esp32-hacking/ROADMAP.md

# ESP32 Hacking Roadmap

## v0.1 - Documentation & Setup [DONE]
- [x] Copy firmware sources from esp-csi
- [x] Document current firmware behavior
- [x] Document CSI data format
- [x] Document build & flash process
- [x] List firmware modification ideas with priorities
- [x] Verify build from repo (ESP-IDF v5.5.2, aarch64)

## v0.2 - Remote Management [DONE]
- [x] Add UDP command listener on ESP32 (port 5501)
- [x] Implement REBOOT command
- [x] Implement IDENTIFY command (LED solid 5s)
- [x] Implement STATUS command (uptime, heap, RSSI, tx_power, rate, version)
- [x] Implement RATE command (change ping Hz, NVS persist)
- [x] Implement POWER command (TX power dBm, NVS persist)
- [x] Add LED status indicator (off/slow blink/fast blink/solid)
- [x] NVS persistence for rate and tx_power settings
- [x] Pi-side `esp-cmd` and `esp-fleet` CLI tools
- [x] mDNS hostname, watchdog, human-readable uptime
- [x] Build and flash to device
- [x] Update CHEATSHEET.md with new commands

## v0.3 - OTA Updates [DONE]
- [x] Dual OTA partition table (ota_0 + ota_1, 1920 KB each)
- [x] 4MB flash config, custom partitions in sdkconfig.defaults
- [x] OTA command handler + ota_task in firmware
- [x] LED_OTA double-blink pattern during download
- [x] Bootloader rollback on failed update (30s watchdog)
- [x] Version field in STATUS reply
- [x] Pi-side `esp-ota` tool (HTTP server + OTA orchestration)
- [x] `esp-fleet ota` subcommand (sequential fleet update)
- [x] USB-flash first device (partition table change)
- [x] End-to-end OTA test

## v0.4 - Adaptive Sampling [DONE]
- [x] On-device CSI wander calculation (coefficient of variation)
- [x] Reduce to 10 pkt/s when idle (3s holdoff)
- [x] Increase to 100 pkt/s on motion detection
- [x] Rate change EVENT notification to Pi via UDP
- [x] ADAPTIVE ON/OFF command (NVS persisted)
- [x] THRESHOLD command for tuning sensitivity (NVS persisted)
- [x] RATE command disables adaptive mode
- [x] adaptive/motion fields in STATUS reply

## v0.5 - BLE Scanning
- [x] Enable Bluetooth alongside WiFi (NimBLE, BLE ON/OFF command)
- [x] Periodic BLE advertisement scanning
- [x] Report device MAC, RSSI, name via UDP (`BLE_DATA,<mac>,<rssi>,<type>,<name>`)
- [x] Pi-side BLE device tracking (`esp-ctl ble --track`, dedup, summary table)

## v1.0 - Production Firmware
- [x] mDNS auto-discovery (done in v0.2)
- [x] Watchdog + auto-recovery (done in v0.2)
- [ ] On-device CSI processing (send metrics, not raw)
- [x] Configuration via UDP (`TARGET <ip> [port]`, NVS persisted)
- [x] Comprehensive error handling (watchdog, WiFi reconnect via example_connect)
- [x] `esp-ctl` unified CLI tool (cmd, status, listen, serial, ble, target)

## v1.1 - Passive Sensing & Multi-Sensor
- [ ] Sensor ID in data packets (hostname prefix on all UDP streams)
- [ ] WiFi probe request capture (`PROBE_DATA,<sensor>,<mac>,<rssi>,<ssid>`)
- [ ] Deauth/disassoc frame detection (`ALERT_DATA,<sensor>,deauth,<mac>`)
- [ ] Multi-sensor BLE correlation in esp-ctl (zone tracking by source sensor)
- [ ] BLE alerting (known device list, alert on unknown MACs)
- [ ] BLE dwell time tracking (loitering detection)
- [ ] Timestamped CSV event logging

## v1.2 - Profiling & Power Management
- [x] PROFILE command (heap, stack watermarks, CPU runtime stats)
- [ ] Chip temperature reporting in STATUS
- [ ] Power consumption measurements (per-mode baseline)
- [ ] Deep sleep mode with wake-on-CSI-motion
- [ ] Battery-optimized duty cycling

## Future
- AP+STA config portal (WIFI_MODE_APSTA, captive portal for initial setup)
- ESP-NOW mesh (ESP32-to-ESP32 CSI)
- Multi-channel scanning (hop across WiFi channels)
- RSSI triangulation with 3 sensors (approximate device location)
- BLE device fingerprinting (identify phone models by advertisement patterns)
- Historical presence logging (who was here, when, how long)
- External sensor support (PIR, temp/humidity via GPIO)
- On-device CSI processing (send metrics, not raw)