Nyan Box Volume 5 — NRF24 / 2.4 GHz Toolset

Spectrum analysis, multi-channel sniff, jam, replay, Mousejack-class tools, the transmit-and-confirm workflow

Contents

   Section   Topic
   ───────   ──────────────────────────────
   1         About this volume
   2         2.4 GHz spectrum analysis
   3         Multi-channel NRF24 sniff
   4         Mousejack-class tools
   5         Jam
   6         Replay + transmit-and-confirm
   7         The NRF24 toolset at a glance
   8         Resources

1. About this volume

Vol 5 covers the nyanBOX tools that run on the three NRF24 radios. Vol 3 covered the hardware — why three radios, how they’re wired, the antenna-isolation reality. This volume covers what you do with them: spectrum work, sniffing, the Mousejack family, jamming, and replay.

The triple-radio hardware (Vol 3) is what makes several of these tools meaningfully better than a single-NRF24 board. Where that’s the case, this volume says so explicitly.


2. 2.4 GHz spectrum analysis

The NRF24L01+ isn’t a spectrum analyzer — but it has a trick: its RPD (Received Power Detector) register flags whether received power on the current channel exceeds ~-64 dBm. Sweep the channel across the band, read RPD at each step, and you get a crude energy-detector spectrum.

2.1 How it works

   NRF24 RPD-sweep spectrum
   ═════════════════════════

   For each channel 0..125:
     1. Set NRF24 to channel N
     2. Enter RX mode briefly (a couple of hundred µs to settle)
     3. Read RPD bit: 1 = power > ~-64 dBm, 0 = quiet
     4. Step to N+1

   With THREE radios, split the sweep:
     NRF#1 sweeps ch 0-41
     NRF#2 sweeps ch 42-83      → 3x faster full-band sweep
     NRF#3 sweeps ch 84-125

   OLED render — energy bar graph:

   2400 ────────────────────────────────── 2525 MHz
   ▁▁▃█████▃▁▁▁▁▃▇▇▇▃▁▁▁▁▁▁▁▃███▇▃▁▁▁▁▁▁▁▁
        ▲              ▲          ▲
       WiFi ch1      WiFi ch6   WiFi ch11
       (or BT, or a busy IoT band, or a camera...)
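The split sweep above, as an added example in C (not nyanBOX firmware): radio access sits behind an rpd_read callback, every step retunes all three radios, and the 1-bit RPD is read several times per channel to get the hit count the bar graph needs. The multi-sample count, the function names and the constructed stand-in radio are all this sketch's own assumptions.

```c
#include <stdint.h>

/* Added example, not nyanBOX firmware. rpd_read tunes one radio to a channel,
 * settles in RX and returns the 1-bit RPD (1 = power above ~-64 dBm). Taking
 * SAMPLES_PER_CH readings per channel to get a hit count is this sketch's own. */
#define NRF_CHANNELS   126
#define NRF_RADIOS     3
#define CH_PER_RADIO   (NRF_CHANNELS / NRF_RADIOS)   /* 42 channels per radio */
#define SAMPLES_PER_CH 8

typedef int (*rpd_read_fn)(int radio, int channel);

/* Split sweep: radio 0 owns ch 0-41, radio 1 ch 42-83, radio 2 ch 84-125. */
int radio_for_channel(int ch) { return ch / CH_PER_RADIO; }

/* One sweep. Every step retunes all three radios, so the band takes CH_PER_RADIO
 * steps, not NRF_CHANNELS. hits[ch] = samples (0..SAMPLES_PER_CH) with RPD set. */
void rpd_sweep(rpd_read_fn rpd_read, uint8_t hits[NRF_CHANNELS]) {
    for (int step = 0; step < CH_PER_RADIO; step++)
        for (int r = 0; r < NRF_RADIOS; r++) {
            int ch = r * CH_PER_RADIO + step, n = 0;
            for (int s = 0; s < SAMPLES_PER_CH; s++) n += rpd_read(r, ch) ? 1 : 0;
            hits[ch] = (uint8_t)n;
        }
}

/* First channel with the highest hit count, or -1 if the band was silent. */
int loudest_channel(const uint8_t hits[NRF_CHANNELS]) {
    int best = -1;
    for (int ch = 0; ch < NRF_CHANNELS; ch++)
        if (hits[ch] > 0 && (best < 0 || hits[ch] > hits[best])) best = ch;
    return best;
}

/* ASCII stand-in for the OLED bar row: one character per channel. */
void render_bars(const uint8_t hits[NRF_CHANNELS], char out[NRF_CHANNELS + 1]) {
    const char *ramp = " .:-=+*#@";   /* 9 levels for 0..SAMPLES_PER_CH hits */
    for (int ch = 0; ch < NRF_CHANNELS; ch++) out[ch] = ramp[hits[ch]];
    out[NRF_CHANNELS] = '\0';
}

/* Constructed stand-in for the radios: a constant emitter on ch 10-14 and a
 * bursty one on ch 37 whose RPD reads set on every other sample. */
int sim_rpd_read(int radio, int ch) {
    static int toggle = 0;
    if (radio != radio_for_channel(ch)) return 0;   /* asked the wrong radio */
    if (ch >= 10 && ch <= 14) return 1;
    if (ch == 37) return toggle++ & 1;
    return 0;
}
```

Swap sim_rpd_read for a function that drives the real SPI registers and the rest is unchanged; the bar row maps channel 0 to 2400 MHz and channel 125 to 2525 MHz, one character per MHz.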

2.2 What it’s good for — and not

Good for:

  • “Is this band busy?” — a congestion survey
  • Finding the active Wi-Fi channels
  • Spotting a strong continuous emitter
  • The triple-radio 3× sweep speed-up

Not good for:

  • Amplitude accuracy (RPD is a 1-bit threshold, not a dBm reading)
  • Narrow-signal resolution (1 MHz channel steps)
  • Anything quieter than ~-64 dBm
  • A real spectrum display (that’s a HackRF / TinySA job)

The RPD-sweep spectrum is a coarse energy detector, not an instrument. But it’s genuinely useful as a fast “what’s loud in 2.4 GHz right now” check — and the triple-radio split makes it 3× faster than a single-NRF24 board. It’s also the substrate for the hidden-camera detection (Vol 7) — camera detection is, at its core, a smarter version of this sweep.

[FIGURE SLOT — Vol 5, § 2] Photo of the nyanBOX OLED running the 2.4 GHz spectrum sweep, showing the energy bar graph. Source: vendor product page. Caption when filled: “Figure 5.1 — The RPD-sweep spectrum display.”


3. Multi-channel NRF24 sniff

The headline NRF24 tool — and the one the triple-radio hardware most directly enables. Vol 3 § 6 covered the hardware “why”; this is the operational “how”.

3.1 The tool

   Multi-channel NRF24 sniff — OLED view
   ══════════════════════════════════════
   ┌────────────────────────────────┐
   │ NRF24 Sniff x3      pkts: 247  │
   ├────────────────────────────────┤
   │ R1 ch75  ▓▓▓▓▓░░  88 pkts      │
   │ R2 ch76  ▓▓░░░░░  31 pkts      │
   │ R3 ch77  ▓▓▓▓▓▓▓ 128 pkts      │
   ├────────────────────────────────┤
   │ last: R3 ch77 addr A1:B2:C3..  │
   │ [OK] log [↓] cfg [←] back      │
   └────────────────────────────────┘

Three radios, three channels, all listening continuously. Each captured packet shows channel + address + payload (within OLED limits).

3.2 The configuration that matters

   Parameter           Why it matters
   ─────────────────   ─────────────────────────────────────────────────────────────
   Channel per radio   The three channels you cover — pick by target protocol (Vol 3 § 9 channel map)
   Data rate           250 kbps / 1 Mbps / 2 Mbps — must match the target; wrong rate = no packets
   Address width       3-5 bytes — must match, or set to promiscuous-ish wildcard mode
   Address             The target’s pipe address — or a “sniff anything” config if the firmware supports it
   CRC                 1 or 2 bytes — must match

The NRF24 is not a true promiscuous receiver — it’s an addressed protocol radio. “Sniffing” NRF24 means either (a) you know the target’s address/rate/CRC and configure to match, or (b) you use the classic NRF24-promiscuous trick (set a 2-byte address of 0x00AA or 0x0055, disable CRC, and let preamble false-syncs leak packets). The nyanBOX firmware almost certainly implements the promiscuous trick for “sniff unknown” — verify the exact method on the unit.

3.3 The triple-radio payoff

This is the tool where three radios beat one cleanly (Vol 3 § 5 — it’s all-RX, so no antenna-coupling problem):

  • A channel-hopping wireless mouse that a single radio chases and half-misses → three radios on the hop set catch it fully
  • A protocol you’re characterizing (you don’t yet know its channels) → three radios sample three points of the band at once, 3× faster characterization
  • The classic Mousejack workflow (§ 4) → three radios covering the Logitech channel set

3.4 The capture-storage limit

Reminder from Vol 2 § 7: the nyanBOX has EEPROM, not microSD. Long sniff sessions can’t dump everything to a card. Options:

  • Read hits off the OLED in real time
  • Pull the capture stream over USB-serial to a host (Vol 9 § 4) for a long session
  • Accept that the on-device log is a small rolling buffer

For a multi-hour sniff, plan to tether to a host for logging.


4. Mousejack-class tools

“Mousejack” is Bastille’s 2016 research into the NRF24-class wireless mice/keyboards — the vulnerability that lets an attacker inject keystrokes into a vulnerable wireless mouse/keyboard dongle. It’s the canonical NRF24-pentest workflow, and the nyanBOX’s NRF24 toolset is built around it.

4.1 The attack family

   Stage      Tool                             What it does
   ────────   ──────────────────────────────   ─────────────────────────────────────────────────────────
   Discover   Multi-channel sniff (§ 3)        Find NRF24 mice/keyboards by their address + channel hopping
   Identify   Address + protocol fingerprint   Logitech Unifying? Microsoft? Generic? Determines exploitability
   Inject     Keystroke injection              Send crafted “keypress” packets to a vulnerable dongle
   Confirm    Transmit-and-confirm (§ 6)       One radio injects, two watch for the dongle’s response / the host’s behavior

4.2 Why the triple-radio helps the Mousejack workflow

   Mousejack with three radios
   ════════════════════════════

   Discover phase:  NRF#1, #2, #3 → 3 channels of the
                    Logitech hop set, parallel sniff.
                    Catch the target faster + fuller.

   Inject phase:    NRF#1 → inject keystrokes
                    NRF#2 → watch for dongle ACK
                    NRF#3 → watch an adjacent channel for
                            the dongle hopping away
                    = transmit-and-confirm (Vol 3 § 7)

A single-radio Mousejack tool does discover-then-inject sequentially on one radio. The nyanBOX can keep watching while it injects.

4.3 The posture line

Keystroke injection into someone else’s wireless mouse/keyboard is unauthorized access to a computer system — illegal essentially everywhere without authorization. The nyanBOX’s education framing almost certainly XP-gates this hard and frames it heavily. For tjscientist: the mechanics are educational; the use requires owned hardware or written authorization. See Vol 11 § 3.

4.4 The honest capability note

Modern wireless mice/keyboards (post-2016) are mostly patched or encrypted — the Mousejack-vulnerable population has shrunk. The nyanBOX’s Mousejack tools are most useful as (a) an education demonstration of the attack class, and (b) a way to test whether a specific old dongle is still vulnerable. They are not a reliable “inject into any wireless keyboard” capability in 2026.


5. Jam

The nyanBOX can jam 2.4 GHz — transmit noise/garbage on a channel (or, with three radios, three channels) to deny that spectrum.

5.1 How NRF24 jamming works

   NRF24 jam mechanism
   ════════════════════

   Set NRF24 to continuous-carrier or constant-TX mode,
   on the target channel. The radio dumps RF energy
   continuously — any real signal on that channel is
   buried under it.

   With three radios:
     NRF#1 → jam ch X
     NRF#2 → jam ch Y    = three channels denied at once
     NRF#3 → jam ch Z

   Or "sweep jam": rapidly retune one+ radios across a
   band, denying a swath rather than fixed channels.

5.2 The hard posture line

Jamming is illegal in essentially every jurisdiction — FCC §333 in the US, equivalent statutes elsewhere. It’s not a gray area. It’s not “gray like deauth” — it’s a clear, enforced prohibition. The nyanBOX’s NRF24 jam tool exists; the legal reality is that you may operate it only:

  • Inside a verified RF-shielded enclosure (Faraday cage / anechoic chamber with confirmed <1 µW leakage)
  • With explicit authorization in a controlled test (rare, specialized)
  • As an inert education demonstration of why jamming is a problem — discussed, not transmitted

The nyanBOX’s education firmware almost certainly XP-gates jam to the highest tier and frames it heavily. Vol 11 § 3 is mandatory reading before this tool is ever activated. For tjscientist: treat jam as a “know it exists, understand the mechanism, essentially never transmit it” tool.

5.3 NRF24 jam is also weak

Even setting the legality aside: NRF24 jam at ~0 dBm (bare GTmini, Vol 3 § 2.2) is low-power. It denies spectrum in the immediate few meters, not a building. It’s a demonstration-scale capability, not an area-denial weapon. That’s a small mercy from a harm-reduction standpoint.


6. Replay + transmit-and-confirm

6.1 Replay

Capture an NRF24 packet (§ 3), retransmit it. Classic for:

  • Replaying a captured RC / toy / simple-IoT command
  • Testing whether a device accepts replayed packets (no rolling code → vulnerable)

The nyanBOX’s replay is the standard capture-then-retransmit. The triple-radio adds the confirm half:

6.2 Transmit-and-confirm — the triple-radio version

Vol 3 § 7 covered the hardware timing. Operationally:

   Transmit-and-confirm — operational flow
   ════════════════════════════════════════

   1. NRF#1 transmits the replayed packet
   2. (NRF#2, NRF#3 are deaf during the TX burst — Vol 3 § 5)
   3. TX burst ends; NRF#2 + NRF#3 immediately listen
   4. NRF#2 watches the channel the target answers on
   5. NRF#3 watches an adjacent channel (in case the
      target's protocol hops on response)
   6. OLED shows: TX sent → response heard? → on which channel?

   Result: you don't just "hope the replay worked" — you
   SEE the target's reaction (ACK / state change / hop).

This is the genuine value-add of the triple radio for active work. A single-radio board replays blind. The nyanBOX replays and watches.

6.3 The rolling-code wall

Most modern devices with any security use rolling codes — each command packet is single-use; a replayed packet is rejected. Replay works against:

  • Old/cheap fixed-code devices (some RC toys, very old remotes, naive IoT)
  • Devices where the rolling-code implementation is broken
  • Test scenarios with replay deliberately enabled

It does not work against properly-implemented rolling-code devices. The transmit-and-confirm capability is actually useful here — it tells you immediately whether the replay was accepted or rejected, so you’re not guessing.
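To show where the wall comes from, an added toy model in C (not nyanBOX code and not any real remote’s protocol): a fixed-code receiver and a rolling-code receiver with a counter window are each fed the same captured packet twice. The keyed tag is a FNV-1a stand-in for the MAC or cipher a real device uses, and every name, key and packet value here is constructed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed toy model, not nyanBOX code or any real remote's protocol. The
 * tag is a keyed FNV-1a stand-in for a real device's MAC or cipher, present
 * only so that a packet with a tampered counter is rejected. */
#define ROLLING_WINDOW 16   /* how far ahead of the last counter a receiver will resync */
typedef struct { uint32_t counter; uint8_t cmd; uint32_t tag; } packet_t;
typedef struct { uint32_t key; uint32_t last; } rolling_rx_t;

static uint32_t toy_tag(uint32_t key, uint32_t counter, uint8_t cmd) {
    uint32_t h = 2166136261u, in[2] = { key, counter };
    for (int w = 0; w < 2; w++)
        for (int i = 0; i < 4; i++) { h ^= (in[w] >> (8 * i)) & 0xFF; h *= 16777619u; }
    h ^= cmd;
    return h * 16777619u;
}

/* Sender: every press consumes a fresh counter, so each packet is single-use. */
packet_t rolling_send(uint32_t key, uint32_t *next, uint8_t cmd) {
    packet_t p = { (*next)++, cmd, 0 };
    p.tag = toy_tag(key, p.counter, cmd);
    return p;
}

/* Receiver: tag must verify, counter must be strictly ahead of the last one
 * accepted and inside the resync window; then advance. A replay fails "ahead". */
bool rolling_rx_accept(rolling_rx_t *rx, const packet_t *p) {
    if (p->tag != toy_tag(rx->key, p->counter, p->cmd)) return false;
    if (p->counter <= rx->last || p->counter - rx->last > ROLLING_WINDOW) return false;
    rx->last = p->counter;
    return true;
}

/* Fixed-code receiver: the same bytes are valid forever, so a replay works. */
bool fixed_rx_accept(uint32_t code, const packet_t *p) { return p->cmd == code; }

/* The replay test from the text, run against each receiver type. */
bool demo_fixed_accepts_replay(void) {
    packet_t captured = { 0, 0x2A, 0 };            /* constructed capture */
    return fixed_rx_accept(0x2A, &captured) && fixed_rx_accept(0x2A, &captured);
}
bool demo_rolling_rejects_replay(void) {
    uint32_t next = 1; rolling_rx_t rx = { 0xC0FFEEu, 0 };
    packet_t captured = rolling_send(0xC0FFEEu, &next, 0x2A);
    bool first  = rolling_rx_accept(&rx, &captured);   /* genuine press: accepted */
    bool replay = rolling_rx_accept(&rx, &captured);   /* same bytes again: rejected */
    packet_t forged = captured; forged.counter += 1;   /* bumped counter, stale tag */
    return first && !replay && !rolling_rx_accept(&rx, &forged);
}
```

The window is what lets a receiver resync after missed presses; a packet whose counter has fallen behind or jumped past the window is refused either way, which is the "rejected" answer the transmit-and-confirm view reports.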


7. The NRF24 toolset at a glance

   nyanBOX NRF24 / 2.4 GHz toolset
   ═════════════════════════════════════════════════════

   Tool                 Radios used   Posture    Triple-radio benefit
   ───────────────────  ───────────   ────────   ────────────────────
   Spectrum sweep       3× (split)    passive    3× faster sweep
   Multi-channel sniff  3× RX         passive    3 channels at once ★
   Mousejack discover   3× RX         passive    full hop-set coverage ★
   Mousejack inject     1 TX + 2 RX   GATED      transmit-and-confirm
   Jam                  1-3× TX       ILLEGAL*   3 channels denied
   Replay               1 TX          gated      —
   Transmit-and-confirm 1 TX + 2 RX   gated      the whole point ★

   ★ = the triple-radio hardware materially helps here
   * = jam: see Vol 5 § 5.2 and Vol 11 § 3 — essentially
       never transmit outside a shielded enclosure

   The triple-radio hardware delivers cleanest on the
   PASSIVE tools (sniff, discover, spectrum) — exactly
   the tools that are also legally safe. That's a happy
   alignment: the device's best capability is also its
   most-defensible-to-use capability.

8. Resources

NRF24 pentest canon

  • Bastille Mousejack research: https://www.mousejack.com/
  • Mousejack technical whitepaper: Bastille Networks
  • NRF24L01+ datasheet (register-level — RPD, FIFO, addressing): Nordic Semiconductor
  • nrf24-playground / promiscuous-mode NRF24 technique writeups (community)

Posture

Sibling reference

End of Vol 5. Next: Vol 6 is the drone RemoteID detection deep dive — the FAA/EASA RemoteID broadcast specifications, how the nyanBOX detects them, what is and isn’t detectable, and the RemoteID-watch workflow.