I clicked a link in my local meshcore Discord while sipping coffee this morning as was greeted with this:
Look, I’m not really a radio person. I was attracted to Meshcore because frankly, I feel like the internet has mostly gone to shit and off-grid mesh networks provide a convenient, technical form of escapism from those depressing thoughts. I was up and running with a Seedstudio solar node and a companion app for about 2 weeks before one of them died. Which died? Who knows!
During those two weeks I was able to send and receive messages from people hundreds of miles away, with no help from the internet at all. It’s very cool, I see the attraction.
But my interest in Meshcore at a technical level has diminished.
“Open source” drama
Exactly seven days ago, this post from meshcore.io - Why the split? started to make the rounds. Not just on the meshnet, but places like hacker news and lobste.rs. See, there was no meshcore.io prior to this post. It was created by members of the community in response to AndyK acting very, very badly. First, he filed for a trademark on the Meshcore name in the UK, which many people saw as a betrayal to the community. Secondly it turns out he’s a dirty vibe-coder, and that made people mad. So they forked.
A win for open source right?
Except that the people in charge of meshcore.io (if I understand this correctly) are the ones that provide the official meshcore app - which is closed source. Womp.
Exploitable firmware
A few days later we get this amazing post from Alainx277 that’s a pretty damning critique of the Meshcore code (the open source part). It’s a very good read, but the TL;DR is that the source is a nightmare, full of unchecked buffers and includes a bug that is very simple to exploit that can remotely wipe any repeater. Ouch.
I’m not an embedded engineer so I can’t cast stones here - but I did spelunk through the code fairly recently in an attempt to write my own client library called Meshcorrode and even I could tell something was up. I abandoned the project pretty quickly.
Exploitable software, too
So what’s the deal with the tasteful website with the middle finger? It looks like some enterprising members of the Meschore community decided to stick it to Andy - the vibe-coded closed source app guy (the bad one, not the good closed source app guys) by unleashing an LLM on the binary and reverse engineering the product activation code. Turns out a product key is a simple hash of the device ID it’s running on. They published their findings and created a simple html page where anyone can generate a product key trivially.
I’ll be back
You know what, I’m good on Meshcore for a bit. The community needs to figure their drama out, and all the official software needs to be open source - full stop.
I still believe that mesh networks will play an important role in the future, and I want to hack on them. I just don’t think Meshcore is it right now.