An open-source wireless platform for ESP32 devices.
Firmware · Web Flasher · Serial Console · Companion App · IR Database · Wardriving Map
2.4 & 5 GHz wireless testing — deauth, beacon spam, EAPOL/PMKID capture, karma attacks, evil portals, WPA3 testing, PCAP logging, and live Wireshark streaming over USB
Scan, capture, and spam BLE devices; GPS wardriving with WiGLE CSV export; AirTag spoofing and Flipper Zero detection
Read/write NTAG tags with MIFARE Classic dictionary attacks; IR signal learning and transmission with Flipper Zero file compatibility
CC1101 frequency analysis, capture/replay across 315–915 MHz, NRF24 sniffing, and Zigbee/802.15.4 packet capture
Ethernet/W5500 support with ARP poisoning, DNS interception, TLS SNI/HTTP/FTP credential capture, DIAL/Chromecast testing
Detect Wi-Fi Pineapples, evil twin APs, AirTags, card skimmers, and passive 2.4 GHz jamming signatures
Full LVGL graphical interface with touch, keyboard, and encoder input; web dashboard for remote configuration, file management, and wired screen mirroring
GhostLink dual-device communication, Android companion app, Flipper Zero companion, camera streaming with motion detection and Discord webhook alerts
The comparison below is based on GhostESP's feature set and the publicly available source for the listed projects. It is not a complete feature list for every firmware. HaleHound and nyanBOX are compared against the latest public source available.
| Feature | GhostESP | Bruce | HaleHound | nyanBOX |
|---|---|---|---|---|
| **Architecture** | | | | |
| Current source available for audit | ✓ | ✓ | Limited | Limited |
| ESP-IDF-native architecture | ✓ | — | — | — |
| Arduino / PlatformIO architecture | — | ✓ | ✓ | ✓ |
| Approximate source size | ~211k LOC | ~156k LOC | ~62k LOC | ~17k LOC |
| Supported board targets | 40+ | 28+ | 5 | 1 |
| Full LVGL graphical UI | ✓ | — | — | — |
| **WiFi** | | | | |
| Web dashboard / REST control | ✓ | ✓ | — | — |
| Karma / probe response attack | ✓ | ✓ | ✓ | — |
| Handshake / EAPOL capture | ✓ | ✓ | ✓ | — |
| PMKID capture / export | ✓ | — | ✓ | — |
| Live Wireshark USB streaming | ✓ | — | — | — |
| WPA3 / SAE-specific testing | ✓ | — | — | — |
| EAPOL logoff attack | ✓ | — | — | — |
| Channel switch attack | ✓ | — | — | — |
| GTK abuse / client isolation testing | ✓ | — | — | — |
| DHCP starvation | ✓ | ✓ | — | — |
| ARP / port / SSH scanners | ✓ | ✓ | — | — |
| WiFi OUI vendor lookup | ✓ | ✓ | ✓ | — |
| PineAP detection | ✓ | — | — | ✓ |
| WPS detection / reporting | ✓ | ✓ | — | — |
| Pwnagotchi-style automated capture | ✓ | ✓ | — | — |
| Pwnagotchi detector / spam | — | ✓ | — | ✓ |
| GPS WiFi wardriving | ✓ | ✓ | ✓ | — |
| BLE wardriving | ✓ | ✓ | ✓ | — |
| WiGLE upload integration | ✓ | ✓ | — | — |
| 802.15.4 / Zigbee sweep export | ✓ | — | — | — |
| GhostLink dual-ESP control | ✓ | — | — | — |
| Drone / OpenDroneID detect | ✓ | — | — | ✓ |
| Drone / OpenDroneID spoof | ✓ | — | — | — |
| **Bluetooth LE** | | | | |
| Flipper Zero finder | ✓ | — | — | ✓ |
| GATT / service enumeration | ✓ | — | ✓ | — |
| BLE stream to Wireshark | ✓ | — | — | — |
| BLE skimmer detection | ✓ | — | — | ✓ |
| FastPair / pairing exploit research | — | ✓ | ✓ | ✓ |
| BLE HID injection / DuckyScript | — | ✓ | — | — |
| BLE GATT honeypot / cloned peripheral | — | — | ✓ | — |
| BLE vulnerability profiling | — | ✓ | ✓ | — |
| Flock / surveillance detector | ✓ (WiFi only) | — | ✓ | ✓ |
| **NFC** | | | | |
| PN532 NFC support | ✓ | ✓ | ✓ | — |
| Chameleon Ultra support | ✓ | ✓ | — | — |
| Chameleon Ultra BLE control | ✓ | ✓ | — | — |
| Flipper .nfc import/export | ✓ | — | — | — |
| NFC parser set | ✓ | — | — | — |
| MIFARE Classic default-key attack | ✓ | ✓ | ✓ | — |
| MIFARE Classic full embedded dictionary | ✓ | — | — | — |
| MIFARE Classic user dictionary file | ✓ | ✓ | — | — |
| MIFARE Classic session key reuse / sector sweep | ✓ | — | — | — |
| EMV / payment card reader | — | ✓ | — | — |
| **BadUSB / HID** | | | | |
| BadUSB / DuckyScript | ✓ | ✓ | — | — |
| USB keyboard host mode | ✓ | — | — | — |
| BadUSB VID/PID identity options | ✓ | ✓ | — | — |
| **Infrared** | | | | |
| IR learn / capture / replay | ✓ | ✓ | — | — |
| Flipper .ir file support | ✓ | ✓ | — | — |
| Universal IR library transmit | ✓ | ✓ | — | — |
| **SubGHz / RF** | | | | |
| CC1101 SubGHz scan / replay | ✓ | ✓ | ✓ | — |
| CC1101 waterfall spectrum analyzer | ✓ | ✓ | ✓ | — |
| Flipper .sub compatibility | ✓ | ✓ | ✓ | — |
| SubGHz protocol decoders | ✓ | ✓ | ✓ | — |
| NRF24 spectrum analyzer | ✓ | ✓ | ✓ | ✓ |
| NRF24 MouseJack | — | — | ✓ | — |
| Passive jamming detection | ✓ | — | ✓ | — |
| Active RF jamming shipped | Not shipped | ✓ | ✓ | ✓ |
| Zigbee / 802.15.4 packet capture | ✓ | — | — | — |
| **Ethernet** | | | | |
| Ethernet W5500 support | ✓ | ✓ | — | — |
| Ethernet ARP poisoning / MITM tools | ✓ | ✓ | — | — |
| TLS SNI / HTTP / FTP credential capture | ✓ | — | — | — |
| **Miscellaneous** | | | | |
| Camera streaming / motion detection | ✓ | — | — | — |
| Motion alerts with webhook support | ✓ | — | — | — |
| Network printer / PJL output | ✓ | — | — | — |
| DIAL / Chromecast testing | ✓ | — | — | — |
| On-device setup wizard | ✓ | — | — | — |
| Wired screen mirroring | ✓ | — | — | ✓ |
| Web screen mirroring | — | ✓ | — | — |
| SD config backup / restore | ✓ | — | — | — |
| Battery monitoring / fuel gauge support | ✓ | ✓ | ✓ | — |
| Sensor / RTC hardware support | ✓ | ✓ | — | — |
| M5 Cardputer keyboard support | ✓ | ✓ | — | — |
| Android companion app | ✓ | — | — | — |
| JavaScript app engine | — | ✓ | — | — |
| LoRa support | — | ✓ | — | — |
| FM radio support | — | ✓ | — | — |
Overview of the new dual-ESP32, 5 GHz standalone device.
Demonstration of 5 GHz deauth attacks with ESP32-C5 on GhostESP
Demonstration of GhostESP and Flipper Zero deauthenticating a spy camera from a 2.4 GHz WiFi network
How to use dual communication with GhostESP
How to get the T-Watch S3 into bootloader mode and flash GhostESP
Download official GhostESP assets, logos, and high-resolution images for media use