espressif
diff --git a/‎.github/scripts/on-release.sh‎
Lines changed: 5 additions & 0 deletions b/‎.github/scripts/on-release.sh‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 42 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/en/troubleshooting.rst‎
Lines changed: 1 addition & 1 deletion b/‎docs/en/troubleshooting.rst‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎libraries/BLE/examples/Client_secure_static_passkey/Client_secure_static_passkey.ino‎
Lines changed: 86 additions & 7 deletions b/‎libraries/BLE/examples/Client_secure_static_passkey/Client_secure_static_passkey.ino‎
Lines changed: 86 additions & 7 deletions
diff --git a/‎libraries/BLE/examples/Server_secure_static_passkey/Server_secure_static_passkey.ino‎
Lines changed: 72 additions & 2 deletions b/‎libraries/BLE/examples/Server_secure_static_passkey/Server_secure_static_passkey.ino‎
Lines changed: 72 additions & 2 deletions
diff --git a/‎libraries/BLE/src/BLECharacteristic.cpp‎
Lines changed: 68 additions & 1 deletion b/‎libraries/BLE/src/BLECharacteristic.cpp‎
Lines changed: 68 additions & 1 deletion
@@ -391,6 +391,11 @@ pushd "$OUTPUT_DIR" >/dev/null
 tar -cJf "$LIBS_XZ" "esp32-arduino-libs"
 popd >/dev/null
 
+# Copy esp-hosted binaries
+
+mkdir -p "$GITHUB_WORKSPACE/hosted"
+cp "$OUTPUT_DIR/esp32-arduino-libs/hosted"/*.bin "$GITHUB_WORKSPACE/hosted/"
+
 # Upload ZIP and XZ libs to release page
 
 echo "Uploading ZIP libs to release page ..."
 
@@ -36,3 +36,45 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.TOOLS_UPLOAD_PAT }}
         run: bash ./.github/scripts/on-release.sh
+
+      - name: Upload hosted binaries
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: hosted
+          if-no-files-found: ignore
+          path: ${{ github.workspace }}/hosted
+
+  upload-hosted-binaries:
+    name: Upload hosted binaries
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gh-pages branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: gh-pages
+
+      - name: Download hosted binaries
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        with:
+          name: hosted
+          path: ${{ github.workspace }}/hosted-latest
+
+      - name: Copy hosted binaries to proper directory and commit
+        env:
+          GITHUB_TOKEN: ${{ secrets.TOOLS_UPLOAD_PAT }}
+        run: |
+          # Create hosted directory if it doesn't exist
+          mkdir -p ${{ github.workspace }}/hosted
+
+          # Copy hosted binaries to proper directory without overwriting existing files
+          cp -n ${{ github.workspace }}/hosted-latest/*.bin ${{ github.workspace }}/hosted/
+
+          # Commit the changes
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add hosted/*.bin
+          if ! git diff --cached --quiet; then
+            git commit -m "Add new esp-hosted slave binaries"
+            git push origin HEAD:gh-pages
+          fi
@@ -149,7 +149,7 @@ Solution
 ^^^^^^^^
 
 Newer ESP32 variants have two possible USB connectors - USB and UART. The UART connector will go through a USB->UART adapter, and will typically present itself with the name of that mfr (eg, Silicon Labs CP210x UART Bridge). The USB connector can be used as a USB-CDC bridge and will appear as an Espressif device (Espressif USB JTAG/serial debug unit). On Espressif devkits, both connections are available, and will be labeled. ESP32 can only use UART, so will only have one connector. Other variants with one connector will typically be using USB. Please check in the product [datasheet](https://products.espressif.com) or [hardware guide](https://www.espressif.com/en/products/devkits) to find Espressif products with the appropriate USB connections for your needs.
-If you use the UART connector, you should disable USB-CDC on boot under the Tools menu (-D ARDUINO_USB_CDC_ON_BOOT=0). If you use the USB connector, you should have that enabled (-D ARDUINO_USB_CDC_ON_BOOT=1) and set USB Mode to "Hardware CDC and JTAG" (-D ARDUINO_USB_MODE=0).
+If you use the UART connector, you should disable USB-CDC on boot under the Tools menu (-D ARDUINO_USB_CDC_ON_BOOT=0). If you use the USB connector, you should have that enabled (-D ARDUINO_USB_CDC_ON_BOOT=1) and set USB Mode to "Hardware CDC and JTAG" (-D ARDUINO_USB_MODE=1).
 USB-CDC may not be able to initialize in time to catch all the data if your device is in a tight reboot loop. This can make it difficult to troubleshoot initialization issues.
 
 SPIFFS mount failed
 
@@ -1,20 +1,27 @@
 /*
-  Secure client with static passkey
+  Secure client with static passkey and IRK retrieval
 
   This example demonstrates how to create a secure BLE client that connects to
   a secure BLE server using a static passkey without prompting the user.
   The client will automatically use the same passkey (123456) as the server.
 
+  After successful bonding, the example demonstrates how to retrieve the
+  server's Identity Resolving Key (IRK) in multiple formats:
+  - Comma-separated hex format: 0x1A,0x1B,0x1C,...
+  - Base64 encoded (for Home Assistant Private BLE Device service)
+  - Reverse hex order (for Home Assistant ESPresense)
+
   This client is designed to work with the Server_secure_static_passkey example.
 
   Note that ESP32 uses Bluedroid by default and the other SoCs use NimBLE.
   Bluedroid initiates security on-connect, while NimBLE initiates security on-demand.
   This means that in NimBLE you can read the insecure characteristic without entering
   the passkey. This is not possible in Bluedroid.
 
-  IMPORTANT: MITM (Man-In-The-Middle protection) must be enabled for password prompts
-  to work. Without MITM, the BLE stack assumes no user interaction is needed and will use
-  "Just Works" pairing method (with encryption if secure connection is enabled).
+  IMPORTANT:
+  - MITM (Man-In-The-Middle protection) must be enabled for password prompts to work.
+  - Bonding must be enabled to store and retrieve the IRK.
+  - The server must distribute its Identity Key during pairing.
 
   Based on examples from Neil Kolban and h2zero.
   Created by lucasssvaz.
@@ -36,10 +43,59 @@ static BLEUUID secureCharUUID("ff1d2614-e2d6-4c87-9154-6625d39ca7f8");
 static boolean doConnect = false;
 static boolean connected = false;
 static boolean doScan = false;
+static BLEClient *pClient = nullptr;
 static BLERemoteCharacteristic *pRemoteInsecureCharacteristic;
 static BLERemoteCharacteristic *pRemoteSecureCharacteristic;
 static BLEAdvertisedDevice *myDevice;
 
+// Print an IRK buffer as hex with leading zeros and ':' separator
+static void printIrkBinary(uint8_t *irk) {
+  for (int i = 0; i < 16; i++) {
+    if (irk[i] < 0x10) {
+      Serial.print("0");
+    }
+    Serial.print(irk[i], HEX);
+    if (i < 15) {
+      Serial.print(":");
+    }
+  }
+}
+
+static void get_peer_irk(BLEAddress peerAddr) {
+  Serial.println("\n=== Retrieving peer IRK (Server) ===\n");
+
+  uint8_t irk[16];
+
+  // Get IRK in binary format
+  if (BLEDevice::getPeerIRK(peerAddr, irk)) {
+    Serial.println("Successfully retrieved peer IRK in binary format:");
+    printIrkBinary(irk);
+    Serial.println("\n");
+  }
+
+  // Get IRK in different string formats
+  String irkString = BLEDevice::getPeerIRKString(peerAddr);
+  String irkBase64 = BLEDevice::getPeerIRKBase64(peerAddr);
+  String irkReverse = BLEDevice::getPeerIRKReverse(peerAddr);
+
+  if (irkString.length() > 0) {
+    Serial.println("Successfully retrieved peer IRK in multiple formats:\n");
+    Serial.print("IRK (comma-separated hex): ");
+    Serial.println(irkString);
+    Serial.print("IRK (Base64 for Home Assistant Private BLE Device): ");
+    Serial.println(irkBase64);
+    Serial.print("IRK (reverse hex for Home Assistant ESPresense): ");
+    Serial.println(irkReverse);
+    Serial.println();
+  } else {
+    Serial.println("!!! Failed to retrieve peer IRK !!!");
+    Serial.println("This is expected if bonding is disabled or the peer doesn't distribute its Identity Key.");
+    Serial.println("To enable bonding, change setAuthenticationMode to: pSecurity->setAuthenticationMode(true, true, true);\n");
+  }
+
+  Serial.println("=======================================\n");
+}
+
 // Callback function to handle notifications
 static void notifyCallback(BLERemoteCharacteristic *pBLERemoteCharacteristic, uint8_t *pData, size_t length, bool isNotify) {
   Serial.print("Notify callback for characteristic ");
@@ -62,11 +118,30 @@ class MyClientCallback : public BLEClientCallbacks {
   }
 };
 
+// Security callbacks to print IRKs once authentication completes
+class MySecurityCallbacks : public BLESecurityCallbacks {
+#if defined(CONFIG_BLUEDROID_ENABLED)
+  void onAuthenticationComplete(esp_ble_auth_cmpl_t desc) override {
+    // Print the IRK received by the peer
+    BLEAddress peerAddr(desc.bd_addr);
+    get_peer_irk(peerAddr);
+  }
+#endif
+
+#if defined(CONFIG_NIMBLE_ENABLED)
+  void onAuthenticationComplete(ble_gap_conn_desc *desc) override {
+    // Print the IRK received by the peer
+    BLEAddress peerAddr(desc->peer_id_addr.val, desc->peer_id_addr.type);
+    get_peer_irk(peerAddr);
+  }
+#endif
+};
+
 bool connectToServer() {
   Serial.print("Forming a secure connection to ");
   Serial.println(myDevice->getAddress().toString().c_str());
 
-  BLEClient *pClient = BLEDevice::createClient();
+  pClient = BLEDevice::createClient();
   Serial.println(" - Created client");
 
   pClient->setClientCallbacks(new MyClientCallback());
@@ -192,15 +267,19 @@ void setup() {
   pSecurity->setPassKey(true, CLIENT_PIN);
 
   // Set authentication mode to match server requirements
-  // Enable secure connection and MITM (for password prompts) for this example
-  pSecurity->setAuthenticationMode(false, true, true);
+  // Enable bonding, MITM (for password prompts), and secure connection for this example
+  // Bonding is required to store and retrieve the IRK
+  pSecurity->setAuthenticationMode(true, true, true);
 
   // Set IO capability to KeyboardOnly
   // We need the proper IO capability for MITM authentication even
   // if the passkey is static and won't be entered by the user
   // See https://www.bluetooth.com/blog/bluetooth-pairing-part-2-key-generation-methods/
   pSecurity->setCapability(ESP_IO_CAP_IN);
 
+  // Set callbacks to handle authentication completion and print IRKs
+  BLEDevice::setSecurityCallbacks(new MySecurityCallbacks());
+
   // Retrieve a Scanner and set the callback we want to use to be informed when we
   // have detected a new device. Specify that we want active scanning and start the
   // scan to run for 5 seconds.
 
@@ -40,6 +40,73 @@
 // This is an example passkey. You should use a different or random passkey.
 #define SERVER_PIN 123456
 
+// Print an IRK buffer as hex with leading zeros and ':' separator
+static void printIrkBinary(uint8_t *irk) {
+  for (int i = 0; i < 16; i++) {
+    if (irk[i] < 0x10) {
+      Serial.print("0");
+    }
+    Serial.print(irk[i], HEX);
+    if (i < 15) {
+      Serial.print(":");
+    }
+  }
+}
+
+static void get_peer_irk(BLEAddress peerAddr) {
+  Serial.println("\n=== Retrieving peer IRK (Client) ===\n");
+
+  uint8_t irk[16];
+
+  // Get IRK in binary format
+  if (BLEDevice::getPeerIRK(peerAddr, irk)) {
+    Serial.println("Successfully retrieved peer IRK in binary format:");
+    printIrkBinary(irk);
+    Serial.println("\n");
+  }
+
+  // Get IRK in different string formats
+  String irkString = BLEDevice::getPeerIRKString(peerAddr);
+  String irkBase64 = BLEDevice::getPeerIRKBase64(peerAddr);
+  String irkReverse = BLEDevice::getPeerIRKReverse(peerAddr);
+
+  if (irkString.length() > 0) {
+    Serial.println("Successfully retrieved peer IRK in multiple formats:\n");
+    Serial.print("IRK (comma-separated hex): ");
+    Serial.println(irkString);
+    Serial.print("IRK (Base64 for Home Assistant Private BLE Device): ");
+    Serial.println(irkBase64);
+    Serial.print("IRK (reverse hex for Home Assistant ESPresense): ");
+    Serial.println(irkReverse);
+    Serial.println();
+  } else {
+    Serial.println("!!! Failed to retrieve peer IRK !!!");
+    Serial.println("This is expected if bonding is disabled or the peer doesn't distribute its Identity Key.");
+    Serial.println("To enable bonding, change setAuthenticationMode to: pSecurity->setAuthenticationMode(true, true, true);\n");
+  }
+
+  Serial.println("=======================================\n");
+}
+
+// Security callbacks to print IRKs once authentication completes
+class MySecurityCallbacks : public BLESecurityCallbacks {
+#if defined(CONFIG_BLUEDROID_ENABLED)
+  void onAuthenticationComplete(esp_ble_auth_cmpl_t desc) override {
+    // Print the IRK received by the peer
+    BLEAddress peerAddr(desc.bd_addr);
+    get_peer_irk(peerAddr);
+  }
+#endif
+
+#if defined(CONFIG_NIMBLE_ENABLED)
+  void onAuthenticationComplete(ble_gap_conn_desc *desc) override {
+    // Print the IRK received by the peer
+    BLEAddress peerAddr(desc->peer_id_addr.val, desc->peer_id_addr.type);
+    get_peer_irk(peerAddr);
+  }
+#endif
+};
+
 void setup() {
   Serial.begin(115200);
   Serial.println("Starting BLE work!");
@@ -76,8 +143,11 @@ void setup() {
   pSecurity->setCapability(ESP_IO_CAP_OUT);
 
   // Set authentication mode
-  // Require secure connection and MITM (for password prompts) for this example
-  pSecurity->setAuthenticationMode(false, true, true);
+  // Enable bonding, MITM (for password prompts), and secure connection for this example
+  pSecurity->setAuthenticationMode(true, true, true);
+
+  // Set callbacks to handle authentication completion and print IRKs
+  BLEDevice::setSecurityCallbacks(new MySecurityCallbacks());
 
   BLEServer *pServer = BLEDevice::createServer();
   pServer->advertiseOnDisconnect(true);
 
@@ -904,6 +904,52 @@ void BLECharacteristicCallbacks::onWrite(BLECharacteristic *pCharacteristic, esp
 
 #if defined(CONFIG_NIMBLE_ENABLED)
 
+/**
+ * @brief Process a deferred write callback.
+ *
+ * This function is called as a FreeRTOS task to execute the onWrite callback
+ * after the write response has been sent to the client. This maintains backwards
+ * compatibility with Bluedroid, where the write response is sent before the
+ * onWrite callback is invoked.
+ *
+ * The delay is based on the connection interval to ensure the write response
+ * packet has been transmitted over the air before the callback executes.
+ *
+ * See: https://github.com/espressif/arduino-esp32/issues/11938
+ */
+void BLECharacteristic::processDeferredWriteCallback(void *pvParameters) {
+  DeferredWriteCallback *pCallback = (DeferredWriteCallback *)pvParameters;
+
+  // Get connection parameters to calculate appropriate delay
+  ble_gap_conn_desc desc;
+  int rc = ble_gap_conn_find(pCallback->conn_handle, &desc);
+
+  if (rc == 0) {
+    // Connection interval is in units of 1.25ms
+    // Wait for at least one connection interval to ensure the write response
+    // has been transmitted. Add a small buffer for processing.
+    uint16_t intervalMs = (desc.conn_itvl * 125) / 100;  // Convert to milliseconds
+    uint16_t delayMs = intervalMs + 5;                   // Add 5ms buffer
+
+    log_v("Deferring write callback by %dms (conn_interval=%d units, %dms)", delayMs, desc.conn_itvl, intervalMs);
+    vTaskDelay(pdMS_TO_TICKS(delayMs));
+  } else {
+    // If we can't get connection parameters, use a conservative default
+    // Most connections use 7.5-30ms intervals, so 50ms should be safe
+    log_w("Could not get connection parameters, using default 50ms delay");
+    vTaskDelay(pdMS_TO_TICKS(50));
+  }
+
+  // Call the onWrite callback now that the response has been transmitted
+  pCallback->pCharacteristic->m_pCallbacks->onWrite(pCallback->pCharacteristic, &pCallback->desc);
+
+  // Free the allocated memory
+  delete pCallback;
+
+  // Delete this one-shot task
+  vTaskDelete(NULL);
+}
+
 int BLECharacteristic::handleGATTServerEvent(uint16_t conn_handle, uint16_t attr_handle, struct ble_gatt_access_ctxt *ctxt, void *arg) {
   const ble_uuid_t *uuid;
   int rc;
@@ -955,7 +1001,28 @@ int BLECharacteristic::handleGATTServerEvent(uint16_t conn_handle, uint16_t attr
         rc = ble_gap_conn_find(conn_handle, &desc);
         assert(rc == 0);
         pCharacteristic->setValue(buf, len);
-        pCharacteristic->m_pCallbacks->onWrite(pCharacteristic, &desc);
+
+        // Defer the onWrite callback to maintain backwards compatibility with Bluedroid.
+        // In Bluedroid, the write response is sent BEFORE the onWrite callback is invoked.
+        // In NimBLE, the response is sent implicitly when this function returns.
+        // By deferring the callback to a separate task with a delay based on the connection
+        // interval, we ensure the response packet is transmitted before the callback executes.
+        // See: https://github.com/espressif/arduino-esp32/issues/11938
+        DeferredWriteCallback *pCallback = new DeferredWriteCallback();
+        pCallback->pCharacteristic = pCharacteristic;
+        pCallback->desc = desc;
+        pCallback->conn_handle = conn_handle;
+
+        // Create a one-shot task to execute the callback after the response is transmitted
+        // Using priority 1 (low priority) and sufficient stack for callback operations
+        // Note: Stack must be large enough to handle notify() calls from within onWrite()
+        xTaskCreate(
+          processDeferredWriteCallback, "BLEWriteCB",
+          4096,  // Stack size - increased to handle notify() operations
+          pCallback,
+          1,    // Priority (low)
+          NULL  // Task handle (not needed for one-shot task)
+        );
 
         return 0;
       }