ESP32 Bus Pirate: Update Brings Waterfall Displays, Cellular Modem Support and External Radio Expander

Back in September 2025, we posted about the "ESP32 Bus Pirate" firmware, which transforms an ESP32-S3 into a multi-protocol debugging and hacking tool. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in radio hardware components to achieve a range of interesting feats. Recently, "Geo," the creator of the ESP32 Bus Pirate, wrote in to share some recent firmware updates with us. He writes:

The ESP32-Bus-Pirate project is an open-source firmware that transforms inexpensive ESP32-S3 boards into versatile hardware hacking and debugging tools. Inspired by tools like the Bus Pirate and Flipper Zero, the firmware allows a single ESP32 device to interact with a wide range of digital buses, radios, and hardware interfaces.

Because ESP32 boards include integrated WiFi and Bluetooth radios and can interface with many external modules, the firmware makes it possible to experiment with both hardware protocols and RF systems using very low-cost hardware.

The firmware currently supports a wide range of protocols and devices including:

I²C, SPI, UART, CAN, 1-Wire, infrared, smartcards, Sub-GHz radios, RF24 modules, WiFi, Bluetooth and cellular modems.

Major New Features in v1.5

The latest release adds several major capabilities useful for hardware analysis and RF experimentation.

Waterfall Spectrum Displays

Multiple RF modules can now display real-time waterfall visualizations, showing signal peaks and activity across frequencies. This is available for:

• Sub-GHz radios
• RF24 modules
• FM radio modules
• WiFi channel activity

This makes it easier to visually monitor RF environments directly from the device.

Sub-GHz Improvements

The Sub-GHz subsystem has been completely reworked for improved reliability when recording, replaying and receiving RF frames. Raw payload transmission is also supported.

Cellular Modem Support

ESP32-Bus-Pirate can now interact with cellular modem modules, allowing users to inspect modem and network information and perform operations such as:

• Dumping SIM card data
• Sending SMS
• Dialing calls

External Radio Expander

The firmware now supports an **external UART radio expansion module** called the **ESP32 Bus Expander**, which allows adding additional RF hardware modules to the system, notably for the WiFi 5GHz.

Links

Project:
https://github.com/geo-tp/ESP32-Bus-Pirate

Web Flasher:
https://geo-tp.github.io/ESP32-Bus-Pirate/webflasher/

Documentation:
https://github.com/geo-tp/ESP32-Bus-Pirate/wiki

Scripts collection:
https://github.com/geo-tp/ESP32-Bus-Pirate-Scripts

ESP32 Bus Expander:
https://github.com/geo-tp/ESP32-Bus-Expander

ESP32 Bus Pirate. Left - Running on COTS ESP32-S3 based devices. Right - ESP32 Bus Pirate Web Interface

A Discussion on How WiFi Can Be Used To See Through Walls

Earlier in the year on YouTube, Yaniv Hoffman and Occupy The Web discussed research showing how Wi-Fi signals can be used to detect and track people through walls. The idea is simple from an RF point of view. Wi-Fi is just radio, and when those signals pass through a room they reflect and scatter off walls, furniture, and human bodies. By analyzing these reflections, it is possible to infer movement and even rough human outlines without placing any hardware inside the room.

Using low-cost SDRs, a standard PC, an NVIDIA GPU, and open-source AI tools like DensePose, researchers can reconstruct basic 3D human shapes in real time. In some cases, the system does not even need to transmit its own signal. It can passively analyze reflections from an existing Wi-Fi router already operating in the home.

The speakers note that this raises obvious privacy concerns. While there are some benign uses like motion-based home security or monitoring breathing in elderly care, the same techniques could be misused. Countermeasures are limited, as Wi-Fi uses spread spectrum techniques that make jamming difficult.

If you're interested, we posted about something similar in 2015, where USRP radios were being used to detect the presence of people behind walls.

They’re Watching You Through Wi-Fi… And You Have No Idea

halow_scanner: An RTL-SDR Based 802.11ah HaLow Channel Scanner

Over on GitHub we've recently noticed the release of halow_scanner, a Python script that uses an RTL-SDR to scan the 802.11ah (WiFi HaLow) channels in the sub-GHz spectrum to determine which channels have the least noise/interference.

Unlike standard WiFi, which operates outside of the RTL-SDR's range at 2.4 GHz and above, 802.11ah operates in the sub-GHz ISM bands, which RTL-SDRs can easily receive.

Use of these lower frequencies gives 802.11ah HaLow excellent signal penetration, making it useful for long-range, low-power IoT devices. With 802.11ah HaLow links, several kilometers can be achieved.

The software's features include:

  • 🔍 Scans all 802.11ah HaLow channels in the US 902-928 MHz band
  • 📊 Supports multiple channel bandwidths: 1, 2, 4, and 8 MHz
  • 📡 Uses RTL-SDR for spectrum analysis
  • 🎯 Identifies the cleanest channel with lowest noise floor
  • 📈 Provides detailed power spectrum measurements
  • ⚡ Fast scanning with averaging for accuracy
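
The channel-selection logic described above, written out as an added example (not halow_scanner's own code): sweeps are averaged bin-by-bin in the linear power domain, each candidate channel's mean power is computed for the chosen bandwidth, and the quietest one wins. The 0.25 MHz bin spacing and the synthetic spectrum are constructed here; the channel grid (contiguous 1/2/4/8 MHz slots filling 902-928 MHz upward) is my assumption about the US channelization.

```python
import math

BAND_LOW_MHZ, BAND_HIGH_MHZ = 902.0, 928.0   # US 902-928 MHz band named on the page

def halow_channels(bw_mhz):
    """Centres of the 1/2/4/8 MHz channels: contiguous bw-wide slots filling the band
    upward from 902 MHz (assumed to match the US grid: 26, 13, 6 and 3 channels)."""
    if bw_mhz not in (1, 2, 4, 8):
        raise ValueError("HaLow bandwidths are 1, 2, 4 or 8 MHz")
    n = int((BAND_HIGH_MHZ - BAND_LOW_MHZ) // bw_mhz)
    return [BAND_LOW_MHZ + bw_mhz / 2 + k * bw_mhz for k in range(n)]

def dbm_mean(values_dbm):
    """Average in the linear (mW) domain, then back to dBm; averaging dB directly understates bursts."""
    return 10 * math.log10(sum(10 ** (v / 10) for v in values_dbm) / len(values_dbm))

def average_sweeps(sweeps_dbm):
    """Bin-by-bin linear average of several sweeps (each a list of dBm per bin)."""
    return [dbm_mean(col) for col in zip(*sweeps_dbm)]

def channel_power(freqs_mhz, spectrum_dbm, centre_mhz, bw_mhz):
    """Mean power (dBm) of the bins inside [centre - bw/2, centre + bw/2)."""
    lo, hi = centre_mhz - bw_mhz / 2, centre_mhz + bw_mhz / 2
    inside = [p for f, p in zip(freqs_mhz, spectrum_dbm) if lo <= f < hi]
    if not inside:
        raise ValueError(f"no bins inside the {centre_mhz} MHz channel")
    return dbm_mean(inside)

def cleanest_channel(freqs_mhz, spectrum_dbm, bw_mhz):
    """(centre_mhz, power_dbm) of the channel with the lowest averaged power."""
    power, centre = min((channel_power(freqs_mhz, spectrum_dbm, c, bw_mhz), c)
                        for c in halow_channels(bw_mhz))
    return centre, power

def constructed_sweeps(count=3):
    """Constructed input, 0.25 MHz bins: a floor sloping from -98 dBm at 902 MHz to about
    -100.6 dBm at 928 MHz with +-0.3 dB sweep jitter, plus interferers at 914-916 and 926-927.5 MHz."""
    freqs = [BAND_LOW_MHZ + i * 0.25 for i in range(int((BAND_HIGH_MHZ - BAND_LOW_MHZ) / 0.25))]
    sweeps = []
    for s in range(count):
        jitter = 0.3 * (s % 3 - 1)
        sweeps.append([-65.0 if 914.0 <= f < 916.0 or 926.0 <= f < 927.5
                       else -98.0 - 0.1 * (f - BAND_LOW_MHZ) + jitter for f in freqs])
    return freqs, sweeps

if __name__ == "__main__":
    freqs, sweeps = constructed_sweeps()
    avg = average_sweeps(sweeps)
    for bw in (1, 2, 4, 8):
        print(f"{bw} MHz: cleanest channel (centre MHz, dBm) = {cleanest_channel(freqs, avg, bw)}")
```

On the constructed input the quietest clean channel sits just below the 926 MHz interferer for every bandwidth, and the 914-916 MHz interferer knocks out the 916 MHz (4 MHz) and 914 MHz (8 MHz) channels.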
Comparison Between regular WiFi and 802.11ah HaLow. Source: https://www.gateworks.com/802-11ah-halow-long-range-low-power-wireless-for-iot/

ESP32 Bus Pirate: Turn your ESP32 into a Multi-Purpose Hacker Tool

Thank you to "Geo" for writing in and sharing with us his open source project called "ESP32-Bus-Pirate", which he thinks might be of interest to those in the RTL-SDR community. The ESP32 is a popular low-cost microcontroller because it has WiFi and Bluetooth capabilities built in. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in hardware radio components to achieve various interesting feats. Geo writes:

This firmware turns an inexpensive ESP32-S3 board into a multi-protocol debugging and hacking tool, inspired by the original Bus Pirate and the Flipper Zero.

It currently supports a wide range of protocols and devices, including I²C, SPI, UART, 1-Wire, CAN, infrared, smartcards, and more. It also communicates with radio protocols such as Sub-GHz, RFID, RF24, WiFi, and Bluetooth.

Compared to existing solutions, the focus is on:

Accessibility — runs on cheap ESP32-S3 hardware (around $7–$10).

Versatility — one device can probe, sniff, and interact with multiple buses.

Extensibility — open-source and modular, making it easy to add new protocol support.

I believe this could be useful for hardware hackers, security researchers, and hobbyists looking for a low-cost, flexible alternative to commercial tools.

With the firmware installed on a compatible ESP32 device, it is possible to create WiFi, Bluetooth, and RF24 sniffers, scanners, and spoofers, as well as perform general sub-GHz and RFID sniffing, scanning, and replay attacks. It also has a host of non-RF capabilities useful for hacking devices.

ESP32-Div: An ESP32 Based Swiss Army Knife for Wireless Networks

On his blog, Cifer has posted about a new device that he's created called "ESP32-Div." ESP32-Div is a multi-featured wireless analysis device for WiFi, Bluetooth, 2.4 GHz, and sub-GHz signals. While ESP32-Div is not based on SDR technology, it is still an interesting device for wireless hackers to discuss.

ESP32-Div can monitor WiFi packets, spam fake WiFi access points, scan for deauth attacks, and scan nearby WiFi networks. For Bluetooth, it can jam, scan, spoof, and cause unintended behaviours on Apple devices via spoofing the AirDrop function. It can also be used as a general 2.4 GHz scanner and jammer. Finally, it can perform replay attacks and jam signals for sub-GHz signals.

The device consists of a custom PCB with an ESP32 and a built-in battery pack. A piggybacking shield adds 3x NRF24 modules for the 2.4 GHz features and a CC1101 module for the sub-GHz features.

Obviously, functions like jamming and spoofing are highly illegal in most countries, but it is interesting to see the capabilities available to anyone with these cheap chips and the right software.

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESPARGOS: An ESP32 Phased Array for Seeing WiFi

Recently, Florian Euchner, a research assistant at the Institute of Telecommunications at the University of Stuttgart, has released information about a project called ESPARGOS that he has been working on. ESPARGOS is a phased array of many patch antennas, each connected to an ESP32 WiFi microcontroller. Phased arrays enable interesting things like radio direction finding.

Combined with a bit of code, Florian can not only determine the direction of arrival of WiFi signals but, with enough patch elements, also create a live heatmap of the WiFi source overlaid on top of the video. We note that ESPARGOS is not based on software-defined radio; however, the overall concept and implementation are quite similar to KrakenSDR.

In the video embedded below, Florian explains the system and demonstrates it in action. He shows how the WiFi signal from a device can be visualized, how it can be used to track movement of the device behind a wall, how reflections from a directional antenna can be seen, and how a device can be triangulated with multiple arrays. Finally, Florian also shows how a device can be located with a single array, even in a high multipath environment, after a neural network is trained on the environment.

Florian writes:

More information is available on the project website of the ESP32 antenna array "ESPARGOS": https://espargos.net/

Source code for Python library + demos: https://github.com/ESPARGOS/pyespargos (directory "demos/camera" for "WiFi camera" demo)

As a research assistant at the Institute of Telecommunications at the University of Stuttgart, I work on multi-antenna systems like (distributed) massive MIMO, with a focus on wireless channel measurement platforms and algorithms for processing channel measurements (classical and deep learning-based).

One day, my (incredibly talented) colleague Marc Gauger suggested using ultra low-cost ESP32 chips instead of software defined radios for channel measurements. I was highly sceptical at first, but when he showed me a minimalistic prototype he had soldered together, I was intrigued by the idea of being able to demonstrate my algorithms in real time using WiFi signals. In a series of Bachelor's / Research theses, my excellent students Tim Schneider, David Engelbrecht and David Kellner helped me develop the ESP32 antenna array "ESPARGOS".

Measured CSI dataset used for AoA / TDoA visualization: https://espargos.net/datasets/data/espargos-0005/
AoA / TDoA localization source code (needs some minor modifications to be applied to espargos-0005 dataset): https://github.com/Jeija/ToA-AoA-Augmented-ChannelCharting/
Channel Charting source code for the animation in the video: https://github.com/Jeija/Geodesic-Uncertainty-Loss-ChannelCharting
Tutorial on Channel Charting: https://dichasus.inue.uni-stuttgart.de/tutorials/tutorial/dissimilarity-metric-channelcharting/

This ESP32 Antenna Array Can See WiFi

We note that while the software is open source, the array hardware itself is not. Florian has noted in a comment on his YouTube video that he is preparing a manufacturing run for ESPARGOS.

I am now preparing a manufacturing run for ESPARGOS. This involves some PCB redesigns to make the design more mass-manufacturable and to get the cost further down, and to get it certified. This will obviously take some time, but I will make sure to keep you updated. You can use the button on the website https://espargos.net/ to sign up for email updates, and I will also post updates via YouTube community notes.

DragonOS: BladeRF-wiphy Demonstration

Recently we posted about bladeRF-wiphy which is open source code that can turn a bladeRF software defined radio into a software defined WiFi access point. The bladeRF 2.0 is a relatively low cost SDR which costs $420 for the low end version. It is capable of both transmit and receive (2x2 MIMO) with a 47 MHz to 6 GHz frequency range and 61.44 MHz sampling rate.

Over on YouTube Aaron who created DragonOS has uploaded a video demonstrating bladeRF-wiphy in action. He writes:

This video demonstrates Nuand’s new open source 802.11 modem/FPGA available for the bladeRFxA9. Everything will be pre-included in DragonOS Focal to set up an open AP and hopefully whatever’s required for use within Kismet.

Minor configuration is needed for the open AP, while Kismet integration should be pretty straightforward.

This is an awesome addition to the bladeRF and I look forward to seeing what else is possible with this new open source 802.11 compatible modem!

DragonOS Focal BladeRF-wiphy w/ Open Wi-Fi AP and Splash page (bladeRFxA9)

bladeRF-wiphy: Open Source WiFi Access Point on a BladeRF

Back in August 2020 we posted about OpenWiFi, an open source implementation of the full IEEE 802.11/Wi-Fi stack for FPGA and SDR combo boards. Recently the team at Nuand have released their own WiFi implementation called "bladeRF-wiphy" for their bladeRF 2.0 software defined radio. The code is implemented in VHDL, which runs directly on the bladeRF's on-board micro xA9 FPGA.

The bladeRF-wiphy project is an open-source IEEE 802.11 compatible software defined radio VHDL modem. The modem is able to modulate and demodulate 802.11 packets (the protocol WiFi is based on), and run directly on the bladeRF 2.0 micro xA9’s FPGA.

The bladeRF-wiphy coupled with Linux mac80211 allows the bladeRF 2.0 micro xA9 to become a software defined radio 802.11 access point! 802.11 packets (PDUs) are modulated and demodulated directly on the FPGA, so only 802.11 packets are transferred between the FPGA and libbladeRF.