Liberating Bluetooth on the ESP32

Day 1 13:50 One en Hardware
Dec. 27, 2025 13:50-14:30
Despite how widely used the ESP32 is, its Bluetooth stack remains closed source. Let’s dive into the low-level workings of a proprietary Bluetooth peripheral. Whether you are interested in reverse engineering, Bluetooth security, or just enjoy poking at undocumented hardware, this talk may inspire you to dig deeper.

The ESP32 has become a ubiquitous platform in the hacker and maker communities, powering everything from badges and sensors to mesh networks and custom routers. While its Wi-Fi stack has been the subject of previous reverse engineering efforts, its Bluetooth subsystem remains largely undocumented and closed source despite being present in millions of devices.

This talk presents a reverse engineering effort to document Espressif’s proprietary Bluetooth stack, with a focus on enabling low-level access for researchers, security analysts, and developers to improve existing affordable and open Bluetooth tooling.

The presentation covers the reverse engineering process itself, the techniques used, and the publication of tooling that simplifies peripheral mapping, navigating broken memory references, and symbol name recovery.

The core of the talk focuses on the internal workings of the Bluetooth peripheral. The reverse engineering effort led to the discovery of the peripheral architecture, its memory regions, its interrupts, and a little information about other related peripherals.

By publishing open tooling, SVD files and other documentation, this work aims to empower researchers, hackers, and developers to build custom Bluetooth stacks, audit existing ones, and repurpose the ESP32 for novel applications. This may interest you if you care about transparency, low-level access, and collaborative tooling.
