Pancake.-.evil.twin.mov
Pancake.-.handshaker.mov
WiFi 6 security toolkit & wardriving device built on ESP32-C5
-blueviolet){kind=icon}
Pancake is a portable, touchscreen-driven WiFi security toolkit running on the Waveshare ESP32-C5-WIFI6-KIT. Inspired by Pwnagotchi-style devices, it combines a rich set of offensive and defensive WiFi tools with BLE scanning, GPS wardriving, and a beautiful Material-style dark UI — all packed into a handheld form factor with a 3.5" capacitive touch display.
Built entirely on ESP-IDF 6.0 with LVGL 8.x for the UI, the firmware leverages the ESP32-C5's RISC-V core and WiFi 6 capabilities for modern wireless security research and education.
- Features Overview
- Screenshots
- Hardware
- Pinout
- Software Features — Detailed
- Data & Storage
- Building & Flashing
- Photos
- Disclaimer
| Category | Features |
|---|---|
| WiFi Scanning | Active scan, per-channel analysis, RSSI, client enumeration |
| WiFi Attacks | Deauth, Evil Twin, Captive Portal, Blackout, Snifferdog, SAE Overflow |
| Handshake Capture | WPA/WPA2 4-way handshake capture (PCAP & HCCAPX) |
| Karma AP | Respond to probe requests, rogue access point |
| Wardriving | GPS + WiFi logging to SD card (CSV) |
| BLE | AirTag scanner, SmartTag detection, BLE Locator |
| Deauth Monitor | Passive detection of nearby deauth attacks |
| Credentials | Captive portal credential capture, WPA-SEC upload |
| UI | Material dark theme, touch gestures, screen dimming, screenshots |
| Storage | SD card for handshakes, wardrive logs, screenshots |
Main Menu
Selected Network Attack Panel
Global attacks
Handshaker
Kismet-style network observer & Karma attack
| Component | Model | Interface |
|---|---|---|
| MCU | ESP32-C5 (RISC-V, WiFi 6, BLE 5) | — |
| Board | Waveshare ESP32-C5-WIFI6-KIT | — |
| Display | 3.5" ILI9341 TFT (480×320, 16-bit RGB565) | SPI @ 40 MHz |
| Touch | FT6336U Capacitive Touch | I2C @ 0x38 |
| SD Card | MicroSD (shared SPI bus with display) | SPI |
| GPS | UART NMEA module (GGA, RMC) | UART @ 9600 baud |
| LED | WS2812 NeoPixel (single) | RMT / GPIO |
| Battery | LiPo with voltage divider (ADC monitoring) | ADC |
Screen link: https://pl.aliexpress.com/item/1005009570156903.html - remember to select 3.5"
ESP32-C5 Waveshare
┌──────────────────┐
│ │
Display ────────┤ GPIO 24 (MOSI) │──────── SD Card
(shared SPI) │ GPIO 4 (MISO) │ (shared SPI)
│ GPIO 23 (CLK) │
│ │
LCD CS ─────────┤ GPIO 5 │
LCD DC ─────────┤ GPIO 3 ⚠️ │
LCD RST ────────┤ GPIO 2 ⚠️ │
│ │
BAT ADC ────────┤ GPIO 6 (ADC) │──── Battery voltage divider
│ │
SD CS ──────────┤ GPIO 7 │
│ │
Touch SDA ──────┤ GPIO 9 │
Touch SCL ──────┤ GPIO 10 │
Touch INT ──────┤ GPIO 25 │
Touch RST ──────┤ GPIO 8 │
│ │
GPS TX ─────────┤ GPIO 13 │
GPS RX ─────────┤ GPIO 14 │
│ │
NeoPixel ───────┤ GPIO 27 │
│ │
Console ────────┤ GPIO 11/12 (USB) │
└──────────────────┘
⚠️ = Strapping pins — require gpio_reset_pin() before use
| GPIO | Function | Interface | Notes |
|---|---|---|---|
| 2 | LCD Reset | Output | |
| 3 | LCD Data/Command | Output | |
| 4 | SPI MISO | SPI | Shared: LCD + SD |
| 5 | LCD Chip Select | SPI | Active LOW |
| 6 | Battery ADC | ADC1_CH5 | Voltage divider (ratio 3.2) |
| 7 | SD Card Chip Select | SPI | Active LOW |
| 8 | Touch Reset | Output | Active LOW |
| 9 | Touch SDA | I2C | FT6336U data |
| 10 | Touch SCL | I2C | FT6336U clock |
| 11 | Console TX | UART0 | USB serial |
| 12 | Console RX | UART0 | USB serial |
| 13 | GPS TX | UART1 | ESP → GPS |
| 14 | GPS RX | UART1 | GPS → ESP |
| 23 | SPI Clock | SPI | Shared: LCD + SD |
| 24 | SPI MOSI | SPI | Shared: LCD + SD |
| 25 | Touch Interrupt | Input | Touch detected |
| 27 | NeoPixel Data | RMT/GPIO | WS2812 LED |
SPI2_HOST (40 MHz)
├── LCD ILI9341 (CS = GPIO 5)
│ ├── MOSI = GPIO 24
│ ├── MISO = GPIO 4
│ ├── CLK = GPIO 23
│ └── DC = GPIO 3, RST = GPIO 2
│
└── SD Card (CS = GPIO 7)
├── MOSI = GPIO 24
├── MISO = GPIO 4
└── CLK = GPIO 23
Mutual exclusion via sd_spi_mutex
VBAT ──┤ R10 (200kΩ) ├──┬── GPIO 6 (ADC1_CH5)
│
R16 (100kΩ)
│
GND
Divider ratio: 3.0 (calibrated: 3.2)
Active WiFi scanning with per-network details, followed by targeted attacks on selected networks.
| Feature | Description |
|---|---|
| WiFi Scan | Scans all channels, shows SSID, BSSID, RSSI, channel, encryption |
| Deauth Attack | Sends deauthentication frames to disconnect clients from selected AP |
| Evil Twin | Creates a rogue AP cloning the target SSID to lure clients |
| Captive Portal | HTTP server presenting a fake login page to capture credentials |
| Handshake Capture | Captures WPA/WPA2 4-way handshakes and saves as PCAP/HCCAPX |
| ARP Poisoning | LwIP-based ARP spoofing for MitM scenarios |
Attacks that operate on all nearby networks simultaneously.
| Feature | Description |
|---|---|
| Blackout | Mass deauthentication of all detected networks in range |
| Snifferdog | Channel-hopping sniffer with automatic client deauthentication |
| SAE Overflow | WPA3 SAE authentication flood attack |
Passive network intelligence and rogue AP capabilities.
| Feature | Description |
|---|---|
| Network Observer | Passive 802.11 sniffing in promiscuous mode |
| Karma AP | Automatically responds to client probe requests, creating matching rogue APs |
Passive detection of deauthentication attacks happening in the area. Alerts when deauth frames are detected on nearby channels — useful for detecting hostile activity.
BLE scanning features leveraging the ESP32-C5's BLE 5.0 radio.
| Feature | Description |
|---|---|
| AirTag Scanner | Detects Apple Find My network devices |
| SmartTag Scanner | Detects Samsung SmartTag devices |
| BLE Locator | Generic BLE device scanner with signal strength |
Note: WiFi and BLE share the same radio. The firmware automatically switches between
RADIO_MODE_WIFIandRADIO_MODE_BLEas needed.
GPS-enabled WiFi logging for mapping wireless networks.
- Combines GPS coordinates (NMEA GGA/RMC) with WiFi scan results
- Logs to CSV files on the SD card
- Compatible with standard wardriving visualization tools
| Setting | Description |
|---|---|
| Screen Timeout | Inactivity timer before display dimming |
| Brightness | Software brightness overlay (10–100%) |
| Scan Duration | Configurable WiFi scan time |
All settings are persisted via NVS (Non-Volatile Storage) across reboots.
| Feature | Description |
|---|---|
| LVGL Material Dark Theme | Modern, touch-friendly dark UI |
| 6-Tile Main Menu | Quick access to all feature categories |
| Screenshot Capture | Save screen to SD card (/sdcard/screenshots/) |
| WPA-SEC Upload | Upload captured handshakes to wpa-sec.stanev.org via HTTPS |
| NeoPixel Status LED | Visual feedback via WS2812 LED |
| Battery Monitor | Real-time battery voltage reading |
All data is stored on the SD card:
/sdcard/
├── lab/
│ └── handshakes/ # Captured WPA handshakes
│ ├── *.pcap # Wireshark-compatible captures
│ └── *.hccapx # Hashcat-compatible format
├── wardrive/ # GPS + WiFi logs (CSV)
├── screenshots/ # UI screenshots (BMP)
└── portal/ # Captured portal credentials
- ESP-IDF v6.0 (with ESP32-C5 support)
- Waveshare ESP32-C5-WIFI6-KIT (or compatible)
cd ESP32C5
idf.py set-target esp32c5
idf.py buildidf.py -p /dev/ttyACM0 flash monitor
Device — Front View
Device — Back / Wiring
Home-made waveshare build
pancake/
├── ESP32C5/
│ ├── main/
│ │ ├── main.c # Core application, UI, init
│ │ ├── attack_handshake.c # Handshake capture logic
│ │ ├── ft6336.c # FT6336U touch driver
│ │ └── lvgl_memory.c # PSRAM allocator for LVGL
│ ├── components/
│ │ ├── wifi_cli/ # CLI, WiFi init, LED control
│ │ ├── wifi_scanner/ # WiFi scanning engine
│ │ ├── wifi_sniffer/ # Promiscuous mode sniffer
│ │ ├── wifi_attacks/ # Deauth, Evil Twin, Captive Portal, Karma
│ │ ├── wifi_wardrive/ # GPS + WiFi wardriving
│ │ ├── sniffer/ # Raw 802.11 frame capture
│ │ ├── frame_analyzer/ # EAPOL / beacon parsing
│ │ ├── pcap_serializer/ # PCAP file writer
│ │ └── hccapx_serializer/ # HCCAPX file writer (hashcat)
│ ├── sdkconfig
│ └── CMakeLists.txt
└── README.md
This project is intended for educational and authorized security research purposes only. Unauthorized access to computer networks is illegal. Always obtain proper authorization before testing on any network you do not own. The author assumes no liability for misuse of this software.
Made with ☕ and ESP-IDF