Comments ▾
Figures ▾
Tables ▾

M5Stick S3 · Volume 11

M5Stack M5StickS3 Volume 11 — Operational Posture

250 mAh battery realities, thermal under 1 W speaker, audio-bug legal landscape, Espressif OUI, chain-of-custody


11.1 About this volume

Vol 11 is the operational-posture synthesis for M5StickS3. Most considerations parallel the Cardputer ADV (Vol 11 there) — Wi-Fi attack detection, Espressif OUI fingerprinting, RF safety, chain-of-custody.

Figure 1 — An M5StickS3 on a scale reading 20 g, a reminder of the tiny-battery, pocket-carry realities this operational-posture volume weighs. Source: docs.m5stack.com.
Figure 1 — An M5StickS3 on a scale reading 20 g, a reminder of the tiny-battery, pocket-carry realities this operational-posture volume weighs. Source: docs.m5stack.com.

The M5StickS3-specific concerns that dominate this volume:

  1. The 250 mAh battery — fundamentally reshapes every engagement plan vs the Cardputer ADV’s 1750 mAh.
  2. The audio-bug legal landscape — the M5StickS3’s voice-recording capability + wearable + magnetic-back form factor creates legal exposure the Cardputer ADV doesn’t have at this risk level.
  3. Thermal under sustained audio playback — 1 W speaker continuous = real thermal load on a small device.

The “own the airspace + own the hardware target + know your audio-recording jurisdiction” rule is the operational frame.


11.2 Detection signatures across attack modes

Table 1 — 2. Detection signatures across attack modes

Attack modeSignatureDetection ease
Wi-Fi deauth (Bruce / Evil-M5Project)Burst of deauth frames sourced from spoofed AP MACTrivial — every Wi-Fi IDS has deauth-flood rules
Wi-Fi beacon spamRapid unique-SSID beacons; non-allocated OUI MACsTrivial
Evil Portal SoftAPNew open SSID; Espressif OUI MAC unless spoofed; HTTP Server: header reveals firmwareTrivial
BLE-spam Sour Apple (via Evil-M5 fork or Bruce)Rapid Apple-Continuity advertising; rotating BD_ADDRs but stable subtypesModerate — BLE-aware IDS detects
IR TV-B-GoneVisible IR LED blink; remote-controlled devices reactingEasy if anyone’s watching, otherwise silent
BadUSB HID injectionmacOS “Keyboard Setup Assistant” pops; Windows more permissiveModerate — UI-level detection on macOS
Audio playback (sustained at high volume)Acoustically detectable by anyone in rangeTrivial — any human in earshot hears it
Audio recording (passive)None on the wire; legal-detectable if jurisdiction has audio surveillance lawsWire-level: undetectable; legal-level: prosecutable in some jurisdictions
EAPOL handshake capture (pure passive)NoneUndetectable
PMKID capture (pure passive)NoneUndetectable

M5StickS3-unique in this table:

  • Audio playback is the loudest “attack” the M5StickS3 can do — and it’s not even an attack; it’s the device emitting sound. In covert scenarios, audio playback is the equivalent of a flashlight in stealth context.
  • Audio recording has no on-the-wire signature — but has strict legal-detectability in jurisdictions with audio surveillance laws (Vol 11 § 7).

Espressif OUI fingerprinting: same as Cardputer ADV — Espressif’s MAC OUI prefixes (F4:12:FA, EC:DA:3B, 34:85:18, FC:F5:C4, etc.) are how rogue-AP scanners spot Espressif-class hardware. Bruce’s “Spoof MAC” feature randomizes the OUI to a non-Espressif range, breaking this fingerprint. M5StickS3 firmwares should expose the same setting.


11.3 Regional rules (LoRa-free Stick — Wi-Fi/BLE focused)

The M5StickS3 has no LoRa (no Cap LoRa-1262 equivalent — no EXT bus). The LoRa regional rules from Cardputer ADV Vol 11 § 3 don’t apply.

Wi-Fi 2.4 GHz regional rules apply identically to any 2.4 GHz device:

Table 2 — Wi-Fi 2.4 GHz regional rules apply identically to any 2.4 GHz device

RegionFrequencyMax EIRPNotes
US (FCC §15.247)2400-2483 MHz+30 dBm (1 W) for FHSS/DSSS; +20 dBm (100 mW) typicalWi-Fi devices typically run +14-+20 dBm
EU (ETSI EN 300 328)2400-2483.5 MHz+20 dBm EIRPStrict
JP (ARIB STD-T66)2400-2483.5 MHz+20 dBm EIRPSimilar to EU
Other regionsSimilar variantsGenerally +20 dBm cap

The M5StickS3’s ESP32-S3 at +20 dBm (100 mW) is within all major-region limits. No EIRP-compliance gotcha like the Cap LoRa-1262’s EU g1 issue.

BLE 2.4 GHz rules: subset of Wi-Fi rules. BLE TX at +20 dBm is universally legal in ISM 2.4 GHz.


11.4 The 250 mAh battery posture

The constraint that defines M5StickS3 use cases.

11.4.1 Battery life math

Table 3 — Battery life math

ModeCurrent (mA)Battery life (250 mAh full charge)
Deep sleep (display off, radios off)~0.5 µAWeeks (theoretical)
Display backlight only (no Wi-Fi / radios)~50 mA~5 hours
Wi-Fi station idle connected~80 mA~3 hours
Wi-Fi scan continuous~120 mA~2 hours
Sustained Wi-Fi TX (deauth spam)~200-280 mA peak~50-60 minutes
Audio playback at low volume~150-200 mA~1.3-1.7 hours
Audio playback at full 1 W speaker output~280-320 mA peak~50 minutes
Audio recording (mic only, low display)~95 mA~2.5 hours
ESP-NOW walkie-talkie active~200-250 mA~1.0-1.2 hours
Wake-word detection idle~85 mA~3 hours

Pattern: every “active” mode drops battery life below 3 hours. Multi-hour engagements not feasible without USB-C power or external power bank.

11.4.2 Brownout posture

ESP32-S3 brownout detector trips at ~2.7 V (configurable). Under sustained TX-spam or full-volume audio on a weak battery:

  • Supply rail dips during current peaks
  • If dip exceeds threshold + hysteresis, SoC resets
  • Attack/audio “stops working” mid-session — actually the device rebooted

Mitigations:

  1. Fresh battery — 250 mAh degrades faster than larger cells; replace every 6-12 months for daily use.
  2. Known-good USB cable when on USB power.
  3. Lower audio volume if running audio simultaneously with Wi-Fi.
  4. Firmware-side rebuild with relaxed brownoutCONFIG_ESP_BROWNOUT_DET_LVL_SEL_5 in sdkconfig (Vol 10).

11.4.3 Practical operational wisdom

Table 4 — Practical operational wisdom

Use caseDurationM5StickS3 viable?
Quick site survey (<30 min)Short✓ Yes
Sustained passive scan (~2 hr)Moderate✓ Manage thermal + battery
Sustained Wi-Fi TX-spamLong✗ Battery limit; use Cardputer ADV
Multi-hour audio recordingLong✓ if mic-only (~2.5 hr); ✗ if playback
Continuous wake-word listeningHours✓ (~3 hr battery, near-free CPU)
USB-C tethered operationUnlimited✓ Removes battery limits
Wall-mount / desk-stand with USB powerAlways-on✓ Practical for HA / ESPHome use

Plan engagements <30 min for safety margin; <2 hr for scan-only.


11.5 Thermal under sustained audio + TX

M5StickS3’s small enclosure (48×24×15 mm) + sustained 1 W speaker + ESP32-S3 at 240 MHz = real thermal load.

After 15-20 minutes of continuous playback at full volume:

  • Case palpably warm to touch
  • ESP32-S3 die temperature ~80-90 °C (below 125 °C throttle but warm)
  • Speaker driver gets warm; cone displacement may drift if continuous high SPL
  • Battery may also warm (LiPos accept some heat but >40 °C accelerates aging)

Recommendations:

  • Take breaks: 15 min playback / 5 min rest cycles
  • Lower volume: 50% volume halves the power; thermal load drops proportionally
  • Don’t fully enclose: pocket use is OK because pockets breathe; sealed enclosures trap heat
  • Avoid direct sun: ambient temp + audio thermal load can exceed safe operating temp (>40 °C)

For continuous audio operation: lower volume + take breaks.


11.6 RF safety

+20 dBm (100 mW) max Wi-Fi/BLE — same as Cardputer ADV. Body-distance operation well within SAR safety limits.

Antenna: PCB-trace on the Stamp-S3A SIP package — cannot be disconnected accidentally. Open-load damage risk: minimal (PCB antenna can’t be unplugged like an SMA whip).

RF exposure: 100 mW is much lower than smartphone cellular (typically +33 dBm = 2 W peak) or microwave oven RF (kilowatts, far higher frequency). M5StickS3 RF emissions are negligible from a body-exposure perspective.


The most legally hazardous M5StickS3 use case.

11.7.1 US federal law

Federal Wiretap Act (Title III, 18 USC §§ 2510-2522): prohibits interception of “oral communications” — defined as private communications spoken with reasonable expectation of privacy.

Federal interpretation: “one-party consent” — if one party (the operator) consents to recording, it’s legal under federal law. Most federal investigations proceed under this.

Federal exceptions: recording where no party consents is always illegal under federal law, regardless of state law. Surveillance of others’ private conversations without participation = federal felony.

11.7.2 US state law (more restrictive than federal)

Two-party / all-party consent states: 11 US states (as of 2026-05-13) require all parties to consent before recording. Operating without all-party consent in these states is a criminal offense, typically a felony:

Table 5 — Two-party / all-party consent states: 11 US states (as of 2026-05-13) require all parties to consent before recording. Operating without all-party consent in these states is a criminal offense, typically a felony

StateStatuteNotes
CaliforniaCA Penal Code §§ 631, 632Strict; civil + criminal exposure
FloridaFL Stat. § 934.03Felony
Illinois720 ILCS 5/14-2”Eavesdropping” statute
MarylandMD Cts. Jud. Proc. § 10-402Strict
MassachusettsMass. Gen. Laws ch. 272 § 99”Recording in secret” prohibited
MontanaMont. Code Ann. § 45-8-213Strict
NevadaNRS 200.620Strict
New HampshireNH Rev. Stat. § 570-A:2Strict
Pennsylvania18 Pa. Cons. Stat. § 5704Strict
VermontVermont Supreme Court rulingsCommon-law-derived
WashingtonRCW 9.73.030”Privacy Act”

The other 39 US states use one-party consent. Recording in those is legal as long as the operator is a party to the conversation.

11.7.3 EU + UK

GDPR (Regulation 2016/679): voice is personal data. Recording voice without lawful basis (consent / legitimate interest / legal obligation) is a regulatory violation. Penalties up to 4% of global annual revenue for organizations; criminal exposure under national laws for individuals.

UK Investigatory Powers Act 2016: regulates electronic interception. Strict criminal penalties for unauthorized interception.

National variations: each EU member state has slightly different rules.

  • Germany (StGB § 201): “Spoken word” prohibition — strict.
  • France: similar one-party consent + GDPR overlay.
  • Italy: strict; criminal exposure.
  • Netherlands: one-party consent.

11.7.4 Other jurisdictions

  • Canada: Criminal Code § 184 — one-party consent.
  • Australia: state-by-state. Generally restrictive (similar to two-party consent).
  • Japan: Wiretap Act prohibits private-conversation recording without consent. Cultural norm: even one-party recording is socially censured.
  • Singapore: similar to UK/Australia.
  • Russia / China / restrictive regions: assume strict prohibitions + severe consequences (criminal + administrative).

11.7.5 Operational rule for M5StickS3 covert-audio use

The M5StickS3 can technically be deployed as a covert audio recorder. The operator must not, except under explicit authorization.

Practical operational discipline:

  1. Know your jurisdiction — US state of operation drives the rule. EU jurisdiction drives the rule. Travel jurisdictions matter.
  2. Document authorization — written, signed, scope-specified, before engagement starts.
  3. Time-box — shorter is safer.
  4. Don’t deploy in spaces where third parties might be present without all-party consent: schools, hospitals, courthouses, public accommodations have additional rules.
  5. Sanitize recordings post-engagement — chain-of-custody discipline (§ 11).
  6. For personal bench use: recording yourself / your own equipment / your own private spaces = legal everywhere. This is the safe operating envelope.

For personal use (voice memos, audio note-taking, sound recording of your own activities): no legal exposure.

For engagement work: get authorization, document, time-box, sanitize.

For public-space deployment (magnetic-back stick on the side of a server rack with audio recording): only with explicit authorization from the venue + all parties present. Otherwise: don’t.

The form-factor + capability profile makes this device a temptation. Don’t yield to it without authorization.


HID injection works only against unlocked targets or systems that auto-accept new HID devices (most do — flag for “new keyboard” on macOS, most users click through).

Legal posture: HID injection of payloads on systems you don’t own is unauthorized computer access. Even harmless payloads (Rick-Roll, screen lock) constitute a violation:

  • US: 18 USC § 1030 (CFAA) — unauthorized access; up to 10 years for some violations
  • EU: national computer-misuse laws (UK Computer Misuse Act, German StGB § 202a/b/c)
  • AU/NZ/CA/JP: equivalent statutes

Authorized engagement scope is the only safe operating envelope.

Even with authorization: log every BadUSB execution with timestamp + target machine identifier + payload hash. Defensible documentation is mandatory.


11.9 LiPo handling — small-cell-specific concerns

250 mAh small-cell concerns:

Aging: small cells age faster than large ones — internal resistance grows quicker, capacity drops faster. Expect ~200-300 charge cycles before significant capacity loss (vs ~500+ for the Cardputer ADV’s 1750 mAh).

Replacement frequency: every 6-12 months for daily use. Vendor part availability TBD.

Safety rules (apply universally to LiPos but more critical at small capacity):

  1. Never short-circuit the cell terminals.
  2. Never charge a damaged or punctured cell — small cells reach unsafe temperatures faster.
  3. Storage: ~50% charge for long shelf life. Full charge accelerates aging.
  4. Temperature: 0-40 °C operating; degrades faster >30 °C at full charge; avoid >50 °C entirely.
  5. If swelling observed: discontinue use immediately. Dispose properly (battery recycling, not regular trash).
  6. For battery replacement: source 251015 / 401015 form-factor LiPos from RC hobby suppliers. Verify JST-PH 2-pin polarity (red = +, black = −) before connecting.

11.10 Charging gotchas

USB-C charging at ~500 mA. Full charge from empty: ~30-45 minutes.

Side switch or button-based power:

Unlike the Cardputer ADV (slide switch), the M5StickS3 likely uses button-based power:

  • Short-press power button → wake from sleep
  • Long-press power button (>2 sec) → force shutdown

Charging while powered off: behavior depends on PMIC (TBD pending hardware inspection). AXP2101-class PMICs typically allow charging in any power state.

Charge-only cables: as with all USB-CDC devices, M5StickS3 requires a data-capable USB cable for flashing + serial console. Charge-only cables lack data lines, block enumeration.

Charging current: don’t charge from cables that supply more than 1 A — small batteries shouldn’t exceed 1C charge rate (so 250 mAh = 250 mA max charge current). M5StickS3’s internal charge controller limits charge current to safe levels, but external high-power chargers may stress the controller.


11.11 Chain-of-custody for captures

Audio captures + Wi-Fi captures from M5StickS3 are evidence-grade material:

  1. Hash at capture-time: sha256sum of every file. Document the hash + the device + the date.
  2. Encrypted archive only for transfer:
tar -czf captures.tar.gz /mnt/m5sticks3/
age -p captures.tar.gz > captures.tar.gz.age   # Password-encrypted
# OR
gpg -c captures.tar.gz   # GPG symmetric encrypt
  1. Out-of-band hash verification — share hash via separate channel.

  2. Secure-erase source flash / SD post-engagement:

# For Hat2 SD card:
sudo dd if=/dev/urandom of=/dev/sdX bs=4M status=progress
sudo mkfs.vfat -F 32 /dev/sdX1

# For internal flash:
esptool.py --chip esp32s3 -p /dev/ttyACM0 erase_flash
esptool.py --chip esp32s3 -p /dev/ttyACM0 -b 1500000 write_flash 0x0 stock_backup.bin
  1. Audio captures specifically: more sensitive than Wi-Fi captures because they contain identifiable voice + ambient personal data. Treat with higher security discipline:

    • Hash + encrypt within minutes of recording end
    • Don’t keep originals on the M5StickS3 longer than necessary
    • Document chain of custody for legal defense
  2. Retention: only what scope authorizes. Purge bystander data with documentation.

Cross-ref: Cardputer ADV Vol 11 § 11 + Marauder Firmware Vol 11 § 7 for the same discipline applied to platform-neutral captures. The Hack Tools shared posture in ../../../_shared/legal_ethics.md carries.


11.12 When NOT to use the M5StickS3

Scenarios where M5StickS3 is the wrong tool:

Table 6 — Scenarios where M5StickS3 is the wrong tool

ScenarioWhy M5StickS3 is wrongBetter alternative
Multi-hour engagement (>2 hr)250 mAh battery limitCardputer ADV or USB-powered device
QWERTY-typing-heavy workflowNo keyboardCardputer ADV
5 GHz Wi-Fi workESP32-S3 silicon 2.4-onlyM5MonsterC5 via Grove or Linux laptop
LoRa / off-grid meshNo LoRa hardwareCardputer ADV + Cap LoRa-1262
Sub-GHz CC1101 workNo on-board CC1101; Hat2 ecosystem thinCardputer ADV with CC1101 Grove or BadCard
Public-space deployment with audio recordingLegal landmine — strict two-party consent jurisdictionsDon’t (or only with extreme legal cover)
Bench-class debuggingM5StickS3 too smallBP6 / HackRF
Sustained playback / music250 mAh + 1 W speaker drains fastDifferent audio platform
Hostile-jurisdiction travelCustoms ambiguity for “hacker gadget” — magnetic-back + audio recording particularly suspectDon’t carry; ship from in-country vendor if needed
BT-classic device enumerationESP32-S3 has BLE 5.0 onlyM5StickC Plus 2 (classic ESP32)
Heavy on-device computationLX7 is fine but Cardputer ADV has same silicon with more battery for sustained workCardputer ADV
Camera applicationsNo cameraM5Stack Core S3 or Atom S3R

11.13 Pre-engagement checklist

Before any non-trivial engagement, verify each item:

  • Written authorization signed and dated, covering target scope (network / hardware / location / time window)
  • RF coverage scope specified (target SSIDs / BSSIDs / geographic area)
  • Attacks permitted listed (deauth? Evil Portal? BLE-spam? IR? BadUSB? Audio recording?)
  • Audio recording authorization documented separately if audio is in scope — especially critical
  • Two-party-consent state check done if recording in US — list of states in § 7
  • Stop condition defined (time limit, signal-of-completion)
  • Battery charged (250 mAh; engagement < 30 min battery; ≤2 hr scan-only)
  • Firmware version locked (specific tag, not master HEAD)
  • Region setting matches venue (US / EU / JP)
  • Target BSSID(s) configured if surgical attacks planned
  • MAC randomization enabled (Bruce Settings → Spoof MAC)
  • Capture destination + extraction plan — where do logs/audio/PCAPs go after engagement?
  • Sanitization plan — how / when SD content + flash erased
  • Bystander mitigation — narrow targeting only; no broadcast attacks in public spaces
  • Discovery response (if observed, stop, produce authorization, document)
  • Out-of-band channel prepared for security team to reach me

If any item isn’t checked, abort.


11.14 Resources

Legal references

Hack Tools shared posture

Cross-references

  • Audio chain detail (battery realism per mode): Vol 5 § 11
  • Audio-bug legal landscape: Vol 5 § 10
  • Wearable deployment patterns: Vol 9 § 7
  • Cardputer ADV operational posture: ../../../M5Stack Cardputer ADV/03-outputs/Cardputer_ADV_Complete.html Vol 11
  • Marauder Firmware operational posture: ../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html Vol 11

This is Volume 11 of a twelve-volume series. Next: Vol 12 is the laminate-ready cheatsheet — synthesis of every preceding volume’s most-referenced content.

Comments (0)

  1. Loading…

Comments are held for moderation — nothing appears until approved.