Tagged: ESP32

ESP32 Bus Pirate: Update Brings Waterfall Displays, Cellular Modem Support and External Radio Expander

Back in September 2025, we posted about the "ESP32 Bus Pirate" firmware, which transforms an ESP32-S3 into a multi-protocol debugging and hacking tool. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in radio hardware components to achieve a range of interesting feats. Recently, "Geo," the creator of the ESP32 Bus Pirate, wrote in to share some recent firmware updates with us. He writes:

The ESP32-Bus-Pirate project is an open-source firmware that transforms inexpensive ESP32-S3 boards into versatile hardware hacking and debugging tools. Inspired by tools like the Bus Pirate and Flipper Zero, the firmware allows a single ESP32 device to interact with a wide range of digital buses, radios, and hardware interfaces.

Because ESP32 boards include integrated WiFi and Bluetooth radios and can interface with many external modules, the firmware makes it possible to experiment with both hardware protocols and RF systems using very low-cost hardware.

The firmware currently supports a wide range of protocols and devices including:

I²C, SPI, UART, CAN, 1-Wire, infrared, smartcards, Sub-GHz radios, RF24 modules, WiFi, Bluetooth and cellular modems.

Major New Features in v1.5

The latest release adds several major capabilities useful for hardware analysis and RF experimentation.

Waterfall Spectrum Displays

Multiple RF modules can now display real-time waterfall visualizations, showing signal peaks and activity across frequencies. This is available for:

• Sub-GHz radios
• RF24 modules
• FM radio modules
• WiFi channel activity

This makes it easier to visually monitor RF environments directly from the device.

Sub-GHz Improvements

The Sub-GHz subsystem has been completely reworked for improved reliability when recording, replaying and receiving RF frames. Raw payload transmission is also supported.

Cellular Modem Support

ESP32-Bus-Pirate can now interact with cellular modem modules, allowing users to inspect modem and network information and perform operations such as:

• Dumping SIM card data
• Sending SMS
• Dialing calls

External Radio Expander

The firmware now supports an **external UART radio expansion module** called the **ESP32 Bus Expander**, which allows adding additional RF hardware modules to the system, notably for 5 GHz WiFi.

Links

Project:
https://github.com/geo-tp/ESP32-Bus-Pirate

Web Flasher:
https://geo-tp.github.io/ESP32-Bus-Pirate/webflasher/

Documentation:
https://github.com/geo-tp/ESP32-Bus-Pirate/wiki

Scripts collection:
https://github.com/geo-tp/ESP32-Bus-Pirate-Scripts

ESP32 Bus Expander:
https://github.com/geo-tp/ESP32-Bus-Expander

ESP32 Bus Pirate. Left - Running on COTS ESP32-S3 based devices. Right - ESP32 Bus Pirate Web Interface

ESP32 Bus Pirate: Turn your ESP32 into a Multi-Purpose Hacker Tool

Thank you to "Geo" for writing in and sharing his open source project "ESP32-Bus-Pirate" with us, which he thinks might be of interest to the RTL-SDR community. The ESP32 is a popular low-cost microcontroller because it has WiFi and Bluetooth capabilities built in. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in hardware radio components to achieve various interesting feats. Geo writes:

This firmware turns an inexpensive ESP32-S3 board into a multi-protocol debugging and hacking tool, inspired by the original Bus Pirate and the Flipper Zero.

It currently supports a wide range of protocols and devices, including I²C, SPI, UART, 1-Wire, CAN, infrared, smartcards, and more. It also communicates with radio protocols such as Sub-GHz, RFID, RF24, WiFi, and Bluetooth.

Compared to existing solutions, the focus is on:

Accessibility — runs on cheap ESP32-S3 hardware (around $7–$10).

Versatility — one device can probe, sniff, and interact with multiple buses.

Extensibility — open-source and modular, making it easy to add new protocol support.

I believe this could be useful for hardware hackers, security researchers, and hobbyists looking for a low-cost, flexible alternative to commercial tools.

With the firmware installed on a compatible ESP32 device, it is possible to create WiFi, Bluetooth, and RF24 sniffers, scanners, and spoofers, as well as perform general sub-GHz and RFID sniffing, scanning, and replay attacks. It also has a host of non-RF capabilities useful for hacking devices.

KISS_LoRa_TAK – Integrating ESP32 LoRa with TAK

Thank you to YD1RUH for writing in and sharing his open-source KISS_LoRa_TAK project with us. YD1RUH writes:

I’d like to share a small open-source project that I believe could be valuable for the RTL-SDR and tactical radio communities: KISS_LoRa_TAK, a minimalistic approach to integrate ESP32-based LoRa modules with ATAK (Android Team Awareness Kit) using a simple web-based configuration and KISS principles (Keep It Simple, Stupid).

The project is documented here:
📎 GitHub: https://github.com/YD1RUH/KISS_LoRa_TAK

It includes a web UI for setting LoRa parameters directly from a browser, turns the ESP32 into a configurable CoT forwarder over LoRa, and allows ATAK users to operate in disconnected environments — all from a low-cost module like the TTGO LoRa32-OLED.

The documentation covers:
  • How to flash the firmware and get started
  • Web interface preview
  • ATAK connection instructions
  • Recommended LoRa settings for various terrains
  • Screenshots of the system in use

ATAK (Android Tactical Awareness Kit) + LoRa Lowbudget Poorman Tech #ATAK #LoRa

ESP32 Tak LoRa Hardware

ESP32-Div: An ESP32 Based Swiss Army Knife for Wireless Networks

On his blog, Cifer has posted about a new device that he's created called "ESP32-Div." ESP32-Div is a multi-featured wireless analysis device for WiFi, Bluetooth, 2.4 GHz, and sub-GHz signals. While ESP32-Div is not based on SDR technology, it is still an interesting device for wireless hackers to discuss.

ESP32-Div can monitor WiFi packets, spam fake WiFi access points, scan for deauth attacks, and scan nearby WiFi networks. For Bluetooth, it can jam, scan, spoof, and cause unintended behaviours on Apple devices via spoofing the AirDrop function. It can also be used as a general 2.4 GHz scanner and jammer. Finally, it can perform replay attacks and jam signals for sub-GHz signals.

The device consists of a custom PCB with an ESP32 and a built-in battery pack. A piggybacking shield adds three NRF24 modules for the 2.4 GHz features and a CC1101 module for the sub-GHz features.

Obviously, functions like jamming and spoofing are highly illegal in most countries, but it is interesting to see the capabilities available to anyone with these cheap chips and the right software.

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESPARGOS: An ESP32 Phased Array for Seeing WiFi

Recently, Florian Euchner, a research assistant at the Institute of Telecommunications at the University of Stuttgart, has released information about a project called ESPARGOS that he has been working on. ESPARGOS is a phased array of many patch antennas, each connected to an ESP32 WiFi microcontroller. Phased arrays enable interesting things like radio direction finding.

Combined with a bit of code, Florian can not only determine the direction of arrival of WiFi signals but, with enough patch elements, also create a live heatmap of the WiFi source overlaid on top of the video. We note that ESPARGOS is not based on software-defined radio; however, the overall concept and implementation are quite similar to KrakenSDR.

In the video embedded below, Florian explains the system and demonstrates it in action. He shows how the WiFi signal from a device can be visualized, how it can be used to track the movement of the device behind a wall, how reflections from a directional antenna can be seen, and how a device can be triangulated with multiple arrays. Finally, Florian also shows how a device can be located with a single array, even in a high multipath environment, after a neural network is trained on the environment.

Florian writes:

More information is available on the project website of the ESP32 antenna array "ESPARGOS": https://espargos.net/

Source code for Python library + demos: https://github.com/ESPARGOS/pyespargos (directory "demos/camera" for "WiFi camera" demo)

As a research assistant at the Institute of Telecommunications at the University of Stuttgart, I work on multi-antenna systems like (distributed) massive MIMO, with a focus on wireless channel measurement platforms and algorithms for processing channel measurements (classical and deep learning-based).

One day, my (incredibly talented) colleague Marc Gauger suggested using ultra low-cost ESP32 chips instead of software defined radios for channel measurements. I was highly sceptical at first, but when he showed me a minimalistic prototype he had soldered together, I was intrigued by the idea of being able to demonstrate my algorithms in real time using WiFi signals. In a series of Bachelor's / Research theses, my excellent students Tim Schneider, David Engelbrecht and David Kellner helped me develop the ESP32 antenna array "ESPARGOS".

Measured CSI dataset used for AoA / TDoA visualization: https://espargos.net/datasets/data/espargos-0005/
AoA / TDoA localization source code (needs some minor modifications to be applied to espargos-0005 dataset): https://github.com/Jeija/ToA-AoA-Augmented-ChannelCharting/
Channel Charting source code for the animation in the video: https://github.com/Jeija/Geodesic-Uncertainty-Loss-ChannelCharting
Tutorial on Channel Charting: https://dichasus.inue.uni-stuttgart.de/tutorials/tutorial/dissimilarity-metric-channelcharting/

This ESP32 Antenna Array Can See WiFi

We note that while the software is open source, the array hardware itself is not. Florian has noted in a comment on his YouTube video that he is preparing a manufacturing run for ESPARGOS.

I am now preparing a manufacturing run for ESPARGOS. This involves some PCB redesigns to make the design more mass-manufacturable and to get the cost further down, and to get it certified. This will obviously take some time, but I will make sure to keep you updated. You can use the button on the website https://espargos.net/ to sign up for email updates, and I will also post updates via YouTube community notes.

SOCORAD32 Now Crowd Funding: ESP32-based Walkie-Talkie with Data Communication

Back in May 2022, we posted about SOCORAD32, which at the time had been pre-announced for future crowdfunding. A few days ago the crowdfunding campaign began, and its goal has already been reached.

The project is described as a "hackable, open source, ESP32 amateur radio board with walkie-talkie functionality and data communication". We note that this is not a software defined radio; rather, it is a highly customizable software controlled radio.

The advertising claims that you can communicate between SOCORAD32 devices by voice and text for up to 5km at 2W of power. No commercial or amateur radio license is required to use this radio, since it operates in the 400 - 470 MHz license free bands that are available in many countries. We note, however, that in many countries these bands have power restrictions well below 2W, which would limit the achievable range.

In recent updates they note that they have been refining the PCB, and have now added a battery holder and moved the push-to-talk button to a new position.

During crowd funding the device is selling for US$80 + $8 US shipping / $18 worldwide shipping.

SOCORAD32 can communicate between devices by voice or text for up to 5km, via license free bands.

Tech Minds: Demonstrating RTL_433 Running on ESP32 Devices

Earlier in the month we posted about how rtl_433 has been ported to ESP32 devices that are combined with CC1101 or SX127X transceiver chips, such as the low cost LILYGO LoRa 32 boards available on Aliexpress.

Over on YouTube, Matt from the Tech Minds channel has uploaded a video showing how to set up rtl_433 on an ESP32 device, and how to connect it to a home automation service such as Home Assistant, Node-RED or OpenHAB via an MQTT broker.

RTL 433 ON ESP32 DEVICE - MQTT HOME ASSISTANT

rtl_433 ported to ESP32 microcontrollers with CC1101 or SX127X Transceiver Chips

Receiving wireless sensors operating in the unlicensed ISM bands has been made almost universal by rtl_433 and RTL-SDRs. Recently, however, rtl_433 has been ported for use on ESP32 microcontrollers that are combined with CC1101 or SX127X transceiver chips.

Boards that combine these two chips can be found cheaply on Aliexpress as LoRa boards, under the name "LILYGO LoRa 32". If you are unaware, ESP32 chips cheaply combine a WiFi and Bluetooth modem with a microcontroller that is capable of hosting a webserver. The CC1101 and SX127X are low cost, low power hardware transceiver chips made for IoT devices. We've posted about LILYGO boards in the past, as they've been used in interesting projects such as Meshtastic and weather balloon tracking.

This project could be useful for home automation, as a module has been made available for OpenMQTTGateway. Instead of dedicating a more powerful Raspberry Pi and RTL-SDR, you can now dedicate a much cheaper and much lower power device to the task.

[Also seen on Hackaday.]

RTL_433 running on a LILYGO LoRa V2 Board