Antennas · Volume 29

Use-case Matrix: Radios in the Hub

Per-radio antenna recommendations for every device in the Hack Tools hub — HackRF, RTL-SDR, Flipper, Marauder, Pineapple, PortaRF, UV-K5, Rayhunter, Banshee, PWNagotchi, Nyan Box, DSTIKE Hackheld — with BALUN/feedline notes and posture mapping

Contents

SectionTopic
1About this volume
2The matrix at a glance
3HackRF One — wideband 1 MHz – 6 GHz TX+RX
4RTL-SDR V4 — receive-only HF/VHF/UHF
5Flipper Zero — sub-GHz CC1101 + 433 MHz IR + NFC
6ESP32 Marauder Firmware — 2.4 GHz Wi-Fi / BLE
7WiFi Pineapple Mark VII / AC — 2.4 / 5 GHz
8OpenSourceSDRLab PortaRF — HackRF-class handheld SDR
9Quansheng UV-K5 — 144 / 430 MHz handheld
10Rayhunter — Orbic Speed RC400L cellular detection
11Wired Hatters Banshee — multi-modal ESP32 platform
12PWNagotchi — Pi Zero W + Wi-Fi handshake capture
13Nyan Box — multi-radio handheld
14DSTIKE Hackheld — ESP8266 Wi-Fi attack platform
15Bus Pirate 6 — wired protocol tool (no antenna)
16Clockwork PicoCalc / uConsole — handheld compute platforms
17M5Stack Cardputer ADV / Zero, M5Stick S3, AWOK modules
18Decision graph — “I want to do X, which radio + antenna?“
19Resources

1. About this volume

This is the synthesis volume — the bridge between the antenna theory of Vols 2-28 and the radios that live in the rest of the Hack Tools hub. Every radio gets a per-radio section here with specific antenna recommendations drawn from the wire-and-air chapters (Vols 6-15), the BALUN/UNUN topology choice from Vol 16, the tuner choice (when applicable) from Vol 17, the feedline choice from Vol 5, and a posture mapping that says whether the recommendation assumes a home-base antenna farm, a portable kit, a mobile install, or a handheld walk.

The cross-link discipline is bidirectional and intentional. This volume links out to each radio’s deep-dive CLAUDE.md for radio-side material — modulation schemes, sensitivity numbers, demodulator software, attack surface. Each radio’s deep dive links back here for antenna-side material — which whip to buy, which feedline survives the run, where to put the common-mode choke, what the link budget looks like. The antenna side is authoritative here; the radio side is authoritative there. The point is that nobody has to re-derive antenna math while writing a radio chapter, and nobody has to re-derive radio-front-end behaviour while writing an antenna chapter.

The recommendations land at three depths. The top layer is the matrix in §2 — scan it for the one-liner answer to “what do I put on radio Y.” The middle layer is the per-radio section in §§3-17 — read it when you have to pick an actual SKU. The bottom layer is the per-antenna chapter (Vols 6-15) cross-linked from every recommendation — read it when you have to design, tune, or build. The decision graph in §18 indexes the matrix by use case instead of by radio — start there when you know what you want to do but haven’t picked the radio yet.

One note on prices and dates. Every price quoted in this volume is in USD and qualified mid-2026 unless otherwise stated. Antenna pricing is more stable than ESP32 board pricing — a $25 Nagoya NA-771 is still $25 ten years from now — but feedline, masts, and SDRs all drift, and the commercial-buy sections of Vols 6-15 get re-checked annually. Where this volume says “approximately $X”, that bracket is the mid-2026 street price.

2. The matrix at a glance

The table below is the reference layer — scan it for the one-liner answer. Connector callouts assume the radio in stock condition; mod paths that change the connector are flagged in the per-radio section. Stock-antenna performance ratings are relative to a well-tuned external antenna for the same band; “poor” means 8-15 dB worse than a tuned external, “fair” means 3-8 dB worse, “good” means within 3 dB. Upgrade cost is the cost to move from stock to the primary recommendation in column 5 — feedline, masts, and BALUN included where they apply.

RadioNative bandsConnectorStock antennaPrimary antenna recommendationBest postureBALUN / UNUNUpgrade cost (mid-2026 USD)
HackRF One1 MHz – 6 GHz TX+RXSMA-FNone (stub whip optional)Discone for VHF/UHF wideband + EFHW + 49:1 UNUN for HF TXHome base + portable49:1 UNUN at EFHW feed; 1:1 current choke at every coax feed$300-450 (discone + EFHW + LMR-400 + chokes)
RTL-SDR V424 MHz – 1.766 GHz RX + integrated HF tapSMA-FTelescopic dipole kit (fair)Active loop (Wellbrook ALA1530 or LZ1AQ MLA-30+) + disconeHome baseBias-T for active loop power; 9:1 UNUN for random-wire$200-1100 (depending on active-loop tier)
Flipper Zero300 / 433 / 868 / 915 MHz (CC1101)None (PCB trace + helical)Helical whip (poor — 10-15 dB down)Tuned 1/4-wave whip per band (433/868/915 MHz) via GPIO modPortable / handheldNone (direct-fed)$5-25 per band (DIY) or $40-80 (mod kit + 3 whips)
ESP32 Marauder firmware2.4 GHz Wi-Fi + BLEUFL / RP-SMA (varies by host)Onboard PCB / chip antenna (fair)2.4 GHz directional patch (15 dBi, 60° HPBW) for audit; 2.4 GHz omni 5-7 dBi for scanPortable / handheldNone (50 Ω direct)$15-60 (patch + RP-SMA pigtail)
WiFi Pineapple Mark VII / AC2.4 / 5 / 5 GHz dual-bandRP-SMA-F (3 ports)5 dBi dual-band omni whips (good)Sector-audit: 15 dBi panel; distant-client: high-gain Yagi; stealth: rubber-duck arrayHome base + sectorNone$25-300 per port (whip → panel → parabolic)
OpenSourceSDRLab PortaRF1 MHz – 6 GHz TX+RXSMA-FNone (telescopic whip)Same as HackRF One but kit-portable: telescopic whip + foldable EFHW + Spiderbeam mastPortable / handheld49:1 UNUN at EFHW feed; 1:1 choke at SMA pigtail$150-350 (portable EFHW kit + mast)
Quansheng UV-K5144 / 430 MHz (RDA1846S extended)SMA-FStock rubber duck (poor — ~5% efficient)Nagoya NA-771 (38 cm, +6 dB on 2 m / +3 dB on 70 cm)Portable / mobile / handheldNone for VHF/UHF; 9:1 UNUN for HF extended-RX mod$20-25 (NA-771) up to $90 (DIY tape-measure Yagi + NA-771)
Rayhunter (Orbic RC400L)600 – 2600 MHz cellular (B1/B2/B3/B4/B5/B7/B12/B13/B17/B25/B26/B41/B66/B71)Internal PIFA + diversityInternal PIFA (good for capture, poor for DF)Mobile Mark PSKN-LTE omni or directional cellular patch via U.FL modPortableNone$40-200 (depending on whether you tear down for U.FL or use the external antenna port if present)
Wired Hatters Banshee2.4 / 5 GHz Wi-Fi 6 (C5+S3) + sub-GHz NRF24 + GPSSMA-F (multiple)Stock whips + active GPS patchDual-band 2.4/5 GHz whip per Wi-Fi chain; separate 2.4 GHz NRF24 whip; external active GPS patchPortable / handheldNone$50-150 (per-chain whip upgrades)
PWNagotchi2.4 GHz Wi-Fi (Pi Zero W)None (chip antenna)Onboard chip antenna (poor — 5-15 m range)External 2.4 GHz panel via U.FL solder pad modPortable / wearableNone$30-80 (U.FL pigtail + 2.4 GHz panel + mod time)
Nyan Box2.4 GHz Wi-Fi + 3× NRF24L01+ + GPSU.FL on WROOM-32U; per-module on NRF24sStock whip on WROOM; PCB antennas on NRF24sDual-band 2.4 GHz whip on WROOM; three spaced 2.4 GHz whips on NRF24s; active GPS patchPortable / handheldNone$25-100 (per-radio whip upgrade set)
DSTIKE Hackheld2.4 GHz Wi-Fi (ESP8266 + 25 dBm PA)None (onboard PCB)PCB antenna (fair — boosted by onboard PA)Stock for typical use; U.FL mod for sustained range or stealth (invasive, removes RF shield)Portable / handheldNone$0 (stock) or $30-50 (U.FL mod + external 2.4 GHz whip)
Bus Pirate 6None (wired protocol)NoneN/AN/A — wired protocol tool, no antennaN/AN/AN/A
Clockwork PicoCalc / uConsoleVaries by populated module (cellular / Wi-Fi / BT / GPS / LoRa / SDR)Multiple SMA / U.FLPer-module stockPer-module recommendation from rows above; consolidate via Vol 30All posturesPer-radio; see Vol 30 for shared topology$100-1000+ (full multi-radio install)
M5Stack Cardputer (ADV/Zero), M5Stick S3, AWOK modules2.4 GHz Wi-Fi + BLEOnboard PCB (varies); some U.FL padsPCB chip antenna (fair)Stock for typical use; external 2.4 GHz whip via U.FL pad mod for range/stealthPortable / handheld / wearableNone$5-30 (pigtail + whip)

The matrix collapses some nuance — read the per-radio section for the full picture. Two patterns are worth calling out before diving in. First, for 2.4 GHz-only devices (Marauder, PWNagotchi, Nyan Box, DSTIKE, M5 family, AWOK modules), the antenna upgrade is much cheaper than the radio itself and is the highest-ROI mod available; a $15 panel can extend usable range from 10 m to 200 m. Second, for HF-capable radios (HackRF, PortaRF, RTL-SDR with HF tap), the antenna costs more than the radio and is the long-term investment; an EFHW with a quality 49:1 UNUN (Vol 16) and LMR-400 feedline (Vol 5) is a 10-20 year purchase that will outlive several SDR generations.

3. HackRF One — wideband 1 MHz – 6 GHz TX+RX

The HackRF One is the prime consumer of every antenna covered in this series. It TX+RXes across more than three decades of frequency (1 MHz to 6 GHz, ~32× span by frequency, ~10 octaves) — no single antenna covers that span. The HackRF lives or dies on the collection of antennas at its disposal, switched in via SMA-F at the front.

Native antenna characterization. The HackRF ships bare. The SMA-F connector at the front goes straight into the front-end mixer chain (MAX5864 ADC + MAX2837 transceiver + RFFC5072 mixer + DSA RF switch matrix). There is no internal antenna; whatever you plug in is the antenna. Clifford Heath’s modified design (the JSTVRO-built unit) keeps the same connector topology. TX power is +5 dBm in the HF range, climbing to about +15 dBm in the 30 MHz – 1 GHz range, and rolling back off to ~+5 dBm at 6 GHz. The RX noise figure runs 8-12 dB across the full range, which is why preamps and the right antenna matter so much.

HF band recommendations (1-30 MHz). For TX, the end-fed half-wave (EFHW) with a 49:1 UNUN is the canonical HackRF HF antenna (Vol 10) — multi-band coverage (40m / 20m / 15m / 10m at minimum on a 20m wire), no radials, single-point feed at the building edge, and impedance close to 50 Ω at the resonant bands so the HackRF’s PA sees a tractable load. The 49:1 UNUN topology is covered in detail in Vol 16 — a single trifilar winding on an FT240-43 core handles up to 100 W comfortably (the HackRF’s HF +5 dBm is 3 mW, so the UNUN is hilariously over-spec — but you may stack it behind a 100 W amp later). For RX-only, the random-wire + 9:1 UNUN (Vol 10 + Vol 16) is simpler and cheaper: any wire of non-resonant length over 30 ft, a 9:1 UNUN at the feed, and a counterpoise wire on the ground side of the UNUN. Both topologies demand a 1:1 current choke at the radio end of the coax (Vol 16) — the HackRF’s RX chain is particularly susceptible to common-mode current riding back up the shield and lifting the noise floor. A 7-turn coax-wound choke on an FT240-31 core costs $15 and drops noise floor 3-8 dB in typical installs.

VHF/UHF recommendations (30 MHz – 3 GHz). Discone is the standard answer for wideband receive (Vol 12) — the geometric impedance match holds approximately 50 Ω from the design low-end (typically 25-100 MHz depending on disc diameter) up to about 1.5-2 GHz, with a slow rolloff above. The Diamond D-130J ($120) and Diamond D-220 ($95) are the canonical commercial buys; the DIY equivalent is in Vol 12 ($40-60 in 1/8” 6061 aluminum stock). For direction-finding, a monoband Yagi optimized for the specific band of interest (Vol 11) — a 3-element 2 m Yagi (8 dBi, 65° HPBW) is the standard DF antenna, $90 commercial (Arrow II or Diamond A144S3) or $25-30 DIY in 12 AWG wire and PVC. For 70 cm DF, the InnovAntennas LFA 5-el ($175) or a 3-element DIY ($20) covers the ATV / amateur repeater bands.

Microwave recommendations (3-6 GHz). The HackRF’s TX gain rolls off past 4 GHz so microwave use is mostly receive. A 2.4 GHz biquad (Vol 11 — the W4WT design) gives 11 dBi at 70° HPBW for $15 in copper wire and a soup-can reflector. For 5/5.8 GHz, the Ubiquiti AirMax M5 parabolic dish (24 dBi, 8° HPBW, $90) is the standard purchase — it’s optimized for the same band the HackRF is reading, has an N-female feed, and converts to SMA via a $4 pigtail. For wideband microwave RX, a Vivaldi notch antenna (Vol 13) covers 800 MHz to 6 GHz at modest gain (4-6 dBi) on a single PCB.

BALUN/UNUN/feedline. The HackRF’s TX chain is sensitive to common-mode current riding back up the shield — every coax-fed antenna gets a 1:1 current choke at the feedpoint. The 49:1 UNUN is the HF-EFHW workhorse; the 9:1 UNUN is the random-wire workhorse; the 1:1 current choke is mandatory at every feedpoint. Feedline-wise: LMR-400 (Vol 5) for outdoor runs to permanent antennas (0.65 dB / 100 ft at 30 MHz, 4.5 dB / 100 ft at 1 GHz), LMR-240 for portable jumpers and short indoor runs (1.5 dB / 100 ft at 30 MHz, 9 dB / 100 ft at 1 GHz), and RG-58 only for jumpers under 6 ft (the loss budget runs away above 1 GHz). For the microwave bands, the loss budget gets nasty — every dB of feedline at 5 GHz is a dB you didn’t get from your 24 dBi dish. The standard answer is to mount the radio close to the antenna with a USB extender (Icron 100 m fiber-optic USB or a powered active-USB extender) and only the USB extends — the radio sits at the antenna’s feedpoint.

Posture. Home base — the full antenna farm picture from Vol 32. EFHW for HF off the eaves with a 49:1 UNUN at the wall, discone on a 30 ft Spiderbeam HD mast or Rohn 25G tower for wideband receive (Vol 21, Vol 21), a rotator-mounted Yagi for DF, and a 5/5.8 GHz parabolic on the side of the house. Portable — Spiderbeam HD telescoping mast (10 m, 4.5 kg, $375) plus a folded EFHW (Vol 10) plus a 3-element Yagi in PVC. Mobile — limited; the HackRF doesn’t really live in a vehicle, but if it does, a Diamond NR770HB dual-band mobile vertical on a 5/8 wavelength radiator covers 2 m / 70 cm. Handheld — the HackRF is technically handheld but not really; if you need handheld use the PortaRF (§8 below).

Posture-specific upgrade ladder. Stock (just the radio): $0. Budget portable ($150-250): telescopic whip + 9:1 UNUN + 10m random wire + 6 ft LMR-240 jumper. Mid ($400-700): Diamond D-130J discone + 25 ft LMR-400 + 20m EFHW + 49:1 UNUN + 1:1 choke at feedpoint. Premium ($1500-3000): full antenna farm with rotator-mounted Yagi, EFHW for HF, discone for wideband, parabolic for microwave, full mast system. The premium tier is a 10+ year commitment; budget for replacement coax in year 8-10 and replacement UV-degraded insulators in year 5-7 (Vol 22).

Test every antenna before deployment with the NanoVNA (Vol 24) — the HackRF can transmit into a high-SWR antenna without instantly destroying itself, but repeated TX into a 3:1+ SWR will eventually cook the PA. The NanoVNA workflow is calibrate → measure S11 across band → trim to <1.5:1 across operating band → install choke → re-measure.

Cross-link: ../HackRF One/CLAUDE.md for the radio side — front-end architecture, control software (hackrf_transfer, gqrx, SDR#), and the modified Clifford Heath design notes.

4. RTL-SDR V4 — receive-only HF/VHF/UHF

The RTL-SDR Blog V4 changed the receive-only equation when it added the integrated HF tap with direct-sampling mode (Q-branch ADC bypassing the R820T2 mixer for frequencies below 24 MHz). The V4 also fixed the V3’s bias-T noise issue and bumped the ADC effective dynamic range. The receive-only nature is the key constraint — it changes the antenna calculus entirely: no SWR/PA worries, no TX duty cycle, the only sin is noise (received noise floor either from the antenna environment or the radio’s own NF).

Native antenna characterization. The V4 ships with the standard RTL-SDR Blog antenna kit — a telescopic dipole pair (5-100 cm legs depending on extension) with an SMA-F base, a 1 m flexible-coax cable, and a desktop tripod. The dipole works adequately from VHF up; HF performance through the dipole + direct-sampling tap is marginal because the dipole is too short to be efficient on HF. The integrated HF tap, in receive-only direct-sampling mode, can use any external long wire that you connect via the SMA — the dipole is the wrong tool for HF.

HF receive (1-30 MHz). The defining HF receive consideration for SDRs is noise floor, not antenna gain. A passive random wire on a suburban lot will pick up the neighbor’s plasma TV, the LED light fixtures, the EV charger, and the IoT mesh — gain you don’t want. Active loops are the SDR-friendly answer because they couple to the magnetic field rather than the electric field, and most local noise is E-field dominant. The reference active loops are the Wellbrook ALA1530LN+ (£420, $550 mid-2026, made in the UK by Andrew Ikin) — 1 m diameter, 50 kHz to 30 MHz, 65 dB image rejection, the gold standard for receive-only HF — and the LZ1AQ Active Antenna ($130 — DIY kit by Chavdar Levkov LZ1AQ) — 1 m wire loop in a wide-band amp configuration. The Bonito MegActiv MA305 ($250) and MLA-30+ ($40 from AliExpress) are budget alternatives; the MLA-30+ in particular punches well above its price but has high-IMD overload in strong-signal environments. The active loop pairs with a USB-powered bias-T injector at the radio end ($20-30 — Nooelec NESDR bias-T or the RTL-SDR Blog bias-T cable) — the loop pulls its 12 V over the coax.

For receive-only HF without an active loop, the random wire + 9:1 UNUN (Vol 10 + Vol 16) is the standard cheap solution — 30-60 ft of 14 AWG insulated wire, a 9:1 UNUN at the feedpoint, a counterpoise wire on the ground side, 25 ft of RG-58 to the radio. Total cost is $40-60 for the parts, $80-100 for a finished commercial kit (MyAntennas RX-9:1 or PAR EndFedz). Performance is noisier than the active loop in suburban environments but better in rural ones.

VHF receive (30-300 MHz). Discone is again the answer for wideband (Vol 12) — the same Diamond D-130J or DIY version covers VHF/UHF cleanly. For specific VHF bands (6 m, 2 m, 1.25 m), a tuned dipole or 1/4-wave vertical (Vol 6, Vol 8) gives 3-6 dB more gain over the discone in the design band at the cost of band-specific performance. The receive-only NF is dominated by sky noise above ~30 MHz, so antenna gain matters more than receiver NF.

UHF receive (300 MHz – 1.7 GHz). The discone covers most of this; the V4’s R820T2 tunes 24 MHz to about 1.766 GHz (the marketing claim is 24-1766 MHz; the practical edge is fuzzy at the top — sensitivity drops past 1.5 GHz). For directional reception, a 70 cm Yagi or a 1296 MHz (23 cm) Yagi works. For ADS-B (1090 MHz), the FlightAware 1090 MHz antenna ($45) is a tuned 1/4-wave vertical optimized for the band — adds 5-8 dB over a discone for the specific frequency.

BALUN/UNUN/feedline. 9:1 UNUN at the wire antenna feedpoint; bias-T inline at the radio end for active loops; LMR-240 or RG-58 (the receive-only application doesn’t justify LMR-400 since there’s no TX power to conserve, and receive sensitivity loss from 1-2 dB extra feedline is dwarfed by noise floor variability).

Posture. Home base — the RTL-SDR is rarely portable beyond “I plugged the dongle into a laptop in the car.” For DXing and HF receive, the active loop on a 6-10 ft mast in the yard with bias-T-powered coax to the desktop is the canonical install. Portable: the telescopic dipole and a laptop in a park or coffeeshop is fine for VHF/UHF/satellite reception. The Outernet active patch antenna ($45) is the portable L-band satellite RX answer for Inmarsat / Iridium / NOAA APT.

Posture-specific upgrade ladder. Stock ($35 — the V4 kit): telescopic dipole + 1 m coax + tripod. Budget HF ($75-100): add random-wire kit + 9:1 UNUN + 25 ft RG-58. Mid HF ($170-300): swap to MLA-30+ active loop + bias-T injector + 50 ft LMR-240 + discone for VHF/UHF. Premium HF ($800-1500): Wellbrook ALA1530LN+ on a 10 ft mast + bias-T + LMR-240 + Diamond D-130J discone + 70 cm tuned Yagi for ADS-B / satellite work.

Cross-link: ../RTL-SDR/CLAUDE.md for the radio side — V3 vs V4 differences, gqrx / SDR# configuration, direct-sampling mode setup, the dump1090 / readsb ADS-B pipeline.

5. Flipper Zero — sub-GHz CC1101 + 433 MHz IR + NFC

The Flipper Zero’s sub-GHz front end is a CC1101 transceiver with a PCB trace antenna and an external helical whip. The CC1101’s TX power tops out at +12 dBm (16 mW); RX sensitivity is typical for the class (-110 dBm at 1.2 kbps in the 433 MHz band). The antenna is the bottleneck — the stock arrangement runs 10-15 dB worse than a band-tuned external whip, which means the Flipper’s effective sub-GHz range is a fraction of what the radio could deliver.

Native antenna characterization. The Flipper’s sub-GHz path is a CC1101 chip → balun-matching network → PCB trace antenna stub. The included helical whip plugs into a tiny U.FL-equivalent connection internally; mechanically it’s the rubber “antenna” that pulls up from the top of the unit. The PCB trace is approximately 1/8 wavelength at 433 MHz (heavily compromised), and the helical whip is a loaded element trying to look like a quarter-wave at 433/868/915 MHz simultaneously. Efficiency on any single band is 10-15% — typical of multi-band loaded handheld antennas. There’s no SMA connector on a stock Flipper, so any antenna upgrade requires either a hardware mod (adding an external connector to the PCB) or a connector to the GPIO header (which doesn’t carry RF directly — the mod has to bridge the PCB trace).

Tuned 1/4-wave whip per band — the killer upgrade. The single most impactful change is to add a band-tuned 1/4-wave whip via a hardware mod. The physics: a 1/4-wave at 433 MHz is approximately 17.3 cm in free space, 16.4 cm with the typical 5% end-loading factor, and about 12 cm when the antenna is loaded by a hand and a counterpoise ground (the Flipper itself). For 868 MHz the corresponding whip is ~8.7 cm; for 915 MHz ~8.2 cm. The mod path is to add a U.FL connector to the CC1101’s matching-network output (skipping the PCB trace and helical whip), run a short pigtail to an SMA-F at the body, and swap whip per band. DIY cost: $5-15 per whip (12 cm steel rod with SMA-M base, $3 from AliExpress) plus $20-30 for the connector mod (U.FL connector + 5 cm pigtail). Kit option: the Flipper Wifi Devboard + ESP32 + external antenna mod kits sold by third parties — $40-80 — include the SMA mod and three band-tuned whips. The mod is well-documented in the Flipper community (search “Flipper external antenna mod” — guides at flipperzero.one and similar). Performance gain is typically 8-12 dB measured by S-meter on a paired SDR receiver, which translates to ~3× range in free space (Vol 3 — link budget math).

Direction-finding with a small Yagi or magloop. For DF work, a 3-element 433 MHz Yagi gives ~7 dBi and 60° HPBW — small enough to be handheld (boom ~30 cm). The DIY version (Vol 11) is 12 AWG wire on a PVC boom for $10-15. A 433 MHz magnetic loop (15 cm diameter, copper pipe + variable cap) is even more compact, gives null-steering, and works at <0.1 wavelength — useful for DF in cluttered urban environments where multipath confuses Yagis. The mag-loop is in Vol 14 for the TX case, Vol 15 for the RX-only DF case.

The IR and NFC paths. The Flipper’s IR is line-of-sight optical — there is no RF antenna question. The NFC reader is a 13.56 MHz inductive coil, intentionally near-field and short-range (≤10 cm); the stock coil is what you have, and the only “antenna” upgrade is to position the unit closer to the target. No external NFC antenna meaningfully extends range without active amplification (which crosses into legal territory, Vol 31).

BALUN/UNUN/feedline. Direct-fed at 50 Ω — no BALUN or UNUN needed. Pigtail length should be kept under 10 cm to minimize loss; LMR-100 (the FlexCore equivalent) or 1.13 mm OD coax pigtail is standard for U.FL → SMA mods.

Posture. Portable / handheld exclusively. The Flipper isn’t a base-station radio; it’s a pocket tool. The 12 cm tuned whip is roughly the size that fits comfortably in a coat pocket alongside the Flipper itself. The 3-element Yagi for DF is the largest field-deployable antenna for this radio — anything larger defeats the purpose.

Posture-specific upgrade ladder. Stock ($0): helical whip, accept the 10-15 dB penalty. Budget upgrade ($25-50): U.FL-to-SMA mod + tuned whip for primary band (usually 433 MHz). Mid upgrade ($75-150): mod kit with three whips (433/868/915) + small DF antenna. Premium upgrade ($200-400): mod kit + Yagi for DF + S-meter app on a paired SDR for real DF work. The premium tier crosses into “what the Flipper was probably never meant to do alone” — at that point you’re using the Flipper as an interface device for an SDR-based workflow.

Cross-link: ../Flipper Zero/CLAUDE.md for the radio side — CC1101 configuration, sub-GHz protocols, firmware (Momentum / Xtreme / Unleashed), the Flipper Wifi Devboard + ESP32 add-on for 2.4 GHz, the AWOK / Game Over external modules (§17 below).

6. ESP32 Marauder Firmware — 2.4 GHz Wi-Fi / BLE

Marauder is firmware, not hardware — it runs on multiple platforms, so the antenna recommendation varies by host. The four common hosts in the Hack Tools hub are the AWOK Dual Touch V3 (dual ESP32-WROOM + UFL output), Wired Hatters Banshee (ESP32-C5 + ESP32-S3 with multiple SMA ports), the Flipper Wifi Devboard (ESP32-S2 with U.FL pad), and generic ESP32 dev boards (varies). All operate at 2.4 GHz only (ESP32-S3 + ESP32-WROOM original generation). 5 GHz is an ESP32-C5 / ESP32-C6 capability — only the Banshee and AWOK ESP32 C5 modules in the hub support it.

Native antenna characterization. Stock ESP32 modules use either an onboard PCB-trace antenna (the standard WROOM/MINI series) or a stamped-metal chip antenna depending on variant. Both are nominally 2.5-3 dBi but achieve closer to 0-1 dBi gain in real-world deployment because of casing/hand-proximity detuning. The WROOM-32U variant (used by Nyan Box and others) replaces the PCB antenna with a U.FL connector, exposing 50 Ω external antenna feed.

Wi-Fi audit / scan antenna options. For directional sector audit (capturing a specific AP or client cluster), a 2.4 GHz directional patch antenna is the right call — 15 dBi gain, 60° HPBW, RP-SMA male connector. The Alfa APA-M25 ($55) and TP-Link TL-ANT2414B ($25) are the canonical references. For 360° scanning, a 2.4 GHz omnidirectional whip in the 5-9 dBi range is standard — TP-Link TL-ANT2409CL ($15), Alfa ARS-N19 ($25), or any RP-SMA omni. For long-range capture (1+ km), a 2.4 GHz parabolic grid antenna — TP-Link TL-ANT2424B ($55, 24 dBi, 10° HPBW) — drops the link budget by 12-18 dB compared to a 5 dBi omni, which translates to 4-8× range.

Mod paths. The AWOK Dual Touch V3 has UFL pads exposed by design — no mod required, plug in a UFL-to-RP-SMA pigtail ($4) and an external whip. The Banshee has SMA connectors directly. The Flipper Wifi Devboard requires a small solder mod to expose the U.FL pad if it’s not already populated. Generic ESP32 dev boards with PCB antennas require a desolder-the-PCB-antenna + solder-on-U.FL-connector mod (Vol 16 discusses the matching-network implications — the typical ESP32 antenna match is direct 50 Ω with no series cap, so the mod is mostly mechanical).

Posture. Portable / handheld is the natural fit. The Marauder’s UI is a small color display; field operation involves carrying the unit in hand. For a stationary capture position (parked car, café table), the directional patch on a small tripod gives stable sector coverage. Combined with the GPS module on AWOK V3 (or Banshee’s onboard GPS), Marauder can geo-tag captured handshakes — useful for wardriving maps.

BALUN/UNUN/feedline. None — 50 Ω direct feed. The 2.4 GHz band loss budget is brutal; keep pigtails under 30 cm if possible, and use LMR-240 or low-loss equivalents for any longer runs.

Posture-specific upgrade ladder. Stock ($0): onboard PCB or chip antenna, 10-50 m range. Budget upgrade ($15-30): RP-SMA omni whip with 5-9 dBi gain + U.FL-to-RP-SMA pigtail if needed. Mid upgrade ($55-100): directional patch antenna (15 dBi, 60° HPBW) for sector audit + bias-T amp on the Marauder side. Premium upgrade ($150-300): parabolic grid (24 dBi) for long-range + masthead LNA + mount on a small tripod with rotator.

Cross-link: ../ESP32 Marauder Firmware/CLAUDE.md for the firmware side — fork landscape (mainline / Ghost ESP / Bruce / Bad Pinguino), SD layout, Evil Portal templates, capture analysis pipeline.

7. WiFi Pineapple Mark VII / AC — 2.4 / 5 GHz

The WiFi Pineapple is purpose-built for wireless auditing — three RP-SMA antenna ports, one 2.4 GHz radio and two 5 GHz radios (in the AC Tactical model; the Mark VII base model has 2.4 + 5 single-band; the Enterprise has higher-end radios and the same connector layout). The Pineapple is the most antenna-agnostic radio in the hub by design — Hak5 expects you to swap antennas based on engagement type.

Native antenna characterization. Stock antennas are 5 dBi dual-band (2.4 + 5 GHz) omnidirectional whips, RP-SMA male connectors, 17 cm rubber-duck form factor. They’re acceptable for general-purpose use and good for the form factor, but the Pineapple’s 3-port architecture means you can run dramatically asymmetric configurations — directional on one port for capture, omni on another for advertising the rogue AP, panel for sector — that the stock arrangement can’t realize.

Sector-audit configuration. For capturing client traffic from a known direction (a specific office building, a particular conference room), a 15 dBi 2.4 GHz panel antenna on the rogue-AP port focuses the rogue-AP’s coverage area to the target zone while leaving the management traffic on the omni ports. The Alfa APA-M25 ($55, 14 dBi panel) and TP-Link TL-ANT2414B ($25, 14 dBi panel) are the workhorses. For 5 GHz sector, the Alfa APA-M2510 ($90, 10 dBi 5 GHz panel) is the equivalent.

Distant-client capture. A high-gain 2.4 GHz Yagi (15-20 dBi, 30° HPBW) reaches distant single clients — useful for the “I see this client device from across the street” scenario. The Hyperlink HG2415Y ($175, 15 dBi Yagi) is the standard reference; the Alfa AOA-2415-9V ($35) is the budget version.

Stealth deployment. A pure rubber-duck array (three stock 5 dBi omnis) is the most innocuous setup — the Pineapple looks like a small router. For deeper stealth, recess-mount the Pineapple inside a small case with U.FL-to-RP-SMA bulkhead pigtails out to chassis-mount whips on the case exterior, or hide the antennas behind a “wall art” cover. This is a tradecraft topic — see ../Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html Vols 14-15 for the deployment-and-recovery discipline.

Long-range Wi-Fi. Combining the Pineapple’s PineAP with a 24 dBi parabolic grid antenna (Ubiquiti AirMax M5 at 5 GHz, TP-Link TL-ANT5830B at 5 GHz, or TP-Link TL-ANT2424B at 2.4 GHz) extends the auditable range to 1+ km in clear LOS. Important Part 15 EIRP note: a 24 dBi antenna with the Pineapple’s typical +18 dBm TX power produces +42 dBm EIRP, which exceeds the FCC Part 15.247(b)(3) EIRP limit of +36 dBm for unlicensed 2.4 GHz operation — for the 2.4 GHz case, you have to reduce TX power to stay legal, or operate on the 5 GHz UNII bands which have higher EIRP limits (up to +53 dBm EIRP under UNII-3 with specific dish/restrictions). Vol 31 covers the specifics.

Antenna diversity. The 2026-era WiFi Pineapple firmware supports per-radio antenna selection and diversity — the Mark VII AC has firmware controls for which antenna feeds the capture vs the rogue-AP. Useful for asymmetric configurations: directional patch on capture, omni on rogue-AP advertising.

BALUN/UNUN/feedline. None — direct 50 Ω. The Pineapple’s RP-SMA pigtails are short (10-20 cm typically); the antennas mount directly. For mast-mount installs, RP-SMA panel-mount bulkhead connectors and 6-12 ft LMR-240 jumpers are standard ($30-50 for a complete jumper set).

Posture. Home base — the Pineapple at a stationary capture point with omni or panel antennas. Sector — Pineapple at a stationary point with directional antennas covering a specific area. Portable — the Pineapple is small enough to carry but its USB power + Wi-Fi-only architecture makes “true mobile” awkward; it’s more “carry in a backpack to a target site and run from a battery pack.” The Pager (the small Pineapple variant) is the genuinely portable option (Vol 31 for the regulatory note — small form factor doesn’t change the Part 15 EIRP limit).

Posture-specific upgrade ladder. Stock ($0 — kit-included whips): three 5 dBi dual-band omnis. Budget upgrade ($50-100): swap one omni for a 14 dBi panel for sector use. Mid upgrade ($175-300): full sector setup — panel + Yagi + bias-T amp on capture port. Premium upgrade ($400-800): parabolic grid + masthead LNA + tripod mount + per-radio antenna selection in firmware. The Pineapple Enterprise option moves antenna budgets up another level ($800-2000+ for full directional + rotator-based scan).

Cross-link: ../WiFi Pineapple/CLAUDE.md for the platform side — PineAP / KARMA / evil-twin module configuration, Campaigns, Cloud C2, the four current Hak5 models, and the most important posture topic in the project (Pineapple work is fully Part 15 / Part 97 / state-law sensitive — see Vol 31 and ../_shared/legal_ethics.md).

8. OpenSourceSDRLab PortaRF — HackRF-class handheld SDR

The PortaRF is a handheld package of HackRF-class silicon (Clifford Heath modified design, same MAX2837 + RFFC5072 chain as the HackRF One) with an integrated PortaPack-class display, keyboard, and battery. The antenna recommendations match HackRF One section by section — but the handheld form factor constrains the practical answer.

Native antenna characterization. The PortaRF ships with a telescopic whip on an SMA-F front connector. The whip is the same kind that ships with cheap SDR kits — moderately efficient at VHF (where the extended length is close to a quarter-wave), poor at HF (the wire is too short to be efficient), and limited at UHF (the loaded-element design starts to lose efficiency above ~500 MHz). The PortaRF inherits the HackRF’s noise figure (~8-12 dB across the band) and its TX power profile (+5 to +15 dBm depending on band).

HF. The handheld form factor forces a “carry an EFHW kit” approach rather than “install a 30m vertical.” A foldable EFHW + 49:1 UNUN kit (Vol 10) is the standard PortaRF HF antenna — 20m of 22 AWG insulated wire on a winder spool, a 49:1 UNUN in a 3D-printed box, 6 ft of RG-58 pigtail with 1:1 choke at the SMA end. Total kit weight is about 250 g, packs into a single coat pocket. Deploy by stringing the wire from any convenient elevated support (tree branch, fence top, parking-lot light pole) and operating from a folding chair below. Total cost: $80-150 finished or $35-50 DIY.

VHF/UHF. Same recommendations as HackRF One (§3 above) — discone for wideband receive (but a 30 cm form-factor discone like the Diamond D-190 is the portable choice rather than the desktop D-130J), Yagi for DF. For very portable VHF/UHF, a Diamond RH771 dual-band whip (40 cm, $35) directly on the PortaRF’s SMA outperforms the stock telescopic by 3-6 dB.

Microwave. The handheld posture rules out parabolic dishes; the practical microwave answer for the PortaRF is a 2.4 GHz biquad or panel held in the off-hand or mounted on a small tripod.

BALUN/UNUN/feedline. Same as HackRF One — 49:1 UNUN at EFHW feed, 1:1 current choke at the SMA end of the coax pigtail to suppress common-mode current riding back into the PortaRF’s RX chain. The choke is more important on the PortaRF than the HackRF because the handheld is grounded through the operator’s hand — a noisy common-mode current path that the unit can’t avoid.

Posture. Portable / handheld exclusively. The PortaRF is purpose-built for this. The standard kit is a small belt pack: PortaRF + Diamond RH771 dual-band whip + foldable EFHW kit + Spiderbeam HD telescoping mast (10 m, 4.5 kg) for the cases where you need to deploy a serious antenna in the field. Mobile use through a vehicle window is awkward but workable with the Diamond RH771 stuck through the window frame on a mag-mount adapter.

Posture-specific upgrade ladder. Stock ($0): telescopic whip. Budget portable ($60-100): Diamond RH771 + EFHW-Lite kit. Mid portable ($200-400): EFHW + 49:1 UNUN + LMR-240 + Spiderbeam HD mast for elevated deployment. Premium portable ($500-1000+): full mobile RF lab — multiple band-tuned antennas, tripod, mast, NanoVNA for in-field tuning, battery-powered tracking generator from Vol 27.

Cross-link: ../OpenSourceSDRLab PortaRF/CLAUDE.md for the radio side — PortaPack-class firmware (Mayhem, derivatives), integrated keyboard/display UI, battery management, comparison against the discrete HackRF + PortaPack stack on porta (the JSTVRO-built modified-design unit).

9. Quansheng UV-K5 — 144 / 430 MHz handheld

The UV-K5 is a $30 dual-band handheld with a cult-firmware ecosystem (Egzumer, FAGCI, IJV variants) that extends the radio well past the vendor’s nominal 2 m / 70 cm coverage. The antenna upgrade story is dominated by one answer: the Nagoya NA-771.

Native antenna characterization. Stock UV-K5 ships with a short rubber-duck antenna — approximately 12 cm tall, SMA-female connector at the radio (the radio side is SMA-F; the antenna side has SMA-M). Efficiency on the stock antenna is about 5% at 144 MHz and 10% at 430 MHz — typical of cheap handheld antennas where physical length is sacrificed for pocket-portability. The radio’s TX power is 5 W; the effective radiated power through the stock antenna is closer to 0.25-0.5 W ERP.

Nagoya NA-771 — the universal upgrade. The Nagoya NA-771 (38 cm semi-flexible whip, $20-25 from Amazon or any ham vendor) is the canonical UV-K5 upgrade. It’s a half-wave at 144 MHz (or close enough — the loading network brings it to resonance) and a 5/8 wave at 430 MHz. Measured gain over the stock antenna is approximately +6 dB at 2 m and +3 dB at 70 cm. That’s a 4× increase in ERP at 2 m and a 2× increase at 70 cm — transformative for typical FM repeater work. The NA-771 is long enough to be awkward in a coat pocket but short enough to be practical handheld. Avoid the counterfeit NA-771s on AliExpress (the genuine articles cost $20-25; sub-$10 listings are usually copies with mediocre tuning) — check the polarized SMA base and the silk-screen branding to confirm authenticity.

Tape-measure Yagi for DF. For direction-finding on 2 m or 70 cm, a 3-element tape-measure Yagi (Vol 11) is the canonical fox-hunt antenna. Steel measuring-tape elements (1 inch wide, cut to the right length per Vol 11), PVC boom, hairpin match at the driven element, total cost $15 DIY, takes about an hour to build. Pattern is approximately 8 dBi with 60° HPBW and 15-20 dB front-to-back ratio — easy to point and easy to get a clear null on the back of the antenna for DF. The classic ARRL “Tape Measure Beam Antenna for 2-Meter Fox Hunting” article (originally W6MMA, reprinted in QST many times since 1995) is the canonical reference.

HF receive via firmware mod. The UV-K5’s RDA1846S transceiver chip nominally supports operation down to 134 MHz, but the custom firmware (FAGCI specifically) has extended the RX coverage to as low as 18-30 MHz via a software trick that abuses the chip’s IF stages. Performance at HF is poor — the antenna port is engineered for VHF/UHF impedance, and the front-end is unfiltered — but for casual HF DXing it works. For HF receive, the standard answer is a random wire on a 9:1 UNUN at the SMA port. Important: the UV-K5 cannot legally TX on HF amateur bands — even though Part 97 authorizes HF amateur operation, the UV-K5’s HF TX path is not type-accepted, spurious-clean, or filtered for legal HF transmission. HF on the UV-K5 is receive-only.

Mobile and home posture. The UV-K5 is small enough to clip to a belt, vest, or pack. For mobile use in a vehicle, a Diamond NR770HB ($60, dual-band 5/8 wavelength, NMO base) on a mag-mount on the roof is the standard answer — pairs with an NMO-to-SMA pigtail ($15) and a hand-held mic for the radio. For a home-base setup (UV-K5 acting as a desk-top scanner or low-end FM station), a Diamond X-200 ($150, dual-band base vertical, 6 dBi at 2 m / 8 dBi at 70 cm) on a 6-10 ft mast gives true antenna performance — at that point the UV-K5 becomes a competent dual-band base station for casual operation.

BALUN/UNUN/feedline. None at VHF/UHF — direct 50 Ω. For the HF receive mod, a 9:1 UNUN at the random-wire feed. Feedline is irrelevant for handheld use (antenna mounts directly on the radio); for mobile/base, RG-58 for short runs (under 15 ft) and LMR-240 for longer runs.

Posture. Portable / mobile / handheld primary; home base for casual desk use. The UV-K5 is the most universally-deployable handheld in the lineup — small enough for true daily-carry, cheap enough that loss isn’t a crisis.

Posture-specific upgrade ladder. Stock ($0): stock rubber duck, accept the 5-10% efficiency. Budget upgrade ($20-25): Nagoya NA-771 — the universal recommendation. Mid upgrade ($40-100): NA-771 + DIY tape-measure Yagi for DF + Diamond NR770HB mag-mount for vehicle use. Premium upgrade ($200-400): NA-771 + commercial Yagi (Arrow II or Diamond A144S3) + Diamond X-200 base vertical with LMR-240 feedline.

Cross-link: ../Quansheng UV-K5/CLAUDE.md for the radio side — Egzumer/FAGCI/IJV firmware comparison, the spectrum-analyzer mode, AM/SSB demodulation in custom firmware, the K-style mic connector and accessories.

10. Rayhunter — Orbic Speed RC400L cellular detection

Rayhunter (EFF’s open-source IMSI catcher / Stingray detector) runs on the Verizon Orbic Speed RC400L hotspot — a commodity LTE mobile hotspot with a Qualcomm MDM9628 modem and internal cellular antennas. The use case is defensive: detect rogue cell towers (Stingrays, IMSI catchers) by anomalies in the cellular network around you. The antenna question is “how do I improve detection sensitivity and direction-finding ability?”

Native antenna characterization. The Orbic RC400L has internal cellular antennas — a primary PIFA (planar inverted-F antenna) and a diversity antenna for MIMO, both etched on a small PCB inside the case. These cover B1/B2/B3/B4/B5/B7/B12/B13/B17/B25/B26/B41/B66/B71 — all the major US LTE bands. PIFA performance is adequate for capture (detect that a cell is present and read its parameters) but poor for direction-finding (the pattern is essentially omnidirectional with low gain and significant null variability across the band).

External cellular omni for sensitive detection. A Mobile Mark PSKN-LTE omnidirectional antenna ($150, covers 600 MHz – 6 GHz with 3-5 dBi gain across LTE bands) on a small mast gives a 3-6 dB improvement in detection sensitivity over the internal PIFA. The Orbic RC400L doesn’t have an exposed external antenna port in stock configuration — connecting an external requires either (a) using the TS-9 port if it exists on your specific Orbic SKU (some variants have TS-9; others don’t), or (b) tearing down the device and adding a U.FL pigtail to the internal antenna trace. The teardown is documented in the Rayhunter project’s GitHub issues; it’s a moderately invasive mod requiring small Torx drivers, careful PCB ribbon-cable disconnection, and patience.

Directional cellular patch for DF. For direction-finding a suspected rogue tower, a directional cellular patch — Mobile Mark M3M-LTE ($175, 8 dBi at 700 MHz – 6 GHz, ~70° HPBW) or a generic LTE Yagi (TP-Link AY24L, $85, 9 dBi peak) — gives clear directional discrimination. The DF workflow is: connect the patch via TS-9 or U.FL mod, sweep the antenna 360° at a fixed location, log RSSI per direction in the Rayhunter UI, identify the peak as the direction to the tower. This is the cellular-band equivalent of the 2 m DF workflow with the tape-measure Yagi.

BALUN/UNUN/feedline. None — direct 50 Ω at the antenna port. TS-9 to N-type or TS-9 to SMA pigtails are the standard adapters. Feedline: for handheld antennas (under 5 ft of pigtail), RG-178 or LMR-100 micro-coax is fine; for masthead antennas, LMR-240 or LMR-400.

Posture. Portable — the Orbic is the size of a deck of cards, runs from internal battery for 4-6 hours, and is the form factor of a typical mobile hotspot (which is intentional, for tradecraft reasons — the device looks like exactly what a normal user would carry). For more sensitive direction-finding or fixed installations, the external antenna + mast configuration moves it toward “stationary detection setup.”

Posture-specific upgrade ladder. Stock ($0): internal PIFA, useful for ambient capture. Budget upgrade ($40-100): TS-9 omni external antenna (if your Orbic SKU has the TS-9 port). Mid upgrade ($150-250): teardown + U.FL mod + Mobile Mark PSKN-LTE external omni on a small tripod. Premium upgrade ($350-500): teardown + U.FL mod + Mobile Mark M3M-LTE directional patch + tripod with manual rotator for DF work.

Cross-link: ../Rayhunter/CLAUDE.md for the platform side — EFF’s open-source firmware, the IMSI-catcher detection heuristics, the Orbic teardown procedure, defensive deployment strategies.

11. Wired Hatters Banshee — multi-modal ESP32 platform

The Banshee is the most antenna-port-rich device in the hub — dual ESP32 (C5 for 2.4/5 GHz Wi-Fi 6, S3 for 2.4 GHz) plus NRF24L01+ plus active GPS plus Ethernet plus USB host plus front/back cameras. Each RF chain has its own SMA-F or U.FL connector on the device, and the antenna recommendation maps per-chain.

Native antenna characterization. The Banshee ships with three external antenna whips — a dual-band (2.4/5 GHz) whip on the ESP32-C5 chain, a 2.4 GHz whip on the ESP32-S3 chain, and a smaller whip on the NRF24 (often a 2.4 GHz monoband). The GPS antenna is typically an external active patch on a magnetic base ($15-25). All three Wi-Fi/NRF whips are SMA-F at the device side.

Per-chain antenna upgrades.

  • ESP32-C5 (2.4/5 GHz Wi-Fi 6) chain. This is the primary capture/audit radio. For maximum capability: separate the 2.4 and 5 GHz antennas (the dual-band stock whip is a compromise; a dedicated 2.4 GHz omni like Alfa ARS-N19 + a dedicated 5 GHz patch like Alfa APA-M2510 deployed on the same chain via an external diplexer (Vol 30) gives better performance per band). For sector audit, swap to a 5 GHz panel (15 dBi, 60° HPBW) — the 5 GHz Wi-Fi 6 spectrum is where the most interesting modern attacks happen.
  • ESP32-S3 (2.4 GHz only) chain. Use this as the secondary scan/management radio. A 5-7 dBi 2.4 GHz omni (TP-Link TL-ANT2409CL, $15) is the standard choice. This chain often advertises the rogue AP while the C5 chain captures.
  • NRF24L01+ (2.4 GHz proprietary) chain. NRF24 modules operate on 2.4 GHz but for proprietary protocols (Logitech Unifying, generic 2.4 GHz mice/keyboards, drone telemetry, etc.). A 2.4 GHz omni whip works fine; for direction-finding on NRF24 targets, a 2.4 GHz biquad ($15 DIY) gives 11 dBi at 70° HPBW.
  • GPS chain. The active patch is the standard — Adafruit Ultimate GPS or u-blox MAX-M10 with external SMA active patch ($25). Position requires sky view, so the patch needs to be mounted with clear top-hemisphere clearance.

Antenna placement. With four+ antennas on one device, mutual coupling becomes a real concern. The Banshee’s mechanical design places the antennas with some separation — generally enough that adjacent-channel desensitization is bearable — but for serious deployments, route the NRF24 antenna 10+ cm away from the Wi-Fi antennas, and the GPS antenna 15+ cm from any active 2.4 GHz radiator (GPS is at 1575 MHz; second harmonic of the WiFi 2.4 GHz lower edge is at 2462 MHz, which is comfortably outside the GPS band, but front-end overload from a strong nearby Wi-Fi signal still affects GPS sensitivity).

BALUN/UNUN/feedline. None — all direct 50 Ω. Keep all pigtails under 30 cm; LMR-100 or similar for any extensions.

Posture. Portable / handheld. The Banshee’s flagship form factor is the multi-modal handheld; its design assumes the operator carries it in hand or in a pack and uses the integrated displays. For a stationary capture point, the antennas can be mast-mounted via RP-SMA bulkhead extensions — see Vol 21.

Posture-specific upgrade ladder. Stock ($0): three included whips + active GPS patch. Budget upgrade ($30-60): swap NRF24 whip for biquad for DF capability. Mid upgrade ($100-200): dedicated 2.4 + 5 GHz omnis on C5 chain via diplexer; sector patch for capture. Premium upgrade ($400-800): full multi-antenna mast setup with mast-mounted antennas + LMR-240 feedlines + masthead LNAs per chain.

Cross-link: ../Wired Hatters Banshee/CLAUDE.md for the platform side — multi-radio firmware (GhostESP), dual-MCU coordination, integrated peripheral catalog, status as the highest-spec multi-modal ESP32 device in the hub.

12. PWNagotchi — Pi Zero W + Wi-Fi handshake capture

The PWNagotchi is a Pi Zero W (Broadcom BCM43438 Wi-Fi/BT SoC) running an AI-driven Wi-Fi handshake capture appliance. The Pi Zero W’s Wi-Fi is a chip antenna on the PCB — the lowest-performance antenna in the lineup. The PWNagotchi’s effective range with stock antenna is 5-15 m line-of-sight; useless for serious capture.

Native antenna characterization. The Pi Zero W has a single Murata chip antenna soldered on the PCB. Gain is approximately -2 to 0 dBi (depending on enclosure and orientation), the pattern is highly variable, and the case adds further attenuation. The BCM43438 itself has decent RX sensitivity (around -97 dBm at 1 Mbps for the 2.4 GHz Wi-Fi), but the antenna’s poor coupling to free space squanders most of it.

The U.FL mod — the canonical fix. The Pi Zero W’s PCB has an unpopulated U.FL solder pad immediately adjacent to the chip antenna. The mod is: (1) remove the 0-Ω jumper resistor that routes the BCM43438’s RF to the chip antenna, (2) solder a U.FL connector to the unpopulated pad and route the BCM43438’s RF there instead, (3) connect a U.FL pigtail to an external RP-SMA antenna. This is well-documented in the PWNagotchi community (search “Pi Zero W U.FL mod” — guides at jayofelony’s repo, the Fancygotchi project, and elsewhere). The mod takes 10-15 minutes for someone competent with fine-pitch SMD soldering. Important: the mod voids FCC certification — the Pi Zero W’s type-acceptance assumes the chip antenna; once you put an external antenna with arbitrary gain, the FCC sees the device as a new product. For personal experimental use this is fine; for any commercial deployment it’s not.

External antenna choices. Post-mod, the antenna question becomes the same as for any 2.4 GHz Wi-Fi device:

  • 5-7 dBi omni (TP-Link TL-ANT2409CL, $15) — general-purpose, 30-100 m range, fits in a pocket.
  • 15 dBi panel (Alfa APA-M25, $55) — directional, 100-500 m range in the patch direction.
  • 24 dBi parabolic grid (TP-Link TL-ANT2424B, $55) — long-range, 1+ km, but obvious and not portable.

The 5-7 dBi omni is the most common upgrade — the PWNagotchi’s design intent is wearable/portable capture, and a 5-7 dBi whip is a reasonable size-to-performance compromise. The 15 dBi panel is the next tier; the parabolic is impractical for the wearable form factor but useful for stationary “park bench wardriving” scenarios.

Case considerations. Mike J. Kelly’s Motorola Advisor pager-case mod (covered at chapter length in ../PWNagotchi/CLAUDE.md and the PWNagotchi deep dive) puts the Pi Zero W and its e-ink display inside a vintage Motorola pager — the case has a vestigial helical antenna stub that the mod often re-purposes as an external whip. The trade is aesthetic-vs-performance; the pager-stub whip is a compromise between PCB chip antenna (terrible) and external 5-7 dBi omni (visible/un-tradecrafty).

BALUN/UNUN/feedline. None — direct 50 Ω.

Posture. Portable / wearable / stationary-capture. The PWNagotchi is intentionally low-profile — it’s designed to be carried on a backpack strap or worn on a belt clip, capturing handshakes throughout the day. For stationary “set it on the porch for the weekend” deployments, the directional patch with a mast mount is the natural upgrade.

Posture-specific upgrade ladder. Stock ($0): chip antenna, 5-15 m range. Budget upgrade ($30-50): U.FL mod + 5-7 dBi omni — by far the highest-ROI mod on any device in the hub, 6-15 dB net improvement for under $50 of parts and an hour of work. Mid upgrade ($80-150): U.FL mod + 15 dBi panel for stationary sector capture. Premium upgrade ($200-400): U.FL mod + masthead LNA + parabolic for long-range fixed installation (effectively turns the PWNagotchi into a stationary wireless honeypot).

Cross-link: ../PWNagotchi/CLAUDE.md for the platform side — Pi Zero W substrate, e-ink display ecosystem, the A2C reinforcement-learning agent, Fancygotchi color-display fork, plugin ecosystem (jayofelony’s distribution), and the Motorola pager case-mod.

13. Nyan Box — multi-radio handheld

The Nyan Box’s distinguishing feature is its triple NRF24L01+ array — three independent 2.4 GHz NRF24 radios for parallel-channel sniffing — plus the ESP32-WROOM-32U as the main Wi-Fi/BLE radio. The WROOM-32U variant is significant: it has a U.FL port out-of-the-box (no mod required, unlike the standard WROOM-32 with onboard PCB antenna), so the main 2.4 GHz Wi-Fi chain is external-antenna-ready by design.

Native antenna characterization. The ESP32-WROOM-32U accepts a U.FL connector for an external 2.4 GHz antenna — the Nyan Box ships with a 2.4 GHz whip on a U.FL-to-RP-SMA pigtail. The three NRF24L01+ modules each have their own onboard PCB antenna (the standard NRF24 module form factor); higher-end NRF24L01+PA+LNA variants ($5 each) replace the PCB antenna with an SMA port and add a 20 dB power amplifier + 10 dB LNA. The GPS chain (if equipped) is an active patch via SMA. The 0.96” OLED is informational, not RF.

Main Wi-Fi/BLE chain (ESP32-WROOM-32U). A 5-9 dBi 2.4 GHz omni gives good general-purpose performance — TP-Link TL-ANT2409CL or Alfa ARS-N19. For sector audit, the same 14-15 dBi panel (Alfa APA-M25) as on other 2.4 GHz devices. For BLE-specific work, lower-gain omnis (3 dBi) give better near-field omni-coverage useful for BLE device enumeration.

Triple NRF24 array — the key feature. The three NRF24s give parallel-channel sniffing across the 2.4 GHz band — instead of hopping a single radio through channels, the three radios sit on three pre-selected channels and capture simultaneously. The antenna implication: antenna isolation matters more here than on any other device. Three NRF24s with adjacent antennas suffer cross-coupling — the TX from one radio leaks into the RX of the others, raising the noise floor and creating false detection events. Mitigation:

  • Physical separation: at least 10 cm between antenna phase centers (more is better). The Nyan Box’s enclosure design is small (~10×6 cm), so achieving 10 cm separation requires extending antennas on pigtails to external mount points.
  • Polarization diversity: mount one antenna vertical, one horizontal, one at 45° — this gives ~6-10 dB extra isolation.
  • Ferrite-bead chokes on each NRF24 power lead (suppresses crosstalk via the shared power rail).

For a sniffer that needs to listen on 3 specific channels (e.g., 2402 / 2440 / 2480 MHz for BLE advertising channels 37/38/39), the triple-NRF24 array is the killer feature of the Nyan Box. With proper antenna isolation, it can monitor all three BLE advertising channels simultaneously instead of polling them sequentially.

BALUN/UNUN/feedline. None — direct 50 Ω. Pigtails should be kept short (<20 cm) for 2.4 GHz loss budget reasons; ferrite chokes on power leads (not RF leads) for crosstalk suppression.

Posture. Portable / handheld. The Nyan Box’s small form factor and OLED display make it a daily-carry device; the triple NRF24 array is the rare configuration that can’t be replicated on most other ESP32 platforms (the Banshee has only one NRF24 chain; the M5 family typically has zero).

Posture-specific upgrade ladder. Stock ($0): one Wi-Fi whip + three NRF24 PCB antennas. Budget upgrade ($25-50): replace three NRF24 modules with NRF24L01+PA+LNA variants (each has an SMA port — adds external-antenna option). Mid upgrade ($60-100): four external antennas (one Wi-Fi + three NRF24) with deliberate spatial separation and polarization diversity. Premium upgrade ($150-300): full external antenna farm on a small tripod with the Nyan Box mounted as the head unit — four 2.4 GHz antennas spaced 10+ cm apart with polarization diversity, plus active GPS patch.

Cross-link: ../Nyan Box/CLAUDE.md for the platform side — drone RemoteID detection (the killer use case the parallel-channel sniffing was designed for), hidden-camera detection, the educational-first design philosophy of Nyan Devices.

14. DSTIKE Hackheld — ESP8266 Wi-Fi attack platform

The DSTIKE Hackheld is an ESP8266 + onboard 25 dBm power amplifier + 0.96” SSD1306 OLED in a purpose-built handheld package. The factory-flashed firmware is Spacehuhn’s esp8266_deauther (the original “deauther” project, dating to 2017). It’s the smallest standalone Wi-Fi attack platform in the lineup — host-less, battery-powered, immediate.

Native antenna characterization. The ESP8266 module on the DSTIKE has an onboard PCB antenna — the standard ESP-12 module shape. With the addition of the onboard 25 dBm (316 mW) power amplifier between the SoC and the antenna, the DSTIKE has noticeably better range than a stock ESP8266 — for typical Wi-Fi deauthentication and probe-request capture work, the stock antenna is adequate. Effective TX-side gain is ~+22 dBi (25 dBm PA - 3 dBi loss in the matching network and chip antenna inefficiency, vs a bare ESP-12 at ~+20 dBm). Receive-side performance is more typical of bare ESP8266 — the PA only helps TX.

External antenna mod. Like the PWNagotchi, the DSTIKE’s improvement path is an external antenna via a U.FL solder pad mod — but it’s substantially more invasive than the PWNagotchi mod because the ESP8266 modules used on DSTIKE have an RF shield over the antenna trace that must be removed first. The mod sequence:

  1. Desolder the RF shield (4-6 solder joints around the perimeter, requires a hot-air station or careful iron work to lift without damaging the PCB underneath).
  2. Identify the antenna feedline — a short PCB trace between the ESP8266 SoC’s RF pin and the PCB antenna.
  3. Cut the trace immediately after the matching-network pi-section.
  4. Solder a U.FL connector pad to the trace at the cut point.
  5. Pigtail to RP-SMA at the case body.

Total mod time is 30-60 minutes; total cost is $5-15 in parts. The mod loses the integrated 25 dBm PA’s tuning to the chip antenna, so expect a slight TX-side reduction (1-3 dB) compared to stock; this is more than offset by the gain of a proper 5-7 dBi external whip. The mod is significantly more invasive than the PWNagotchi mod — the RF shield removal is the gotcha. Several DSTIKE units have been destroyed by overheating the PCB during shield removal; if you’re not comfortable with hot-air rework, leave the mod alone.

Stock-as-shipped is the right choice for most use cases. The DSTIKE’s purpose is “smallest possible standalone Wi-Fi attack platform” — the deauther firmware was designed for short-range exercise of specific APs and clients, not long-range capture. The stock antenna + onboard PA configuration is well-matched to that use case. The mod path is only worthwhile if you have a specific reason to extend range or improve receive sensitivity for sustained capture work.

Range and stealth tradeoffs. The mod path improves TX range from ~30-50 m (stock) to ~100-200 m (with 5-7 dBi external whip). For stealth deployments (the DSTIKE looks like a small electronic toy in its enclosure), the stock antenna keeps the device visually low-profile; the modded version has an obvious external whip. The tradeoff is range-vs-tradecraft.

BALUN/UNUN/feedline. None — direct 50 Ω.

Posture. Portable / handheld. The DSTIKE is a single-purpose tool; its 1000 mAh battery gives 4-6 hours of continuous use.

Posture-specific upgrade ladder. Stock ($0): the DSTIKE as it ships — onboard PCB + 25 dBm PA, good for most deauther use cases. Budget upgrade ($5-20): no mod path is “budget” — the U.FL mod is moderately invasive; if you’re not doing the mod, the stock configuration is the answer. Mid upgrade ($30-50): U.FL mod + 5-7 dBi external whip. Premium upgrade ($80-150): U.FL mod + 14 dBi directional patch for sector use + small tripod mount.

Cross-link: ../DSTIKE Hackheld/CLAUDE.md for the platform side — Spacehuhn deauther firmware history, alternative firmware (Bruce, Marauder ports), button-cluster UI, the 25 dBm PA design, and the legal/ethical caveats specific to deauthentication attacks (../_shared/legal_ethics.md, Vol 31).

15. Bus Pirate 6 — wired protocol tool (no antenna)

The Bus Pirate 6 is a wired-protocol multitool — UART, I²C, SPI, JTAG, SWD, 1-Wire, smart-card, DDR5-SPD, and the BP6-distinctive “look-behind buffer” follow-along logic analyzer on its 8 buffered I/O pins. There is no RF, no radio, and no antenna. This section exists solely so that readers searching the hub for “Bus Pirate antenna” find the explicit “no antenna” answer here rather than wandering into the wrong volume or making the wrong assumption about the device.

If you arrived here expecting an antenna recommendation: there isn’t one. The Bus Pirate 6 talks to chips and buses over wires (test clips, IDC ribbon, breakout connectors). For wireless device work, the relevant tools in the hub are the radio sections above. For the radio inside a wireless device whose firmware you want to dump or whose serial console you want to drive, the Bus Pirate is your tool but the wireless RF path is irrelevant to its operation.

Cross-link: ../Bus Pirate 6/CLAUDE.md for the device side — protocol coverage, the follow-along logic analyzer feature, BP6 REV2 hardware (RP2350B), flash-adapter trio, Probe + Aux cable + KF141 adapter set.

16. Clockwork PicoCalc / uConsole — handheld compute platforms

The PicoCalc and uConsole are compute platforms, not radios. They’re full handheld Linux/RP2040 computers with extensive expansion options. Antennas come from whatever radio modules you install in them. A bare PicoCalc has no RF at all; a fully-equipped uConsole hosts seven or more radios simultaneously and creates the most interesting multi-antenna question in the hub.

uConsole radio inventory (fully-equipped). A typical “fully loaded” uConsole carries:

  • Cellular (LTE/5G via Quectel EM05-CE / EM06-A or similar M.2 module) — 600 MHz to 6 GHz cellular bands
  • Wi-Fi 2.4 GHz (typically Intel AX200/AX210 or Realtek RTL8852)
  • Wi-Fi 5 GHz (same module, dual-band)
  • Bluetooth (same module typically)
  • GPS (u-blox MAX-M10 or Quectel L80, often integrated with cellular)
  • LoRa (RAK4630 or HopeRF RFM95W via the daughterboard) — typically 868 MHz EU or 915 MHz US
  • Wideband SDR (HackRF One internal via USB or PortaPack via headphone jack)

Seven radios, each with its own antenna recommendation. Per-radio, every recommendation in §§3-14 above applies. The interesting question is the multi-radio consolidation — can the seven antennas be reduced to a smaller, more-portable set?

Vol 30 (Multi-Radio Shared Antennas) is the dedicated treatment. That volume walks the uConsole worked example end-to-end, consolidating from 7 antennas to 3 (cellular + Wi-Fi/BT combo + GPS) using a triplexer + diplexer chain, or to 2 if you’re willing to compromise GPS performance (combining GPS L1 with cellular in the 1500-1700 MHz block via a notch filter). The compromise tradeoffs are quantified there — cellular cellular RX sensitivity drops 1-2 dB, GPS time-to-first-fix increases 30-90 seconds. The Vol 30 worked example is one of the load-bearing artifacts of the Antennas project.

Per-module pointers. For the SDR daughterboard (HackRF internal), see §3 (HackRF One). For the cellular module, see §10 (Rayhunter) — same antenna recommendations apply (cellular omni or directional patch via U.FL pigtail through the case). For the Wi-Fi/BT, see §6 (ESP32 Marauder) — though the uConsole’s Wi-Fi is Intel AX200/AX210 class rather than ESP32 (better than ESP32 by ~6-10 dB sensitivity), the antenna recommendations (5-7 dBi omni for general use, directional patch for sector) still apply. For LoRa at 868/915 MHz, a tuned 1/4-wave whip ($5-15) or a 3 dBi rubber-duck SMA antenna ($10-15) — same as the Flipper at 868/915 MHz.

Posture. Portable / handheld for both PicoCalc and uConsole. The uConsole’s larger form factor (10×17 cm with keyboard + display) accommodates more antennas externally than a typical handheld; the PicoCalc is smaller and typically limited to onboard or small-footprint expansion radios.

Posture-specific upgrade ladder. Bare PicoCalc/uConsole ($0): no antennas, no radios — install per-module antennas as you install per-module radios. Budget multi-radio ($150-300): per-module whips on each installed radio, no consolidation. Mid multi-radio ($300-600): Vol 30 consolidation to 3 antennas (cellular + Wi-Fi/BT + GPS) via diplexer + triplexer. Premium multi-radio ($600-1500): Vol 30 consolidation to 2 antennas with notch-filter GPS sharing + masthead LNAs + full per-band optimization.

Cross-link: ../Clockwork PicoCalc/CLAUDE.md and ../Clockwork uConsole/CLAUDE.md for the platform sides — PicoCalc’s RP2040/RP2350 dual-MCU architecture, uConsole’s CM4 + custom-board architecture, expansion-bay layout, current Clockwork firmware status.

17. M5Stack Cardputer ADV / Zero, M5Stick S3, AWOK modules

This section groups the small-form-factor ESP32-class devices in the hub — they share an antenna story dominated by the 2.4 GHz Wi-Fi/BLE chip-antenna question and the recurring U.FL-mod path.

M5Stack Cardputer ADV. ESP32-S3-WROOM-1 (no -U variant — the WROOM-1 is the chip-antenna version, not the U.FL variant). Onboard PCB chip antenna for 2.4 GHz Wi-Fi/BLE. The Cardputer ADV has an EXT 14-pin bus that can carry RF for a Cap LoRa-1262 expansion (LoRa at 868/915 MHz with a separate u.FL antenna). For the main 2.4 GHz path: the ESP32-S3-WROOM-1’s PCB chip antenna achieves ~0-2 dBi in practice; for range extension, the desolder-PCB-antenna + add-U.FL mod is the same as the generic ESP32 dev board mod, but more invasive on the Cardputer because the case is purpose-designed and the PCB layout doesn’t leave much room for the mod.

M5Stack Cardputer Zero. Aspirational at the time of this writing; hardware specs not yet confirmed by Claude. Presumed ESP32-S3 family with onboard PCB antenna; presumed no EXT bus. Antenna recommendation tentatively: same as Cardputer ADV, but verify specs against vendor data before treating as authoritative.

M5Stick S3. ESP32-S3-PICO-1-N8R8 (8 MB flash + 8 MB OPI PSRAM), 1.14” 135×240 ST7789P3 IPS, 6-axis IMU, IR TX+RX, the standout ES8311 audio chain with MEMS mic + AW8737 amp + 1 W speaker. Wearable form factor (48×24×15 mm, 20 g). The audio chain is the M5Stick S3’s distinguishing feature; from an antenna standpoint, that’s relevant because the audio strength can be used as an RF-direction-finding indicator — the 1 W speaker plays the demodulated signal of, e.g., an FM beacon, and the listener turns the device until the audio is loudest (highest gain direction) or nulled (back of antenna). The actual RF antenna is the standard ESP32-S3-PICO PCB chip antenna; no U.FL pad is exposed by default but can be added via a fine-pitch SMD mod. The Hat2 + Grove expansion buses can carry additional radios (e.g., a NRF24 hat); each adds its own antenna.

AWOK Dual Touch V3. Dual ESP32-WROOM (the standard chip-antenna variant) + on-board GPS + resistive touch interface, mounted on a Flipper Zero as the AWOKflip unit. The AWOK V3 ships with UFL pads exposed and a UFL-to-RP-SMA pigtail in the box — no soldering required to add an external 2.4 GHz antenna. This is the killer feature of the AWOK relative to other ESP32-based handheld modules; the engineer-time-saving of “plug in a pigtail, screw on a whip” beats “desolder the RF shield, cut the trace, solder U.FL, hope the matching network still works” by an order of magnitude. The AWOK V3 is also the primary Marauder host in the hub.

AWOK ESP32 C5. Aspirational at the time of this writing; ESP32-C5-based for dual-band 2.4/5 GHz Wi-Fi 6 coverage. Form factor TBD. Once specifics confirm, the antenna recommendation for the C5-based version will mirror the Wired Hatters Banshee C5 chain — separate antennas for 2.4 and 5 GHz, or a dual-band whip.

Common antenna recommendations across this group:

  • Stock chip antenna is adequate for short-range work (5-30 m).
  • For range extension to 100-200 m: external 5-7 dBi omni via U.FL mod (or pre-existing UFL pad on AWOK V3).
  • For sector audit: directional patch (15 dBi) — but the small form factor of these devices makes the patch awkwardly large.
  • For BLE-specific work: lower-gain omni (3 dBi) gives better near-field omni-coverage.

BALUN/UNUN/feedline. None — direct 50 Ω. Pigtails under 20 cm; LMR-100 micro-coax for any extensions.

Posture. Portable / handheld / wearable. The M5Stick S3 in particular is small enough to clip to a strap or pocket; the Cardputer family is pocket-sized but not really wearable; the AWOK module is small but lives on top of a Flipper Zero.

Posture-specific upgrade ladder. Stock ($0): chip antenna, accept 5-30 m range. Budget upgrade ($5-25): U.FL mod (or no mod for AWOK V3) + 5-7 dBi external whip. Mid upgrade ($40-80): U.FL mod + 14 dBi panel for sector use. Premium upgrade ($150-300): masthead-mounted antenna farm with the M5 device or AWOK as a remote-controlled head unit.

Cross-links: ../M5Stack Cardputer ADV/CLAUDE.md, ../M5Stack Cardputer Zero/CLAUDE.md, ../M5Stick S3/CLAUDE.md, ../AWOK Dual Touch V3/CLAUDE.md, ../AWOK ESP32 C5/CLAUDE.md.

18. Decision graph — “I want to do X, which radio + antenna?”

The decision graph indexes the per-radio sections above by use case instead of by radio. Find the scenario that matches what you’re trying to do; the paragraph beneath gives the specific recommendation — radio, antenna, BALUN/UNUN, feedline, posture — with prices in mid-2026 USD.

Use caseRadioAntennaMatch / FeedlinePosture
Receive any signal across HF + VHF + UHFHackRF One or RTL-SDR V4Discone + EFHW or random wire9:1 UNUN HF + 1:1 choke + LMR-400Home base
Audit Wi-Fi networks in a specific directionWiFi Pineapple AC Tactical15 dBi 2.4 GHz panelNone + LMR-240 jumperSector / portable
Capture sub-GHz device telemetry at 433 MHzFlipper Zero (or HackRF for advanced)Tuned 433 MHz 1/4-wave whip via modNone (50 Ω direct)Handheld
Direction-find an unknown transmitterUV-K5 + tape-measure Yagi (or HackRF)3-el tape-measure YagiNone (50 Ω direct)Handheld / portable
Test a 5G or LTE cellular linkRayhunter (Orbic RC400L)External cellular omni or patchNonePortable
Long-range Wi-Fi audit at 1+ kmWiFi Pineapple24 dBi parabolic gridMasthead LNA + LMR-240Sector / fixed
Wideband scan with waterfallHackRF OneLPDA (400 MHz – 1 GHz)1:1 choke + LMR-240Home base / portable
HF TX on 20m for amateur operatingHackRF One (or amateur transceiver)EFHW + 49:1 UNUN1:1 current choke + LMR-400Home base or portable mast
Receive only HF with low noiseRTL-SDR V4 (HF tap)Wellbrook ALA1530 active loopBias-T + LMR-240Home base
Multi-radio simultaneous operationuConsole (fully equipped)Per-radio or consolidated via Vol 30Diplexer + triplexerAll postures
RF safety / EMC compliance checkBird 43 + dummy load + spectrum analyzerN/AN/ABench

Receive any signal across HF + VHF + UHF

HackRF One with a discone (Diamond D-130J, $120) for VHF/UHF wideband + an EFHW with 49:1 UNUN (DIY $50, commercial $130 from Chameleon or MyAntennas) for HF, fed by LMR-400 ($1.50/ft, ~$60 for 40 ft) with a 1:1 current choke ($15 — FT240-31 core, 7 turns of coax) at every feedpoint. Alternative: same setup with RTL-SDR V4 if receive-only is acceptable — save $300+ on the radio side. Posture: home base with mast-mounted discone and EFHW strung between the eaves and a fence post. Total cost: $250-400 plus the radio. The HackRF gets you TX capability; the RTL-SDR V4 gets you a better noise floor for the receive-only case.

Audit Wi-Fi networks in a specific direction

WiFi Pineapple Mark VII AC Tactical with one or more 15 dBi 2.4 GHz panel antennas (Alfa APA-M25, $55) replacing the stock 5 dBi omnis. Use one panel for sector capture, leave a 5 dBi omni for rogue-AP advertising, and (optionally) add a bias-T amp ($75) inline on the capture port for extra sensitivity. Feedline: LMR-240 jumpers (6 ft, $15 each, with RP-SMA terminations). Posture: stationary sector — Pineapple at a fixed point with antennas covering the target zone. Total cost: $300-500 for the antennas and feedlines; the Pineapple AC Tactical kit is $235 separately. Legal note: any capture work requires authorization for the target network (../_shared/legal_ethics.md, Vol 31).

Capture sub-GHz device telemetry at 433 MHz

Flipper Zero with a tuned 433 MHz 1/4-wave whip via the U.FL connector mod — $5-15 for the whip ($20-30 for the connector mod). For more advanced capture (high-data-rate, OOK/FSK demodulation), HackRF One with the same 433 MHz tuned whip or a 3-element 433 MHz Yagi (Vol 11, DIY $15) for directional reception. The Flipper is the field tool; the HackRF is the lab tool. Posture: handheld (Flipper) or portable (HackRF with a small Yagi). Total cost: Flipper mod $30-60; HackRF + Yagi setup $80-150 above the HackRF itself.

Direction-find an unknown transmitter

UV-K5 + 3-element tape-measure Yagi (Vol 11, DIY $15) for 2 m or 70 cm targets — the classic fox-hunt configuration. The UV-K5’s S-meter app + the Yagi’s clean front-to-back ratio (15-20 dB) makes for a usable DF antenna at modest cost. For HF DF, HackRF One + small magnetic loop (Vol 14, DIY $80-150) — the magloop’s tight pattern null is the HF DF tool. For UHF DF, HackRF One or PortaRF + 4-element 70 cm Yagi (Arrow II $175 or DIY $25). Posture: handheld for the VHF/UHF Yagi work, portable for the HF magloop. Total cost: $15-200 depending on band and quality tier.

Rayhunter (Orbic Speed RC400L) with an external cellular omni (Mobile Mark PSKN-LTE, $150) or directional patch (Mobile Mark M3M-LTE, $175) via U.FL pigtail through a teardown mod. The Rayhunter firmware reads cellular network parameters and flags anomalies; the antenna upgrade improves both detection sensitivity and direction-finding ability. Posture: portable with the Orbic on a strap and the antenna on a small tripod or mast. Total cost: $200-400 above the Orbic + Rayhunter setup.

Long-range Wi-Fi audit at 1+ km

WiFi Pineapple + 24 dBi parabolic grid antenna (TP-Link TL-ANT2424B for 2.4 GHz, $55; Ubiquiti AirMax M5 for 5 GHz, $90) + masthead bias-T amp ($85 — Mini-Circuits ZHL-1010 class) + LMR-400 feedline for the run between mast and Pineapple. Part 15 EIRP caveat: a 24 dBi antenna with the Pineapple’s typical +18 dBm TX produces +42 dBm EIRP, which exceeds the +36 dBm EIRP limit for unlicensed 2.4 GHz under FCC Part 15.247. For legal operation, reduce TX power or operate in the 5 GHz UNII-3 band (higher EIRP limit, up to +53 dBm) — see Vol 31. Posture: fixed sector — the parabolic isn’t portable. Total cost: $250-500 for the antenna/amp/feedline.

Wideband scan with waterfall

HackRF One + LPDA (log-periodic dipole array) covering 400 MHz – 1 GHz — Diamond D-3000N ($300) or DIY LPDA (Vol 13, $80-120). The LPDA’s near-constant gain (5-7 dBi) across multi-octave bandwidth makes for a clean wideband-RX antenna without the impedance roller-coaster of broadband mismatched antennas. For 1-6 GHz wideband, a Vivaldi notch antenna (Vol 13, DIY $20-50) covers the upper end. Posture: home base with mast-mounted LPDA or portable with a compact LPDA on a Spiderbeam mast. Total cost: $80-300 depending on band and DIY-vs-buy.

HF TX on 20m for amateur operating

HackRF One (or any amateur transceiver) + EFHW (40 ft for 40m through 10m coverage) + 49:1 UNUN (Vol 16, DIY $25 in FT240-43 core and #14 wire, commercial $130 from MyAntennas) + LMR-400 feedline + 1:1 current choke at feedpoint. Mast: Spiderbeam HD 10 m telescoping mast (4.5 kg, $375) for portable use, or Rohn 25G tower ($800+ for hardware and concrete) for permanent installation. Posture: home base for the permanent tower or portable for the Spiderbeam-mast version (full-size 40m EFHW deployable in 20 minutes in a field setting). FCC Amateur Extra-class authorization covers full HF including 20m at the full 1.5 kW PEP limit. Test before TX with NanoVNA (Vol 24) — verify SWR <1.5:1 across the operating band, verify the choke doesn’t have a self-resonance in the operating band. Total cost: $250-600 for the antenna and feedline; $375-1500 for the mast.

Receive only HF with low noise

RTL-SDR Blog V4 (uses the integrated HF tap in direct-sampling mode) + Wellbrook ALA1530LN+ active loop ($550, gold-standard) or LZ1AQ Active Antenna ($130) or MLA-30+ ($40 budget option) + USB-powered bias-T injector ($25) + LMR-240 feedline (active loops don’t need LMR-400). Posture: home base with the loop mounted on a 6-10 ft mast in the yard, fed via bias-T-powered coax to the desktop. The active loop’s primary value is noise-floor suppression — magnetic-loop coupling rejects most E-field local noise (LED lights, plasma TVs, EV chargers, IoT mesh). Total cost: $40-600 depending on active-loop tier; the radio is $35.

Multi-radio simultaneous operation

Clockwork uConsole (fully equipped) with seven or more installed radios + Vol 30 (Multi-Radio Shared Antennas) consolidation playbook. The worked example walks the seven-antenna uConsole down to three antennas (cellular + Wi-Fi/BT combo + GPS) via a triplexer + diplexer chain, or to two antennas (with notch-filter GPS sharing) at the cost of slight GPS performance reduction. Total cost: $300-1500 for the consolidation hardware (diplexers, triplexers, filters); $100-500 per installed radio module separately. This is the load-bearing reason Vol 30 exists.

RF safety / EMC compliance check

Bird 43 wattmeter + appropriate slug (~$300-400 for the meter, $80-150 per slug — see Vol 26) + 50 Ω dummy load (Heathkit Cantenna $50 used; DIY $55 — Vol 26) + spectrum analyzer (TinySA Ultra $130-180 — Vol 27 for the budget option; R&S FSH4 $5000+ for compliance-grade). This is the bench setup for measuring TX power, verifying harmonic suppression (FCC Part 97.307(d) requires -43 dBc for amateur HF), checking SWR before connecting to an antenna, and validating that home-brew RF doesn’t violate Part 15 or Part 97 spurious-emission limits. Total cost: $200-600 (hobby tier with TinySA Ultra) or $6000+ (compliance-grade tier). Posture: bench — this is the workshop setup that gets every other antenna/radio combination tested before it goes outside.

19. Resources

Per-radio deep dives (each has its own CLAUDE.md with full coverage of the radio side):

Cross-tool comparison and matrices:

Per-antenna chapters (this series) — the authoritative source for each antenna recommendation here:

Sibling deep dives that link back into this volume: