An open-source wireless platform for ESP32 devices.
40+ boards · LVGL UI · Web Dashboard · WiFi · BLE · NFC · IR · SubGHz · Ethernet · Companion Apps
An open-source wireless platform for ESP32 devices.
40+ boards · LVGL UI · Web Dashboard · WiFi · BLE · NFC · IR · SubGHz · Ethernet · Companion Apps
The largest update in the project's history: a rebuilt UI, a first-class app ecosystem, expanded radio and device workflows, and broad platform hardening. Here are the highlights.
60 FPS rendering, toast notifications, a cleaner status bar, touch-drag scrolling, and a setup wizard with Home WiFi configuration.
custom asset packs//17+ themes//accessibility suite//high contrast//reduced motion
A first-class app ecosystem. Load tools from SD with permissions, scoped storage, and custom icons; ESP32-C5 runs app code straight from flash.
App Gallery//Ghost Build Tool (gbt)//app SDK//example apps//XIP on C5
Real-time packet and threat insights with a learned baseline that adapts to your local environment.
adaptive channel dwell//EWMA baseline//threat & insight engine//packets/sec sparkline//suspect device cards
The on-device companion now has 50 levels, moods, passive and aggressive modes, and a persistent status-bar badge.
50 levels//27 XP sources//passive / aggressive//global mood system//level-up toasts
An overlay lock with auto-lock support, so active captures like wardriving and sniffing keep running while the device is locked.
PIN lockscreen//lock on wake//auto-lock//overlay capture mode
Trackpad cursor control, USB HID keyboard output, a mouse jiggler, and a redesigned WebUI, plus SSH, NetBIOS, HTTP, and SNMP scanners.
trackpad & touch//HID output//mouse jiggler//SNMP / SSH / NetBIOS//WPA3 checker
GhostESP is GPL-licensed and built in public. You can inspect the firmware, tools, companion apps, docs, and even this website's source instead of trusting a black-box gadget.
2.4 & 5 GHz wireless testing and capture.
deauth//beacon spam//karma//evil portal//WPA3//PCAP logging//live Wireshark
Scan, capture, and spoof BLE devices.
BLE scan//device spam//GPS wardriving//WiGLE export//AirTag spoof//Flipper detect
Read, write, and replay NFC and IR signals.
NTAG read/write//MIFARE dictionary//IR learn & TX//Flipper file support
Analyze, capture, and replay across the sub-GHz bands.
CC1101//315–915 MHz//capture/replay//NRF24 sniff//Zigbee / 802.15.4
Wired attacks and live traffic interception.
Ethernet / W5500//ARP poisoning//DNS intercept//credential capture//DIAL / Chromecast
Spot hostile devices and attacks nearby.
Wi-Fi Pineapple//evil twin//AirTags//card skimmers//jamming signatures
Control GhostESP on-device or from a browser.
LVGL UI//touch / keyboard / encoder//web dashboard//file manager//screen mirroring
Connect devices, apps, and alerts.
GhostLink//Android app//Flipper companion//camera streaming//Discord webhooks
Run sideloaded ESP-IDF apps straight from the SD card.
.so apps//stable SDK//.gapp packages//App Gallery//PSRAM required
Restyle the whole UI with swappable theme packs.
.gtheme archives//custom colors / icons//live swap//compact variants
Based on GhostESP's feature set and publicly available source for listed projects. Not a complete feature list for every firmware. nyanBOX is compared against the latest public source available.
| Feature | GhostESP | Bruce | HaleHound | nyanBOX |
|---|---|---|---|---|
| Architecture | ||||
| Current source available for audit | ✓ | ✓ | Limited / older public source | Limited / older public source |
| ESP-IDF-native architecture | ✓ | — | — | — |
| Arduino / PlatformIO architecture | — | ✓ | ✓ | ✓ |
| Approximate source size | ~211k LOC | ~156k LOC | ~62k LOC | ~17k LOC |
| Supported board targets | 40+ | 28+ | 5 | 1 |
| Full LVGL graphical UI | ✓ | — | — | — |
| WiFi | ||||
| Web dashboard / REST control | ✓ | ✓ | — | — |
| Karma / probe response attack | ✓ | ✓ | ✓ | — |
| Handshake / EAPOL capture | ✓ | ✓ | ✓ | — |
| Live Wireshark USB streaming | ✓ | — | — | — |
| WPA3 / SAE-specific testing | ✓ | — | — | — |
| WPA3 compliance checker | ✓ | — | — | — |
| EAPOL logoff attack | ✓ | — | — | — |
| Channel switch attack | ✓ | — | — | — |
| GTK abuse / client isolation testing | ✓ | — | — | — |
| DHCP starvation | ✓ | ✓ | — | — |
| ARP / port / SSH scanners | ✓ | ✓ | — | — |
| mDNS discovery | ✓ | — | — | — |
| NetBIOS scanner | ✓ | — | — | — |
| HTTP banner scanner | ✓ | — | — | — |
| SNMP probe | ✓ | — | — | — |
| WiFi OUI vendor lookup | ✓ | ✓ | ✓ | — |
| PineAP / Evil Twin detection | ✓ | — | — | ✓ |
| WPS detection / reporting | ✓ | ✓ | — | — |
| Pwnagotchi-style automated capture mode | ✓ | ✓ | — | — |
| Pwnagotchi detector / spam | — | ✓ | — | ✓ |
| Channel congestion analysis | ✓ | — | — | — |
| WiFi Airspace Monitor | ✓ | — | — | — |
| DNS sinkhole / blocklist NXDOMAIN | ✓ | — | — | — |
| GPS WiFi wardriving | ✓ | ✓ | ✓ | — |
| BLE wardriving | ✓ | ✓ | ✓ | — |
| WiGLE upload integration | ✓ | ✓ | — | — |
| 802.15.4 / Zigbee sweep export | ✓ | — | — | — |
| GhostLink dual-ESP control | ✓ | — | — | — |
| Split-channel wardriving helper | ✓ | — | — | — |
| GhostLink remote radio support | ✓ | — | — | — |
| Drone / OpenDroneID detect | ✓ | — | — | ✓ |
| Drone / OpenDroneID spoof | ✓ | — | — | — |
| Bluetooth LE | ||||
| BLE scanning | ✓ | ✓ | ✓ | ✓ |
| Raw BLE scanner | ✓ | — | — | — |
| BLE spam modes | ✓ | ✓ | ✓ | ✓ |
| AirTag scan / spoof | ✓ | ✓ | ✓ | ✓ |
| Flipper Zero finder | ✓ | — | — | ✓ |
| GATT / service enumeration | ✓ | — | ✓ | — |
| BLE stream to Wireshark | ✓ | — | — | — |
| BLE skimmer detection | ✓ | — | — | ✓ |
| FastPair / pairing exploit research | — | ✓ | ✓ | ✓ |
| BLE HID injection / DuckyScript over BLE | — | ✓ | — | — |
| BLE keyboard mode | — | ✓ | — | — |
| BLE GATT honeypot / cloned peripheral | — | — | ✓ | ✓ |
| BLE vulnerability profiling | — | ✓ | — | — |
| Flock / surveillance detector | ✓ | — | ✓ | ✓ |
| NFC | ||||
| PN532 NFC support | ✓ | ✓ | ✓ | — |
| Chameleon Ultra support | ✓ | ✓ | — | — |
| Chameleon Ultra BLE control | ✓ | ✓ | — | — |
| Flipper `.nfc` import/export | ✓ | — | — | — |
| Flipper NFC parser set | ✓ | — | — | — |
| MIFARE Classic default-key attack | ✓ | ✓ | ✓ | — |
| MIFARE Classic full embedded dictionary | ✓ | — | — | — |
| MIFARE Classic user dictionary file | ✓ | ✓ | — | — |
| MIFARE Classic session key reuse / sector sweep | ✓ | — | — | — |
| EMV / payment card reader | — | ✓ | — | — |
| BadUSB / HID | ||||
| BadUSB / DuckyScript | ✓ | ✓ | — | — |
| USB keyboard host mode | ✓ | — | — | — |
| BadUSB VID/PID identity options | ✓ | ✓ | — | — |
| Infrared | ||||
| IR learn / capture / replay | ✓ | ✓ | — | — |
| Flipper `.ir` file support | ✓ | ✓ | — | — |
| Universal IR library transmit | ✓ | ✓ | — | — |
| SubGHz / RF | ||||
| CC1101 SubGHz scan / replay | ✓ | ✓ | ✓ | — |
| CC1101 waterfall spectrum analyzer | ✓ | ✓ | ✓ | — |
| Flipper `.sub` compatibility | ✓ | ✓ | — | ✓ |
| SubGHz protocol decoders | ✓ | ✓ | ✓ | — |
| NRF24 spectrum analyzer | ✓ | ✓ | ✓ | ✓ |
| NRF24 MouseJack | — | — | ✓ | — |
| Passive jamming detection | ✓ | — | ✓ | — |
| Active RF jamming shipped | Not shipped | ✓ | ✓ | ✓ |
| Zigbee / 802.15.4 packet capture | ✓ | — | — | — |
| Ethernet | ||||
| Ethernet W5500 support | ✓ | ✓ | — | — |
| Ethernet ARP poisoning / MITM tools | ✓ | ✓ | — | — |
| TLS SNI / HTTP / FTP credential capture over Ethernet | ✓ | — | — | — |
| Miscellaneous | ||||
| Camera streaming / motion detection | ✓ | — | — | — |
| Motion alerts with webhook support | ✓ | — | — | — |
| Network printer / PJL output | ✓ | — | — | — |
| DIAL / Chromecast testing | ✓ | — | — | — |
| On-device setup wizard | ✓ | — | — | — |
| Wired screen mirroring | ✓ | — | — | ✓ |
| Web screen mirroring | — | ✓ | — | — |
| SD config backup / restore | ✓ | — | — | — |
| Battery monitoring / fuel gauge support | ✓ | ✓ | ✓ | — |
| Sensor / RTC hardware support | ✓ | ✓ | — | — |
| M5 Cardputer keyboard support | ✓ | ✓ | — | — |
| Android companion app | ✓ | — | — | — |
| LoRa support | — | ✓ | — | — |
| FM radio support | — | ✓ | — | — |
Overview of the new Dual ESP32, 5GHZ standalone device.
Demonstration of 5GHz deauth attacks with ESP32-C5 on GhostESP
Demonstration of GhostESP and Flipper Zero deauthenticating a spy camera from a 2.4GHz WiFi network
How to use dual communication with GhostESP
How to get the T-Watch S3 into bootloader mode and flash GhostESP
Official logos, color schemes, and design resources for media and creators