BSc (Hons) Cybersecurity — SETU Carlow — FYP 2026

Handheld Wireless Security Research Device

A portable Wi-Fi and Bluetooth security research platform built from scratch. Custom PCB, 3D-printed enclosure, 30+ attack and monitoring tools, browser-based dashboard. All on a €4 ESP32.

30+ Security Tools
22 Confirmed Working
8,000+ Lines of C++
€28 Hardware Cost
6 Months Building

About the Project

What it is and why I built it

The ESP32 Cyber Device is a handheld wireless security research platform I designed and built for my Final Year Project. The concept was to build something similar to a Flipper Zero, a purpose-built pocket device for security research, using an ESP32 microcontroller that costs €4.

Everything is custom: the PCB designed in EasyEDA, the enclosure modelled in Tinkercad and printed in MJF nylon, the firmware written in C++ with a modular cooperative multitasking architecture, and the control dashboard built in vanilla JavaScript. All 30+ tools are accessible from any browser connected to the device's own Wi-Fi hotspot.

ESP32-WROOM-32U · C++ / Arduino · IEEE 802.11 · Bluetooth LE · EasyEDA PCB · MJF Nylon · NimBLE · LittleFS · JLCPCB · Vanilla JS SPA

Features

All tools accessible from the dashboard at 192.168.4.1, no app installation needed

Feature | Description | Status
Evil Portal | Fake captive portal with DNS spoofing. iOS triggers the login page automatically via captive portal detection. Captures email, password, MAC address, and User-Agent in real time. | Works
Karma Attack | Listens for probe requests from nearby phones and auto-creates a matching fake AP. Devices auto-connect thinking they found a known network. | Works
Beacon Spam (4 variants) | Custom SSID list, random ISP-style names (BTHub6, Sky_, eir-), Rick Roll lyrics as network names, SSID confusion with homoglyph variants of real networks nearby. | Works
Wardriving | Async continuous AP logging: BSSID, SSID, channel, encryption, RSSI. Persists in flash across reboots. CSV export. Logged 23 APs in a 5-minute walk. | Works
BadBLE Keyboard Injection | ESP32 advertises as a Bluetooth keyboard. Once paired, injects arbitrary keystrokes. Confirmed opening CMD on Windows 11 with a Win+R payload. | Works
Probe Request Sniffer | Captures SSIDs broadcast by nearby phones in probe request frames, which reveals their remembered network history. Passive only, no transmitted frames. | Works
DNS Spoofing | UDP server on port 53 redirects all DNS queries to 192.168.4.1. Any URL typed in a browser on a connected device opens the ESP32 dashboard. | Works
WiFi / BLE Scanners | AP discovery with SSID, BSSID, RSSI, channel, encryption, WPS, and OUI manufacturer. BLE device scan with company ID type classification (Apple, Samsung, MS). | Works
Station Scanner | Passive 802.11 data frame capture to map client-AP associations. Completely passive, no transmitted frames. | Works
Network / Port Scanner | ARP discovery of all devices on the AP subnet. TCP port scan of 21 common ports. Channel analyser showing AP density per 2.4 GHz channel. | Works
BLE Name Spoof | Advertises as any named Bluetooth device. Visible in nRF Connect and Windows Bluetooth scanner. | Works
EAPOL Handshake Capture | Captures WPA2 four-way handshake. Outputs hashcat 22000 format for offline cracking. Works for devices connecting to this device's own AP only. | Own AP only
BLE Proximity Spam | Apple Continuity Protocol and MS Swift Pair advertisements. Frames confirmed transmitting in nRF Connect. OS-level popup notifications inconsistent. | Partial
Deauth Attack | Code and en_sys_seq fix are correct. ESP-IDF 5.x rejects 0xC0/0xA0 frame types at the driver level. Downgrade to 2.0.17 breaks other modules, not viable. | Blocked (IDF 5.x)

Hardware

Custom PCB designed in EasyEDA, enclosure designed in Tinkercad, both built from scratch

Microcontroller

Module: ESP32-WROOM-32U
CPU: 240 MHz dual-core Xtensa LX6
SRAM: 520 KB
Wi-Fi: 802.11 b/g/n 2.4 GHz
Bluetooth: BLE 4.2
Antenna: External IPEX connector
Display: ILI9341 2.8" TFT + XPT2046

PCB

Design tool: EasyEDA (manual routing)
Layers: 2-layer, 1.6mm FR4
Dimensions: 84 × 70 mm
Manufacturer: JLCPCB
Cost: €1.60 per board
Firmware: arduino-esp32 3.3.7, TFT_eSPI, NimBLE

Power

Battery: 1150 mAh LiPo 3.7V
Charger: TP4056 USB-C module
Boost converter: ME2108A33P 3.7V → 5V
Current power: ESP32 USB Micro-B (power bank)
Issue: TP4056 circuit insufficient for 500mA Wi-Fi peak; future revision needs TPS63020

Enclosure

Design tool: Tinkercad
Material: MJF PA12 black nylon
Manufacturer: JLC3DP
Revisions: 2 (v1 had USB slot error)
Mounting: 4× M3 screws to PCB bosses
Total cost: ~€28 all-in

Firmware

Cooperative multitasking: every module ticks once per loop and returns immediately

// Every attack module exposes tick(): one unit of work, returns fast
void loop() {
  server.handleClient();
  if (pendingCmd.ready) dispatch();
  evilPortal.tick(); karmaAttack.tick(); beaconSpam.tick();
  wardriving.tick();    // async scan, AP stays online
  eapolSniffer.tick(); display.tick();
  // ... 20+ more modules
}

// EAPOL detection: fixed byte offsets, adapted from ESP32 Marauder
bool isEapol(const uint8_t* d, int len) {
  if (len < 36) return false;
  if (d[30]==0x88 && d[31]==0x8E) return true; // non-QoS
  if (d[32]==0x88 && d[33]==0x8E) return true; // QoS
  return false;
}
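
An added example, not the project's firmware: a variant of the isEapol() check that goes beyond the two fixed offsets by reading Frame Control to find where LLC/SNAP starts. It handles 4-address and HT Control headers and rejects a management frame that happens to carry 0x88 0x8E at byte 30. The names isEapolFrame, dataHeaderLen and sampleFrame are hypothetical, and the buffer is assumed to start at the 802.11 header with no radiotap prefix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// MAC header length of an 802.11 data frame that carries a body, else 0.
// Assumption: d points at Frame Control (no radiotap header in front).
static size_t dataHeaderLen(const uint8_t* d, size_t len) {
  if (len < 24) return 0;
  if ((d[0] & 0x0F) != 0x08) return 0;  // protocol version 0, type 2 (data)
  const uint8_t subtype = d[0] >> 4;
  if (subtype & 0x04) return 0;         // Null / CF-only subtypes: no body
  size_t hdr = 24;
  if ((d[1] & 0x03) == 0x03) hdr += 6;  // ToDS+FromDS: Address 4 present
  if (subtype & 0x08) {                 // QoS subtypes: 2-byte QoS Control
    hdr += 2;
    if (d[1] & 0x80) hdr += 4;          // Order bit on QoS data: HT Control
  }
  return hdr;
}

// True for an unencrypted data frame whose LLC/SNAP EtherType is 0x888E.
bool isEapolFrame(const uint8_t* d, size_t len) {
  static const uint8_t kSnap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
  const size_t hdr = dataHeaderLen(d, len);
  if (hdr == 0 || (d[1] & 0x40)) return false;  // not data, or Protected bit set
  if (len < hdr + 8) return false;              // no room for LLC/SNAP + EtherType
  for (size_t i = 0; i < 6; ++i)
    if (d[hdr + i] != kSnap[i]) return false;
  return d[hdr + 6] == 0x88 && d[hdr + 7] == 0x8E;
}

// Constructed sample: zeroed MAC header of hdrLen bytes + LLC/SNAP + EtherType.
std::vector<uint8_t> sampleFrame(uint8_t fc0, uint8_t fc1, size_t hdrLen, uint16_t et) {
  std::vector<uint8_t> f(hdrLen, 0x00);
  f[0] = fc0; f[1] = fc1;
  const uint8_t tail[8] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00,
                           uint8_t(et >> 8), uint8_t(et & 0xFF)};
  f.insert(f.end(), tail, tail + 8);
  return f;
}

int main() {
  const auto beacon = sampleFrame(0x80, 0x00, 24, 0x888E);  // management frame
  const auto wds = sampleFrame(0x88, 0x03, 32, 0x888E);     // 4-address QoS data
  std::printf("beacon=%d wds=%d\n", isEapolFrame(beacon.data(), beacon.size()),
              isEapolFrame(wds.data(), wds.size()));
  return 0;
}
```
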

Problems Encountered

Every significant issue during development with root cause and outcome

01. ILI9341 Screen Damaged by 5V Exposure
Backlight on, no pixels. Caused by accidental 5V on display RESET pin during breadboard rewiring. ILI9341 is 3.3V only. Implemented headless stub so development could continue. Replacement screen worked first time.
Status: Resolved

02. ESP32-S3 Migration Failed After Two Weeks
Three blockers: NimBLE API differences, promiscuous mode behaves differently on S3 under softAP, 7" display used LVGL not TFT_eSPI. No compatibility checking done before starting. Two weeks wasted. Lesson: verify every API dependency before any platform migration.
Status: Abandoned

03. Deauth Blocked by ESP-IDF 5.x, Downgrade Not Viable
ESP-IDF 5.x rejects 0xC0/0xA0 frame types in esp_wifi_80211_tx. Separate en_sys_seq=false bug also found (silent failure when softAP running), fixed. Attempted 2.0.17 downgrade broke BLE and WebServer. Documented as known limitation.
Status: Known Limitation

04. PMKID Off-by-Two Bug + Sky Router Has No PMKID
Key Data Length field is at byte offset 93 in the EAPOL descriptor body, not 95. Found by comparing raw hex output against a Wireshark capture. After fix: Sky Q Hub still shows zero; their firmware doesn't include PMKID for fresh connections. Optional per IEEE 802.11i.
Status: Partial

05. USB-C Power Insufficient Under Load
ESP32 peaks at 500mA during Wi-Fi transmit. ME2108A33P rated 500mA max, no headroom. Device resets under load. Now powered via ESP32 USB Micro-B from a power bank. Future revision: TPS63020 (1.8A), wider traces, bulk decoupling cap.
Status: Workaround

06. Wardriving Disconnecting the Dashboard
Synchronous WiFi.scanNetworks() disrupts the softAP interface. Fixed: switched to async mode. tick() polls WiFi.scanComplete() each iteration. AP stays online throughout.
Status: Resolved

07. TFT_eSPI + WebServer Namespace Conflict
In arduino-esp32 3.x, FS.h puts the FS class in fs:: namespace. WebServer.h expects it globally. Fix: add #include FS.h, LittleFS.h, and "using namespace fs;" at the very top of the .ino before all other includes.
Status: Resolved

08. ArduinoJson Buffer Overflow Causing Random Reboots
StaticJsonDocument<8192> overflowed with 20+ WiFi + 10+ BLE results. ArduinoJson truncates silently; malformed JSON crashed the browser poll loop, leading to WebServer timeout and restart. Fixed: 32KB document, overflow check, try/catch in JS.
Status: Resolved

09. TP4056 Solder Bridges on Assembly
Hand-soldering tight-pitch SMD module without a hot air station produced bridges between pads. Removed with desoldering braid, re-soldered individually with fresh flux, verified with multimeter. A ~€40 hot air station would have prevented this.
Status: Resolved

10. Enclosure v1 USB Slots on Wrong Side
Tinkercad coordinate confusion: both USB cutouts ended up on the same face. Fixed by physically measuring each port position with a ruler and using those exact measurements in the model. Second revision was correct.
Status: Fixed in v2
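
The offset from problem 04, worked through as an added example (not the project's code): summing the EAPOL-Key field sizes gives 93 for Key Data Length and 95 for the first Key Data byte, and the bounds-checked walk then reports whether a message 1 from your own AP carries a PMKID KDE. It assumes the 16-byte MIC of WPA2-PSK and offsets counted from the Descriptor Type byte; all names and the sample message are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// EAPOL-Key descriptor body, field sizes in wire order (IEEE 802.11).
// Assumption: 16-byte Key MIC; offsets count from the Descriptor Type byte.
constexpr size_t kKeyDataLenOff =
    1 /*Descriptor Type*/ + 2 /*Key Information*/ + 2 /*Key Length*/ +
    8 /*Replay Counter*/ + 32 /*Key Nonce*/ + 16 /*Key IV*/ +
    8 /*Key RSC*/ + 8 /*Reserved*/ + 16 /*Key MIC*/;
constexpr size_t kKeyDataOff = kKeyDataLenOff + 2;  // first Key Data byte
static_assert(kKeyDataLenOff == 93 && kKeyDataOff == 95, "EAPOL-Key layout");
uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// True if Key Data holds a PMKID KDE: dd 14 00-0f-ac 04 followed by 16 bytes.
bool keyDataHasPmkid(const uint8_t* body, size_t len) {
  static const uint8_t kSel[4] = {0x00, 0x0F, 0xAC, 0x04};
  if (len < kKeyDataOff) return false;
  const size_t kdLen = be16(body + kKeyDataLenOff);
  if (kdLen > len - kKeyDataOff) return false;  // declared length overruns buffer
  const uint8_t* p = body + kKeyDataOff;
  size_t left = kdLen;
  while (left >= 2) {
    const size_t elemLen = p[1];
    if (elemLen > left - 2) return false;       // truncated element
    if (p[0] == 0xDD && elemLen == 20 && !std::memcmp(p + 2, kSel, 4)) return true;
    p += 2 + elemLen; left -= 2 + elemLen;
  }
  return false;
}

// Constructed message-1 body; the PMKID is 0x11 filler, not captured data.
std::vector<uint8_t> sampleMsg1(bool withPmkid) {
  std::vector<uint8_t> b(kKeyDataOff, 0x00);
  b[0] = 0x02; b[2] = 0x8A;          // RSN descriptor, Key Information 0x008A
  if (!withPmkid) return b;          // Key Data Length stays 0
  b[kKeyDataLenOff + 1] = 22;        // 2-byte KDE header + 20-byte KDE body
  const uint8_t kde[6] = {0xDD, 0x14, 0x00, 0x0F, 0xAC, 0x04};
  b.insert(b.end(), kde, kde + 6);
  b.resize(b.size() + 16, 0x11);
  return b;
}

int main() {
  const auto m = sampleMsg1(true);
  std::printf("len@93=%d pmkid=%d\n", be16(&m[93]), keyDataHasPmkid(m.data(), m.size()));
  return 0;
}
```

Reading the length at offset 95 instead of 93 returns the first two Key Data bytes (0xDD14 in the sample), which is why the wrong offset yields a nonsensical length rather than an obvious crash.
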

Development Timeline

September 2025 – April 2026

Sep 2025: Research & Proof of Concept
Platform research, 802.11/BLE study. Beacon injection and evil portal PoC both worked first try.

Oct 2025: Specification Submitted
FURPS+ requirements, ethical framework, component selection, specification submitted.

Nov 2025: Core Firmware
Module architecture. WiFi/BLE scanners, probe sniffer, station scanner, web server, dashboard v1.

Dec 2025: Screen Failure + Failed S3 Migration
ILI9341 damaged by 5V. S3 migration attempted two weeks then abandoned. Headless mode. Evil portal, karma, beacon spam all built.

Jan 2026: PCB and Enclosure Designed
EasyEDA PCB (2 iterations). Tinkercad enclosure (2 revisions, v1 had slot error). PCB ordered JLCPCB.

Feb 2026: Hardware Assembly + More Features
PCB assembled, TP4056 bridge fixed. USB-C power unreliable, switched to USB power bank. EAPOL, deauth, BLE spam, BadBLE, wardriving implemented.

Mar 2026: Debugging Phase
Deauth root cause confirmed. PMKID offset bug fixed, Sky limitation found. ArduinoJson crash fixed. Enclosure v2 arrived.

Apr 2026: Final Integration & Submission
TFT re-enabled, namespace fix, status labels, comprehensive testing, report and showcase website.

Security Implications

What each feature demonstrates about real-world wireless vulnerabilities

WPA2-PSK Weakness

EAPOL handshake material is passively observable by anyone in radio range. The entire security of WPA2-PSK depends on passphrase complexity. WPA3 with SAE eliminates this attack completely.

Evil Portal / Karma

WPA2 has no mutual authentication: clients can't verify an AP is genuine. iOS captive portal detection makes rogue portals seamless. VPN is the only reliable countermeasure.

Probe Request Privacy

Phones broadcast every remembered network SSID continuously. A partial movement history is passively readable. MAC randomisation helps but doesn't stop SSID content leaking.

BLE Proximity Spoofing

Apple Continuity Protocol and MS Swift Pair have no cryptographic source authentication. Any BLE device can spoof any advertisement. iOS 17.3 rate-limits popups but can't fix the underlying protocol.

HID Keyboard Injection

Windows default settings accept BLE keyboard pairings without a PIN. A paired device can inject arbitrary keystrokes immediately. Open CMD + run a command is achievable in seconds.

Vendor API Restrictions

ESP-IDF 5.x deliberately blocks deauth frame injection, a vendor security policy choice. Platform vendors can restrict research capabilities via firmware regardless of what the hardware supports.

Contact

BSc (Hons) Cybersecurity — SETU Carlow — Supervised by Joseph Kehoe

📧 C00287783@setu.ie GitHub
All testing was performed on personally owned hardware in a private residential environment. No attacks were directed at third-party infrastructure. Use of this device against networks without authorisation is illegal under the Computer Misuse Act 1990.