ESP32 Marauder · Volume 1
ESP32 Marauder Firmware Volume 1 — Series Overview, the Firmware-First Project, the Fork Landscape, and a Decision Tree
What Marauder is, what it isn't, the four-fork landscape, where it already runs in tjscientist's lab, and depth indices into Vols 2–12
1. About this volume
This is the overview volume of a twelve-volume engineer-grade deep dive into the ESP32 Marauder firmware ecosystem — Justin “JustCallMeKoko” Cohen’s open-source Wi-Fi/BLE pentest stack and the canonical handheld hardware the community designed around it. The target reader is a working hardware/RF engineer who already knows how 802.11 management frames are shaped, what an EAPOL 4-way handshake looks like, what BLE advertising packets carry, and who wants to use Marauder as a bench-grade Wi-Fi/BLE tool — not a script-kiddie button-press demo.
This project’s center of gravity is the firmware. tjscientist owns no Koko-branded Marauder hardware — but he runs the Marauder firmware every week on hardware he does own: the AWOK Dual Touch V3 module (Device Info reads HW V6.1, ESP-IDF V5.5.1-710, Marauder release v1.12.x as of 2026-05-12) and the Flipper Zero WiFi Devboard. The Marauder canon — what the firmware does, how the menus work, what the forks add, what the SD-card layout looks like — applies now, before any new hardware purchase. The Koko reference handhelds (Marauder Mini, v6/v6.1) are an aspirational adjunct, tracked in Vol 2 against the day they’re needed as the firmware author’s own test bed.
Vols 2–12 go deep into specific subsystems; this volume’s job is to anchor the series and tell the reader which volume to read next based on what they actually want to do.
This volume specifically does not teach the menu structure (Vol 3), the per-attack details (Vols 4–6), the fork comparison in full (Vol 7), the SD card layout (Vol 8), the host-side analysis pipeline (Vol 9), the build toolchain (Vol 10), or operational posture (Vol 11). It teaches what Marauder is, what it isn’t, where in the rest of the series to go for each of those things, and how to read the depth indices in §11.
2. What ESP32 Marauder is
Marauder is a menu-driven open-source firmware for ESP32-family microcontrollers that turns an ESP32 development board into a self-contained Wi-Fi and Bluetooth security tool. From a single small device with a TFT or OLED, a couple of buttons, and an SD card slot, the operator can:
- Scan Wi-Fi APs and clients, capture probe requests, sniff beacon frames, capture EAPOL 4-way handshakes and PMKID material.
- Attack Wi-Fi networks with deauth frames, beacon-spam SSID floods, probe-response karma-style traps, and captive-portal credential harvesting (“Evil Portal”).
- Scan Bluetooth — BLE advertising scans, AirTag detection (in some forks), BT-classic discovery on classic ESP32 silicon.
- Attack Bluetooth — BLE-spam (Sour Apple, Swiftpair, Easysetup, Samsung pairing-prompt floods).
- Log everything to SD card in standard formats (pcap, csv) for offline analysis.
- Run entirely standalone, on battery, with no host computer — but also report telemetry over USB serial when one is connected.
In a Wi-Fi-utility taxonomy:
- A commercial pentest platform (Wi-Fi Pineapple, Hak5 stuff) presents a polished web UI for client engagements, supports Wi-Fi 6, costs $200–$400, and is designed for “billable hour” workflows.
- A laptop with a monitor-mode card (Alfa AWUS036ACM + aircrack-ng/bettercap/hashcat) is the full-power solution — every attack Marauder can do, plus everything it can’t, but you’re tethered to a laptop.
- Marauder is the handheld in between — costs $30–$80 of hardware, runs from a coin-pocket-sized battery, supports a respectable subset of the laptop’s attacks, and is small enough to carry into “site-survey while pretending to be a customer” scenarios that the laptop and the Pineapple are both too obvious for.
The product line has been called the reference open-source ESP32 Wi-Fi pentest firmware since around 2020. Marauder is the canonical stack — other ESP32 pentest firmwares are typically named in reference to it (Ghost ESP, Bruce, Bad Pinguino — all live in its orbit). When a third-party module vendor (AWOK Dynamics, Ruckus / Game Over, M5Stack with Cardputer ADV) ships an ESP32-based handheld and says “runs Marauder,” they mean a Marauder build targeted at their board variant.
2.1 Firmware first, hardware second
This is the load-bearing distinction this project makes — and the reason the folder is named ESP32 Marauder Firmware/ rather than ESP32 Marauder/.
The Marauder firmware (github.com/justcallmekoko/ESP32Marauder) is a single open-source codebase that supports a large catalog of ESP32-family boards via PlatformIO build environments. JustCallMeKoko also designs and sells hardware — his own handheld designs (Marauder Mini, v6, v6.1, the “Flipper Mini” pocket variant) via Tindie and vendor channels. The two are coupled at the firmware-build level (each Koko board has its own PlatformIO environment) but they are independently consumable: you can buy Koko’s hardware and run mainline firmware, or you can buy any other ESP32 dev board the firmware supports and run Marauder on that.
In tjscientist’s lineup, the firmware-first stance is already true on the bench: Marauder is running today on a third-party module (AWOK Dual Touch V3) and on the Flipper Zero’s WiFi Devboard. Buying Koko hardware is a future decision that may or may not happen — but the firmware fluency built up by reading this series applies immediately, regardless of that purchase.
2.2 The five-year origin story
Briefly, because the lineage informs which docs are current vs which are deprecated:
| Year | Event |
|---|---|
| 2020 | First public Marauder commits by Koko. Initial target: Heltec WiFi Kit 32. UI is button-driven menus on a small OLED. Wi-Fi scan/attack only; no Bluetooth. |
| 2021 | Mass-adoption begins. Display abstraction generalized to TFT. SD card support added. Evil Portal first ships. Deauth and beacon spam reach feature-complete in mainline. |
| 2022 | Bluetooth subsystem added (BLE scan, BT-classic where supported). Web flasher (flasher.marauder.maurersystems.com) goes live — eliminates the PlatformIO setup hurdle for end users. The Marauder Mini hardware ships from Koko’s Tindie store. |
| 2023 | Ghost ESP fork (Spooks4576) emerges. Adds BLE-spam (Sour Apple) and a richer attack catalog. Becomes the de-facto answer to “how do I get Apple-device BLE spam?” Marauder mainline begins to lag in raw feature count vs Ghost ESP. |
| 2024 | Bruce fork (pr3y) takes a different direction: multi-firmware-on-one-device, focused on multi-modal handhelds (Cardputer-style devices). M5Stack ships a Cardputer build that integrates Marauder + RF430 sub-GHz on one box. v6 / v6.1 Koko hardware reaches maturity. |
| 2025 | Mainline Marauder consolidates around ESP32-S3 silicon. Classic-ESP32 (ESP32-WROOM) support continues but is treated as legacy. AirTag detection appears in some forks (not mainline). |
| 2026 | Current state. Mainline v1.12.x. Marauder runs on ~15 documented board variants via PlatformIO environments. Ghost ESP and Bruce remain the two notable parallel forks; the wider ESP32 pentest landscape (Evil-M5Project, Bad-Pinguino, GhostESP-S3 / GhostESP-Mini variants) all trace back to Koko’s mainline at some commit. |
Critical for navigating community docs: most “ESP32 Marauder” YouTube tutorials older than 2024 assume classic-ESP32 hardware (ESP32-WROOM-32) — they reference behaviors that don’t map cleanly to ESP32-S3 targets. The menu structure is similar enough to confuse beginners. When in doubt, check the upload date and whether the tutorial mentions marauder_v6_1 (= current S3 target) or marauder_dev_board_pro (= legacy WROOM target).
2.3 Where Marauder sits in the lineup
In tjscientist’s lab specifically, Marauder fills the handheld Wi-Fi/BLE recon-and-spam slot. Pairings against the rest of the Hack Tools lineup:
- Marauder + Flipper Zero (AWOKflip) — Flipper handles RF / RFID / NFC / IR / BadUSB / iButton, plus serial console pass-through to the Marauder-running AWOK V3 mounted on its GPIO header. Marauder handles Wi-Fi / BLE.
- Marauder + HackRF One (porta) — HackRF for arbitrary RF down to 1 MHz, GHz-band sniffing without firmware constraints. Marauder for the protocol-layer Wi-Fi/BLE work that HackRF’s raw I/Q is overkill for.
- Marauder + Bus Pirate 6 — non-overlapping. BP6 is wired-protocol bring-up; Marauder is wireless.
- Marauder + GL-iNet GL-BE3600 — overlap exists. The BE3600 is a Wi-Fi 7 OpenWrt platform with full monitor-mode adapters available — it can do everything Marauder can do, plus 5 GHz, plus client-mode bridge attacks. The BE3600 wins for sustained engagements; Marauder wins for covert form factor.
- Marauder + AWOK Dual Touch V3 — literally the same thing. The AWOK V3 module is a Marauder host. The Marauder firmware runs on its dual ESP32-WROOM chips. The AWOK V3 deep dive at ../AWOK Dual Touch V3/03-outputs/AWOK_Dual_Touch_V3_Complete.html covers the platform-specific Marauder experience (the resistive touchscreen UI, the dual-board layout, the AWOK companion FAP); this series covers the firmware itself in a platform-neutral way. Cross-references between the two are bidirectional.
3. The hardware-firmware split
Two distinct things this project tracks:
- The firmware — feature catalog, build process, fork lineage, per-board build configs, SD card layout, attack/scan subsystem implementations.
- The hardware — JustCallMeKoko’s own handheld designs (Marauder Mini, v6/v6.1, Flipper Mini pocket variant), plus DSTIKE Watch and other community-built reference platforms.
The firmware is the common ground — every host platform Marauder runs on uses the same source tree, the same menu structure, the same SD-backed save format. The hardware varies: classic-ESP32 vs ESP32-S3, OLED vs TFT, button vs touchscreen vs joystick, single-radio vs dual-radio vs multi-radio (with NRF24L01 / CC1101 daughter slots).
3.1 What runs Marauder right now in tjscientist’s lab
| Platform | Marauder host? | Status | Notes |
|---|---|---|---|
| AWOK Dual Touch V3 (mounted on AWOKflip) | Yes — daily driver | Owned · running v1.12.x | Dual ESP32-WROOM (classic, not S3), resistive touch (ILI9341 + XPT2046), on-board GPS, microSD slot at top-center. Either of the dual ESP32s can independently run Marauder, Ghost ESP, or Bruce. Device Info: HW V6.1, ESP-IDF V5.5.1-710. See ../../../AWOK Dual Touch V3/03-outputs/AWOK_Dual_Touch_V3_Complete.html §§ 4-6 for the platform-specific Marauder experience. |
| Flipper Zero WiFi Devboard | Yes — secondary | Owned · sporadic use | ESP32-S2-WROVER on a Flipper-shaped daughter board. Form factor is “module-on-Flipper”, not standalone — the Flipper relays the serial over the GPIO header. Less polished Marauder experience than the AWOK V3; primarily kept on hand for the Flipper-side BadUSB ecosystem. See ../../../Flipper Zero/ and the WiFi Devboard module page. |
| Cardputer ADV (with Marauder build) | Possible — aspirational | Aspirational | M5Stack ESP32-S3 handheld with QWERTY. Bruce fork is the more common build here; pure-Marauder is supported via PlatformIO env. See ../../../M5Stack Cardputer ADV/03-outputs/cardputer_adv_deep_dive.html § 9. |
| Ruckus Game Over | Maybe — via vendor fork | Owned · not running pure Marauder | Game Over ships a closed-source vendor fork that derives from Marauder but isn’t kept in sync with mainline. Treat it as a separate firmware that happens to look familiar. See ../../../Ruckus Game Over/03-outputs/game_over_complete.html Vol 5. |
3.2 The reference hardware family (forward-ref Vol 2)
When/if tjscientist wants the canonical Marauder experience — the hardware the firmware author actually develops and tests against — the options are:
- Marauder Mini (~$60-90 on Koko’s Tindie) — ESP32-S3, 320×240 TFT, microSD, single 18650 battery slot, three buttons. The most pocketable of the canonical platforms.
- Marauder v6 / v6.1 (~$100-150) — full-size handheld, larger battery, more robust antenna mount, brighter TFT. The vendor-recommended platform for “I want the best Marauder experience” buys.
- Flipper Mini variant (~$70) — pocket-form-factor handheld styled to fit alongside a Flipper. Tindie-specific SKU.
- DSTIKE Watch (~$45-60) — alternative vendor; ESP32 (classic) in a wrist-watch form factor with a small OLED. Runs Marauder with display patches. Tradeoff: tiny screen, novelty form factor.
Vol 2 walks the schematic-grade hardware for v6.1 and the Mini, plus the cross-platform table for what each module variant exposes.
4. The fork landscape (teaser — full in Vol 7)
Marauder is the upstream, but multiple downstream forks ship features that mainline doesn’t. The fork choice depends on which features matter for the current job. Vol 7 has the full comparison — this is the orientation map.
4.1 Marauder mainline (Koko)
Repo: github.com/justcallmekoko/ESP32Marauder. License: GPLv3.
Best for: stable feature set, widest hardware support, the firmware tjscientist already runs on the AWOK V3. Mainline is the canon. When in doubt, start here.
Tradeoffs: conservative feature set. New attacks land in forks first (Ghost ESP particularly), then sometimes get back-ported to mainline. Some features are deliberately kept out — e.g., the more aggressive BLE-spam variants live in Ghost ESP because Koko is cautious about pairing-prompt floods that can brick iOS devices in worst-case scenarios.
4.2 Ghost ESP (Spooks4576)
Repo: github.com/Spooks4576/Ghost_ESP. License: GPLv3 (forked from Marauder).
Best for: maximum feature count, especially BLE-spam variants (Sour Apple, Swiftpair, Easysetup, Samsung pairing-prompt). Larger attack catalog generally. More polish on the visualization side — e.g., signal-strength bar graphs that mainline doesn’t render.
Tradeoffs: less hardware support than mainline (Spooks4576 prioritizes a smaller set of boards he actually tests on). Sometimes flakier — newer features land before edge-case stability work. The Wired Hatters Banshee ships GhostESP as its default firmware — when reading Banshee material, “GhostESP” and “Ghost ESP” both refer to this fork.
4.3 Bruce (pr3y)
Repo: github.com/pr3y/Bruce. License: AGPLv3.
Best for: multi-device handhelds where one piece of hardware needs to do many things. Bruce is structured as a meta-firmware — it presents a top-level menu that exposes Marauder-class attacks, sub-GHz tools, IR tools, RFID tools, BadUSB tools, all from one boot. Cardputer ADV and Lilygo T-Embed are common Bruce targets.
Tradeoffs: largest binary footprint (won’t fit on small flash chips), more buttons-to-learn, the multi-modal UI sometimes obscures the specific Wi-Fi/BLE attack workflows that mainline + Ghost ESP foreground.
4.4 Bad Pinguino and other narrow forks
Bad Pinguino: single-screen “do one attack well” approach. Useful as a demo / training tool — strips Marauder down to one attack, makes it impossible to accidentally fire the wrong one. Niche.
GhostESP-S3 / GhostESP-Mini variants: board-specific repackagings of GhostESP for particular hardware. Watch the upload date and the README — these are sometimes orphan forks of orphan forks.
Evil-M5Project / Evil-S3: M5Stick-specific firmware family. Not strictly a Marauder fork — they share some attack code but have a different UI lineage. Mentioned here so the reader doesn’t conflate them. Covered in ../M5Stick S3/ when that platform is in play.
4.5 When to switch
Pragmatic rule:
- Start on mainline — most stable, most documented, most likely to be the firmware shipped pre-flashed on whatever module you bought.
- Switch to Ghost ESP if you need BLE-spam variants beyond what mainline ships, or signal-strength visualizations, or want the absolute largest attack catalog.
- Switch to Bruce if your hardware is genuinely multi-modal (Cardputer, T-Embed, similar) and you want one boot to expose all of it. Don’t switch to Bruce on a single-purpose Marauder host — you’ll be paying the multi-modal overhead for no benefit.
- Stay on the vendor fork if your hardware is something like the Ruckus Game Over where the vendor fork ships features (CC1101 sub-GHz integration, NRF24 daughterboard control) that mainline doesn’t have.
Vol 7 has the full feature-by-feature comparison with build-time considerations.
5. Capability matrix — what Marauder can/cannot do
| Capability | Marauder mainline | Notes |
|---|---|---|
| Wi-Fi AP scan (2.4 GHz) | Yes | All channels, region-flag dependent (US: 1–11; intl: 1–13/14) |
| Wi-Fi AP scan (5 GHz) | No | ESP32 / ESP32-S3 radio is 2.4-only. Requires ESP32-C5 silicon (see ../AWOK ESP32 C5/) or the Wired Hatters Banshee’s C5+S3 combo. |
| Probe request sniffer | Yes | Captures probe requests with source MAC + SSID + RSSI. Saves to SD as csv or pcap. See Vol 4 § 2. |
| Beacon sniffer | Yes | Captures AP beacons; built-in SSID enumeration. Vol 4 § 3. |
| EAPOL handshake capture | Yes | Capture 4-way handshake on monitor mode + channel-locked. Hashcat 22000 prep. Vol 4 § 5. |
| PMKID capture | Yes | Opportunistic from beacon RSN IE. Vol 4 § 4. Common with KRACK-vulnerable routers. |
| Deauth attack | Yes (gated by build flag) | Some mainline builds ship with deauth disabled by default. Vol 5 § 2. |
| Beacon spam | Yes | Configurable SSID list from SD card (beacons.txt). Rick Roll, Funny Names, random MAC. Vol 5 § 3. |
| Probe spam | Yes | Targeted probe-request flooding. Less commonly used. Vol 5 § 4. |
| Evil Portal | Yes | Captive-portal credential-capture harness. HTML on SD card. Vol 5 § 5. |
| Karma-style probe response | Partial | Mainline does basic; Ghost ESP has more aggressive variant. Vol 5 § 4. |
| BLE scan | Yes | Advertising-packet capture with RSSI + manufacturer data parse. Vol 6 § 2. |
| BLE spam — Sour Apple | Ghost ESP only | iOS BLE pairing-prompt flood. Not in mainline (intentional). Vol 6 § 3. |
| BLE spam — Swiftpair | Ghost ESP only | Windows BLE pairing-prompt flood. Vol 6 § 3. |
| BLE spam — Easysetup / Samsung | Ghost ESP only | Galaxy pairing-prompt flood. Vol 6 § 3. |
| AirTag detection | Bruce / Ghost ESP only | Apple Find My-style proximity tag scan. Vol 6 § 4. |
| BT-classic scan | ESP32-classic only | ESP32-S3 has no BT-classic radio (BLE only). Vol 6 § 5. |
| Sub-GHz attacks | No | Requires CC1101 daughter (Game Over) or external transmitter (Flipper SubGHz, HackRF). |
| NFC / RFID attacks | No | Not the right tool; see Flipper / Proxmark3. |
| WPA cracking (on-device) | No | Crack offline on host with hashcat 22000. Marauder captures; host cracks. Vol 9 § 4. |
| 5 GHz capture (in-band) | No | Hard hardware limit; see the Wi-Fi AP scan (5 GHz) row above. |
| Wi-Fi 6 / 6E | No | Same hardware limit; not relevant for handshake/probe-request workflows. |
The matrix above is the quick orientation. Each line forward-refs into the volume that has the implementation depth.
6. Decision tree — when to reach for Marauder
Need wireless 2.4 GHz Wi-Fi or BLE recon/attack?
- No → use a different tool (HackRF for arbitrary RF; Bus Pirate for wired; Proxmark/Flipper for RFID/NFC)
- Yes ↓ Have a Marauder host on hand? (AWOK V3, Flipper Devboard, Cardputer-w-Marauder, Koko hw)
  - No → flash a Marauder build to a $30 ESP32-S3 dev board via the web flasher (Vol 10 § 3) — fastest path
  - Yes ↓ Need a feature mainline lacks? (BLE-spam, AirTag detect, richer visualization)
    - No ↓ Mainline, current tag. Read the subsystem volume for your task: Vol 4 (scan) / Vol 5 (attack) / Vol 6 (Bluetooth) → Vol 9 for the host-side analysis
    - Yes → switch to Ghost ESP (Vol 7 § 3) or, if multi-modal hw, Bruce (Vol 7 § 4)
The most common path in practice: AWOK V3 is already plugged into the AWOKflip, already running mainline Marauder v1.12.x, already has an SD card mounted. tjscientist opens the menu, runs the relevant scan or attack, retrieves the SD card, and processes the captures on a workstation per Vol 9.
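The workstation step above starts with knowing what a capture file actually holds. The following is an added example, not code from Marauder or from this series: it inventories a classic pcap by 802.11 frame kind and labels EAPOL-Key frames M1 to M4 from WPA2-style key-info flags. It assumes the capture's link type is 105 (raw 802.11) or 127 (radiotap); the helper names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

MGMT = {4: "probe_request", 5: "probe_response", 8: "beacon", 12: "deauth"}
EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header carrying EtherType 0x888e


def iter_pcap(data):
    """Yield (linktype, frame) for each complete record in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):    # little-endian file (usec / nsec timestamps)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # big-endian file
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:            # last record cut short, e.g. power lost mid-write
            break
        off += 16 + incl_len
        yield linktype, frame


def classify(frame):
    """Name a raw 802.11 frame by kind; unencrypted EAPOL-Key frames get a message number."""
    if len(frame) < 2:
        return "short"
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype == 0:
        return MGMT.get(subtype, "mgmt_other")
    if ftype != 2:
        return "control_or_ext"
    hdr = 24
    if fc1 & 0x03 == 0x03:                   # ToDS + FromDS: four-address header
        hdr += 6
    if subtype & 0x08:                       # QoS data: 2-byte QoS control field
        hdr += 2
        if fc1 & 0x80:                       # Order bit on a QoS frame: 4-byte HT control
            hdr += 4
    if fc1 & 0x40:                           # Protected bit: payload is encrypted
        return "data_protected"
    body = frame[hdr:]
    if body[:8] != EAPOL_SNAP or len(body) < 15 or body[9] != 3:  # EAPOL type 3 = Key
        return "data"
    key_info = struct.unpack(">H", body[13:15])[0]
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack:                                  # Key Ack is set only by the AP (M1, M3)
        return "eapol_m3" if mic else "eapol_m1"
    return "eapol_m4" if secure else "eapol_m2"   # WPA2 assumption: M4 sets Secure


def triage(pcap_bytes):
    """Count frame kinds in a capture with link type 105 or 127."""
    counts = Counter()
    for linktype, frame in iter_pcap(pcap_bytes):
        if linktype == 127:                  # radiotap: skip its self-declared header length
            rt_len = struct.unpack("<H", frame[2:4])[0] if len(frame) >= 4 else len(frame)
            frame = frame[rt_len:]
        elif linktype != 105:
            raise ValueError(f"unsupported link type {linktype}")
        counts[classify(frame)] += 1
    return counts


# --- Constructed sample capture (not real traffic) ---
def make_hdr(fc0, fc1=0):
    # 24-byte header: frame control, duration, three locally administered MACs, sequence
    return bytes([fc0, fc1, 0, 0]) + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00"

def make_eapol(key_info):
    # FromDS data frame + SNAP + EAPOL-Key (version 2, type 3, length 95, descriptor 2)
    return (make_hdr(0x08, 0x02) + EAPOL_SNAP + bytes([2, 3, 0, 95, 2])
            + struct.pack(">H", key_info) + bytes(92))

def make_pcap(frames, linktype=105):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([make_hdr(0x80), make_hdr(0x40),
                    make_hdr(0xC0) + b"\x07\x00", make_hdr(0xC0) + b"\x07\x00",
                    make_eapol(0x008A), make_eapol(0x010A)])

if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```

The same counts are useful when reviewing a sensor capture: a burst of deauth frames followed by fresh M1/M2 pairs is worth a closer look.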
7. Hardware at a glance (forward-ref Vol 2)
The full hardware walk is Vol 2. The summary for orientation:
| Aspect | ESP32-classic target (e.g., Marauder Dev Board Pro) | ESP32-S3 target (e.g., Marauder v6.1) |
|---|---|---|
| MCU | ESP32-WROOM-32 (Xtensa LX6, 2 cores @ 240 MHz, 520 KB SRAM) | ESP32-S3-WROOM-1 (Xtensa LX7, 2 cores @ 240 MHz, 512 KB SRAM, 8 MB PSRAM optional) |
| Wi-Fi | 2.4 GHz only, 802.11 b/g/n | 2.4 GHz only, 802.11 b/g/n |
| Bluetooth | BT 4.2 (classic + BLE) | BT 5.0 (BLE only — no BT classic) |
| Flash | 4 MB typical | 8 MB or 16 MB typical |
| Display | OLED or small TFT | Larger TFT (320×240 / 320×320) |
| USB | UART bridge (CP210x or CH340) | Native USB-OTG |
| Brownout under TX-spam | Common | Less common (better TX PA design) |
The classic-ESP32 targets are legacy — still supported, still flashed daily, but new feature work prioritizes S3 silicon. Long-form treatment: Vol 2.
8. Firmware at a glance (forward-ref Vol 3)
Vol 3 walks the firmware architecture in detail. Top-level orientation:
- Build system: PlatformIO project, platformio.ini carries the per-board environment matrix. Arduino IDE is supported but less convenient.
- Top-level dispatcher: src/MenuFunctions.cpp — switch on the current menu state, render menu items, route button presses.
- Per-feature files: one .cpp per major subsystem (WiFiScan.cpp, EvilPortal.cpp, BluetoothScan.cpp, Settings.cpp, SDInterface.cpp).
- Display abstraction: TFT_eSPI for most TFTs; per-board pin assignments in the PlatformIO env. Adafruit_GFX is the fallback.
- SD interface: standard SD.h from Arduino; the firmware mounts /marauder/ at startup, creates pcaps/, evil_portal/, etc., if they don’t exist.
- Settings persistence: settings.txt on SD; small key/value format.
The build matrix lives in platformio.ini; Vol 3 § 4 catalogues every shipping environment with target board, MCU silicon, and notable build flags.
9. tjscientist’s current Marauder fleet
Per MY_GEAR/inventory.yaml (read on 2026-05-13):
| Unit | Host platform | Firmware | Display | Status |
|---|---|---|---|---|
| AWOK Dual Touch V3 (on AWOKflip) | Dual ESP32-WROOM (classic) on Flipper-shaped module | Marauder mainline v1.12.x; HW V6.1; ESP-IDF V5.5.1-710 | ILI9341 + XPT2046 resistive touch (2.4″) | Daily driver — primary Marauder bench |
| Flipper WiFi Devboard | ESP32-S2-WROVER | Marauder mainline (date TBD) | None standalone (Flipper passes through serial) | Secondary; sporadic |
Not yet in the fleet (aspirational):
- Marauder Mini (Koko)
- Marauder v6 / v6.1 (Koko)
- DSTIKE Watch
- Wired Hatters Banshee (out of stock as of 2026-05-13; will ship with GhostESP, not Marauder mainline)
- AWOK ESP32 C5 (form factor unannounced; pricing TBD)
- Nyan Box (aspirational; multi-radio with NRF24L01 array; runs vendor fork derived from Marauder)
10. Comparison to other ESP32 pentest firmware
Marauder is the Wi-Fi-and-BLE-focused member of a broader ESP32 pentest-firmware family. Other notable family members tjscientist might encounter:
| Firmware | Focus | Marauder relationship |
|---|---|---|
| WiFi Deauther (spacehuhn, 2018) | Pure Wi-Fi deauth + minimal beacon spam | Pre-Marauder. Mostly retired; Marauder superseded it. Some legacy hardware still ships with it pre-flashed. |
| Pwnagotchi (evilsocket) | AI-themed handshake harvester running on Raspberry Pi Zero W (NOT ESP32) | Different platform entirely; mentioned because operators confuse them. Pwnagotchi is the long-running passive sniffer; Marauder is the active handheld. |
| Bjorn | Pwnagotchi-styled handheld with active recon | Different platform; somewhat parallel to Marauder in spirit but with a different attack catalog. |
| ESP32 Wi-Fi Penetration Tool (risinek) | Pure command-line handshake/PMKID capture, no UI | Predates / parallel-evolves with Marauder. Useful when you want a headless ESP32 sniffer with no menus. |
| Evil-M5Project / Evil-S3 | M5Stick-specific multi-protocol firmware (Wi-Fi + IR + RFID where supported) | Distant cousin. Shares some attack code with Marauder via copy-paste lineage. Not a fork. |
| Bruce | Multi-modal handheld meta-firmware (covered in § 4.3) | Marauder fork — includes Marauder’s attack catalogue + adds sub-GHz / IR / RFID. |
| Ghost ESP | Wi-Fi/BLE pentest, expanded attack catalog (covered in § 4.2) | Marauder fork — expands Marauder’s attacks; same general scope. |
The decision tree from § 6 still applies: start at Marauder mainline, switch out only if a specific feature gap drives it.
11. Depth indices into Vols 2–12
Read this list when you have a specific task in mind and want to jump to the right volume. Each entry names the task, the volume, and the specific section.
Hardware
- I’m shopping for Marauder-canonical hardware → Vol 2 §§ 2-5 (Koko’s family + DSTIKE).
- What’s the BoM cost of building my own Marauder host? → Vol 2 § 7.
- Which third-party module supports Marauder best? → Vol 2 § 6 + cross-ref to ../AWOK Dual Touch V3/ and ../Ruckus Game Over/ deep dives.
Firmware basics
- How is the firmware structured? What file does what? → Vol 3 §§ 2-4.
- How do I read the menu structure from the code? → Vol 3 § 5.
- How does the SD-card save/load work? → Vol 3 § 7 + Vol 8 in full.
Scanning
- I want to capture probe requests → Vol 4 § 2.
- I want to enumerate SSIDs in the area → Vol 4 § 3.
- I need a WPA2 handshake for hashcat → Vol 4 § 5 + Vol 9 § 4.
- I need PMKID material → Vol 4 § 4 + Vol 9 § 4.
- Channel hopping vs static channel? → Vol 4 § 7.
Attacking
- Deauth a single AP → Vol 5 § 2.
- Beacon spam an SSID list → Vol 5 § 3 + Vol 8 § 4 (SSID list format).
- Run Evil Portal → Vol 5 § 5 + Vol 8 § 5 (portal HTML format).
- Karma-style probe response → Vol 5 § 4.
Bluetooth
- Scan BLE advertising → Vol 6 § 2.
- Sour Apple iOS spam → Vol 6 § 3.1 (Ghost ESP).
- Swiftpair Windows spam → Vol 6 § 3.2 (Ghost ESP).
- Detect AirTags nearby → Vol 6 § 4 (Bruce / Ghost ESP).
Forks
- Which fork should I be on right now? → Vol 7 § 2 (decision tree) + Vol 1 § 4.5 (this volume).
- Feature-by-feature comparison of all four forks → Vol 7 § 3.
- How do I migrate from mainline to Ghost ESP without losing my SD-card content? → Vol 7 § 5 + Vol 8 § 7.
SD card / customization
- Full SD layout → Vol 8 § 2.
- Edit the Evil Portal HTML → Vol 8 § 5.
- Beacon-spam SSID list format → Vol 8 § 4.
Capture analysis
- pcap → Wireshark workflow → Vol 9 § 2.
- pcap → hashcat for handshake/PMKID → Vol 9 § 4.
- Probe-request clustering / who’s-looking-for-what → Vol 9 § 5.
- bettercap integration → Vol 9 § 6.
Building from source
- Set up PlatformIO → Vol 10 § 2.
- Build for my specific board → Vol 10 § 3.
- Add a new attack → Vol 10 § 5.
- Fork the firmware for downstream maintenance → Vol 10 § 6.
Operational posture
- What does Marauder look like to a Wi-Fi IDS? → Vol 11 § 2.
- Regional channel-plan considerations → Vol 11 § 3.
- Power profile / battery sizing for sustained attacks → Vol 11 § 4.
- Thermal behavior under continuous TX → Vol 11 § 5.
Cheatsheet
- One-page laminate-ready field card → Vol 12 (the entire volume).
12. Resources
Primary
- Marauder repo: https://github.com/justcallmekoko/ESP32Marauder
- Marauder wiki: https://github.com/justcallmekoko/ESP32Marauder/wiki
- Marauder web flasher: https://flasher.marauder.maurersystems.com/
- JustCallMeKoko Tindie store: https://www.tindie.com/stores/justcallmekoko/
Forks
- Ghost ESP: https://github.com/Spooks4576/Ghost_ESP
- Bruce: https://github.com/pr3y/Bruce
- Bad Pinguino: https://github.com/bmorcelli/Bad-Pinguino
Related platforms in this hub
- AWOK Dual Touch V3 deep dive:
- Ruckus Game Over deep dive:
- Flipper Zero WiFi Devboard coverage: ../../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html (search “Devboard”)
- M5Stack Cardputer ADV deep dive: ../../../M5Stack Cardputer ADV/03-outputs/cardputer_adv_deep_dive.html
- Wired Hatters Banshee (GhostESP target): ../../../Wired Hatters Banshee/
- AWOK ESP32 C5 (5 GHz target, aspirational): ../../../AWOK ESP32 C5/
Cross-tool resources
- Hack Tools comparison matrix: ../../../_shared/comparison.md
- Capability matrix (sortable): ../../../_shared/capability_matrix.html
- Legal / ethics: ../../../_shared/legal_ethics.md
Community references
- Marauder Discord (linked from the project README)
- Hak5 forum / Reddit r/HowToHack, r/ESP32 for build-specific questions
Hardware vendor channels
- Koko’s Tindie: https://www.tindie.com/stores/justcallmekoko/
- DSTIKE: https://dstike.com/
- AWOK Dynamics (Dual Touch V3, future C5 module): vendor Discord
- Where Marauder is shipping pre-flashed (varies by vendor): check each module’s product page
This is Volume 1 of a twelve-volume series. Next: Vol 2 walks the schematic-grade Marauder-canonical hardware (Koko’s v6.1 + Mini), the cross-platform hardware matrix for every documented host board, and the host-module ecosystem (AWOK V3, Game Over, Cardputer ADV) where the firmware also lives.