From c442669ea80378fb318a178c748fbb983c64a78c Mon Sep 17 00:00:00 2001
From: Dragan Spiridonov <spiridonovdragan@gmail.com>
Date: Thu, 16 Apr 2026 15:28:01 +0200
Subject: [PATCH] fix(firmware): MGMT-only promiscuous filter to prevent SPI
 cache crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The WiFi driver's wDev_ProcessFiq interrupt handler crashes with
LoadProhibited in cache_ll_l1_resume_icache when promiscuous mode
captures MGMT+DATA frames (100-500 interrupts/sec). The high interrupt
rate races with SPI flash cache operations, corrupting cache state.

Changes:
- Promiscuous filter: MGMT+DATA → MGMT-only (~10 Hz beacons)
- CSI config: disable htltf_en and stbc_htltf2_en (LLTF-only)

LLTF provides 64 subcarriers (HT20) — sufficient for presence,
breathing, and fall detection. The 10 Hz beacon rate eliminates
the SPI flash cache contention that caused the crash.

Verified on device 80:b5:4e:c1:be:b8:
- Before: LoadProhibited crash at ~1600-2400 callbacks (every ~70s)
- After: 2700+ callbacks over 4.7 minutes, zero crashes

Backtrace decode confirmed crash in ESP-IDF closed-source WiFi blob:
  _xt_lowint1 → wDev_ProcessFiq → spi_flash_restore_cache
  → cache_ll_l1_resume_icache → EXCVADDR=0x00000004 (NULL deref)

Co-Authored-By: Ruflo & AQE
---
 firmware/esp32-csi-node/main/csi_collector.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/firmware/esp32-csi-node/main/csi_collector.c b/firmware/esp32-csi-node/main/csi_collector.c
index ae23065e..685f5109 100644
--- a/firmware/esp32-csi-node/main/csi_collector.c
+++ b/firmware/esp32-csi-node/main/csi_collector.c
@@ -315,17 +315,26 @@ void csi_collector_init(void)
     ESP_ERROR_CHECK(esp_wifi_set_promiscuous(true));
     ESP_ERROR_CHECK(esp_wifi_set_promiscuous_rx_cb(wifi_promiscuous_cb));
 
+    /* Filter promiscuous to management frames only (beacons, probes).
+     * Data frames add 100-500+ interrupts/sec which causes Core 0
+     * LoadProhibited panics in wDev_ProcessFiq → cache_ll_l1_resume_icache
+     * due to SPI flash cache contention at high interrupt rates.
+     * Management-only gives ~10-20 frames/sec — enough for CSI sensing. */
     wifi_promiscuous_filter_t filt = {
-        .filter_mask = WIFI_PROMIS_FILTER_MASK_MGMT | WIFI_PROMIS_FILTER_MASK_DATA,
+        .filter_mask = WIFI_PROMIS_FILTER_MASK_MGMT,
     };
     ESP_ERROR_CHECK(esp_wifi_set_promiscuous_filter(&filt));
 
-    ESP_LOGI(TAG, "Promiscuous mode enabled for CSI capture");
+    ESP_LOGI(TAG, "Promiscuous mode enabled (MGMT-only filter to avoid SPI cache crash)");
 
+    /* Disable HT-LTF and STBC to reduce per-frame processing overhead.
+     * LLTF alone provides 64 subcarriers (HT20) — sufficient for presence,
+     * breathing, and fall detection. HT-LTF/STBC add subcarriers but also
+     * increase interrupt handler duration, worsening the cache race. */
     wifi_csi_config_t csi_config = {
         .lltf_en = true,
-        .htltf_en = true,
-        .stbc_htltf2_en = true,
+        .htltf_en = false,
+        .stbc_htltf2_en = false,
         .ltf_merge_en = true,
         .channel_filter_en = false,
         .manu_scale = false,