Implementing a High-Performance SubGhz Stack on ESP32-P4 with CC1101

The CC1101 is a low-power sub-1 GHz transceiver designed for very low-power wireless applications. It is widely used in security research due to its flexibility in handling various modulation schemes such as ASK, OOK, FSK, and GFSK. Within the TentacleOS project, we have implemented a specialized driver and capture stack optimized for the ESP32-P4 to achieve industrial-grade signal analysis.

Radio Driver Foundations

The TentacleOS CC1101 driver is a strategic port of the SmartRC ELECHOUSE library. Unlike generic implementations that use fixed register values, this driver implements active frequency calibration. The core logic calculates frequency words based on the 26MHz crystal oscillator and applies band-specific offsets for 300, 433, 868, and 915 MHz ranges.

/* FREQ = f_carrier * 2^16 / f_xosc with the 26 MHz crystal; the 24-bit result
 * is written MSB first across FREQ2, FREQ1 and FREQ0 in a single burst. */
void cc1101_set_frequency(uint32_t freq_hz) {
    uint64_t freq_reg = ((uint64_t)freq_hz * 65536) / 26000000;
    uint8_t freq_bytes[3];
    freq_bytes[0] = (freq_reg >> 16) & 0xFF;  /* FREQ2 */
    freq_bytes[1] = (freq_reg >> 8) & 0xFF;   /* FREQ1 */
    freq_bytes[2] = freq_reg & 0xFF;          /* FREQ0 */
    cc1101_write_burst(CC1101_FREQ2, freq_bytes, 3);
    cc1101_calibrate();  /* re-run the band-specific calibration for the new carrier */
}

Calibration involves adjusting the FSCTRL0 and TEST0 registers dynamically. For high-frequency bands, the driver performs post-calibration corrections on the FSCAL2 register. This ensures the radio maintains peak sensitivity and frequency stability across different environmental conditions and hardware variations.

Hardware-Accelerated Capture

A critical challenge in SubGhz research is capturing pulse timings with microsecond precision without overwhelming the CPU. Traditional implementations often rely on GPIO interrupts, where the processor must respond to every signal transition; this approach is prone to jitter caused by higher-priority system tasks. On the ESP32-P4, we mitigate this by utilizing the Remote Control Transceiver (RMT) peripheral.

The radio is configured in Asynchronous Transparent Mode, where the demodulated RF signal is routed directly to a GPIO pin. The RMT hardware acts as a dedicated logic analyzer, recording the duration of every high and low transition. By leveraging Direct Memory Access (DMA), the RMT writes these timings into internal RAM buffers autonomously, ensuring signal integrity even when the CPU is busy.

To satisfy the ESP32-P4 cache requirements, we implemented a 64-byte aligned memory allocation strategy:

size_t raw_symbols_size = sizeof(rmt_symbol_word_t) * RX_BUFFER_SIZE;
raw_symbols = heap_caps_aligned_alloc(64, raw_symbols_size, MALLOC_CAP_DMA | MALLOC_CAP_INTERNAL);

This prevents cache synchronization failures and ensures that the system can handle high-speed data streams without losing pulses. The raw symbols are then normalized into a linear array of signed integers representing microseconds: positive values for high levels and negative values for low levels.

Modular Protocol Dispatcher

The decoding logic in TentacleOS has moved away from hardcoded checks to a modular Dispatcher architecture. The system treats each protocol as a standalone plugin. When a signal is captured, the Dispatcher passes the normalized pulse array through a registry of decoders.

The RCSwitch implementation serves as the primary template for this system. It utilizes adaptive timing, meaning it does not rely on a fixed pulse length. Instead, it identifies the synchronization bit of a signal and derives the base delay (Te) from the actual transmission:

/* dur1 / dur2: measured durations (us) of the sync high and low pulses */
uint32_t sync_long_factor = (pro->syncFactor.low > pro->syncFactor.high) ? pro->syncFactor.low : pro->syncFactor.high;
uint32_t dur_long = (pro->syncFactor.low > pro->syncFactor.high) ? dur2 : dur1;  /* the longer sync pulse */
uint32_t delay = dur_long / sync_long_factor;  /* base timing unit Te, in microseconds */

This makes the decoder resilient to clock drift and low battery conditions in the transmitter.

Each protocol plugin follows a strict contract:

  1. Identify the specific synchronization pattern.
  2. Calculate the adaptive timing unit.
  3. Validate the bitstream based on the derived timings.
  4. Return structured metadata including protocol name, bit count, and raw value.
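As an added example (not TentacleOS code), a minimal RCSwitch-style plugin written against the contract above: it derives Te from the sync pair as in the excerpt, validates each bit pair with the 60% receive tolerance RCSwitch uses, and returns the metadata. The timings (sync 1/31, zero 1/3, one 3/1 at a nominal 350 us) are RCSwitch's protocol 1; the type and function names are assumptions, and the test signal is constructed in code so the block runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Timings are multiples of the base unit Te; pulses are signed microseconds
 * (+high / -low), the normalized form the capture layer produces. */
typedef struct { uint8_t high, low; } high_low_t;
typedef struct { const char *name; high_low_t sync, zero, one; } protocol_t;
typedef struct { const char *name; uint32_t bits, value; } decode_result_t;
static const protocol_t PROTO1 = { "RCSwitch-1", {1, 31}, {1, 3}, {3, 1} }; /* nominal Te 350 us */
static uint32_t mag(int32_t p) { return (uint32_t)(p < 0 ? -p : p); }

/* |p| equals factor*Te within the 60 % receive tolerance RCSwitch uses. */
static bool within(int32_t p, uint32_t factor, uint32_t te) {
    uint32_t tol = te * 60 / 100;
    return mag(p) + tol >= factor * te && mag(p) <= factor * te + tol;
}

/* Plugin contract: (1) find the sync pair, (2) derive Te from its long pulse,
 * (3) validate every bit pair, (4) return name, bit count and raw value. */
static bool rcswitch_decode(const protocol_t *pro, const int32_t *p, size_t n, decode_result_t *res) {
    if (n < 18 || p[0] <= 0 || p[1] >= 0) return false;   /* need sync + at least 8 bits */
    bool low_is_long = pro->sync.low > pro->sync.high;
    uint32_t te = mag(low_is_long ? p[1] : p[0]) / (low_is_long ? pro->sync.low : pro->sync.high);
    if (te == 0 || !within(p[0], pro->sync.high, te) || !within(p[1], pro->sync.low, te)) return false;
    uint32_t value = 0, bits = 0;
    for (size_t i = 2; i + 1 < n && bits < 32; i += 2, bits++) {   /* up to 32 bits */
        if (within(p[i], pro->zero.high, te) && within(p[i + 1], pro->zero.low, te)) value <<= 1;
        else if (within(p[i], pro->one.high, te) && within(p[i + 1], pro->one.low, te)) value = (value << 1) | 1;
        else return false;                                /* not this protocol */
    }
    res->name = pro->name; res->bits = bits; res->value = value;
    return true;
}

/* Constructed capture: a 24-bit value transmitted at the given (possibly
 * drifted) Te, decoded the way the Dispatcher would run this plugin. */
static bool demo_decode(uint32_t value, uint32_t te, decode_result_t *res) {
    int32_t pulses[64];
    size_t n = 0;
    pulses[n++] = (int32_t)(PROTO1.sync.high * te);
    pulses[n++] = -(int32_t)(PROTO1.sync.low * te);
    for (int i = 23; i >= 0; i--) {                       /* MSB first */
        high_low_t sym = ((value >> i) & 1) ? PROTO1.one : PROTO1.zero;
        pulses[n++] = (int32_t)(sym.high * te);
        pulses[n++] = -(int32_t)(sym.low * te);
    }
    return rcswitch_decode(&PROTO1, pulses, n, res);
}
```

Because Te is taken from the captured sync pulse rather than a constant, the same frame decodes at 350 us and at a drifted 420 us, which is the resilience to clock drift and low batteries the text describes.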

Signal Heuristics and Noise Filtering

To maintain high signal integrity, the stack includes a software-defined filtering layer. Glitches and noise pulses shorter than 20 microseconds are discarded before reaching the decoders. If no registered protocol recognizes the signal, the system can fall back to a raw capture mode. This allows unknown signals to be recorded and replayed, effectively acting as a digital twin of the original RF transmission.

The combination of the CC1101 flexibility, the ESP32-P4 RMT hardware, and a modular software architecture provides a robust platform for advanced SubGhz exploration and security auditing.