling & Power Management phase - Move on-device CSI processing to Future (lower priority) - Add OSINT/purple team ideas (fingerprinting, triangulation, presence logging)
2026-02-04 18:03:31 +01:00
parent 7ec70a653d
commit d9530c99dd
2 changed files with 53 additions and 28 deletions
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -58,16 +58,28 @@
 - [x] Comprehensive error handling (watchdog, WiFi reconnect via example_connect)
 - [x] `esp-ctl` unified CLI tool (cmd, status, listen, serial, ble, target)

+## v1.1 - Passive Sensing & Multi-Sensor
+- [ ] Sensor ID in data packets (hostname prefix on all UDP streams)
+- [ ] WiFi probe request capture (`PROBE_DATA,<sensor>,<mac>,<rssi>,<ssid>`)
+- [ ] Deauth/disassoc frame detection (`ALERT_DATA,<sensor>,deauth,<mac>`)
+- [ ] Multi-sensor BLE correlation in esp-ctl (zone tracking by source sensor)
+- [ ] BLE alerting (known device list, alert on unknown MACs)
+- [ ] BLE dwell time tracking (loitering detection)
+- [ ] Timestamped CSV event logging
+
+## v1.2 - Profiling & Power Management
+- [x] PROFILE command (heap, stack watermarks, CPU runtime stats)
+- [ ] Chip temperature reporting in STATUS
+- [ ] Power consumption measurements (per-mode baseline)
+- [ ] Deep sleep mode with wake-on-CSI-motion
+- [ ] Battery-optimized duty cycling
+
 ## Future
- WiFi probe request capture (promiscuous mode, WIFI_PKT_MGMT)
-  - Capture client SSID searches → `PROBE_DATA,<mac>,<rssi>,<ssid>` via UDP
-  - Uses `esp_wifi_set_promiscuous` with management frame filter
-  - Can coexist with CSI (both use promiscuous callbacks)
- AP+STA config portal (WIFI_MODE_APSTA, same channel as STA)
-  - Soft-AP for initial setup: WiFi credentials, UDP target IP, hostname
-  - Captive portal or minimal HTTP server on AP interface
-  - Eliminates need for hardcoded config in sdkconfig
+- AP+STA config portal (WIFI_MODE_APSTA, captive portal for initial setup)
 - ESP-NOW mesh (ESP32-to-ESP32 CSI)
- Multi-channel scanning
+- Multi-channel scanning (hop across WiFi channels)
+- RSSI triangulation with 3 sensors (approximate device location)
+- BLE device fingerprinting (identify phone models by advertisement patterns)
+- Historical presence logging (who was here, when, how long)
 - External sensor support (PIR, temp/humidity via GPIO)
- Power management for battery operation
+- On-device CSI processing (send metrics, not raw)
--- a/TODO.md
+++ b/TODO.md
@@ -1,37 +1,50 @@
 # ESP32 Hacking TODO

 ## Firmware Features
- [ ] UDP command listener (reboot, identify, status, rate)
- [ ] LED status indicator
- [ ] OTA firmware updates
- [ ] Adaptive sampling rate
- [ ] BLE scanning
- [ ] mDNS auto-discovery
- [ ] On-device wander calculation
+- [x] UDP command listener (reboot, identify, status, rate, power)
+- [x] LED status indicator
+- [x] OTA firmware updates
+- [x] Adaptive sampling rate
+- [x] BLE scanning
+- [x] mDNS auto-discovery
+- [x] On-device wander calculation
+- [x] Configurable target IP/port via command (TARGET)
+- [x] PROFILE command (heap, stack, CPU stats)
 - [ ] Chip temperature reporting
- [ ] WiFi reconnect on disconnect
- [ ] Configurable target IP/port via command
+- [ ] Sensor ID in data packets (hostname prefix on CSI_DATA/BLE_DATA)
+- [ ] WiFi probe request capture (PROBE_DATA via promiscuous mode)
+- [ ] Deauth/disassoc frame detection (alert on WiFi attacks)
+- [ ] On-device CSI processing (send metrics, not raw)

 ## Tools
- [ ] `esp-cmd` CLI tool to send commands to sensors
- [ ] Flash script for OTA updates
- [ ] Sensor discovery script (find all ESP32s on network)
+- [x] `esp-cmd` CLI tool to send commands to sensors
+- [x] `esp-fleet` parallel fleet management
+- [x] `esp-ota` OTA firmware update orchestration
+- [x] `esp-ctl` unified CLI (cmd, status, listen, serial, ble, target, profile)
+- [ ] Multi-sensor BLE correlation (tag by source sensor, zone tracking)
+- [ ] BLE alerting (known device list, alert on unknown MACs)
+- [ ] BLE dwell time tracking (loitering detection)
+- [ ] Event logging (timestamped CSV from all streams)
+- [ ] Sensor discovery script (find all ESP32s on network via mDNS)

 ## Testing
 - [ ] Benchmark: CSI callback latency
 - [ ] Benchmark: UDP throughput at different rates
- [ ] Test: WiFi reconnect reliability
- [ ] Test: BLE + WiFi coexistence impact on CSI
+- [x] Test: BLE + WiFi coexistence impact on CSI
+- [ ] Power consumption measurements (per-mode: idle, CSI, BLE, probe)

 ## Documentation
 - [ ] Pin mapping for ESP32-DevKitC V1
- [ ] Memory usage analysis (heap, stack)
- [ ] Power consumption measurements
+- [x] Memory usage analysis (PROFILE command)
 - [ ] Compare CSI quality: passive (router) vs active (ESP-NOW)
+- [ ] Multi-sensor deployment guide (placement, zones, triangulation)

 ## Ideas
- WiFi probe request capture — sniff client SSID searches via promiscuous mode
 - ESP-NOW mesh for direct ESP32-to-ESP32 CSI
 - External PIR sensor for CSI ground truth validation
 - Battery + deep sleep mode for portable deployment
- Web-based firmware configurator (WiFi credentials, UDP target)
+- AP+STA config portal (captive portal for initial setup)
+- Multi-channel scanning (hop across WiFi channels)
+- RSSI triangulation with 3 sensors (approximate device location)
+- BLE device fingerprinting (identify phone models by advertisement patterns)
+- Historical presence logging (who was here, when, how long)