# ESP32 Hacking Roadmap

## v0.1 - Documentation & Setup [DONE]

- [x] Copy firmware sources from esp-csi
- [x] Document current firmware behavior
- [x] Document CSI data format
- [x] Document build & flash process
- [x] List firmware modification ideas with priorities
- [x] Verify build from repo (ESP-IDF v5.5.2, aarch64)

## v0.2 - Remote Management [DONE]

- [x] Add UDP command listener on ESP32 (port 5501)
- [x] Implement REBOOT command
- [x] Implement IDENTIFY command (LED solid 5s)
- [x] Implement STATUS command (uptime, heap, RSSI, tx_power, rate, version)
- [x] Implement RATE command (change ping Hz, NVS persist)
- [x] Implement POWER command (TX power dBm, NVS persist)
- [x] Add LED status indicator (off/slow blink/fast blink/solid)
- [x] NVS persistence for rate and tx_power settings
- [x] Pi-side `esp-cmd` and `esp-fleet` CLI tools
- [x] mDNS hostname, watchdog, human-readable uptime
- [x] Build and flash to device
- [x] Update CHEATSHEET.md with new commands

## v0.3 - OTA Updates [DONE]

- [x] Dual OTA partition table (ota_0 + ota_1, 1920 KB each)
- [x] 4MB flash config, custom partitions in sdkconfig.defaults
- [x] OTA command handler + ota_task in firmware
- [x] LED_OTA double-blink pattern during download
- [x] Bootloader rollback on failed update (30s watchdog)
- [x] Version field in STATUS reply
- [x] Pi-side `esp-ota` tool (HTTP server + OTA orchestration)
- [x] `esp-fleet ota` subcommand (sequential fleet update)
- [x] USB-flash first device (partition table change)
- [x] End-to-end OTA test

## v0.4 - Adaptive Sampling [DONE]

- [x] On-device CSI wander calculation (coefficient of variation)
- [x] Reduce to 10 pkt/s when idle (3s holdoff)
- [x] Increase to 100 pkt/s on motion detection
- [x] Rate change EVENT notification to Pi via UDP
- [x] ADAPTIVE ON/OFF command (NVS persisted)
- [x] THRESHOLD command for tuning sensitivity (NVS persisted)
- [x] RATE command disables adaptive mode
- [x] adaptive/motion fields in STATUS reply

## v0.5 - BLE Scanning

- [x] Enable Bluetooth alongside WiFi (NimBLE, BLE ON/OFF command)
- [x] Periodic BLE advertisement scanning
- [x] Report device MAC, RSSI, name via UDP (`BLE_DATA,,,,`)
- [x] Pi-side BLE device tracking (`esp-ctl ble --track`, dedup, summary table)

## v1.0 - Production Firmware

- [x] mDNS auto-discovery (done in v0.2)
- [x] Watchdog + auto-recovery (done in v0.2)
- [ ] On-device CSI processing (send metrics, not raw)
- [x] Configuration via UDP (`TARGET [port]`, NVS persisted)
- [x] Comprehensive error handling (watchdog, WiFi reconnect via example_connect)
- [x] `esp-ctl` unified CLI tool (cmd, status, listen, serial, ble, target)

## Future

- WiFi probe request capture (promiscuous mode, WIFI_PKT_MGMT)
  - Capture client SSID searches → `PROBE_DATA,,,` via UDP
  - Uses `esp_wifi_set_promiscuous` with management frame filter
  - Can coexist with CSI (both use promiscuous callbacks)
- AP+STA config portal (WIFI_MODE_APSTA, same channel as STA)
  - Soft-AP for initial setup: WiFi credentials, UDP target IP, hostname
  - Captive portal or minimal HTTP server on AP interface
  - Eliminates need for hardcoded config in sdkconfig
- ESP-NOW mesh (ESP32-to-ESP32 CSI)
- Multi-channel scanning
- External sensor support (PIR, temp/humidity via GPIO)
- Power management for battery operation