MeshCore Packet Format and Encryption

This page covers MeshCore's packet encryption as verified from docs/packet_format.md and src/Utils.cpp in the official MeshCore repository. 

 Encryption at the Packet Level 
 Each MeshCore message packet is protected by AES-128 encryption followed by a 2-byte HMAC-SHA256 MAC: 
 [Cleartext header] [AES-128 ECB encrypted payload] [2-byte HMAC-SHA256 MAC] 

 Route Types 
 Packets carry one of four route types (from packet_format.md): 
 
 ROUTE_TYPE_FLOOD - broadcast to all repeaters; used for initial contact and group messages 
 ROUTE_TYPE_DIRECT - embeds a specific repeater path; only listed repeaters forward the packet 
 ROUTE_TYPE_TRANSPORT_FLOOD - flood with transport/region code prefix 
 ROUTE_TYPE_TRANSPORT_DIRECT - direct-routed with transport/region code 
 

 Path Learning (How Direct Routing Works) 
 MeshCore uses a flood-then-direct-route mechanism (not AODV path discovery/acknowledgment): 
 
 First message to a new destination is flood-routed 
 The destination node returns a PAYLOAD_TYPE_PATH packet containing the full repeater path it received the message through 
 The sender stores this path and uses ROUTE_TYPE_DIRECT for subsequent messages, embedding the learned path 
 Only the specific repeaters in the path forward the packet - all others ignore it 
 
 This mechanism reduces channel load significantly compared to pure flooding once paths are established. 

 Source: docs/packet_format.md and src/Utils.cpp in the official MeshCore repository. Verified 2026-05-03.