WiFi Scanning Using ESP8266 ESP-01 Module
In my earlier post I discussed installing the ESPurna firmware on the ESP-01 module, an ESP8266-based IoT device. The firmware provides a web UI as well as a telnet UI. In this post we’ll focus on the CLI via telnet. More specifically, we’ll be looking at the wifi.scan command issued in a telnet session to determine wireless coverage.
The ESP-01 module is well suited for tasks like determining wifi coverage. It is small, can operate on a small LiPo 300 mAh pack, and is inexpensive. The device can be set up with additional units to get coverage in real time.
First we’ll go through the same steps in the earlier post to connect, flash, and configure the ESP-01 device. Here are the steps.
Connect a 3.3v USB UART adapter to the ESP-01 using a breadboard, then connect it to the PC.
RXD – To TXD of FTDI Basic
GPIO0 – To GND
GND – To GND
TXD – To RXD of FTDI Basic
CH_PD – To 3.3v VCC
VCC – To 3.3v VCC
Next, erase the existing firmware; unplug and re-plug the adapter to the PC when finished. Note the MAC address in the output; the last 3 octets will be part of the wifi network name later in our setup. This requires Linux as well as all of the esptool prerequisites, see https://github.com/espressif/esptool.
./esptool.py --port /dev/ttyUSB0 erase_flash
Now we will write firmware to the ESP-01 device. You’ll need to download the firmware from the Espurna releases, see https://github.com/xoseperez/espurna/releases.
./esptool.py --port /dev/ttyUSB0 write_flash --flash_size 1MB --flash_mode dout 0x00000 espurna-1.13.3-tonbux-powerstrip02.bin
The ESPurna firmware is now installed on the ESP-01. Disconnect from the PC and change the connections on the breadboard to these.
GND – To GND
CH_PD – To 3.3v VCC – Chip enable option is unique to ESP-01 modules, mainly used as a software on/off switch to save power, we’ll use this as a standby switch.
VCC – To 3.3v VCC
Connect and configure the ESPurna wifi network settings, using the MAC address noted in the flashing steps earlier to identify the wireless device. When all is said and done, you should be able to ping it.
Finally, we’ll connect the ESP-01 to a switch and battery. Test and verify you can ping and telnet on the bench before placing.
GND – To GND – connect a switch between these, this will be the on/off switch.
CH_PD – To 3.3v VCC – connect a switch between these, this will be the standby/reset switch.
VCC – To 3.3v VCC
Now, we are ready to place the ESP-01 device. When you do place the device where you want to test wifi coverage, turn on the power and take it out of standby. Ensure you can ping the device.
With it online, telnet to the device and let it send periodic updates. You should see similar output. This information can be useful as you can track power consumption of the ESP-01.
[300602] [MAIN] Uptime: 300 seconds
[300603] [MAIN] Heap : 37968 bytes initially | 17736 bytes used (46%) | 20232 bytes free (53%)
[300604] [MAIN] Power: 3646 mV
[300605] [MAIN] Time: 2019-01-20 04:43:58
Now let’s check wifi coverage by running the “-wifi.scan” command. If you get a “-ERROR unknown command”, check your syntax and try again. You should get similar looking results. Names have been changed to protect the innocent, any correlation is purely coincidental.
[778020] [WIFI] Start scanning
[780145] [WIFI] 4 networks found:
[780146] [WIFI] > BSSID: AA:BB:CC:DD:EE:01 SEC: YES RSSI: -73 CH: 6 SSID: Loopy
[780147] [WIFI] > BSSID: AA:BB:CC:DD:EE:02 SEC: YES RSSI: -86 CH: 10 SSID: Tandom
[780153] [WIFI] > BSSID: AA:BB:CC:DD:EE:03 SEC: YES RSSI: -83 CH: 6 SSID: Spiffy
[780160] [WIFI] > BSSID: AA:BB:CC:DD:EE:04 SEC: YES RSSI: -86 CH: 10 SSID: Slacker
[780167] +OK
In the above example, wireless network “Loopy” and “Spiffy” have the same radio channel. If our network is “Spiffy”, we can see it has a lower signal strength than “Loopy”. Based on this, we should change the radio channel of our AP so “Loopy” doesn’t interfere with our network.
You can do the same steps above to find blind spots and create heat maps of your network.
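The channel comparison and blind-spot check described above can be scripted over a captured telnet log. This is an added example, not code from the original post or from ESPurna; the function names are hypothetical and it assumes each log entry arrives on its own line. It goes beyond the same-channel case in the text: by default it also reports neighbours fewer than 5 channels away, since those overlap on 2.4 GHz.

```python
import re
from collections import namedtuple

# Constructed sample: the wifi.scan lines from the post, one log entry per line.
SAMPLE = """\
[778020] [WIFI] Start scanning
[780145] [WIFI] 4 networks found:
[780146] [WIFI] > BSSID: AA:BB:CC:DD:EE:01 SEC: YES RSSI: -73 CH: 6 SSID: Loopy
[780147] [WIFI] > BSSID: AA:BB:CC:DD:EE:02 SEC: YES RSSI: -86 CH: 10 SSID: Tandom
[780153] [WIFI] > BSSID: AA:BB:CC:DD:EE:03 SEC: YES RSSI: -83 CH: 6 SSID: Spiffy
[780160] [WIFI] > BSSID: AA:BB:CC:DD:EE:04 SEC: YES RSSI: -86 CH: 10 SSID: Slacker
[780167] +OK
"""

Network = namedtuple("Network", "bssid secured rssi channel ssid")

LINE_RE = re.compile(
    r"BSSID:\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"SEC:\s*(?P<sec>\w+)\s+RSSI:\s*(?P<rssi>-?\d+)\s+"
    r"CH:\s*(?P<ch>\d+)\s+SSID:\s?(?P<ssid>.*)$"
)

def parse_scan(text):
    """Return one Network per result line; other log lines are skipped."""
    nets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            nets.append(Network(m["bssid"].upper(), m["sec"].upper() == "YES",
                                int(m["rssi"]), int(m["ch"]), m["ssid"]))
    return nets

def interferers(nets, our_ssid, overlap=5):
    """Neighbours whose channel is fewer than `overlap` channels from ours,
    strongest first. overlap=1 reports same-channel neighbours only."""
    ours = [n for n in nets if n.ssid == our_ssid]
    if not ours:
        raise ValueError(f"{our_ssid!r} not seen in scan (possible blind spot)")
    me = max(ours, key=lambda n: n.rssi)  # strongest of our own APs
    near = [n for n in nets if n.ssid != our_ssid
            and abs(n.channel - me.channel) < overlap]
    return me, sorted(near, key=lambda n: n.rssi, reverse=True)

if __name__ == "__main__":
    me, near = interferers(parse_scan(SAMPLE), "Spiffy")
    for n in near:
        louder = "stronger" if n.rssi > me.rssi else "weaker"
        print(f"{n.ssid} ch{n.channel} {n.rssi} dBm ({louder} than {me.ssid})")
```

Running it once per placement and recording the RSSI of your own SSID gives the per-location readings a heat map needs; a raised ValueError marks a spot where the network was not seen at all.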
In addition to the things we can do with ESPurna, there are some useful Linux commands to scan wireless networks from the command line. These are outside the scope of this post, but I wanted to include them here anyway.
The first one we’ll look at is iwlist. We will be using the scan argument. This argument returns lists of Access Points and Ad-Hoc cells in range, and optionally a whole bunch of information about them (ESSID, Quality, Frequency, Mode…). The type of information returned depends on what the card supports. First we’ll need to get the wireless adapter name. To get the wireless interface name, use the ifconfig command.
Here is a sample of the returned output from the command. From it we can see wlan01 is our wireless adapter.
ifconfig
wlan01    Link encap:Ethernet  HWaddr aa:bb:cc:dd:ee:ff
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10910 errors:0 dropped:8 overruns:0 frame:0
          TX packets:391 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1715373 (1.7 MB)  TX bytes:76401 (76.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:228 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:18030 (18.0 KB)  TX bytes:18030 (18.0 KB)
Now we can use that with our next command to scan using iwlist. Here is the command we’ll use to grep ESSID info. Leaving out the pipe and grep command will output all available data from the command. This pipe is useful to limit your output for ease of reading.
iwlist wlan01 scan | grep ESSID
We’ll try the next command, iw, with the same wireless adapter name and the info argument. The iw command is a powerful tool giving you the ability to manipulate the properties of the wireless adapter, including the MAC address. It requires elevated privileges to run; use su or sudo. Here is the command we’ll use.
sudo iw dev wlan01 scan | grep SSID
I wanted to save the best for last. The nmcli command will provide output that is easier to read than the previous commands with regards to WiFi scanning. Here is the command we’ll use.
nmcli dev wifi
You should get easy to read results, like in this example. We can see columns for the different types of information regarding the available wireless networks.
SSID     MODE   CHAN  RATE       SIGNAL  BARS  SECURITY
Spiffy   Infra  1     54 Mbit/s  100     ▂▄▆█  WPA2
Loopy    Infra  6     54 Mbit/s  50      ▂▄__  WPA2
Slacker  Infra  10    54 Mbit/s  24      ▂___  WPA1
Using ESPurna with the ESP-01 module, or more advanced CLI wireless scanning tools on a Linux platform, should give you the means to optimize your wireless network and get the coverage where you need it.