Nyan Box · Volume 12
Nyan Box Volume 12 — Cheatsheet
Quick-facts, the tool catalog at a glance, the NRF24 channel map, the posture lines in one block, the recipes, troubleshooting, pre-use checklist
Contents
1. About this volume
Vol 12 is the laminate-ready field card — the synthesis of Vols 1-11 for at-the-bench, in-the-field reference. Print the sections you need; the whole thing is designed to be scanned, not read.
2. Hardware quick-facts panel
┌────────────────────────────────────────────────────────────────┐
│ nyanBOX — Nyan Devices │
├────────────────────────────────────────────────────────────────┤
│ MCU ESP32-WROOM-32U · dual-core 240 MHz · Wi-Fi 2.4 + │
│ BT 5.0 (BLE + Classic) · U.FL antenna │
│ Extra radio 3× NRF24L01+ GTmini · 2.400-2.525 GHz · GFSK · │
│ 126 ch · ~0 dBm TX (bare GTmini) · ~-94 dBm RX │
│ Display 0.96" OLED · 128×64 mono · SSD1306-class · I²C │
│ Storage EEPROM (settings + XP state) — NOT microSD │
│ Battery 2500 mAh LiPo · USB-C charge+data · ~9.25 Wh │
│ Antennas 4× 2.4 GHz stub (1× ESP32 + 3× NRF24) │
│ Input Arrow-key cluster + OK · arrow-sequence dev lock │
│ Tools 40+ menu-driven · gamified XP progression │
│ UNIQUE Drone RemoteID detection · hidden-camera detection │
│ Firmware Stock (closed-source likely) · web-flasher update │
│ Alt FW ESP32 Marauder / Ghost ESP (loses unique features) │
│ Enclosure 3D-printed · no IP rating · repairable │
│ Vendor Nyan Devices (jbohack & zr_crackiin) │
│ Price $220 USD assembled │
│ Status Aspirational — not yet owned (2026-05-14) │
└────────────────────────────────────────────────────────────────┘
Schematic-block hardware: Vol 2. Triple-NRF24 deep dive: Vol 3.3. The tool catalog at a glance
┌─ Wi-Fi (ESP32) ──────────┐ ┌─ BLE / BT (ESP32) ───────┐
│ AP scan passive │ │ BLE scan passive │
│ Client detect passive │ │ BLE spoof active │
│ Probe capture passive │ │ BLE spam ACTIVE-D │
│ Channel survey passive │ │ Device track passive │
│ Beacon spam active │ │ BT Classic scan passive │
│ Beacon clone active │ │ ↑ nyanBOX edge: the │
│ Deauth ACTIVE-D │ │ original ESP32 sees BT │
│ Evil portal ACTIVE-D │ │ Classic; an S3 cannot │
│ Karma ACTIVE-D │ └──────────────────────────┘
└──────────────────────────┘
┌─ NRF24 / 2.4 GHz ────────┐
┌─ Detection (UNIQUE) ──────┐ │ Spectrum sweep passive │
│ Drone RemoteID passive │ │ Multi-ch sniff passive ★│
│ → Vol 6 │ │ Mousejack disc passive ★│
│ Hidden camera passive │ │ Mousejack inject ACTIVE-D│
│ → Vol 7 │ │ Jam ILLEGAL* │
│ Both = the reason to own │ │ Replay active │
│ the nyanBOX │ │ TX-and-confirm active ★ │
└──────────────────────────┘ └──────────────────────────┘
passive = receive only — broadly legal everywhere
active = TX; own-gear or authorized only
ACTIVE-D = disruptive; own-gear or written authz ONLY
ILLEGAL* = jamming — shielded enclosure only; see §7
★ = triple-NRF24 hardware materially helps here4. The triple-NRF24 modes
Mode Radios Coupling Best for
────────────────── ────────── ──────── ───────────────────
Parallel sniff 3× RX none ✓ channel-hopping
protocols, full
capture, no chase
TX-and-confirm 1 TX + 2 RX TX leaks replay with
(sequential) verification —
TX then RX
RSSI triangulation 3× RX same minimal hint-grade DF;
channel "warmer/colder"
The PASSIVE parallel-sniff mode delivers cleanest —
no TX, no antenna coupling. It's also the most
legally-defensible mode. Vol 3 has the full detail.
Antenna discipline: SPREAD the four antennas. Clustered
= coupling = degraded multi-radio isolation (Vol 2 §6.3).5. NRF24 channel map
NRF24 channel N → 2400 + N MHz
ch: 0 20 40 60 80 100 124
MHz: 2400 2420 2440 2460 2480 2500 2524
│←──── 2.4 GHz ISM band ────→│
│ (TX legal here) │ (TX above 2483.5
│ │ may NOT be legal)
ch83 ──┘
WiFi ch1 ▓▓▓▓▓▓▓▓ (2401-2423)
WiFi ch6 ▓▓▓▓▓▓▓▓▓▓ (2426-2448)
WiFi ch11 ▓▓▓▓▓▓▓▓▓▓ (2451-2473)
BLE adv ▲(2402) ▲(2426) ▲(2480) ch37/38/39
3-radio starting points:
Mousejack hunt ch5 / ch32 / ch65
Wireless mouse ch75 / ch76 / ch77
WiFi-overlap watch ch11 / ch48 / ch73
General sweep walk all three across the band
⚠ Keep NRF24 TX ≤ ch83 (≤2483 MHz, in ISM band).6. The two unique features — quick reference
DRONE REMOTEID DETECTION (Vol 6)
───────────────────────────────────
Detects: COMPLIANT drones broadcasting RemoteID over
Wi-Fi Beacon/NAN + BT4 Legacy (BT5 Long
Range = partial — ESP32 limitation)
Shows: drone ID · position · velocity · OPERATOR
POSITION · operator ID
Misses: non-compliant drones, RemoteID-disabled
drones, network-only RemoteID, far/high
drones below RF threshold
Legal: receiving is legal — the broadcast is public
Watch: ~13 h on battery; longer on USB-C power
HIDDEN CAMERA DETECTION (Vol 7)
───────────────────────────────────
Detects: WIRELESS 2.4 GHz cameras — Wi-Fi IP cams,
AP-mode cams, 2.4 GHz analog video TX
Method: MAC OUI match (strongest) + SSID patterns +
emission-pattern signatures · "20+ brands"
≈ a smaller set of rebranded OEM modules
Misses: SD-card-only (no radio), wired, cellular
(4G/5G), 5 GHz-only, powered-off cameras
Discipline: it's a LEAD generator, not a verdict.
Cross-reference flags against a Wi-Fi scan;
RSSI-walk the real leads; physical check.
⚠ Update firmware before a real sweep — the signature
DB is only as fresh as the firmware.
Legal: sweeping a space you occupy = the most
defensible tool in the lineup7. The posture lines in one block
╔═══════════════════════════════════════════════════╗
║ PASSIVE (RX only) → broadly legal everywhere ║
║ scan · sniff · RemoteID watch · camera detect ║
║ · spectrum survey ║
║ ║
║ ACTIVE on YOUR OWN gear → legal ║
║ deauth your AP · replay your device ║
║ ║
║ ACTIVE on OTHERS' gear w/o authz → ILLEGAL ║
║ deauth · BLE spam · Mousejack inject · ║
║ beacon attacks ║
║ ║
║ JAMMING → ILLEGAL essentially everywhere ║
║ (US FCC §333 + equivalents). Shielded ║
║ enclosure only, or never transmit it. ║
║ ║
║ MOUSEJACK INJECT = unauthorized computer access ║
║ — a more serious category than interference. ║
║ Owned hardware / written authz ONLY. ║
║ ║
║ The XP gate is a PEDAGOGICAL guard, not a legal ║
║ one. The legal line is always the operator's. ║
╚═══════════════════════════════════════════════════╝
The nyanBOX's BEST capabilities (the 2 unique
features, triple-NRF24 sniff) are all PASSIVE — its
strongest use is also its most defensible. Full
posture: Vol 11.8. Battery-life table
2500 mAh cell (~2200 mAh usable). Estimates — bench-verify.
Mode Est. current Est. runtime
──────────────────────────── ──────────── ────────────
Idle (display on) 75 mA ~29 h
Wi-Fi scan continuous 150 mA ~14.5 h
3× NRF24 RX (multi-ch sniff) 115 mA ~19 h
RemoteID watch 160 mA ~13.5 h
Camera sweep 130 mA ~17 h
Heaviest (Wi-Fi TX + 3×NRF24) 290 mA ~7.5 h
The 2500 mAh cell makes the nyanBOX an ALL-DAY device
for the passive detection work — RemoteID watch + camera
sweep both run 13-17 h. Charge-while-operating on USB-C
extends any of these indefinitely.9. The recipes in one page
STATIONARY REMOTEID WATCH (Vol 10 §2)
Position (antenna clear, elevated) → Drone RemoteID
mode → drones populate (ID/RSSI/position/operator) →
RSSI trend = approach sense. Host-log for a record.
TRAVEL CAMERA SWEEP (~10 min) (Vol 10 §3)
UPDATE FIRMWARE first → walk in, run camera detect
2-3 min → HIGH flags: RSSI-walk + physical check →
LOW flags: probably the TV → optical lens-check the
spots facing the bed. "Clean" = no streaming wireless
2.4 GHz cam — NOT "no camera."
THOROUGH ROOM SWEEP (Vol 10 §4)
Baseline → triage (cross-ref vs Wi-Fi scan) →
RSSI-walk leads → physical search → optical pass →
+ NRF24 RPD sweep for analog video TX → document.
MULTI-CHANNEL NRF24 SNIFF (Vol 10 §5)
ID the channel set → set 3 radios → match rate/addr/
CRC (or promisc mode) → parallel RX → SPREAD antennas
→ host-log the full stream.
EDUCATION SESSION (Vol 10 §7)
Lead with DEFENSIVE tools (camera/RemoteID/"what your
devices leak") → build the ethical foundation →
disruptive tools later, framed as "why this is
regulated." The device is built for this.
COUNTER-SURVEILLANCE KIT (Vol 10 §8)
nyanBOX covers 3 of 7 camera threat classes (Wi-Fi
2.4, analog video, compliant UAV). Pair with optical
finder + 5 GHz scanner + broadband detector + physical
search for the other 4.10. Troubleshooting flow
Won't boot / no display?
├─ Battery dead? Charge 30 min, retry.
├─ Stuck firmware? Re-flash via web flasher (Vol 8 §3).
└─ Hardware fault? Vendor Discord / RMA.
USB-C not recognized by host?
├─ Charge-only cable? Use a data cable.
├─ USB-serial bridge driver missing? Install CP210x/
│ CH340-class driver (the nyanBOX isn't native-USB).
└─ Different USB port / Chrome-or-Edge for web flasher.
NRF24 sniff catches nothing?
├─ Data rate mismatch? Must match target (250k/1M/2M).
├─ Address / CRC mismatch? Match it, or use promisc mode.
├─ Wrong channels? Re-check the target's hop set.
└─ Antennas clustered? Spread them (Vol 2 §6.3).
Camera detection flags everything?
├─ That's expected — it's a lead generator (Vol 7 §6).
├─ Cross-reference each flag vs a plain Wi-Fi scan.
├─ LOW-confidence flags = probably the room's TV/mesh.
└─ Trust HIGH-confidence (OUI-matched) flags as leads.
Camera detection misses a known camera?
├─ Is it RF-silent / cellular / 5 GHz / wired?
│ → the nyanBOX can't see those (Vol 7 §7). Expected.
├─ Firmware stale? Update — the signature DB ages.
└─ Camera not currently streaming? No live RF to detect.
RemoteID watch sees nothing?
├─ Are there actually compliant drones in RF range?
├─ Non-compliant drones are INVISIBLE (Vol 6 §7).
├─ BT5 Long Range RemoteID = partial on this ESP32.
└─ Antenna obstructed? Elevate / clear it.
A tool is locked / won't run?
├─ XP gate (Vol 8 §4). Grind passive tools, or find
│ the expert-mode toggle.
└─ Re-flash resets XP state — back up EEPROM if it
matters (it usually doesn't for tjscientist).11. Pre-use checklist
┌─────────────────────────────────────────────────────┐
│ NYANBOX PRE-USE │
├─────────────────────────────────────────────────────┤
│ LEGAL │
│ □ Passive tools only? → broadly fine │
│ □ Active tool? → MY gear or WRITTEN authz? else STOP│
│ □ No jamming outside a shielded enclosure │
│ □ NRF24 TX ≤ ch83 (in-band) │
│ HARDWARE │
│ □ Firmware current (camera DB freshness!) │
│ □ Battery charged / USB-C power available │
│ □ Antennas spread for multi-radio work │
│ □ Host logger ready if a durable record is needed │
│ DATA │
│ □ Capturing only what's needed │
│ □ Host logs → encrypted; brief retention │
│ □ RemoteID operator positions handled with care │
│ IF LENDING IT │
│ □ Device lock set │
│ □ Legal lines briefed VERBALLY (not just XP gate) │
│ □ Session framed defensive-tools-first │
├─────────────────────────────────────────────────────┤
│ Any LEGAL box unchecked → STOP. │
└─────────────────────────────────────────────────────┘12. Key references in one block
Vendor
Nyan Devices nyandevices.com
Vendor GitHub (linked from the site — check
here FIRST for FW source)
Vendor Discord (linked from the site —
jbohack & zr_crackiin)
Datasheets
ESP32-WROOM-32U espressif.com (datasheet PDF)
NRF24L01+ nordicsemi.com/Products/NRF24L01P
SSD1306 OLED Solomon Systech
RemoteID
FAA Remote ID rule faa.gov/uas/getting_started/remote_id
ASTM F3411 astm.org/f3411-22a.html
OpenDroneID github.com/opendroneid
Camera detection
IEEE OUI registry standards-oui.ieee.org
Alt firmware
ESP32 Marauder github.com/justcallmekoko/ESP32Marauder
Ghost ESP github.com/Spooks4576/Ghost_ESP
Regulatory
FCC §15.247 (2.4 ISM) law.cornell.edu/cfr/text/47/15.247
FCC §333 (jamming ban) law.cornell.edu/uscode/text/47/333
EU ETSI EN 300 328 etsi.org
Hack Tools cross-references
Ruckus Game Over (sibling)
../../../Ruckus Game Over/03-outputs/game_over_complete.html
ESP32 Marauder Firmware deep dive
../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html
Comparison matrix ../../../_shared/comparison.md
Capability matrix ../../../_shared/capability_matrix.html
Legal / ethics ../../../_shared/legal_ethics.md
Tools
esptool.py github.com/espressif/esptool
pyserial (host scripts) pyserial.readthedocs.ioThis is the final volume of the Nyan Box twelve-volume series. Hardware specs are vendor-sourced (nyandevices.com) and not bench-verified — re-build the affected volumes with confirmed values once the unit is acquired, and fill the FIGURE SLOT markers via Photo Helper at that time.