M5Stack Cardputer ADV · Volume 11

M5Stack Cardputer ADV Volume 11 — Operational Posture

Regulatory, RF safety, legal, BadUSB ethics, LiPo handling, charging gotchas, when-NOT-to-use

Contents

SectionTopic
1About this volume
2Detection signatures across attack modes
3Regional LoRa frequency rules
4Cap LoRa-1262 EIRP compliance — the EU 868 g1 gotcha
5Power profile and brownout posture
6RF safety — never transmit unloaded
7BadUSB legal posture
8LiPo handling and storage
9Charging gotchas
10microSD format + cable selection gotchas
11Chain-of-custody for captured material
12When NOT to use the Cardputer ADV
13Pre-engagement checklist
14Resources

1. About this volume

Vol 11 is the operational-posture synthesis — considerations that apply across every attack and use case from Vols 4-10. Detection, regulatory, RF safety, BadUSB ethics, LiPo handling, charging gotchas, chain-of-custody. Treat it as a checklist before any non-trivial engagement.

The single most-important rule: own the airspace + own the hardware target. Only operate attacks on RF or hardware you own or have written authorization for. Everything else in this volume is downstream of that.

2. Detection signatures across attack modes

From the perspective of a Wi-Fi IDS / BLE monitor / RF site survey:

Attack modeSignatureDetection ease
Wi-Fi deauth (Bruce / Marauder)Burst of deauth frames sourced from spoofed AP MACTrivial — every Wi-Fi IDS has deauth-flood rules
Wi-Fi beacon spam (Bruce)Rapid unique-SSID beacons; non-allocated OUI MACsTrivial — beacon-anomaly rules common
Evil Portal SoftAP (Bruce)New open SSID; Espressif OUI MAC (unless spoofed); HTTP Server: header reveals firmwareTrivial — visible in any AP scan
BLE-spam Sour Apple (Bruce)Rapid Apple-Continuity advertising patterns; rotating BD_ADDRs but stable subtypesModerate — BLE-aware IDS detects
LoRa TX (Meshtastic, Bruce LoRa-chat)RF activity in licensed ISM band — detectable via spectrum monitor but unremarkableHard — RF spectrum monitoring is rare
IR TV-B-Gone (Bruce / NEMO)Visible IR LED blink; remote-controlled devices reactingEasy if anyone’s watching, otherwise silent
BadUSB HID injectionmacOS “Keyboard Setup Assistant” pops; Windows is more permissive; sustained typing visible in keylogModerate — UI-level detection on macOS
EAPOL handshake capture (pure passive)NoneUndetectable — passive RX only
PMKID capture (pure passive)NoneUndetectable

Pattern: pure-passive captures (EAPOL, PMKID, BLE scan, Wi-Fi scan) are silent. Anything that transmits (attacks, Evil Portal, LoRa, IR, BadUSB) leaves a signature.

Espressif OUI fingerprinting: every Espressif Wi-Fi chip has a MAC in their assigned OUI ranges (F4:12:FA, EC:DA:3B, 34:85:18, FC:F5:C4, etc.). Rogue-AP IDS scanners look specifically for these. Bruce’s “Spoof MAC” feature randomizes the OUI to a non-Espressif range, breaking this fingerprint.

For Cardputer ADV operators: assume the device’s RF emissions are detectable if anyone’s watching the spectrum. Authorization (not stealth) is the protection.

3. Regional LoRa frequency rules

LoRa hardware operates in ISM bands per region. Rules vary on frequency, max EIRP, and duty cycle.

RegionFrequencyMax EIRPDuty cycleStandard
EU g1868.0 - 868.6 MHz+14 dBm / 25 mW1% (36 sec/hour)ETSI EN 300 220
EU g2868.7 - 869.2 MHz+14 dBm / 25 mW0.1%Same
EU g3869.4 - 869.65 MHz+27 dBm / 500 mW10%Same
EU g4869.7 - 870.0 MHz+7 dBm / 5 mW1%Same
US902 - 928 MHz+30 dBm / 1 WNone (dwell-time rules apply)FCC §15.247
AU/NZ915 - 928 MHz+30 dBm / 1 WNoneAS/NZS 4268
JP920.6 - 928 MHz+13 dBm / 20 mW10% (sub-band varies)ARIB STD-T108
CNvaries (multiple bands)variesvariesSRRC
IN865 - 867 MHz+30 dBm / 1 WNoneTEC
RUvariesvariesvariesNational

Meshtastic ships region presets that automatically configure SX1262 for compliant operation. Bruce + raw RadioLib require manual configuration.

For travel: set firmware region to match the country you’re operating in. Wrong region = potentially non-compliant TX power + duty cycle.

4. Cap LoRa-1262 EIRP compliance — the EU 868 g1 gotcha

The Cap LoRa-1262 ships at +22 dBm TX power by default. With the included 3 dBi antenna:

EIRP = TX power + antenna gain
     = +22 dBm + 3 dBi
     = +25 dBm EIRP

This is 11 dB over the EU g1 limit of +14 dBm. Running the stock Cap at +22 dBm in EU g1 frequencies is non-compliant.

Three compliance paths in EU:

  1. Firmware-clamp TX to ≤+11 dBm (so +11 + 3 dBi = +14 dBm EIRP). Meshtastic does this automatically when EU868 region is set.
  2. Run g3 only (+27 dBm EIRP cap, 10% duty) — operate in 869.4-869.65 MHz, allow full +22 dBm.
  3. Lower-gain antenna — 0 dBi or omni-of-lower-gain allows higher TX. Niche choice — most operators want more antenna, not less.

US operators don’t have this problem — +25 dBm EIRP is well under the +30 dBm FCC limit.

Bare RadioLib code without explicit region-aware configuration defaults to whatever the operator sets. Meshtastic’s region presets handle this; custom firmware must do it manually.

EIRP recalculation after antenna upgrade:

TX powerAntenna gainEIRPEU g1 limitEU g3 limitUS limit
+22 dBm3 dBi+25 dBm
+22 dBm6 dBi+28 dBm
+22 dBm14 dBi (Yagi)+36 dBm
+11 dBm3 dBi+14 dBm
+8 dBm6 dBi+14 dBm

Always recalculate after any antenna change.

5. Power profile and brownout posture

Per-mode current draw (from Vol 2 § 9, repeated for cross-reference):

ModeCurrent (mA)
Idle (display backlight + scan loop)~120 mA
Wi-Fi scan continuous+12 mA
BLE peripheral active+35 mA
Sustained Wi-Fi TX (deauth spam)+130-280 mA peak
Cap LoRa-1262 TX +22 dBm+163 mA peak
Cap GNSS continuous tracking+20-30 mA
Display backlight off (sleep)~30 mA
Deep sleep (mainline firmwares don’t use)0.23 µA

Brownout mechanics:

ESP32-S3 has a brownout detector that trips at ~2.7 V (configurable). Under sustained TX:

  • Battery dips during high-current peak (LiPo internal resistance).
  • If dip exceeds threshold + hysteresis, SoC resets.
  • Symptoms: attack “stops working” mid-engagement, reboot animation, menu state lost.

Mitigations:

  1. Fresh LiPo (>2000 mAh upgrade per Vol 9 § 4.1).
  2. Known-good USB cable for USB-powered operation.
  3. Avoid concurrent SD writes during TX-heavy attacks (extra current draw).
  4. Rebuild firmware with CONFIG_ESP_BROWNOUT_DET_LVL_SEL_5 (less aggressive threshold) — Vol 10 § 10 covers the rebuild.

Battery-life estimates for stock 1750 mAh battery:

Use caseBattery life
Idle / menu navigation~14 hours
Wi-Fi scan continuous~10 hours
Sustained TX-spam~3-5 hours
Meshtastic LongFast (GPS+Wi-Fi off)~24 hours
Bruce evilportal (SoftAP + DHCP + DNS + HTTP)~6-8 hours
Solar-harvested deploymentIndefinite (with appropriate panel — Vol 9 § 3.3)

6. RF safety — never transmit unloaded

Always attach an antenna before powering on the Cap LoRa-1262. SX1262’s power amplifier (PA) can be damaged by an open or short load. FM8625H antenna switch adds protection but don’t rely on it for unattended operation.

M5Stack publishes this as a red-type warning in the Mesh Kit setup guide.

RF exposure: +22 dBm = 158 mW. Lower than a Wi-Fi AP, a fraction of a phone’s 4G TX power (+33 dBm). Body-distance operation is well within SAR safety limits. GNSS module is receive-only — no RF emissions.

Antenna swap safety:

  • Disconnect USB-C / battery (side switch OFF) before swapping antennas.
  • The RP-SMA female connector is robust but repeated swaps wear it.
  • Don’t operate without an antenna even briefly. PA damage is permanent and silent — you won’t notice until the next attempted TX produces no signal.

HID injection works only against unlocked targets or systems that auto-accept new HID devices (most do — flag for “new keyboard” on macOS, most users click through).

Legal posture: HID injection of payloads on systems you don’t own is unauthorized computer access. Even harmless payloads (Rick-Roll, screen lock) constitute a violation:

  • US: 18 USC § 1030 (CFAA) — unauthorized access; up to 10 years for some violations
  • EU: national computer-misuse laws (UK Computer Misuse Act, German StGB § 202a/b/c)
  • AU/NZ/CA/JP: equivalent statutes

Authorized engagement scope is the only safe operating envelope.

Even with authorization: log every BadUSB execution with timestamp + target machine identifier + payload hash. Defensible documentation is mandatory.

8. LiPo handling and storage

The 1750 mAh single-cell LiPo (or upgraded 3000 mAh) requires LiPo discipline:

Safety rules:

  1. Never short-circuit the cell terminals.
  2. Never charge a damaged or punctured cell — damaged LiPos can spontaneously combust hours after damage.
  3. Storage: ~50% charge extends shelf life. Full charge accelerates aging.
  4. Temperature: 0-40 °C operating; degrades faster >30 °C at full charge; avoid >50 °C entirely.
  5. Swelling observed: discontinue use immediately. Dispose properly (battery recycling, not regular trash).

Battery upgrade (Vol 9 § 4.1) safety:

  • When paralleling cells, charge each independently to within 0.05 V of the other before connecting.
  • Mismatched voltages at parallel-connect = thermal runaway = house fire.
  • No theory — measured chemistry. Take the safety seriously.

Operational rules:

  • Don’t leave the device unattended while charging.
  • Don’t carry damaged batteries on aircraft (most carriers prohibit damaged LiPos).
  • Don’t store devices with batteries in hot cars (>60 °C summer interior temperatures).
  • Replace the LiPo when capacity drops to ~70% of original (300-500 cycles typical).

9. Charging gotchas

The side switch must be ON to charge. USB-C is electrically disconnected from the charge controller when switch is OFF. This is a design choice, not a fault.

Common confusion: “I plugged it in and it’s not charging.” Answer ~90% of the time: side switch is OFF.

USB enumeration (for firmware flashing / serial console) works regardless of switch position — the data lines route through the ESP32-S3’s native USB peripheral, not through the charge controller.

USB cable: must be data-capable, not “charge only.” Charge-only cables lack data lines, block USB enumeration. Use OEM cables or known-good third-party (Anker, Belkin).

Charge current: ~500 mA typical (TP4056-class controller). Full-charge time from empty: ~4 hours for 1750 mAh, ~7 hours for 3000 mAh upgrade.

Charging while operating: works fine. The buck converter handles the load. Device can run permanently plugged in.

10. microSD format + cable selection gotchas

SD format:

  • FAT32 (preferred) — max 32 GB native; larger cards need third-party formatter
  • exFAT — supported in newer arduino-esp32 builds; max 1 TB
  • NTFS / ext4 / other — not supported

Brand-name cards (SanDisk / Samsung / Kingston) more reliable than generic. Class 10 / U1 minimum — slower cards cause OTA timeout and slow file operations.

SD card storage temperature: 0-40 °C operating; degrades faster outside this range.

Cable:

  • Data-capable USB-C for flashing + serial console.
  • Avoid magnetic-tip cables with the Cardputer’s USB-C — the magnetic-tip adapters often lack data lines.

11. Chain-of-custody for captured material

For captures intended as engagement deliverables (Evil Portal creds, EAPOL PCAPs, wardriving logs, RFID dumps):

At capture-time:

  1. Document: target identifier, date/time, location, authorization scope.
  2. Photograph SD card in situ with a known timestamp source (your phone clock) before removal — provenance metadata.
  3. Power down cleanly before SD removal (don’t pull during a write).
  4. Label the SD card or its container.

At transfer to host:

  1. Hash everything immediately:
find /mnt/sd_cardputer -type f -exec sha256sum {} \; > /tmp/captures_$(date +%Y%m%d_%H%M%S).sha256
  1. Encrypted archive only for transfer:
tar -czf captures.tar.gz /mnt/sd_cardputer/
age -p captures.tar.gz > captures.tar.gz.age   # Password-encrypted
# OR
gpg -c captures.tar.gz   # GPG symmetric encrypt
  1. Out-of-band hash verification — share hash via a separate channel from the archive itself.

At engagement close:

  1. Deliverable: encrypted archive + report + chain-of-custody documentation.
  2. Source SD card sanitization:
sudo dd if=/dev/urandom of=/dev/sdX bs=4M status=progress   # Multi-pass overwrite
sudo mkfs.vfat -F 32 /dev/sdX1                              # Reformat clean

Repeat 2-3 passes for thoroughness. Document the sanitization in the engagement report.

  1. Retention: only what scope authorizes. Purge bystander data with documentation.

Cross-ref: Marauder Firmware Vol 11 § 7 for the same discipline applied to platform-neutral captures. The Hack Tools shared posture in ../../../_shared/legal_ethics.md carries.

12. When NOT to use the Cardputer ADV

The inverse of Vol 1 § 6. Scenarios where the Cardputer ADV is the wrong tool:

ScenarioWhy Cardputer ADV is wrongBetter alternative
Need 5 GHz Wi-FiESP32-S3 silicon is 2.4 GHz onlyM5MonsterC5 add-on (Vol 4 § 5), or Linux laptop + monitor-mode adapter
Need Wi-Fi 6 / 6ESame hardware limitModern Intel AX-series adapter + Linux
Need stealthCardputer ADV is overt — Espressif OUI MACs, attack signatures, beacon spam visibleDifferent tool entirely (passive Linux laptop, RTL-SDR receive)
Need sustained 8+ hr engagementsBattery + thermal limitsWi-Fi Pineapple Mark VII or laptop
Need cracking powerCardputer doesn’t crack on-deviceHost with GPU (Vol 9 § 2.2 hashcat workflow)
Need NFC / RFID depthNo on-board NFC controllerProxmark3 RDV4
Need Flipper-style sub-GHz library breadthNo CC1101 on boardFlipper Zero + add-ons
Need 5 GHz LoRa or non-868/915 bandsCap antenna tuned 868-923Re-antenna + matching, or HackRF for arbitrary RF
Hostile jurisdiction with import restrictionsCustoms risk for “hacker device”Don’t carry; ship fresh from in-country vendor
Educational demo with minorsAttack ethics matter more than toolLab-only setup with no live attack traffic
Wired protocol bring-up (UART / SPI / I²C / JTAG / SWD)Cardputer’s keyboard helps but BP6 is purpose-builtBus Pirate 6
Calculator-class computing workloadsCardputer screen too smallClockwork PicoCalc
Camera applicationsNo camera bus exposedM5Stack Core S3 or Atom S3R
Cellular communicationsNo cellular modemNB-IoT / 4G LTE / Cat-M Grove Units, or a different platform
HF radio (sub-300 MHz)Cap LoRa-1262 tuned 868-923 MHzHackRF One

The Cardputer ADV is the right answer when: you need a pocket-form-factor ESP32-S3 handheld with a real keyboard, native Wi-Fi/BLE, optional LoRa+GNSS, and access to an active firmware-development ecosystem. Outside that envelope, sister Hack Tools projects cover the gaps.

13. Pre-engagement checklist

Before any non-trivial engagement, verify each item:

  • Written authorization signed and dated, covering target scope (network / hardware / location / time window).
  • RF coverage scope specified (target SSIDs / BSSIDs / geographic area).
  • Attacks permitted listed (deauth? Evil Portal? BLE-spam? LoRa TX? BadUSB?). Be specific.
  • Stop condition defined (time limit, signal-of-completion).
  • Battery charged: ≥ 50% if engagement < 1 hr; ≥ 90% if longer.
  • SD card formatted FAT32; fresh /bruce/portals/ or /captures/ directory ready.
  • Firmware version locked (mainline tag, not master HEAD — avoid surprises).
  • Region setting matches venue (US / EU868 / JP).
  • Target BSSID(s) configured if surgical attacks planned.
  • MAC randomization enabled (Bruce Settings → Spoof MAC).
  • Cap LoRa-1262 antenna attached and tight if LoRa work is in scope.
  • TX power verified compliant for region (Vol 11 § 4 EIRP recalculation).
  • Capture-destination plan: where do PCAPs / creds go after engagement?
  • Sanitization plan: how / when SD content is erased.
  • Discovery response: if observed, stop, produce authorization, document.
  • Out-of-band channel prepared for security team to reach me.

If any item isn’t checked, abort. Don’t compromise.

14. Resources

Legal references

Hack Tools shared posture

Cross-references

This is Volume 11 of a twelve-volume series. Next: Vol 12 is the laminate-ready cheatsheet — synthesis of every preceding volume’s most-referenced content.