ESP8266 Modify default SSID without a compiler

This program has been written in FreeBasic with the IDE FireFly 3.50 ; both tools are free, easy to use and very “light”.  The compiled executable doesn’t need for installation, it’s ready to run. Just download the zipped file and expand it in a working directory (ie. \downloads\esp8266) and there will be the ssid_mod.exe ready to run.
In order to expand the .zip you must supply a password that is: eficara. Be sure that the downloaded file is the original one by checking its MD5 with a tool like HashTab that’s available for free.
The MD5 hash for the zipped file must be: FB94DDF8B155A0511C13A60FE585642D. If it’s different, do not expand the zip, ‘cause it isn’t the original one. Look at the screenshot of the program just executed:

SSIDmod_ssHow it works

Prior to write this software, I tried to modify the original firmware binary file ESP_8266_BIN0.92.bin with a hex-editor, looking for the string “ESP_” that was the prefix of the default SSID. I found the string at address 0x82C4. Well, it was simple. I stored a new SSID string at the same address, with the care to not overcome the memory area reserved for such data. I then saved the new binary file and tried to re-flash my ESP-01 module, but the programmer failed at a certain block. Ok, the simplest solution did not work. The reason was that the binary file isn’t a “true binary”, but is a collection of binary data, instructions, addresses that are used by the programmer software to communicate with the ESP-01 bootloader (when in flash mode). Looking on the internet I discovered an important information: all the blocks in this “no-binary .bin file” are followed by a checksum. The checksum is very simple: it’s just the xor of all the bytes in the block. Then I decided to write this program that simply creates a string with the same checksum of the original one. This is possible due to the easy implementation of the checksum by means of xor ;.if it was done with a real CRC, this programming approach couldn’t have been used.

The string in the original .bin file is “ESP_%02X%02X%02X” that seems to be a constant data or a variable initialization data. This will probably be used in C statement like: printf(“ESP_%02X%02X%02X”, x,y,z) that means send the ascii “ESP_” followed by three bytes of data in HEX format, 2 characters each, capital letters, to the standard output. In our case, the default SSID of the module may be(for example): ESP_9A0FE9 where 9A, 0F and E9 are the three least significative bytes of the MAC address of the WiFi chip. The C compiler saves all the initialization data in a memory area called “data segment” and the linker creates a fixed map of all that areas. So, if we modify some data without overcoming the assigned space, we can change any initialization string. Note that C strings are “null-terminated”, that means that after the ascii characters there is a /0 (0x00). This makes very simple to change the default SSID of the module, in our case. The important thing is that the ‘Replacement String’ must be at least 2 bytes shorter than the one we want to change. This is because we want to change the data in that memory space without changing the full block checksum. This can be obtained in a very easy way. It’s better to explain with an example: suppose that we want to change an initialization string with the contents “ABCDEF” ; the checksum for all the characters will be 0x07 (0x41 xor 0x42 xor 0x43 xor 0x44 xor 0x45 xor 0x46). Now, lets change it in “TEST” ; such string has checksum 0x16 (0x54 xor 0x45 xor 0x53 xor 0x54) , so we simply add after TEST a null-terminator (0x00) and the value that makes the checksum equal to the one of the old string. In this case it’s 0x11 (0x11 xor 0x16 = 0x07). At the end, the ESP C program, when accessing that data, will find a variable at the default address with the contents : 0x54 0x45 0x53 0x54 0x00 (and this is the end of string, for the program) followed by 0x11. The C program will ignore the 0x11 (it’s after the null-termination), but the .bin file will result correct because “ABCDEF” has exactly the same checksum as “TEST” followed by 0x00 and 0x11. That’s all.

Why the original string is 16 characters long (ESP_%02X%02X%02X) and we can only use a max 10 characters SSID ? It could be 14 max (16 of original size, minus 2 for the checksum adjustment), but in this C program only 10 characters are used, even if you write a 14 characters field. I still haven’t a compiler and toolchain for the ESP8266, nor the C sources to look inside, but, for now, I reached my target that is to change the default SSID of the module without using a compiler and a toolchain. 🙂

update: 2016/04/20

I tried the SSID change on a newer version of the firmware (ai-thinker-, changing the ‘Search String’ to AI-THINKER_%02X%02X%02X, and modifying the wanted SSID, but at the end of re-flashing, the ESP-01 module still presented the old SSID AI-THINKER_A0C76D 🙁 The reason is simple: there is another point in the firmware where the string is saved in plain form. So I changed again the ‘Search String’ as you can see in the picture below and all was OK. Note that in this case, you can use an SSID up to 15 characters long.

new-version_ssReflashing the ESP-01 module

I used a tool called esp8266_flasher.exe to re-flash the ESP-01 module after the default SSID change; here is a screenshot of the operation. Note that the program ends with a failure trying to exit the “flash mode”, but it’s normal, ‘cause my hardware has a physical jumper to enter / leave such operating mode.

flash-downloader-ssThe original firmware, together with the programming tool, was found googling the internet for ESP8266_flasher_V00170901_00_Cloud Update Ready. The original binary file used in my experiments is the one named: ESP_8266_BIN0.92.bin

After resetting the module, the state of the WiFi networks visible from my computer was the one in the picture below. As you can see, I joined my ESP-01 module with SSID named WiFicara01, that was substituted to the one in the original flash rom binary file.